Bugzilla – Attachment 3090 Details for
Bug 2799
RSA Signatures using SHA2 provided by different ssh-agent are not properly verified
[patch]
Check signatures received from agent
bz2799.diff (text/plain), 2.35 KB, created by
Damien Miller
on 2017-11-24 14:32:14 AEDT
Description:
Check signatures received from agent
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-11-24 14:32:14 AEDT
Size:
2.35 KB
patch
obsolete
>diff --git a/authfd.c b/authfd.c
>index ebb0d59..dd60b96 100644
>--- a/authfd.c
>+++ b/authfd.c
>@@ -345,6 +345,7 @@ ssh_agent_sign(int sock, const struct sshkey *key,
> size_t blen = 0, len = 0;
> u_int flags = 0;
> int r = SSH_ERR_INTERNAL_ERROR;
>+ char *sigtype = NULL;
>
> *sigp = NULL;
> *lenp = 0;
>@@ -377,12 +378,30 @@ ssh_agent_sign(int sock, const struct sshkey *key,
> if ((r = sshbuf_get_string(msg, sigp, &len)) != 0)
> goto out;
> *lenp = len;
>+
>+ /*
>+ * Some agents will return ssh-rsa signatures when asked to
>+ * make a rsa-sha2-* signature. Check what they actually gave
>+ * back.
>+ */
>+ if (alg != NULL) {
>+ if ((r = sshkey_sigtype(*sigp, *lenp, &sigtype)) != 0)
>+ goto out;
>+ if (strcmp(sigtype, alg) != 0) {
>+ error("agent returned incorrect signature type %s "
>+ "(expected %s)", sigtype, alg);
>+ freezero(*sigp, *lenp);
>+ *sigp = NULL;
>+ *lenp = 0;
>+ r = SSH_ERR_AGENT_FAILURE;
>+ goto out;
>+ }
>+ }
>+
> r = 0;
> out:
>- if (blob != NULL) {
>- explicit_bzero(blob, blen);
>- free(blob);
>- }
>+ free(sigtype);
>+ freezero(blob, blen);
> sshbuf_free(msg);
> return r;
> }
>diff --git a/sshkey.c b/sshkey.c
>index 0ad9a65..ed4b54e 100644
>--- a/sshkey.c
>+++ b/sshkey.c
>@@ -2011,6 +2011,31 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
> return r;
> }
>
>+int
>+sshkey_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
>+{
>+ int r;
>+ struct sshbuf *b = NULL;
>+ char *sigtype = NULL;
>+
>+ if (sigtypep != NULL)
>+ *sigtypep = NULL;
>+ if ((b = sshbuf_from(sig, siglen)) == NULL)
>+ return SSH_ERR_ALLOC_FAIL;
>+ if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
>+ goto out;
>+ /* success */
>+ if (sigtypep != NULL) {
>+ *sigtypep = sigtype;
>+ sigtype = NULL;
>+ }
>+ r = 0;
>+ out:
>+ free(sigtype);
>+ sshbuf_free(b);
>+ return r;
>+}
>+
> int
> sshkey_sign(const struct sshkey *key,
> u_char **sigp, size_t *lenp,
>diff --git a/sshkey.h b/sshkey.h
>index b4c036a..b81cf8f 100644
>--- a/sshkey.h
>+++ b/sshkey.h
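Review bot: In the second authfd.c hunk, the `goto out` taken when `sshkey_sigtype()` fails leaves `*sigp` and `*lenp` holding the agent's signature while the function returns an error, unlike the mismatch branch just below it, which frees and clears them. A caller that only checks the return code would leak the buffer, and one that ignores it would carry on with a signature whose type was never confirmed. Reading the reply into local variables and assigning `*sigp`/`*lenp` only just before `r = 0;`, with `freezero(sig, len);` under `out:`, gives every failure path the same cleanup. The check is also skipped entirely when `alg` is NULL, which the new comment should say. ssh_agent_sign begins above the hunk, so how `alg` and `blob` are set up is not visible here.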
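Review bot: sshkey_sigtype() in the sshkey.c hunk is a new exported function with no header comment, and its contract is not obvious from the call site: it only parses the leading type string of the blob, it does not verify the signature, and on success the caller owns `*sigtypep`. I would add `/* Return the type name at the start of a signature blob; the signature itself is not verified. On success the caller must free *sigtypep. */` above the definition. Separately, the only failure checked for `sshbuf_from()` is a NULL return mapped to `SSH_ERR_ALLOC_FAIL`; if that helper also returns NULL for a NULL `sig` or an oversized `siglen` (not visible here), `SSH_ERR_INVALID_ARGUMENT` would describe those cases more accurately.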
>@@ -168,6 +168,7 @@ int sshkey_puts(const struct sshkey *, struct sshbuf *);
> int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *);
> int sshkey_putb_plain(const struct sshkey *, struct sshbuf *);
>
>+int sshkey_sigtype(const u_char *, size_t, char **);
> int sshkey_sign(const struct sshkey *, u_char **, size_t *,
> const u_char *, size_t, const char *, u_int);
> int sshkey_verify(const struct sshkey *, const u_char *, size_t,