summaryrefslogtreecommitdiff
path: root/sshkey.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2017-12-18 02:25:15 +0000
committerDamien Miller <djm@mindrot.org>2017-12-19 15:21:37 +1100
commit04c7e28f83062dc42f2380d1bb3a6bf0190852c0 (patch)
treebc2c59d39a33aba84e0576039474668ada2546d2 /sshkey.c
parent931c78dfd7fe30669681a59e536bbe66535f3ee9 (diff)
upstream commit
pass negotiated signing algorithm though to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
Diffstat (limited to 'sshkey.c')
-rw-r--r--sshkey.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/sshkey.c b/sshkey.c
index 19f26a11..91e0073f 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.58 2017/12/18 02:22:29 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.59 2017/12/18 02:25:15 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -1814,7 +1814,7 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
goto out;
}
if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
- sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0)
+ sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0)
goto out;
/* Success */
@@ -2109,11 +2109,12 @@ sshkey_sign(const struct sshkey *key,
/*
* ssh_key_verify returns 0 for a correct signature and < 0 on error.
+ * If "alg" specified, then the signature must use that algorithm.
*/
int
sshkey_verify(const struct sshkey *key,
const u_char *sig, size_t siglen,
- const u_char *data, size_t dlen, u_int compat)
+ const u_char *data, size_t dlen, const char *alg, u_int compat)
{
if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
@@ -2129,7 +2130,7 @@ sshkey_verify(const struct sshkey *key,
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
case KEY_RSA:
- return ssh_rsa_verify(key, sig, siglen, data, dlen);
+ return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT: