diff options
author | Jakub Jelen <jjelen@redhat.com> | 2018-07-03 15:53:44 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-08-31 14:18:34 +0200 |
commit | 60ad7ee15dc23c16d4827ee8eff7d228e13982cd (patch) | |
tree | 7c7ff31cea17e34acab9b767af8a4f7ab75eb034 /src/messages.c | |
parent | 5fe81e89fb0ce68cef0846a265900d3331396ae6 (diff) | |
download | libssh-60ad7ee15dc23c16d4827ee8eff7d228e13982cd.tar.gz libssh-60ad7ee15dc23c16d4827ee8eff7d228e13982cd.tar.xz libssh-60ad7ee15dc23c16d4827ee8eff7d228e13982cd.zip |
messages: Create correct digest for pki signatures
This does not affect old signatures, where the public key algorithm
matches the public key type.
This is a problem when using SHA2 extension for the RSA keys, where
the new signature algorithsm are introduced in addition to the
exitsing ssh-rsa which was ignored throughout the code.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/messages.c')
-rw-r--r-- | src/messages.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/messages.c b/src/messages.c index 6fe87f78..8a469d41 100644 --- a/src/messages.c +++ b/src/messages.c @@ -645,7 +645,8 @@ error: */ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, ssh_message msg, - const char *service) + const char *service, + ssh_string algo) { struct ssh_crypto_struct *crypto = session->current_crypto ? session->current_crypto : @@ -673,7 +674,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, service, "publickey", /* method */ 1, /* has to be signed (true) */ - msg->auth_request.pubkey->type_c, /* pubkey algorithm */ + ssh_string_get_char(algo), /* pubkey algorithm */ str); /* public key as a blob */ ssh_string_free(str); @@ -785,13 +786,13 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ if (rc != SSH_OK) { goto error; } - ssh_string_free(algo); - algo = NULL; rc = ssh_pki_import_pubkey_blob(pubkey_blob, &msg->auth_request.pubkey); ssh_string_free(pubkey_blob); pubkey_blob = NULL; if (rc < 0) { + ssh_string_free(algo); + algo = NULL; goto error; } msg->auth_request.signature_state = SSH_PUBLICKEY_STATE_NONE; @@ -804,10 +805,14 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ if(sig_blob == NULL) { SSH_LOG(SSH_LOG_PACKET, "Invalid signature packet from peer"); msg->auth_request.signature_state = SSH_PUBLICKEY_STATE_ERROR; + ssh_string_free(algo); + algo = NULL; goto error; } - digest = ssh_msg_userauth_build_digest(session, msg, service); + digest = ssh_msg_userauth_build_digest(session, msg, service, algo); + ssh_string_free(algo); + algo = NULL; if (digest == NULL) { ssh_string_free(sig_blob); SSH_LOG(SSH_LOG_PACKET, "Failed to get digest"); |