tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-31 01:35:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream: handle cr+lf (instead of just cr) in sshsig signature

Browse Source 
files

OpenBSD-Commit-ID: 647460a212b916540016d066568816507375fd7f
This commit is contained in:
djm@openbsd.org 2023-09-06 23:18:15 +00:00 committed by Damien Miller
parent e1c284d60a
commit 1ee0a16e07
No known key found for this signature in database
1 changed files with 19 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
sshsig.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshsig.c,v 1.32 2023/04/06 03:56:02 djm Exp $ */ /* $OpenBSD: sshsig.c,v 1.33 2023/09/06 23:18:15 djm Exp $ */
/* /*
* Copyright (c) 2019 Google LLC * Copyright (c) 2019 Google LLC
* *
@ -38,7 +38,7 @@
#define SIG_VERSION 0x01 #define SIG_VERSION 0x01
#define MAGIC_PREAMBLE "SSHSIG" #define MAGIC_PREAMBLE "SSHSIG"
#define MAGIC_PREAMBLE_LEN (sizeof(MAGIC_PREAMBLE) - 1) #define MAGIC_PREAMBLE_LEN (sizeof(MAGIC_PREAMBLE) - 1)
#define BEGIN_SIGNATURE "-----BEGIN SSH SIGNATURE-----\n" #define BEGIN_SIGNATURE "-----BEGIN SSH SIGNATURE-----"
#define END_SIGNATURE "-----END SSH SIGNATURE-----" #define END_SIGNATURE "-----END SSH SIGNATURE-----"
#define RSA_SIGN_ALG "rsa-sha2-512" /* XXX maybe make configurable */ #define RSA_SIGN_ALG "rsa-sha2-512" /* XXX maybe make configurable */
#define RSA_SIGN_ALLOWED "rsa-sha2-512,rsa-sha2-256" #define RSA_SIGN_ALLOWED "rsa-sha2-512,rsa-sha2-256"
@ -59,8 +59,7 @@ sshsig_armor(const struct sshbuf *blob, struct sshbuf **out)
goto out; goto out;
} }
if ((r = sshbuf_put(buf, BEGIN_SIGNATURE, if ((r = sshbuf_putf(buf, "%s\n", BEGIN_SIGNATURE)) != 0) {
sizeof(BEGIN_SIGNATURE)-1)) != 0) {
error_fr(r, "sshbuf_putf"); error_fr(r, "sshbuf_putf");
goto out; goto out;
} }
@ -99,23 +98,35 @@ sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out)
return SSH_ERR_ALLOC_FAIL; return SSH_ERR_ALLOC_FAIL;
} }
/* Expect and consume preamble + lf/crlf */
if ((r = sshbuf_cmp(sbuf, 0, if ((r = sshbuf_cmp(sbuf, 0,
BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) { BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) {
error("Couldn't parse signature: missing header"); error("Couldn't parse signature: missing header");
goto done; goto done;
} }
if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) { if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) {
error_fr(r, "consume"); error_fr(r, "consume");
goto done; goto done;
} }
if ((r = sshbuf_cmp(sbuf, 0, "\r\n", 2)) == 0)
eoffset = 2;
else if ((r = sshbuf_cmp(sbuf, 0, "\n", 1)) == 0)
eoffset = 1;
else {
r = SSH_ERR_INVALID_FORMAT;
error_f("no header eol");
goto done;
}
if ((r = sshbuf_consume(sbuf, eoffset)) != 0) {
error_fr(r, "consume eol");
goto done;
}
/* Find and consume lf + suffix (any prior cr would be ignored) */
if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE, if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE,
sizeof("\n" END_SIGNATURE)-1, &eoffset)) != 0) { sizeof(END_SIGNATURE), &eoffset)) != 0) {
error("Couldn't parse signature: missing footer"); error("Couldn't parse signature: missing footer");
goto done; goto done;
} }
if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) { if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) {
error_fr(r, "consume"); error_fr(r, "consume");
goto done; goto done;