upstream: factor out kex_verify_hostkey() - again, duplicated
almost exactly across client and server for several KEX methods. from markus@ ok djm@ OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
bb39bafb6d
commit
b1b2ff4ed5
18
kex.c
18
kex.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kex.c,v 1.145 2019/01/21 10:05:09 djm Exp $ */
|
||||
/* $OpenBSD: kex.c,v 1.146 2019/01/21 10:07:22 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
|
@ -1071,6 +1071,22 @@ kex_load_hostkey(struct ssh *ssh, struct sshkey **pubp, struct sshkey **prvp)
|
|||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
|
||||
{
|
||||
struct kex *kex = ssh->kex;
|
||||
|
||||
if (kex->verify_host_key == NULL)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
if (server_host_key->type != kex->hostkey_type ||
|
||||
(kex->hostkey_type == KEY_ECDSA &&
|
||||
server_host_key->ecdsa_nid != kex->hostkey_nid))
|
||||
return SSH_ERR_KEY_TYPE_MISMATCH;
|
||||
if (kex->verify_host_key(server_host_key, ssh) == -1)
|
||||
return SSH_ERR_SIGNATURE_INVALID;
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
|
||||
void
|
||||
dump_digest(char *msg, u_char *digest, int len)
|
||||
|
|
|
|||
3
kex.h
3
kex.h
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kex.h,v 1.97 2019/01/21 10:05:09 djm Exp $ */
|
||||
/* $OpenBSD: kex.h,v 1.98 2019/01/21 10:07:22 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
|
|
@ -185,6 +185,7 @@ int kex_buf2prop(struct sshbuf *, int *, char ***);
|
|||
int kex_prop2buf(struct sshbuf *, char *proposal[PROPOSAL_MAX]);
|
||||
void kex_prop_free(char **);
|
||||
int kex_load_hostkey(struct ssh *, struct sshkey **, struct sshkey **);
|
||||
int kex_verify_host_key(struct ssh *, struct sshkey *);
|
||||
|
||||
int kex_send_kexinit(struct ssh *);
|
||||
int kex_input_kexinit(int, u_int32_t, struct ssh *);
|
||||
|
|
|
|||
17
kexc25519c.c
17
kexc25519c.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexc25519c.c,v 1.11 2019/01/21 09:55:52 djm Exp $ */
|
||||
/* $OpenBSD: kexc25519c.c,v 1.12 2019/01/21 10:07:22 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
|
|
@ -80,27 +80,14 @@ input_kex_c25519_reply(int type, u_int32_t seq, struct ssh *ssh)
|
|||
size_t slen, pklen, sbloblen, hashlen;
|
||||
int r;
|
||||
|
||||
if (kex->verify_host_key == NULL) {
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* hostkey */
|
||||
if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
|
||||
&sbloblen)) != 0 ||
|
||||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
|
||||
&server_host_key)) != 0)
|
||||
goto out;
|
||||
if (server_host_key->type != kex->hostkey_type ||
|
||||
(kex->hostkey_type == KEY_ECDSA &&
|
||||
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
|
||||
r = SSH_ERR_KEY_TYPE_MISMATCH;
|
||||
if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
|
||||
goto out;
|
||||
}
|
||||
if (kex->verify_host_key(server_host_key, ssh) == -1) {
|
||||
r = SSH_ERR_SIGNATURE_INVALID;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Q_S, server public key */
|
||||
/* signed H */
|
||||
|
|
|
|||
16
kexdhc.c
16
kexdhc.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexdhc.c,v 1.28 2019/01/21 10:03:37 djm Exp $ */
|
||||
/* $OpenBSD: kexdhc.c,v 1.29 2019/01/21 10:07:22 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
|
@ -95,26 +95,14 @@ input_kex_dh(int type, u_int32_t seq, struct ssh *ssh)
|
|||
size_t slen, sbloblen, hashlen;
|
||||
int r;
|
||||
|
||||
if (kex->verify_host_key == NULL) {
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto out;
|
||||
}
|
||||
/* key, cert */
|
||||
if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
|
||||
&sbloblen)) != 0 ||
|
||||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
|
||||
&server_host_key)) != 0)
|
||||
goto out;
|
||||
if (server_host_key->type != kex->hostkey_type ||
|
||||
(kex->hostkey_type == KEY_ECDSA &&
|
||||
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
|
||||
r = SSH_ERR_KEY_TYPE_MISMATCH;
|
||||
if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
|
||||
goto out;
|
||||
}
|
||||
if (kex->verify_host_key(server_host_key, ssh) == -1) {
|
||||
r = SSH_ERR_SIGNATURE_INVALID;
|
||||
goto out;
|
||||
}
|
||||
/* DH parameter f, server public DH key, signed H */
|
||||
if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
|
||||
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
|
||||
|
|
|
|||
16
kexecdhc.c
16
kexecdhc.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexecdhc.c,v 1.15 2019/01/21 09:55:52 djm Exp $ */
|
||||
/* $OpenBSD: kexecdhc.c,v 1.16 2019/01/21 10:07:22 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2010 Damien Miller. All rights reserved.
|
||||
|
|
@ -109,10 +109,6 @@ input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
|
|||
size_t klen = 0, hashlen;
|
||||
int r;
|
||||
|
||||
if (kex->verify_host_key == NULL) {
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto out;
|
||||
}
|
||||
group = kex->ec_group;
|
||||
client_key = kex->ec_client_key;
|
||||
|
||||
|
|
@ -122,16 +118,8 @@ input_kex_ecdh_reply(int type, u_int32_t seq, struct ssh *ssh)
|
|||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
|
||||
&server_host_key)) != 0)
|
||||
goto out;
|
||||
if (server_host_key->type != kex->hostkey_type ||
|
||||
(kex->hostkey_type == KEY_ECDSA &&
|
||||
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
|
||||
r = SSH_ERR_KEY_TYPE_MISMATCH;
|
||||
if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
|
||||
goto out;
|
||||
}
|
||||
if (kex->verify_host_key(server_host_key, ssh) == -1) {
|
||||
r = SSH_ERR_SIGNATURE_INVALID;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Q_S, server public key */
|
||||
/* signed H */
|
||||
|
|
|
|||
16
kexgexc.c
16
kexgexc.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: kexgexc.c,v 1.32 2019/01/21 10:03:37 djm Exp $ */
|
||||
/* $OpenBSD: kexgexc.c,v 1.33 2019/01/21 10:07:22 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
* Copyright (c) 2001 Markus Friedl. All rights reserved.
|
||||
|
|
@ -153,26 +153,14 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
|
|||
int r;
|
||||
|
||||
debug("got SSH2_MSG_KEX_DH_GEX_REPLY");
|
||||
if (kex->verify_host_key == NULL) {
|
||||
r = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto out;
|
||||
}
|
||||
/* key, cert */
|
||||
if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
|
||||
&sbloblen)) != 0 ||
|
||||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
|
||||
&server_host_key)) != 0)
|
||||
goto out;
|
||||
if (server_host_key->type != kex->hostkey_type ||
|
||||
(kex->hostkey_type == KEY_ECDSA &&
|
||||
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
|
||||
r = SSH_ERR_KEY_TYPE_MISMATCH;
|
||||
if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
|
||||
goto out;
|
||||
}
|
||||
if (kex->verify_host_key(server_host_key, ssh) == -1) {
|
||||
r = SSH_ERR_SIGNATURE_INVALID;
|
||||
goto out;
|
||||
}
|
||||
/* DH parameter f, server public DH key, signed H */
|
||||
if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
|
||||
(r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
|
||||
|
|
|
|||
Loading…
Reference in New Issue