1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 01:48:00 +00:00

Pass flags from agent sign request to ssh_key_sign.

Now each public-key algorithm gets to indicate what flags it supports,
and the ones it specifies support for may turn up in a call to its
sign() method.

We still don't actually support any flags yet, though.
This commit is contained in:
Simon Tatham 2018-11-19 20:24:37 +00:00
parent 74f792e00b
commit 7d4a276fc1
7 changed files with 22 additions and 11 deletions

View File

@ -323,7 +323,7 @@ void pageant_handle_msg(BinarySink *bs,
struct ssh2_userkey *key;
ptrlen keyblob, sigdata;
strbuf *signature;
uint32_t flags;
uint32_t flags, supported_flags;
plog(logctx, logfn, "request: SSH2_AGENTC_SIGN_REQUEST");
@ -366,20 +366,22 @@ void pageant_handle_msg(BinarySink *bs,
else
plog(logctx, logfn, "no signature flags");
if (flags) {
supported_flags = ssh_key_alg(key->key)->supported_flags;
if (flags & ~supported_flags) {
/*
* We MUST reject any message containing flags we
* don't understand.
*/
char *msg = dupprintf(
"unsupported flag bits 0x%08"PRIx32, flags);
"unsupported flag bits 0x%08"PRIx32,
flags & ~supported_flags);
pageant_failure_msg(bs, msg, logctx, logfn);
sfree(msg);
return;
}
signature = strbuf_new();
ssh_key_sign(key->key, sigdata.ptr, sigdata.len,
ssh_key_sign(key->key, sigdata.ptr, sigdata.len, flags,
BinarySink_UPCAST(signature));
put_byte(bs, SSH2_AGENT_SIGN_RESPONSE);

7
ssh.h
View File

@ -770,7 +770,8 @@ struct ssh_keyalg {
/* Methods that operate on an existing ssh_key */
void (*freekey) (ssh_key *key);
void (*sign) (ssh_key *key, const void *data, int datalen, BinarySink *);
void (*sign) (ssh_key *key, const void *data, int datalen,
unsigned flags, BinarySink *);
bool (*verify) (ssh_key *key, ptrlen sig, ptrlen data);
void (*public_blob)(ssh_key *key, BinarySink *);
void (*private_blob)(ssh_key *key, BinarySink *);
@ -784,6 +785,7 @@ struct ssh_keyalg {
const char *ssh_id; /* string identifier in the SSH protocol */
const char *cache_id; /* identifier used in PuTTY's host key cache */
const void *extra; /* private to the public key methods */
const unsigned supported_flags; /* signature-type flags we understand */
};
#define ssh_key_new_pub(alg, data) ((alg)->new_pub(alg, data))
@ -791,7 +793,8 @@ struct ssh_keyalg {
#define ssh_key_new_priv_openssh(alg, bs) ((alg)->new_priv_openssh(alg, bs))
#define ssh_key_free(key) ((*(key))->freekey(key))
#define ssh_key_sign(key, data, len, bs) ((*(key))->sign(key, data, len, bs))
#define ssh_key_sign(key, data, len, flags, bs) \
((*(key))->sign(key, data, len, flags, bs))
#define ssh_key_verify(key, sig, data) ((*(key))->verify(key, sig, data))
#define ssh_key_public_blob(key, bs) ((*(key))->public_blob(key, bs))
#define ssh_key_private_blob(key, bs) ((*(key))->private_blob(key, bs))

View File

@ -27,7 +27,7 @@ static strbuf *finalise_and_sign_exhash(struct ssh2_transport_state *s)
strbuf *sb;
ssh2transport_finalise_exhash(s);
sb = strbuf_new();
ssh_key_sign(s->hkey, s->exchange_hash, s->kex_alg->hash->hlen,
ssh_key_sign(s->hkey, s->exchange_hash, s->kex_alg->hash->hlen, 0,
BinarySink_UPCAST(sb));
return sb;
}

View File

@ -863,7 +863,7 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
put_data(sigdata, s->pktout->data + 5,
s->pktout->length - 5);
sigblob = strbuf_new();
ssh_key_sign(key->key, sigdata->s, sigdata->len,
ssh_key_sign(key->key, sigdata->s, sigdata->len, 0,
BinarySink_UPCAST(sigblob));
strbuf_free(sigdata);
ssh2_userauth_add_sigblob(

View File

@ -447,7 +447,7 @@ Bignum *dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key,
}
static void dss_sign(ssh_key *key, const void *data, int datalen,
BinarySink *bs)
unsigned flags, BinarySink *bs)
{
struct dss_key *dss = container_of(key, struct dss_key, sshk);
Bignum k, gkp, hash, kinv, hxr, r, s;
@ -504,4 +504,5 @@ const ssh_keyalg ssh_dss = {
"ssh-dss",
"dss",
NULL,
0, /* no supported flags */
};

View File

@ -2257,7 +2257,7 @@ static bool ecdsa_verify(ssh_key *key, ptrlen sig, ptrlen data)
}
static void ecdsa_sign(ssh_key *key, const void *data, int datalen,
BinarySink *bs)
unsigned flags, BinarySink *bs)
{
struct ec_key *ec = container_of(key, struct ec_key, sshk);
const struct ecsign_extra *extra =
@ -2413,6 +2413,7 @@ const ssh_keyalg ssh_ecdsa_ed25519 = {
"ssh-ed25519",
"ssh-ed25519",
&sign_extra_ed25519,
0, /* no supported flags */
};
/* OID: 1.2.840.10045.3.1.7 (ansiX9p256r1) */
@ -2441,6 +2442,7 @@ const ssh_keyalg ssh_ecdsa_nistp256 = {
"ecdsa-sha2-nistp256",
"ecdsa-sha2-nistp256",
&sign_extra_nistp256,
0, /* no supported flags */
};
/* OID: 1.3.132.0.34 (secp384r1) */
@ -2469,6 +2471,7 @@ const ssh_keyalg ssh_ecdsa_nistp384 = {
"ecdsa-sha2-nistp384",
"ecdsa-sha2-nistp384",
&sign_extra_nistp384,
0, /* no supported flags */
};
/* OID: 1.3.132.0.35 (secp521r1) */
@ -2497,6 +2500,7 @@ const ssh_keyalg ssh_ecdsa_nistp521 = {
"ecdsa-sha2-nistp521",
"ecdsa-sha2-nistp521",
&sign_extra_nistp521,
0, /* no supported flags */
};
/* ----------------------------------------------------------------------

View File

@ -744,7 +744,7 @@ static bool rsa2_verify(ssh_key *key, ptrlen sig, ptrlen data)
}
static void rsa2_sign(ssh_key *key, const void *data, int datalen,
BinarySink *bs)
unsigned flags, BinarySink *bs)
{
struct RSAKey *rsa = container_of(key, struct RSAKey, sshk);
unsigned char *bytes;
@ -800,6 +800,7 @@ const ssh_keyalg ssh_rsa = {
"ssh-rsa",
"rsa2",
NULL,
0, /* no supported flags */
};
struct RSAKey *ssh_rsakex_newkey(const void *data, int len)