upstream: factor out kex_verify_hostkey() - again, duplicated

almost exactly across client and server for several KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
diff --git a/kex.c b/kex.c
index a0d13a8..d8c71bb 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.145 2019/01/21 10:05:09 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.146 2019/01/21 10:07:22 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -1071,6 +1071,22 @@
 	return 0;
 }
 
+int
+kex_verify_host_key(struct ssh *ssh, struct sshkey *server_host_key)
+{
+	struct kex *kex = ssh->kex;
+
+	if (kex->verify_host_key == NULL)
+		return SSH_ERR_INVALID_ARGUMENT;
+	if (server_host_key->type != kex->hostkey_type ||
+	    (kex->hostkey_type == KEY_ECDSA &&
+	    server_host_key->ecdsa_nid != kex->hostkey_nid))
+		return SSH_ERR_KEY_TYPE_MISMATCH;
+	if (kex->verify_host_key(server_host_key, ssh) == -1)
+		return  SSH_ERR_SIGNATURE_INVALID;
+	return 0;
+}
+
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
 void
 dump_digest(char *msg, u_char *digest, int len)
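Review bot: kex_verify_host_key becomes a public entry point (it is declared in kex.h in this commit) but carries no comment stating its contract; add above the definition `/* Check that the server host key has the negotiated type (and curve for ECDSA) and run the caller's verify_host_key callback; returns 0 on success or an SSH_ERR_* code. */`. The callback result is compared only against -1, so any other non-zero return would be accepted as success; if the callback contract is strictly 0/-1 that is fine, but `if (kex->verify_host_key(server_host_key, ssh) != 0)` would be the safer test for a check that gates the whole exchange. The line `return  SSH_ERR_SIGNATURE_INVALID;` has a doubled space.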
diff --git a/kex.h b/kex.h
index fa65b86..e404d03 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.97 2019/01/21 10:05:09 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.98 2019/01/21 10:07:22 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -185,6 +185,7 @@
 int	 kex_prop2buf(struct sshbuf *, char *proposal[PROPOSAL_MAX]);
 void	 kex_prop_free(char **);
 int	 kex_load_hostkey(struct ssh *, struct sshkey **, struct sshkey **);
+int	 kex_verify_host_key(struct ssh *, struct sshkey *);
 
 int	 kex_send_kexinit(struct ssh *);
 int	 kex_input_kexinit(int, u_int32_t, struct ssh *);
diff --git a/kexc25519c.c b/kexc25519c.c
index 59b4e4c..1c7f790 100644
--- a/kexc25519c.c
+++ b/kexc25519c.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519c.c,v 1.11 2019/01/21 09:55:52 djm Exp $ */
+/* $OpenBSD: kexc25519c.c,v 1.12 2019/01/21 10:07:22 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -80,27 +80,14 @@
 	size_t slen, pklen, sbloblen, hashlen;
 	int r;
 
-	if (kex->verify_host_key == NULL) {
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto out;
-	}
-
 	/* hostkey */
 	if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
 	    &sbloblen)) != 0 ||
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type ||
-	    (kex->hostkey_type == KEY_ECDSA &&
-	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
-		r = SSH_ERR_KEY_TYPE_MISMATCH;
+	if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 		goto out;
-	}
-	if (kex->verify_host_key(server_host_key, ssh) == -1) {
-		r = SSH_ERR_SIGNATURE_INVALID;
-		goto out;
-	}
 
 	/* Q_S, server public key */
 	/* signed H */
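Review bot: With the inline NULL-callback test removed from the top of the function, a missing verify_host_key callback is now detected by kex_verify_host_key only after the host-key blob has been read and parsed by sshkey_from_blob, whereas before it was rejected before any packet data was consumed. The end result is the same SSH_ERR_INVALID_ARGUMENT through the out: label, and nothing visible here depends on the order, but the server-supplied key is now parsed in a configuration that was previously treated as a programming error, which is worth a sentence in the commit description. The same reordering appears in kexdhc.c, kexecdhc.c and kexgexc.c. The enclosing function starts and ends outside the hunk.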
diff --git a/kexdhc.c b/kexdhc.c
index 2e26f22..a2af8cb 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhc.c,v 1.28 2019/01/21 10:03:37 djm Exp $ */
+/* $OpenBSD: kexdhc.c,v 1.29 2019/01/21 10:07:22 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -95,26 +95,14 @@
 	size_t slen, sbloblen, hashlen;
 	int r;
 
-	if (kex->verify_host_key == NULL) {
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto out;
-	}
 	/* key, cert */
 	if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
 	    &sbloblen)) != 0 ||
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type ||
-	    (kex->hostkey_type == KEY_ECDSA &&
-	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
-		r = SSH_ERR_KEY_TYPE_MISMATCH;
+	if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 		goto out;
-	}
-	if (kex->verify_host_key(server_host_key, ssh) == -1) {
-		r = SSH_ERR_SIGNATURE_INVALID;
-		goto out;
-	}
 	/* DH parameter f, server public DH key, signed H */
 	if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
 	    (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||
diff --git a/kexecdhc.c b/kexecdhc.c
index 2cff343..bfb9f47 100644
--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhc.c,v 1.15 2019/01/21 09:55:52 djm Exp $ */
+/* $OpenBSD: kexecdhc.c,v 1.16 2019/01/21 10:07:22 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -109,10 +109,6 @@
 	size_t klen = 0, hashlen;
 	int r;
 
-	if (kex->verify_host_key == NULL) {
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto out;
-	}
 	group = kex->ec_group;
 	client_key = kex->ec_client_key;
 
@@ -122,16 +118,8 @@
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type ||
-	    (kex->hostkey_type == KEY_ECDSA &&
-	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
-		r = SSH_ERR_KEY_TYPE_MISMATCH;
+	if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 		goto out;
-	}
-	if (kex->verify_host_key(server_host_key, ssh) == -1) {
-		r = SSH_ERR_SIGNATURE_INVALID;
-		goto out;
-	}
 
 	/* Q_S, server public key */
 	/* signed H */
diff --git a/kexgexc.c b/kexgexc.c
index 600d91a..ac42127 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.32 2019/01/21 10:03:37 djm Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.33 2019/01/21 10:07:22 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -153,26 +153,14 @@
 	int r;
 
 	debug("got SSH2_MSG_KEX_DH_GEX_REPLY");
-	if (kex->verify_host_key == NULL) {
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto out;
-	}
 	/* key, cert */
 	if ((r = sshpkt_get_string(ssh, &server_host_key_blob,
 	    &sbloblen)) != 0 ||
 	    (r = sshkey_from_blob(server_host_key_blob, sbloblen,
 	    &server_host_key)) != 0)
 		goto out;
-	if (server_host_key->type != kex->hostkey_type ||
-	    (kex->hostkey_type == KEY_ECDSA &&
-	    server_host_key->ecdsa_nid != kex->hostkey_nid)) {
-		r = SSH_ERR_KEY_TYPE_MISMATCH;
+	if ((r = kex_verify_host_key(ssh, server_host_key)) != 0)
 		goto out;
-	}
-	if (kex->verify_host_key(server_host_key, ssh) == -1) {
-		r = SSH_ERR_SIGNATURE_INVALID;
-		goto out;
-	}
 	/* DH parameter f, server public DH key, signed H */
 	if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 ||
 	    (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 ||