e3ddbe6a80
- Fix CVEs and fix issues found by cosvcan after the change Resolves: rhbz#2182252, rhbz#2189740 Signed-off-by: Norbert Pocs <npocs@redhat.com>
83 lines
2.5 KiB
Diff
83 lines
2.5 KiB
Diff
diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
|
|
--- ../libssh-0.10.4/src/pki_crypto.c 2023-04-27 13:24:03.105744519 +0200
|
|
+++ ./src/pki_crypto.c 2023-04-27 13:30:24.016756496 +0200
|
|
@@ -3186,8 +3186,12 @@
|
|
unsigned char *raw_sig_data = NULL;
|
|
unsigned int raw_sig_len;
|
|
|
|
+ /* Function return code
|
|
+ * Do not change this variable throughout the function until the signature
|
|
+ * is successfully verified!
|
|
+ */
|
|
int rc = SSH_ERROR;
|
|
- int evp_rc;
|
|
+ int ok;
|
|
|
|
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
|
|
signature == NULL || (signature->raw_sig == NULL
|
|
@@ -3202,8 +3206,8 @@
|
|
}
|
|
|
|
/* Check if public key and hash type are compatible */
|
|
- rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
|
|
- if (rc != SSH_OK) {
|
|
+ ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
|
|
+ if (ok != SSH_OK) {
|
|
return SSH_ERROR;
|
|
}
|
|
|
|
@@ -3248,8 +3252,8 @@
|
|
}
|
|
|
|
/* Verify the signature */
|
|
- evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
|
|
- if (evp_rc != 1){
|
|
+ ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
|
|
+ if (ok != 1){
|
|
SSH_LOG(SSH_LOG_TRACE,
|
|
"EVP_DigestVerifyInit() failed: %s",
|
|
ERR_error_string(ERR_get_error(), NULL));
|
|
@@ -3257,32 +3261,30 @@
|
|
}
|
|
|
|
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
|
|
- evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
|
|
+ ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
|
|
#else
|
|
- evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
|
|
- if (evp_rc != 1) {
|
|
+ ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
|
|
+ if (ok != 1) {
|
|
SSH_LOG(SSH_LOG_TRACE,
|
|
"EVP_DigestVerifyUpdate() failed: %s",
|
|
ERR_error_string(ERR_get_error(), NULL));
|
|
goto out;
|
|
}
|
|
|
|
- evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
|
|
+ ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
|
|
#endif
|
|
- if (evp_rc == 1) {
|
|
- SSH_LOG(SSH_LOG_TRACE, "Signature valid");
|
|
- rc = SSH_OK;
|
|
- } else {
|
|
+ if (ok != 1) {
|
|
SSH_LOG(SSH_LOG_TRACE,
|
|
"Signature invalid: %s",
|
|
ERR_error_string(ERR_get_error(), NULL));
|
|
- rc = SSH_ERROR;
|
|
+ goto out;
|
|
}
|
|
|
|
+ SSH_LOG(SSH_LOG_TRACE, "Signature valid");
|
|
+ rc = SSH_OK;
|
|
+
|
|
out:
|
|
- if (ctx != NULL) {
|
|
- EVP_MD_CTX_free(ctx);
|
|
- }
|
|
+ EVP_MD_CTX_free(ctx);
|
|
EVP_PKEY_free(pkey);
|
|
return rc;
|
|
}
|