@@ -2403,7 +2403,10 @@ int wolfSSH_ProcessBuffer(WOLFSSH_CTX* ctx,
24032403 if (der == NULL)
24042404 return WS_MEMORY_E;
24052405
2406- ret = wc_CertPemToDer(in, inSz, der, inSz, wcType);
2406+ if (type == BUFTYPE_PRIVKEY)
2407+ ret = wc_KeyPemToDer(in, inSz, der, inSz, NULL);
2408+ else
2409+ ret = wc_CertPemToDer(in, inSz, der, inSz, wcType);
24072410 if (ret < 0) {
24082411 WFREE(der, heap, dynamicType);
24092412 return WS_BAD_FILE_E;
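Review bot: The new private-key branch passes NULL as the password to wc_KeyPemToDer, so an encrypted PEM private key fails the conversion and is reported as WS_BAD_FILE_E, indistinguishable from a corrupt file; if that is the intended policy, state it at the call, e.g. `/* No password is supplied: encrypted PEM private keys are rejected as WS_BAD_FILE_E */`. The two single-statement bodies are also unbraced, whereas the other hunks in this commit brace every `if` body; `if (type == BUFTYPE_PRIVKEY) { ... } else { ... }` keeps the file consistent. wolfSSH_ProcessBuffer starts and ends outside the hunk.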
@@ -7040,11 +7043,33 @@ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
70407043 }
70417044
70427045 if (ret == WS_SUCCESS) {
7043- if (publicKeyTypeSz != pk->publicKeyTypeSz
7044- || publicKeyType == NULL
7045- || WMEMCMP(publicKeyType, pk->publicKeyType,
7046- publicKeyTypeSz) != 0) {
7047-
7046+ int sigTypeOk = 0;
7047+ if (publicKeyType != NULL) {
7048+ if (publicKeyTypeSz == pk->publicKeyTypeSz
7049+ && WMEMCMP(publicKeyType, pk->publicKeyType,
7050+ publicKeyTypeSz) == 0) {
7051+ sigTypeOk = 1;
7052+ }
7053+ #ifdef WOLFSSH_CERTS
7054+ else if (pk->publicKeyTypeSz == 14
7055+ && WMEMCMP(pk->publicKeyType,
7056+ "x509v3-ssh-rsa", 14) == 0) {
7057+ /* RFC 6187 Section 5: the signature uses the underlying
7058+ * RSA algorithm, not the X.509 key type name. */
7059+ if ((publicKeyTypeSz == 7
7060+ && WMEMCMP(publicKeyType, "ssh-rsa", 7) == 0)
7061+ || (publicKeyTypeSz == 12
7062+ && WMEMCMP(publicKeyType,
7063+ "rsa-sha2-256", 12) == 0)
7064+ || (publicKeyTypeSz == 12
7065+ && WMEMCMP(publicKeyType,
7066+ "rsa-sha2-512", 12) == 0)) {
7067+ sigTypeOk = 1;
7068+ }
7069+ }
7070+ #endif
7071+ }
7072+ if (!sigTypeOk) {
70487073 WLOG(WS_LOG_DEBUG,
70497074 "Signature's type does not match public key type");
70507075 ret = WS_INVALID_ALGO_ID;
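Review bot: Accepting three different signature names for an x509v3-ssh-rsa key is only sound if the digest used by the verification that follows is selected from publicKeyType (the signature's own name) and not from pk->publicKeyType, which in this branch is always the X.509 name; that selection is outside the hunk, so please confirm it keys off the signature name. The same literal-matching block is pasted into DoUserAuthRequestRsaCert in the later hunk of this commit, with a different nesting of the NULL check, which is a maintenance hazard for an authentication decision. A single static helper such as the one below gives the RFC 6187 rule one home and removes the duplication; if the file's name-to-ID lookup is usable at this point, comparing IDs instead would also drop the hard-coded 7/12/14 lengths. DoUserAuthRequestRsa begins and ends outside the hunk.
```c
/* Returns 1 when a userauth signature named sigType/sigTypeSz is acceptable
 * for a request whose public key algorithm is keyType/keyTypeSz, 0 otherwise.
 * Exact match is always accepted; for an X.509 RSA key the signature carries
 * the underlying RSA algorithm name (RFC 6187 Section 5). */
static int RsaSigTypeMatchesKeyType(const byte* sigType, word32 sigTypeSz,
        const byte* keyType, word32 keyTypeSz)
{
    if (sigType == NULL) {
        return 0;
    }
    if (sigTypeSz == keyTypeSz && WMEMCMP(sigType, keyType, sigTypeSz) == 0) {
        return 1;
    }
#ifdef WOLFSSH_CERTS
    if (keyTypeSz == 14 && WMEMCMP(keyType, "x509v3-ssh-rsa", 14) == 0) {
        return (sigTypeSz == 7 && WMEMCMP(sigType, "ssh-rsa", 7) == 0)
            || (sigTypeSz == 12 && WMEMCMP(sigType, "rsa-sha2-256", 12) == 0)
            || (sigTypeSz == 12 && WMEMCMP(sigType, "rsa-sha2-512", 12) == 0);
    }
#endif
    return 0;
}

    /* … in DoUserAuthRequestRsa, replacing the sigTypeOk block … */
    if (ret == WS_SUCCESS) {
        if (!RsaSigTypeMatchesKeyType(publicKeyType, publicKeyTypeSz,
                    pk->publicKeyType, pk->publicKeyTypeSz)) {
            /* … unchanged: WLOG and ret = WS_INVALID_ALGO_ID … */
```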
@@ -7179,10 +7204,33 @@ static int DoUserAuthRequestRsaCert(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
71797204 }
71807205
71817206 if (ret == WS_SUCCESS) {
7182- if (publicKeyTypeSz != pk->publicKeyTypeSz
7183- || WMEMCMP(publicKeyType, pk->publicKeyType,
7184- publicKeyTypeSz) != 0) {
7185-
7207+ int sigTypeOk = 0;
7208+ if (publicKeyType != NULL
7209+ && publicKeyTypeSz == pk->publicKeyTypeSz
7210+ && WMEMCMP(publicKeyType, pk->publicKeyType,
7211+ publicKeyTypeSz) == 0) {
7212+ sigTypeOk = 1;
7213+ }
7214+ #ifdef WOLFSSH_CERTS
7215+ else if (publicKeyType != NULL
7216+ && pk->publicKeyTypeSz == 14
7217+ && WMEMCMP(pk->publicKeyType,
7218+ "x509v3-ssh-rsa", 14) == 0) {
7219+ /* RFC 6187 Section 5: the signature uses the underlying
7220+ * RSA algorithm, not the X.509 key type name. */
7221+ if ((publicKeyTypeSz == 7
7222+ && WMEMCMP(publicKeyType, "ssh-rsa", 7) == 0)
7223+ || (publicKeyTypeSz == 12
7224+ && WMEMCMP(publicKeyType,
7225+ "rsa-sha2-256", 12) == 0)
7226+ || (publicKeyTypeSz == 12
7227+ && WMEMCMP(publicKeyType,
7228+ "rsa-sha2-512", 12) == 0)) {
7229+ sigTypeOk = 1;
7230+ }
7231+ }
7232+ #endif
7233+ if (!sigTypeOk) {
71867234 WLOG(WS_LOG_DEBUG,
71877235 "Signature's type does not match public key type");
71887236 ret = WS_INVALID_ALGO_ID;
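Review bot: The `#ifdef WOLFSSH_CERTS` around the RFC 6187 branch looks redundant inside DoUserAuthRequestRsaCert, which by its name presumably only exists when certificate support is compiled in; if the whole function is already under that guard, the inner guard can go and the twice-repeated `publicKeyType != NULL` test can be hoisted into one check ahead of both comparisons. The function's enclosing guard is outside the hunk, so confirm before removing it.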
@@ -12667,8 +12715,20 @@ int SendKexDhReply(WOLFSSH* ssh)
1266712715 * add it to the hash and then add K. */
1266812716 if (ret == WS_SUCCESS) {
1266912717 sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock_ptr->pubKeyNameSz + sigSz;
12670- payloadSz = MSG_ID_SZ + (LENGTH_SZ * 3) +
12671- sigKeyBlock_ptr->sz + fSz + fPad + sigBlockSz;
12718+ #ifdef WOLFSSH_CERTS
12719+ if (sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_SSH_RSA
12720+ || sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP256
12721+ || sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP384
12722+ || sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP521) {
12723+ payloadSz = MSG_ID_SZ + (LENGTH_SZ * 2) +
12724+ sigKeyBlock_ptr->sz + fSz + fPad + sigBlockSz;
12725+ }
12726+ else
12727+ #endif
12728+ {
12729+ payloadSz = MSG_ID_SZ + (LENGTH_SZ * 3) +
12730+ sigKeyBlock_ptr->sz + fSz + fPad + sigBlockSz;
12731+ }
1267212732 ret = PreparePacket(ssh, payloadSz);
1267312733 }
1267412734
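Review bot: The four-way pubKeyFmtId test is written out twice, here for payload sizing and again in the next hunk at the K_S header (where its first branch is an empty body holding only a comment), so the two sites can drift apart and the packet would then be sized for a different layout than is written. The sizing also relies on sigKeyBlock_ptr->sz already counting the outer length and key-type name that BuildRFC6187Info emits, per the comment in the next hunk; where sz is assigned is outside this hunk, so a comment there stating that contract would help. A small static predicate, used at both sites, keeps the decision in one place and turns the empty branch into a plain negated `if`. SendKexDhReply begins and ends outside the hunk.
```c
/* True when K_S for this key format is produced whole by BuildRFC6187Info,
 * i.e. the outer length and key-type name are not written by the caller. */
static int IsX509PubKeyFmtId(byte pubKeyFmtId)
{
#ifdef WOLFSSH_CERTS
    return pubKeyFmtId == ID_X509V3_SSH_RSA
        || pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP256
        || pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP384
        || pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP521;
#else
    (void)pubKeyFmtId;
    return 0;
#endif
}

        /* … payload sizing … */
        sigBlockSz = (LENGTH_SZ * 2) + sigKeyBlock_ptr->pubKeyNameSz + sigSz;
        /* X.509 K_S carries its own outer length and name fields. */
        payloadSz = MSG_ID_SZ
            + (LENGTH_SZ * (IsX509PubKeyFmtId(sigKeyBlock_ptr->pubKeyFmtId) ? 2 : 3))
            + sigKeyBlock_ptr->sz + fSz + fPad + sigBlockSz;

        /* … K_S header in the next hunk … */
        if (!IsX509PubKeyFmtId(sigKeyBlock_ptr->pubKeyFmtId)) {
            /* … unchanged: copy key block size and key name … */
        }
```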
@@ -12678,15 +12738,28 @@ int SendKexDhReply(WOLFSSH* ssh)
1267812738
1267912739 output[idx++] = msgId;
1268012740
12681- /* Copy the key block size into the buffer */
12682- c32toa(sigKeyBlock_ptr->sz, output + idx);
12683- idx += LENGTH_SZ;
12741+ #ifdef WOLFSSH_CERTS
12742+ if (sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_SSH_RSA
12743+ || sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP256
12744+ || sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP384
12745+ || sigKeyBlock_ptr->pubKeyFmtId == ID_X509V3_ECDSA_SHA2_NISTP521) {
12746+ /* BuildRFC6187Info writes the complete K_S including
12747+ * the outer length and key type name. Skip common header. */
12748+ }
12749+ else
12750+ #endif
12751+ {
12752+ /* Copy the key block size into the buffer */
12753+ c32toa(sigKeyBlock_ptr->sz, output + idx);
12754+ idx += LENGTH_SZ;
1268412755
12685- /* Copy the key name into the buffer */
12686- c32toa(sigKeyBlock_ptr->pubKeyFmtNameSz, output + idx);
12687- idx += LENGTH_SZ;
12688- WMEMCPY(output + idx, sigKeyBlock_ptr->pubKeyFmtName, sigKeyBlock_ptr->pubKeyFmtNameSz);
12689- idx += sigKeyBlock_ptr->pubKeyFmtNameSz;
12756+ /* Copy the key name into the buffer */
12757+ c32toa(sigKeyBlock_ptr->pubKeyFmtNameSz, output + idx);
12758+ idx += LENGTH_SZ;
12759+ WMEMCPY(output + idx, sigKeyBlock_ptr->pubKeyFmtName,
12760+ sigKeyBlock_ptr->pubKeyFmtNameSz);
12761+ idx += sigKeyBlock_ptr->pubKeyFmtNameSz;
12762+ }
1269012763
1269112764 /* add host public key */
1269212765 switch (sigKeyBlock_ptr->pubKeyFmtId) {