Do not accept signatures not meeting size requirements

Thanks to Harry Sintonen from WithSecure for pointing this out. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2022-05-10 11:39:23 +02:00 · 2022-05-10 11:39:23 +02:00 · ddd0367e9c
--- a/src/pki.c
+++ b/src/pki.c
@ -2460,6 +2460,7 @@ int ssh_pki_signature_verify(ssh_session session,
                             size_t input_len)
 {
    int rc;
+    bool allowed;
    enum ssh_keytypes_e key_type;

    if (session == NULL || sig == NULL || key == NULL || input == NULL) {
@ -2480,6 +2481,13 @@ int ssh_pki_signature_verify(ssh_session session,
        return SSH_ERROR;
    }

+    allowed = ssh_key_size_allowed(session, key);
+    if (!allowed) {
+        ssh_set_error(session, SSH_FATAL, "The '%s' key of size %d is not "
+                      "allowd by RSA_MIN_SIZE", key->type_c, ssh_key_size(key));
+        return SSH_ERROR;
+    }
+
    /* Check if public key and hash type are compatible */
    rc = pki_key_check_hash_compatible(key, sig->hash_type);
    if (rc != SSH_OK) {
--- a/tests/unittests/torture_pki_rsa.c
+++ b/tests/unittests/torture_pki_rsa.c
@ -665,6 +665,44 @@ static void torture_pki_rsa_sha2(void **state)
    ssh_free(session);
 }

+static void torture_pki_rsa_key_size(void **state)
+{
+    int rc;
+    ssh_key key = NULL, pubkey = NULL;
+    ssh_signature sign = NULL;
+    ssh_session session=ssh_new();
+    unsigned int length = 4096;
+
+    (void) state;
+
+    rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 2048, &key);
+    assert_true(rc == SSH_OK);
+    assert_non_null(key);
+    rc = ssh_pki_export_privkey_to_pubkey(key, &pubkey);
+    assert_int_equal(rc, SSH_OK);
+    assert_non_null(pubkey);
+    sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256);
+    assert_non_null(sign);
+    rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
+    assert_ssh_return_code(session, rc);
+
+    /* Set the minumum RSA key size to 4k */
+    rc = ssh_options_set(session, SSH_OPTIONS_RSA_MIN_SIZE, &length);
+    assert_ssh_return_code(session, rc);
+
+    /* the verification should fail now */
+    rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
+    assert_true(rc == SSH_ERROR);
+
+    ssh_signature_free(sign);
+    SSH_KEY_FREE(key);
+    SSH_KEY_FREE(pubkey);
+    key = NULL;
+    pubkey = NULL;
+
+    ssh_free(session);
+}
+
 static int test_sign_verify_data(ssh_key key,
                                 enum ssh_digest_e hash_type,
                                 const unsigned char *input,
@ -985,6 +1023,7 @@ int torture_run_tests(void) {
                                        setup_rsa_key,
                                        teardown),
        cmocka_unit_test(torture_pki_rsa_generate_key),
+        cmocka_unit_test(torture_pki_rsa_key_size),
 #if defined(HAVE_LIBCRYPTO)
        cmocka_unit_test_setup_teardown(torture_pki_rsa_write_privkey,
                                        setup_rsa_key,