mirror of
https://git.libssh.org/projects/libssh.git
synced 2025-07-31 00:03:07 +03:00
pki: Add mbedTLS ECDSA key comparison support
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
committed by
Andreas Schneider
parent
81847bf513
commit
d11869bdb6
@ -1,15 +1,3 @@
|
|||||||
libssh mbedTLS ECDSA support
|
|
||||||
=============================
|
|
||||||
|
|
||||||
When built with mbedTLS, libssh currently does not support ECDSA key comparison.
|
|
||||||
Since the comparison function is used during the verification of publickey
|
|
||||||
authentication requests a libssh server will not be able to deal with ECDSA
|
|
||||||
keys.
|
|
||||||
|
|
||||||
In general, if the ssh_key_cmp function is used with mbedTLS, ECDSA key
|
|
||||||
comparison won't work.
|
|
||||||
|
|
||||||
|
|
||||||
mbedTLS and libssh in multithreaded applications
|
mbedTLS and libssh in multithreaded applications
|
||||||
==================================================
|
==================================================
|
||||||
|
|
||||||
|
@ -451,15 +451,34 @@ int pki_key_compare(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case SSH_KEYTYPE_ECDSA:
|
case SSH_KEYTYPE_ECDSA: {
|
||||||
/* TODO: mbedTLS can't compare ecdsa keys.
|
mbedtls_ecp_keypair *ecdsa1 = k1->ecdsa;
|
||||||
mbedtls_ecdsa_context is actually a mbedtls_ecp_keypair,
|
mbedtls_ecp_keypair *ecdsa2 = k2->ecdsa;
|
||||||
so the private and public points and the group can be accessed
|
|
||||||
through the keypair. However, mbedtls has no method corresponding
|
if (ecdsa1->grp.id != ecdsa2->grp.id) {
|
||||||
to OpenSSL's EC_GROUP_cmp and EC_POITN_cmp, so the comparison
|
|
||||||
would have to be done manually.
|
|
||||||
*/
|
|
||||||
return 1;
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mbedtls_mpi_cmp_mpi(&ecdsa1->Q.X, &ecdsa2->Q.X)) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mbedtls_mpi_cmp_mpi(&ecdsa1->Q.Y, &ecdsa2->Q.Y)) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mbedtls_mpi_cmp_mpi(&ecdsa1->Q.Z, &ecdsa2->Q.Z)) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (what == SSH_KEY_CMP_PRIVATE) {
|
||||||
|
if (mbedtls_mpi_cmp_mpi(&ecdsa1->d, &ecdsa2->d)) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
case SSH_KEYTYPE_ED25519:
|
case SSH_KEYTYPE_ED25519:
|
||||||
/* ed25519 keys handled globally */
|
/* ed25519 keys handled globally */
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -227,11 +227,8 @@ static void torture_pki_ecdsa_duplicate_key(void **state)
|
|||||||
|
|
||||||
assert_string_equal(b64_key, b64_key_gen);
|
assert_string_equal(b64_key, b64_key_gen);
|
||||||
|
|
||||||
#ifndef HAVE_LIBMBEDCRYPTO
|
|
||||||
/* libmbedcrypto can't compare ecdsa keys */
|
|
||||||
rc = ssh_key_cmp(privkey, privkey_dup, SSH_KEY_CMP_PRIVATE);
|
rc = ssh_key_cmp(privkey, privkey_dup, SSH_KEY_CMP_PRIVATE);
|
||||||
assert_true(rc == 0);
|
assert_true(rc == 0);
|
||||||
#endif
|
|
||||||
|
|
||||||
ssh_key_free(pubkey);
|
ssh_key_free(pubkey);
|
||||||
ssh_key_free(privkey);
|
ssh_key_free(privkey);
|
||||||
|
Reference in New Issue
Block a user