mirror of
https://git.libssh.org/projects/libssh.git
synced 2025-08-08 19:02:06 +03:00
pki: Separate signature extraction and verification
Initial solution proposed by Tilo Eckert <tilo.eckert@flam.de> Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
committed by
Andreas Schneider
Andreas Schneider
parent
7f83a1efae
commit
d2434c69c0
@@ -110,8 +110,8 @@ int ssh_pki_export_signature_blob(const ssh_signature sign,
|
|||||||
int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
||||||
const ssh_key pubkey,
|
const ssh_key pubkey,
|
||||||
ssh_signature *psig);
|
ssh_signature *psig);
|
||||||
int ssh_pki_signature_verify_blob(ssh_session session,
|
int ssh_pki_signature_verify(ssh_session session,
|
||||||
ssh_string sig_blob,
|
ssh_signature sig,
|
||||||
const ssh_key key,
|
const ssh_key key,
|
||||||
unsigned char *digest,
|
unsigned char *digest,
|
||||||
size_t dlen);
|
size_t dlen);
|
||||||
|
|||||||
@@ -730,6 +730,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session,
|
|||||||
*/
|
*/
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
|
SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
|
||||||
ssh_message msg = NULL;
|
ssh_message msg = NULL;
|
||||||
|
ssh_signature sig = NULL;
|
||||||
char *service = NULL;
|
char *service = NULL;
|
||||||
char *method = NULL;
|
char *method = NULL;
|
||||||
int cmp;
|
int cmp;
|
||||||
@@ -863,13 +864,19 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_pki_signature_verify_blob(session,
|
rc = ssh_pki_import_signature_blob(sig_blob,
|
||||||
sig_blob,
|
msg->auth_request.pubkey,
|
||||||
|
&sig);
|
||||||
|
if (rc == SSH_OK) {
|
||||||
|
rc = ssh_pki_signature_verify(session,
|
||||||
|
sig,
|
||||||
msg->auth_request.pubkey,
|
msg->auth_request.pubkey,
|
||||||
ssh_buffer_get(digest),
|
ssh_buffer_get(digest),
|
||||||
ssh_buffer_get_len(digest));
|
ssh_buffer_get_len(digest));
|
||||||
|
}
|
||||||
ssh_string_free(sig_blob);
|
ssh_string_free(sig_blob);
|
||||||
ssh_buffer_free(digest);
|
ssh_buffer_free(digest);
|
||||||
|
ssh_signature_free(sig);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
SSH_LOG(
|
SSH_LOG(
|
||||||
SSH_LOG_PACKET,
|
SSH_LOG_PACKET,
|
||||||
|
|||||||
@@ -138,6 +138,7 @@ error:
|
|||||||
|
|
||||||
SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
||||||
ssh_string sig_blob = NULL;
|
ssh_string sig_blob = NULL;
|
||||||
|
ssh_signature sig = NULL;
|
||||||
int rc;
|
int rc;
|
||||||
(void)packet;
|
(void)packet;
|
||||||
(void)user;
|
(void)user;
|
||||||
@@ -185,7 +186,12 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
|||||||
/* get the server public key */
|
/* get the server public key */
|
||||||
server_key = ssh_dh_get_next_server_publickey(session);
|
server_key = ssh_dh_get_next_server_publickey(session);
|
||||||
if (server_key == NULL) {
|
if (server_key == NULL) {
|
||||||
return SSH_ERROR;
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = ssh_pki_import_signature_blob(sig_blob, server_key, &sig);
|
||||||
|
if (rc != SSH_OK) {
|
||||||
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* check if public key from server matches user preferences */
|
/* check if public key from server matches user preferences */
|
||||||
@@ -202,13 +208,14 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_pki_signature_verify_blob(session,
|
rc = ssh_pki_signature_verify(session,
|
||||||
sig_blob,
|
sig,
|
||||||
server_key,
|
server_key,
|
||||||
session->next_crypto->secret_hash,
|
session->next_crypto->secret_hash,
|
||||||
session->next_crypto->digest_len);
|
session->next_crypto->digest_len);
|
||||||
ssh_string_burn(sig_blob);
|
ssh_string_burn(sig_blob);
|
||||||
ssh_string_free(sig_blob);
|
ssh_string_free(sig_blob);
|
||||||
|
ssh_signature_free(sig);
|
||||||
sig_blob = NULL;
|
sig_blob = NULL;
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
goto error;
|
goto error;
|
||||||
|
|||||||
12
src/pki.c
12
src/pki.c
@@ -1919,20 +1919,14 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
|||||||
return SSH_OK;
|
return SSH_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
int ssh_pki_signature_verify_blob(ssh_session session,
|
int ssh_pki_signature_verify(ssh_session session,
|
||||||
ssh_string sig_blob,
|
ssh_signature sig,
|
||||||
const ssh_key key,
|
const ssh_key key,
|
||||||
unsigned char *digest,
|
unsigned char *digest,
|
||||||
size_t dlen)
|
size_t dlen)
|
||||||
{
|
{
|
||||||
ssh_signature sig;
|
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
|
|
||||||
if (rc < 0) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
SSH_LOG(SSH_LOG_FUNCTIONS,
|
SSH_LOG(SSH_LOG_FUNCTIONS,
|
||||||
"Going to verify a %s type signature",
|
"Going to verify a %s type signature",
|
||||||
sig->type_c);
|
sig->type_c);
|
||||||
@@ -2000,8 +1994,6 @@ int ssh_pki_signature_verify_blob(ssh_session session,
|
|||||||
hlen);
|
hlen);
|
||||||
}
|
}
|
||||||
|
|
||||||
ssh_signature_free(sig);
|
|
||||||
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user