lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-08-08 19:02:06 +03:00
Code Activity

pki: Separate signature extraction and verification

Browse Source 
Initial solution proposed by Tilo Eckert <tilo.eckert@flam.de>

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2018-11-22 10:43:18 +01:00
committed by Andreas Schneider
parent 7f83a1efae
commit d2434c69c0
4 changed files with 34 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
include/libssh/pki.h
View File

@@ -110,11 +110,11 @@ int ssh_pki_export_signature_blob(const ssh_signature sign,
int ssh_pki_import_signature_blob(const ssh_string sig_blob,
const ssh_key pubkey,
ssh_signature *psig);
int ssh_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob,
const ssh_key key,
unsigned char *digest,
size_t dlen);
int ssh_pki_signature_verify(ssh_session session,
ssh_signature sig,
const ssh_key key,
unsigned char *digest,
size_t dlen);
/* SSH Public Key Functions */
int ssh_pki_export_pubkey_blob(const ssh_key key,

15
src/messages.c
View File

@@ -730,6 +730,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session,
*/
SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
ssh_message msg = NULL;
ssh_signature sig = NULL;
char *service = NULL;
char *method = NULL;
int cmp;
@@ -863,13 +864,19 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
goto error;
}
rc = ssh_pki_signature_verify_blob(session,
sig_blob,
rc = ssh_pki_import_signature_blob(sig_blob,
msg->auth_request.pubkey,
ssh_buffer_get(digest),
ssh_buffer_get_len(digest));
&sig);
if (rc == SSH_OK) {
rc = ssh_pki_signature_verify(session,
sig,
msg->auth_request.pubkey,
ssh_buffer_get(digest),
ssh_buffer_get_len(digest));
}
ssh_string_free(sig_blob);
ssh_buffer_free(digest);
ssh_signature_free(sig);
if (rc < 0) {
SSH_LOG(
SSH_LOG_PACKET,

19
src/packet_cb.c
View File

@@ -138,6 +138,7 @@ error:
SSH_PACKET_CALLBACK(ssh_packet_newkeys){
ssh_string sig_blob = NULL;
ssh_signature sig = NULL;
int rc;
(void)packet;
(void)user;
@@ -185,7 +186,12 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
/* get the server public key */
server_key = ssh_dh_get_next_server_publickey(session);
if (server_key == NULL) {
return SSH_ERROR;
goto error;
}
rc = ssh_pki_import_signature_blob(sig_blob, server_key, &sig);
if (rc != SSH_OK) {
goto error;
}
/* check if public key from server matches user preferences */
@@ -202,13 +208,14 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
}
}
rc = ssh_pki_signature_verify_blob(session,
sig_blob,
server_key,
session->next_crypto->secret_hash,
session->next_crypto->digest_len);
rc = ssh_pki_signature_verify(session,
sig,
server_key,
session->next_crypto->secret_hash,
session->next_crypto->digest_len);
ssh_string_burn(sig_blob);
ssh_string_free(sig_blob);
ssh_signature_free(sig);
sig_blob = NULL;
if (rc == SSH_ERROR) {
goto error;

18
src/pki.c
View File

@@ -1919,20 +1919,14 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
return SSH_OK;
}
int ssh_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob,
const ssh_key key,
unsigned char *digest,
size_t dlen)
int ssh_pki_signature_verify(ssh_session session,
ssh_signature sig,
const ssh_key key,
unsigned char *digest,
size_t dlen)
{
ssh_signature sig;
int rc;
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
if (rc < 0) {
return SSH_ERROR;
}
SSH_LOG(SSH_LOG_FUNCTIONS,
"Going to verify a %s type signature",
sig->type_c);
@@ -2000,8 +1994,6 @@ int ssh_pki_signature_verify_blob(ssh_session session,
hlen);
}
ssh_signature_free(sig);
return rc;
}