diff options
author | Jakub Jelen <jjelen@redhat.com> | 2018-11-22 10:43:18 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-11-30 18:57:38 +0100 |
commit | c3a57fe2dcfe3afbed097fb2ddd70621fc7f8016 (patch) | |
tree | 5dba10019f98eae4a2f56471f02f246afbec3359 | |
parent | a238df2436a07202015a19b2f8b658a360f3e7b9 (diff) | |
download | libssh-c3a57fe2dcfe3afbed097fb2ddd70621fc7f8016.tar.gz libssh-c3a57fe2dcfe3afbed097fb2ddd70621fc7f8016.tar.xz libssh-c3a57fe2dcfe3afbed097fb2ddd70621fc7f8016.zip |
pki: Separate signature extraction and verification
Initial solution proposed by Tilo Eckert <tilo.eckert@flam.de>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a)
-rw-r--r-- | include/libssh/pki.h | 10 | ||||
-rw-r--r-- | src/messages.c | 15 | ||||
-rw-r--r-- | src/packet_cb.c | 19 | ||||
-rw-r--r-- | src/pki.c | 18 |
4 files changed, 34 insertions, 28 deletions
diff --git a/include/libssh/pki.h b/include/libssh/pki.h index b682f273..c2b8f230 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -110,11 +110,11 @@ int ssh_pki_export_signature_blob(const ssh_signature sign, int ssh_pki_import_signature_blob(const ssh_string sig_blob, const ssh_key pubkey, ssh_signature *psig); -int ssh_pki_signature_verify_blob(ssh_session session, - ssh_string sig_blob, - const ssh_key key, - unsigned char *digest, - size_t dlen); +int ssh_pki_signature_verify(ssh_session session, + ssh_signature sig, + const ssh_key key, + unsigned char *digest, + size_t dlen); /* SSH Public Key Functions */ int ssh_pki_export_pubkey_blob(const ssh_key key, diff --git a/src/messages.c b/src/messages.c index c225a80c..400b8e9b 100644 --- a/src/messages.c +++ b/src/messages.c @@ -702,6 +702,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, */ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ ssh_message msg = NULL; + ssh_signature sig = NULL; char *service = NULL; char *method = NULL; int cmp; @@ -835,13 +836,19 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ goto error; } - rc = ssh_pki_signature_verify_blob(session, - sig_blob, + rc = ssh_pki_import_signature_blob(sig_blob, msg->auth_request.pubkey, - ssh_buffer_get(digest), - ssh_buffer_get_len(digest)); + &sig); + if (rc == SSH_OK) { + rc = ssh_pki_signature_verify(session, + sig, + msg->auth_request.pubkey, + ssh_buffer_get(digest), + ssh_buffer_get_len(digest)); + } ssh_string_free(sig_blob); ssh_buffer_free(digest); + ssh_signature_free(sig); if (rc < 0) { SSH_LOG( SSH_LOG_PACKET, diff --git a/src/packet_cb.c b/src/packet_cb.c index af5b966c..5a008c23 100644 --- a/src/packet_cb.c +++ b/src/packet_cb.c @@ -138,6 +138,7 @@ error: SSH_PACKET_CALLBACK(ssh_packet_newkeys){ ssh_string sig_blob = NULL; + ssh_signature sig = NULL; int rc; (void)packet; (void)user; @@ -185,7 +186,12 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ /* get the server public key */ server_key = ssh_dh_get_next_server_publickey(session); if (server_key == NULL) { - return SSH_ERROR; + goto error; + } + + rc = ssh_pki_import_signature_blob(sig_blob, server_key, &sig); + if (rc != SSH_OK) { + goto error; } /* check if public key from server matches user preferences */ @@ -202,13 +208,14 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ } } - rc = ssh_pki_signature_verify_blob(session, - sig_blob, - server_key, - session->next_crypto->secret_hash, - session->next_crypto->digest_len); + rc = ssh_pki_signature_verify(session, + sig, + server_key, + session->next_crypto->secret_hash, + session->next_crypto->digest_len); ssh_string_burn(sig_blob); ssh_string_free(sig_blob); + ssh_signature_free(sig); sig_blob = NULL; if (rc == SSH_ERROR) { goto error; @@ -1916,20 +1916,14 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, return SSH_OK; } -int ssh_pki_signature_verify_blob(ssh_session session, - ssh_string sig_blob, - const ssh_key key, - unsigned char *digest, - size_t dlen) +int ssh_pki_signature_verify(ssh_session session, + ssh_signature sig, + const ssh_key key, + unsigned char *digest, + size_t dlen) { - ssh_signature sig; int rc; - rc = ssh_pki_import_signature_blob(sig_blob, key, &sig); - if (rc < 0) { - return SSH_ERROR; - } - SSH_LOG(SSH_LOG_FUNCTIONS, "Going to verify a %s type signature", sig->type_c); @@ -1997,8 +1991,6 @@ int ssh_pki_signature_verify_blob(ssh_session session, hlen); } - ssh_signature_free(sig); - return rc; } |