diff options
author | Andreas Schneider <asn@cryptomilk.org> | 2011-08-23 08:19:53 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2011-08-23 08:19:53 +0200 |
commit | 149be78ee046057391311fd5c5778bfaa22a7b4f (patch) | |
tree | 5c855092bd31a09e31a366684b75dcee815d12e1 /src/client.c | |
parent | 8fb8ad01516623976431264f89aed40f274c0787 (diff) | |
download | libssh-149be78ee046057391311fd5c5778bfaa22a7b4f.tar.gz libssh-149be78ee046057391311fd5c5778bfaa22a7b4f.tar.xz libssh-149be78ee046057391311fd5c5778bfaa22a7b4f.zip |
pki: We need only one signature verify blob function.
This fixes the build without server.
Diffstat (limited to 'src/client.c')
-rw-r--r-- | src/client.c | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/src/client.c b/src/client.c index 6a7b4970..c7f33a5a 100644 --- a/src/client.c +++ b/src/client.c @@ -228,6 +228,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ /* server things are done in server.c */ session->dh_handshake_state=DH_STATE_FINISHED; } else { + ssh_key key; /* client */ rc = make_sessionid(session); if (rc != SSH_OK) { @@ -249,16 +250,44 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ /* Verify the host's signature. FIXME do it sooner */ sig_blob = session->next_crypto->dh_server_signature; session->next_crypto->dh_server_signature = NULL; + + /* get the server public key */ + rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key); + if (rc < 0) { + return SSH_ERROR; + } + + /* check if public key from server matches user preferences */ + if (session->wanted_methods[SSH_HOSTKEYS]) { + if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS], + key->type_c)) { + ssh_set_error(session, + SSH_FATAL, + "Public key from server (%s) doesn't match user " + "preference (%s)", + key->type_c, + session->wanted_methods[SSH_HOSTKEYS]); + ssh_key_free(key); + return -1; + } + } + rc = ssh_pki_signature_verify_blob(session, - sig_blob); + sig_blob, + key, + session->next_crypto->session_id, + session->next_crypto->digest_len); + /* Set the server public key type for known host checking */ + session->next_crypto->server_pubkey_type = key->type_c; + + ssh_key_free(key); + ssh_string_burn(sig_blob); + ssh_string_free(sig_blob); + sig_blob = NULL; if (rc == SSH_ERROR) { goto error; } ssh_log(session,SSH_LOG_PROTOCOL,"Signature verified and valid"); - /* forget it for now ... */ - ssh_string_burn(sig_blob); - ssh_string_free(sig_blob); - sig_blob = NULL; /* * Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and |