aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJakub Jelen <jjelen@redhat.com>2018-11-22 10:43:18 +0100
committerAndreas Schneider <asn@cryptomilk.org>2018-11-30 16:21:18 +0100
commitd2434c69c008aa1cd3bd488ca6bc524da0e4ca3a (patch)
tree9c7e75f20d783734a4644dcd81cf1766ea62adb6 /src
parent7f83a1efae6a7da19e18268d6298fc11b4e68c57 (diff)
downloadlibssh-d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a.tar.gz
libssh-d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a.tar.xz
libssh-d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a.zip
pki: Separate signature extraction and verification
Initial solution proposed by Tilo Eckert <tilo.eckert@flam.de> Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r--src/messages.c15
-rw-r--r--src/packet_cb.c19
-rw-r--r--src/pki.c18
3 files changed, 29 insertions, 23 deletions
diff --git a/src/messages.c b/src/messages.c
index 9273fda7..4c83cf0b 100644
--- a/src/messages.c
+++ b/src/messages.c
@@ -730,6 +730,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session,
*/
SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
ssh_message msg = NULL;
+ ssh_signature sig = NULL;
char *service = NULL;
char *method = NULL;
int cmp;
@@ -863,13 +864,19 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
goto error;
}
- rc = ssh_pki_signature_verify_blob(session,
- sig_blob,
+ rc = ssh_pki_import_signature_blob(sig_blob,
msg->auth_request.pubkey,
- ssh_buffer_get(digest),
- ssh_buffer_get_len(digest));
+ &sig);
+ if (rc == SSH_OK) {
+ rc = ssh_pki_signature_verify(session,
+ sig,
+ msg->auth_request.pubkey,
+ ssh_buffer_get(digest),
+ ssh_buffer_get_len(digest));
+ }
ssh_string_free(sig_blob);
ssh_buffer_free(digest);
+ ssh_signature_free(sig);
if (rc < 0) {
SSH_LOG(
SSH_LOG_PACKET,
diff --git a/src/packet_cb.c b/src/packet_cb.c
index 7e2902d3..e655c88d 100644
--- a/src/packet_cb.c
+++ b/src/packet_cb.c
@@ -138,6 +138,7 @@ error:
SSH_PACKET_CALLBACK(ssh_packet_newkeys){
ssh_string sig_blob = NULL;
+ ssh_signature sig = NULL;
int rc;
(void)packet;
(void)user;
@@ -185,7 +186,12 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
/* get the server public key */
server_key = ssh_dh_get_next_server_publickey(session);
if (server_key == NULL) {
- return SSH_ERROR;
+ goto error;
+ }
+
+ rc = ssh_pki_import_signature_blob(sig_blob, server_key, &sig);
+ if (rc != SSH_OK) {
+ goto error;
}
/* check if public key from server matches user preferences */
@@ -202,13 +208,14 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
}
}
- rc = ssh_pki_signature_verify_blob(session,
- sig_blob,
- server_key,
- session->next_crypto->secret_hash,
- session->next_crypto->digest_len);
+ rc = ssh_pki_signature_verify(session,
+ sig,
+ server_key,
+ session->next_crypto->secret_hash,
+ session->next_crypto->digest_len);
ssh_string_burn(sig_blob);
ssh_string_free(sig_blob);
+ ssh_signature_free(sig);
sig_blob = NULL;
if (rc == SSH_ERROR) {
goto error;
diff --git a/src/pki.c b/src/pki.c
index 2bbf813c..0080b539 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -1919,20 +1919,14 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
return SSH_OK;
}
-int ssh_pki_signature_verify_blob(ssh_session session,
- ssh_string sig_blob,
- const ssh_key key,
- unsigned char *digest,
- size_t dlen)
+int ssh_pki_signature_verify(ssh_session session,
+ ssh_signature sig,
+ const ssh_key key,
+ unsigned char *digest,
+ size_t dlen)
{
- ssh_signature sig;
int rc;
- rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
- if (rc < 0) {
- return SSH_ERROR;
- }
-
SSH_LOG(SSH_LOG_FUNCTIONS,
"Going to verify a %s type signature",
sig->type_c);
@@ -2000,8 +1994,6 @@ int ssh_pki_signature_verify_blob(ssh_session session,
hlen);
}
- ssh_signature_free(sig);
-
return rc;
}