diff options
author | Jakub Jelen <jjelen@redhat.com> | 2018-11-22 10:43:18 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-11-30 16:21:18 +0100 |
commit | d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a (patch) | |
tree | 9c7e75f20d783734a4644dcd81cf1766ea62adb6 /src | |
parent | 7f83a1efae6a7da19e18268d6298fc11b4e68c57 (diff) | |
download | libssh-d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a.tar.gz libssh-d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a.tar.xz libssh-d2434c69c008aa1cd3bd488ca6bc524da0e4ca3a.zip |
pki: Separate signature extraction and verification
Initial solution proposed by Tilo Eckert <tilo.eckert@flam.de>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/messages.c | 15 | ||||
-rw-r--r-- | src/packet_cb.c | 19 | ||||
-rw-r--r-- | src/pki.c | 18 |
3 files changed, 29 insertions, 23 deletions
diff --git a/src/messages.c b/src/messages.c index 9273fda7..4c83cf0b 100644 --- a/src/messages.c +++ b/src/messages.c @@ -730,6 +730,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, */ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ ssh_message msg = NULL; + ssh_signature sig = NULL; char *service = NULL; char *method = NULL; int cmp; @@ -863,13 +864,19 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ goto error; } - rc = ssh_pki_signature_verify_blob(session, - sig_blob, + rc = ssh_pki_import_signature_blob(sig_blob, msg->auth_request.pubkey, - ssh_buffer_get(digest), - ssh_buffer_get_len(digest)); + &sig); + if (rc == SSH_OK) { + rc = ssh_pki_signature_verify(session, + sig, + msg->auth_request.pubkey, + ssh_buffer_get(digest), + ssh_buffer_get_len(digest)); + } ssh_string_free(sig_blob); ssh_buffer_free(digest); + ssh_signature_free(sig); if (rc < 0) { SSH_LOG( SSH_LOG_PACKET, diff --git a/src/packet_cb.c b/src/packet_cb.c index 7e2902d3..e655c88d 100644 --- a/src/packet_cb.c +++ b/src/packet_cb.c @@ -138,6 +138,7 @@ error: SSH_PACKET_CALLBACK(ssh_packet_newkeys){ ssh_string sig_blob = NULL; + ssh_signature sig = NULL; int rc; (void)packet; (void)user; @@ -185,7 +186,12 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ /* get the server public key */ server_key = ssh_dh_get_next_server_publickey(session); if (server_key == NULL) { - return SSH_ERROR; + goto error; + } + + rc = ssh_pki_import_signature_blob(sig_blob, server_key, &sig); + if (rc != SSH_OK) { + goto error; } /* check if public key from server matches user preferences */ @@ -202,13 +208,14 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){ } } - rc = ssh_pki_signature_verify_blob(session, - sig_blob, - server_key, - session->next_crypto->secret_hash, - session->next_crypto->digest_len); + rc = ssh_pki_signature_verify(session, + sig, + server_key, + session->next_crypto->secret_hash, + session->next_crypto->digest_len); ssh_string_burn(sig_blob); ssh_string_free(sig_blob); + ssh_signature_free(sig); sig_blob = NULL; if (rc == SSH_ERROR) { goto error; @@ -1919,20 +1919,14 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, return SSH_OK; } -int ssh_pki_signature_verify_blob(ssh_session session, - ssh_string sig_blob, - const ssh_key key, - unsigned char *digest, - size_t dlen) +int ssh_pki_signature_verify(ssh_session session, + ssh_signature sig, + const ssh_key key, + unsigned char *digest, + size_t dlen) { - ssh_signature sig; int rc; - rc = ssh_pki_import_signature_blob(sig_blob, key, &sig); - if (rc < 0) { - return SSH_ERROR; - } - SSH_LOG(SSH_LOG_FUNCTIONS, "Going to verify a %s type signature", sig->type_c); @@ -2000,8 +1994,6 @@ int ssh_pki_signature_verify_blob(ssh_session session, hlen); } - ssh_signature_free(sig); - return rc; } |