authorAndreas Schneider <asn@cryptomilk.org>2011-08-23 08:19:53 +0200
committerAndreas Schneider <asn@cryptomilk.org>2011-08-23 08:19:53 +0200
commit149be78ee046057391311fd5c5778bfaa22a7b4f (patch)
tree5c855092bd31a09e31a366684b75dcee815d12e1
parent8fb8ad01516623976431264f89aed40f274c0787 (diff)
pki: We need only one signature verify blob function.
This fixes the build without server.
-rw-r--r--include/libssh/pki.h10
-rw-r--r--src/client.c39
-rw-r--r--src/messages.c10
-rw-r--r--src/pki.c69
4 files changed, 48 insertions, 80 deletions
diff --git a/include/libssh/pki.h b/include/libssh/pki.h
index ef2ea09..0d89821 100644
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -69,12 +69,10 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
const ssh_key pubkey,
ssh_signature *psig);
int ssh_pki_signature_verify_blob(ssh_session session,
- ssh_string sig_blob);
-int ssh_srv_pki_signature_verify_blob(ssh_session session,
- ssh_string sig_blob,
- const ssh_key key,
- unsigned char *digest,
- size_t dlen);
+ ssh_string sig_blob,
+ const ssh_key key,
+ unsigned char *digest,
+ size_t dlen);
/* SSH Public Key Functions */
ssh_string ssh_pki_export_pubkey_blob(const ssh_key key);
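Review bot: The merged prototype carries no comment, and the parameter name `digest` is misleading: the src/pki.c hunk shows the function running `sha1(digest, dlen, hash + 1)` over it, so callers pass the data that was signed rather than a finished hash. I would add above the declaration `/* digest/dlen: the signed data; it is hashed with SHA-1 here before the signature is checked. */`. The comment should also say who frees `key`, because the parameter is declared `const ssh_key` and the client caller in this commit frees the key itself after the call.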
diff --git a/src/client.c b/src/client.c
index 6a7b497..c7f33a5 100644
--- a/src/client.c
+++ b/src/client.c
@@ -228,6 +228,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
/* server things are done in server.c */
session->dh_handshake_state=DH_STATE_FINISHED;
} else {
+ ssh_key key;
/* client */
rc = make_sessionid(session);
if (rc != SSH_OK) {
@@ -249,16 +250,44 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
/* Verify the host's signature. FIXME do it sooner */
sig_blob = session->next_crypto->dh_server_signature;
session->next_crypto->dh_server_signature = NULL;
+
+ /* get the server public key */
+ rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
+ if (rc < 0) {
+ return SSH_ERROR;
+ }
+
+ /* check if public key from server matches user preferences */
+ if (session->wanted_methods[SSH_HOSTKEYS]) {
+ if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
+ key->type_c)) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "Public key from server (%s) doesn't match user "
+ "preference (%s)",
+ key->type_c,
+ session->wanted_methods[SSH_HOSTKEYS]);
+ ssh_key_free(key);
+ return -1;
+ }
+ }
+
rc = ssh_pki_signature_verify_blob(session,
- sig_blob);
+ sig_blob,
+ key,
+ session->next_crypto->session_id,
+ session->next_crypto->digest_len);
+ /* Set the server public key type for known host checking */
+ session->next_crypto->server_pubkey_type = key->type_c;
+
+ ssh_key_free(key);
+ ssh_string_burn(sig_blob);
+ ssh_string_free(sig_blob);
+ sig_blob = NULL;
if (rc == SSH_ERROR) {
goto error;
}
ssh_log(session,SSH_LOG_PROTOCOL,"Signature verified and valid");
- /* forget it for now ... */
- ssh_string_burn(sig_blob);
- ssh_string_free(sig_blob);
- sig_blob = NULL;
/*
* Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and
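Review bot: The two new early exits, `return SSH_ERROR;` after ssh_pki_import_pubkey_blob() and `return -1;` after the host key type mismatch, leave the callback without going through the `error` label that a failed verification uses a few lines below, and without burning or freeing `sig_blob`, which has already been detached from `session->next_crypto->dh_server_signature`. What the `error` label does is outside the hunk, but it is presumably where the session is put into its failed state, so a host key that cannot be imported or is not wanted should take the same path as a bad signature. Unless that label already releases the blob, both branches should end with `ssh_string_burn(sig_blob); ssh_string_free(sig_blob); goto error;`, keeping the `ssh_key_free(key);` in the mismatch branch. The callback body starts and ends outside the hunk.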
diff --git a/src/messages.c b/src/messages.c
index d8aad75..94cf79e 100644
--- a/src/messages.c
+++ b/src/messages.c
@@ -617,11 +617,11 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
goto error;
}
- rc = ssh_srv_pki_signature_verify_blob(session,
- sig_blob,
- msg->auth_request.pubkey,
- buffer_get_rest(digest),
- buffer_get_rest_len(digest));
+ rc = ssh_pki_signature_verify_blob(session,
+ sig_blob,
+ msg->auth_request.pubkey,
+ buffer_get_rest(digest),
+ buffer_get_rest_len(digest));
ssh_string_free(sig_blob);
ssh_buffer_free(digest);
if (rc < 0) {
diff --git a/src/pki.c b/src/pki.c
index 4be6f58..a469ba2 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -992,32 +992,15 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
}
int ssh_pki_signature_verify_blob(ssh_session session,
- ssh_string sig_blob)
+ ssh_string sig_blob,
+ const ssh_key key,
+ unsigned char *digest,
+ size_t dlen)
{
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
ssh_signature sig;
- ssh_key key;
int rc;
- rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
- if (rc < 0) {
- return SSH_ERROR;
- }
-
- if (session->wanted_methods[SSH_HOSTKEYS]) {
- if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
- key->type_c)) {
- ssh_set_error(session,
- SSH_FATAL,
- "Public key from server (%s) doesn't match user "
- "preference (%s)",
- key->type_c,
- session->wanted_methods[SSH_HOSTKEYS]);
- ssh_key_free(key);
- return -1;
- }
- }
-
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
if (rc < 0) {
ssh_key_free(key);
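Review bot: The failure branch kept as context at the end of this hunk still calls `ssh_key_free(key)`, although `key` is now a caller-owned `const ssh_key` parameter. In the src/client.c hunk the caller reads `key->type_c` and calls `ssh_key_free(key)` after this function returns, so a signature blob that fails to import leads to a use-after-free and a double free; src/messages.c passes `msg->auth_request.pubkey`, which would likewise be freed while the message still refers to it. In both callers the blob appears to come from the peer, so this path should be assumed reachable with malformed input. The branch should become `if (rc < 0) { return SSH_ERROR; }` and leave the key to the caller. The function body continues outside the hunk.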
@@ -1030,9 +1013,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
key->type_c);
- sha1(session->next_crypto->session_id,
- session->next_crypto->digest_len,
- hash + 1);
+ sha1(digest, dlen, hash + 1);
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
@@ -1043,9 +1024,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
key,
hash,
SHA_DIGEST_LEN);
- session->next_crypto->server_pubkey_type = key->type_c;
ssh_signature_free(sig);
- ssh_key_free(key);
return rc;
}
@@ -1153,44 +1132,6 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session,
#endif /* _WIN32 */
#ifdef WITH_SERVER
-int ssh_srv_pki_signature_verify_blob(ssh_session session,
- ssh_string sig_blob,
- const ssh_key key,
- unsigned char *digest,
- size_t dlen)
-{
- unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
- ssh_signature sig;
- int rc;
-
- rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
- if (rc < 0) {
- ssh_key_free(key);
- return SSH_ERROR;
- }
-
- ssh_log(session,
- SSH_LOG_FUNCTIONS,
- "Going to verify a %s type signature",
- key->type_c);
-
-
- sha1(digest, dlen, hash + 1);
-
-#ifdef DEBUG_CRYPTO
- ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
-#endif
-
- rc = pki_signature_verify(session,
- sig,
- key,
- hash,
- SHA_DIGEST_LEN);
- ssh_signature_free(sig);
-
- return rc;
-}
-
ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
const ssh_key privkey)
{