pki: We need only one signature verify blob function.
This fixes the build without server.
Этот коммит содержится в:
Andreas Schneider
родитель
8fb8ad0151
Коммит
149be78ee0
@ -69,8 +69,6 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
|||||||
const ssh_key pubkey,
|
const ssh_key pubkey,
|
||||||
ssh_signature *psig);
|
ssh_signature *psig);
|
||||||
int ssh_pki_signature_verify_blob(ssh_session session,
|
int ssh_pki_signature_verify_blob(ssh_session session,
|
||||||
ssh_string sig_blob);
|
|
||||||
int ssh_srv_pki_signature_verify_blob(ssh_session session,
|
|
||||||
ssh_string sig_blob,
|
ssh_string sig_blob,
|
||||||
const ssh_key key,
|
const ssh_key key,
|
||||||
unsigned char *digest,
|
unsigned char *digest,
|
||||||
|
|||||||
39
src/client.c
39
src/client.c
@ -228,6 +228,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
|||||||
/* server things are done in server.c */
|
/* server things are done in server.c */
|
||||||
session->dh_handshake_state=DH_STATE_FINISHED;
|
session->dh_handshake_state=DH_STATE_FINISHED;
|
||||||
} else {
|
} else {
|
||||||
|
ssh_key key;
|
||||||
/* client */
|
/* client */
|
||||||
rc = make_sessionid(session);
|
rc = make_sessionid(session);
|
||||||
if (rc != SSH_OK) {
|
if (rc != SSH_OK) {
|
||||||
@ -249,16 +250,44 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
|||||||
/* Verify the host's signature. FIXME do it sooner */
|
/* Verify the host's signature. FIXME do it sooner */
|
||||||
sig_blob = session->next_crypto->dh_server_signature;
|
sig_blob = session->next_crypto->dh_server_signature;
|
||||||
session->next_crypto->dh_server_signature = NULL;
|
session->next_crypto->dh_server_signature = NULL;
|
||||||
|
|
||||||
|
/* get the server public key */
|
||||||
|
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
|
||||||
|
if (rc < 0) {
|
||||||
|
return SSH_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* check if public key from server matches user preferences */
|
||||||
|
if (session->wanted_methods[SSH_HOSTKEYS]) {
|
||||||
|
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
|
||||||
|
key->type_c)) {
|
||||||
|
ssh_set_error(session,
|
||||||
|
SSH_FATAL,
|
||||||
|
"Public key from server (%s) doesn't match user "
|
||||||
|
"preference (%s)",
|
||||||
|
key->type_c,
|
||||||
|
session->wanted_methods[SSH_HOSTKEYS]);
|
||||||
|
ssh_key_free(key);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
rc = ssh_pki_signature_verify_blob(session,
|
rc = ssh_pki_signature_verify_blob(session,
|
||||||
sig_blob);
|
sig_blob,
|
||||||
|
key,
|
||||||
|
session->next_crypto->session_id,
|
||||||
|
session->next_crypto->digest_len);
|
||||||
|
/* Set the server public key type for known host checking */
|
||||||
|
session->next_crypto->server_pubkey_type = key->type_c;
|
||||||
|
|
||||||
|
ssh_key_free(key);
|
||||||
|
ssh_string_burn(sig_blob);
|
||||||
|
ssh_string_free(sig_blob);
|
||||||
|
sig_blob = NULL;
|
||||||
if (rc == SSH_ERROR) {
|
if (rc == SSH_ERROR) {
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
ssh_log(session,SSH_LOG_PROTOCOL,"Signature verified and valid");
|
ssh_log(session,SSH_LOG_PROTOCOL,"Signature verified and valid");
|
||||||
/* forget it for now ... */
|
|
||||||
ssh_string_burn(sig_blob);
|
|
||||||
ssh_string_free(sig_blob);
|
|
||||||
sig_blob = NULL;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and
|
* Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and
|
||||||
|
|||||||
@ -617,7 +617,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = ssh_srv_pki_signature_verify_blob(session,
|
rc = ssh_pki_signature_verify_blob(session,
|
||||||
sig_blob,
|
sig_blob,
|
||||||
msg->auth_request.pubkey,
|
msg->auth_request.pubkey,
|
||||||
buffer_get_rest(digest),
|
buffer_get_rest(digest),
|
||||||
|
|||||||
69
src/pki.c
69
src/pki.c
@ -992,32 +992,15 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
|||||||
}
|
}
|
||||||
|
|
||||||
int ssh_pki_signature_verify_blob(ssh_session session,
|
int ssh_pki_signature_verify_blob(ssh_session session,
|
||||||
ssh_string sig_blob)
|
ssh_string sig_blob,
|
||||||
|
const ssh_key key,
|
||||||
|
unsigned char *digest,
|
||||||
|
size_t dlen)
|
||||||
{
|
{
|
||||||
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
|
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
|
||||||
ssh_signature sig;
|
ssh_signature sig;
|
||||||
ssh_key key;
|
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
|
|
||||||
if (rc < 0) {
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (session->wanted_methods[SSH_HOSTKEYS]) {
|
|
||||||
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
|
|
||||||
key->type_c)) {
|
|
||||||
ssh_set_error(session,
|
|
||||||
SSH_FATAL,
|
|
||||||
"Public key from server (%s) doesn't match user "
|
|
||||||
"preference (%s)",
|
|
||||||
key->type_c,
|
|
||||||
session->wanted_methods[SSH_HOSTKEYS]);
|
|
||||||
ssh_key_free(key);
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
|
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
ssh_key_free(key);
|
ssh_key_free(key);
|
||||||
@ -1030,9 +1013,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
|
|||||||
key->type_c);
|
key->type_c);
|
||||||
|
|
||||||
|
|
||||||
sha1(session->next_crypto->session_id,
|
sha1(digest, dlen, hash + 1);
|
||||||
session->next_crypto->digest_len,
|
|
||||||
hash + 1);
|
|
||||||
|
|
||||||
#ifdef DEBUG_CRYPTO
|
#ifdef DEBUG_CRYPTO
|
||||||
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
|
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
|
||||||
@ -1043,9 +1024,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
|
|||||||
key,
|
key,
|
||||||
hash,
|
hash,
|
||||||
SHA_DIGEST_LEN);
|
SHA_DIGEST_LEN);
|
||||||
session->next_crypto->server_pubkey_type = key->type_c;
|
|
||||||
ssh_signature_free(sig);
|
ssh_signature_free(sig);
|
||||||
ssh_key_free(key);
|
|
||||||
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
@ -1153,44 +1132,6 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session,
|
|||||||
#endif /* _WIN32 */
|
#endif /* _WIN32 */
|
||||||
|
|
||||||
#ifdef WITH_SERVER
|
#ifdef WITH_SERVER
|
||||||
int ssh_srv_pki_signature_verify_blob(ssh_session session,
|
|
||||||
ssh_string sig_blob,
|
|
||||||
const ssh_key key,
|
|
||||||
unsigned char *digest,
|
|
||||||
size_t dlen)
|
|
||||||
{
|
|
||||||
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
|
|
||||||
ssh_signature sig;
|
|
||||||
int rc;
|
|
||||||
|
|
||||||
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
|
|
||||||
if (rc < 0) {
|
|
||||||
ssh_key_free(key);
|
|
||||||
return SSH_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssh_log(session,
|
|
||||||
SSH_LOG_FUNCTIONS,
|
|
||||||
"Going to verify a %s type signature",
|
|
||||||
key->type_c);
|
|
||||||
|
|
||||||
|
|
||||||
sha1(digest, dlen, hash + 1);
|
|
||||||
|
|
||||||
#ifdef DEBUG_CRYPTO
|
|
||||||
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
rc = pki_signature_verify(session,
|
|
||||||
sig,
|
|
||||||
key,
|
|
||||||
hash,
|
|
||||||
SHA_DIGEST_LEN);
|
|
||||||
ssh_signature_free(sig);
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
|
ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
|
||||||
const ssh_key privkey)
|
const ssh_key privkey)
|
||||||
{
|
{
|
||||||
|
|||||||
Загрузка…
x
Ссылка в новой задаче
Block a user