1
1

pki: We need only one signature verify blob function.

This fixes the build without server.
Этот коммит содержится в:
Andreas Schneider 2011-08-23 08:19:53 +02:00
родитель 8fb8ad0151
Коммит 149be78ee0
4 изменённых файлов: 48 добавлений и 80 удалений

Просмотреть файл

@ -69,12 +69,10 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
const ssh_key pubkey,
ssh_signature *psig);
int ssh_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob);
int ssh_srv_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob,
const ssh_key key,
unsigned char *digest,
size_t dlen);
ssh_string sig_blob,
const ssh_key key,
unsigned char *digest,
size_t dlen);
/* SSH Public Key Functions */
ssh_string ssh_pki_export_pubkey_blob(const ssh_key key);

Просмотреть файл

@ -228,6 +228,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
/* server things are done in server.c */
session->dh_handshake_state=DH_STATE_FINISHED;
} else {
ssh_key key;
/* client */
rc = make_sessionid(session);
if (rc != SSH_OK) {
@ -249,16 +250,44 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
/* Verify the host's signature. FIXME do it sooner */
sig_blob = session->next_crypto->dh_server_signature;
session->next_crypto->dh_server_signature = NULL;
/* get the server public key */
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
if (rc < 0) {
return SSH_ERROR;
}
/* check if public key from server matches user preferences */
if (session->wanted_methods[SSH_HOSTKEYS]) {
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
key->type_c)) {
ssh_set_error(session,
SSH_FATAL,
"Public key from server (%s) doesn't match user "
"preference (%s)",
key->type_c,
session->wanted_methods[SSH_HOSTKEYS]);
ssh_key_free(key);
return -1;
}
}
rc = ssh_pki_signature_verify_blob(session,
sig_blob);
sig_blob,
key,
session->next_crypto->session_id,
session->next_crypto->digest_len);
/* Set the server public key type for known host checking */
session->next_crypto->server_pubkey_type = key->type_c;
ssh_key_free(key);
ssh_string_burn(sig_blob);
ssh_string_free(sig_blob);
sig_blob = NULL;
if (rc == SSH_ERROR) {
goto error;
}
ssh_log(session,SSH_LOG_PROTOCOL,"Signature verified and valid");
/* forget it for now ... */
ssh_string_burn(sig_blob);
ssh_string_free(sig_blob);
sig_blob = NULL;
/*
* Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and

Просмотреть файл

@ -617,11 +617,11 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
goto error;
}
rc = ssh_srv_pki_signature_verify_blob(session,
sig_blob,
msg->auth_request.pubkey,
buffer_get_rest(digest),
buffer_get_rest_len(digest));
rc = ssh_pki_signature_verify_blob(session,
sig_blob,
msg->auth_request.pubkey,
buffer_get_rest(digest),
buffer_get_rest_len(digest));
ssh_string_free(sig_blob);
ssh_buffer_free(digest);
if (rc < 0) {

Просмотреть файл

@ -992,32 +992,15 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
}
int ssh_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob)
ssh_string sig_blob,
const ssh_key key,
unsigned char *digest,
size_t dlen)
{
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
ssh_signature sig;
ssh_key key;
int rc;
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
if (rc < 0) {
return SSH_ERROR;
}
if (session->wanted_methods[SSH_HOSTKEYS]) {
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
key->type_c)) {
ssh_set_error(session,
SSH_FATAL,
"Public key from server (%s) doesn't match user "
"preference (%s)",
key->type_c,
session->wanted_methods[SSH_HOSTKEYS]);
ssh_key_free(key);
return -1;
}
}
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
if (rc < 0) {
ssh_key_free(key);
@ -1030,9 +1013,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
key->type_c);
sha1(session->next_crypto->session_id,
session->next_crypto->digest_len,
hash + 1);
sha1(digest, dlen, hash + 1);
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
@ -1043,9 +1024,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
key,
hash,
SHA_DIGEST_LEN);
session->next_crypto->server_pubkey_type = key->type_c;
ssh_signature_free(sig);
ssh_key_free(key);
return rc;
}
@ -1153,44 +1132,6 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session,
#endif /* _WIN32 */
#ifdef WITH_SERVER
int ssh_srv_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob,
const ssh_key key,
unsigned char *digest,
size_t dlen)
{
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
ssh_signature sig;
int rc;
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
if (rc < 0) {
ssh_key_free(key);
return SSH_ERROR;
}
ssh_log(session,
SSH_LOG_FUNCTIONS,
"Going to verify a %s type signature",
key->type_c);
sha1(digest, dlen, hash + 1);
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
#endif
rc = pki_signature_verify(session,
sig,
key,
hash,
SHA_DIGEST_LEN);
ssh_signature_free(sig);
return rc;
}
ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
const ssh_key privkey)
{