pki: We need only one signature verify blob function.
This fixes the build without server.
Этот коммит содержится в:
родитель
8fb8ad0151
Коммит
149be78ee0
@ -69,12 +69,10 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
||||
const ssh_key pubkey,
|
||||
ssh_signature *psig);
|
||||
int ssh_pki_signature_verify_blob(ssh_session session,
|
||||
ssh_string sig_blob);
|
||||
int ssh_srv_pki_signature_verify_blob(ssh_session session,
|
||||
ssh_string sig_blob,
|
||||
const ssh_key key,
|
||||
unsigned char *digest,
|
||||
size_t dlen);
|
||||
ssh_string sig_blob,
|
||||
const ssh_key key,
|
||||
unsigned char *digest,
|
||||
size_t dlen);
|
||||
|
||||
/* SSH Public Key Functions */
|
||||
ssh_string ssh_pki_export_pubkey_blob(const ssh_key key);
|
||||
|
39
src/client.c
39
src/client.c
@ -228,6 +228,7 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
||||
/* server things are done in server.c */
|
||||
session->dh_handshake_state=DH_STATE_FINISHED;
|
||||
} else {
|
||||
ssh_key key;
|
||||
/* client */
|
||||
rc = make_sessionid(session);
|
||||
if (rc != SSH_OK) {
|
||||
@ -249,16 +250,44 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
|
||||
/* Verify the host's signature. FIXME do it sooner */
|
||||
sig_blob = session->next_crypto->dh_server_signature;
|
||||
session->next_crypto->dh_server_signature = NULL;
|
||||
|
||||
/* get the server public key */
|
||||
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
|
||||
if (rc < 0) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
/* check if public key from server matches user preferences */
|
||||
if (session->wanted_methods[SSH_HOSTKEYS]) {
|
||||
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
|
||||
key->type_c)) {
|
||||
ssh_set_error(session,
|
||||
SSH_FATAL,
|
||||
"Public key from server (%s) doesn't match user "
|
||||
"preference (%s)",
|
||||
key->type_c,
|
||||
session->wanted_methods[SSH_HOSTKEYS]);
|
||||
ssh_key_free(key);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
rc = ssh_pki_signature_verify_blob(session,
|
||||
sig_blob);
|
||||
sig_blob,
|
||||
key,
|
||||
session->next_crypto->session_id,
|
||||
session->next_crypto->digest_len);
|
||||
/* Set the server public key type for known host checking */
|
||||
session->next_crypto->server_pubkey_type = key->type_c;
|
||||
|
||||
ssh_key_free(key);
|
||||
ssh_string_burn(sig_blob);
|
||||
ssh_string_free(sig_blob);
|
||||
sig_blob = NULL;
|
||||
if (rc == SSH_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
ssh_log(session,SSH_LOG_PROTOCOL,"Signature verified and valid");
|
||||
/* forget it for now ... */
|
||||
ssh_string_burn(sig_blob);
|
||||
ssh_string_free(sig_blob);
|
||||
sig_blob = NULL;
|
||||
|
||||
/*
|
||||
* Once we got SSH2_MSG_NEWKEYS we can switch next_crypto and
|
||||
|
@ -617,11 +617,11 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
|
||||
goto error;
|
||||
}
|
||||
|
||||
rc = ssh_srv_pki_signature_verify_blob(session,
|
||||
sig_blob,
|
||||
msg->auth_request.pubkey,
|
||||
buffer_get_rest(digest),
|
||||
buffer_get_rest_len(digest));
|
||||
rc = ssh_pki_signature_verify_blob(session,
|
||||
sig_blob,
|
||||
msg->auth_request.pubkey,
|
||||
buffer_get_rest(digest),
|
||||
buffer_get_rest_len(digest));
|
||||
ssh_string_free(sig_blob);
|
||||
ssh_buffer_free(digest);
|
||||
if (rc < 0) {
|
||||
|
69
src/pki.c
69
src/pki.c
@ -992,32 +992,15 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
|
||||
}
|
||||
|
||||
int ssh_pki_signature_verify_blob(ssh_session session,
|
||||
ssh_string sig_blob)
|
||||
ssh_string sig_blob,
|
||||
const ssh_key key,
|
||||
unsigned char *digest,
|
||||
size_t dlen)
|
||||
{
|
||||
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
|
||||
ssh_signature sig;
|
||||
ssh_key key;
|
||||
int rc;
|
||||
|
||||
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
|
||||
if (rc < 0) {
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
if (session->wanted_methods[SSH_HOSTKEYS]) {
|
||||
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
|
||||
key->type_c)) {
|
||||
ssh_set_error(session,
|
||||
SSH_FATAL,
|
||||
"Public key from server (%s) doesn't match user "
|
||||
"preference (%s)",
|
||||
key->type_c,
|
||||
session->wanted_methods[SSH_HOSTKEYS]);
|
||||
ssh_key_free(key);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
|
||||
if (rc < 0) {
|
||||
ssh_key_free(key);
|
||||
@ -1030,9 +1013,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
|
||||
key->type_c);
|
||||
|
||||
|
||||
sha1(session->next_crypto->session_id,
|
||||
session->next_crypto->digest_len,
|
||||
hash + 1);
|
||||
sha1(digest, dlen, hash + 1);
|
||||
|
||||
#ifdef DEBUG_CRYPTO
|
||||
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
|
||||
@ -1043,9 +1024,7 @@ int ssh_pki_signature_verify_blob(ssh_session session,
|
||||
key,
|
||||
hash,
|
||||
SHA_DIGEST_LEN);
|
||||
session->next_crypto->server_pubkey_type = key->type_c;
|
||||
ssh_signature_free(sig);
|
||||
ssh_key_free(key);
|
||||
|
||||
return rc;
|
||||
}
|
||||
@ -1153,44 +1132,6 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session,
|
||||
#endif /* _WIN32 */
|
||||
|
||||
#ifdef WITH_SERVER
|
||||
int ssh_srv_pki_signature_verify_blob(ssh_session session,
|
||||
ssh_string sig_blob,
|
||||
const ssh_key key,
|
||||
unsigned char *digest,
|
||||
size_t dlen)
|
||||
{
|
||||
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
|
||||
ssh_signature sig;
|
||||
int rc;
|
||||
|
||||
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
|
||||
if (rc < 0) {
|
||||
ssh_key_free(key);
|
||||
return SSH_ERROR;
|
||||
}
|
||||
|
||||
ssh_log(session,
|
||||
SSH_LOG_FUNCTIONS,
|
||||
"Going to verify a %s type signature",
|
||||
key->type_c);
|
||||
|
||||
|
||||
sha1(digest, dlen, hash + 1);
|
||||
|
||||
#ifdef DEBUG_CRYPTO
|
||||
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
|
||||
#endif
|
||||
|
||||
rc = pki_signature_verify(session,
|
||||
sig,
|
||||
key,
|
||||
hash,
|
||||
SHA_DIGEST_LEN);
|
||||
ssh_signature_free(sig);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
|
||||
const ssh_key privkey)
|
||||
{
|
||||
|
Загрузка…
Ссылка в новой задаче
Block a user