diff --git a/include/libssh/pki.h b/include/libssh/pki.h index e7a20156..533d3e09 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -133,7 +133,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, int ssh_pki_signature_verify(ssh_session session, ssh_signature sig, const ssh_key key, - unsigned char *digest, + const unsigned char *digest, size_t dlen); /* SSH Public Key Functions */ diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h index 24538d8e..d365a2dd 100644 --- a/include/libssh/pki_priv.h +++ b/include/libssh/pki_priv.h @@ -124,11 +124,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, const ssh_string sig_blob, enum ssh_keytypes_e type, enum ssh_digest_e hash_type); -int pki_signature_verify(ssh_session session, - const ssh_signature sig, - const ssh_key key, - const unsigned char *input, - size_t input_len); /* SSH Signing Functions */ ssh_signature pki_do_sign(const ssh_key privkey, diff --git a/src/pki.c b/src/pki.c index 2ee1bb5b..488500cc 100644 --- a/src/pki.c +++ b/src/pki.c @@ -2239,7 +2239,7 @@ int pki_key_check_hash_compatible(ssh_key key, int ssh_pki_signature_verify(ssh_session session, ssh_signature sig, const ssh_key key, - unsigned char *input, + const unsigned char *input, size_t input_len) { int rc; diff --git a/src/pki_crypto.c b/src/pki_crypto.c index f73199c8..13198249 100644 --- a/src/pki_crypto.c +++ b/src/pki_crypto.c @@ -1856,46 +1856,6 @@ error: return NULL; } -int pki_signature_verify(ssh_session session, - const ssh_signature sig, - const ssh_key key, - const unsigned char *input, - size_t input_len) -{ - int rc; - - if (session == NULL || sig == NULL || key == NULL || input == NULL) { - SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to " - "pki_signature_verify()"); - return SSH_ERROR; - } - - if (ssh_key_type_plain(key->type) != sig->type) { - SSH_LOG(SSH_LOG_WARN, - "Can not verify %s signature with %s key", - sig->type_c, - key->type_c); - return SSH_ERROR; - } - - /* Check if public key and hash type are compatible */ - rc = pki_key_check_hash_compatible(key, sig->hash_type); - if (rc != SSH_OK) { - return SSH_ERROR; - } - - rc = pki_verify_data_signature(sig, key, input, input_len); - - if (rc != SSH_OK){ - ssh_set_error(session, - SSH_FATAL, - "Signature verification error"); - return SSH_ERROR; - } - - return SSH_OK; -} - static const EVP_MD *pki_digest_to_md(enum ssh_digest_e hash_type) { const EVP_MD *md = NULL; diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c index 8adc8165..6e00194a 100644 --- a/src/pki_gcrypt.c +++ b/src/pki_gcrypt.c @@ -2087,47 +2087,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, return sig; } -int pki_signature_verify(ssh_session session, - const ssh_signature sig, - const ssh_key key, - const unsigned char *input, - size_t input_len) -{ - int rc; - - if (session == NULL || sig == NULL || key == NULL || input == NULL) { - SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to " - "pki_signature_verify()"); - return SSH_ERROR; - } - - if (ssh_key_type_plain(key->type) != sig->type) { - SSH_LOG(SSH_LOG_WARN, - "Can not verify %s signature with %s key", - sig->type_c, - key->type_c); - return SSH_ERROR; - } - - /* Check if public key and hash type are compatible */ - rc = pki_key_check_hash_compatible(key, sig->hash_type); - if (rc != SSH_OK) { - return SSH_ERROR; - } - - /* For the other key types, calculate the hash and verify the signature */ - rc = pki_verify_data_signature(sig, key, input, input_len); - - if (rc != SSH_OK){ - ssh_set_error(session, - SSH_FATAL, - "Signature verification error"); - return SSH_ERROR; - } - - return SSH_OK; -} - ssh_signature pki_do_sign_hash(const ssh_key privkey, const unsigned char *hash, size_t hlen, diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c index 7236210a..3774192f 100644 --- a/src/pki_mbedcrypto.c +++ b/src/pki_mbedcrypto.c @@ -1022,42 +1022,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, return sig; } -int pki_signature_verify(ssh_session session, const ssh_signature sig, const - ssh_key key, const unsigned char *input, size_t input_len) -{ - int rc; - - if (session == NULL || sig == NULL || key == NULL || input == NULL) { - SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to " - "pki_signature_verify()"); - return SSH_ERROR; - } - - if (ssh_key_type_plain(key->type) != sig->type) { - SSH_LOG(SSH_LOG_WARN, - "Can not verify %s signature with %s key", - sig->type_c, - key->type_c); - return SSH_ERROR; - } - - /* Check if public key and hash type are compatible */ - rc = pki_key_check_hash_compatible(key, sig->hash_type); - if (rc != SSH_OK) { - return SSH_ERROR; - } - - rc = pki_verify_data_signature(sig, key, input, input_len); - if (rc != SSH_OK){ - ssh_set_error(session, - SSH_FATAL, - "Signature verification error"); - return SSH_ERROR; - } - - return SSH_OK; -} - static ssh_string rsa_do_sign_hash(const unsigned char *digest, int dlen, mbedtls_pk_context *privkey, diff --git a/tests/unittests/torture_pki.c b/tests/unittests/torture_pki.c index 0e4ea1af..d886245c 100644 --- a/tests/unittests/torture_pki.c +++ b/tests/unittests/torture_pki.c @@ -331,7 +331,7 @@ static void torture_pki_verify_mismatch(void **state) assert_int_equal(import_sig->type, key->type); assert_string_equal(import_sig->type_c, skey_attrs.sig_type_c); - rc = pki_signature_verify(session, + rc = ssh_pki_signature_verify(session, import_sig, pubkey, INPUT, @@ -374,7 +374,7 @@ static void torture_pki_verify_mismatch(void **state) assert_non_null(verify_pubkey); /* Should gracefully fail, but not crash */ - rc = pki_signature_verify(session, + rc = ssh_pki_signature_verify(session, sign, verify_pubkey, INPUT, @@ -382,7 +382,7 @@ static void torture_pki_verify_mismatch(void **state) assert_true(rc != SSH_OK); /* Try the same with the imported signature */ - rc = pki_signature_verify(session, + rc = ssh_pki_signature_verify(session, import_sig, verify_pubkey, INPUT, @@ -401,7 +401,7 @@ static void torture_pki_verify_mismatch(void **state) assert_string_equal(new_sig->type_c, skey_attrs.sig_type_c); /* The verification should not work */ - rc = pki_signature_verify(session, + rc = ssh_pki_signature_verify(session, new_sig, verify_pubkey, INPUT, diff --git a/tests/unittests/torture_pki_dsa.c b/tests/unittests/torture_pki_dsa.c index 08e6235c..b555e487 100644 --- a/tests/unittests/torture_pki_dsa.c +++ b/tests/unittests/torture_pki_dsa.c @@ -809,7 +809,7 @@ static void torture_pki_dsa_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(key); @@ -823,7 +823,7 @@ static void torture_pki_dsa_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(key); @@ -837,7 +837,7 @@ static void torture_pki_dsa_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(key); @@ -868,7 +868,7 @@ static void torture_pki_dsa_cert_verify(void **state) sign = pki_do_sign(privkey, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1); assert_non_null(sign); - rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(privkey); diff --git a/tests/unittests/torture_pki_ecdsa.c b/tests/unittests/torture_pki_ecdsa.c index 161fe713..22f06a46 100644 --- a/tests/unittests/torture_pki_ecdsa.c +++ b/tests/unittests/torture_pki_ecdsa.c @@ -546,7 +546,7 @@ static void torture_pki_generate_key_ecdsa(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ECDSA_P256); @@ -568,7 +568,7 @@ static void torture_pki_generate_key_ecdsa(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ECDSA_P256); @@ -589,7 +589,7 @@ static void torture_pki_generate_key_ecdsa(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA384); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ECDSA_P384); @@ -611,7 +611,7 @@ static void torture_pki_generate_key_ecdsa(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA384); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ECDSA_P384); @@ -632,7 +632,7 @@ static void torture_pki_generate_key_ecdsa(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA512); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ECDSA_P521); @@ -654,7 +654,7 @@ static void torture_pki_generate_key_ecdsa(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA512); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ECDSA_P521); @@ -696,7 +696,7 @@ static void torture_pki_ecdsa_cert_verify(void **state) sign = pki_do_sign(privkey, INPUT, sizeof(INPUT), hash_type); assert_non_null(sign); - rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(privkey); diff --git a/tests/unittests/torture_pki_ed25519.c b/tests/unittests/torture_pki_ed25519.c index 422be580..3d486965 100644 --- a/tests/unittests/torture_pki_ed25519.c +++ b/tests/unittests/torture_pki_ed25519.c @@ -440,7 +440,7 @@ static void torture_pki_ed25519_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, HASH, 20); + rc = ssh_pki_signature_verify(session, sign, pubkey, HASH, 20); assert_true(rc == SSH_OK); type = ssh_key_type(key); assert_true(type == SSH_KEYTYPE_ED25519); @@ -455,7 +455,7 @@ static void torture_pki_ed25519_generate_key(void **state) #endif assert_non_null(raw_sig_data); (raw_sig_data)[3]^= 0xff; - rc = pki_signature_verify(session, sign, pubkey, HASH, 20); + rc = ssh_pki_signature_verify(session, sign, pubkey, HASH, 20); assert_true(rc == SSH_ERROR); ssh_signature_free(sign); @@ -494,7 +494,7 @@ static void torture_pki_ed25519_cert_verify(void **state) sign = pki_do_sign(privkey, HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); - rc = pki_signature_verify(session, sign, cert, HASH, 20); + rc = ssh_pki_signature_verify(session, sign, cert, HASH, 20); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(privkey); @@ -683,7 +683,7 @@ static void torture_pki_ed25519_verify(void **state){ sig = pki_signature_from_blob(pubkey, blob, SSH_KEYTYPE_ED25519, SSH_DIGEST_AUTO); assert_non_null(sig); - rc = pki_signature_verify(session, sig, pubkey, HASH, sizeof(HASH)); + rc = ssh_pki_signature_verify(session, sig, pubkey, HASH, sizeof(HASH)); assert_true(rc == SSH_OK); /* Alter signature and expect verification error */ @@ -694,7 +694,7 @@ static void torture_pki_ed25519_verify(void **state){ #endif assert_non_null(raw_sig_data); (raw_sig_data)[3]^= 0xff; - rc = pki_signature_verify(session, sig, pubkey, HASH, sizeof(HASH)); + rc = ssh_pki_signature_verify(session, sig, pubkey, HASH, sizeof(HASH)); assert_true(rc == SSH_ERROR); ssh_signature_free(sig); @@ -741,7 +741,7 @@ static void torture_pki_ed25519_verify_bad(void **state){ sig = pki_signature_from_blob(pubkey, blob, SSH_KEYTYPE_ED25519, SSH_DIGEST_AUTO); assert_non_null(sig); - rc = pki_signature_verify(session, sig, pubkey, HASH, sizeof(HASH)); + rc = ssh_pki_signature_verify(session, sig, pubkey, HASH, sizeof(HASH)); assert_true(rc == SSH_ERROR); ssh_signature_free(sig); diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c index d3a02a11..a9867069 100644 --- a/tests/unittests/torture_pki_rsa.c +++ b/tests/unittests/torture_pki_rsa.c @@ -553,7 +553,7 @@ static void torture_pki_rsa_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(key); @@ -570,7 +570,7 @@ static void torture_pki_rsa_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(key); @@ -586,7 +586,7 @@ static void torture_pki_rsa_generate_key(void **state) assert_non_null(pubkey); sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_true(rc == SSH_OK); ssh_signature_free(sign); SSH_KEY_FREE(key); @@ -625,9 +625,9 @@ static void torture_pki_rsa_sha2(void **state) /* Sign using old SHA1 digest */ sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_ssh_return_code(session, rc); - rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); assert_ssh_return_code(session, rc); ssh_signature_free(sign); } @@ -635,18 +635,18 @@ static void torture_pki_rsa_sha2(void **state) /* Sign using new SHA256 digest */ sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_ssh_return_code(session, rc); - rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); assert_ssh_return_code(session, rc); ssh_signature_free(sign); /* Sign using rsa-sha2-512 algorithm */ sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA512); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT)); assert_ssh_return_code(session, rc); - rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); + rc = ssh_pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT)); assert_ssh_return_code(session, rc); ssh_signature_free(sign); diff --git a/tests/unittests/torture_threads_pki_rsa.c b/tests/unittests/torture_threads_pki_rsa.c index 03d526cd..a04a7462 100644 --- a/tests/unittests/torture_threads_pki_rsa.c +++ b/tests/unittests/torture_threads_pki_rsa.c @@ -583,7 +583,7 @@ static void *thread_pki_rsa_generate_key(void *threadid) sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20); + rc = ssh_pki_signature_verify(session, sign, pubkey, RSA_HASH, 20); assert_ssh_return_code(session, rc); ssh_signature_free(sign); @@ -602,7 +602,7 @@ static void *thread_pki_rsa_generate_key(void *threadid) sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20); + rc = ssh_pki_signature_verify(session, sign, pubkey, RSA_HASH, 20); assert_ssh_return_code(session, rc); ssh_signature_free(sign); @@ -620,7 +620,7 @@ static void *thread_pki_rsa_generate_key(void *threadid) sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); - rc = pki_signature_verify(session, sign, pubkey, RSA_HASH, 20); + rc = ssh_pki_signature_verify(session, sign, pubkey, RSA_HASH, 20); assert_true(rc == SSH_OK); ssh_signature_free(sign);