1
1

pki: Add ssh_pki_signature_verify_blob().

Этот коммит содержится в:
Andreas Schneider 2011-08-22 16:27:38 +02:00
родитель bcc0a6d0e0
Коммит 5cc98ed720
5 изменённых файлов: 179 добавлений и 0 удалений

Просмотреть файл

@ -68,6 +68,8 @@ int ssh_pki_export_signature_blob(const ssh_signature sign,
int ssh_pki_import_signature_blob(const ssh_string sig_blob,
const ssh_key pubkey,
ssh_signature *psig);
int ssh_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob);
/* SSH Public Key Functions */
ssh_string ssh_pki_export_pubkey_blob(const ssh_key key);

Просмотреть файл

@ -55,6 +55,11 @@ ssh_string pki_signature_to_blob(const ssh_signature sign);
ssh_signature pki_signature_from_blob(const ssh_key pubkey,
const ssh_string sig_blob,
enum ssh_keytypes_e type);
int pki_signature_verify(ssh_session session,
const ssh_signature sig,
const ssh_key key,
const unsigned char *hash,
size_t len);
/* SSH Signing Functions */
struct signature_struct *pki_do_sign(const ssh_key privatekey,

Просмотреть файл

@ -979,6 +979,65 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
return SSH_OK;
}
int ssh_pki_signature_verify_blob(ssh_session session,
ssh_string sig_blob)
{
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
ssh_signature sig;
ssh_key key;
int rc;
rc = ssh_pki_import_pubkey_blob(session->next_crypto->server_pubkey, &key);
if (rc < 0) {
return SSH_ERROR;
}
if (session->wanted_methods[SSH_HOSTKEYS]) {
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],
key->type_c)) {
ssh_set_error(session,
SSH_FATAL,
"Public key from server (%s) doesn't match user "
"preference (%s)",
key->type_c,
session->wanted_methods[SSH_HOSTKEYS]);
ssh_key_free(key);
return -1;
}
}
rc = ssh_pki_import_signature_blob(sig_blob, key, &sig);
if (rc < 0) {
ssh_key_free(key);
return SSH_ERROR;
}
ssh_log(session,
SSH_LOG_FUNCTIONS,
"Going to verify a %s type signature",
key->type_c);
sha1(session->next_crypto->session_id,
session->next_crypto->digest_len,
hash + 1);
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
#endif
rc = pki_signature_verify(session,
sig,
key,
hash,
SHA_DIGEST_LEN);
session->next_crypto->server_pubkey_type = key->type_c;
ssh_signature_free(sig);
ssh_key_free(key);
return rc;
}
/*
* This function signs the session id (known as H) as a string then
* the content of sigbuf */

Просмотреть файл

@ -673,6 +673,53 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
return sig;
}
int pki_signature_verify(ssh_session session,
const ssh_signature sig,
const ssh_key key,
const unsigned char *hash,
size_t len)
{
int rc;
switch(key->type) {
case SSH_KEYTYPE_DSS:
rc = DSA_do_verify(hash + 1,
len,
sig->dsa_sig,
key->dsa);
if (rc < 0) {
ssh_set_error(session,
SSH_FATAL,
"DSA error: %s",
ERR_error_string(ERR_get_error(), NULL));
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
rc = RSA_verify(NID_sha1,
hash + 1,
len,
string_data(sig->rsa_sig),
ssh_string_len(sig->rsa_sig),
key->rsa);
if (rc < 0) {
ssh_set_error(session,
SSH_FATAL,
"RSA error: %s",
ERR_error_string(ERR_get_error(), NULL));
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_UNKNOWN:
ssh_set_error(session, SSH_FATAL, "Unknown public key type");
return SSH_ERROR;
}
return SSH_OK;
}
struct signature_struct *pki_do_sign(ssh_key privatekey,
const unsigned char *hash) {
struct signature_struct *sign;

Просмотреть файл

@ -1313,6 +1313,72 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
return sig;
}
int pki_signature_verify(ssh_session session,
const ssh_signature sig,
const ssh_key key,
const unsigned char *hash,
size_t len)
{
gcry_sexp_t sexp;
gcry_error_t err;
switch(key->type) {
case SSH_KEYTYPE_DSS:
err = gcry_sexp_build(&sexp, NULL, "%b", len, hash + 1);
if (err) {
ssh_set_error(session,
SSH_FATAL,
"DSA error: %s", gcry_strerror(err));
return SSH_ERROR;
}
err = gcry_pk_verify(sig->dsa_sig, sexp, key->dsa);
gcry_sexp_release(sexp);
if (err) {
ssh_set_error(session, SSH_FATAL, "Invalid DSA signature");
if (gcry_err_code(err) != GPG_ERR_BAD_SIGNATURE) {
ssh_set_error(session,
SSH_FATAL,
"DSA verify error: %s",
gcry_strerror(err));
}
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
err = gcry_sexp_build(&sexp,
NULL,
"(data(flags pkcs1)(hash sha1 %b))",
len, hash + 1);
if (err) {
ssh_set_error(session,
SSH_FATAL,
"RSA error: %s",
gcry_strerror(err));
return SSH_ERROR;
}
err = gcry_pk_verify(sig->rsa_sig, sexp, key->rsa);
gcry_sexp_release(sexp);
if (err) {
ssh_set_error(session, SSH_FATAL, "Invalid RSA signature");
if (gcry_err_code(err) != GPG_ERR_BAD_SIGNATURE) {
ssh_set_error(session,
SSH_FATAL,
"RSA verify error: %s",
gcry_strerror(err));
}
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ECDSA:
case SSH_KEYTYPE_UNKNOWN:
ssh_set_error(session, SSH_FATAL, "Unknown public key type");
return SSH_ERROR;
}
return SSH_OK;
}
struct signature_struct *pki_do_sign(ssh_key privatekey,
const unsigned char *hash) {
struct signature_struct *sign;