diff --git a/include/libssh/pki.h b/include/libssh/pki.h index 4c844a32..0f0fac5d 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -101,6 +101,8 @@ ssh_key_get_signature_algorithm(ssh_session session, enum ssh_keytypes_e type); enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name); enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type); +enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, + enum ssh_keytypes_e type); #define is_ecdsa_key_type(t) \ ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521) @@ -138,7 +140,7 @@ int ssh_pki_import_cert_blob(const ssh_string cert_blob, /* SSH Signing Functions */ ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf, - const ssh_key privatekey); + const ssh_key privatekey, enum ssh_digest_e hash_type); ssh_string ssh_pki_do_sign_agent(ssh_session session, struct ssh_buffer_struct *buf, const ssh_key pubkey); diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h index 9c79aa88..32d8e449 100644 --- a/include/libssh/pki_priv.h +++ b/include/libssh/pki_priv.h @@ -117,12 +117,14 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, int pki_signature_verify(ssh_session session, const ssh_signature sig, const ssh_key key, - const unsigned char *hash, - size_t hlen); + const unsigned char *input, + size_t input_len); /* SSH Signing Functions */ -#define pki_do_sign(key, hash, hlen) \ - pki_do_sign_hash(key, hash, hlen, SSH_DIGEST_AUTO) +ssh_signature pki_do_sign(const ssh_key privkey, + const unsigned char *input, + size_t input_len, + enum ssh_digest_e hash_type); ssh_signature pki_do_sign_hash(const ssh_key privkey, const unsigned char *hash, size_t hlen, diff --git a/src/auth.c b/src/auth.c index 286a0d4e..6d549c0f 100644 --- a/src/auth.c +++ b/src/auth.c @@ -613,6 +613,7 @@ int ssh_userauth_publickey(ssh_session session, int rc; const char *sig_type_c = NULL; enum ssh_keytypes_e key_type; + enum ssh_digest_e hash_type; if (session == NULL) { return SSH_AUTH_ERROR; @@ -681,8 +682,11 @@ int ssh_userauth_publickey(ssh_session session, } ssh_string_free(str); + /* Get the hash type to be used in the signature based on the key type */ + hash_type = ssh_key_type_to_hash(session, privkey->type); + /* sign the buffer with the private key */ - str = ssh_pki_do_sign(session, session->out_buffer, privkey); + str = ssh_pki_do_sign(session, session->out_buffer, privkey, hash_type); if (str == NULL) { goto fail; } diff --git a/src/pki.c b/src/pki.c index fcce8863..911b75f5 100644 --- a/src/pki.c +++ b/src/pki.c @@ -2064,12 +2064,18 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, int ssh_pki_signature_verify(ssh_session session, ssh_signature sig, const ssh_key key, - unsigned char *digest, - size_t dlen) + unsigned char *input, + size_t input_len) { int rc; enum ssh_keytypes_e key_type = ssh_key_type_plain(key->type); + if (session == NULL || sig == NULL || key == NULL || input == NULL) { + SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to " + "ssh_pki_signature_verify()"); + return SSH_ERROR; + } + SSH_LOG(SSH_LOG_FUNCTIONS, "Going to verify a %s type signature", sig->type_c); @@ -2081,77 +2087,68 @@ int ssh_pki_signature_verify(ssh_session session, return SSH_ERROR; } - if (is_ecdsa_key_type(key_type)) { -#if HAVE_ECC - unsigned char ehash[EVP_DIGEST_LEN] = {0}; - uint32_t elen; - - evp(key->ecdsa_nid, digest, dlen, ehash, &elen); - -#ifdef DEBUG_CRYPTO - ssh_print_hexa("Hash to be verified with ecdsa", - ehash, elen); -#endif - - rc = pki_signature_verify(session, - sig, - key, - ehash, - elen); -#endif - } else if (key_type == SSH_KEYTYPE_ED25519) { - rc = pki_signature_verify(session, sig, key, digest, dlen); - } else { - unsigned char hash[SHA512_DIGEST_LEN] = {0}; - uint32_t hlen = 0; - - if (sig->type != SSH_KEYTYPE_RSA && sig->hash_type != SSH_DIGEST_AUTO) { - SSH_LOG(SSH_LOG_TRACE, "Only RSA keys support non-SHA1 hashes."); - return SSH_ERROR; - } - - switch (sig->hash_type) { - case SSH_DIGEST_SHA256: - sha256(digest, dlen, hash); - hlen = SHA256_DIGEST_LEN; - break; - case SSH_DIGEST_SHA512: - sha512(digest, dlen, hash); - hlen = SHA512_DIGEST_LEN; - break; - case SSH_DIGEST_SHA1: - case SSH_DIGEST_AUTO: - sha1(digest, dlen, hash); - hlen = SHA_DIGEST_LEN; - break; - default: - SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type); - return SSH_ERROR; - } -#ifdef DEBUG_CRYPTO - ssh_print_hexa(key_type == SSH_KEYTYPE_DSS - ? "Hash to be verified with DSA" - : "Hash to be verified with RSA", - hash, - hlen); -#endif - - rc = pki_signature_verify(session, - sig, - key, - hash, - hlen); - } + rc = pki_signature_verify(session, sig, key, input, input_len); return rc; } +ssh_signature pki_do_sign(const ssh_key privkey, + const unsigned char *input, + size_t input_len, + enum ssh_digest_e hash_type) +{ + unsigned char hash[SHA512_DIGEST_LEN] = {0}; + uint32_t hlen = 0; + + if (privkey == NULL || input == NULL) { + SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to " + "pki_do_sign()"); + return NULL; + } + + if (privkey->type == SSH_KEYTYPE_ED25519 || + privkey->type == SSH_KEYTYPE_ED25519_CERT01) + { + return pki_do_sign_hash(privkey, input, input_len, SSH_DIGEST_AUTO); + } + + switch (hash_type) { + case SSH_DIGEST_SHA256: + sha256(input, input_len, hash); + hlen = SHA256_DIGEST_LEN; + break; + case SSH_DIGEST_SHA384: + sha384(input, input_len, hash); + hlen = SHA384_DIGEST_LEN; + break; + case SSH_DIGEST_SHA512: + sha512(input, input_len, hash); + hlen = SHA512_DIGEST_LEN; + break; + case SSH_DIGEST_AUTO: + case SSH_DIGEST_SHA1: + sha1(input, input_len, hash); + hlen = SHA_DIGEST_LEN; + break; + default: + SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d", + hash_type); + goto error; + } + + return pki_do_sign_hash(privkey, hash, hlen, hash_type); + +error: + return NULL; +} + /* * This function signs the session id as a string then * the content of sigbuf */ ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf, - const ssh_key privkey) + const ssh_key privkey, + enum ssh_digest_e hash_type) { struct ssh_crypto_struct *crypto = NULL; @@ -2161,11 +2158,13 @@ ssh_string ssh_pki_do_sign(ssh_session session, ssh_string session_id = NULL; ssh_buffer sign_input = NULL; - enum ssh_digest_e hash_type; - int rc; - if (privkey == NULL || !ssh_key_is_private(privkey)) { + if (session == NULL || sigbuf == NULL || privkey == NULL || + !ssh_key_is_private(privkey)) + { + SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to " + "ssh_pki_do_sign()"); return NULL; } @@ -2181,9 +2180,6 @@ ssh_string ssh_pki_do_sign(ssh_session session, } ssh_string_fill(session_id, crypto->session_id, crypto->digest_len); - /* Get the hash type from the key type */ - hash_type = ssh_key_type_to_hash(session, privkey->type); - /* Fill the input */ sign_input = ssh_buffer_new(); if (sign_input == NULL) { @@ -2200,52 +2196,14 @@ ssh_string ssh_pki_do_sign(ssh_session session, } /* Generate the signature */ - if (privkey->type == SSH_KEYTYPE_ED25519){ - sig = pki_do_sign(privkey, - ssh_buffer_get(sign_input), - ssh_buffer_get_len(sign_input)); - } else { - unsigned char hash[SHA512_DIGEST_LEN] = {0}; - uint32_t hlen = 0; - switch (hash_type) { - case SSH_DIGEST_SHA256: - sha256(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA256_DIGEST_LEN; - break; - case SSH_DIGEST_SHA384: - sha384(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA384_DIGEST_LEN; - break; - case SSH_DIGEST_SHA512: - sha512(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA512_DIGEST_LEN; - break; - case SSH_DIGEST_SHA1: - case SSH_DIGEST_AUTO: - sha1(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA_DIGEST_LEN; - break; - default: - SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d", - hash_type); - goto end; - } - sig = pki_do_sign_hash(privkey, hash, hlen, hash_type); - } - + sig = pki_do_sign(privkey, + ssh_buffer_get(sign_input), + ssh_buffer_get_len(sign_input), + hash_type); if (sig == NULL) { goto end; } -#ifdef DEBUG_CRYPTO - SSH_LOG(SSH_LOG_TRACE, "Generated signature for %s and hash_type = %d", - privkey->type_c, hash_type); -#endif - /* Convert the signature to blob */ rc = ssh_pki_export_signature_blob(sig, &sig_blob); if (rc < 0) { @@ -2355,52 +2313,14 @@ ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session, } /* Generate the signature */ - if (privkey->type == SSH_KEYTYPE_ED25519){ - sig = pki_do_sign(privkey, - ssh_buffer_get(sign_input), - ssh_buffer_get_len(sign_input)); - } else { - unsigned char hash[SHA512_DIGEST_LEN] = {0}; - uint32_t hlen = 0; - switch (hash_type) { - case SSH_DIGEST_SHA256: - sha256(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA256_DIGEST_LEN; - break; - case SSH_DIGEST_SHA384: - sha384(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA384_DIGEST_LEN; - break; - case SSH_DIGEST_SHA512: - sha512(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA512_DIGEST_LEN; - break; - case SSH_DIGEST_SHA1: - case SSH_DIGEST_AUTO: - sha1(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input), - hash); - hlen = SHA_DIGEST_LEN; - break; - default: - SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d", - hash_type); - goto end; - } - sig = pki_do_sign_hash(privkey, hash, hlen, hash_type); - } - + sig = pki_do_sign(privkey, + ssh_buffer_get(sign_input), + ssh_buffer_get_len(sign_input), + hash_type); if (sig == NULL) { goto end; } -#ifdef DEBUG_CRYPTO - SSH_LOG(SSH_LOG_TRACE, "Generated signature for %s and hash_type = %d", - privkey->type_c, hash_type); -#endif - /* Convert the signature to blob */ rc = ssh_pki_export_signature_blob(sig, &sig_blob); if (rc < 0) { diff --git a/src/pki_crypto.c b/src/pki_crypto.c index d0db5cf0..b6f5991d 100644 --- a/src/pki_crypto.c +++ b/src/pki_crypto.c @@ -1856,12 +1856,15 @@ error: int pki_signature_verify(ssh_session session, const ssh_signature sig, const ssh_key key, - const unsigned char *hash, - size_t hlen) + const unsigned char *input, + size_t input_len) { int rc; int nid; + unsigned char hash[SHA512_DIGEST_LEN] = {0}; + uint32_t hlen = 0; + if (ssh_key_type_plain(key->type) != sig->type) { SSH_LOG(SSH_LOG_WARN, "Can not verify %s signature with %s key", @@ -1870,6 +1873,49 @@ int pki_signature_verify(ssh_session session, return SSH_ERROR; } + /* For ed25519 keys, verify using the input directly */ + if (key->type == SSH_KEYTYPE_ED25519 || + key->type == SSH_KEYTYPE_ED25519_CERT01) + { + rc = pki_ed25519_verify(key, sig, input, input_len); + if (rc != SSH_OK){ + ssh_set_error(session, + SSH_FATAL, + "ed25519 signature verification error"); + return SSH_ERROR; + } + + return SSH_OK; + } + + /* For the other key types, calculate the hash and verify the signature */ + switch (sig->hash_type) { + case SSH_DIGEST_SHA256: + sha256(input, input_len, hash); + hlen = SHA256_DIGEST_LEN; + nid = NID_sha256; + break; + case SSH_DIGEST_SHA384: + sha384(input, input_len, hash); + hlen = SHA384_DIGEST_LEN; + nid = NID_sha384; + break; + case SSH_DIGEST_SHA512: + sha512(input, input_len, hash); + hlen = SHA512_DIGEST_LEN; + nid = NID_sha512; + break; + case SSH_DIGEST_AUTO: + case SSH_DIGEST_SHA1: + sha1(input, input_len, hash); + hlen = SHA_DIGEST_LEN; + nid = NID_sha1; + break; + default: + SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type); + return SSH_ERROR; + } + switch (key->type) { case SSH_KEYTYPE_DSS: case SSH_KEYTYPE_DSS_CERT01: @@ -1888,25 +1934,6 @@ int pki_signature_verify(ssh_session session, case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA_CERT01: - switch (sig->hash_type) { - case SSH_DIGEST_AUTO: - case SSH_DIGEST_SHA1: - nid = NID_sha1; - break; - case SSH_DIGEST_SHA256: - nid = NID_sha256; - break; - case SSH_DIGEST_SHA512: - nid = NID_sha512; - break; - default: - SSH_LOG(SSH_LOG_TRACE, "Unknown hash type %d", sig->hash_type); - ssh_set_error(session, - SSH_FATAL, - "Unexpected hash type %d during RSA verify", - sig->hash_type); - return SSH_ERROR; - } rc = RSA_verify(nid, hash, hlen, @@ -1922,16 +1949,6 @@ int pki_signature_verify(ssh_session session, return SSH_ERROR; } break; - case SSH_KEYTYPE_ED25519: - case SSH_KEYTYPE_ED25519_CERT01: - rc = pki_ed25519_verify(key, sig, hash, hlen); - if (rc != SSH_OK){ - ssh_set_error(session, - SSH_FATAL, - "ed25519 signature verification error"); - return SSH_ERROR; - } - break; case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P521: @@ -2040,6 +2057,11 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, return NULL; } +#ifdef DEBUG_CRYPTO + SSH_LOG(SSH_LOG_TRACE, "Generated signature for %s and hash_type = %d", + privkey->type_c, hash_type); +#endif + return sig; } diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c index 628ad3ba..c5bfbe3b 100644 --- a/src/pki_gcrypt.c +++ b/src/pki_gcrypt.c @@ -2088,14 +2088,19 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, int pki_signature_verify(ssh_session session, const ssh_signature sig, const ssh_key key, - const unsigned char *hash, - size_t hlen) + const unsigned char *input, + size_t input_len) { - unsigned char ghash[hlen + 1]; const char *hash_type = NULL; gcry_sexp_t sexp; gcry_error_t err; + unsigned char ghash[SHA512_DIGEST_LEN + 1] = {0}; + unsigned char *hash = ghash + 1; + uint32_t hlen = 0; + + int rc; + if (ssh_key_type_plain(key->type) != sig->type) { SSH_LOG(SSH_LOG_WARN, "Can not verify %s signature with %s key", @@ -2104,13 +2109,54 @@ int pki_signature_verify(ssh_session session, return SSH_ERROR; } + /* For ed25519 keys, verify using the input directly */ + if (key->type == SSH_KEYTYPE_ED25519 || + key->type == SSH_KEYTYPE_ED25519_CERT01) + { + rc = pki_ed25519_verify(key, sig, input, input_len); + if (rc != SSH_OK){ + ssh_set_error(session, + SSH_FATAL, + "ed25519 signature verification error"); + return SSH_ERROR; + } + + return SSH_OK; + } + + /* For the other key types, calculate the hash and verify the signature */ + switch (sig->hash_type) { + case SSH_DIGEST_SHA256: + sha256(input, input_len, hash); + hlen = SHA256_DIGEST_LEN; + hash_type = "sha256"; + break; + case SSH_DIGEST_SHA384: + sha384(input, input_len, hash); + hlen = SHA384_DIGEST_LEN; + hash_type = "sha384"; + break; + case SSH_DIGEST_SHA512: + sha512(input, input_len, hash); + hlen = SHA512_DIGEST_LEN; + hash_type = "sha512"; + break; + case SSH_DIGEST_AUTO: + case SSH_DIGEST_SHA1: + sha1(input, input_len, hash); + hlen = SHA_DIGEST_LEN; + hash_type = "sha1"; + break; + default: + SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type); + return SSH_ERROR; + } + switch(key->type) { case SSH_KEYTYPE_DSS: case SSH_KEYTYPE_DSS_CERT01: /* That is to mark the number as positive */ if(hash[0] >= 0x80) { - memcpy(ghash + 1, hash, hlen); - ghash[0] = 0; hash = ghash; hlen += 1; } @@ -2137,25 +2183,6 @@ int pki_signature_verify(ssh_session session, break; case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA_CERT01: - switch (sig->hash_type) { - case SSH_DIGEST_SHA256: - hash_type = "sha256"; - break; - case SSH_DIGEST_SHA512: - hash_type = "sha512"; - break; - case SSH_DIGEST_SHA1: - case SSH_DIGEST_AUTO: - hash_type = "sha1"; - break; - default: - SSH_LOG(SSH_LOG_TRACE, "Unknown sig type %d", sig->hash_type); - ssh_set_error(session, - SSH_FATAL, - "Unexpected signature type %d during RSA verify", - sig->hash_type); - return SSH_ERROR; - } err = gcry_sexp_build(&sexp, NULL, "(data(flags pkcs1)(hash %s %b))", @@ -2180,14 +2207,6 @@ int pki_signature_verify(ssh_session session, return SSH_ERROR; } break; - case SSH_KEYTYPE_ED25519: - case SSH_KEYTYPE_ED25519_CERT01: - err = pki_ed25519_verify(key, sig, hash, hlen); - if (err != SSH_OK){ - ssh_set_error(session, SSH_FATAL, "ed25519 signature verification error"); - return SSH_ERROR; - } - break; case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P521: diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c index 735001e1..fc732668 100644 --- a/src/pki_mbedcrypto.c +++ b/src/pki_mbedcrypto.c @@ -1022,11 +1022,14 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, } int pki_signature_verify(ssh_session session, const ssh_signature sig, const - ssh_key key, const unsigned char *hash, size_t hlen) + ssh_key key, const unsigned char *input, size_t input_len) { int rc; mbedtls_md_type_t md = 0; + unsigned char hash[SHA512_DIGEST_LEN] = {0}; + uint32_t hlen = 0; + if (ssh_key_type_plain(key->type) != sig->type) { SSH_LOG(SSH_LOG_WARN, "Can not verify %s signature with %s key", @@ -1035,28 +1038,52 @@ int pki_signature_verify(ssh_session session, const ssh_signature sig, const return SSH_ERROR; } + /* For ed25519 keys, verify using the input directly */ + if (key->type == SSH_KEYTYPE_ED25519 || + key->type == SSH_KEYTYPE_ED25519_CERT01) + { + rc = pki_ed25519_verify(key, sig, input, input_len); + if (rc != SSH_OK){ + ssh_set_error(session, + SSH_FATAL, + "ed25519 signature verification error"); + return SSH_ERROR; + } + + return SSH_OK; + } + + /* For the other key types, calculate the hash and verify the signature */ + switch (sig->hash_type) { + case SSH_DIGEST_SHA256: + sha256(input, input_len, hash); + hlen = SHA256_DIGEST_LEN; + md = MBEDTLS_MD_SHA256; + break; + case SSH_DIGEST_SHA384: + sha384(input, input_len, hash); + hlen = SHA384_DIGEST_LEN; + md = MBEDTLS_MD_SHA384; + break; + case SSH_DIGEST_SHA512: + sha512(input, input_len, hash); + hlen = SHA512_DIGEST_LEN; + md = MBEDTLS_MD_SHA512; + break; + case SSH_DIGEST_AUTO: + case SSH_DIGEST_SHA1: + sha1(input, input_len, hash); + hlen = SHA_DIGEST_LEN; + md = MBEDTLS_MD_SHA1; + break; + default: + SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type); + return SSH_ERROR; + } + switch (key->type) { case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA_CERT01: - switch (sig->hash_type) { - case SSH_DIGEST_SHA1: - case SSH_DIGEST_AUTO: - md = MBEDTLS_MD_SHA1; - break; - case SSH_DIGEST_SHA256: - md = MBEDTLS_MD_SHA256; - break; - case SSH_DIGEST_SHA512: - md = MBEDTLS_MD_SHA512; - break; - default: - SSH_LOG(SSH_LOG_TRACE, "Unknown sig type %d", sig->hash_type); - ssh_set_error(session, - SSH_FATAL, - "Unexpected signature hash type %d during RSA verify", - sig->hash_type); - return SSH_ERROR; - } rc = mbedtls_pk_verify(key->rsa, md, hash, hlen, ssh_string_data(sig->rsa_sig), ssh_string_len(sig->rsa_sig)); @@ -1078,20 +1105,11 @@ int pki_signature_verify(ssh_session session, const ssh_signature sig, const if (rc != 0) { char error_buf[100]; mbedtls_strerror(rc, error_buf, 100); - ssh_set_error(session, SSH_FATAL, "RSA error: %s", error_buf); + ssh_set_error(session, SSH_FATAL, "ECDSA error: %s", error_buf); return SSH_ERROR; } break; - case SSH_KEYTYPE_ED25519: - case SSH_KEYTYPE_ED25519_CERT01: - rc = pki_ed25519_verify(key, sig, hash, hlen); - if (rc != SSH_OK) { - ssh_set_error(session, SSH_FATAL, - "ed25519 signature verification error"); - return SSH_ERROR; - } - break; default: ssh_set_error(session, SSH_FATAL, "Unknown public key type"); return SSH_ERROR; diff --git a/tests/unittests/torture_pki.c b/tests/unittests/torture_pki.c index 9e1757f7..4cff35c7 100644 --- a/tests/unittests/torture_pki.c +++ b/tests/unittests/torture_pki.c @@ -206,7 +206,7 @@ static void torture_pki_verify_mismatch(void **state) sig_type, hash); /* Create a valid signature using this key */ - sign = pki_do_sign_hash(key, HASH, hash_length, hash); + sign = pki_do_sign(key, HASH, hash_length, hash); assert_non_null(sign); assert_int_equal(sign->type, key->type); if (hash == SSH_DIGEST_AUTO) { diff --git a/tests/unittests/torture_pki_dsa.c b/tests/unittests/torture_pki_dsa.c index d8d4b69d..9675bbb0 100644 --- a/tests/unittests/torture_pki_dsa.c +++ b/tests/unittests/torture_pki_dsa.c @@ -621,7 +621,7 @@ static void torture_pki_dsa_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 1024, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, DSA_HASH, 20); + sign = pki_do_sign(key, DSA_HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,DSA_HASH,20); assert_true(rc == SSH_OK); @@ -631,7 +631,7 @@ static void torture_pki_dsa_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 2048, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, DSA_HASH, 20); + sign = pki_do_sign(key, DSA_HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,DSA_HASH,20); assert_true(rc == SSH_OK); @@ -641,7 +641,7 @@ static void torture_pki_dsa_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_DSS, 3072, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, DSA_HASH, 20); + sign = pki_do_sign(key, DSA_HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,DSA_HASH,20); assert_true(rc == SSH_OK); @@ -671,7 +671,7 @@ static void torture_pki_dsa_cert_verify(void **state) assert_true(rc == 0); assert_non_null(cert); - sign = pki_do_sign(privkey, DSA_HASH, 20); + sign = pki_do_sign(privkey, DSA_HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session, sign, cert, DSA_HASH, 20); assert_true(rc == SSH_OK); diff --git a/tests/unittests/torture_pki_ecdsa.c b/tests/unittests/torture_pki_ecdsa.c index 138ee267..f07e60d0 100644 --- a/tests/unittests/torture_pki_ecdsa.c +++ b/tests/unittests/torture_pki_ecdsa.c @@ -474,7 +474,7 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA_P256, 0, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, ECDSA_HASH, 20); + sign = pki_do_sign(key, ECDSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); @@ -492,7 +492,7 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA, 256, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, ECDSA_HASH, 20); + sign = pki_do_sign(key, ECDSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); @@ -509,7 +509,7 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA_P384, 0, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, ECDSA_HASH, 20); + sign = pki_do_sign(key, ECDSA_HASH, 20, SSH_DIGEST_SHA384); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); @@ -527,7 +527,7 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA, 384, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, ECDSA_HASH, 20); + sign = pki_do_sign(key, ECDSA_HASH, 20, SSH_DIGEST_SHA384); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); @@ -544,7 +544,7 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA_P521, 0, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, ECDSA_HASH, 20); + sign = pki_do_sign(key, ECDSA_HASH, 20, SSH_DIGEST_SHA512); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); @@ -562,7 +562,7 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA, 521, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, ECDSA_HASH, 20); + sign = pki_do_sign(key, ECDSA_HASH, 20, SSH_DIGEST_SHA512); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); @@ -599,7 +599,7 @@ static void torture_pki_ecdsa_cert_verify(void **state) assert_true(rc == 0); assert_non_null(cert); - sign = pki_do_sign(privkey, ECDSA_HASH, 20); + sign = pki_do_sign(privkey, ECDSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session, sign, cert, ECDSA_HASH, 20); assert_true(rc == SSH_OK); diff --git a/tests/unittests/torture_pki_ed25519.c b/tests/unittests/torture_pki_ed25519.c index 7baea924..0ace82c6 100644 --- a/tests/unittests/torture_pki_ed25519.c +++ b/tests/unittests/torture_pki_ed25519.c @@ -349,7 +349,7 @@ static void torture_pki_ed25519_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_ED25519, 256, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, HASH, 20); + sign = pki_do_sign(key, HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,HASH,20); assert_true(rc == SSH_OK); @@ -389,7 +389,7 @@ static void torture_pki_ed25519_cert_verify(void **state) assert_true(rc == 0); assert_non_null(cert); - sign = pki_do_sign(privkey, HASH, 20); + sign = pki_do_sign(privkey, HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session, sign, cert, HASH, 20); assert_true(rc == SSH_OK); diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c index 9333e8c3..04068cbd 100644 --- a/tests/unittests/torture_pki_rsa.c +++ b/tests/unittests/torture_pki_rsa.c @@ -469,7 +469,7 @@ static void torture_pki_rsa_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 1024, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, RSA_HASH, 20); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,RSA_HASH,20); assert_true(rc == SSH_OK); @@ -480,7 +480,7 @@ static void torture_pki_rsa_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 2048, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, RSA_HASH, 20); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,RSA_HASH,20); assert_true(rc == SSH_OK); @@ -491,7 +491,7 @@ static void torture_pki_rsa_generate_key(void **state) rc = ssh_pki_generate(SSH_KEYTYPE_RSA, 4096, &key); assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, RSA_HASH, 20); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,RSA_HASH,20); assert_true(rc == SSH_OK); @@ -522,7 +522,7 @@ static void torture_pki_rsa_sha2(void **state) assert_non_null(cert); /* Sign using automatic digest */ - sign = pki_do_sign_hash(key, RSA_HASH, 20, SSH_DIGEST_AUTO); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_AUTO); assert_non_null(sign); rc = pki_signature_verify(session, sign, key, RSA_HASH, 20); assert_ssh_return_code(session, rc); @@ -531,7 +531,7 @@ static void torture_pki_rsa_sha2(void **state) ssh_signature_free(sign); /* Sign using old SHA1 digest */ - sign = pki_do_sign_hash(key, RSA_HASH, 20, SSH_DIGEST_SHA1); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA1); assert_non_null(sign); rc = pki_signature_verify(session, sign, key, RSA_HASH, 20); assert_ssh_return_code(session, rc); @@ -540,7 +540,7 @@ static void torture_pki_rsa_sha2(void **state) ssh_signature_free(sign); /* Sign using new SHA256 digest */ - sign = pki_do_sign_hash(key, SHA256_HASH, 32, SSH_DIGEST_SHA256); + sign = pki_do_sign(key, SHA256_HASH, 32, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session, sign, key, SHA256_HASH, 32); assert_ssh_return_code(session, rc); @@ -549,7 +549,7 @@ static void torture_pki_rsa_sha2(void **state) ssh_signature_free(sign); /* Sign using rsa-sha2-512 algorithm */ - sign = pki_do_sign_hash(key, SHA512_HASH, 64, SSH_DIGEST_SHA512); + sign = pki_do_sign(key, SHA512_HASH, 64, SSH_DIGEST_SHA512); assert_non_null(sign); rc = pki_signature_verify(session, sign, key, SHA512_HASH, 64); assert_ssh_return_code(session, rc); diff --git a/tests/unittests/torture_threads_pki_rsa.c b/tests/unittests/torture_threads_pki_rsa.c index e333da3b..752db411 100644 --- a/tests/unittests/torture_threads_pki_rsa.c +++ b/tests/unittests/torture_threads_pki_rsa.c @@ -575,7 +575,7 @@ static void *thread_pki_rsa_generate_key(void *threadid) assert_ssh_return_code(session, rc); assert_non_null(key); - sign = pki_do_sign(key, RSA_HASH, 20); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,RSA_HASH,20); @@ -588,7 +588,7 @@ static void *thread_pki_rsa_generate_key(void *threadid) assert_ssh_return_code(session, rc); assert_non_null(key); - sign = pki_do_sign(key, RSA_HASH, 20); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,RSA_HASH,20); @@ -602,7 +602,7 @@ static void *thread_pki_rsa_generate_key(void *threadid) assert_true(rc == SSH_OK); assert_non_null(key); - sign = pki_do_sign(key, RSA_HASH, 20); + sign = pki_do_sign(key, RSA_HASH, 20, SSH_DIGEST_SHA256); assert_non_null(sign); rc = pki_signature_verify(session,sign,key,RSA_HASH,20);