dh: Remove obsolete signature functions.
Этот коммит содержится в:
Andreas Schneider
родитель
8edf57fbf2
Коммит
9da331e79b
@ -49,10 +49,6 @@ int make_sessionid(ssh_session session);
|
||||
int hashbufin_add_cookie(ssh_session session, unsigned char *cookie);
|
||||
int hashbufout_add_cookie(ssh_session session);
|
||||
int generate_session_keys(ssh_session session);
|
||||
int sig_verify(ssh_session session, ssh_public_key pubkey,
|
||||
SIGNATURE *signature, unsigned char *digest, int size);
|
||||
/* returns 1 if server signature ok, 0 otherwise. The NEXT crypto is checked, not the current one */
|
||||
int signature_verify(ssh_session session,ssh_string signature);
|
||||
bignum make_string_bn(ssh_string string);
|
||||
ssh_string make_bignum_string(bignum num);
|
||||
|
||||
|
||||
140
src/dh.c
140
src/dh.c
@ -1017,146 +1017,6 @@ ssh_string ssh_get_pubkey(ssh_session session){
|
||||
return ssh_string_copy(session->current_crypto->server_pubkey);
|
||||
}
|
||||
|
||||
int sig_verify(ssh_session session, ssh_public_key pubkey,
|
||||
SIGNATURE *signature, unsigned char *digest, int size) {
|
||||
#ifdef HAVE_LIBGCRYPT
|
||||
gcry_error_t valid = 0;
|
||||
gcry_sexp_t gcryhash;
|
||||
#elif defined HAVE_LIBCRYPTO
|
||||
int valid = 0;
|
||||
#endif
|
||||
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
|
||||
|
||||
sha1(digest, size, hash + 1);
|
||||
|
||||
#ifdef DEBUG_CRYPTO
|
||||
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
|
||||
#endif
|
||||
|
||||
switch(pubkey->type) {
|
||||
case SSH_KEYTYPE_DSS:
|
||||
#ifdef HAVE_LIBGCRYPT
|
||||
valid = gcry_sexp_build(&gcryhash, NULL, "%b", SHA_DIGEST_LEN + 1, hash);
|
||||
if (valid != 0) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"RSA error: %s", gcry_strerror(valid));
|
||||
return -1;
|
||||
}
|
||||
valid = gcry_pk_verify(signature->dsa_sign, gcryhash, pubkey->dsa_pub);
|
||||
gcry_sexp_release(gcryhash);
|
||||
if (valid == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (gcry_err_code(valid) != GPG_ERR_BAD_SIGNATURE) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"DSA error: %s", gcry_strerror(valid));
|
||||
return -1;
|
||||
}
|
||||
#elif defined HAVE_LIBCRYPTO
|
||||
valid = DSA_do_verify(hash + 1, SHA_DIGEST_LEN, signature->dsa_sign,
|
||||
pubkey->dsa_pub);
|
||||
if (valid == 1) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (valid == -1) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"DSA error: %s", ERR_error_string(ERR_get_error(), NULL));
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
ssh_set_error(session, SSH_FATAL, "Invalid DSA signature");
|
||||
return -1;
|
||||
|
||||
case SSH_KEYTYPE_RSA:
|
||||
case SSH_KEYTYPE_RSA1:
|
||||
#ifdef HAVE_LIBGCRYPT
|
||||
valid = gcry_sexp_build(&gcryhash, NULL,
|
||||
"(data(flags pkcs1)(hash sha1 %b))", SHA_DIGEST_LEN, hash + 1);
|
||||
if (valid != 0) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"RSA error: %s", gcry_strerror(valid));
|
||||
return -1;
|
||||
}
|
||||
valid = gcry_pk_verify(signature->rsa_sign,gcryhash,pubkey->rsa_pub);
|
||||
gcry_sexp_release(gcryhash);
|
||||
if (valid == 0) {
|
||||
return 0;
|
||||
}
|
||||
if (gcry_err_code(valid) != GPG_ERR_BAD_SIGNATURE) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"RSA error: %s", gcry_strerror(valid));
|
||||
return -1;
|
||||
}
|
||||
#elif defined HAVE_LIBCRYPTO
|
||||
valid = RSA_verify(NID_sha1, hash + 1, SHA_DIGEST_LEN,
|
||||
signature->rsa_sign->string, ssh_string_len(signature->rsa_sign),
|
||||
pubkey->rsa_pub);
|
||||
if (valid == 1) {
|
||||
return 0;
|
||||
}
|
||||
if (valid == -1) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"RSA error: %s", ERR_error_string(ERR_get_error(), NULL));
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
ssh_set_error(session, SSH_FATAL, "Invalid RSA signature");
|
||||
return -1;
|
||||
default:
|
||||
ssh_set_error(session, SSH_FATAL, "Unknown public key type");
|
||||
return -1;
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
int signature_verify(ssh_session session, ssh_string signature) {
|
||||
ssh_public_key pubkey = NULL;
|
||||
SIGNATURE *sign = NULL;
|
||||
int err;
|
||||
|
||||
enter_function();
|
||||
|
||||
pubkey = publickey_from_string(session,session->next_crypto->server_pubkey);
|
||||
if(pubkey == NULL) {
|
||||
leave_function();
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (session->wanted_methods[SSH_HOSTKEYS]) {
|
||||
if(!ssh_match_group(session->wanted_methods[SSH_HOSTKEYS],pubkey->type_c)) {
|
||||
ssh_set_error(session, SSH_FATAL,
|
||||
"Public key from server (%s) doesn't match user preference (%s)",
|
||||
pubkey->type_c, session->wanted_methods[SSH_HOSTKEYS]);
|
||||
publickey_free(pubkey);
|
||||
leave_function();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
sign = signature_from_string(session, signature, pubkey, pubkey->type);
|
||||
if (sign == NULL) {
|
||||
ssh_set_error(session, SSH_FATAL, "Invalid signature blob");
|
||||
publickey_free(pubkey);
|
||||
leave_function();
|
||||
return -1;
|
||||
}
|
||||
|
||||
ssh_log(session, SSH_LOG_FUNCTIONS,
|
||||
"Going to verify a %s type signature", pubkey->type_c);
|
||||
|
||||
err = sig_verify(session,pubkey,sign,
|
||||
session->next_crypto->session_id, session->next_crypto->digest_len);
|
||||
signature_free(sign);
|
||||
session->next_crypto->server_pubkey_type = pubkey->type_c;
|
||||
publickey_free(pubkey);
|
||||
|
||||
leave_function();
|
||||
return err;
|
||||
}
|
||||
|
||||
/** @} */
|
||||
|
||||
/* vim: set ts=4 sw=4 et cindent: */
|
||||
|
||||
Загрузка…
x
Ссылка в новой задаче
Block a user