auth, pki: Calculate hash internally when signing/verifying

This makes pki_do_sign() and pki_signature_verify() to receive the original input instead of the pre-calculated hash. The hash is then calculated internally. The hash to be used inside the signature is decided earlier, when all the information about the signature to be generated/verified is available. Simplify ssh_pki_do_sign() and ssh_srv_pki_do_sign_sessionid(). The tests were modified to use pki_do_sign() instead of pki_do_sign_hash(). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-06 10:27:22 +09:00 · 2019-04-29 16:29:16 +02:00
parent 58b3b2696c
commit 76f9808eb2
13 changed files with 264 additions and 277 deletions
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -101,6 +101,8 @@ ssh_key_get_signature_algorithm(ssh_session session,
                                enum ssh_keytypes_e type);
 enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name);
 enum ssh_keytypes_e ssh_key_type_plain(enum ssh_keytypes_e type);
+enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
+                                       enum ssh_keytypes_e type);

 #define is_ecdsa_key_type(t) \
    ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521)
@@ -138,7 +140,7 @@ int ssh_pki_import_cert_blob(const ssh_string cert_blob,

 /* SSH Signing Functions */
 ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf,
-    const ssh_key privatekey);
+    const ssh_key privatekey, enum ssh_digest_e hash_type);
 ssh_string ssh_pki_do_sign_agent(ssh_session session,
                                 struct ssh_buffer_struct *buf,
                                 const ssh_key pubkey);
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -117,12 +117,14 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
 int pki_signature_verify(ssh_session session,
                         const ssh_signature sig,
                         const ssh_key key,
-                         const unsigned char *hash,
-                         size_t hlen);
+                         const unsigned char *input,
+                         size_t input_len);

 /* SSH Signing Functions */
-#define pki_do_sign(key, hash, hlen) \
-    pki_do_sign_hash(key, hash, hlen, SSH_DIGEST_AUTO)
+ssh_signature pki_do_sign(const ssh_key privkey,
+                          const unsigned char *input,
+                          size_t input_len,
+                          enum ssh_digest_e hash_type);
 ssh_signature pki_do_sign_hash(const ssh_key privkey,
                               const unsigned char *hash,
                               size_t hlen,