shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-06 10:27:22 +09:00
Code Issues Packages Projects Releases Wiki Activity

auth, pki: Calculate hash internally when signing/verifying

Browse Source 
This makes pki_do_sign() and pki_signature_verify() to receive the
original input instead of the pre-calculated hash.  The hash is then
calculated internally.

The hash to be used inside the signature is decided earlier, when all
the information about the signature to be generated/verified is
available.

Simplify ssh_pki_do_sign() and ssh_srv_pki_do_sign_sessionid().

The tests were modified to use pki_do_sign() instead of
pki_do_sign_hash().

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Anderson Toshiyuki Sasaki
2019-04-29 16:29:16 +02:00
committed by Andreas Schneider
parent 58b3b2696c
commit 76f9808eb2
13 changed files with 264 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/auth.c
View File

@@ -613,6 +613,7 @@ int ssh_userauth_publickey(ssh_session session,
int rc;
const char *sig_type_c = NULL;
enum ssh_keytypes_e key_type;
enum ssh_digest_e hash_type;
if (session == NULL) {
return SSH_AUTH_ERROR;
@@ -681,8 +682,11 @@ int ssh_userauth_publickey(ssh_session session,
}
ssh_string_free(str);
/* Get the hash type to be used in the signature based on the key type */
hash_type = ssh_key_type_to_hash(session, privkey->type);
/* sign the buffer with the private key */
str = ssh_pki_do_sign(session, session->out_buffer, privkey);
str = ssh_pki_do_sign(session, session->out_buffer, privkey, hash_type);
if (str == NULL) {
goto fail;
}

228
src/pki.c
View File

@@ -2064,12 +2064,18 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob,
int ssh_pki_signature_verify(ssh_session session,
ssh_signature sig,
const ssh_key key,
unsigned char *digest,
size_t dlen)
unsigned char *input,
size_t input_len)
{
int rc;
enum ssh_keytypes_e key_type = ssh_key_type_plain(key->type);
if (session == NULL || sig == NULL || key == NULL || input == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to "
"ssh_pki_signature_verify()");
return SSH_ERROR;
}
SSH_LOG(SSH_LOG_FUNCTIONS,
"Going to verify a %s type signature",
sig->type_c);
@@ -2081,77 +2087,68 @@ int ssh_pki_signature_verify(ssh_session session,
return SSH_ERROR;
}
if (is_ecdsa_key_type(key_type)) {
#if HAVE_ECC
unsigned char ehash[EVP_DIGEST_LEN] = {0};
uint32_t elen;
evp(key->ecdsa_nid, digest, dlen, ehash, &elen);
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Hash to be verified with ecdsa",
ehash, elen);
#endif
rc = pki_signature_verify(session,
sig,
key,
ehash,
elen);
#endif
} else if (key_type == SSH_KEYTYPE_ED25519) {
rc = pki_signature_verify(session, sig, key, digest, dlen);
} else {
unsigned char hash[SHA512_DIGEST_LEN] = {0};
uint32_t hlen = 0;
if (sig->type != SSH_KEYTYPE_RSA && sig->hash_type != SSH_DIGEST_AUTO) {
SSH_LOG(SSH_LOG_TRACE, "Only RSA keys support non-SHA1 hashes.");
return SSH_ERROR;
}
switch (sig->hash_type) {
case SSH_DIGEST_SHA256:
sha256(digest, dlen, hash);
hlen = SHA256_DIGEST_LEN;
break;
case SSH_DIGEST_SHA512:
sha512(digest, dlen, hash);
hlen = SHA512_DIGEST_LEN;
break;
case SSH_DIGEST_SHA1:
case SSH_DIGEST_AUTO:
sha1(digest, dlen, hash);
hlen = SHA_DIGEST_LEN;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type);
return SSH_ERROR;
}
#ifdef DEBUG_CRYPTO
ssh_print_hexa(key_type == SSH_KEYTYPE_DSS
? "Hash to be verified with DSA"
: "Hash to be verified with RSA",
hash,
hlen);
#endif
rc = pki_signature_verify(session,
sig,
key,
hash,
hlen);
}
rc = pki_signature_verify(session, sig, key, input, input_len);
return rc;
}
ssh_signature pki_do_sign(const ssh_key privkey,
const unsigned char *input,
size_t input_len,
enum ssh_digest_e hash_type)
{
unsigned char hash[SHA512_DIGEST_LEN] = {0};
uint32_t hlen = 0;
if (privkey == NULL || input == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to "
"pki_do_sign()");
return NULL;
}
if (privkey->type == SSH_KEYTYPE_ED25519 ||
privkey->type == SSH_KEYTYPE_ED25519_CERT01)
{
return pki_do_sign_hash(privkey, input, input_len, SSH_DIGEST_AUTO);
}
switch (hash_type) {
case SSH_DIGEST_SHA256:
sha256(input, input_len, hash);
hlen = SHA256_DIGEST_LEN;
break;
case SSH_DIGEST_SHA384:
sha384(input, input_len, hash);
hlen = SHA384_DIGEST_LEN;
break;
case SSH_DIGEST_SHA512:
sha512(input, input_len, hash);
hlen = SHA512_DIGEST_LEN;
break;
case SSH_DIGEST_AUTO:
case SSH_DIGEST_SHA1:
sha1(input, input_len, hash);
hlen = SHA_DIGEST_LEN;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d",
hash_type);
goto error;
}
return pki_do_sign_hash(privkey, hash, hlen, hash_type);
error:
return NULL;
}
/*
* This function signs the session id as a string then
* the content of sigbuf */
ssh_string ssh_pki_do_sign(ssh_session session,
ssh_buffer sigbuf,
const ssh_key privkey)
const ssh_key privkey,
enum ssh_digest_e hash_type)
{
struct ssh_crypto_struct *crypto = NULL;
@@ -2161,11 +2158,13 @@ ssh_string ssh_pki_do_sign(ssh_session session,
ssh_string session_id = NULL;
ssh_buffer sign_input = NULL;
enum ssh_digest_e hash_type;
int rc;
if (privkey == NULL || !ssh_key_is_private(privkey)) {
if (session == NULL || sigbuf == NULL || privkey == NULL ||
!ssh_key_is_private(privkey))
{
SSH_LOG(SSH_LOG_TRACE, "Bad parameter provided to "
"ssh_pki_do_sign()");
return NULL;
}
@@ -2181,9 +2180,6 @@ ssh_string ssh_pki_do_sign(ssh_session session,
}
ssh_string_fill(session_id, crypto->session_id, crypto->digest_len);
/* Get the hash type from the key type */
hash_type = ssh_key_type_to_hash(session, privkey->type);
/* Fill the input */
sign_input = ssh_buffer_new();
if (sign_input == NULL) {
@@ -2200,52 +2196,14 @@ ssh_string ssh_pki_do_sign(ssh_session session,
}
/* Generate the signature */
if (privkey->type == SSH_KEYTYPE_ED25519){
sig = pki_do_sign(privkey,
ssh_buffer_get(sign_input),
ssh_buffer_get_len(sign_input));
} else {
unsigned char hash[SHA512_DIGEST_LEN] = {0};
uint32_t hlen = 0;
switch (hash_type) {
case SSH_DIGEST_SHA256:
sha256(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA256_DIGEST_LEN;
break;
case SSH_DIGEST_SHA384:
sha384(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA384_DIGEST_LEN;
break;
case SSH_DIGEST_SHA512:
sha512(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA512_DIGEST_LEN;
break;
case SSH_DIGEST_SHA1:
case SSH_DIGEST_AUTO:
sha1(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA_DIGEST_LEN;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d",
hash_type);
goto end;
}
sig = pki_do_sign_hash(privkey, hash, hlen, hash_type);
}
sig = pki_do_sign(privkey,
ssh_buffer_get(sign_input),
ssh_buffer_get_len(sign_input),
hash_type);
if (sig == NULL) {
goto end;
}
#ifdef DEBUG_CRYPTO
SSH_LOG(SSH_LOG_TRACE, "Generated signature for %s and hash_type = %d",
privkey->type_c, hash_type);
#endif
/* Convert the signature to blob */
rc = ssh_pki_export_signature_blob(sig, &sig_blob);
if (rc < 0) {
@@ -2355,52 +2313,14 @@ ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session,
}
/* Generate the signature */
if (privkey->type == SSH_KEYTYPE_ED25519){
sig = pki_do_sign(privkey,
ssh_buffer_get(sign_input),
ssh_buffer_get_len(sign_input));
} else {
unsigned char hash[SHA512_DIGEST_LEN] = {0};
uint32_t hlen = 0;
switch (hash_type) {
case SSH_DIGEST_SHA256:
sha256(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA256_DIGEST_LEN;
break;
case SSH_DIGEST_SHA384:
sha384(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA384_DIGEST_LEN;
break;
case SSH_DIGEST_SHA512:
sha512(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA512_DIGEST_LEN;
break;
case SSH_DIGEST_SHA1:
case SSH_DIGEST_AUTO:
sha1(ssh_buffer_get(sign_input), ssh_buffer_get_len(sign_input),
hash);
hlen = SHA_DIGEST_LEN;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown hash algorithm for type: %d",
hash_type);
goto end;
}
sig = pki_do_sign_hash(privkey, hash, hlen, hash_type);
}
sig = pki_do_sign(privkey,
ssh_buffer_get(sign_input),
ssh_buffer_get_len(sign_input),
hash_type);
if (sig == NULL) {
goto end;
}
#ifdef DEBUG_CRYPTO
SSH_LOG(SSH_LOG_TRACE, "Generated signature for %s and hash_type = %d",
privkey->type_c, hash_type);
#endif
/* Convert the signature to blob */
rc = ssh_pki_export_signature_blob(sig, &sig_blob);
if (rc < 0) {

84
src/pki_crypto.c
View File

@@ -1856,12 +1856,15 @@ error:
int pki_signature_verify(ssh_session session,
const ssh_signature sig,
const ssh_key key,
const unsigned char *hash,
size_t hlen)
const unsigned char *input,
size_t input_len)
{
int rc;
int nid;
unsigned char hash[SHA512_DIGEST_LEN] = {0};
uint32_t hlen = 0;
if (ssh_key_type_plain(key->type) != sig->type) {
SSH_LOG(SSH_LOG_WARN,
"Can not verify %s signature with %s key",
@@ -1870,6 +1873,49 @@ int pki_signature_verify(ssh_session session,
return SSH_ERROR;
}
/* For ed25519 keys, verify using the input directly */
if (key->type == SSH_KEYTYPE_ED25519 ||
key->type == SSH_KEYTYPE_ED25519_CERT01)
{
rc = pki_ed25519_verify(key, sig, input, input_len);
if (rc != SSH_OK){
ssh_set_error(session,
SSH_FATAL,
"ed25519 signature verification error");
return SSH_ERROR;
}
return SSH_OK;
}
/* For the other key types, calculate the hash and verify the signature */
switch (sig->hash_type) {
case SSH_DIGEST_SHA256:
sha256(input, input_len, hash);
hlen = SHA256_DIGEST_LEN;
nid = NID_sha256;
break;
case SSH_DIGEST_SHA384:
sha384(input, input_len, hash);
hlen = SHA384_DIGEST_LEN;
nid = NID_sha384;
break;
case SSH_DIGEST_SHA512:
sha512(input, input_len, hash);
hlen = SHA512_DIGEST_LEN;
nid = NID_sha512;
break;
case SSH_DIGEST_AUTO:
case SSH_DIGEST_SHA1:
sha1(input, input_len, hash);
hlen = SHA_DIGEST_LEN;
nid = NID_sha1;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type);
return SSH_ERROR;
}
switch (key->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_DSS_CERT01:
@@ -1888,25 +1934,6 @@ int pki_signature_verify(ssh_session session,
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_RSA_CERT01:
switch (sig->hash_type) {
case SSH_DIGEST_AUTO:
case SSH_DIGEST_SHA1:
nid = NID_sha1;
break;
case SSH_DIGEST_SHA256:
nid = NID_sha256;
break;
case SSH_DIGEST_SHA512:
nid = NID_sha512;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown hash type %d", sig->hash_type);
ssh_set_error(session,
SSH_FATAL,
"Unexpected hash type %d during RSA verify",
sig->hash_type);
return SSH_ERROR;
}
rc = RSA_verify(nid,
hash,
hlen,
@@ -1922,16 +1949,6 @@ int pki_signature_verify(ssh_session session,
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ED25519:
case SSH_KEYTYPE_ED25519_CERT01:
rc = pki_ed25519_verify(key, sig, hash, hlen);
if (rc != SSH_OK){
ssh_set_error(session,
SSH_FATAL,
"ed25519 signature verification error");
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521:
@@ -2040,6 +2057,11 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey,
return NULL;
}
#ifdef DEBUG_CRYPTO
SSH_LOG(SSH_LOG_TRACE, "Generated signature for %s and hash_type = %d",
privkey->type_c, hash_type);
#endif
return sig;
}

83
src/pki_gcrypt.c
View File

@@ -2088,14 +2088,19 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
int pki_signature_verify(ssh_session session,
const ssh_signature sig,
const ssh_key key,
const unsigned char *hash,
size_t hlen)
const unsigned char *input,
size_t input_len)
{
unsigned char ghash[hlen + 1];
const char *hash_type = NULL;
gcry_sexp_t sexp;
gcry_error_t err;
unsigned char ghash[SHA512_DIGEST_LEN + 1] = {0};
unsigned char *hash = ghash + 1;
uint32_t hlen = 0;
int rc;
if (ssh_key_type_plain(key->type) != sig->type) {
SSH_LOG(SSH_LOG_WARN,
"Can not verify %s signature with %s key",
@@ -2104,13 +2109,54 @@ int pki_signature_verify(ssh_session session,
return SSH_ERROR;
}
/* For ed25519 keys, verify using the input directly */
if (key->type == SSH_KEYTYPE_ED25519 ||
key->type == SSH_KEYTYPE_ED25519_CERT01)
{
rc = pki_ed25519_verify(key, sig, input, input_len);
if (rc != SSH_OK){
ssh_set_error(session,
SSH_FATAL,
"ed25519 signature verification error");
return SSH_ERROR;
}
return SSH_OK;
}
/* For the other key types, calculate the hash and verify the signature */
switch (sig->hash_type) {
case SSH_DIGEST_SHA256:
sha256(input, input_len, hash);
hlen = SHA256_DIGEST_LEN;
hash_type = "sha256";
break;
case SSH_DIGEST_SHA384:
sha384(input, input_len, hash);
hlen = SHA384_DIGEST_LEN;
hash_type = "sha384";
break;
case SSH_DIGEST_SHA512:
sha512(input, input_len, hash);
hlen = SHA512_DIGEST_LEN;
hash_type = "sha512";
break;
case SSH_DIGEST_AUTO:
case SSH_DIGEST_SHA1:
sha1(input, input_len, hash);
hlen = SHA_DIGEST_LEN;
hash_type = "sha1";
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type);
return SSH_ERROR;
}
switch(key->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_DSS_CERT01:
/* That is to mark the number as positive */
if(hash[0] >= 0x80) {
memcpy(ghash + 1, hash, hlen);
ghash[0] = 0;
hash = ghash;
hlen += 1;
}
@@ -2137,25 +2183,6 @@ int pki_signature_verify(ssh_session session,
break;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01:
switch (sig->hash_type) {
case SSH_DIGEST_SHA256:
hash_type = "sha256";
break;
case SSH_DIGEST_SHA512:
hash_type = "sha512";
break;
case SSH_DIGEST_SHA1:
case SSH_DIGEST_AUTO:
hash_type = "sha1";
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown sig type %d", sig->hash_type);
ssh_set_error(session,
SSH_FATAL,
"Unexpected signature type %d during RSA verify",
sig->hash_type);
return SSH_ERROR;
}
err = gcry_sexp_build(&sexp,
NULL,
"(data(flags pkcs1)(hash %s %b))",
@@ -2180,14 +2207,6 @@ int pki_signature_verify(ssh_session session,
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ED25519:
case SSH_KEYTYPE_ED25519_CERT01:
err = pki_ed25519_verify(key, sig, hash, hlen);
if (err != SSH_OK){
ssh_set_error(session, SSH_FATAL, "ed25519 signature verification error");
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521:

78
src/pki_mbedcrypto.c
View File

@@ -1022,11 +1022,14 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey,
}
int pki_signature_verify(ssh_session session, const ssh_signature sig, const
ssh_key key, const unsigned char *hash, size_t hlen)
ssh_key key, const unsigned char *input, size_t input_len)
{
int rc;
mbedtls_md_type_t md = 0;
unsigned char hash[SHA512_DIGEST_LEN] = {0};
uint32_t hlen = 0;
if (ssh_key_type_plain(key->type) != sig->type) {
SSH_LOG(SSH_LOG_WARN,
"Can not verify %s signature with %s key",
@@ -1035,28 +1038,52 @@ int pki_signature_verify(ssh_session session, const ssh_signature sig, const
return SSH_ERROR;
}
/* For ed25519 keys, verify using the input directly */
if (key->type == SSH_KEYTYPE_ED25519 ||
key->type == SSH_KEYTYPE_ED25519_CERT01)
{
rc = pki_ed25519_verify(key, sig, input, input_len);
if (rc != SSH_OK){
ssh_set_error(session,
SSH_FATAL,
"ed25519 signature verification error");
return SSH_ERROR;
}
return SSH_OK;
}
/* For the other key types, calculate the hash and verify the signature */
switch (sig->hash_type) {
case SSH_DIGEST_SHA256:
sha256(input, input_len, hash);
hlen = SHA256_DIGEST_LEN;
md = MBEDTLS_MD_SHA256;
break;
case SSH_DIGEST_SHA384:
sha384(input, input_len, hash);
hlen = SHA384_DIGEST_LEN;
md = MBEDTLS_MD_SHA384;
break;
case SSH_DIGEST_SHA512:
sha512(input, input_len, hash);
hlen = SHA512_DIGEST_LEN;
md = MBEDTLS_MD_SHA512;
break;
case SSH_DIGEST_AUTO:
case SSH_DIGEST_SHA1:
sha1(input, input_len, hash);
hlen = SHA_DIGEST_LEN;
md = MBEDTLS_MD_SHA1;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown sig->hash_type: %d", sig->hash_type);
return SSH_ERROR;
}
switch (key->type) {
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA_CERT01:
switch (sig->hash_type) {
case SSH_DIGEST_SHA1:
case SSH_DIGEST_AUTO:
md = MBEDTLS_MD_SHA1;
break;
case SSH_DIGEST_SHA256:
md = MBEDTLS_MD_SHA256;
break;
case SSH_DIGEST_SHA512:
md = MBEDTLS_MD_SHA512;
break;
default:
SSH_LOG(SSH_LOG_TRACE, "Unknown sig type %d", sig->hash_type);
ssh_set_error(session,
SSH_FATAL,
"Unexpected signature hash type %d during RSA verify",
sig->hash_type);
return SSH_ERROR;
}
rc = mbedtls_pk_verify(key->rsa, md, hash, hlen,
ssh_string_data(sig->rsa_sig),
ssh_string_len(sig->rsa_sig));
@@ -1078,20 +1105,11 @@ int pki_signature_verify(ssh_session session, const ssh_signature sig, const
if (rc != 0) {
char error_buf[100];
mbedtls_strerror(rc, error_buf, 100);
ssh_set_error(session, SSH_FATAL, "RSA error: %s", error_buf);
ssh_set_error(session, SSH_FATAL, "ECDSA error: %s", error_buf);
return SSH_ERROR;
}
break;
case SSH_KEYTYPE_ED25519:
case SSH_KEYTYPE_ED25519_CERT01:
rc = pki_ed25519_verify(key, sig, hash, hlen);
if (rc != SSH_OK) {
ssh_set_error(session, SSH_FATAL,
"ed25519 signature verification error");
return SSH_ERROR;
}
break;
default:
ssh_set_error(session, SSH_FATAL, "Unknown public key type");
return SSH_ERROR;