diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/pki.c | 123 | ||||
| -rw-r--r-- | src/pki_crypto.c | 46 | ||||
| -rw-r--r-- | src/pki_gcrypt.c | 43 |
3 files changed, 121 insertions, 91 deletions
@@ -354,108 +354,49 @@ ssh_key ssh_pki_publickey_from_privatekey(ssh_key privkey) { * the content of sigbuf */ ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf, ssh_key privatekey) { - struct ssh_crypto_struct *crypto = session->current_crypto ? session->current_crypto : - session->next_crypto; - unsigned char hash[SHA_DIGEST_LEN + 1] = {0}; - ssh_string session_str = NULL; - ssh_string signature = NULL; - SIGNATURE *sign = NULL; - SHACTX ctx = NULL; -#ifdef HAVE_LIBGCRYPT - gcry_sexp_t gcryhash; -#endif + struct ssh_crypto_struct *crypto = session->current_crypto ? session->current_crypto : + session->next_crypto; + unsigned char hash[SHA_DIGEST_LEN + 1] = {0}; + ssh_string session_str = NULL; + ssh_string signature = NULL; + struct signature_struct *sign = NULL; + SHACTX ctx = NULL; + + if (privatekey == NULL || !ssh_key_is_private(privatekey)) { + return NULL; + } - if(privatekey == NULL || !ssh_key_is_private(privatekey)) { - return NULL; - } + session_str = ssh_string_new(SHA_DIGEST_LEN); + if (session_str == NULL) { + return NULL; + } + ssh_string_fill(session_str, crypto->session_id, SHA_DIGEST_LEN); - session_str = ssh_string_new(SHA_DIGEST_LEN); - if (session_str == NULL) { - return NULL; - } - ssh_string_fill(session_str, crypto->session_id, SHA_DIGEST_LEN); + ctx = sha1_init(); + if (ctx == NULL) { + ssh_string_free(session_str); + return NULL; + } - ctx = sha1_init(); - if (ctx == NULL) { + sha1_update(ctx, session_str, ssh_string_len(session_str) + 4); ssh_string_free(session_str); - return NULL; - } - - sha1_update(ctx, session_str, ssh_string_len(session_str) + 4); - ssh_string_free(session_str); - sha1_update(ctx, buffer_get_rest(sigbuf), buffer_get_rest_len(sigbuf)); - sha1_final(hash + 1,ctx); - hash[0] = 0; + sha1_update(ctx, buffer_get_rest(sigbuf), buffer_get_rest_len(sigbuf)); + sha1_final(hash + 1,ctx); + hash[0] = 0; #ifdef DEBUG_CRYPTO - ssh_print_hexa("Hash being signed with dsa", hash + 1, SHA_DIGEST_LEN); + ssh_print_hexa("Hash being signed with dsa", hash + 1, SHA_DIGEST_LEN); #endif - sign = malloc(sizeof(SIGNATURE)); - if (sign == NULL) { - return NULL; - } - - switch(privatekey->type) { - case SSH_KEYTYPE_DSS: -#ifdef HAVE_LIBGCRYPT - if (gcry_sexp_build(&gcryhash, NULL, "%b", SHA_DIGEST_LEN + 1, hash) || - gcry_pk_sign(&sign->dsa_sign, gcryhash, privatekey->dsa)) { - ssh_set_error(session, SSH_FATAL, "Signing: libcrypt error"); - gcry_sexp_release(gcryhash); - signature_free(sign); + sign = pki_do_sign(privatekey, hash); + if (sign == NULL) { return NULL; - } -#elif defined HAVE_LIBCRYPTO - sign->dsa_sign = DSA_do_sign(hash + 1, SHA_DIGEST_LEN, - privatekey->dsa); - if (sign->dsa_sign == NULL) { - ssh_set_error(session, SSH_FATAL, "Signing: openssl error"); - signature_free(sign); - return NULL; - } -#ifdef DEBUG_CRYPTO - ssh_print_bignum("r", sign->dsa_sign->r); - ssh_print_bignum("s", sign->dsa_sign->s); -#endif -#endif /* HAVE_LIBCRYPTO */ - sign->rsa_sign = NULL; - break; - case SSH_KEYTYPE_RSA: -#ifdef HAVE_LIBGCRYPT - if (gcry_sexp_build(&gcryhash, NULL, "(data(flags pkcs1)(hash sha1 %b))", - SHA_DIGEST_LEN, hash + 1) || - gcry_pk_sign(&sign->rsa_sign, gcryhash, privatekey->rsa)) { - ssh_set_error(session, SSH_FATAL, "Signing: libcrypt error"); - gcry_sexp_release(gcryhash); - signature_free(sign); - return NULL; - } -#elif defined HAVE_LIBCRYPTO - sign->rsa_sign = RSA_do_sign(hash + 1, SHA_DIGEST_LEN, - privatekey->rsa); - if (sign->rsa_sign == NULL) { - ssh_set_error(session, SSH_FATAL, "Signing: openssl error"); - signature_free(sign); - return NULL; - } -#endif - sign->dsa_sign = NULL; - break; - default: - signature_free(sign); - return NULL; - } -#ifdef HAVE_LIBGCRYPT - gcry_sexp_release(gcryhash); -#endif - - sign->type = privatekey->type; + } - signature = signature_to_string(sign); - signature_free(sign); + signature = signature_to_string(sign); + signature_free(sign); - return signature; + return signature; } diff --git a/src/pki_crypto.c b/src/pki_crypto.c index 532e1ea..2c99daf 100644 --- a/src/pki_crypto.c +++ b/src/pki_crypto.c @@ -35,6 +35,7 @@ #include "libssh/session.h" #include "libssh/callbacks.h" #include "libssh/pki.h" +#include "libssh/keys.h" static int pem_get_password(char *buf, int size, int rwflag, void *userdata) { ssh_session session = userdata; @@ -218,4 +219,49 @@ fail: return NULL; } +struct signature_struct *pki_do_sign(ssh_key privatekey, + const unsigned char *hash) { + struct signature_struct *sign; + + sign = malloc(sizeof(SIGNATURE)); + if (sign == NULL) { + return NULL; + } + sign->type = privatekey->type; + + switch(privatekey->type) { + case SSH_KEYTYPE_DSS: + sign->dsa_sign = DSA_do_sign(hash + 1, SHA_DIGEST_LEN, + privatekey->dsa); + if (sign->dsa_sign == NULL) { + signature_free(sign); + return NULL; + } + +#ifdef DEBUG_CRYPTO + ssh_print_bignum("r", sign->dsa_sign->r); + ssh_print_bignum("s", sign->dsa_sign->s); +#endif + + sign->rsa_sign = NULL; + break; + case SSH_KEYTYPE_RSA: + case SSH_KEYTYPE_RSA1: + sign->rsa_sign = RSA_do_sign(hash + 1, SHA_DIGEST_LEN, + privatekey->rsa); + if (sign->rsa_sign == NULL) { + signature_free(sign); + return NULL; + } + sign->dsa_sign = NULL; + break; + case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_UNKNOWN: + signature_free(sign); + return NULL; + } + + return sign; +} + #endif /* _PKI_CRYPTO_H */ diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c index 30448c2..9c6cd67 100644 --- a/src/pki_gcrypt.c +++ b/src/pki_gcrypt.c @@ -856,6 +856,49 @@ fail: return NULL; } +struct signature_struct *pki_do_sign(ssh_key privatekey, + const unsigned char *hash) { + struct signature_struct *sign; + gcry_sexp_t gcryhash; + + sign = malloc(sizeof(SIGNATURE)); + if (sign == NULL) { + return NULL; + } + sign->type = privatekey->type; + + switch(privatekey->type) { + case SSH_KEYTYPE_DSS: + if (gcry_sexp_build(&gcryhash, NULL, "%b", SHA_DIGEST_LEN + 1, hash) || + gcry_pk_sign(&sign->dsa_sign, gcryhash, privatekey->dsa)) { + gcry_sexp_release(gcryhash); + signature_free(sign); + return NULL; + } + sign->rsa_sign = NULL; + break; + case SSH_KEYTYPE_RSA: + case SSH_KEYTYPE_RSA1: + if (gcry_sexp_build(&gcryhash, NULL, "(data(flags pkcs1)(hash sha1 %b))", + SHA_DIGEST_LEN, hash + 1) || + gcry_pk_sign(&sign->rsa_sign, gcryhash, privatekey->rsa)) { + gcry_sexp_release(gcryhash); + signature_free(sign); + return NULL; + } + sign->dsa_sign = NULL; + break; + case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_UNKNOWN: + signature_free(sign); + return NULL; + } + + gcry_sexp_release(gcryhash); + + return sign; +} + #endif /* HAVE_LIBGCRYPT */ /** |