-
-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add
verify_signature()
method to SessionBind
extension message st…
…ruct Signed-off-by: James Spencer <[email protected]>
- Loading branch information
Showing
5 changed files
with
92 additions
and
2 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -212,7 +212,10 @@ impl Session for KeyStorage { | |
} | ||
"[email protected]" => match extension.parse_message::<SessionBind>()? { | ||
Some(bind) => { | ||
info!("Bind: {bind:?}"); | ||
bind.verify_signature() | ||
.map_err(|_| AgentError::ExtensionFailure)?; | ||
|
||
info!("Session binding: {bind:?}"); | ||
Ok(None) | ||
} | ||
None => Err(AgentError::Failure), | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ | |
//! - [draft-miller-ssh-agent-14](https://www.ietf.org/archive/id/draft-miller-ssh-agent-14.html) | ||
//! - [OpenSSH `PROTOCOL.agent`](https://github.com/openssh/openssh-portable/blob/cbbdf868bce431a59e2fa36ca244d5739429408d/PROTOCOL.agent) | ||
use signature::Verifier; | ||
use ssh_encoding::{CheckedSum, Decode, Encode, Error as EncodingError, Reader, Writer}; | ||
use ssh_key::{public::KeyData, Signature}; | ||
|
||
|
@@ -109,6 +110,21 @@ impl Encode for SessionBind { | |
} | ||
} | ||
|
||
impl SessionBind { | ||
/// Verify the server's signature of the session identifier | ||
/// using the public `host_key`. | ||
/// | ||
/// > When an agent receives \[a `[email protected]` message\], | ||
/// > it will verify the signature. | ||
/// | ||
/// Described in [OpenSSH PROTOCOL.agent § 1](https://github.com/openssh/openssh-portable/blob/cbbdf868bce431a59e2fa36ca244d5739429408d/PROTOCOL.agent#L31) | ||
pub fn verify_signature(&self) -> Result<(), ProtoError> { | ||
self.host_key | ||
.verify(self.session_id.as_slice(), &self.signature)?; | ||
Ok(()) | ||
} | ||
} | ||
|
||
impl MessageExtension for SessionBind { | ||
const NAME: &'static str = "[email protected]"; | ||
} | ||
|
@@ -149,6 +165,10 @@ mod tests { | |
let bind = SessionBind::decode(&mut buffer)?; | ||
eprintln!("Bind: {bind:#?}"); | ||
|
||
// Check `signature` (of `session_id`) against | ||
// server public-key `host_key` | ||
bind.verify_signature()?; | ||
|
||
round_trip(bind)?; | ||
|
||
Ok(()) | ||
|