Merge pull request #62 from wiktor-k/jcspencer/session-bind-verify

wiktor-k · web-flow · commit 576f21f56be9 · 2024-04-29T13:51:19.000+02:00
Add `verify()` method to `SessionBind` extension message struct
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,10 +27,11 @@ tokio = { version = "1", optional = true, features = ["rt", "net", "time"] }
 tokio-util = { version = "0.7.1", optional = true, features = ["codec"] }
 service-binding = { version = "^2.1" }
 ssh-encoding = { version = "0.2.0" }
-ssh-key = { version = "0.6.6", features = ["rsa", "alloc"] }
+ssh-key = { version = "0.6.6", features = ["crypto", "alloc"] }
 thiserror = "1.0.58"
 #uuid = { version = "1.8.0", features = ["v4"] }
 subtle = { version = "2", default-features = false }
+signature = { version = "2.2.0", features = ["alloc"] }
 
 [features]
 default = ["agent"]
diff --git a/examples/key_storage.rs b/examples/key_storage.rs
@@ -212,7 +212,10 @@ impl Session for KeyStorage {
             }
             "session-bind@openssh.com" => match extension.parse_message::<SessionBind>()? {
                 Some(bind) => {
-                    info!("Bind: {bind:?}");
+                    bind.verify_signature()
+                        .map_err(|_| AgentError::ExtensionFailure)?;
+
+                    info!("Session binding: {bind:?}");
                     Ok(None)
                 }
                 None => Err(AgentError::Failure),
diff --git a/src/proto/error.rs b/src/proto/error.rs
@@ -23,6 +23,10 @@ pub enum ProtoError {
     #[error("SSH key error: {0}")]
     SshKey(#[from] ssh_key::Error),
 
+    /// SSH signature error.
+    #[error("SSH signature error: {0}")]
+    SshSignature(#[from] signature::Error),
+
     /// Received command was not supported.
     #[error("Command not supported ({command})")]
     UnsupportedCommand {
diff --git a/src/proto/extension/message.rs b/src/proto/extension/message.rs
@@ -4,6 +4,7 @@
 //! - [draft-miller-ssh-agent-14](https://www.ietf.org/archive/id/draft-miller-ssh-agent-14.html)
 //! - [OpenSSH `PROTOCOL.agent`](https://github.com/openssh/openssh-portable/blob/cbbdf868bce431a59e2fa36ca244d5739429408d/PROTOCOL.agent)
 
+use signature::Verifier;
 use ssh_encoding::{CheckedSum, Decode, Encode, Error as EncodingError, Reader, Writer};
 use ssh_key::{public::KeyData, Signature};
 
@@ -109,6 +110,21 @@ impl Encode for SessionBind {
     }
 }
 
+impl SessionBind {
+    /// Verify the server's signature of the session identifier
+    /// using the public `host_key`.
+    ///
+    /// > When an agent receives \[a `session-bind@openssh.com` message\],
+    /// > it will verify the signature.
+    ///
+    /// Described in [OpenSSH PROTOCOL.agent § 1](https://github.com/openssh/openssh-portable/blob/cbbdf868bce431a59e2fa36ca244d5739429408d/PROTOCOL.agent#L31)
+    pub fn verify_signature(&self) -> Result<(), ProtoError> {
+        self.host_key
+            .verify(self.session_id.as_slice(), &self.signature)?;
+        Ok(())
+    }
+}
+
 impl MessageExtension for SessionBind {
     const NAME: &'static str = "session-bind@openssh.com";
 }
@@ -149,6 +165,10 @@ mod tests {
         let bind = SessionBind::decode(&mut buffer)?;
         eprintln!("Bind: {bind:#?}");
 
+        // Check `signature` (of `session_id`) against
+        // server public-key `host_key`
+        bind.verify_signature()?;
+
         round_trip(bind)?;
 
         Ok(())

Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,10 @@ impl Session for KeyStorage {`
`212`	`212`	`}`
`213`	`213`	`"session-bind@openssh.com" => match extension.parse_message::<SessionBind>()? {`
`214`	`214`	`Some(bind) => {`
`215`		`- info!("Bind: {bind:?}");`
	`215`	`+ bind.verify_signature()`
	`216`	`+ .map_err(\|_\| AgentError::ExtensionFailure)?;`
	`217`	`+`
	`218`	`+ info!("Session binding: {bind:?}");`
`216`	`219`	`Ok(None)`
`217`	`220`	`}`
`218`	`221`	`None => Err(AgentError::Failure),`