diff options
| author | Damien Miller <djm@mindrot.org> | 2013-12-07 10:40:26 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-12-07 10:40:26 +1100 |
| commit | f0e9060d236c0e38bec2fa1c6579fb0a2ea6458d (patch) | |
| tree | 3ad8b9719e35b7f7e0a4ae2d012f6e8ee5160dcc | |
| parent | 0f8536da23a6ef26e6495177c0d8a4242b710289 (diff) | |
- markus@cvs.openbsd.org 2013/12/06 13:30:08
[authfd.c key.c key.h ssh-agent.c]
move private key (de)serialization to key.c; ok djm
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | authfd.c | 57 | ||||
| -rw-r--r-- | key.c | 193 | ||||
| -rw-r--r-- | key.h | 5 | ||||
| -rw-r--r-- | ssh-agent.c | 133 |
5 files changed, 213 insertions, 178 deletions
| @@ -9,6 +9,9 @@ | |||
| 9 | remove duplicated character ('g') in getopt() string; | 9 | remove duplicated character ('g') in getopt() string; |
| 10 | document the (few) remaining option characters so we don't have to | 10 | document the (few) remaining option characters so we don't have to |
| 11 | rummage next time. | 11 | rummage next time. |
| 12 | - markus@cvs.openbsd.org 2013/12/06 13:30:08 | ||
| 13 | [authfd.c key.c key.h ssh-agent.c] | ||
| 14 | move private key (de)serialization to key.c; ok djm | ||
| 12 | 15 | ||
| 13 | 20131205 | 16 | 20131205 |
| 14 | - (djm) OpenBSD CVS Sync | 17 | - (djm) OpenBSD CVS Sync |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: authfd.c,v 1.88 2013/11/08 00:39:14 djm Exp $ */ | 1 | /* $OpenBSD: authfd.c,v 1.89 2013/12/06 13:30:08 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -42,8 +42,8 @@ | |||
| 42 | #include <sys/socket.h> | 42 | #include <sys/socket.h> |
| 43 | 43 | ||
| 44 | #include <openssl/evp.h> | 44 | #include <openssl/evp.h> |
| 45 | |||
| 46 | #include <openssl/crypto.h> | 45 | #include <openssl/crypto.h> |
| 46 | |||
| 47 | #include <fcntl.h> | 47 | #include <fcntl.h> |
| 48 | #include <stdlib.h> | 48 | #include <stdlib.h> |
| 49 | #include <signal.h> | 49 | #include <signal.h> |
| @@ -474,58 +474,7 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) | |||
| 474 | static void | 474 | static void |
| 475 | ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) | 475 | ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) |
| 476 | { | 476 | { |
| 477 | buffer_put_cstring(b, key_ssh_name(key)); | 477 | key_private_serialize(key, b); |
| 478 | switch (key->type) { | ||
| 479 | case KEY_RSA: | ||
| 480 | buffer_put_bignum2(b, key->rsa->n); | ||
| 481 | buffer_put_bignum2(b, key->rsa->e); | ||
| 482 | buffer_put_bignum2(b, key->rsa->d); | ||
| 483 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 484 | buffer_put_bignum2(b, key->rsa->p); | ||
| 485 | buffer_put_bignum2(b, key->rsa->q); | ||
| 486 | break; | ||
| 487 | case KEY_RSA_CERT_V00: | ||
| 488 | case KEY_RSA_CERT: | ||
| 489 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 490 | fatal("%s: no cert/certblob", __func__); | ||
| 491 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 492 | buffer_len(&key->cert->certblob)); | ||
| 493 | buffer_put_bignum2(b, key->rsa->d); | ||
| 494 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 495 | buffer_put_bignum2(b, key->rsa->p); | ||
| 496 | buffer_put_bignum2(b, key->rsa->q); | ||
| 497 | break; | ||
| 498 | case KEY_DSA: | ||
| 499 | buffer_put_bignum2(b, key->dsa->p); | ||
| 500 | buffer_put_bignum2(b, key->dsa->q); | ||
| 501 | buffer_put_bignum2(b, key->dsa->g); | ||
| 502 | buffer_put_bignum2(b, key->dsa->pub_key); | ||
| 503 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 504 | break; | ||
| 505 | case KEY_DSA_CERT_V00: | ||
| 506 | case KEY_DSA_CERT: | ||
| 507 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 508 | fatal("%s: no cert/certblob", __func__); | ||
| 509 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 510 | buffer_len(&key->cert->certblob)); | ||
| 511 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 512 | break; | ||
| 513 | #ifdef OPENSSL_HAS_ECC | ||
| 514 | case KEY_ECDSA: | ||
| 515 | buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); | ||
| 516 | buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), | ||
| 517 | EC_KEY_get0_public_key(key->ecdsa)); | ||
| 518 | buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); | ||
| 519 | break; | ||
| 520 | case KEY_ECDSA_CERT: | ||
| 521 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 522 | fatal("%s: no cert/certblob", __func__); | ||
| 523 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 524 | buffer_len(&key->cert->certblob)); | ||
| 525 | buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); | ||
| 526 | break; | ||
| 527 | #endif | ||
| 528 | } | ||
| 529 | buffer_put_cstring(b, comment); | 478 | buffer_put_cstring(b, comment); |
| 530 | } | 479 | } |
| 531 | 480 | ||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: key.c,v 1.106 2013/12/02 03:09:22 djm Exp $ */ | 1 | /* $OpenBSD: key.c,v 1.107 2013/12/06 13:30:08 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * read_bignum(): | 3 | * read_bignum(): |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -2276,3 +2276,194 @@ key_dump_ec_key(const EC_KEY *key) | |||
| 2276 | } | 2276 | } |
| 2277 | #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ | 2277 | #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ |
| 2278 | #endif /* OPENSSL_HAS_ECC */ | 2278 | #endif /* OPENSSL_HAS_ECC */ |
| 2279 | |||
| 2280 | void | ||
| 2281 | key_private_serialize(const Key *key, Buffer *b) | ||
| 2282 | { | ||
| 2283 | buffer_put_cstring(b, key_ssh_name(key)); | ||
| 2284 | switch (key->type) { | ||
| 2285 | case KEY_RSA: | ||
| 2286 | buffer_put_bignum2(b, key->rsa->n); | ||
| 2287 | buffer_put_bignum2(b, key->rsa->e); | ||
| 2288 | buffer_put_bignum2(b, key->rsa->d); | ||
| 2289 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 2290 | buffer_put_bignum2(b, key->rsa->p); | ||
| 2291 | buffer_put_bignum2(b, key->rsa->q); | ||
| 2292 | break; | ||
| 2293 | case KEY_RSA_CERT_V00: | ||
| 2294 | case KEY_RSA_CERT: | ||
| 2295 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2296 | fatal("%s: no cert/certblob", __func__); | ||
| 2297 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2298 | buffer_len(&key->cert->certblob)); | ||
| 2299 | buffer_put_bignum2(b, key->rsa->d); | ||
| 2300 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 2301 | buffer_put_bignum2(b, key->rsa->p); | ||
| 2302 | buffer_put_bignum2(b, key->rsa->q); | ||
| 2303 | break; | ||
| 2304 | case KEY_DSA: | ||
| 2305 | buffer_put_bignum2(b, key->dsa->p); | ||
| 2306 | buffer_put_bignum2(b, key->dsa->q); | ||
| 2307 | buffer_put_bignum2(b, key->dsa->g); | ||
| 2308 | buffer_put_bignum2(b, key->dsa->pub_key); | ||
| 2309 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 2310 | break; | ||
| 2311 | case KEY_DSA_CERT_V00: | ||
| 2312 | case KEY_DSA_CERT: | ||
| 2313 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2314 | fatal("%s: no cert/certblob", __func__); | ||
| 2315 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2316 | buffer_len(&key->cert->certblob)); | ||
| 2317 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 2318 | break; | ||
| 2319 | #ifdef OPENSSL_HAS_ECC | ||
| 2320 | case KEY_ECDSA: | ||
| 2321 | buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); | ||
| 2322 | buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), | ||
| 2323 | EC_KEY_get0_public_key(key->ecdsa)); | ||
| 2324 | buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); | ||
| 2325 | break; | ||
| 2326 | case KEY_ECDSA_CERT: | ||
| 2327 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2328 | fatal("%s: no cert/certblob", __func__); | ||
| 2329 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2330 | buffer_len(&key->cert->certblob)); | ||
| 2331 | buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); | ||
| 2332 | break; | ||
| 2333 | #endif /* OPENSSL_HAS_ECC */ | ||
| 2334 | } | ||
| 2335 | } | ||
| 2336 | |||
| 2337 | Key * | ||
| 2338 | key_private_deserialize(Buffer *blob) | ||
| 2339 | { | ||
| 2340 | char *type_name; | ||
| 2341 | Key *k = NULL; | ||
| 2342 | u_char *cert; | ||
| 2343 | u_int len; | ||
| 2344 | int type; | ||
| 2345 | #ifdef OPENSSL_HAS_ECC | ||
| 2346 | char *curve; | ||
| 2347 | BIGNUM *exponent; | ||
| 2348 | EC_POINT *q; | ||
| 2349 | #endif | ||
| 2350 | |||
| 2351 | type_name = buffer_get_string(blob, NULL); | ||
| 2352 | type = key_type_from_name(type_name); | ||
| 2353 | switch (type) { | ||
| 2354 | case KEY_DSA: | ||
| 2355 | k = key_new_private(type); | ||
| 2356 | buffer_get_bignum2(blob, k->dsa->p); | ||
| 2357 | buffer_get_bignum2(blob, k->dsa->q); | ||
| 2358 | buffer_get_bignum2(blob, k->dsa->g); | ||
| 2359 | buffer_get_bignum2(blob, k->dsa->pub_key); | ||
| 2360 | buffer_get_bignum2(blob, k->dsa->priv_key); | ||
| 2361 | break; | ||
| 2362 | case KEY_DSA_CERT_V00: | ||
| 2363 | case KEY_DSA_CERT: | ||
| 2364 | cert = buffer_get_string(blob, &len); | ||
| 2365 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2366 | fatal("Certificate parse failed"); | ||
| 2367 | free(cert); | ||
| 2368 | key_add_private(k); | ||
| 2369 | buffer_get_bignum2(blob, k->dsa->priv_key); | ||
| 2370 | break; | ||
| 2371 | #ifdef OPENSSL_HAS_ECC | ||
| 2372 | case KEY_ECDSA: | ||
| 2373 | k = key_new_private(type); | ||
| 2374 | k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); | ||
| 2375 | curve = buffer_get_string(blob, NULL); | ||
| 2376 | if (k->ecdsa_nid != key_curve_name_to_nid(curve)) | ||
| 2377 | fatal("%s: curve names mismatch", __func__); | ||
| 2378 | free(curve); | ||
| 2379 | k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); | ||
| 2380 | if (k->ecdsa == NULL) | ||
| 2381 | fatal("%s: EC_KEY_new_by_curve_name failed", | ||
| 2382 | __func__); | ||
| 2383 | q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); | ||
| 2384 | if (q == NULL) | ||
| 2385 | fatal("%s: BN_new failed", __func__); | ||
| 2386 | if ((exponent = BN_new()) == NULL) | ||
| 2387 | fatal("%s: BN_new failed", __func__); | ||
| 2388 | buffer_get_ecpoint(blob, | ||
| 2389 | EC_KEY_get0_group(k->ecdsa), q); | ||
| 2390 | buffer_get_bignum2(blob, exponent); | ||
| 2391 | if (EC_KEY_set_public_key(k->ecdsa, q) != 1) | ||
| 2392 | fatal("%s: EC_KEY_set_public_key failed", | ||
| 2393 | __func__); | ||
| 2394 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) | ||
| 2395 | fatal("%s: EC_KEY_set_private_key failed", | ||
| 2396 | __func__); | ||
| 2397 | if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
| 2398 | EC_KEY_get0_public_key(k->ecdsa)) != 0) | ||
| 2399 | fatal("%s: bad ECDSA public key", __func__); | ||
| 2400 | if (key_ec_validate_private(k->ecdsa) != 0) | ||
| 2401 | fatal("%s: bad ECDSA private key", __func__); | ||
| 2402 | BN_clear_free(exponent); | ||
| 2403 | EC_POINT_free(q); | ||
| 2404 | break; | ||
| 2405 | case KEY_ECDSA_CERT: | ||
| 2406 | cert = buffer_get_string(blob, &len); | ||
| 2407 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2408 | fatal("Certificate parse failed"); | ||
| 2409 | free(cert); | ||
| 2410 | key_add_private(k); | ||
| 2411 | if ((exponent = BN_new()) == NULL) | ||
| 2412 | fatal("%s: BN_new failed", __func__); | ||
| 2413 | buffer_get_bignum2(blob, exponent); | ||
| 2414 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) | ||
| 2415 | fatal("%s: EC_KEY_set_private_key failed", | ||
| 2416 | __func__); | ||
| 2417 | if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
| 2418 | EC_KEY_get0_public_key(k->ecdsa)) != 0 || | ||
| 2419 | key_ec_validate_private(k->ecdsa) != 0) | ||
| 2420 | fatal("%s: bad ECDSA key", __func__); | ||
| 2421 | BN_clear_free(exponent); | ||
| 2422 | break; | ||
| 2423 | #endif | ||
| 2424 | case KEY_RSA: | ||
| 2425 | k = key_new_private(type); | ||
| 2426 | buffer_get_bignum2(blob, k->rsa->n); | ||
| 2427 | buffer_get_bignum2(blob, k->rsa->e); | ||
| 2428 | buffer_get_bignum2(blob, k->rsa->d); | ||
| 2429 | buffer_get_bignum2(blob, k->rsa->iqmp); | ||
| 2430 | buffer_get_bignum2(blob, k->rsa->p); | ||
| 2431 | buffer_get_bignum2(blob, k->rsa->q); | ||
| 2432 | |||
| 2433 | /* Generate additional parameters */ | ||
| 2434 | rsa_generate_additional_parameters(k->rsa); | ||
| 2435 | break; | ||
| 2436 | case KEY_RSA_CERT_V00: | ||
| 2437 | case KEY_RSA_CERT: | ||
| 2438 | cert = buffer_get_string(blob, &len); | ||
| 2439 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2440 | fatal("Certificate parse failed"); | ||
| 2441 | free(cert); | ||
| 2442 | key_add_private(k); | ||
| 2443 | buffer_get_bignum2(blob, k->rsa->d); | ||
| 2444 | buffer_get_bignum2(blob, k->rsa->iqmp); | ||
| 2445 | buffer_get_bignum2(blob, k->rsa->p); | ||
| 2446 | buffer_get_bignum2(blob, k->rsa->q); | ||
| 2447 | break; | ||
| 2448 | default: | ||
| 2449 | free(type_name); | ||
| 2450 | buffer_clear(blob); | ||
| 2451 | return NULL; | ||
| 2452 | } | ||
| 2453 | free(type_name); | ||
| 2454 | |||
| 2455 | /* enable blinding */ | ||
| 2456 | switch (k->type) { | ||
| 2457 | case KEY_RSA: | ||
| 2458 | case KEY_RSA_CERT_V00: | ||
| 2459 | case KEY_RSA_CERT: | ||
| 2460 | case KEY_RSA1: | ||
| 2461 | if (RSA_blinding_on(k->rsa, NULL) != 1) { | ||
| 2462 | error("%s: RSA_blinding_on failed", __func__); | ||
| 2463 | key_free(k); | ||
| 2464 | return NULL; | ||
| 2465 | } | ||
| 2466 | break; | ||
| 2467 | } | ||
| 2468 | return k; | ||
| 2469 | } | ||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: key.h,v 1.38 2013/10/29 09:42:11 djm Exp $ */ | 1 | /* $OpenBSD: key.h,v 1.39 2013/12/06 13:30:08 markus Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| @@ -151,4 +151,7 @@ void key_dump_ec_point(const EC_GROUP *, const EC_POINT *); | |||
| 151 | void key_dump_ec_key(const EC_KEY *); | 151 | void key_dump_ec_key(const EC_KEY *); |
| 152 | #endif | 152 | #endif |
| 153 | 153 | ||
| 154 | void key_private_serialize(const Key *, Buffer *); | ||
| 155 | Key *key_private_deserialize(Buffer *); | ||
| 156 | |||
| 154 | #endif | 157 | #endif |
diff --git a/ssh-agent.c b/ssh-agent.c index c3b11729c..0196f8f6b 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-agent.c,v 1.177 2013/07/20 01:50:20 djm Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.178 2013/12/06 13:30:08 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -464,16 +464,9 @@ process_add_identity(SocketEntry *e, int version) | |||
| 464 | Idtab *tab = idtab_lookup(version); | 464 | Idtab *tab = idtab_lookup(version); |
| 465 | Identity *id; | 465 | Identity *id; |
| 466 | int type, success = 0, confirm = 0; | 466 | int type, success = 0, confirm = 0; |
| 467 | char *type_name, *comment; | 467 | char *comment; |
| 468 | time_t death = 0; | 468 | time_t death = 0; |
| 469 | Key *k = NULL; | 469 | Key *k = NULL; |
| 470 | #ifdef OPENSSL_HAS_ECC | ||
| 471 | BIGNUM *exponent; | ||
| 472 | EC_POINT *q; | ||
| 473 | char *curve; | ||
| 474 | #endif | ||
| 475 | u_char *cert; | ||
| 476 | u_int len; | ||
| 477 | 470 | ||
| 478 | switch (version) { | 471 | switch (version) { |
| 479 | case 1: | 472 | case 1: |
| @@ -490,125 +483,21 @@ process_add_identity(SocketEntry *e, int version) | |||
| 490 | 483 | ||
| 491 | /* Generate additional parameters */ | 484 | /* Generate additional parameters */ |
| 492 | rsa_generate_additional_parameters(k->rsa); | 485 | rsa_generate_additional_parameters(k->rsa); |
| 493 | break; | 486 | |
| 494 | case 2: | 487 | /* enable blinding */ |
| 495 | type_name = buffer_get_string(&e->request, NULL); | ||
| 496 | type = key_type_from_name(type_name); | ||
| 497 | switch (type) { | ||
| 498 | case KEY_DSA: | ||
| 499 | k = key_new_private(type); | ||
| 500 | buffer_get_bignum2(&e->request, k->dsa->p); | ||
| 501 | buffer_get_bignum2(&e->request, k->dsa->q); | ||
| 502 | buffer_get_bignum2(&e->request, k->dsa->g); | ||
| 503 | buffer_get_bignum2(&e->request, k->dsa->pub_key); | ||
| 504 | buffer_get_bignum2(&e->request, k->dsa->priv_key); | ||
| 505 | break; | ||
| 506 | case KEY_DSA_CERT_V00: | ||
| 507 | case KEY_DSA_CERT: | ||
| 508 | cert = buffer_get_string(&e->request, &len); | ||
| 509 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 510 | fatal("Certificate parse failed"); | ||
| 511 | free(cert); | ||
| 512 | key_add_private(k); | ||
| 513 | buffer_get_bignum2(&e->request, k->dsa->priv_key); | ||
| 514 | break; | ||
| 515 | #ifdef OPENSSL_HAS_ECC | ||
| 516 | case KEY_ECDSA: | ||
| 517 | k = key_new_private(type); | ||
| 518 | k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); | ||
| 519 | curve = buffer_get_string(&e->request, NULL); | ||
| 520 | if (k->ecdsa_nid != key_curve_name_to_nid(curve)) | ||
| 521 | fatal("%s: curve names mismatch", __func__); | ||
| 522 | free(curve); | ||
| 523 | k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); | ||
| 524 | if (k->ecdsa == NULL) | ||
| 525 | fatal("%s: EC_KEY_new_by_curve_name failed", | ||
| 526 | __func__); | ||
| 527 | q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); | ||
| 528 | if (q == NULL) | ||
| 529 | fatal("%s: BN_new failed", __func__); | ||
| 530 | if ((exponent = BN_new()) == NULL) | ||
| 531 | fatal("%s: BN_new failed", __func__); | ||
| 532 | buffer_get_ecpoint(&e->request, | ||
| 533 | EC_KEY_get0_group(k->ecdsa), q); | ||
| 534 | buffer_get_bignum2(&e->request, exponent); | ||
| 535 | if (EC_KEY_set_public_key(k->ecdsa, q) != 1) | ||
| 536 | fatal("%s: EC_KEY_set_public_key failed", | ||
| 537 | __func__); | ||
| 538 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) | ||
| 539 | fatal("%s: EC_KEY_set_private_key failed", | ||
| 540 | __func__); | ||
| 541 | if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
| 542 | EC_KEY_get0_public_key(k->ecdsa)) != 0) | ||
| 543 | fatal("%s: bad ECDSA public key", __func__); | ||
| 544 | if (key_ec_validate_private(k->ecdsa) != 0) | ||
| 545 | fatal("%s: bad ECDSA private key", __func__); | ||
| 546 | BN_clear_free(exponent); | ||
| 547 | EC_POINT_free(q); | ||
| 548 | break; | ||
| 549 | case KEY_ECDSA_CERT: | ||
| 550 | cert = buffer_get_string(&e->request, &len); | ||
| 551 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 552 | fatal("Certificate parse failed"); | ||
| 553 | free(cert); | ||
| 554 | key_add_private(k); | ||
| 555 | if ((exponent = BN_new()) == NULL) | ||
| 556 | fatal("%s: BN_new failed", __func__); | ||
| 557 | buffer_get_bignum2(&e->request, exponent); | ||
| 558 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) | ||
| 559 | fatal("%s: EC_KEY_set_private_key failed", | ||
| 560 | __func__); | ||
| 561 | if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
| 562 | EC_KEY_get0_public_key(k->ecdsa)) != 0 || | ||
| 563 | key_ec_validate_private(k->ecdsa) != 0) | ||
| 564 | fatal("%s: bad ECDSA key", __func__); | ||
| 565 | BN_clear_free(exponent); | ||
| 566 | break; | ||
| 567 | #endif /* OPENSSL_HAS_ECC */ | ||
| 568 | case KEY_RSA: | ||
| 569 | k = key_new_private(type); | ||
| 570 | buffer_get_bignum2(&e->request, k->rsa->n); | ||
| 571 | buffer_get_bignum2(&e->request, k->rsa->e); | ||
| 572 | buffer_get_bignum2(&e->request, k->rsa->d); | ||
| 573 | buffer_get_bignum2(&e->request, k->rsa->iqmp); | ||
| 574 | buffer_get_bignum2(&e->request, k->rsa->p); | ||
| 575 | buffer_get_bignum2(&e->request, k->rsa->q); | ||
| 576 | |||
| 577 | /* Generate additional parameters */ | ||
| 578 | rsa_generate_additional_parameters(k->rsa); | ||
| 579 | break; | ||
| 580 | case KEY_RSA_CERT_V00: | ||
| 581 | case KEY_RSA_CERT: | ||
| 582 | cert = buffer_get_string(&e->request, &len); | ||
| 583 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 584 | fatal("Certificate parse failed"); | ||
| 585 | free(cert); | ||
| 586 | key_add_private(k); | ||
| 587 | buffer_get_bignum2(&e->request, k->rsa->d); | ||
| 588 | buffer_get_bignum2(&e->request, k->rsa->iqmp); | ||
| 589 | buffer_get_bignum2(&e->request, k->rsa->p); | ||
| 590 | buffer_get_bignum2(&e->request, k->rsa->q); | ||
| 591 | break; | ||
| 592 | default: | ||
| 593 | free(type_name); | ||
| 594 | buffer_clear(&e->request); | ||
| 595 | goto send; | ||
| 596 | } | ||
| 597 | free(type_name); | ||
| 598 | break; | ||
| 599 | } | ||
| 600 | /* enable blinding */ | ||
| 601 | switch (k->type) { | ||
| 602 | case KEY_RSA: | ||
| 603 | case KEY_RSA_CERT_V00: | ||
| 604 | case KEY_RSA_CERT: | ||
| 605 | case KEY_RSA1: | ||
| 606 | if (RSA_blinding_on(k->rsa, NULL) != 1) { | 488 | if (RSA_blinding_on(k->rsa, NULL) != 1) { |
| 607 | error("process_add_identity: RSA_blinding_on failed"); | 489 | error("process_add_identity: RSA_blinding_on failed"); |
| 608 | key_free(k); | 490 | key_free(k); |
| 609 | goto send; | 491 | goto send; |
| 610 | } | 492 | } |
| 611 | break; | 493 | break; |
| 494 | case 2: | ||
| 495 | k = key_private_deserialize(&e->request); | ||
| 496 | if (k == NULL) { | ||
| 497 | buffer_clear(&e->request); | ||
| 498 | goto send; | ||
| 499 | } | ||
| 500 | break; | ||
| 612 | } | 501 | } |
| 613 | comment = buffer_get_string(&e->request, NULL); | 502 | comment = buffer_get_string(&e->request, NULL); |
| 614 | if (k == NULL) { | 503 | if (k == NULL) { |