author | Damien Miller <djm@mindrot.org> | 2013-01-18 11:44:04 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2013-01-18 11:44:04 +1100 |
commit | f3747bf4014a450c9aaf1d88b010f6e579d10072 (patch) | |
tree | 0b1e1b497da13eb815e16a0f43be09e873e6a243 /key.c | |
parent | b26699bbadaffa1b1de2f6b0e175b77aba337de5 (diff) |
- djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
[krl.c krl.h PROTOCOL.krl]
add support for Key Revocation Lists (KRLs). These are a compact way to
represent lists of revoked keys and certificates, taking as little as
a single bit of incremental cost to revoke a certificate by serial number.
KRLs are loaded via the existing RevokedKeys sshd_config option.
feedback and ok markus@
Diffstat (limited to 'key.c')
-rw-r--r-- | key.c | 40 |
1 files changed, 25 insertions, 15 deletions
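--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */
+/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */
 /*
 * read_bignum():
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -55,6 +55,8 @@
 #include "misc.h"
 #include "ssh2.h"
 
+static int to_blob(const Key *, u_char **, u_int *, int);
+
 static struct KeyCert *
 cert_new(void)
 {
@@ -324,14 +326,15 @@ key_equal(const Key *a, const Key *b)
 }
 
 u_char*
-key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
+key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+u_int *dgst_raw_length)
 {
 const EVP_MD *md = NULL;
 EVP_MD_CTX ctx;
 u_char *blob = NULL;
 u_char *retval = NULL;
 u_int len = 0;
-int nlen, elen, otype;
+int nlen, elen;
 
 *dgst_raw_length = 0;
 
@@ -371,10 +374,7 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
 case KEY_ECDSA_CERT:
 case KEY_RSA_CERT:
 /* We want a fingerprint of the _key_ not of the cert */
-otype = k->type;
-k->type = key_type_plain(k->type);
-key_to_blob(k, &blob, &len);
-k->type = otype;
+to_blob(k, &blob, &len, 1);
 break;
 case KEY_UNSPEC:
 return retval;
@@ -1587,18 +1587,19 @@ key_from_blob(const u_char *blob, u_int blen)
 return key;
 }
 
-int
-key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+static int
+to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
 {
 Buffer b;
-int len;
+int len, type;
 
 if (key == NULL) {
 error("key_to_blob: key == NULL");
 return 0;
 }
 buffer_init(&b);
-switch (key->type) {
+type = force_plain ? key_type_plain(key->type) : key->type;
+switch (type) {
 case KEY_DSA_CERT_V00:
 case KEY_RSA_CERT_V00:
 case KEY_DSA_CERT:
@@ -1609,7 +1610,8 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
 buffer_len(&key->cert->certblob));
 break;
 case KEY_DSA:
-buffer_put_cstring(&b, key_ssh_name(key));
+buffer_put_cstring(&b,
+key_ssh_name_from_type_nid(type, key->ecdsa_nid));
 buffer_put_bignum2(&b, key->dsa->p);
 buffer_put_bignum2(&b, key->dsa->q);
 buffer_put_bignum2(&b, key->dsa->g);
@@ -1617,14 +1619,16 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
 break;
 #ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
-buffer_put_cstring(&b, key_ssh_name(key));
+buffer_put_cstring(&b,
+key_ssh_name_from_type_nid(type, key->ecdsa_nid));
 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
 EC_KEY_get0_public_key(key->ecdsa));
 break;
 #endif
 case KEY_RSA:
-buffer_put_cstring(&b, key_ssh_name(key));
+buffer_put_cstring(&b,
+key_ssh_name_from_type_nid(type, key->ecdsa_nid));
 buffer_put_bignum2(&b, key->rsa->e);
 buffer_put_bignum2(&b, key->rsa->n);
 break;
@@ -1646,6 +1650,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
 }
 
 int
+key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+{
+return to_blob(key, blobp, lenp, 0);
+}
+
+int
 key_sign(
 const Key *key,
 u_char **sigp, u_int *lenp,
@@ -2024,7 +2034,7 @@ key_cert_check_authority(const Key *k, int want_host, int require_principal,
 }
 
 int
-key_cert_is_legacy(Key *k)
+key_cert_is_legacy(const Key *k)
 {
 switch (k->type) {
 case KEY_DSA_CERT_V00: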
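Review bot: The new static `to_blob` (new line 1591) carries no comment explaining `force_plain`, which is the one semantic the refactor introduces: when set, a certificate is serialised as its underlying plain public key so that `key_fingerprint_raw` hashes the key rather than the certificate. A one-line comment above the definition, such as `/* Encode key as a public-key blob; force_plain serialises certificates as their underlying plain key (used for fingerprinting). */`, would make that intent visible at the point of definition. The NULL-key diagnostic at new line 1597 still reports `key_to_blob:` although it now lives in `to_blob` and is also reached from `key_fingerprint_raw`; `error("%s: key == NULL", __func__);` would keep it accurate. The call at new line 377 discards `to_blob`'s return value, so a failure leaves `blob` NULL and `len` 0; the body of `key_fingerprint_raw` continues outside the hunk, and I assume the existing NULL check on `blob` after the switch covers that case, which is worth confirming.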