authorDamien Miller <djm@mindrot.org>2013-01-18 11:44:04 +1100
committerDamien Miller <djm@mindrot.org>2013-01-18 11:44:04 +1100
commitf3747bf4014a450c9aaf1d88b010f6e579d10072 (patch)
tree0b1e1b497da13eb815e16a0f43be09e873e6a243 /key.c
parentb26699bbadaffa1b1de2f6b0e175b77aba337de5 (diff)
- djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
Diffstat (limited to 'key.c')
-rw-r--r--key.c40
1 files changed, 25 insertions, 15 deletions
diff --git a/key.c b/key.c
index 7e9099703..4cc5c5d35 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.c,v 1.99 2012/05/23 03:28:28 djm Exp $ */ 1/* $OpenBSD: key.c,v 1.100 2013/01/17 23:00:01 djm Exp $ */
2/* 2/*
3 * read_bignum(): 3 * read_bignum():
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -55,6 +55,8 @@
55#include "misc.h" 55#include "misc.h"
56#include "ssh2.h" 56#include "ssh2.h"
57 57
58static int to_blob(const Key *, u_char **, u_int *, int);
59
58static struct KeyCert * 60static struct KeyCert *
59cert_new(void) 61cert_new(void)
60{ 62{
@@ -324,14 +326,15 @@ key_equal(const Key *a, const Key *b)
324} 326}
325 327
326u_char* 328u_char*
327key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) 329key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
330 u_int *dgst_raw_length)
328{ 331{
329 const EVP_MD *md = NULL; 332 const EVP_MD *md = NULL;
330 EVP_MD_CTX ctx; 333 EVP_MD_CTX ctx;
331 u_char *blob = NULL; 334 u_char *blob = NULL;
332 u_char *retval = NULL; 335 u_char *retval = NULL;
333 u_int len = 0; 336 u_int len = 0;
334 int nlen, elen, otype; 337 int nlen, elen;
335 338
336 *dgst_raw_length = 0; 339 *dgst_raw_length = 0;
337 340
@@ -371,10 +374,7 @@ key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
371 case KEY_ECDSA_CERT: 374 case KEY_ECDSA_CERT:
372 case KEY_RSA_CERT: 375 case KEY_RSA_CERT:
373 /* We want a fingerprint of the _key_ not of the cert */ 376 /* We want a fingerprint of the _key_ not of the cert */
374 otype = k->type; 377 to_blob(k, &blob, &len, 1);
375 k->type = key_type_plain(k->type);
376 key_to_blob(k, &blob, &len);
377 k->type = otype;
378 break; 378 break;
379 case KEY_UNSPEC: 379 case KEY_UNSPEC:
380 return retval; 380 return retval;
@@ -1587,18 +1587,19 @@ key_from_blob(const u_char *blob, u_int blen)
1587 return key; 1587 return key;
1588} 1588}
1589 1589
1590int 1590static int
1591key_to_blob(const Key *key, u_char **blobp, u_int *lenp) 1591to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
1592{ 1592{
1593 Buffer b; 1593 Buffer b;
1594 int len; 1594 int len, type;
1595 1595
1596 if (key == NULL) { 1596 if (key == NULL) {
1597 error("key_to_blob: key == NULL"); 1597 error("key_to_blob: key == NULL");
1598 return 0; 1598 return 0;
1599 } 1599 }
1600 buffer_init(&b); 1600 buffer_init(&b);
1601 switch (key->type) { 1601 type = force_plain ? key_type_plain(key->type) : key->type;
1602 switch (type) {
1602 case KEY_DSA_CERT_V00: 1603 case KEY_DSA_CERT_V00:
1603 case KEY_RSA_CERT_V00: 1604 case KEY_RSA_CERT_V00:
1604 case KEY_DSA_CERT: 1605 case KEY_DSA_CERT:
@@ -1609,7 +1610,8 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1609 buffer_len(&key->cert->certblob)); 1610 buffer_len(&key->cert->certblob));
1610 break; 1611 break;
1611 case KEY_DSA: 1612 case KEY_DSA:
1612 buffer_put_cstring(&b, key_ssh_name(key)); 1613 buffer_put_cstring(&b,
1614 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1613 buffer_put_bignum2(&b, key->dsa->p); 1615 buffer_put_bignum2(&b, key->dsa->p);
1614 buffer_put_bignum2(&b, key->dsa->q); 1616 buffer_put_bignum2(&b, key->dsa->q);
1615 buffer_put_bignum2(&b, key->dsa->g); 1617 buffer_put_bignum2(&b, key->dsa->g);
@@ -1617,14 +1619,16 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1617 break; 1619 break;
1618#ifdef OPENSSL_HAS_ECC 1620#ifdef OPENSSL_HAS_ECC
1619 case KEY_ECDSA: 1621 case KEY_ECDSA:
1620 buffer_put_cstring(&b, key_ssh_name(key)); 1622 buffer_put_cstring(&b,
1623 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1621 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); 1624 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1622 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), 1625 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1623 EC_KEY_get0_public_key(key->ecdsa)); 1626 EC_KEY_get0_public_key(key->ecdsa));
1624 break; 1627 break;
1625#endif 1628#endif
1626 case KEY_RSA: 1629 case KEY_RSA:
1627 buffer_put_cstring(&b, key_ssh_name(key)); 1630 buffer_put_cstring(&b,
1631 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1628 buffer_put_bignum2(&b, key->rsa->e); 1632 buffer_put_bignum2(&b, key->rsa->e);
1629 buffer_put_bignum2(&b, key->rsa->n); 1633 buffer_put_bignum2(&b, key->rsa->n);
1630 break; 1634 break;
@@ -1646,6 +1650,12 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1646} 1650}
1647 1651
1648int 1652int
1653key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1654{
1655 return to_blob(key, blobp, lenp, 0);
1656}
1657
1658int
1649key_sign( 1659key_sign(
1650 const Key *key, 1660 const Key *key,
1651 u_char **sigp, u_int *lenp, 1661 u_char **sigp, u_int *lenp,
@@ -2024,7 +2034,7 @@ key_cert_check_authority(const Key *k, int want_host, int require_principal,
2024} 2034}
2025 2035
2026int 2036int
2027key_cert_is_legacy(Key *k) 2037key_cert_is_legacy(const Key *k)
2028{ 2038{
2029 switch (k->type) { 2039 switch (k->type) {
2030 case KEY_DSA_CERT_V00: 2040 case KEY_DSA_CERT_V00:
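Review bot: In key_fingerprint_raw the certificate case now calls `to_blob(k, &blob, &len, 1);` and discards its result, so a failed serialisation (the hunk shows to_blob returning 0 for a NULL key; its other failure paths lie outside the hunk) leaves blob NULL and len 0 and the function would presumably go on to digest an empty buffer instead of failing. The unchecked call predates this commit, but since the line is being rewritten anyway I would guard it: `if (to_blob(k, &blob, &len, 1) == 0) return retval;`. Separately, the message in to_blob still reads `error("key_to_blob: key == NULL");` even though the function was renamed and key_to_blob is now only a wrapper; `error("%s: key == NULL", __func__);` stays accurate whichever entry point was used. Both key_fingerprint_raw and to_blob continue outside their hunks, so I cannot see how the blob is consumed or how the remaining to_blob cases report errors.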