author | Damien Miller <djm@mindrot.org> | 2010-09-10 11:39:26 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-09-10 11:39:26 +1000 |
commit | 6af914a15c0c33e8b5bab5ca61919b8562ff1db9 (patch) | |
tree | b87546d8a88a05e6fd600cbb2b8c0b132278cb10 /key.c | |
parent | 041ab7c1e7d6514ed84a539a767f79ffb356e807 (diff) |
- (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
[ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
platforms that don't have the requisite OpenSSL support. ok dtucker@
Diffstat (limited to 'key.c')
-rw-r--r-- | key.c | 67 |
1 files changed, 64 insertions, 3 deletions
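--- a/key.c
+++ b/key.c
@@ -111,10 +111,12 @@ key_new(int type)
 fatal("key_new: BN_new failed");
 k->dsa = dsa;
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
 /* Cannot do anything until we know the group */
 break;
+#endif
 case KEY_UNSPEC:
 break;
 default:
@@ -214,12 +216,14 @@ key_free(Key *k)
 DSA_free(k->dsa);
 k->dsa = NULL;
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
 if (k->ecdsa != NULL)
 EC_KEY_free(k->ecdsa);
 k->ecdsa = NULL;
 break;
+#endif
 case KEY_UNSPEC:
 break;
 default:
@@ -279,6 +283,7 @@ key_equal_public(const Key *a, const Key *b)
 BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
 BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 case KEY_ECDSA:
 if (a->ecdsa == NULL || b->ecdsa == NULL ||
@@ -297,6 +302,7 @@ key_equal_public(const Key *a, const Key *b)
 }
 BN_CTX_free(bnctx);
 return 1;
+#endif /* OPENSSL_HAS_ECC */
 default:
 fatal("key_equal: bad key type %d", a->type);
 }
@@ -695,11 +701,13 @@ key_read(Key *ret, char **cpp)
 }
 *space = '\0';
 type = key_type_from_name(cp);
+#ifdef OPENSSL_HAS_ECC
 if (key_type_plain(type) == KEY_ECDSA &&
 (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
 debug("key_read: invalid curve");
 return -1;
 }
+#endif
 *space = ' ';
 if (type == KEY_UNSPEC) {
 debug3("key_read: missing keytype");
@@ -736,12 +744,14 @@ key_read(Key *ret, char **cpp)
 key_free(k);
 return -1;
 }
+#ifdef OPENSSL_HAS_ECC
 if (key_type_plain(type) == KEY_ECDSA &&
 curve_nid != k->ecdsa_nid) {
 error("key_read: type mismatch: EC curve mismatch");
 key_free(k);
 return -1;
 }
+#endif
 /*XXXX*/
 if (key_is_cert(ret)) {
 if (!key_is_cert(k)) {
@@ -772,6 +782,7 @@ key_read(Key *ret, char **cpp)
 DSA_print_fp(stderr, ret->dsa, 8);
 #endif
 }
+#ifdef OPENSSL_HAS_ECC
 if (key_type_plain(ret->type) == KEY_ECDSA) {
 if (ret->ecdsa != NULL)
 EC_KEY_free(ret->ecdsa);
@@ -783,6 +794,7 @@ key_read(Key *ret, char **cpp)
 key_dump_ec_key(ret->ecdsa);
 #endif
 }
+#endif
 success = 1;
 /*XXXX*/
 key_free(k);
@@ -839,11 +851,13 @@ key_write(const Key *key, FILE *f)
 if (key->dsa == NULL)
 return 0;
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
 if (key->ecdsa == NULL)
 return 0;
 break;
+#endif
 case KEY_RSA:
 case KEY_RSA_CERT_V00:
 case KEY_RSA_CERT:
@@ -877,8 +891,10 @@ key_type(const Key *k)
 return "RSA";
 case KEY_DSA:
 return "DSA";
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 return "ECDSA";
+#endif
 case KEY_RSA_CERT_V00:
 return "RSA-CERT-V00";
 case KEY_DSA_CERT_V00:
@@ -887,8 +903,10 @@ key_type(const Key *k)
 return "RSA-CERT";
 case KEY_DSA_CERT:
 return "DSA-CERT";
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 return "ECDSA-CERT";
+#endif
 }
 return "unknown";
 }
@@ -922,6 +940,7 @@ key_ssh_name_from_type_nid(int type, int nid)
 return "ssh-rsa-cert-v01@openssh.com";
 case KEY_DSA_CERT:
 return "ssh-dss-cert-v01@openssh.com";
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 switch (nid) {
 case NID_X9_62_prime256v1:
@@ -946,6 +965,7 @@ key_ssh_name_from_type_nid(int type, int nid)
 break;
 }
 break;
+#endif /* OPENSSL_HAS_ECC */
 }
 return "ssh-unknown";
 }
@@ -976,9 +996,11 @@ key_size(const Key *k)
 case KEY_DSA_CERT_V00:
 case KEY_DSA_CERT:
 return BN_num_bits(k->dsa->p);
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
 return key_curve_nid_to_bits(k->ecdsa_nid);
+#endif
 }
 return 0;
 }
@@ -1012,17 +1034,20 @@ int
 key_ecdsa_bits_to_nid(int bits)
 {
 switch (bits) {
+#ifdef OPENSSL_HAS_ECC
 case 256:
 return NID_X9_62_prime256v1;
 case 384:
 return NID_secp384r1;
 case 521:
 return NID_secp521r1;
+#endif
 default:
 return -1;
 }
 }
 
+#ifdef OPENSSL_HAS_ECC
 /*
 * This is horrid, but OpenSSL's PEM_read_PrivateKey seems not to restore
 * the EC_GROUP nid when loading a key...
@@ -1070,6 +1095,7 @@ ecdsa_generate_private_key(u_int bits, int *nid)
 fatal("%s: EC_KEY_generate_key failed", __func__);
 return private;
 }
+#endif /* OPENSSL_HAS_ECC */
 
 Key *
 key_generate(int type, u_int bits)
@@ -1079,9 +1105,11 @@ key_generate(int type, u_int bits)
 case KEY_DSA:
 k->dsa = dsa_generate_private_key(bits);
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
 break;
+#endif
 case KEY_RSA:
 case KEY_RSA1:
 k->rsa = rsa_generate_private_key(bits);
@@ -1158,6 +1186,7 @@ key_from_private(const Key *k)
 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
 fatal("key_from_private: BN_copy failed");
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 case KEY_ECDSA_CERT:
 n = key_new(k->type);
@@ -1168,6 +1197,7 @@ key_from_private(const Key *k)
 EC_KEY_get0_public_key(k->ecdsa)) != 1)
 fatal("%s: EC_KEY_set_public_key failed", __func__);
 break;
+#endif
 case KEY_RSA:
 case KEY_RSA1:
 case KEY_RSA_CERT_V00:
@@ -1199,11 +1229,13 @@ key_type_from_name(char *name)
 return KEY_RSA;
 } else if (strcmp(name, "ssh-dss") == 0) {
 return KEY_DSA;
+#ifdef OPENSSL_HAS_ECC
 } else if (strcmp(name, "ecdsa") == 0 ||
 strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
 strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
 strcmp(name, "ecdsa-sha2-nistp521") == 0) {
 return KEY_ECDSA;
+#endif
 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
 return KEY_RSA_CERT_V00;
 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
@@ -1212,10 +1244,13 @@ key_type_from_name(char *name)
 return KEY_RSA_CERT;
 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
 return KEY_DSA_CERT;
+#ifdef OPENSSL_HAS_ECC
 } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
-strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
+strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0) {
 return KEY_ECDSA_CERT;
+#endif
+}
 
 debug2("key_type_from_name: unknown key type '%s'", name);
 return KEY_UNSPEC;
@@ -1224,6 +1259,7 @@ key_type_from_name(char *name)
 int
 key_ecdsa_nid_from_name(const char *name)
 {
+#ifdef OPENSSL_HAS_ECC
 if (strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
 strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0)
 return NID_X9_62_prime256v1;
@@ -1233,6 +1269,7 @@ key_ecdsa_nid_from_name(const char *name)
 if (strcmp(name, "ecdsa-sha2-nistp521") == 0 ||
 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
 return NID_secp521r1;
+#endif /* OPENSSL_HAS_ECC */
 
 debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
 return -1;
@@ -1403,7 +1440,9 @@ key_from_blob(const u_char *blob, u_int blen)
 int rlen, type, nid = -1;
 char *ktype = NULL, *curve = NULL;
 Key *key = NULL;
+#ifdef OPENSSL_HAS_ECC
 EC_POINT *q = NULL;
+#endif
 
 #ifdef DEBUG_PK
 dump_base64(stderr, blob, blen);
@@ -1416,8 +1455,10 @@ key_from_blob(const u_char *blob, u_int blen)
 }
 
 type = key_type_from_name(ktype);
+#ifdef OPENSSL_HAS_ECC
 if (key_type_plain(type) == KEY_ECDSA)
 nid = key_ecdsa_nid_from_name(ktype);
+#endif
 
 switch (type) {
 case KEY_RSA_CERT:
@@ -1455,6 +1496,7 @@ key_from_blob(const u_char *blob, u_int blen)
 DSA_print_fp(stderr, key->dsa, 8);
 #endif
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
 /* FALLTHROUGH */
@@ -1490,6 +1532,7 @@ key_from_blob(const u_char *blob, u_int blen)
 key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
 #endif
 break;
+#endif /* OPENSSL_HAS_ECC */
 case KEY_UNSPEC:
 key = key_new(type);
 break;
@@ -1509,8 +1552,10 @@ key_from_blob(const u_char *blob, u_int blen)
 xfree(ktype);
 if (curve != NULL)
 xfree(curve);
+#ifdef OPENSSL_HAS_ECC
 if (q != NULL)
 EC_POINT_free(q);
+#endif
 buffer_free(&b);
 return key;
 }
@@ -1543,12 +1588,14 @@ key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
 buffer_put_bignum2(&b, key->dsa->g);
 buffer_put_bignum2(&b, key->dsa->pub_key);
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA:
 buffer_put_cstring(&b, key_ssh_name(key));
 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
 EC_KEY_get0_public_key(key->ecdsa));
 break;
+#endif
 case KEY_RSA:
 buffer_put_cstring(&b, key_ssh_name(key));
 buffer_put_bignum2(&b, key->rsa->e);
@@ -1582,9 +1629,11 @@ key_sign(
 case KEY_DSA_CERT:
 case KEY_DSA:
 return ssh_dss_sign(key, sigp, lenp, data, datalen);
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 case KEY_ECDSA:
 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
+#endif
 case KEY_RSA_CERT_V00:
 case KEY_RSA_CERT:
 case KEY_RSA:
@@ -1613,9 +1662,11 @@ key_verify(
 case KEY_DSA_CERT:
 case KEY_DSA:
 return ssh_dss_verify(key, signature, signaturelen, data, datalen);
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 case KEY_ECDSA:
 return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
+#endif
 case KEY_RSA_CERT_V00:
 case KEY_RSA_CERT:
 case KEY_RSA:
@@ -1670,6 +1721,7 @@ key_demote(const Key *k)
 if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
 fatal("key_demote: BN_dup failed");
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 key_cert_copy(k, pk);
 /* FALLTHROUGH */
@@ -1680,6 +1732,7 @@ key_demote(const Key *k)
 EC_KEY_get0_public_key(k->ecdsa)) != 1)
 fatal("key_demote: EC_KEY_set_public_key failed");
 break;
+#endif
 default:
 fatal("key_free: bad key type %d", k->type);
 break;
@@ -1819,6 +1872,7 @@ key_certify(Key *k, Key *ca)
 buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
 break;
+#ifdef OPENSSL_HAS_ECC
 case KEY_ECDSA_CERT:
 buffer_put_cstring(&k->cert->certblob,
 key_curve_nid_to_name(k->ecdsa_nid));
@@ -1826,6 +1880,7 @@ key_certify(Key *k, Key *ca)
 EC_KEY_get0_group(k->ecdsa),
 EC_KEY_get0_public_key(k->ecdsa));
 break;
+#endif
 case KEY_RSA_CERT_V00:
 case KEY_RSA_CERT:
 buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
@@ -1955,12 +2010,14 @@ key_cert_is_legacy(Key *k)
 int
 key_curve_name_to_nid(const char *name)
 {
+#ifdef OPENSSL_HAS_ECC
 if (strcmp(name, "nistp256") == 0)
 return NID_X9_62_prime256v1;
 else if (strcmp(name, "nistp384") == 0)
 return NID_secp384r1;
 else if (strcmp(name, "nistp521") == 0)
 return NID_secp521r1;
+#endif
 
 debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
 return -1;
@@ -1970,12 +2027,14 @@ u_int
 key_curve_nid_to_bits(int nid)
 {
 switch (nid) {
+#ifdef OPENSSL_HAS_ECC
 case NID_X9_62_prime256v1:
 return 256;
 case NID_secp384r1:
 return 384;
 case NID_secp521r1:
 return 521;
+#endif
 default:
 error("%s: unsupported EC curve nid %d", __func__, nid);
 return 0;
@@ -1985,17 +2044,19 @@ key_curve_nid_to_bits(int nid)
 const char *
 key_curve_nid_to_name(int nid)
 {
+#ifdef OPENSSL_HAS_ECC
 if (nid == NID_X9_62_prime256v1)
 return "nistp256";
 else if (nid == NID_secp384r1)
 return "nistp384";
 else if (nid == NID_secp521r1)
 return "nistp521";
-
+#endif
 error("%s: unsupported EC curve nid %d", __func__, nid);
 return NULL;
 }
 
+#ifdef OPENSSL_HAS_ECC
 const EVP_MD *
 key_ec_nid_to_evpmd(int nid)
 {
@@ -2180,4 +2241,4 @@ key_dump_ec_key(const EC_KEY *key)
 fputs("\n", stderr);
 }
 #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
-
+#endif /* OPENSSL_HAS_ECC */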
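Review bot: In the key_demote hunk at `@@ -1680,6 +1732,7 @@`, the `default:` branch that now sits directly after the new `#endif` reports `fatal("key_free: bad key type %d", k->type);`, attributing the failure to key_free rather than key_demote; on a build without OPENSSL_HAS_ECC this is exactly the branch an ECDSA-typed Key would reach, so the misleading message is worth fixing in the same commit as `fatal("key_demote: bad key type %d", k->type);` (or `"%s: ..."` with `__func__`, matching the other fatal() calls in the file). The body of key_demote begins and ends outside the hunk. Separately, in key_read's `@@ -695,11 +701,13 @@` hunk the only reads and writes of `curve_nid` are now inside OPENSSL_HAS_ECC guards, so if its declaration at the top of key_read (outside the hunk) is unguarded it becomes an unused variable in non-ECC builds; `nid` in key_from_blob (`@@ -1403,7 +1440,9 @@`) is initialized to -1 but its only assignment is guarded, which may likewise warn as set-but-unused. Wrapping those declarations in the same `#ifdef OPENSSL_HAS_ECC` keeps -Werror builds clean.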