diff options
author | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
commit | 0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch) | |
tree | 176c7dc2844ecc2c1de0f72d221449556ffa5209 /ssh-agent.c | |
parent | 559d383037b0872fcde4e6c40188b649c574be74 (diff) |
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
Diffstat (limited to 'ssh-agent.c')
-rw-r--r-- | ssh-agent.c | 143 |
1 files changed, 70 insertions, 73 deletions
diff --git a/ssh-agent.c b/ssh-agent.c index 479388fab..9f61aec3b 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
@@ -37,7 +37,7 @@ | |||
37 | */ | 37 | */ |
38 | 38 | ||
39 | #include "includes.h" | 39 | #include "includes.h" |
40 | RCSID("$OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $"); | 40 | RCSID("$OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $"); |
41 | 41 | ||
42 | #include "ssh.h" | 42 | #include "ssh.h" |
43 | #include "rsa.h" | 43 | #include "rsa.h" |
@@ -54,7 +54,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $"); | |||
54 | #include <openssl/rsa.h> | 54 | #include <openssl/rsa.h> |
55 | #include "key.h" | 55 | #include "key.h" |
56 | #include "authfd.h" | 56 | #include "authfd.h" |
57 | #include "dsa.h" | ||
58 | #include "kex.h" | 57 | #include "kex.h" |
59 | #include "compat.h" | 58 | #include "compat.h" |
60 | 59 | ||
@@ -147,14 +146,14 @@ process_request_identities(SocketEntry *e, int version) | |||
147 | buffer_put_int(&msg, tab->nentries); | 146 | buffer_put_int(&msg, tab->nentries); |
148 | for (i = 0; i < tab->nentries; i++) { | 147 | for (i = 0; i < tab->nentries; i++) { |
149 | Identity *id = &tab->identities[i]; | 148 | Identity *id = &tab->identities[i]; |
150 | if (id->key->type == KEY_RSA) { | 149 | if (id->key->type == KEY_RSA1) { |
151 | buffer_put_int(&msg, BN_num_bits(id->key->rsa->n)); | 150 | buffer_put_int(&msg, BN_num_bits(id->key->rsa->n)); |
152 | buffer_put_bignum(&msg, id->key->rsa->e); | 151 | buffer_put_bignum(&msg, id->key->rsa->e); |
153 | buffer_put_bignum(&msg, id->key->rsa->n); | 152 | buffer_put_bignum(&msg, id->key->rsa->n); |
154 | } else { | 153 | } else { |
155 | unsigned char *blob; | 154 | unsigned char *blob; |
156 | unsigned int blen; | 155 | unsigned int blen; |
157 | dsa_make_key_blob(id->key, &blob, &blen); | 156 | key_to_blob(id->key, &blob, &blen); |
158 | buffer_put_string(&msg, blob, blen); | 157 | buffer_put_string(&msg, blob, blen); |
159 | xfree(blob); | 158 | xfree(blob); |
160 | } | 159 | } |
@@ -178,7 +177,7 @@ process_authentication_challenge1(SocketEntry *e) | |||
178 | unsigned int response_type; | 177 | unsigned int response_type; |
179 | 178 | ||
180 | buffer_init(&msg); | 179 | buffer_init(&msg); |
181 | key = key_new(KEY_RSA); | 180 | key = key_new(KEY_RSA1); |
182 | challenge = BN_new(); | 181 | challenge = BN_new(); |
183 | 182 | ||
184 | buffer_get_int(&e->input); /* ignored */ | 183 | buffer_get_int(&e->input); /* ignored */ |
@@ -251,11 +250,11 @@ process_sign_request2(SocketEntry *e) | |||
251 | if (flags & SSH_AGENT_OLD_SIGNATURE) | 250 | if (flags & SSH_AGENT_OLD_SIGNATURE) |
252 | datafellows = SSH_BUG_SIGBLOB; | 251 | datafellows = SSH_BUG_SIGBLOB; |
253 | 252 | ||
254 | key = dsa_key_from_blob(blob, blen); | 253 | key = key_from_blob(blob, blen); |
255 | if (key != NULL) { | 254 | if (key != NULL) { |
256 | private = lookup_private_key(key, NULL, 2); | 255 | private = lookup_private_key(key, NULL, 2); |
257 | if (private != NULL) | 256 | if (private != NULL) |
258 | ok = dsa_sign(private, &signature, &slen, data, dlen); | 257 | ok = key_sign(private, &signature, &slen, data, dlen); |
259 | } | 258 | } |
260 | key_free(key); | 259 | key_free(key); |
261 | buffer_init(&msg); | 260 | buffer_init(&msg); |
@@ -287,7 +286,7 @@ process_remove_identity(SocketEntry *e, int version) | |||
287 | 286 | ||
288 | switch(version){ | 287 | switch(version){ |
289 | case 1: | 288 | case 1: |
290 | key = key_new(KEY_RSA); | 289 | key = key_new(KEY_RSA1); |
291 | bits = buffer_get_int(&e->input); | 290 | bits = buffer_get_int(&e->input); |
292 | buffer_get_bignum(&e->input, key->rsa->e); | 291 | buffer_get_bignum(&e->input, key->rsa->e); |
293 | buffer_get_bignum(&e->input, key->rsa->n); | 292 | buffer_get_bignum(&e->input, key->rsa->n); |
@@ -298,7 +297,7 @@ process_remove_identity(SocketEntry *e, int version) | |||
298 | break; | 297 | break; |
299 | case 2: | 298 | case 2: |
300 | blob = buffer_get_string(&e->input, &blen); | 299 | blob = buffer_get_string(&e->input, &blen); |
301 | key = dsa_key_from_blob(blob, blen); | 300 | key = key_from_blob(blob, blen); |
302 | xfree(blob); | 301 | xfree(blob); |
303 | break; | 302 | break; |
304 | } | 303 | } |
@@ -315,8 +314,12 @@ process_remove_identity(SocketEntry *e, int version) | |||
315 | Idtab *tab = idtab_lookup(version); | 314 | Idtab *tab = idtab_lookup(version); |
316 | key_free(tab->identities[idx].key); | 315 | key_free(tab->identities[idx].key); |
317 | xfree(tab->identities[idx].comment); | 316 | xfree(tab->identities[idx].comment); |
318 | if (idx != tab->nentries) | 317 | if (tab->nentries < 1) |
319 | tab->identities[idx] = tab->identities[tab->nentries]; | 318 | fatal("process_remove_identity: " |
319 | "internal error: tab->nentries %d", | ||
320 | tab->nentries); | ||
321 | if (idx != tab->nentries - 1) | ||
322 | tab->identities[idx] = tab->identities[tab->nentries - 1]; | ||
320 | tab->nentries--; | 323 | tab->nentries--; |
321 | success = 1; | 324 | success = 1; |
322 | } | 325 | } |
@@ -349,79 +352,80 @@ process_remove_all_identities(SocketEntry *e, int version) | |||
349 | } | 352 | } |
350 | 353 | ||
351 | void | 354 | void |
352 | process_add_identity(SocketEntry *e, int version) | 355 | generate_additional_parameters(RSA *rsa) |
353 | { | 356 | { |
354 | Key *k = NULL; | ||
355 | RSA *rsa; | ||
356 | BIGNUM *aux; | 357 | BIGNUM *aux; |
357 | BN_CTX *ctx; | 358 | BN_CTX *ctx; |
358 | char *type; | 359 | /* Generate additional parameters */ |
360 | aux = BN_new(); | ||
361 | ctx = BN_CTX_new(); | ||
362 | |||
363 | BN_sub(aux, rsa->q, BN_value_one()); | ||
364 | BN_mod(rsa->dmq1, rsa->d, aux, ctx); | ||
365 | |||
366 | BN_sub(aux, rsa->p, BN_value_one()); | ||
367 | BN_mod(rsa->dmp1, rsa->d, aux, ctx); | ||
368 | |||
369 | BN_clear_free(aux); | ||
370 | BN_CTX_free(ctx); | ||
371 | } | ||
372 | |||
373 | void | ||
374 | process_add_identity(SocketEntry *e, int version) | ||
375 | { | ||
376 | Key *k = NULL; | ||
377 | char *type_name; | ||
359 | char *comment; | 378 | char *comment; |
360 | int success = 0; | 379 | int type, success = 0; |
361 | Idtab *tab = idtab_lookup(version); | 380 | Idtab *tab = idtab_lookup(version); |
362 | 381 | ||
363 | switch (version) { | 382 | switch (version) { |
364 | case 1: | 383 | case 1: |
365 | k = key_new(KEY_RSA); | 384 | k = key_new_private(KEY_RSA1); |
366 | rsa = k->rsa; | 385 | buffer_get_int(&e->input); /* ignored */ |
367 | 386 | buffer_get_bignum(&e->input, k->rsa->n); | |
368 | /* allocate mem for private key */ | 387 | buffer_get_bignum(&e->input, k->rsa->e); |
369 | /* XXX rsa->n and rsa->e are already allocated */ | 388 | buffer_get_bignum(&e->input, k->rsa->d); |
370 | rsa->d = BN_new(); | 389 | buffer_get_bignum(&e->input, k->rsa->iqmp); |
371 | rsa->iqmp = BN_new(); | ||
372 | rsa->q = BN_new(); | ||
373 | rsa->p = BN_new(); | ||
374 | rsa->dmq1 = BN_new(); | ||
375 | rsa->dmp1 = BN_new(); | ||
376 | |||
377 | buffer_get_int(&e->input); /* ignored */ | ||
378 | |||
379 | buffer_get_bignum(&e->input, rsa->n); | ||
380 | buffer_get_bignum(&e->input, rsa->e); | ||
381 | buffer_get_bignum(&e->input, rsa->d); | ||
382 | buffer_get_bignum(&e->input, rsa->iqmp); | ||
383 | 390 | ||
384 | /* SSH and SSL have p and q swapped */ | 391 | /* SSH and SSL have p and q swapped */ |
385 | buffer_get_bignum(&e->input, rsa->q); /* p */ | 392 | buffer_get_bignum(&e->input, k->rsa->q); /* p */ |
386 | buffer_get_bignum(&e->input, rsa->p); /* q */ | 393 | buffer_get_bignum(&e->input, k->rsa->p); /* q */ |
387 | 394 | ||
388 | /* Generate additional parameters */ | 395 | /* Generate additional parameters */ |
389 | aux = BN_new(); | 396 | generate_additional_parameters(k->rsa); |
390 | ctx = BN_CTX_new(); | ||
391 | |||
392 | BN_sub(aux, rsa->q, BN_value_one()); | ||
393 | BN_mod(rsa->dmq1, rsa->d, aux, ctx); | ||
394 | |||
395 | BN_sub(aux, rsa->p, BN_value_one()); | ||
396 | BN_mod(rsa->dmp1, rsa->d, aux, ctx); | ||
397 | |||
398 | BN_clear_free(aux); | ||
399 | BN_CTX_free(ctx); | ||
400 | |||
401 | break; | 397 | break; |
402 | case 2: | 398 | case 2: |
403 | type = buffer_get_string(&e->input, NULL); | 399 | type_name = buffer_get_string(&e->input, NULL); |
404 | if (strcmp(type, KEX_DSS)) { | 400 | type = key_type_from_name(type_name); |
401 | xfree(type_name); | ||
402 | switch(type) { | ||
403 | case KEY_DSA: | ||
404 | k = key_new_private(type); | ||
405 | buffer_get_bignum2(&e->input, k->dsa->p); | ||
406 | buffer_get_bignum2(&e->input, k->dsa->q); | ||
407 | buffer_get_bignum2(&e->input, k->dsa->g); | ||
408 | buffer_get_bignum2(&e->input, k->dsa->pub_key); | ||
409 | buffer_get_bignum2(&e->input, k->dsa->priv_key); | ||
410 | break; | ||
411 | case KEY_RSA: | ||
412 | k = key_new_private(type); | ||
413 | buffer_get_bignum2(&e->input, k->rsa->n); | ||
414 | buffer_get_bignum2(&e->input, k->rsa->e); | ||
415 | buffer_get_bignum2(&e->input, k->rsa->d); | ||
416 | buffer_get_bignum2(&e->input, k->rsa->iqmp); | ||
417 | buffer_get_bignum2(&e->input, k->rsa->p); | ||
418 | buffer_get_bignum2(&e->input, k->rsa->q); | ||
419 | |||
420 | /* Generate additional parameters */ | ||
421 | generate_additional_parameters(k->rsa); | ||
422 | break; | ||
423 | default: | ||
405 | buffer_clear(&e->input); | 424 | buffer_clear(&e->input); |
406 | xfree(type); | ||
407 | goto send; | 425 | goto send; |
408 | } | 426 | } |
409 | xfree(type); | ||
410 | |||
411 | k = key_new(KEY_DSA); | ||
412 | |||
413 | /* allocate mem for private key */ | ||
414 | k->dsa->priv_key = BN_new(); | ||
415 | |||
416 | buffer_get_bignum2(&e->input, k->dsa->p); | ||
417 | buffer_get_bignum2(&e->input, k->dsa->q); | ||
418 | buffer_get_bignum2(&e->input, k->dsa->g); | ||
419 | buffer_get_bignum2(&e->input, k->dsa->pub_key); | ||
420 | buffer_get_bignum2(&e->input, k->dsa->priv_key); | ||
421 | |||
422 | break; | 427 | break; |
423 | } | 428 | } |
424 | |||
425 | comment = buffer_get_string(&e->input, NULL); | 429 | comment = buffer_get_string(&e->input, NULL); |
426 | if (k == NULL) { | 430 | if (k == NULL) { |
427 | xfree(comment); | 431 | xfree(comment); |
@@ -670,13 +674,6 @@ main(int ac, char **av) | |||
670 | 674 | ||
671 | init_rng(); | 675 | init_rng(); |
672 | 676 | ||
673 | /* check if RSA support exists */ | ||
674 | if (rsa_alive() == 0) { | ||
675 | fprintf(stderr, | ||
676 | "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", | ||
677 | __progname); | ||
678 | exit(1); | ||
679 | } | ||
680 | #ifdef __GNU_LIBRARY__ | 677 | #ifdef __GNU_LIBRARY__ |
681 | while ((ch = getopt(ac, av, "+cks")) != -1) { | 678 | while ((ch = getopt(ac, av, "+cks")) != -1) { |
682 | #else /* __GNU_LIBRARY__ */ | 679 | #else /* __GNU_LIBRARY__ */ |