diff options
| author | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2000-11-13 22:57:25 +1100 |
| commit | 0bc1bd814e3c2b5e92d6f595930051960d17f47f (patch) | |
| tree | 176c7dc2844ecc2c1de0f72d221449556ffa5209 /ssh-agent.c | |
| parent | 559d383037b0872fcde4e6c40188b649c574be74 (diff) | |
- (djm) Merge OpenBSD changes:
- markus@cvs.openbsd.org 2000/11/06 16:04:56
[channels.c channels.h clientloop.c nchan.c serverloop.c]
[session.c ssh.c]
agent forwarding and -R for ssh2, based on work from
jhuuskon@messi.uku.fi
- markus@cvs.openbsd.org 2000/11/06 16:13:27
[ssh.c sshconnect.c sshd.c]
do not disabled rhosts(rsa) if server port > 1024; from
pekkas@netcore.fi
- markus@cvs.openbsd.org 2000/11/06 16:16:35
[sshconnect.c]
downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net
- markus@cvs.openbsd.org 2000/11/09 18:04:40
[auth1.c]
typo; from mouring@pconline.com
- markus@cvs.openbsd.org 2000/11/12 12:03:28
[ssh-agent.c]
off-by-one when removing a key from the agent
- markus@cvs.openbsd.org 2000/11/12 12:50:39
[auth-rh-rsa.c auth2.c authfd.c authfd.h]
[authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h]
[readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c]
[ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config]
[sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c]
[ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h]
add support for RSA to SSH2. please test.
there are now 3 types of keys: RSA1 is used by ssh-1 only,
RSA and DSA are used by SSH2.
you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA
keys for SSH2 and use the RSA keys for hostkeys or for user keys.
SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before.
- (djm) Fix up Makefile and Redhat init script to create RSA host keys
- (djm) Change to interim version
Diffstat (limited to 'ssh-agent.c')
| -rw-r--r-- | ssh-agent.c | 143 |
1 files changed, 70 insertions, 73 deletions
diff --git a/ssh-agent.c b/ssh-agent.c index 479388fab..9f61aec3b 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -37,7 +37,7 @@ | |||
| 37 | */ | 37 | */ |
| 38 | 38 | ||
| 39 | #include "includes.h" | 39 | #include "includes.h" |
| 40 | RCSID("$OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $"); | 40 | RCSID("$OpenBSD: ssh-agent.c,v 1.39 2000/11/12 19:50:38 markus Exp $"); |
| 41 | 41 | ||
| 42 | #include "ssh.h" | 42 | #include "ssh.h" |
| 43 | #include "rsa.h" | 43 | #include "rsa.h" |
| @@ -54,7 +54,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.37 2000/09/21 11:07:51 markus Exp $"); | |||
| 54 | #include <openssl/rsa.h> | 54 | #include <openssl/rsa.h> |
| 55 | #include "key.h" | 55 | #include "key.h" |
| 56 | #include "authfd.h" | 56 | #include "authfd.h" |
| 57 | #include "dsa.h" | ||
| 58 | #include "kex.h" | 57 | #include "kex.h" |
| 59 | #include "compat.h" | 58 | #include "compat.h" |
| 60 | 59 | ||
| @@ -147,14 +146,14 @@ process_request_identities(SocketEntry *e, int version) | |||
| 147 | buffer_put_int(&msg, tab->nentries); | 146 | buffer_put_int(&msg, tab->nentries); |
| 148 | for (i = 0; i < tab->nentries; i++) { | 147 | for (i = 0; i < tab->nentries; i++) { |
| 149 | Identity *id = &tab->identities[i]; | 148 | Identity *id = &tab->identities[i]; |
| 150 | if (id->key->type == KEY_RSA) { | 149 | if (id->key->type == KEY_RSA1) { |
| 151 | buffer_put_int(&msg, BN_num_bits(id->key->rsa->n)); | 150 | buffer_put_int(&msg, BN_num_bits(id->key->rsa->n)); |
| 152 | buffer_put_bignum(&msg, id->key->rsa->e); | 151 | buffer_put_bignum(&msg, id->key->rsa->e); |
| 153 | buffer_put_bignum(&msg, id->key->rsa->n); | 152 | buffer_put_bignum(&msg, id->key->rsa->n); |
| 154 | } else { | 153 | } else { |
| 155 | unsigned char *blob; | 154 | unsigned char *blob; |
| 156 | unsigned int blen; | 155 | unsigned int blen; |
| 157 | dsa_make_key_blob(id->key, &blob, &blen); | 156 | key_to_blob(id->key, &blob, &blen); |
| 158 | buffer_put_string(&msg, blob, blen); | 157 | buffer_put_string(&msg, blob, blen); |
| 159 | xfree(blob); | 158 | xfree(blob); |
| 160 | } | 159 | } |
| @@ -178,7 +177,7 @@ process_authentication_challenge1(SocketEntry *e) | |||
| 178 | unsigned int response_type; | 177 | unsigned int response_type; |
| 179 | 178 | ||
| 180 | buffer_init(&msg); | 179 | buffer_init(&msg); |
| 181 | key = key_new(KEY_RSA); | 180 | key = key_new(KEY_RSA1); |
| 182 | challenge = BN_new(); | 181 | challenge = BN_new(); |
| 183 | 182 | ||
| 184 | buffer_get_int(&e->input); /* ignored */ | 183 | buffer_get_int(&e->input); /* ignored */ |
| @@ -251,11 +250,11 @@ process_sign_request2(SocketEntry *e) | |||
| 251 | if (flags & SSH_AGENT_OLD_SIGNATURE) | 250 | if (flags & SSH_AGENT_OLD_SIGNATURE) |
| 252 | datafellows = SSH_BUG_SIGBLOB; | 251 | datafellows = SSH_BUG_SIGBLOB; |
| 253 | 252 | ||
| 254 | key = dsa_key_from_blob(blob, blen); | 253 | key = key_from_blob(blob, blen); |
| 255 | if (key != NULL) { | 254 | if (key != NULL) { |
| 256 | private = lookup_private_key(key, NULL, 2); | 255 | private = lookup_private_key(key, NULL, 2); |
| 257 | if (private != NULL) | 256 | if (private != NULL) |
| 258 | ok = dsa_sign(private, &signature, &slen, data, dlen); | 257 | ok = key_sign(private, &signature, &slen, data, dlen); |
| 259 | } | 258 | } |
| 260 | key_free(key); | 259 | key_free(key); |
| 261 | buffer_init(&msg); | 260 | buffer_init(&msg); |
| @@ -287,7 +286,7 @@ process_remove_identity(SocketEntry *e, int version) | |||
| 287 | 286 | ||
| 288 | switch(version){ | 287 | switch(version){ |
| 289 | case 1: | 288 | case 1: |
| 290 | key = key_new(KEY_RSA); | 289 | key = key_new(KEY_RSA1); |
| 291 | bits = buffer_get_int(&e->input); | 290 | bits = buffer_get_int(&e->input); |
| 292 | buffer_get_bignum(&e->input, key->rsa->e); | 291 | buffer_get_bignum(&e->input, key->rsa->e); |
| 293 | buffer_get_bignum(&e->input, key->rsa->n); | 292 | buffer_get_bignum(&e->input, key->rsa->n); |
| @@ -298,7 +297,7 @@ process_remove_identity(SocketEntry *e, int version) | |||
| 298 | break; | 297 | break; |
| 299 | case 2: | 298 | case 2: |
| 300 | blob = buffer_get_string(&e->input, &blen); | 299 | blob = buffer_get_string(&e->input, &blen); |
| 301 | key = dsa_key_from_blob(blob, blen); | 300 | key = key_from_blob(blob, blen); |
| 302 | xfree(blob); | 301 | xfree(blob); |
| 303 | break; | 302 | break; |
| 304 | } | 303 | } |
| @@ -315,8 +314,12 @@ process_remove_identity(SocketEntry *e, int version) | |||
| 315 | Idtab *tab = idtab_lookup(version); | 314 | Idtab *tab = idtab_lookup(version); |
| 316 | key_free(tab->identities[idx].key); | 315 | key_free(tab->identities[idx].key); |
| 317 | xfree(tab->identities[idx].comment); | 316 | xfree(tab->identities[idx].comment); |
| 318 | if (idx != tab->nentries) | 317 | if (tab->nentries < 1) |
| 319 | tab->identities[idx] = tab->identities[tab->nentries]; | 318 | fatal("process_remove_identity: " |
| 319 | "internal error: tab->nentries %d", | ||
| 320 | tab->nentries); | ||
| 321 | if (idx != tab->nentries - 1) | ||
| 322 | tab->identities[idx] = tab->identities[tab->nentries - 1]; | ||
| 320 | tab->nentries--; | 323 | tab->nentries--; |
| 321 | success = 1; | 324 | success = 1; |
| 322 | } | 325 | } |
| @@ -349,79 +352,80 @@ process_remove_all_identities(SocketEntry *e, int version) | |||
| 349 | } | 352 | } |
| 350 | 353 | ||
| 351 | void | 354 | void |
| 352 | process_add_identity(SocketEntry *e, int version) | 355 | generate_additional_parameters(RSA *rsa) |
| 353 | { | 356 | { |
| 354 | Key *k = NULL; | ||
| 355 | RSA *rsa; | ||
| 356 | BIGNUM *aux; | 357 | BIGNUM *aux; |
| 357 | BN_CTX *ctx; | 358 | BN_CTX *ctx; |
| 358 | char *type; | 359 | /* Generate additional parameters */ |
| 360 | aux = BN_new(); | ||
| 361 | ctx = BN_CTX_new(); | ||
| 362 | |||
| 363 | BN_sub(aux, rsa->q, BN_value_one()); | ||
| 364 | BN_mod(rsa->dmq1, rsa->d, aux, ctx); | ||
| 365 | |||
| 366 | BN_sub(aux, rsa->p, BN_value_one()); | ||
| 367 | BN_mod(rsa->dmp1, rsa->d, aux, ctx); | ||
| 368 | |||
| 369 | BN_clear_free(aux); | ||
| 370 | BN_CTX_free(ctx); | ||
| 371 | } | ||
| 372 | |||
| 373 | void | ||
| 374 | process_add_identity(SocketEntry *e, int version) | ||
| 375 | { | ||
| 376 | Key *k = NULL; | ||
| 377 | char *type_name; | ||
| 359 | char *comment; | 378 | char *comment; |
| 360 | int success = 0; | 379 | int type, success = 0; |
| 361 | Idtab *tab = idtab_lookup(version); | 380 | Idtab *tab = idtab_lookup(version); |
| 362 | 381 | ||
| 363 | switch (version) { | 382 | switch (version) { |
| 364 | case 1: | 383 | case 1: |
| 365 | k = key_new(KEY_RSA); | 384 | k = key_new_private(KEY_RSA1); |
| 366 | rsa = k->rsa; | 385 | buffer_get_int(&e->input); /* ignored */ |
| 367 | 386 | buffer_get_bignum(&e->input, k->rsa->n); | |
| 368 | /* allocate mem for private key */ | 387 | buffer_get_bignum(&e->input, k->rsa->e); |
| 369 | /* XXX rsa->n and rsa->e are already allocated */ | 388 | buffer_get_bignum(&e->input, k->rsa->d); |
| 370 | rsa->d = BN_new(); | 389 | buffer_get_bignum(&e->input, k->rsa->iqmp); |
| 371 | rsa->iqmp = BN_new(); | ||
| 372 | rsa->q = BN_new(); | ||
| 373 | rsa->p = BN_new(); | ||
| 374 | rsa->dmq1 = BN_new(); | ||
| 375 | rsa->dmp1 = BN_new(); | ||
| 376 | |||
| 377 | buffer_get_int(&e->input); /* ignored */ | ||
| 378 | |||
| 379 | buffer_get_bignum(&e->input, rsa->n); | ||
| 380 | buffer_get_bignum(&e->input, rsa->e); | ||
| 381 | buffer_get_bignum(&e->input, rsa->d); | ||
| 382 | buffer_get_bignum(&e->input, rsa->iqmp); | ||
| 383 | 390 | ||
| 384 | /* SSH and SSL have p and q swapped */ | 391 | /* SSH and SSL have p and q swapped */ |
| 385 | buffer_get_bignum(&e->input, rsa->q); /* p */ | 392 | buffer_get_bignum(&e->input, k->rsa->q); /* p */ |
| 386 | buffer_get_bignum(&e->input, rsa->p); /* q */ | 393 | buffer_get_bignum(&e->input, k->rsa->p); /* q */ |
| 387 | 394 | ||
| 388 | /* Generate additional parameters */ | 395 | /* Generate additional parameters */ |
| 389 | aux = BN_new(); | 396 | generate_additional_parameters(k->rsa); |
| 390 | ctx = BN_CTX_new(); | ||
| 391 | |||
| 392 | BN_sub(aux, rsa->q, BN_value_one()); | ||
| 393 | BN_mod(rsa->dmq1, rsa->d, aux, ctx); | ||
| 394 | |||
| 395 | BN_sub(aux, rsa->p, BN_value_one()); | ||
| 396 | BN_mod(rsa->dmp1, rsa->d, aux, ctx); | ||
| 397 | |||
| 398 | BN_clear_free(aux); | ||
| 399 | BN_CTX_free(ctx); | ||
| 400 | |||
| 401 | break; | 397 | break; |
| 402 | case 2: | 398 | case 2: |
| 403 | type = buffer_get_string(&e->input, NULL); | 399 | type_name = buffer_get_string(&e->input, NULL); |
| 404 | if (strcmp(type, KEX_DSS)) { | 400 | type = key_type_from_name(type_name); |
| 401 | xfree(type_name); | ||
| 402 | switch(type) { | ||
| 403 | case KEY_DSA: | ||
| 404 | k = key_new_private(type); | ||
| 405 | buffer_get_bignum2(&e->input, k->dsa->p); | ||
| 406 | buffer_get_bignum2(&e->input, k->dsa->q); | ||
| 407 | buffer_get_bignum2(&e->input, k->dsa->g); | ||
| 408 | buffer_get_bignum2(&e->input, k->dsa->pub_key); | ||
| 409 | buffer_get_bignum2(&e->input, k->dsa->priv_key); | ||
| 410 | break; | ||
| 411 | case KEY_RSA: | ||
| 412 | k = key_new_private(type); | ||
| 413 | buffer_get_bignum2(&e->input, k->rsa->n); | ||
| 414 | buffer_get_bignum2(&e->input, k->rsa->e); | ||
| 415 | buffer_get_bignum2(&e->input, k->rsa->d); | ||
| 416 | buffer_get_bignum2(&e->input, k->rsa->iqmp); | ||
| 417 | buffer_get_bignum2(&e->input, k->rsa->p); | ||
| 418 | buffer_get_bignum2(&e->input, k->rsa->q); | ||
| 419 | |||
| 420 | /* Generate additional parameters */ | ||
| 421 | generate_additional_parameters(k->rsa); | ||
| 422 | break; | ||
| 423 | default: | ||
| 405 | buffer_clear(&e->input); | 424 | buffer_clear(&e->input); |
| 406 | xfree(type); | ||
| 407 | goto send; | 425 | goto send; |
| 408 | } | 426 | } |
| 409 | xfree(type); | ||
| 410 | |||
| 411 | k = key_new(KEY_DSA); | ||
| 412 | |||
| 413 | /* allocate mem for private key */ | ||
| 414 | k->dsa->priv_key = BN_new(); | ||
| 415 | |||
| 416 | buffer_get_bignum2(&e->input, k->dsa->p); | ||
| 417 | buffer_get_bignum2(&e->input, k->dsa->q); | ||
| 418 | buffer_get_bignum2(&e->input, k->dsa->g); | ||
| 419 | buffer_get_bignum2(&e->input, k->dsa->pub_key); | ||
| 420 | buffer_get_bignum2(&e->input, k->dsa->priv_key); | ||
| 421 | |||
| 422 | break; | 427 | break; |
| 423 | } | 428 | } |
| 424 | |||
| 425 | comment = buffer_get_string(&e->input, NULL); | 429 | comment = buffer_get_string(&e->input, NULL); |
| 426 | if (k == NULL) { | 430 | if (k == NULL) { |
| 427 | xfree(comment); | 431 | xfree(comment); |
| @@ -670,13 +674,6 @@ main(int ac, char **av) | |||
| 670 | 674 | ||
| 671 | init_rng(); | 675 | init_rng(); |
| 672 | 676 | ||
| 673 | /* check if RSA support exists */ | ||
| 674 | if (rsa_alive() == 0) { | ||
| 675 | fprintf(stderr, | ||
| 676 | "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", | ||
| 677 | __progname); | ||
| 678 | exit(1); | ||
| 679 | } | ||
| 680 | #ifdef __GNU_LIBRARY__ | 677 | #ifdef __GNU_LIBRARY__ |
| 681 | while ((ch = getopt(ac, av, "+cks")) != -1) { | 678 | while ((ch = getopt(ac, av, "+cks")) != -1) { |
| 682 | #else /* __GNU_LIBRARY__ */ | 679 | #else /* __GNU_LIBRARY__ */ |