diff options
author | Damien Miller <djm@mindrot.org> | 2014-07-02 15:28:02 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-07-02 15:28:02 +1000 |
commit | 8668706d0f52654fe64c0ca41a96113aeab8d2b8 (patch) | |
tree | 73e78e1ea3d39206e39870bbe0af17d6c430fb51 /ssh-agent.c | |
parent | 2cd7929250cf9e9f658d70dcd452f529ba08c942 (diff) |
- djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
[auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
[cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
[digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
[hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
[ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
[ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
[ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
[sshconnect2.c sshd.c sshkey.c sshkey.h
[openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.
with and ok markus@
Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.
NB. This commit also removes portable OpenSSH support for OpenSSL
<0.9.8e.
Diffstat (limited to 'ssh-agent.c')
-rw-r--r-- | ssh-agent.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/ssh-agent.c b/ssh-agent.c index bc96ad705..693d763e2 100644 --- a/ssh-agent.c +++ b/ssh-agent.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-agent.c,v 1.185 2014/04/29 18:01:49 markus Exp $ */ | 1 | /* $OpenBSD: ssh-agent.c,v 1.186 2014/06/24 01:13:21 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -278,7 +278,7 @@ process_authentication_challenge1(SocketEntry *e) | |||
278 | if (id != NULL && (!id->confirm || confirm_key(id) == 0)) { | 278 | if (id != NULL && (!id->confirm || confirm_key(id) == 0)) { |
279 | Key *private = id->key; | 279 | Key *private = id->key; |
280 | /* Decrypt the challenge using the private key. */ | 280 | /* Decrypt the challenge using the private key. */ |
281 | if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0) | 281 | if (rsa_private_decrypt(challenge, challenge, private->rsa) != 0) |
282 | goto failure; | 282 | goto failure; |
283 | 283 | ||
284 | /* The response is MD5 of decrypted challenge plus session id. */ | 284 | /* The response is MD5 of decrypted challenge plus session id. */ |
@@ -365,12 +365,16 @@ process_sign_request2(SocketEntry *e) | |||
365 | static void | 365 | static void |
366 | process_remove_identity(SocketEntry *e, int version) | 366 | process_remove_identity(SocketEntry *e, int version) |
367 | { | 367 | { |
368 | u_int blen, bits; | 368 | u_int blen; |
369 | int success = 0; | 369 | int success = 0; |
370 | Key *key = NULL; | 370 | Key *key = NULL; |
371 | u_char *blob; | 371 | u_char *blob; |
372 | #ifdef WITH_SSH1 | ||
373 | u_int bits; | ||
374 | #endif /* WITH_SSH1 */ | ||
372 | 375 | ||
373 | switch (version) { | 376 | switch (version) { |
377 | #ifdef WITH_SSH1 | ||
374 | case 1: | 378 | case 1: |
375 | key = key_new(KEY_RSA1); | 379 | key = key_new(KEY_RSA1); |
376 | bits = buffer_get_int(&e->request); | 380 | bits = buffer_get_int(&e->request); |
@@ -381,6 +385,7 @@ process_remove_identity(SocketEntry *e, int version) | |||
381 | logit("Warning: identity keysize mismatch: actual %u, announced %u", | 385 | logit("Warning: identity keysize mismatch: actual %u, announced %u", |
382 | key_size(key), bits); | 386 | key_size(key), bits); |
383 | break; | 387 | break; |
388 | #endif /* WITH_SSH1 */ | ||
384 | case 2: | 389 | case 2: |
385 | blob = buffer_get_string(&e->request, &blen); | 390 | blob = buffer_get_string(&e->request, &blen); |
386 | key = key_from_blob(blob, blen); | 391 | key = key_from_blob(blob, blen); |
@@ -477,6 +482,7 @@ process_add_identity(SocketEntry *e, int version) | |||
477 | Key *k = NULL; | 482 | Key *k = NULL; |
478 | 483 | ||
479 | switch (version) { | 484 | switch (version) { |
485 | #ifdef WITH_SSH1 | ||
480 | case 1: | 486 | case 1: |
481 | k = key_new_private(KEY_RSA1); | 487 | k = key_new_private(KEY_RSA1); |
482 | (void) buffer_get_int(&e->request); /* ignored */ | 488 | (void) buffer_get_int(&e->request); /* ignored */ |
@@ -490,7 +496,9 @@ process_add_identity(SocketEntry *e, int version) | |||
490 | buffer_get_bignum(&e->request, k->rsa->p); /* q */ | 496 | buffer_get_bignum(&e->request, k->rsa->p); /* q */ |
491 | 497 | ||
492 | /* Generate additional parameters */ | 498 | /* Generate additional parameters */ |
493 | rsa_generate_additional_parameters(k->rsa); | 499 | if (rsa_generate_additional_parameters(k->rsa) != 0) |
500 | fatal("%s: rsa_generate_additional_parameters " | ||
501 | "error", __func__); | ||
494 | 502 | ||
495 | /* enable blinding */ | 503 | /* enable blinding */ |
496 | if (RSA_blinding_on(k->rsa, NULL) != 1) { | 504 | if (RSA_blinding_on(k->rsa, NULL) != 1) { |
@@ -499,6 +507,7 @@ process_add_identity(SocketEntry *e, int version) | |||
499 | goto send; | 507 | goto send; |
500 | } | 508 | } |
501 | break; | 509 | break; |
510 | #endif /* WITH_SSH1 */ | ||
502 | case 2: | 511 | case 2: |
503 | k = key_private_deserialize(&e->request); | 512 | k = key_private_deserialize(&e->request); |
504 | if (k == NULL) { | 513 | if (k == NULL) { |
@@ -507,11 +516,10 @@ process_add_identity(SocketEntry *e, int version) | |||
507 | } | 516 | } |
508 | break; | 517 | break; |
509 | } | 518 | } |
510 | comment = buffer_get_string(&e->request, NULL); | 519 | if (k == NULL) |
511 | if (k == NULL) { | ||
512 | free(comment); | ||
513 | goto send; | 520 | goto send; |
514 | } | 521 | comment = buffer_get_string(&e->request, NULL); |
522 | |||
515 | while (buffer_len(&e->request)) { | 523 | while (buffer_len(&e->request)) { |
516 | switch ((type = buffer_get_char(&e->request))) { | 524 | switch ((type = buffer_get_char(&e->request))) { |
517 | case SSH_AGENT_CONSTRAIN_LIFETIME: | 525 | case SSH_AGENT_CONSTRAIN_LIFETIME: |