diff options
author | markus@openbsd.org <markus@openbsd.org> | 2015-12-04 16:41:28 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-12-07 12:38:58 +1100 |
commit | 76c9fbbe35aabc1db977fb78e827644345e9442e (patch) | |
tree | e7c85e7e1471f1bd00b3a50a58e315c055f40b86 /sshkey.c | |
parent | 6064a8b8295cb5a17b5ebcfade53053377714f40 (diff) |
upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
Diffstat (limited to 'sshkey.c')
-rw-r--r-- | sshkey.c | 43 |
1 files changed, 23 insertions, 20 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey.c,v 1.27 2015/11/19 01:08:55 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.28 2015/12/04 16:41:28 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
@@ -83,36 +83,39 @@ struct keytype { | |||
83 | int type; | 83 | int type; |
84 | int nid; | 84 | int nid; |
85 | int cert; | 85 | int cert; |
86 | int sigonly; | ||
86 | }; | 87 | }; |
87 | static const struct keytype keytypes[] = { | 88 | static const struct keytype keytypes[] = { |
88 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, | 89 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, |
89 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | 90 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", |
90 | KEY_ED25519_CERT, 0, 1 }, | 91 | KEY_ED25519_CERT, 0, 1, 0 }, |
91 | #ifdef WITH_OPENSSL | 92 | #ifdef WITH_OPENSSL |
92 | { NULL, "RSA1", KEY_RSA1, 0, 0 }, | 93 | { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, |
93 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, | 94 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, |
94 | { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, | 95 | { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, |
96 | { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, | ||
97 | { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, | ||
95 | # ifdef OPENSSL_HAS_ECC | 98 | # ifdef OPENSSL_HAS_ECC |
96 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, | 99 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, |
97 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, | 100 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, |
98 | # ifdef OPENSSL_HAS_NISTP521 | 101 | # ifdef OPENSSL_HAS_NISTP521 |
99 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, | 102 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, |
100 | # endif /* OPENSSL_HAS_NISTP521 */ | 103 | # endif /* OPENSSL_HAS_NISTP521 */ |
101 | # endif /* OPENSSL_HAS_ECC */ | 104 | # endif /* OPENSSL_HAS_ECC */ |
102 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, | 105 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, |
103 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, | 106 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, |
104 | # ifdef OPENSSL_HAS_ECC | 107 | # ifdef OPENSSL_HAS_ECC |
105 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", | 108 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", |
106 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, | 109 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, |
107 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", | 110 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", |
108 | KEY_ECDSA_CERT, NID_secp384r1, 1 }, | 111 | KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, |
109 | # ifdef OPENSSL_HAS_NISTP521 | 112 | # ifdef OPENSSL_HAS_NISTP521 |
110 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", | 113 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", |
111 | KEY_ECDSA_CERT, NID_secp521r1, 1 }, | 114 | KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, |
112 | # endif /* OPENSSL_HAS_NISTP521 */ | 115 | # endif /* OPENSSL_HAS_NISTP521 */ |
113 | # endif /* OPENSSL_HAS_ECC */ | 116 | # endif /* OPENSSL_HAS_ECC */ |
114 | #endif /* WITH_OPENSSL */ | 117 | #endif /* WITH_OPENSSL */ |
115 | { NULL, NULL, -1, -1, 0 } | 118 | { NULL, NULL, -1, -1, 0, 0 } |
116 | }; | 119 | }; |
117 | 120 | ||
118 | const char * | 121 | const char * |
@@ -200,7 +203,7 @@ key_alg_list(int certs_only, int plain_only) | |||
200 | const struct keytype *kt; | 203 | const struct keytype *kt; |
201 | 204 | ||
202 | for (kt = keytypes; kt->type != -1; kt++) { | 205 | for (kt = keytypes; kt->type != -1; kt++) { |
203 | if (kt->name == NULL) | 206 | if (kt->name == NULL || kt->sigonly) |
204 | continue; | 207 | continue; |
205 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 208 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
206 | continue; | 209 | continue; |
@@ -2174,7 +2177,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) | |||
2174 | int | 2177 | int |
2175 | sshkey_sign(const struct sshkey *key, | 2178 | sshkey_sign(const struct sshkey *key, |
2176 | u_char **sigp, size_t *lenp, | 2179 | u_char **sigp, size_t *lenp, |
2177 | const u_char *data, size_t datalen, u_int compat) | 2180 | const u_char *data, size_t datalen, const char *alg, u_int compat) |
2178 | { | 2181 | { |
2179 | if (sigp != NULL) | 2182 | if (sigp != NULL) |
2180 | *sigp = NULL; | 2183 | *sigp = NULL; |
@@ -2194,7 +2197,7 @@ sshkey_sign(const struct sshkey *key, | |||
2194 | # endif /* OPENSSL_HAS_ECC */ | 2197 | # endif /* OPENSSL_HAS_ECC */ |
2195 | case KEY_RSA_CERT: | 2198 | case KEY_RSA_CERT: |
2196 | case KEY_RSA: | 2199 | case KEY_RSA: |
2197 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); | 2200 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); |
2198 | #endif /* WITH_OPENSSL */ | 2201 | #endif /* WITH_OPENSSL */ |
2199 | case KEY_ED25519: | 2202 | case KEY_ED25519: |
2200 | case KEY_ED25519_CERT: | 2203 | case KEY_ED25519_CERT: |
@@ -2226,7 +2229,7 @@ sshkey_verify(const struct sshkey *key, | |||
2226 | # endif /* OPENSSL_HAS_ECC */ | 2229 | # endif /* OPENSSL_HAS_ECC */ |
2227 | case KEY_RSA_CERT: | 2230 | case KEY_RSA_CERT: |
2228 | case KEY_RSA: | 2231 | case KEY_RSA: |
2229 | return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); | 2232 | return ssh_rsa_verify(key, sig, siglen, data, dlen); |
2230 | #endif /* WITH_OPENSSL */ | 2233 | #endif /* WITH_OPENSSL */ |
2231 | case KEY_ED25519: | 2234 | case KEY_ED25519: |
2232 | case KEY_ED25519_CERT: | 2235 | case KEY_ED25519_CERT: |
@@ -2460,7 +2463,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) | |||
2460 | 2463 | ||
2461 | /* Sign the whole mess */ | 2464 | /* Sign the whole mess */ |
2462 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 2465 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
2463 | sshbuf_len(cert), 0)) != 0) | 2466 | sshbuf_len(cert), NULL, 0)) != 0) |
2464 | goto out; | 2467 | goto out; |
2465 | 2468 | ||
2466 | /* Append signature and we are done */ | 2469 | /* Append signature and we are done */ |