diff options
| author | markus@openbsd.org <markus@openbsd.org> | 2015-12-04 16:41:28 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-12-07 12:38:58 +1100 |
| commit | 76c9fbbe35aabc1db977fb78e827644345e9442e (patch) | |
| tree | e7c85e7e1471f1bd00b3a50a58e315c055f40b86 /sshkey.c | |
| parent | 6064a8b8295cb5a17b5ebcfade53053377714f40 (diff) | |
upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@
Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
Diffstat (limited to 'sshkey.c')
| -rw-r--r-- | sshkey.c | 43 |
1 files changed, 23 insertions, 20 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshkey.c,v 1.27 2015/11/19 01:08:55 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.28 2015/12/04 16:41:28 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
| @@ -83,36 +83,39 @@ struct keytype { | |||
| 83 | int type; | 83 | int type; |
| 84 | int nid; | 84 | int nid; |
| 85 | int cert; | 85 | int cert; |
| 86 | int sigonly; | ||
| 86 | }; | 87 | }; |
| 87 | static const struct keytype keytypes[] = { | 88 | static const struct keytype keytypes[] = { |
| 88 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, | 89 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, |
| 89 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | 90 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", |
| 90 | KEY_ED25519_CERT, 0, 1 }, | 91 | KEY_ED25519_CERT, 0, 1, 0 }, |
| 91 | #ifdef WITH_OPENSSL | 92 | #ifdef WITH_OPENSSL |
| 92 | { NULL, "RSA1", KEY_RSA1, 0, 0 }, | 93 | { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, |
| 93 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, | 94 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, |
| 94 | { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, | 95 | { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, |
| 96 | { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, | ||
| 97 | { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, | ||
| 95 | # ifdef OPENSSL_HAS_ECC | 98 | # ifdef OPENSSL_HAS_ECC |
| 96 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, | 99 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, |
| 97 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, | 100 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, |
| 98 | # ifdef OPENSSL_HAS_NISTP521 | 101 | # ifdef OPENSSL_HAS_NISTP521 |
| 99 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, | 102 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, |
| 100 | # endif /* OPENSSL_HAS_NISTP521 */ | 103 | # endif /* OPENSSL_HAS_NISTP521 */ |
| 101 | # endif /* OPENSSL_HAS_ECC */ | 104 | # endif /* OPENSSL_HAS_ECC */ |
| 102 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, | 105 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, |
| 103 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, | 106 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, |
| 104 | # ifdef OPENSSL_HAS_ECC | 107 | # ifdef OPENSSL_HAS_ECC |
| 105 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", | 108 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", |
| 106 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, | 109 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, |
| 107 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", | 110 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", |
| 108 | KEY_ECDSA_CERT, NID_secp384r1, 1 }, | 111 | KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, |
| 109 | # ifdef OPENSSL_HAS_NISTP521 | 112 | # ifdef OPENSSL_HAS_NISTP521 |
| 110 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", | 113 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", |
| 111 | KEY_ECDSA_CERT, NID_secp521r1, 1 }, | 114 | KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, |
| 112 | # endif /* OPENSSL_HAS_NISTP521 */ | 115 | # endif /* OPENSSL_HAS_NISTP521 */ |
| 113 | # endif /* OPENSSL_HAS_ECC */ | 116 | # endif /* OPENSSL_HAS_ECC */ |
| 114 | #endif /* WITH_OPENSSL */ | 117 | #endif /* WITH_OPENSSL */ |
| 115 | { NULL, NULL, -1, -1, 0 } | 118 | { NULL, NULL, -1, -1, 0, 0 } |
| 116 | }; | 119 | }; |
| 117 | 120 | ||
| 118 | const char * | 121 | const char * |
| @@ -200,7 +203,7 @@ key_alg_list(int certs_only, int plain_only) | |||
| 200 | const struct keytype *kt; | 203 | const struct keytype *kt; |
| 201 | 204 | ||
| 202 | for (kt = keytypes; kt->type != -1; kt++) { | 205 | for (kt = keytypes; kt->type != -1; kt++) { |
| 203 | if (kt->name == NULL) | 206 | if (kt->name == NULL || kt->sigonly) |
| 204 | continue; | 207 | continue; |
| 205 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 208 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
| 206 | continue; | 209 | continue; |
| @@ -2174,7 +2177,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) | |||
| 2174 | int | 2177 | int |
| 2175 | sshkey_sign(const struct sshkey *key, | 2178 | sshkey_sign(const struct sshkey *key, |
| 2176 | u_char **sigp, size_t *lenp, | 2179 | u_char **sigp, size_t *lenp, |
| 2177 | const u_char *data, size_t datalen, u_int compat) | 2180 | const u_char *data, size_t datalen, const char *alg, u_int compat) |
| 2178 | { | 2181 | { |
| 2179 | if (sigp != NULL) | 2182 | if (sigp != NULL) |
| 2180 | *sigp = NULL; | 2183 | *sigp = NULL; |
| @@ -2194,7 +2197,7 @@ sshkey_sign(const struct sshkey *key, | |||
| 2194 | # endif /* OPENSSL_HAS_ECC */ | 2197 | # endif /* OPENSSL_HAS_ECC */ |
| 2195 | case KEY_RSA_CERT: | 2198 | case KEY_RSA_CERT: |
| 2196 | case KEY_RSA: | 2199 | case KEY_RSA: |
| 2197 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); | 2200 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); |
| 2198 | #endif /* WITH_OPENSSL */ | 2201 | #endif /* WITH_OPENSSL */ |
| 2199 | case KEY_ED25519: | 2202 | case KEY_ED25519: |
| 2200 | case KEY_ED25519_CERT: | 2203 | case KEY_ED25519_CERT: |
| @@ -2226,7 +2229,7 @@ sshkey_verify(const struct sshkey *key, | |||
| 2226 | # endif /* OPENSSL_HAS_ECC */ | 2229 | # endif /* OPENSSL_HAS_ECC */ |
| 2227 | case KEY_RSA_CERT: | 2230 | case KEY_RSA_CERT: |
| 2228 | case KEY_RSA: | 2231 | case KEY_RSA: |
| 2229 | return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); | 2232 | return ssh_rsa_verify(key, sig, siglen, data, dlen); |
| 2230 | #endif /* WITH_OPENSSL */ | 2233 | #endif /* WITH_OPENSSL */ |
| 2231 | case KEY_ED25519: | 2234 | case KEY_ED25519: |
| 2232 | case KEY_ED25519_CERT: | 2235 | case KEY_ED25519_CERT: |
| @@ -2460,7 +2463,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) | |||
| 2460 | 2463 | ||
| 2461 | /* Sign the whole mess */ | 2464 | /* Sign the whole mess */ |
| 2462 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 2465 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
| 2463 | sshbuf_len(cert), 0)) != 0) | 2466 | sshbuf_len(cert), NULL, 0)) != 0) |
| 2464 | goto out; | 2467 | goto out; |
| 2465 | 2468 | ||
| 2466 | /* Append signature and we are done */ | 2469 | /* Append signature and we are done */ |