Mercurial > dropbear

comparison signkey.c @ 1295:750ec4ec4cbe

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Convert #ifdef to #if, other build changes
author Matt Johnston <matt@ucc.asn.au>
date Wed, 04 May 2016 15:33:40 +0200
parents 0c47d97aa9d5
children 74a22c562cdf c721e8c42d2a
comparison
equal deleted inserted replaced
1294:56aba7dedbea 1295:750ec4ec4cbe
28 #include "buffer.h" 28 #include "buffer.h"
29 #include "ssh.h" 29 #include "ssh.h"
30 #include "ecdsa.h" 30 #include "ecdsa.h"
31 31
32 static const char * const signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = { 32 static const char * const signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = {
33 #ifdef DROPBEAR_RSA 33 #if DROPBEAR_RSA
34 "ssh-rsa", 34 "ssh-rsa",
35 #endif 35 #endif
36 #ifdef DROPBEAR_DSS 36 #if DROPBEAR_DSS
37 "ssh-dss", 37 "ssh-dss",
38 #endif 38 #endif
39 #ifdef DROPBEAR_ECDSA 39 #if DROPBEAR_ECDSA
40 "ecdsa-sha2-nistp256", 40 "ecdsa-sha2-nistp256",
41 "ecdsa-sha2-nistp384", 41 "ecdsa-sha2-nistp384",
42 "ecdsa-sha2-nistp521" 42 "ecdsa-sha2-nistp521"
43 #endif /* DROPBEAR_ECDSA */ 43 #endif /* DROPBEAR_ECDSA */
44 }; 44 };
73 for (i = 0; i < DROPBEAR_SIGNKEY_NUM_NAMED; i++) { 73 for (i = 0; i < DROPBEAR_SIGNKEY_NUM_NAMED; i++) {
74 const char *fixed_name = signkey_names[i]; 74 const char *fixed_name = signkey_names[i];
75 if (namelen == strlen(fixed_name) 75 if (namelen == strlen(fixed_name)
76 && memcmp(fixed_name, name, namelen) == 0) { 76 && memcmp(fixed_name, name, namelen) == 0) {
77 77
78 #ifdef DROPBEAR_ECDSA 78 #if DROPBEAR_ECDSA
79 /* Some of the ECDSA key sizes are defined even if they're not compiled in */ 79 /* Some of the ECDSA key sizes are defined even if they're not compiled in */
80 if (0 80 if (0
81 #ifndef DROPBEAR_ECC_256 81 #ifndef DROPBEAR_ECC_256
82 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP256 82 || i == DROPBEAR_SIGNKEY_ECDSA_NISTP256
83 #endif 83 #endif
104 104
105 /* Returns a pointer to the key part specific to "type" */ 105 /* Returns a pointer to the key part specific to "type" */
106 void ** 106 void **
107 signkey_key_ptr(sign_key *key, enum signkey_type type) { 107 signkey_key_ptr(sign_key *key, enum signkey_type type) {
108 switch (type) { 108 switch (type) {
109 #ifdef DROPBEAR_ECDSA 109 #if DROPBEAR_ECDSA
110 #ifdef DROPBEAR_ECC_256 110 #if DROPBEAR_ECC_256
111 case DROPBEAR_SIGNKEY_ECDSA_NISTP256: 111 case DROPBEAR_SIGNKEY_ECDSA_NISTP256:
112 return (void**)&key->ecckey256; 112 return (void**)&key->ecckey256;
113 #endif 113 #endif
114 #ifdef DROPBEAR_ECC_384 114 #if DROPBEAR_ECC_384
115 case DROPBEAR_SIGNKEY_ECDSA_NISTP384: 115 case DROPBEAR_SIGNKEY_ECDSA_NISTP384:
116 return (void**)&key->ecckey384; 116 return (void**)&key->ecckey384;
117 #endif 117 #endif
118 #ifdef DROPBEAR_ECC_521 118 #if DROPBEAR_ECC_521
119 case DROPBEAR_SIGNKEY_ECDSA_NISTP521: 119 case DROPBEAR_SIGNKEY_ECDSA_NISTP521:
120 return (void**)&key->ecckey521; 120 return (void**)&key->ecckey521;
121 #endif 121 #endif
122 #endif /* DROPBEAR_ECDSA */ 122 #endif /* DROPBEAR_ECDSA */
123 #ifdef DROPBEAR_RSA 123 #if DROPBEAR_RSA
124 case DROPBEAR_SIGNKEY_RSA: 124 case DROPBEAR_SIGNKEY_RSA:
125 return (void**)&key->rsakey; 125 return (void**)&key->rsakey;
126 #endif 126 #endif
127 #ifdef DROPBEAR_DSS 127 #if DROPBEAR_DSS
128 case DROPBEAR_SIGNKEY_DSS: 128 case DROPBEAR_SIGNKEY_DSS:
129 return (void**)&key->dsskey; 129 return (void**)&key->dsskey;
130 #endif 130 #endif
131 default: 131 default:
132 return NULL; 132 return NULL;
159 *type = keytype; 159 *type = keytype;
160 160
161 /* Rewind the buffer back before "ssh-rsa" etc */ 161 /* Rewind the buffer back before "ssh-rsa" etc */
162 buf_incrpos(buf, -len - 4); 162 buf_incrpos(buf, -len - 4);
163 163
164 #ifdef DROPBEAR_DSS 164 #if DROPBEAR_DSS
165 if (keytype == DROPBEAR_SIGNKEY_DSS) { 165 if (keytype == DROPBEAR_SIGNKEY_DSS) {
166 dss_key_free(key->dsskey); 166 dss_key_free(key->dsskey);
167 key->dsskey = m_malloc(sizeof(*key->dsskey)); 167 key->dsskey = m_malloc(sizeof(*key->dsskey));
168 ret = buf_get_dss_pub_key(buf, key->dsskey); 168 ret = buf_get_dss_pub_key(buf, key->dsskey);
169 if (ret == DROPBEAR_FAILURE) { 169 if (ret == DROPBEAR_FAILURE) {
170 m_free(key->dsskey); 170 m_free(key->dsskey);
171 } 171 }
172 } 172 }
173 #endif 173 #endif
174 #ifdef DROPBEAR_RSA 174 #if DROPBEAR_RSA
175 if (keytype == DROPBEAR_SIGNKEY_RSA) { 175 if (keytype == DROPBEAR_SIGNKEY_RSA) {
176 rsa_key_free(key->rsakey); 176 rsa_key_free(key->rsakey);
177 key->rsakey = m_malloc(sizeof(*key->rsakey)); 177 key->rsakey = m_malloc(sizeof(*key->rsakey));
178 ret = buf_get_rsa_pub_key(buf, key->rsakey); 178 ret = buf_get_rsa_pub_key(buf, key->rsakey);
179 if (ret == DROPBEAR_FAILURE) { 179 if (ret == DROPBEAR_FAILURE) {
180 m_free(key->rsakey); 180 m_free(key->rsakey);
181 } 181 }
182 } 182 }
183 #endif 183 #endif
184 #ifdef DROPBEAR_ECDSA 184 #if DROPBEAR_ECDSA
185 if (signkey_is_ecdsa(keytype)) { 185 if (signkey_is_ecdsa(keytype)) {
186 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype); 186 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
187 if (eck) { 187 if (eck) {
188 if (*eck) { 188 if (*eck) {
189 ecc_free(*eck); 189 ecc_free(*eck);
228 *type = keytype; 228 *type = keytype;
229 229
230 /* Rewind the buffer back before "ssh-rsa" etc */ 230 /* Rewind the buffer back before "ssh-rsa" etc */
231 buf_incrpos(buf, -len - 4); 231 buf_incrpos(buf, -len - 4);
232 232
233 #ifdef DROPBEAR_DSS 233 #if DROPBEAR_DSS
234 if (keytype == DROPBEAR_SIGNKEY_DSS) { 234 if (keytype == DROPBEAR_SIGNKEY_DSS) {
235 dss_key_free(key->dsskey); 235 dss_key_free(key->dsskey);
236 key->dsskey = m_malloc(sizeof(*key->dsskey)); 236 key->dsskey = m_malloc(sizeof(*key->dsskey));
237 ret = buf_get_dss_priv_key(buf, key->dsskey); 237 ret = buf_get_dss_priv_key(buf, key->dsskey);
238 if (ret == DROPBEAR_FAILURE) { 238 if (ret == DROPBEAR_FAILURE) {
239 m_free(key->dsskey); 239 m_free(key->dsskey);
240 } 240 }
241 } 241 }
242 #endif 242 #endif
243 #ifdef DROPBEAR_RSA 243 #if DROPBEAR_RSA
244 if (keytype == DROPBEAR_SIGNKEY_RSA) { 244 if (keytype == DROPBEAR_SIGNKEY_RSA) {
245 rsa_key_free(key->rsakey); 245 rsa_key_free(key->rsakey);
246 key->rsakey = m_malloc(sizeof(*key->rsakey)); 246 key->rsakey = m_malloc(sizeof(*key->rsakey));
247 ret = buf_get_rsa_priv_key(buf, key->rsakey); 247 ret = buf_get_rsa_priv_key(buf, key->rsakey);
248 if (ret == DROPBEAR_FAILURE) { 248 if (ret == DROPBEAR_FAILURE) {
249 m_free(key->rsakey); 249 m_free(key->rsakey);
250 } 250 }
251 } 251 }
252 #endif 252 #endif
253 #ifdef DROPBEAR_ECDSA 253 #if DROPBEAR_ECDSA
254 if (signkey_is_ecdsa(keytype)) { 254 if (signkey_is_ecdsa(keytype)) {
255 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype); 255 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
256 if (eck) { 256 if (eck) {
257 if (*eck) { 257 if (*eck) {
258 ecc_free(*eck); 258 ecc_free(*eck);
279 buffer *pubkeys; 279 buffer *pubkeys;
280 280
281 TRACE2(("enter buf_put_pub_key")) 281 TRACE2(("enter buf_put_pub_key"))
282 pubkeys = buf_new(MAX_PUBKEY_SIZE); 282 pubkeys = buf_new(MAX_PUBKEY_SIZE);
283 283
284 #ifdef DROPBEAR_DSS 284 #if DROPBEAR_DSS
285 if (type == DROPBEAR_SIGNKEY_DSS) { 285 if (type == DROPBEAR_SIGNKEY_DSS) {
286 buf_put_dss_pub_key(pubkeys, key->dsskey); 286 buf_put_dss_pub_key(pubkeys, key->dsskey);
287 } 287 }
288 #endif 288 #endif
289 #ifdef DROPBEAR_RSA 289 #if DROPBEAR_RSA
290 if (type == DROPBEAR_SIGNKEY_RSA) { 290 if (type == DROPBEAR_SIGNKEY_RSA) {
291 buf_put_rsa_pub_key(pubkeys, key->rsakey); 291 buf_put_rsa_pub_key(pubkeys, key->rsakey);
292 } 292 }
293 #endif 293 #endif
294 #ifdef DROPBEAR_ECDSA 294 #if DROPBEAR_ECDSA
295 if (signkey_is_ecdsa(type)) { 295 if (signkey_is_ecdsa(type)) {
296 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type); 296 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
297 if (eck) { 297 if (eck) {
298 buf_put_ecdsa_pub_key(pubkeys, *eck); 298 buf_put_ecdsa_pub_key(pubkeys, *eck);
299 } 299 }
312 void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type) { 312 void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type) {
313 313
314 TRACE(("enter buf_put_priv_key")) 314 TRACE(("enter buf_put_priv_key"))
315 TRACE(("type is %d", type)) 315 TRACE(("type is %d", type))
316 316
317 #ifdef DROPBEAR_DSS 317 #if DROPBEAR_DSS
318 if (type == DROPBEAR_SIGNKEY_DSS) { 318 if (type == DROPBEAR_SIGNKEY_DSS) {
319 buf_put_dss_priv_key(buf, key->dsskey); 319 buf_put_dss_priv_key(buf, key->dsskey);
320 TRACE(("leave buf_put_priv_key: dss done")) 320 TRACE(("leave buf_put_priv_key: dss done"))
321 return; 321 return;
322 } 322 }
323 #endif 323 #endif
324 #ifdef DROPBEAR_RSA 324 #if DROPBEAR_RSA
325 if (type == DROPBEAR_SIGNKEY_RSA) { 325 if (type == DROPBEAR_SIGNKEY_RSA) {
326 buf_put_rsa_priv_key(buf, key->rsakey); 326 buf_put_rsa_priv_key(buf, key->rsakey);
327 TRACE(("leave buf_put_priv_key: rsa done")) 327 TRACE(("leave buf_put_priv_key: rsa done"))
328 return; 328 return;
329 } 329 }
330 #endif 330 #endif
331 #ifdef DROPBEAR_ECDSA 331 #if DROPBEAR_ECDSA
332 if (signkey_is_ecdsa(type)) { 332 if (signkey_is_ecdsa(type)) {
333 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type); 333 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
334 if (eck) { 334 if (eck) {
335 buf_put_ecdsa_priv_key(buf, *eck); 335 buf_put_ecdsa_priv_key(buf, *eck);
336 TRACE(("leave buf_put_priv_key: ecdsa done")) 336 TRACE(("leave buf_put_priv_key: ecdsa done"))
343 343
344 void sign_key_free(sign_key *key) { 344 void sign_key_free(sign_key *key) {
345 345
346 TRACE2(("enter sign_key_free")) 346 TRACE2(("enter sign_key_free"))
347 347
348 #ifdef DROPBEAR_DSS 348 #if DROPBEAR_DSS
349 dss_key_free(key->dsskey); 349 dss_key_free(key->dsskey);
350 key->dsskey = NULL; 350 key->dsskey = NULL;
351 #endif 351 #endif
352 #ifdef DROPBEAR_RSA 352 #if DROPBEAR_RSA
353 rsa_key_free(key->rsakey); 353 rsa_key_free(key->rsakey);
354 key->rsakey = NULL; 354 key->rsakey = NULL;
355 #endif 355 #endif
356 #ifdef DROPBEAR_ECDSA 356 #if DROPBEAR_ECDSA
357 #ifdef DROPBEAR_ECC_256 357 #if DROPBEAR_ECC_256
358 if (key->ecckey256) { 358 if (key->ecckey256) {
359 ecc_free(key->ecckey256); 359 ecc_free(key->ecckey256);
360 m_free(key->ecckey256); 360 m_free(key->ecckey256);
361 key->ecckey256 = NULL; 361 key->ecckey256 = NULL;
362 } 362 }
363 #endif 363 #endif
364 #ifdef DROPBEAR_ECC_384 364 #if DROPBEAR_ECC_384
365 if (key->ecckey384) { 365 if (key->ecckey384) {
366 ecc_free(key->ecckey384); 366 ecc_free(key->ecckey384);
367 m_free(key->ecckey384); 367 m_free(key->ecckey384);
368 key->ecckey384 = NULL; 368 key->ecckey384 = NULL;
369 } 369 }
370 #endif 370 #endif
371 #ifdef DROPBEAR_ECC_521 371 #if DROPBEAR_ECC_521
372 if (key->ecckey521) { 372 if (key->ecckey521) {
373 ecc_free(key->ecckey521); 373 ecc_free(key->ecckey521);
374 m_free(key->ecckey521); 374 m_free(key->ecckey521);
375 key->ecckey521 = NULL; 375 key->ecckey521 = NULL;
376 } 376 }
393 return 'a' + x - 10; 393 return 'a' + x - 10;
394 } 394 }
395 395
396 /* Since we're not sure if we'll have md5 or sha1, we present both. 396 /* Since we're not sure if we'll have md5 or sha1, we present both.
397 * MD5 is used in preference, but sha1 could still be useful */ 397 * MD5 is used in preference, but sha1 could still be useful */
398 #ifdef DROPBEAR_MD5_HMAC 398 #if DROPBEAR_MD5_HMAC
399 static char * sign_key_md5_fingerprint(unsigned char* keyblob, 399 static char * sign_key_md5_fingerprint(unsigned char* keyblob,
400 unsigned int keybloblen) { 400 unsigned int keybloblen) {
401 401
402 char * ret; 402 char * ret;
403 hash_state hs; 403 hash_state hs;
468 468
469 /* This will return a freshly malloced string, containing a fingerprint 469 /* This will return a freshly malloced string, containing a fingerprint
470 * in either sha1 or md5 */ 470 * in either sha1 or md5 */
471 char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) { 471 char * sign_key_fingerprint(unsigned char* keyblob, unsigned int keybloblen) {
472 472
473 #ifdef DROPBEAR_MD5_HMAC 473 #if DROPBEAR_MD5_HMAC
474 return sign_key_md5_fingerprint(keyblob, keybloblen); 474 return sign_key_md5_fingerprint(keyblob, keybloblen);
475 #else 475 #else
476 return sign_key_sha1_fingerprint(keyblob, keybloblen); 476 return sign_key_sha1_fingerprint(keyblob, keybloblen);
477 #endif 477 #endif
478 } 478 }
480 void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, 480 void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type,
481 buffer *data_buf) { 481 buffer *data_buf) {
482 buffer *sigblob; 482 buffer *sigblob;
483 sigblob = buf_new(MAX_PUBKEY_SIZE); 483 sigblob = buf_new(MAX_PUBKEY_SIZE);
484 484
485 #ifdef DROPBEAR_DSS 485 #if DROPBEAR_DSS
486 if (type == DROPBEAR_SIGNKEY_DSS) { 486 if (type == DROPBEAR_SIGNKEY_DSS) {
487 buf_put_dss_sign(sigblob, key->dsskey, data_buf); 487 buf_put_dss_sign(sigblob, key->dsskey, data_buf);
488 } 488 }
489 #endif 489 #endif
490 #ifdef DROPBEAR_RSA 490 #if DROPBEAR_RSA
491 if (type == DROPBEAR_SIGNKEY_RSA) { 491 if (type == DROPBEAR_SIGNKEY_RSA) {
492 buf_put_rsa_sign(sigblob, key->rsakey, data_buf); 492 buf_put_rsa_sign(sigblob, key->rsakey, data_buf);
493 } 493 }
494 #endif 494 #endif
495 #ifdef DROPBEAR_ECDSA 495 #if DROPBEAR_ECDSA
496 if (signkey_is_ecdsa(type)) { 496 if (signkey_is_ecdsa(type)) {
497 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type); 497 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
498 if (eck) { 498 if (eck) {
499 buf_put_ecdsa_sign(sigblob, *eck, data_buf); 499 buf_put_ecdsa_sign(sigblob, *eck, data_buf);
500 } 500 }
506 buf_putbufstring(buf, sigblob); 506 buf_putbufstring(buf, sigblob);
507 buf_free(sigblob); 507 buf_free(sigblob);
508 508
509 } 509 }
510 510
511 #ifdef DROPBEAR_SIGNKEY_VERIFY 511 #if DROPBEAR_SIGNKEY_VERIFY
512 /* Return DROPBEAR_SUCCESS or DROPBEAR_FAILURE. 512 /* Return DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
513 * If FAILURE is returned, the position of 513 * If FAILURE is returned, the position of
514 * buf is undefined. If SUCCESS is returned, buf will be positioned after the 514 * buf is undefined. If SUCCESS is returned, buf will be positioned after the
515 * signature blob */ 515 * signature blob */
516 int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { 516 int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) {
524 buf_getint(buf); /* blob length */ 524 buf_getint(buf); /* blob length */
525 type_name = buf_getstring(buf, &type_name_len); 525 type_name = buf_getstring(buf, &type_name_len);
526 type = signkey_type_from_name(type_name, type_name_len); 526 type = signkey_type_from_name(type_name, type_name_len);
527 m_free(type_name); 527 m_free(type_name);
528 528
529 #ifdef DROPBEAR_DSS 529 #if DROPBEAR_DSS
530 if (type == DROPBEAR_SIGNKEY_DSS) { 530 if (type == DROPBEAR_SIGNKEY_DSS) {
531 if (key->dsskey == NULL) { 531 if (key->dsskey == NULL) {
532 dropbear_exit("No DSS key to verify signature"); 532 dropbear_exit("No DSS key to verify signature");
533 } 533 }
534 return buf_dss_verify(buf, key->dsskey, data_buf); 534 return buf_dss_verify(buf, key->dsskey, data_buf);
535 } 535 }
536 #endif 536 #endif
537 537
538 #ifdef DROPBEAR_RSA 538 #if DROPBEAR_RSA
539 if (type == DROPBEAR_SIGNKEY_RSA) { 539 if (type == DROPBEAR_SIGNKEY_RSA) {
540 if (key->rsakey == NULL) { 540 if (key->rsakey == NULL) {
541 dropbear_exit("No RSA key to verify signature"); 541 dropbear_exit("No RSA key to verify signature");
542 } 542 }
543 return buf_rsa_verify(buf, key->rsakey, data_buf); 543 return buf_rsa_verify(buf, key->rsakey, data_buf);
544 } 544 }
545 #endif 545 #endif
546 #ifdef DROPBEAR_ECDSA 546 #if DROPBEAR_ECDSA
547 if (signkey_is_ecdsa(type)) { 547 if (signkey_is_ecdsa(type)) {
548 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type); 548 ecc_key **eck = (ecc_key**)signkey_key_ptr(key, type);
549 if (eck) { 549 if (eck) {
550 return buf_ecdsa_verify(buf, *eck, data_buf); 550 return buf_ecdsa_verify(buf, *eck, data_buf);
551 } 551 }
555 dropbear_exit("Non-matching signing type"); 555 dropbear_exit("Non-matching signing type");
556 return DROPBEAR_FAILURE; 556 return DROPBEAR_FAILURE;
557 } 557 }
558 #endif /* DROPBEAR_SIGNKEY_VERIFY */ 558 #endif /* DROPBEAR_SIGNKEY_VERIFY */
559 559
560 #ifdef DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */ 560 #if DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
561 561
562 /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE when given a buffer containing 562 /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE when given a buffer containing
563 * a key, a key, and a type. The buffer is positioned at the start of the 563 * a key, a key, and a type. The buffer is positioned at the start of the
564 * base64 data, and contains no trailing data */ 564 * base64 data, and contains no trailing data */
565 /* If fingerprint is non-NULL, it will be set to a malloc()ed fingerprint 565 /* If fingerprint is non-NULL, it will be set to a malloc()ed fingerprint