Mercurial > dropbear

comparison signkey.c @ 4:fe6bca95afa7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Makefile.in contains updated files required
author Matt Johnston <matt@ucc.asn.au>
date Tue, 01 Jun 2004 02:46:09 +0000
parents
children 0969767bca0d
comparison
equal deleted inserted replaced
-1:000000000000 4:fe6bca95afa7
1 /*
2 * Dropbear - a SSH2 server
3 *
4 * Copyright (c) 2002,2003 Matt Johnston
5 * All rights reserved.
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 * SOFTWARE. */
24
25 #include "includes.h"
26 #include "dbutil.h"
27 #include "signkey.h"
28 #include "buffer.h"
29 #include "ssh.h"
30
31 /* malloc a new sign_key and set the dss and rsa keys to NULL */
32 sign_key * new_sign_key() {
33
34 sign_key * ret;
35
36 ret = (sign_key*)m_malloc(sizeof(sign_key));
37 #ifdef DROPBEAR_DSS
38 ret->dsskey = NULL;
39 #endif
40 #ifdef DROPBEAR_RSA
41 ret->rsakey = NULL;
42 #endif
43 return ret;
44
45 }
46
47 /* returns DROPBEAR_SUCCESS on success, DROPBEAR_FAILURE on fail.
48 * type is set to hold the type returned */
49 int buf_get_pub_key(buffer *buf, sign_key *key, int *type) {
50
51 unsigned char* ident;
52 unsigned int len;
53
54 ident = buf_getstring(buf, &len);
55
56 #ifdef DROPBEAR_DSS
57 if (memcmp(ident, SSH_SIGNKEY_DSS, len) == 0
58 && (*type == DROPBEAR_SIGNKEY_ANY
59 || *type == DROPBEAR_SIGNKEY_DSS)) {
60 m_free(ident);
61 buf_setpos(buf, buf->pos - len - 4);
62 dss_key_free(key->dsskey);
63 key->dsskey = (dss_key*)m_malloc(sizeof(dss_key));
64 *type = DROPBEAR_SIGNKEY_DSS;
65 return buf_get_dss_pub_key(buf, key->dsskey);
66 }
67 #endif
68 #ifdef DROPBEAR_RSA
69 if (memcmp(ident, SSH_SIGNKEY_RSA, len) == 0
70 && (*type == DROPBEAR_SIGNKEY_ANY
71 || *type == DROPBEAR_SIGNKEY_RSA)) {
72 m_free(ident);
73 buf_setpos(buf, buf->pos - len - 4);
74 rsa_key_free(key->rsakey);
75 key->rsakey = (rsa_key*)m_malloc(sizeof(rsa_key));
76 *type = DROPBEAR_SIGNKEY_RSA;
77 return buf_get_rsa_pub_key(buf, key->rsakey);
78 }
79 #endif
80
81 m_free(ident);
82
83 return DROPBEAR_FAILURE;
84
85 }
86
87 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
88 /* type is set to hold the type returned */
89 int buf_get_priv_key(buffer *buf, sign_key *key, int *type) {
90
91 unsigned char* ident;
92 unsigned int len;
93 int ret;
94
95 TRACE(("enter buf_get_priv_key"));
96 ident = buf_getstring(buf, &len);
97
98 #ifdef DROPBEAR_DSS
99 if (memcmp(ident, SSH_SIGNKEY_DSS, len) == 0
100 && (*type == DROPBEAR_SIGNKEY_ANY
101 || *type == DROPBEAR_SIGNKEY_DSS)) {
102 m_free(ident);
103 buf_setpos(buf, buf->pos - len - 4);
104 dss_key_free(key->dsskey);
105 key->dsskey = (dss_key*)m_malloc(sizeof(dss_key));
106 ret = buf_get_dss_priv_key(buf, key->dsskey);
107 *type = DROPBEAR_SIGNKEY_DSS;
108 if (ret == DROPBEAR_FAILURE) {
109 m_free(key->dsskey);
110 }
111 TRACE(("leave buf_get_priv_key: done get dss"));
112 return ret;
113 }
114 #endif
115 #ifdef DROPBEAR_RSA
116 if (memcmp(ident, SSH_SIGNKEY_RSA, len) == 0
117 && (*type == DROPBEAR_SIGNKEY_ANY
118 || *type == DROPBEAR_SIGNKEY_RSA)) {
119 m_free(ident);
120 buf_setpos(buf, buf->pos - len - 4);
121 rsa_key_free(key->rsakey);
122 key->rsakey = (rsa_key*)m_malloc(sizeof(rsa_key));
123 ret = buf_get_rsa_priv_key(buf, key->rsakey);
124 *type = DROPBEAR_SIGNKEY_RSA;
125 if (ret == DROPBEAR_FAILURE) {
126 m_free(key->rsakey);
127 }
128 TRACE(("leave buf_get_priv_key: done get rsa"));
129 return ret;
130 }
131 #endif
132
133 m_free(ident);
134
135 TRACE(("leave buf_get_priv_key"));
136 return DROPBEAR_FAILURE;
137
138 }
139
140 /* type is either DROPBEAR_SIGNKEY_DSS or DROPBEAR_SIGNKEY_RSA */
141 void buf_put_pub_key(buffer* buf, sign_key *key, int type) {
142
143 buffer *pubkeys;
144
145 TRACE(("enter buf_put_pub_key"));
146 pubkeys = buf_new(1000);
147
148 #ifdef DROPBEAR_DSS
149 if (type == DROPBEAR_SIGNKEY_DSS) {
150 buf_put_dss_pub_key(pubkeys, key->dsskey);
151 }
152 #endif
153 #ifdef DROPBEAR_RSA
154 if (type == DROPBEAR_SIGNKEY_RSA) {
155 buf_put_rsa_pub_key(pubkeys, key->rsakey);
156 }
157 #endif
158 if (pubkeys->len == 0) {
159 dropbear_exit("bad key types in buf_put_pub_key");
160 }
161
162 buf_setpos(pubkeys, 0);
163 buf_putstring(buf, buf_getptr(pubkeys, pubkeys->len),
164 pubkeys->len);
165
166 buf_free(pubkeys);
167 TRACE(("leave buf_put_pub_key"));
168 }
169
170 /* type is either DROPBEAR_SIGNKEY_DSS or DROPBEAR_SIGNKEY_RSA */
171 void buf_put_priv_key(buffer* buf, sign_key *key, int type) {
172
173 TRACE(("enter buf_put_priv_key"));
174 TRACE(("type is %d", type));
175
176 #ifdef DROPBEAR_DSS
177 if (type == DROPBEAR_SIGNKEY_DSS) {
178 buf_put_dss_priv_key(buf, key->dsskey);
179 TRACE(("leave buf_put_priv_key: dss done"));
180 return;
181 }
182 #endif
183 #ifdef DROPBEAR_RSA
184 if (type == DROPBEAR_SIGNKEY_RSA) {
185 buf_put_rsa_priv_key(buf, key->rsakey);
186 TRACE(("leave buf_put_priv_key: rsa done"));
187 return;
188 }
189 #endif
190 dropbear_exit("bad key types in put pub key");
191 }
192
193 void sign_key_free(sign_key *key) {
194
195 TRACE(("enter sign_key_free"));
196
197 #ifdef DROPBEAR_DSS
198 dss_key_free(key->dsskey);
199 key->dsskey = NULL;
200 #endif
201 #ifdef DROPBEAR_RSA
202 rsa_key_free(key->rsakey);
203 key->rsakey = NULL;
204 #endif
205
206 m_free(key);
207 TRACE(("leave sign_key_free"));
208 }
209
210 static char hexdig(unsigned char x) {
211
212 if (x > 0xf)
213 return 'X';
214
215 if (x < 10)
216 return '0' + x;
217 else
218 return 'a' + x - 10;
219 }
220
221 /* Since we're not sure if we'll have md5 or sha1, we present both.
222 * MD5 is used in preference, but sha1 could still be useful */
223 #ifdef DROPBEAR_MD5_HMAC
224 static char * sign_key_md5_fingerprint(sign_key *key, int type) {
225
226 char * ret;
227 hash_state hs;
228 buffer *pubkeys;
229 unsigned char hash[MD5_HASH_SIZE];
230 unsigned int h, i;
231 unsigned int buflen;
232
233 md5_init(&hs);
234
235 pubkeys = buf_new(1000);
236 buf_put_pub_key(pubkeys, key, type);
237 /* skip the size int of the string - this is a bit messy */
238 buf_setpos(pubkeys, 4);
239 md5_process(&hs, buf_getptr(pubkeys, pubkeys->len-pubkeys->pos),
240 pubkeys->len-pubkeys->pos);
241
242 buf_free(pubkeys);
243 md5_done(&hs, hash);
244
245 /* "md5 hexfingerprinthere\0", each hex digit is "AB:" etc */
246 buflen = 4 + 3*MD5_HASH_SIZE;
247 ret = (char*)m_malloc(buflen);
248
249 memset(ret, 'Z', buflen);
250 strcpy(ret, "md5 ");
251
252 for (i = 4, h = 0; i < buflen; i+=3, h++) {
253 ret[i] = hexdig(hash[h] >> 4);
254 ret[i+1] = hexdig(hash[h] & 0x0f);
255 ret[i+2] = ':';
256 }
257 ret[buflen-1] = 0x0;
258
259 return ret;
260 }
261
262 #else /* use SHA1 rather than MD5 for fingerprint */
263 static char * sign_key_sha1_fingerprint(sign_key *key, int type) {
264
265 char * ret;
266 hash_state hs;
267 buffer *pubkeys;
268 unsigned char hash[SHA1_HASH_SIZE];
269 unsigned int h, i;
270 unsigned int buflen;
271
272 sha1_init(&hs);
273
274 pubkeys = buf_new(1000);
275 buf_put_pub_key(pubkeys, key, type);
276 buf_setpos(pubkeys, 4);
277 /* skip the size int of the string - this is a bit messy */
278 sha1_process(&hs, buf_getptr(pubkeys, pubkeys->len-pubkeys->pos),
279 pubkeys->len-pubkeys->pos);
280
281 buf_free(pubkeys);
282 sha1_done(&hs, hash);
283
284 /* "sha1 hexfingerprinthere\0", each hex digit is "AB:" etc */
285 buflen = 5 + 3*SHA1_HASH_SIZE;
286 ret = (char*)m_malloc(buflen);
287
288 strcpy(ret, "sha1 ");
289
290 for (i = 5, h = 0; i < buflen; i+=3, h++) {
291 ret[i] = hexdig(hash[h] >> 4);
292 ret[i+1] = hexdig(hash[h] & 0x0f);
293 ret[i+2] = ':';
294 }
295 ret[buflen-1] = 0x0;
296
297 return ret;
298 }
299
300 #endif /* MD5/SHA1 switch */
301
302 /* This will return a freshly malloced string, containing a fingerprint
303 * in either sha1 or md5 */
304 char * sign_key_fingerprint(sign_key *key, int type) {
305
306 #ifdef DROPBEAR_MD5_HMAC
307 return sign_key_md5_fingerprint(key, type);
308 #else
309 return sign_key_sha1_fingerprint(key, type);
310 #endif
311 }
312
313 void buf_put_sign(buffer* buf, sign_key *key, int type,
314 const unsigned char *data, unsigned int len) {
315
316 buffer *sigblob;
317
318 sigblob = buf_new(1000);
319
320 #ifdef DROPBEAR_DSS
321 if (type == DROPBEAR_SIGNKEY_DSS) {
322 buf_put_dss_sign(sigblob, key->dsskey, data, len);
323 }
324 #endif
325 #ifdef DROPBEAR_RSA
326 if (type == DROPBEAR_SIGNKEY_RSA) {
327 buf_put_rsa_sign(sigblob, key->rsakey, data, len);
328 }
329 #endif
330 if (sigblob->len == 0) {
331 dropbear_exit("non-matching signing type");
332 }
333
334 buf_setpos(sigblob, 0);
335 buf_putstring(buf, buf_getptr(sigblob, sigblob->len),
336 sigblob->len);
337
338 buf_free(sigblob);
339
340 }
341
342 #ifdef DROPBEAR_SIGNKEY_VERIFY
343 /* Return DROPBEAR_SUCCESS or DROPBEAR_FAILURE.
344 * If FAILURE is returned, the position of
345 * buf is undefined. If SUCCESS is returned, buf will be positioned after the
346 * signature blob */
347 int buf_verify(buffer * buf, sign_key *key, const unsigned char *data,
348 unsigned int len) {
349
350 unsigned int bloblen;
351 unsigned char * ident = NULL;
352 unsigned int identlen = 0;
353
354 bloblen = buf_getint(buf);
355 ident = buf_getstring(buf, &identlen);
356
357 #ifdef DROPBEAR_DSS
358 if (bloblen == DSS_SIGNATURE_SIZE &&
359 memcmp(ident, SSH_SIGNKEY_DSS, identlen) == 0) {
360 m_free(ident);
361 return buf_dss_verify(buf, key->dsskey, data, len);
362 }
363 #endif
364
365 #ifdef DROPBEAR_RSA
366 if (memcmp(ident, SSH_SIGNKEY_RSA, identlen) == 0) {
367 m_free(ident);
368 return buf_rsa_verify(buf, key->rsakey, data, len);
369 }
370 #endif
371
372 m_free(ident);
373 dropbear_exit("non-matching signing type");
374 return DROPBEAR_FAILURE;
375 }
376 #endif /* DROPBEAR_SIGNKEY_VERIFY */