diff options
-rw-r--r-- | ChangeLog | 33 | ||||
-rw-r--r-- | Makefile.in | 16 | ||||
-rw-r--r-- | auth-rh-rsa.c | 6 | ||||
-rw-r--r-- | auth1.c | 2 | ||||
-rw-r--r-- | auth2.c | 38 | ||||
-rw-r--r-- | authfd.c | 76 | ||||
-rw-r--r-- | authfd.h | 7 | ||||
-rw-r--r-- | authfile.c | 136 | ||||
-rw-r--r-- | channels.c | 159 | ||||
-rw-r--r-- | channels.h | 18 | ||||
-rw-r--r-- | clientloop.c | 122 | ||||
-rwxr-xr-x | contrib/redhat/sshd.init | 27 | ||||
-rw-r--r-- | hostfile.c | 12 | ||||
-rw-r--r-- | kex.c | 12 | ||||
-rw-r--r-- | kex.h | 2 | ||||
-rw-r--r-- | key.c | 388 | ||||
-rw-r--r-- | key.h | 28 | ||||
-rw-r--r-- | myproposal.h | 2 | ||||
-rw-r--r-- | nchan.c | 6 | ||||
-rw-r--r-- | readconf.c | 55 | ||||
-rw-r--r-- | readconf.h | 9 | ||||
-rw-r--r-- | rsa.c | 79 | ||||
-rw-r--r-- | rsa.h | 13 | ||||
-rw-r--r-- | servconf.c | 57 | ||||
-rw-r--r-- | servconf.h | 9 | ||||
-rw-r--r-- | serverloop.c | 128 | ||||
-rw-r--r-- | session.c | 17 | ||||
-rw-r--r-- | sftp-server.8 | 4 | ||||
-rw-r--r-- | ssh-add.1 | 2 | ||||
-rw-r--r-- | ssh-add.c | 26 | ||||
-rw-r--r-- | ssh-agent.1 | 4 | ||||
-rw-r--r-- | ssh-agent.c | 143 | ||||
-rw-r--r-- | ssh-dss.c (renamed from dsa.c) | 118 | ||||
-rw-r--r-- | ssh-dss.h (renamed from dsa.h) | 10 | ||||
-rw-r--r-- | ssh-keygen.1 | 24 | ||||
-rw-r--r-- | ssh-keygen.c | 115 | ||||
-rw-r--r-- | ssh-rsa.c | 163 | ||||
-rw-r--r-- | ssh-rsa.h | 39 | ||||
-rw-r--r-- | ssh.1 | 53 | ||||
-rw-r--r-- | ssh.c | 193 | ||||
-rw-r--r-- | ssh_config | 13 | ||||
-rw-r--r-- | sshconnect.c | 12 | ||||
-rw-r--r-- | sshconnect1.c | 13 | ||||
-rw-r--r-- | sshconnect2.c | 77 | ||||
-rw-r--r-- | sshd.8 | 30 | ||||
-rw-r--r-- | sshd.c | 316 | ||||
-rw-r--r-- | sshd_config | 2 |
47 files changed, 1817 insertions, 997 deletions
@@ -1,6 +1,39 @@ 20001113 - (djm) Add pointer to http://www.imasy.or.jp/~gotoh/connect.c to contrib/README + - (djm) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/11/06 16:04:56 + [channels.c channels.h clientloop.c nchan.c serverloop.c] + [session.c ssh.c] + agent forwarding and -R for ssh2, based on work from + jhuuskon@messi.uku.fi + - markus@cvs.openbsd.org 2000/11/06 16:13:27 + [ssh.c sshconnect.c sshd.c] + do not disabled rhosts(rsa) if server port > 1024; from + pekkas@netcore.fi + - markus@cvs.openbsd.org 2000/11/06 16:16:35 + [sshconnect.c] + downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net + - markus@cvs.openbsd.org 2000/11/09 18:04:40 + [auth1.c] + typo; from mouring@pconline.com + - markus@cvs.openbsd.org 2000/11/12 12:03:28 + [ssh-agent.c] + off-by-one when removing a key from the agent + - markus@cvs.openbsd.org 2000/11/12 12:50:39 + [auth-rh-rsa.c auth2.c authfd.c authfd.h] + [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] + [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] + [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] + [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] + [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] + add support for RSA to SSH2. please test. + there are now 3 types of keys: RSA1 is used by ssh-1 only, + RSA and DSA are used by SSH2. + you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA + keys for SSH2 and use the RSA keys for hostkeys or for user keys. + SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. + - (djm) Fix up Makefile and Redhat init script to create RSA host keys 20001112 - (bal) SCO Patch to add needed libraries for configure.in. Patch by diff --git a/Makefile.in b/Makefile.in index cc49517b..c93e7eab 100644 --- a/Makefile.in +++ b/Makefile.in @@ -35,7 +35,7 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS) -LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o +LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-getcwd.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-realpath.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o bsd-setproctitle.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o @@ -179,18 +179,24 @@ host-key: ssh-keygen$(EXEEXT) if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \ echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \ else \ - $(srcdir)/ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ + $(srcdir)/ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \ fi ; \ if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \ echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ else \ - $(srcdir)/ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + $(srcdir)/ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \ + fi ; \ + if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key ] ; then \ + echo "$(DESTDIR)$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \ + else \ + $(srcdir)/ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ; \ fi ; \ fi ; host-key-force: ssh-keygen$(EXEEXT) - $(srcdir)/ssh-keygen -b 1024 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" - $(srcdir)/ssh-keygen -d -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" + $(srcdir)/ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" + $(srcdir)/ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" + $(srcdir)/ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 3070c9d4..a9f17ef8 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.18 2000/11/12 19:50:37 markus Exp $"); #include "packet.h" #include "ssh.h" @@ -53,10 +53,10 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key debug("Rhosts RSA authentication: canonical host %.900s", canonical_hostname); /* wrap the RSA key into a 'generic' key */ - client_key = key_new(KEY_RSA); + client_key = key_new(KEY_RSA1); BN_copy(client_key->rsa->e, client_host_key->e); BN_copy(client_key->rsa->n, client_host_key->n); - found = key_new(KEY_RSA); + found = key_new(KEY_RSA1); /* Check if we know the host and its host key. */ host_status = check_host_in_hostfile(SSH_SYSTEM_HOSTFILE, canonical_hostname, @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.7 2000/11/10 01:04:40 markus Exp $"); #ifdef HAVE_OSF_SIA # include <sia.h> @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.21 2000/11/12 19:50:37 markus Exp $"); #ifdef HAVE_OSF_SIA # include <sia.h> @@ -52,7 +52,6 @@ RCSID("$OpenBSD: auth2.c,v 1.20 2000/10/14 12:16:56 markus Exp $"); #include "key.h" #include "kex.h" -#include "dsa.h" #include "uidswap.h" #include "auth-options.h" @@ -89,7 +88,7 @@ void protocol_error(int type, int plen, void *ctxt); /* helper */ Authmethod *authmethod_lookup(const char *name); struct passwd *pwcopy(struct passwd *pw); -int user_dsa_key_allowed(struct passwd *pw, Key *key); +int user_key_allowed(struct passwd *pw, Key *key); char *authmethods_get(void); /* auth */ @@ -104,7 +103,7 @@ Authmethod authmethods[] = { &one}, {"publickey", userauth_pubkey, - &options.dsa_authentication}, + &options.pubkey_authentication}, {"keyboard-interactive", userauth_kbdint, &options.kbd_interactive_authentication}, @@ -422,7 +421,7 @@ userauth_pubkey(Authctxt *authctxt) Key *key; char *pkalg, *pkblob, *sig; unsigned int alen, blen, slen; - int have_sig; + int have_sig, pktype; int authenticated = 0; if (!authctxt->valid) { @@ -431,13 +430,14 @@ userauth_pubkey(Authctxt *authctxt) } have_sig = packet_get_char(); pkalg = packet_get_string(&alen); - if (strcmp(pkalg, KEX_DSS) != 0) { - log("bad pkalg %s", pkalg); /*XXX*/ + pktype = key_type_from_name(pkalg); + if (pktype == KEY_UNSPEC) { + log("bad pkalg %s", pkalg); xfree(pkalg); return 0; } pkblob = packet_get_string(&blen); - key = dsa_key_from_blob(pkblob, blen); + key = key_from_blob(pkblob, blen); if (key != NULL) { if (have_sig) { sig = packet_get_string(&slen); @@ -457,14 +457,14 @@ userauth_pubkey(Authctxt *authctxt) authctxt->service); buffer_put_cstring(&b, "publickey"); buffer_put_char(&b, have_sig); - buffer_put_cstring(&b, KEX_DSS); + buffer_put_cstring(&b, key_ssh_name(key)); buffer_put_string(&b, pkblob, blen); -#ifdef DEBUG_DSS +#ifdef DEBUG_PK buffer_dump(&b); #endif /* test for correct signature */ - if (user_dsa_key_allowed(authctxt->pw, key) && - dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) + if (user_key_allowed(authctxt->pw, key) && + key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) authenticated = 1; buffer_clear(&b); xfree(sig); @@ -480,7 +480,7 @@ userauth_pubkey(Authctxt *authctxt) * if a user is not allowed to login. is this an * issue? -markus */ - if (user_dsa_key_allowed(authctxt->pw, key)) { + if (user_key_allowed(authctxt->pw, key)) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); @@ -493,6 +493,7 @@ userauth_pubkey(Authctxt *authctxt) auth_clear_options(); key_free(key); } + debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg); xfree(pkalg); xfree(pkblob); #ifdef HAVE_CYGWIN @@ -560,11 +561,10 @@ authmethod_lookup(const char *name) /* return 1 if user allows given key */ int -user_dsa_key_allowed(struct passwd *pw, Key *key) +user_key_allowed(struct passwd *pw, Key *key) { char line[8192], file[1024]; int found_key = 0; - unsigned int bits = -1; FILE *f; unsigned long linenum = 0; struct stat st; @@ -645,10 +645,10 @@ user_dsa_key_allowed(struct passwd *pw, Key *key) if (!*cp || *cp == '\n' || *cp == '#') continue; - bits = key_read(found, &cp); - if (bits == 0) { + if (key_read(found, &cp) == -1) { /* no key? check if there are options for this key */ int quoted = 0; + debug2("user_key_allowed: check options: '%s'", cp); options = cp; for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { if (*cp == '\\' && cp[1] == '"') @@ -659,8 +659,8 @@ user_dsa_key_allowed(struct passwd *pw, Key *key) /* Skip remaining whitespace. */ for (; *cp == ' ' || *cp == '\t'; cp++) ; - bits = key_read(found, &cp); - if (bits == 0) { + if (key_read(found, &cp) == -1) { + debug2("user_key_allowed: advance: '%s'", cp); /* still no key? advance to next line*/ continue; } @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.30 2000/11/12 19:50:37 markus Exp $"); #include "ssh.h" #include "rsa.h" @@ -50,7 +50,6 @@ RCSID("$OpenBSD: authfd.c,v 1.29 2000/10/09 21:51:00 markus Exp $"); #include "key.h" #include "authfd.h" #include "kex.h" -#include "dsa.h" #include "compat.h" /* helper */ @@ -211,8 +210,8 @@ ssh_close_authentication_connection(AuthenticationConnection *auth) * Returns the first authentication identity held by the agent. */ -Key * -ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version) +int +ssh_get_num_identities(AuthenticationConnection *auth, int version) { int type, code1 = 0, code2 = 0; Buffer request; @@ -227,7 +226,7 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi code2 = SSH2_AGENT_IDENTITIES_ANSWER; break; default: - return NULL; + return 0; } /* @@ -240,14 +239,14 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi buffer_clear(&auth->identities); if (ssh_request_reply(auth, &request, &auth->identities) == 0) { buffer_free(&request); - return NULL; + return 0; } buffer_free(&request); /* Get message type, and verify that we got a proper answer. */ type = buffer_get_char(&auth->identities); if (agent_failed(type)) { - return NULL; + return 0; } else if (type != code2) { fatal("Bad authentication reply message type: %d", type); } @@ -258,8 +257,16 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi fatal("Too many identities in authentication reply: %d\n", auth->howmany); - /* Return the first entry (if any). */ - return ssh_get_next_identity(auth, comment, version); + return auth->howmany; +} + +Key * +ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int version) +{ + /* get number of identities and return the first entry (if any). */ + if (ssh_get_num_identities(auth, version) > 0) + return ssh_get_next_identity(auth, comment, version); + return NULL; } Key * @@ -280,7 +287,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio */ switch(version){ case 1: - key = key_new(KEY_RSA); + key = key_new(KEY_RSA1); bits = buffer_get_int(&auth->identities); buffer_get_bignum(&auth->identities, key->rsa->e); buffer_get_bignum(&auth->identities, key->rsa->n); @@ -292,7 +299,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio case 2: blob = buffer_get_string(&auth->identities, &blen); *comment = buffer_get_string(&auth->identities, NULL); - key = dsa_key_from_blob(blob, blen); + key = key_from_blob(blob, blen); xfree(blob); break; default: @@ -324,7 +331,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth, int i; int type; - if (key->type != KEY_RSA) + if (key->type != KEY_RSA1) return 0; if (response_type == 0) { log("Compatibility with ssh protocol version 1.0 no longer supported."); @@ -376,7 +383,7 @@ ssh_agent_sign(AuthenticationConnection *auth, int type, flags = 0; int ret = -1; - if (dsa_make_key_blob(key, &blob, &blen) == 0) + if (key_to_blob(key, &blob, &blen) == 0) return -1; if (datafellows & SSH_BUG_SIGBLOB) @@ -409,7 +416,7 @@ ssh_agent_sign(AuthenticationConnection *auth, /* Encode key for a message to the agent. */ void -ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment) +ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment) { buffer_clear(b); buffer_put_char(b, SSH_AGENTC_ADD_RSA_IDENTITY); @@ -425,17 +432,29 @@ ssh_encode_identity_rsa(Buffer *b, RSA *key, const char *comment) } void -ssh_encode_identity_dsa(Buffer *b, DSA *key, const char *comment) +ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment) { buffer_clear(b); buffer_put_char(b, SSH2_AGENTC_ADD_IDENTITY); - buffer_put_cstring(b, KEX_DSS); - buffer_put_bignum2(b, key->p); - buffer_put_bignum2(b, key->q); - buffer_put_bignum2(b, key->g); - buffer_put_bignum2(b, key->pub_key); - buffer_put_bignum2(b, key->priv_key); - buffer_put_string(b, comment, strlen(comment)); + buffer_put_cstring(b, key_ssh_name(key)); + switch(key->type){ + case KEY_RSA: + buffer_put_bignum2(b, key->rsa->n); + buffer_put_bignum2(b, key->rsa->e); + buffer_put_bignum2(b, key->rsa->d); + buffer_put_bignum2(b, key->rsa->iqmp); + buffer_put_bignum2(b, key->rsa->p); + buffer_put_bignum2(b, key->rsa->q); + break; + case KEY_DSA: + buffer_put_bignum2(b, key->dsa->p); + buffer_put_bignum2(b, key->dsa->q); + buffer_put_bignum2(b, key->dsa->g); + buffer_put_bignum2(b, key->dsa->pub_key); + buffer_put_bignum2(b, key->dsa->priv_key); + break; + } + buffer_put_cstring(b, comment); } /* @@ -452,11 +471,12 @@ ssh_add_identity(AuthenticationConnection *auth, Key *key, const char *comment) buffer_init(&msg); switch (key->type) { - case KEY_RSA: - ssh_encode_identity_rsa(&msg, key->rsa, comment); + case KEY_RSA1: + ssh_encode_identity_rsa1(&msg, key->rsa, comment); break; + case KEY_RSA: case KEY_DSA: - ssh_encode_identity_dsa(&msg, key->dsa, comment); + ssh_encode_identity_ssh2(&msg, key, comment); break; default: buffer_free(&msg); @@ -487,13 +507,13 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key) buffer_init(&msg); - if (key->type == KEY_RSA) { + if (key->type == KEY_RSA1) { buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY); buffer_put_int(&msg, BN_num_bits(key->rsa->n)); buffer_put_bignum(&msg, key->rsa->e); buffer_put_bignum(&msg, key->rsa->n); - } else if (key->type == KEY_DSA) { - dsa_make_key_blob(key, &blob, &blen); + } else if (key->type == KEY_DSA || key->type == KEY_RSA) { + key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); xfree(blob); @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: authfd.h,v 1.13 2000/10/09 21:51:00 markus Exp $"); */ +/* RCSID("$OpenBSD: authfd.h,v 1.14 2000/11/12 19:50:37 markus Exp $"); */ #ifndef AUTHFD_H #define AUTHFD_H @@ -75,6 +75,11 @@ AuthenticationConnection *ssh_get_authentication_connection(); void ssh_close_authentication_connection(AuthenticationConnection *auth); /* + * Returns the number authentication identity held by the agent. + */ +int ssh_get_num_identities(AuthenticationConnection *auth, int version); + +/* * Returns the first authentication identity held by the agent or NULL if * no identies are available. Caller must free comment and key. * Note that you cannot mix calls with different versions. @@ -36,11 +36,12 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.21 2000/11/12 19:50:37 markus Exp $"); #include <openssl/bn.h> #include <openssl/dsa.h> #include <openssl/rsa.h> +#include <openssl/err.h> #include <openssl/pem.h> #include <openssl/evp.h> @@ -61,7 +62,7 @@ RCSID("$OpenBSD: authfile.c,v 1.20 2000/10/11 20:27:23 markus Exp $"); */ int -save_private_key_rsa(const char *filename, const char *passphrase, +save_private_key_rsa1(const char *filename, const char *passphrase, RSA *key, const char *comment) { Buffer buffer, encrypted; @@ -155,16 +156,17 @@ save_private_key_rsa(const char *filename, const char *passphrase, return 1; } -/* save DSA key in OpenSSL PEM format */ - +/* save SSH2 key in OpenSSL PEM format */ int -save_private_key_dsa(const char *filename, const char *passphrase, - DSA *dsa, const char *comment) +save_private_key_ssh2(const char *filename, const char *_passphrase, + Key *key, const char *comment) { FILE *fp; int fd; - int success = 1; - int len = strlen(passphrase); + int success = 0; + int len = strlen(_passphrase); + char *passphrase = (len > 0) ? (char *)_passphrase : NULL; + EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; if (len > 0 && len <= 4) { error("passphrase too short: %d bytes", len); @@ -182,14 +184,15 @@ save_private_key_dsa(const char *filename, const char *passphrase, close(fd); return 0; } - if (len > 0) { - if (!PEM_write_DSAPrivateKey(fp, dsa, EVP_des_ede3_cbc(), - (char *)passphrase, strlen(passphrase), NULL, NULL)) - success = 0; - } else { - if (!PEM_write_DSAPrivateKey(fp, dsa, NULL, - NULL, 0, NULL, NULL)) - success = 0; + switch (key->type) { + case KEY_DSA: + success = PEM_write_DSAPrivateKey(fp, key->dsa, + cipher, passphrase, len, NULL, NULL); + break; + case KEY_RSA: + success = PEM_write_RSAPrivateKey(fp, key->rsa, + cipher, passphrase, len, NULL, NULL); + break; } fclose(fp); return success; @@ -200,11 +203,12 @@ save_private_key(const char *filename, const char *passphrase, Key *key, const char *comment) { switch (key->type) { - case KEY_RSA: - return save_private_key_rsa(filename, passphrase, key->rsa, comment); + case KEY_RSA1: + return save_private_key_rsa1(filename, passphrase, key->rsa, comment); break; case KEY_DSA: - return save_private_key_dsa(filename, passphrase, key->dsa, comment); + case KEY_RSA: + return save_private_key_ssh2(filename, passphrase, key, comment); break; default: break; @@ -246,7 +250,7 @@ load_public_key_rsa(const char *filename, RSA * pub, char **comment_return) /* Check that it is at least big enought to contain the ID string. */ if (len < strlen(AUTHFILE_ID_STRING) + 1) { - debug("Bad key file %.200s.", filename); + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } @@ -256,7 +260,7 @@ load_public_key_rsa(const char *filename, RSA * pub, char **comment_return) */ for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++) if (buffer_get_char(&buffer) != (u_char) AUTHFILE_ID_STRING[i]) { - debug("Bad key file %.200s.", filename); + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } @@ -288,10 +292,11 @@ int load_public_key(const char *filename, Key * key, char **comment_return) { switch (key->type) { - case KEY_RSA: + case KEY_RSA1: return load_public_key_rsa(filename, key->rsa, comment_return); break; case KEY_DSA: + case KEY_RSA: default: break; } @@ -306,7 +311,7 @@ load_public_key(const char *filename, Key * key, char **comment_return) */ int -load_private_key_rsa(int fd, const char *filename, +load_private_key_rsa1(int fd, const char *filename, const char *passphrase, RSA * prv, char **comment_return) { int i, check1, check2, cipher_type; @@ -326,7 +331,7 @@ load_private_key_rsa(int fd, const char *filename, if (read(fd, cp, (size_t) len) != (size_t) len) { debug("Read from key file %.200s failed: %.100s", filename, - strerror(errno)); + strerror(errno)); buffer_free(&buffer); close(fd); return 0; @@ -335,7 +340,7 @@ load_private_key_rsa(int fd, const char *filename, /* Check that it is at least big enought to contain the ID string. */ if (len < strlen(AUTHFILE_ID_STRING) + 1) { - debug("Bad key file %.200s.", filename); + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } @@ -344,8 +349,8 @@ load_private_key_rsa(int fd, const char *filename, * from the buffer. */ for (i = 0; i < (unsigned int) strlen(AUTHFILE_ID_STRING) + 1; i++) - if (buffer_get_char(&buffer) != (unsigned char) AUTHFILE_ID_STRING[i]) { - debug("Bad key file %.200s.", filename); + if (buffer_get_char(&buffer) != (u_char) AUTHFILE_ID_STRING[i]) { + debug3("Bad RSA1 key file %.200s.", filename); buffer_free(&buffer); return 0; } @@ -431,40 +436,59 @@ fail: } int -load_private_key_dsa(int fd, const char *passphrase, Key *k, char **comment_return) +load_private_key_ssh2(int fd, const char *passphrase, Key *k, char **comment_return) { - DSA *dsa; - BIO *in; FILE *fp; + int success = 0; + EVP_PKEY *pk = NULL; + char *name = "<no key>"; - in = BIO_new(BIO_s_file()); - if (in == NULL) { - error("BIO_new failed"); - return 0; - } fp = fdopen(fd, "r"); if (fp == NULL) { error("fdopen failed"); return 0; } - BIO_set_fp(in, fp, BIO_NOCLOSE); - dsa = PEM_read_bio_DSAPrivateKey(in, NULL, NULL, (char *)passphrase); - if (dsa == NULL) { - debug("PEM_read_bio_DSAPrivateKey failed"); - } else { + pk = PEM_read_PrivateKey(fp, NULL, NULL, (char *)passphrase); + if (pk == NULL) { + debug("PEM_read_PrivateKey failed"); + (void)ERR_get_error(); + } else if (pk->type == EVP_PKEY_RSA) { + /* replace k-&g |