1/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */
2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
--- 68 unchanged lines hidden (view full) ---
78
79/* Supported key types */
80struct keytype {
81 const char *name;
82 const char *shortname;
83 int type;
84 int nid;
85 int cert;
86};
87static const struct keytype keytypes[] = {
88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
89 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
90 KEY_ED25519_CERT, 0, 1 },
91#ifdef WITH_OPENSSL
92 { NULL, "RSA1", KEY_RSA1, 0, 0 },
93 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
94 { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
95# ifdef OPENSSL_HAS_ECC
96 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
97 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
98# ifdef OPENSSL_HAS_NISTP521
99 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
100# endif /* OPENSSL_HAS_NISTP521 */
101# endif /* OPENSSL_HAS_ECC */
102 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
103 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
104# ifdef OPENSSL_HAS_ECC
105 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
108 KEY_ECDSA_CERT, NID_secp384r1, 1 },
109# ifdef OPENSSL_HAS_NISTP521
110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */
114#endif /* WITH_OPENSSL */
115 { NULL, NULL, -1, -1, 0 }
116};
117
118const char *
119sshkey_type(const struct sshkey *k)
120{
121 const struct keytype *kt;
122
123 for (kt = keytypes; kt->type != -1; kt++) {
--- 71 unchanged lines hidden (view full) ---
195char *
196key_alg_list(int certs_only, int plain_only)
197{
198 char *tmp, *ret = NULL;
199 size_t nlen, rlen = 0;
200 const struct keytype *kt;
201
202 for (kt = keytypes; kt->type != -1; kt++) {
203 if (kt->name == NULL)
204 continue;
205 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
206 continue;
207 if (ret != NULL)
208 ret[rlen++] = '\n';
209 nlen = strlen(kt->name);
210 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
211 free(ret);
--- 200 unchanged lines hidden (view full) ---
412
413static void
414cert_free(struct sshkey_cert *cert)
415{
416 u_int i;
417
418 if (cert == NULL)
419 return;
420 if (cert->certblob != NULL)
421 sshbuf_free(cert->certblob);
422 if (cert->critical != NULL)
423 sshbuf_free(cert->critical);
424 if (cert->extensions != NULL)
425 sshbuf_free(cert->extensions);
426 if (cert->key_id != NULL)
427 free(cert->key_id);
428 for (i = 0; i < cert->nprincipals; i++)
429 free(cert->principals[i]);
430 if (cert->principals != NULL)
431 free(cert->principals);
432 if (cert->signature_key != NULL)
433 sshkey_free(cert->signature_key);
434 explicit_bzero(cert, sizeof(*cert));
435 free(cert);
436}
437
438static struct sshkey_cert *
439cert_new(void)
440{
441 struct sshkey_cert *cert;
--- 769 unchanged lines hidden (view full) ---
1211 cp++;
1212 e = strspn(cp, "0123456789");
1213 if (e == 0)
1214 return SSH_ERR_INVALID_FORMAT;
1215 if (e > SSHBUF_MAX_BIGNUM * 3)
1216 return SSH_ERR_BIGNUM_TOO_LARGE;
1217 if (cp[e] == '\0')
1218 skip = 0;
1219 else if (index(" \t\r\n", cp[e]) == NULL)
1220 return SSH_ERR_INVALID_FORMAT;
1221 cp[e] = '\0';
1222 if (BN_dec2bn(&v, cp) <= 0)
1223 return SSH_ERR_INVALID_FORMAT;
1224 *cpp = cp + e + skip;
1225 return 0;
1226}
1227#endif /* WITH_SSH1 */
1228
1229/* returns 0 ok, and < 0 error */
1230int
1231sshkey_read(struct sshkey *ret, char **cpp)
1232{
1233 struct sshkey *k;
1234 int retval = SSH_ERR_INVALID_FORMAT;
1235 char *cp, *space;
1236 int r, type, curve_nid = -1;
1237 struct sshbuf *blob;
1238#ifdef WITH_SSH1
1239 char *ep;
1240 u_long bits;
1241#endif /* WITH_SSH1 */
1242
1243 cp = *cpp;
1244
1245 switch (ret->type) {
1246 case KEY_RSA1:
1247#ifdef WITH_SSH1
1248 /* Get number of bits. */
1249 bits = strtoul(cp, &ep, 10);
1250 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL ||
1251 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
1252 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
1253 /* Get public exponent, public modulus. */
1254 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
1255 return r;
1256 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
1257 return r;
1258 *cpp = ep;
1259 /* validate the claimed number of bits */
1260 if (BN_num_bits(ret->rsa->n) != (int)bits)
1261 return SSH_ERR_KEY_BITS_MISMATCH;
1262 retval = 0;
1263#endif /* WITH_SSH1 */
1264 break;
1265 case KEY_UNSPEC:
1266 case KEY_RSA:
1267 case KEY_DSA:
1268 case KEY_ECDSA:
1269 case KEY_ED25519:
--- 21 unchanged lines hidden (view full) ---
1291 return SSH_ERR_ALLOC_FAIL;
1292 /* trim comment */
1293 space = strchr(cp, ' ');
1294 if (space) {
1295 /* advance 'space': skip whitespace */
1296 *space++ = '\0';
1297 while (*space == ' ' || *space == '\t')
1298 space++;
1299 *cpp = space;
1300 } else
1301 *cpp = cp + strlen(cp);
1302 if ((r = sshbuf_b64tod(blob, cp)) != 0) {
1303 sshbuf_free(blob);
1304 return r;
1305 }
1306 if ((r = sshkey_from_blob(sshbuf_ptr(blob),
1307 sshbuf_len(blob), &k)) != 0) {
1308 sshbuf_free(blob);
1309 return r;
--- 14 unchanged lines hidden (view full) ---
1324 sshkey_free(k);
1325 return SSH_ERR_EXPECTED_CERT;
1326 }
1327 if (ret->cert != NULL)
1328 cert_free(ret->cert);
1329 ret->cert = k->cert;
1330 k->cert = NULL;
1331 }
1332#ifdef WITH_OPENSSL
1333 if (sshkey_type_plain(ret->type) == KEY_RSA) {
1334 if (ret->rsa != NULL)
1335 RSA_free(ret->rsa);
1336 ret->rsa = k->rsa;
1337 k->rsa = NULL;
1338#ifdef DEBUG_PK
1339 RSA_print_fp(stderr, ret->rsa, 8);
1340#endif
1341 }
1342 if (sshkey_type_plain(ret->type) == KEY_DSA) {
1343 if (ret->dsa != NULL)
1344 DSA_free(ret->dsa);
1345 ret->dsa = k->dsa;
1346 k->dsa = NULL;
1347#ifdef DEBUG_PK
1348 DSA_print_fp(stderr, ret->dsa, 8);
1349#endif
1350 }
1351# ifdef OPENSSL_HAS_ECC
1352 if (sshkey_type_plain(ret->type) == KEY_ECDSA) {
1353 if (ret->ecdsa != NULL)
1354 EC_KEY_free(ret->ecdsa);
1355 ret->ecdsa = k->ecdsa;
1356 ret->ecdsa_nid = k->ecdsa_nid;
1357 k->ecdsa = NULL;
1358 k->ecdsa_nid = -1;
1359#ifdef DEBUG_PK
1360 sshkey_dump_ec_key(ret->ecdsa);
1361#endif
1362 }
1363# endif /* OPENSSL_HAS_ECC */
1364#endif /* WITH_OPENSSL */
1365 if (sshkey_type_plain(ret->type) == KEY_ED25519) {
1366 free(ret->ed25519_pk);
1367 ret->ed25519_pk = k->ed25519_pk;
1368 k->ed25519_pk = NULL;
1369#ifdef DEBUG_PK
1370 /* XXX */
1371#endif
1372 }
1373 retval = 0;
1374/*XXXX*/
1375 sshkey_free(k);
1376 if (retval != 0)
1377 break;
1378 break;
1379 default:
1380 return SSH_ERR_INVALID_ARGUMENT;
--- 331 unchanged lines hidden (view full) ---
1712 if ((from = from_key->cert) == NULL)
1713 return SSH_ERR_INVALID_ARGUMENT;
1714
1715 if ((to = to_key->cert = cert_new()) == NULL)
1716 return SSH_ERR_ALLOC_FAIL;
1717
1718 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1719 (ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
1720 (ret = sshbuf_putb(to->extensions, from->extensions) != 0))
1721 return ret;
1722
1723 to->serial = from->serial;
1724 to->type = from->type;
1725 if (from->key_id == NULL)
1726 to->key_id = NULL;
1727 else if ((to->key_id = strdup(from->key_id)) == NULL)
1728 return SSH_ERR_ALLOC_FAIL;
--- 24 unchanged lines hidden (view full) ---
1753}
1754
1755int
1756sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1757{
1758 struct sshkey *n = NULL;
1759 int ret = SSH_ERR_INTERNAL_ERROR;
1760
1761 if (pkp != NULL)
1762 *pkp = NULL;
1763
1764 switch (k->type) {
1765#ifdef WITH_OPENSSL
1766 case KEY_DSA:
1767 case KEY_DSA_CERT:
1768 if ((n = sshkey_new(k->type)) == NULL)
1769 return SSH_ERR_ALLOC_FAIL;
1770 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1771 (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
--- 397 unchanged lines hidden (view full) ---
2169 r = sshkey_from_blob_internal(b, keyp, 1);
2170 sshbuf_free(b);
2171 return r;
2172}
2173
2174int
2175sshkey_sign(const struct sshkey *key,
2176 u_char **sigp, size_t *lenp,
2177 const u_char *data, size_t datalen, u_int compat)
2178{
2179 if (sigp != NULL)
2180 *sigp = NULL;
2181 if (lenp != NULL)
2182 *lenp = 0;
2183 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2184 return SSH_ERR_INVALID_ARGUMENT;
2185 switch (key->type) {
2186#ifdef WITH_OPENSSL
2187 case KEY_DSA_CERT:
2188 case KEY_DSA:
2189 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2190# ifdef OPENSSL_HAS_ECC
2191 case KEY_ECDSA_CERT:
2192 case KEY_ECDSA:
2193 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2194# endif /* OPENSSL_HAS_ECC */
2195 case KEY_RSA_CERT:
2196 case KEY_RSA:
2197 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
2198#endif /* WITH_OPENSSL */
2199 case KEY_ED25519:
2200 case KEY_ED25519_CERT:
2201 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
2202 default:
2203 return SSH_ERR_KEY_TYPE_UNKNOWN;
2204 }
2205}
--- 15 unchanged lines hidden (view full) ---
2221 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2222# ifdef OPENSSL_HAS_ECC
2223 case KEY_ECDSA_CERT:
2224 case KEY_ECDSA:
2225 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2226# endif /* OPENSSL_HAS_ECC */
2227 case KEY_RSA_CERT:
2228 case KEY_RSA:
2229 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
2230#endif /* WITH_OPENSSL */
2231 case KEY_ED25519:
2232 case KEY_ED25519_CERT:
2233 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
2234 default:
2235 return SSH_ERR_KEY_TYPE_UNKNOWN;
2236 }
2237}
2238
2239/* Converts a private to a public key */
2240int
2241sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2242{
2243 struct sshkey *pk;
2244 int ret = SSH_ERR_INTERNAL_ERROR;
2245
2246 if (dkp != NULL)
2247 *dkp = NULL;
2248
2249 if ((pk = calloc(1, sizeof(*pk))) == NULL)
2250 return SSH_ERR_ALLOC_FAIL;
2251 pk->type = k->type;
2252 pk->flags = k->flags;
2253 pk->ecdsa_nid = k->ecdsa_nid;
2254 pk->dsa = NULL;
2255 pk->ecdsa = NULL;
2256 pk->rsa = NULL;
--- 200 unchanged lines hidden (view full) ---
2457 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2458 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2459 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2460 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2461 goto out;
2462
2463 /* Sign the whole mess */
2464 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2465 sshbuf_len(cert), 0)) != 0)
2466 goto out;
2467
2468 /* Append signature and we are done */
2469 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
2470 goto out;
2471 ret = 0;
2472 out:
2473 if (ret != 0)
2474 sshbuf_reset(cert);
2475 if (sig_blob != NULL)
2476 free(sig_blob);
2477 if (ca_blob != NULL)
2478 free(ca_blob);
2479 if (principals != NULL)
2480 sshbuf_free(principals);
2481 return ret;
2482}
2483
2484int
2485sshkey_cert_check_authority(const struct sshkey *k,
2486 int want_host, int require_principal,
2487 const char *name, const char **reason)
2488{
--- 44 unchanged lines hidden (view full) ---
2533 *reason = "Certificate invalid: name is not a listed "
2534 "principal";
2535 return SSH_ERR_KEY_CERT_INVALID;
2536 }
2537 }
2538 return 0;
2539}
2540
2541int
2542sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2543{
2544 int r = SSH_ERR_INTERNAL_ERROR;
2545
2546 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
2547 goto out;
2548 switch (key->type) {
--- 147 unchanged lines hidden (view full) ---
2696 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
2697 (r = sshbuf_get_bignum2(buf, exponent)))
2698 goto out;
2699 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
2700 r = SSH_ERR_LIBCRYPTO_ERROR;
2701 goto out;
2702 }
2703 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2704 EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
2705 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2706 goto out;
2707 break;
2708 case KEY_ECDSA_CERT:
2709 if ((exponent = BN_new()) == NULL) {
2710 r = SSH_ERR_LIBCRYPTO_ERROR;
2711 goto out;
2712 }
2713 if ((r = sshkey_froms(buf, &k)) != 0 ||
2714 (r = sshkey_add_private(k)) != 0 ||
2715 (r = sshbuf_get_bignum2(buf, exponent)) != 0)
2716 goto out;
2717 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
2718 r = SSH_ERR_LIBCRYPTO_ERROR;
2719 goto out;
2720 }
2721 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2722 EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
2723 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2724 goto out;
2725 break;
2726# endif /* OPENSSL_HAS_ECC */
2727 case KEY_RSA:
2728 if ((k = sshkey_new_private(type)) == NULL) {
2729 r = SSH_ERR_ALLOC_FAIL;
2730 goto out;
--- 5 unchanged lines hidden (view full) ---
2736 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2737 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2738 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2739 goto out;
2740 break;
2741 case KEY_RSA_CERT:
2742 if ((r = sshkey_froms(buf, &k)) != 0 ||
2743 (r = sshkey_add_private(k)) != 0 ||
2744 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
2745 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
2746 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
2747 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
2748 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2749 goto out;
2750 break;
2751#endif /* WITH_OPENSSL */
2752 case KEY_ED25519:
2753 if ((k = sshkey_new_private(type)) == NULL) {
2754 r = SSH_ERR_ALLOC_FAIL;
2755 goto out;
--- 670 unchanged lines hidden (view full) ---
3426
3427 /* Store cipher type and "reserved" field. */
3428 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 ||
3429 (r = sshbuf_put_u32(encrypted, 0)) != 0)
3430 goto out;
3431
3432 /* Store public key. This will be in plain text. */
3433 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
3434 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) ||
3435 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) ||
3436 (r = sshbuf_put_cstring(encrypted, comment) != 0))
3437 goto out;
3438
3439 /* Allocate space for the private part of the key in the buffer. */
3440 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
3441 goto out;
3442
3443 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
3444 CIPHER_ENCRYPT)) != 0)
--- 4 unchanged lines hidden (view full) ---
3449 if ((r = cipher_cleanup(&ciphercontext)) != 0)
3450 goto out;
3451
3452 r = sshbuf_putb(blob, encrypted);
3453
3454 out:
3455 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3456 explicit_bzero(buf, sizeof(buf));
3457 if (buffer != NULL)
3458 sshbuf_free(buffer);
3459 if (encrypted != NULL)
3460 sshbuf_free(encrypted);
3461
3462 return r;
3463}
3464#endif /* WITH_SSH1 */
3465
3466#ifdef WITH_OPENSSL
3467/* convert SSH v2 key in OpenSSL PEM format */
3468static int
--- 137 unchanged lines hidden (view full) ---
3606 r = 0;
3607 if (keyp != NULL)
3608 *keyp = pub;
3609 else
3610 sshkey_free(pub);
3611 pub = NULL;
3612
3613 out:
3614 if (copy != NULL)
3615 sshbuf_free(copy);
3616 if (pub != NULL)
3617 sshkey_free(pub);
3618 return r;
3619}
3620
3621static int
3622sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
3623 struct sshkey **keyp, char **commentp)
3624{
3625 int r;
--- 95 unchanged lines hidden (view full) ---
3721 *keyp = prv;
3722 prv = NULL;
3723 if (commentp != NULL) {
3724 *commentp = comment;
3725 comment = NULL;
3726 }
3727 out:
3728 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3729 if (comment != NULL)
3730 free(comment);
3731 if (prv != NULL)
3732 sshkey_free(prv);
3733 if (copy != NULL)
3734 sshbuf_free(copy);
3735 if (decrypted != NULL)
3736 sshbuf_free(decrypted);
3737 return r;
3738}
3739#endif /* WITH_SSH1 */
3740
3741#ifdef WITH_OPENSSL
3742static int
3743sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
3744 const char *passphrase, struct sshkey **keyp)
--- 73 unchanged lines hidden (view full) ---
3818 }
3819 r = 0;
3820 *keyp = prv;
3821 prv = NULL;
3822 out:
3823 BIO_free(bio);
3824 if (pk != NULL)
3825 EVP_PKEY_free(pk);
3826 if (prv != NULL)
3827 sshkey_free(prv);
3828 return r;
3829}
3830#endif /* WITH_OPENSSL */
3831
3832int
3833sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3834 const char *passphrase, struct sshkey **keyp, char **commentp)
3835{
3836 int r;
3837
3838 *keyp = NULL;
3839 if (commentp != NULL)
3840 *commentp = NULL;
3841
3842 switch (type) {
3843#ifdef WITH_SSH1
3844 case KEY_RSA1:
3845 return sshkey_parse_private_rsa1(blob, passphrase,
--- 5 unchanged lines hidden (view full) ---
3851 case KEY_RSA:
3852 return sshkey_parse_private_pem_fileblob(blob, type,
3853 passphrase, keyp);
3854#endif /* WITH_OPENSSL */
3855 case KEY_ED25519:
3856 return sshkey_parse_private2(blob, type, passphrase,
3857 keyp, commentp);
3858 case KEY_UNSPEC:
3859 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
3860 commentp)) == 0)
3861 return 0;
3862#ifdef WITH_OPENSSL
3863 return sshkey_parse_private_pem_fileblob(blob, type,
3864 passphrase, keyp);
3865#else
3866 return SSH_ERR_INVALID_FORMAT;
3867#endif /* WITH_OPENSSL */
3868 default:
3869 return SSH_ERR_KEY_TYPE_UNKNOWN;
3870 }
3871}
3872
3873int
3874sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3875 const char *filename, struct sshkey **keyp, char **commentp)
3876{
3877 int r;
3878
3879 if (keyp != NULL)
3880 *keyp = NULL;
3881 if (commentp != NULL)
3882 *commentp = NULL;
3883
3884#ifdef WITH_SSH1
3885 /* it's a SSH v1 key if the public key part is readable */
3886 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) {
3887 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
3888 passphrase, keyp, commentp);
3889 }
3890#endif /* WITH_SSH1 */
3891 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
3892 passphrase, keyp, commentp)) == 0)
3893 return 0;
3894 return r;
3895}
2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
--- 68 unchanged lines hidden (view full) ---
78
79/* Supported key types */
80struct keytype {
81 const char *name;
82 const char *shortname;
83 int type;
84 int nid;
85 int cert;
86};
87static const struct keytype keytypes[] = {
88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
89 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
90 KEY_ED25519_CERT, 0, 1 },
91#ifdef WITH_OPENSSL
92 { NULL, "RSA1", KEY_RSA1, 0, 0 },
93 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
94 { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
95# ifdef OPENSSL_HAS_ECC
96 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
97 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
98# ifdef OPENSSL_HAS_NISTP521
99 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
100# endif /* OPENSSL_HAS_NISTP521 */
101# endif /* OPENSSL_HAS_ECC */
102 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
103 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
104# ifdef OPENSSL_HAS_ECC
105 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
108 KEY_ECDSA_CERT, NID_secp384r1, 1 },
109# ifdef OPENSSL_HAS_NISTP521
110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */
114#endif /* WITH_OPENSSL */
115 { NULL, NULL, -1, -1, 0 }
116};
117
118const char *
119sshkey_type(const struct sshkey *k)
120{
121 const struct keytype *kt;
122
123 for (kt = keytypes; kt->type != -1; kt++) {
--- 71 unchanged lines hidden (view full) ---
195char *
196key_alg_list(int certs_only, int plain_only)
197{
198 char *tmp, *ret = NULL;
199 size_t nlen, rlen = 0;
200 const struct keytype *kt;
201
202 for (kt = keytypes; kt->type != -1; kt++) {
203 if (kt->name == NULL)
204 continue;
205 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
206 continue;
207 if (ret != NULL)
208 ret[rlen++] = '\n';
209 nlen = strlen(kt->name);
210 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
211 free(ret);
--- 200 unchanged lines hidden (view full) ---
412
413static void
414cert_free(struct sshkey_cert *cert)
415{
416 u_int i;
417
418 if (cert == NULL)
419 return;
420 if (cert->certblob != NULL)
421 sshbuf_free(cert->certblob);
422 if (cert->critical != NULL)
423 sshbuf_free(cert->critical);
424 if (cert->extensions != NULL)
425 sshbuf_free(cert->extensions);
426 if (cert->key_id != NULL)
427 free(cert->key_id);
428 for (i = 0; i < cert->nprincipals; i++)
429 free(cert->principals[i]);
430 if (cert->principals != NULL)
431 free(cert->principals);
432 if (cert->signature_key != NULL)
433 sshkey_free(cert->signature_key);
434 explicit_bzero(cert, sizeof(*cert));
435 free(cert);
436}
437
438static struct sshkey_cert *
439cert_new(void)
440{
441 struct sshkey_cert *cert;
--- 769 unchanged lines hidden (view full) ---
1211 cp++;
1212 e = strspn(cp, "0123456789");
1213 if (e == 0)
1214 return SSH_ERR_INVALID_FORMAT;
1215 if (e > SSHBUF_MAX_BIGNUM * 3)
1216 return SSH_ERR_BIGNUM_TOO_LARGE;
1217 if (cp[e] == '\0')
1218 skip = 0;
1219 else if (index(" \t\r\n", cp[e]) == NULL)
1220 return SSH_ERR_INVALID_FORMAT;
1221 cp[e] = '\0';
1222 if (BN_dec2bn(&v, cp) <= 0)
1223 return SSH_ERR_INVALID_FORMAT;
1224 *cpp = cp + e + skip;
1225 return 0;
1226}
1227#endif /* WITH_SSH1 */
1228
1229/* returns 0 ok, and < 0 error */
1230int
1231sshkey_read(struct sshkey *ret, char **cpp)
1232{
1233 struct sshkey *k;
1234 int retval = SSH_ERR_INVALID_FORMAT;
1235 char *cp, *space;
1236 int r, type, curve_nid = -1;
1237 struct sshbuf *blob;
1238#ifdef WITH_SSH1
1239 char *ep;
1240 u_long bits;
1241#endif /* WITH_SSH1 */
1242
1243 cp = *cpp;
1244
1245 switch (ret->type) {
1246 case KEY_RSA1:
1247#ifdef WITH_SSH1
1248 /* Get number of bits. */
1249 bits = strtoul(cp, &ep, 10);
1250 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL ||
1251 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
1252 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
1253 /* Get public exponent, public modulus. */
1254 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
1255 return r;
1256 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
1257 return r;
1258 *cpp = ep;
1259 /* validate the claimed number of bits */
1260 if (BN_num_bits(ret->rsa->n) != (int)bits)
1261 return SSH_ERR_KEY_BITS_MISMATCH;
1262 retval = 0;
1263#endif /* WITH_SSH1 */
1264 break;
1265 case KEY_UNSPEC:
1266 case KEY_RSA:
1267 case KEY_DSA:
1268 case KEY_ECDSA:
1269 case KEY_ED25519:
--- 21 unchanged lines hidden (view full) ---
1291 return SSH_ERR_ALLOC_FAIL;
1292 /* trim comment */
1293 space = strchr(cp, ' ');
1294 if (space) {
1295 /* advance 'space': skip whitespace */
1296 *space++ = '\0';
1297 while (*space == ' ' || *space == '\t')
1298 space++;
1299 *cpp = space;
1300 } else
1301 *cpp = cp + strlen(cp);
1302 if ((r = sshbuf_b64tod(blob, cp)) != 0) {
1303 sshbuf_free(blob);
1304 return r;
1305 }
1306 if ((r = sshkey_from_blob(sshbuf_ptr(blob),
1307 sshbuf_len(blob), &k)) != 0) {
1308 sshbuf_free(blob);
1309 return r;
--- 14 unchanged lines hidden (view full) ---
1324 sshkey_free(k);
1325 return SSH_ERR_EXPECTED_CERT;
1326 }
1327 if (ret->cert != NULL)
1328 cert_free(ret->cert);
1329 ret->cert = k->cert;
1330 k->cert = NULL;
1331 }
1332#ifdef WITH_OPENSSL
1333 if (sshkey_type_plain(ret->type) == KEY_RSA) {
1334 if (ret->rsa != NULL)
1335 RSA_free(ret->rsa);
1336 ret->rsa = k->rsa;
1337 k->rsa = NULL;
1338#ifdef DEBUG_PK
1339 RSA_print_fp(stderr, ret->rsa, 8);
1340#endif
1341 }
1342 if (sshkey_type_plain(ret->type) == KEY_DSA) {
1343 if (ret->dsa != NULL)
1344 DSA_free(ret->dsa);
1345 ret->dsa = k->dsa;
1346 k->dsa = NULL;
1347#ifdef DEBUG_PK
1348 DSA_print_fp(stderr, ret->dsa, 8);
1349#endif
1350 }
1351# ifdef OPENSSL_HAS_ECC
1352 if (sshkey_type_plain(ret->type) == KEY_ECDSA) {
1353 if (ret->ecdsa != NULL)
1354 EC_KEY_free(ret->ecdsa);
1355 ret->ecdsa = k->ecdsa;
1356 ret->ecdsa_nid = k->ecdsa_nid;
1357 k->ecdsa = NULL;
1358 k->ecdsa_nid = -1;
1359#ifdef DEBUG_PK
1360 sshkey_dump_ec_key(ret->ecdsa);
1361#endif
1362 }
1363# endif /* OPENSSL_HAS_ECC */
1364#endif /* WITH_OPENSSL */
1365 if (sshkey_type_plain(ret->type) == KEY_ED25519) {
1366 free(ret->ed25519_pk);
1367 ret->ed25519_pk = k->ed25519_pk;
1368 k->ed25519_pk = NULL;
1369#ifdef DEBUG_PK
1370 /* XXX */
1371#endif
1372 }
1373 retval = 0;
1374/*XXXX*/
1375 sshkey_free(k);
1376 if (retval != 0)
1377 break;
1378 break;
1379 default:
1380 return SSH_ERR_INVALID_ARGUMENT;
--- 331 unchanged lines hidden (view full) ---
1712 if ((from = from_key->cert) == NULL)
1713 return SSH_ERR_INVALID_ARGUMENT;
1714
1715 if ((to = to_key->cert = cert_new()) == NULL)
1716 return SSH_ERR_ALLOC_FAIL;
1717
1718 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1719 (ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
1720 (ret = sshbuf_putb(to->extensions, from->extensions) != 0))
1721 return ret;
1722
1723 to->serial = from->serial;
1724 to->type = from->type;
1725 if (from->key_id == NULL)
1726 to->key_id = NULL;
1727 else if ((to->key_id = strdup(from->key_id)) == NULL)
1728 return SSH_ERR_ALLOC_FAIL;
--- 24 unchanged lines hidden (view full) ---
1753}
1754
1755int
1756sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1757{
1758 struct sshkey *n = NULL;
1759 int ret = SSH_ERR_INTERNAL_ERROR;
1760
1761 if (pkp != NULL)
1762 *pkp = NULL;
1763
1764 switch (k->type) {
1765#ifdef WITH_OPENSSL
1766 case KEY_DSA:
1767 case KEY_DSA_CERT:
1768 if ((n = sshkey_new(k->type)) == NULL)
1769 return SSH_ERR_ALLOC_FAIL;
1770 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1771 (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
--- 397 unchanged lines hidden (view full) ---
2169 r = sshkey_from_blob_internal(b, keyp, 1);
2170 sshbuf_free(b);
2171 return r;
2172}
2173
2174int
2175sshkey_sign(const struct sshkey *key,
2176 u_char **sigp, size_t *lenp,
2177 const u_char *data, size_t datalen, u_int compat)
2178{
2179 if (sigp != NULL)
2180 *sigp = NULL;
2181 if (lenp != NULL)
2182 *lenp = 0;
2183 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2184 return SSH_ERR_INVALID_ARGUMENT;
2185 switch (key->type) {
2186#ifdef WITH_OPENSSL
2187 case KEY_DSA_CERT:
2188 case KEY_DSA:
2189 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2190# ifdef OPENSSL_HAS_ECC
2191 case KEY_ECDSA_CERT:
2192 case KEY_ECDSA:
2193 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2194# endif /* OPENSSL_HAS_ECC */
2195 case KEY_RSA_CERT:
2196 case KEY_RSA:
2197 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
2198#endif /* WITH_OPENSSL */
2199 case KEY_ED25519:
2200 case KEY_ED25519_CERT:
2201 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
2202 default:
2203 return SSH_ERR_KEY_TYPE_UNKNOWN;
2204 }
2205}
--- 15 unchanged lines hidden (view full) ---
2221 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2222# ifdef OPENSSL_HAS_ECC
2223 case KEY_ECDSA_CERT:
2224 case KEY_ECDSA:
2225 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2226# endif /* OPENSSL_HAS_ECC */
2227 case KEY_RSA_CERT:
2228 case KEY_RSA:
2229 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
2230#endif /* WITH_OPENSSL */
2231 case KEY_ED25519:
2232 case KEY_ED25519_CERT:
2233 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
2234 default:
2235 return SSH_ERR_KEY_TYPE_UNKNOWN;
2236 }
2237}
2238
2239/* Converts a private to a public key */
2240int
2241sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2242{
2243 struct sshkey *pk;
2244 int ret = SSH_ERR_INTERNAL_ERROR;
2245
2246 if (dkp != NULL)
2247 *dkp = NULL;
2248
2249 if ((pk = calloc(1, sizeof(*pk))) == NULL)
2250 return SSH_ERR_ALLOC_FAIL;
2251 pk->type = k->type;
2252 pk->flags = k->flags;
2253 pk->ecdsa_nid = k->ecdsa_nid;
2254 pk->dsa = NULL;
2255 pk->ecdsa = NULL;
2256 pk->rsa = NULL;
--- 200 unchanged lines hidden (view full) ---
2457 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2458 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2459 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2460 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2461 goto out;
2462
2463 /* Sign the whole mess */
2464 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2465 sshbuf_len(cert), 0)) != 0)
2466 goto out;
2467
2468 /* Append signature and we are done */
2469 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
2470 goto out;
2471 ret = 0;
2472 out:
2473 if (ret != 0)
2474 sshbuf_reset(cert);
2475 if (sig_blob != NULL)
2476 free(sig_blob);
2477 if (ca_blob != NULL)
2478 free(ca_blob);
2479 if (principals != NULL)
2480 sshbuf_free(principals);
2481 return ret;
2482}
2483
2484int
2485sshkey_cert_check_authority(const struct sshkey *k,
2486 int want_host, int require_principal,
2487 const char *name, const char **reason)
2488{
--- 44 unchanged lines hidden (view full) ---
2533 *reason = "Certificate invalid: name is not a listed "
2534 "principal";
2535 return SSH_ERR_KEY_CERT_INVALID;
2536 }
2537 }
2538 return 0;
2539}
2540
2541int
2542sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2543{
2544 int r = SSH_ERR_INTERNAL_ERROR;
2545
2546 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
2547 goto out;
2548 switch (key->type) {
--- 147 unchanged lines hidden (view full) ---
2696 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
2697 (r = sshbuf_get_bignum2(buf, exponent)))
2698 goto out;
2699 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
2700 r = SSH_ERR_LIBCRYPTO_ERROR;
2701 goto out;
2702 }
2703 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2704 EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
2705 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2706 goto out;
2707 break;
2708 case KEY_ECDSA_CERT:
2709 if ((exponent = BN_new()) == NULL) {
2710 r = SSH_ERR_LIBCRYPTO_ERROR;
2711 goto out;
2712 }
2713 if ((r = sshkey_froms(buf, &k)) != 0 ||
2714 (r = sshkey_add_private(k)) != 0 ||
2715 (r = sshbuf_get_bignum2(buf, exponent)) != 0)
2716 goto out;
2717 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
2718 r = SSH_ERR_LIBCRYPTO_ERROR;
2719 goto out;
2720 }
2721 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2722 EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
2723 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2724 goto out;
2725 break;
2726# endif /* OPENSSL_HAS_ECC */
2727 case KEY_RSA:
2728 if ((k = sshkey_new_private(type)) == NULL) {
2729 r = SSH_ERR_ALLOC_FAIL;
2730 goto out;
--- 5 unchanged lines hidden (view full) ---
2736 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2737 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2738 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2739 goto out;
2740 break;
2741 case KEY_RSA_CERT:
2742 if ((r = sshkey_froms(buf, &k)) != 0 ||
2743 (r = sshkey_add_private(k)) != 0 ||
2744 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
2745 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
2746 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
2747 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
2748 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2749 goto out;
2750 break;
2751#endif /* WITH_OPENSSL */
2752 case KEY_ED25519:
2753 if ((k = sshkey_new_private(type)) == NULL) {
2754 r = SSH_ERR_ALLOC_FAIL;
2755 goto out;
--- 670 unchanged lines hidden (view full) ---
3426
3427 /* Store cipher type and "reserved" field. */
3428 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 ||
3429 (r = sshbuf_put_u32(encrypted, 0)) != 0)
3430 goto out;
3431
3432 /* Store public key. This will be in plain text. */
3433 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
3434 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) ||
3435 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) ||
3436 (r = sshbuf_put_cstring(encrypted, comment) != 0))
3437 goto out;
3438
3439 /* Allocate space for the private part of the key in the buffer. */
3440 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
3441 goto out;
3442
3443 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
3444 CIPHER_ENCRYPT)) != 0)
--- 4 unchanged lines hidden (view full) ---
3449 if ((r = cipher_cleanup(&ciphercontext)) != 0)
3450 goto out;
3451
3452 r = sshbuf_putb(blob, encrypted);
3453
3454 out:
3455 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3456 explicit_bzero(buf, sizeof(buf));
3457 if (buffer != NULL)
3458 sshbuf_free(buffer);
3459 if (encrypted != NULL)
3460 sshbuf_free(encrypted);
3461
3462 return r;
3463}
3464#endif /* WITH_SSH1 */
3465
3466#ifdef WITH_OPENSSL
3467/* convert SSH v2 key in OpenSSL PEM format */
3468static int
--- 137 unchanged lines hidden (view full) ---
3606 r = 0;
3607 if (keyp != NULL)
3608 *keyp = pub;
3609 else
3610 sshkey_free(pub);
3611 pub = NULL;
3612
3613 out:
3614 if (copy != NULL)
3615 sshbuf_free(copy);
3616 if (pub != NULL)
3617 sshkey_free(pub);
3618 return r;
3619}
3620
3621static int
3622sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
3623 struct sshkey **keyp, char **commentp)
3624{
3625 int r;
--- 95 unchanged lines hidden (view full) ---
3721 *keyp = prv;
3722 prv = NULL;
3723 if (commentp != NULL) {
3724 *commentp = comment;
3725 comment = NULL;
3726 }
3727 out:
3728 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3729 if (comment != NULL)
3730 free(comment);
3731 if (prv != NULL)
3732 sshkey_free(prv);
3733 if (copy != NULL)
3734 sshbuf_free(copy);
3735 if (decrypted != NULL)
3736 sshbuf_free(decrypted);
3737 return r;
3738}
3739#endif /* WITH_SSH1 */
3740
3741#ifdef WITH_OPENSSL
3742static int
3743sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
3744 const char *passphrase, struct sshkey **keyp)
--- 73 unchanged lines hidden (view full) ---
3818 }
3819 r = 0;
3820 *keyp = prv;
3821 prv = NULL;
3822 out:
3823 BIO_free(bio);
3824 if (pk != NULL)
3825 EVP_PKEY_free(pk);
3826 if (prv != NULL)
3827 sshkey_free(prv);
3828 return r;
3829}
3830#endif /* WITH_OPENSSL */
3831
3832int
3833sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3834 const char *passphrase, struct sshkey **keyp, char **commentp)
3835{
3836 int r;
3837
3838 *keyp = NULL;
3839 if (commentp != NULL)
3840 *commentp = NULL;
3841
3842 switch (type) {
3843#ifdef WITH_SSH1
3844 case KEY_RSA1:
3845 return sshkey_parse_private_rsa1(blob, passphrase,
--- 5 unchanged lines hidden (view full) ---
3851 case KEY_RSA:
3852 return sshkey_parse_private_pem_fileblob(blob, type,
3853 passphrase, keyp);
3854#endif /* WITH_OPENSSL */
3855 case KEY_ED25519:
3856 return sshkey_parse_private2(blob, type, passphrase,
3857 keyp, commentp);
3858 case KEY_UNSPEC:
3859 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
3860 commentp)) == 0)
3861 return 0;
3862#ifdef WITH_OPENSSL
3863 return sshkey_parse_private_pem_fileblob(blob, type,
3864 passphrase, keyp);
3865#else
3866 return SSH_ERR_INVALID_FORMAT;
3867#endif /* WITH_OPENSSL */
3868 default:
3869 return SSH_ERR_KEY_TYPE_UNKNOWN;
3870 }
3871}
3872
3873int
3874sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3875 const char *filename, struct sshkey **keyp, char **commentp)
3876{
3877 int r;
3878
3879 if (keyp != NULL)
3880 *keyp = NULL;
3881 if (commentp != NULL)
3882 *commentp = NULL;
3883
3884#ifdef WITH_SSH1
3885 /* it's a SSH v1 key if the public key part is readable */
3886 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) {
3887 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
3888 passphrase, keyp, commentp);
3889 }
3890#endif /* WITH_SSH1 */
3891 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
3892 passphrase, keyp, commentp)) == 0)
3893 return 0;
3894 return r;
3895}