void create_server_keys(SshPrivateKey *host, SshPrivateKey *server,
unsigned char **blob, unsigned int *len)
{
SshPublicKey public_host_key;
#ifdef DEBUG
ssh_debug("generating host key");
#endif
if (ssh_private_key_generate(random_state, host,
SSH_CRYPTO_RSA, SSH_PKF_SIZE, 768,
SSH_PKF_END) != SSH_CRYPTO_OK)
ssh_fatal("Generating host key failed");
#ifdef DEBUG
ssh_debug("generating server key");
#endif
if (ssh_private_key_generate(random_state, server,
SSH_CRYPTO_RSA, SSH_PKF_SIZE, 512,
SSH_PKF_END) != SSH_CRYPTO_OK)
ssh_fatal("Generating server key failed");
#ifdef DEBUG
ssh_debug("deriving public host key blob");
#endif
public_host_key = ssh_private_key_derive_public_key(*host);
if (ssh_public_key_export(public_host_key, blob, len) != SSH_CRYPTO_OK)
ssh_fatal("deriving public key blob failed");
ssh_public_key_free(public_host_key);
}
void ssh_x509_public_key_clear(SshX509PublicKey p)
{
if (p == NULL)
return;
if (p->public_key)
ssh_public_key_free(p->public_key);
if (p->public_group)
ssh_pk_group_free(p->public_group);
ssh_x509_public_key_init(p);
}
/* shade{0.9}
* ike_policy_reply_accl_public_key
* Return accelerated public key. . shade{1.0}
*/
void ike_policy_reply_accl_public_key(SshEkStatus status,
SshPublicKey public_key_return,
void *context)
{
SshIkeNegotiation negotiation = (SshIkeNegotiation) context;
SSH_DEBUG(5, ("Start"));
if (status == SSH_EK_OK)
{
/* Accelerated public key found, use it */
SSH_DEBUG(7, ("Using accelerated public key"));
ssh_public_key_free(negotiation->ike_ed->public_key);
negotiation->ike_ed->public_key = public_key_return;
}
else
{
/* Error occurred, when trying to get the accelerated public key/ */
SSH_DEBUG(3, ("ssh_ek_generate_accelerated_public_key failed: %d",
status));
}
/* Restart state machine if needed */
ike_reply_done(negotiation);
}
Boolean ssh_x509_cert_set_public_key(SshX509Certificate c,
const SshPublicKey public_key)
{
const SshX509PkAlgorithmDefStruct *algorithm;
if (public_key == NULL)
return FALSE;
algorithm = ssh_x509_public_key_algorithm(public_key);
if (algorithm == NULL)
return FALSE;
/* If resetting it */
if (c->subject_pkey.public_key)
ssh_public_key_free(c->subject_pkey.public_key);
if (ssh_public_key_copy(public_key,
&c->subject_pkey.public_key) != SSH_CRYPTO_OK)
return FALSE;
c->subject_pkey.pk_type = algorithm->algorithm;
return TRUE;
}
/* Decoding of the SSH2 ascii key blob format. */
unsigned long
ssh2_key_blob_decode(unsigned char *data, size_t len,
Boolean try_convert_ssh1_cert,
char **subject,
char **comment,
unsigned char **blob, size_t *bloblen)
{
unsigned char *tmp, *whitened;
char *my_name, *my_comment;
size_t step, start, end, start2, end2;
unsigned long magic, magic2;
/* Match first the heading. */
magic = ssh_key_blob_match(data, len,
0, /* head */
&start, &end);
if (magic == SSH_KEY_MAGIC_FAIL)
goto fail;
/* Match then the tail. */
magic2 = ssh_key_blob_match(data, len,
1, /* tail */
&start2, &end2);
if (magic2 != magic)
goto fail;
if ((magic != SSH_KEY_MAGIC_SSH1_PUBLIC) &&
(magic != SSH_KEY_MAGIC_SSH1_PRIVATE) &&
(magic != SSH_KEY_MAGIC_SSH1_PRIVATE_ENCRYPTED))
{
/* Check. */
if (len - end == 0)
goto fail;
/* Read the keywords. */
step = ssh_key_blob_keywords(data + end + 1, len - end - 1,
&my_name, &my_comment);
/* If name is available pass it up. */
if (subject)
*subject = my_name;
else
ssh_xfree(my_name);
/* If comment is available pass it up. */
if (comment)
*comment = my_comment;
else
ssh_xfree(my_comment);
/* Convert the remainder to a string. */
tmp = ssh_xmalloc(start2 - end - step);
memcpy(tmp, data + end + 1 + step, start2 - end - step - 1);
/* Remove whitespace. */
whitened = ssh_base64_remove_whitespace(tmp, start2 - end - step - 1);
ssh_xfree(tmp);
/* Decode the base64 blob. */
*blob = ssh_base64_to_buf(whitened, bloblen);
ssh_xfree(whitened);
ssh_xfree(data);
}
#ifdef SSHDIST_APPUTIL_SSH1ENCODE
else if ((magic == SSH_KEY_MAGIC_SSH1_PUBLIC) &&
(try_convert_ssh1_cert != FALSE))
{
SshPublicKey tmpkey;
unsigned char *tmpblob;
size_t tmpbloblen;
if (ssh1_decode_pubkeyblob(data, len, &my_comment, &tmpkey)
== SSH_CRYPTO_OK)
{
tmpbloblen = ssh_encode_pubkeyblob(tmpkey, &tmpblob);
ssh_public_key_free(tmpkey);
if (tmpbloblen > 0)
{
ssh_xfree(data);
data = tmpblob;
len = tmpbloblen;
magic = SSH_KEY_MAGIC_PUBLIC;
SSH_DEBUG(5, ("converted ssh1 pubkey to ssh2 certs"));
}
else
{
ssh_xfree(my_comment);
goto fail;
}
}
else
{
goto fail;
}
if (comment)
*comment = my_comment;
else
ssh_xfree(my_comment);
*blob = data;
if (bloblen)
*bloblen = len;
}
else if (magic == SSH_KEY_MAGIC_SSH1_PUBLIC)
{
SshPublicKey tmpkey;
unsigned char *tmpblob;
size_t tmpbloblen;
if (ssh1_decode_pubkeyblob(data, len, &my_comment, &tmpkey)
== SSH_CRYPTO_OK)
{
size_t l;
SshMPIntegerStruct e, n;
char *estr, *nstr;
ssh_mprz_init(&e);
ssh_mprz_init(&n);
if (ssh_public_key_get_info(tmpkey,
SSH_PKF_MODULO_N, &n,
SSH_PKF_PUBLIC_E, &e,
SSH_PKF_END) == SSH_CRYPTO_OK)
{
ssh_public_key_free(tmpkey);
l = ssh_mprz_get_size(&n, 2);
estr = ssh_mprz_get_str(&e, 10);
nstr = ssh_mprz_get_str(&n, 10);
ssh_mprz_clear(&e);
ssh_mprz_clear(&n);
tmpbloblen = ssh_xdsprintf(&tmpblob,
"%u %s %s -",
(unsigned int)l,
estr,
nstr);
ssh_xfree(estr);
ssh_xfree(nstr);
}
else
{
ssh_public_key_free(tmpkey);
ssh_mprz_clear(&e);
ssh_mprz_clear(&n);
ssh_xfree(my_comment);
goto fail;
}
data = tmpblob;
len = tmpbloblen;
}
else
{
goto fail;
}
if (comment)
*comment = my_comment;
else
ssh_xfree(my_comment);
*blob = data;
if (bloblen)
*bloblen = len;
}
#endif /* SSHDIST_APPUTIL_SSH1ENCODE */
else
{
/* If it's an ssh1 private key we just push entire blob up. */
*blob = data;
if (bloblen)
*bloblen = len;
}
SSH_DEBUG(5, ("key blob magic = 0x%08lx", magic));
return magic;
fail:
ssh_xfree(data);
return SSH_KEY_MAGIC_FAIL;
}
void
ikev2_fallback_negotiation_free(SshIkev2Fb fb, SshIkev2FbNegotiation neg)
{
SSH_ASSERT(neg->ref_count > 0);
neg->ref_count--;
if (neg->ref_count > 0)
{
SSH_DEBUG(SSH_D_NICETOKNOW,
("Fallback negotiation %p has still %d references",
neg, neg->ref_count));
return;
}
SSH_DEBUG(SSH_D_NICETOKNOW, ("Freeing fallback negotiation %p", neg));
if (neg->aggr_mode_responder)
fb->num_aggr_mode_responder_active--;
if (neg->ed)
ikev2_free_exchange_data(neg->ike_sa, neg->ed);
if (neg->ike_sa)
ssh_ikev2_ike_sa_free(neg->ike_sa);
#ifdef SSHDIST_IKE_CERT_AUTH
if (neg->private_key)
ssh_private_key_free(neg->private_key);
if (neg->public_key)
ssh_public_key_free(neg->public_key);
if (neg->cert_encodings)
ssh_free(neg->cert_encodings);
if (neg->cert_lengths)
ssh_free(neg->cert_lengths);
if (neg->certs)
{
int i;
for (i = 0; i < neg->number_of_certificates; i++)
ssh_free(neg->certs[i]);
ssh_free(neg->certs);
}
#endif /* SSHDIST_IKE_CERT_AUTH */
#ifdef SSHDIST_IKE_XAUTH
if (neg->attrs)
ikev2_fb_xauth_free_attributes(neg->attrs);
if (neg->v1_attrs)
ikev2_fb_xauth_free_v1_attributes(neg->v1_attrs);
#endif /* SSHDIST_IKE_XAUTH */
if (neg->transform_index)
ssh_free(neg->transform_index);
if (neg->selected)
ikev2_fb_free_sa_indexes(neg->selected, 1);
if (neg->psk)
ssh_free(neg->psk);
if (neg->sav2)
ssh_ikev2_sa_free(neg->server->sad_handle, neg->sav2);
if (neg->ikev1_id)
ssh_ike_id_free(neg->ikev1_id);
#ifdef DEBUG_LIGHT
memset(neg, 'F', sizeof(*neg));
#endif /* DEBUG_LIGHT */
neg->next = fb->negotiation_freelist;
fb->negotiation_freelist = neg;
return;
}
int
ssh_cm_render_certificate(unsigned char *buf, int len,
int precision, void *datum)
{
SshX509Certificate cert = datum;
char *name;
unsigned char *t;
SshX509Name names;
SshMPIntegerStruct mp;
SshBerTimeStruct not_before, not_after;
SshBufferStruct buffer;
SshX509OidList oid_list;
const SshOidStruct *oids;
Boolean critical;
SshStr str;
size_t l, kid_len;
SshPublicKey pub;
unsigned char *kid;
if (cert)
{
ssh_buffer_init(&buffer);
ssh_buffer_append_str(&buffer, "\ncertificate = { \n");
/* Add the serial number. */
ssh_mprz_init(&mp);
if (ssh_x509_cert_get_serial_number(cert, &mp) == FALSE)
{
ssh_buffer_append_str(&buffer, " missing-serial-number\n");
}
else
{
if ((t = (unsigned char *) ssh_mprz_get_str(&mp, 10)) != NULL)
{
ssh_buffer_append_cstrs(&buffer,
" serial-number = ", t, "\n", NULL);
ssh_mprz_clear(&mp);
ssh_free(t);
}
else
{
ssh_mprz_clear(&mp);
ssh_buffer_uninit(&buffer);
return -1;
}
}
/* Add suitable names. */
ssh_x509_name_reset(cert->subject_name);
if (!ssh_x509_cert_get_subject_name_str(cert, &str))
{
ssh_buffer_append_str(&buffer, " missing-subject-name\n");
}
else
{
SshStr latin1 = ssh_str_charset_convert(str,
SSH_CHARSET_ISO_8859_1);
name = (char *)ssh_str_get(latin1, &l);
ssh_buffer_append_cstrs(&buffer,
" subject-name = <", name, ">\n", NULL);
ssh_str_free(latin1);
ssh_free(name);
ssh_str_free(str);
}
ssh_x509_name_reset(cert->issuer_name);
if (!ssh_x509_cert_get_issuer_name(cert, &name))
{
ssh_buffer_append_str(&buffer, " missing-issuer-name\n");
}
else
{
ssh_buffer_append_cstrs(&buffer,
" issuer-name = <", name, ">\n", NULL);
ssh_free(name);
}
/* Validity period. */
if (!ssh_x509_cert_get_validity(cert, ¬_before, ¬_after))
{
ssh_buffer_append_str(&buffer, " missing-validity-period\n");
}
else
{
if ((t = ssh_malloc(64)) != NULL)
{
if (ssh_ber_time_available(¬_before))
{
ssh_snprintf(t, 64,
"%@", ssh_ber_time_render, ¬_before);
ssh_buffer_append_cstrs(&buffer,
" not-before = ", t, "\n", NULL);
}
if (ssh_ber_time_available(¬_after))
{
ssh_snprintf(t, 64,
"%@", ssh_ber_time_render, ¬_after);
ssh_buffer_append_cstrs(&buffer,
" not-after = ", t, "\n", NULL);
}
ssh_free(t);
}
}
if (ssh_x509_cert_get_subject_key_id(cert, &kid, &kid_len, &critical))
{
unsigned char *fingerprint;
if ((fingerprint = (unsigned char *)
ssh_fingerprint(kid, kid_len, SSH_FINGERPRINT_HEX_UPPER))
!= NULL)
ssh_buffer_append_cstrs(&buffer,
" subject-kid = ",
fingerprint, "\n", NULL);
ssh_free(fingerprint);
}
if (ssh_x509_cert_get_public_key(cert, &pub))
{
unsigned char *key_digest;
size_t digest_len;
if (ssh_cm_key_kid_create(pub, FALSE, &key_digest, &digest_len))
{
unsigned char *fingerprint;
fingerprint =
(unsigned char *)ssh_fingerprint(key_digest,
digest_len,
SSH_FINGERPRINT_HEX_UPPER);
if (fingerprint)
{
ssh_buffer_append_cstrs(&buffer,
" pubkey-hash = ",
ssh_sstr(fingerprint), "\n", NULL);
}
ssh_free(fingerprint);
ssh_free(key_digest);
}
ssh_public_key_free(pub);
}
/* Some alternate names. */
if (ssh_x509_cert_get_subject_alternative_names(cert, &names, &critical))
{
ssh_x509_name_reset(names);
ssh_buffer_append_str(&buffer, " subject-alt-names = { \n");
ssh_cm_names_dump(&buffer, names);
ssh_buffer_append_str(&buffer, " }\n");
}
if (ssh_x509_cert_get_issuer_alternative_names(cert, &names, &critical))
{
ssh_x509_name_reset(names);
ssh_buffer_append_str(&buffer, " issuer-alt-names = { \n");
ssh_cm_names_dump(&buffer, names);
ssh_buffer_append_str(&buffer, " }\n");
}
if (ssh_x509_cert_get_ext_key_usage(cert, &oid_list, &critical))
{
ssh_buffer_append_str(&buffer, " extended-key-usage = { \n");
while (oid_list != NULL)
{
oids = ssh_oid_find_by_oid_of_type(ssh_custr(oid_list->oid),
SSH_OID_EXT_KEY_USAGE);
if (oids == NULL)
ssh_buffer_append_cstrs(&buffer,
" (", oid_list->oid, ")\n",
NULL);
else
ssh_buffer_append_cstrs(&buffer,
" ", oids->std_name,
" (", oid_list->oid, ")\n",
NULL);
oid_list = oid_list->next;
}
ssh_buffer_append_str(&buffer, " }\n");
}
ssh_buffer_append_str(&buffer, "}\n");
return cm_debug_renderer_return(&buffer, buf, len);
}
return 0;
}
int main(int argc, char **argv)
{
SshExternalKeyTestCtx test_ctx;
int i;
SshPrivateKey prv_key;
SshPublicKey pub_key;
SshMPInteger n;
parse_arguments(argc, argv);
ssh_pk_provider_register(&ssh_pk_if_modn_generator);
/* Initialize the event loop and the test context. */
ssh_event_loop_initialize();
ssh_debug_set_level_string(debug_level_string);
ssh_global_init();
/* Initialize the crypto library. */
if (ssh_crypto_library_initialize() != SSH_CRYPTO_OK)
ssh_fatal("Cannot initialize the crypto library");
test_ctx = ssh_xcalloc(1, sizeof(*test_ctx));
test_ctx->accelerated_encrypts_left = default_accelerated_encrypts;
test_ctx->timer = ssh_time_measure_allocate();
SSH_DEBUG(3, ("Reading the test key. Please wait...."));
prv_key = get_prv_key("accelerator-test.prv");
if (ssh_private_key_select_scheme(prv_key,
SSH_PKF_ENCRYPT, "rsa-none-none",
SSH_PKF_END) != SSH_CRYPTO_OK)
ssh_fatal("Could not select the scheme for private key");
if (ssh_private_key_derive_public_key(prv_key, &pub_key)
!= SSH_CRYPTO_OK)
{
ssh_fatal("Can not derive a public key from a "
"stored private key");
}
if (ssh_public_key_select_scheme(pub_key,
SSH_PKF_ENCRYPT, "rsa-none-none",
SSH_PKF_END) != SSH_CRYPTO_OK)
ssh_fatal("Could not select the scheme for public key");
n = ssh_mprz_malloc();
/* Get information about the RSA key. E and N are needed for nFast. */
if (ssh_public_key_get_info(pub_key,
SSH_PKF_MODULO_N, n,
SSH_PKF_END)
!= SSH_CRYPTO_OK)
{
return FALSE;
}
#if 0
n_bytes = (ssh_mprz_get_size(n, 2) + 7) / 8;
if (n_bytes == 0 || (n_bytes & 3) != 0)
n_bytes += (4 - (n_bytes & 3));
test_ctx->big_buf = ssh_xmalloc(n_bytes);
test_ctx->big_buf_len = n_bytes;
ssh_mprz_get_buf(test_ctx->big_buf, test_ctx->big_buf_len, n);
ssh_mprz_free(n);
test_ctx->big_buf_len = 128;
test_ctx->big_buf[0] = 1;
#else
#if 0
n_bytes = ssh_mprz_get_size(n, 8);
test_ctx->big_buf = ssh_xmalloc(n_bytes);
test_ctx->big_buf_len = n_bytes;
ssh_mprz_init(&r);
ssh_mprz_rand(&r, n_bytes * 8);
ssh_mprz_mod(&r, &r, n);
ssh_mprz_get_buf(test_ctx->big_buf, test_ctx->big_buf_len, &r);
ssh_mprz_free(n);
ssh_mprz_clear(&r);
#else
test_ctx->big_buf = ssh_xmalloc(129);
test_ctx->big_buf_len = 129;
memcpy(test_ctx->big_buf,
"\x00\x50\xe7\x85\x86\x40\xf8\x9b"
"\xb8\xeb\x19\x64\xd8\x51\x33\xd7"
"\x4f\xac\x32\x5d\x03\x66\x3d\x0c"
"\xbe\xfd\x40\x29\x82\xb7\x61\x09"
"\x15\x37\x4f\xe1\xd0\x57\xb0\x6d"
"\x16\x49\x73\x25\x20\x3d\xa8\xfa"
"\xf6\xb4\x72\xec\x75\xc8\x42\xc7"
"\x99\x64\x63\x23\x29\xe0\x65\xa1"
"\x2a\xc2\xb7\xf1\x5b\xb4\x9b\x30"
"\xdb\xc7\x22\xb9\xf9\xde\xb5\x09"
"\xb5\xe0\x0a\xca\xc5\xf9\xaf\x8f"
"\x54\xf2\x9a\x06\x2b\xc1\xc2\x65"
"\x87\xb3\xd5\xec\xd3\x8a\x2f\xa7"
"\x5f\x69\x34\xe7\x7f\xeb\xaf\x56"
"\x3c\x3d\x71\x3f\x73\xba\x8b\xa7"
"\xd3\xe5\x6d\x98\xc8\x01\x6b\x18"
"\x14",
129);
#endif
#endif
test_ctx->pub_key = pub_key;
test_ctx->prv_key = prv_key;
test_ek_add(test_ctx);
#ifndef WIN32
ssh_register_signal(SIGUSR1, test_signal_handler, test_ctx);
#endif
ssh_event_loop_run();
/* Uninitialize. */
for (i = 0; i < test_ctx->num_prv_keys; i++)
ssh_private_key_free(test_ctx->prv_keys[i]);
for (i = 0; i < test_ctx->num_pub_keys; i++)
ssh_public_key_free(test_ctx->pub_keys[i]);
ssh_xfree(test_ctx->prv_keys);
ssh_xfree(test_ctx->pub_keys);
ssh_xfree(test_ctx);
return 0;
}
