void create_server_keys(SshPrivateKey *host, SshPrivateKey *server, unsigned char **blob, unsigned int *len) { SshPublicKey public_host_key; #ifdef DEBUG ssh_debug("generating host key"); #endif if (ssh_private_key_generate(random_state, host, SSH_CRYPTO_RSA, SSH_PKF_SIZE, 768, SSH_PKF_END) != SSH_CRYPTO_OK) ssh_fatal("Generating host key failed"); #ifdef DEBUG ssh_debug("generating server key"); #endif if (ssh_private_key_generate(random_state, server, SSH_CRYPTO_RSA, SSH_PKF_SIZE, 512, SSH_PKF_END) != SSH_CRYPTO_OK) ssh_fatal("Generating server key failed"); #ifdef DEBUG ssh_debug("deriving public host key blob"); #endif public_host_key = ssh_private_key_derive_public_key(*host); if (ssh_public_key_export(public_host_key, blob, len) != SSH_CRYPTO_OK) ssh_fatal("deriving public key blob failed"); ssh_public_key_free(public_host_key); }
void ssh_x509_public_key_clear(SshX509PublicKey p) { if (p == NULL) return; if (p->public_key) ssh_public_key_free(p->public_key); if (p->public_group) ssh_pk_group_free(p->public_group); ssh_x509_public_key_init(p); }
/* shade{0.9} * ike_policy_reply_accl_public_key * Return accelerated public key. . shade{1.0} */ void ike_policy_reply_accl_public_key(SshEkStatus status, SshPublicKey public_key_return, void *context) { SshIkeNegotiation negotiation = (SshIkeNegotiation) context; SSH_DEBUG(5, ("Start")); if (status == SSH_EK_OK) { /* Accelerated public key found, use it */ SSH_DEBUG(7, ("Using accelerated public key")); ssh_public_key_free(negotiation->ike_ed->public_key); negotiation->ike_ed->public_key = public_key_return; } else { /* Error occurred, when trying to get the accelerated public key/ */ SSH_DEBUG(3, ("ssh_ek_generate_accelerated_public_key failed: %d", status)); } /* Restart state machine if needed */ ike_reply_done(negotiation); }
Boolean ssh_x509_cert_set_public_key(SshX509Certificate c, const SshPublicKey public_key) { const SshX509PkAlgorithmDefStruct *algorithm; if (public_key == NULL) return FALSE; algorithm = ssh_x509_public_key_algorithm(public_key); if (algorithm == NULL) return FALSE; /* If resetting it */ if (c->subject_pkey.public_key) ssh_public_key_free(c->subject_pkey.public_key); if (ssh_public_key_copy(public_key, &c->subject_pkey.public_key) != SSH_CRYPTO_OK) return FALSE; c->subject_pkey.pk_type = algorithm->algorithm; return TRUE; }
/* Decoding of the SSH2 ascii key blob format. */ unsigned long ssh2_key_blob_decode(unsigned char *data, size_t len, Boolean try_convert_ssh1_cert, char **subject, char **comment, unsigned char **blob, size_t *bloblen) { unsigned char *tmp, *whitened; char *my_name, *my_comment; size_t step, start, end, start2, end2; unsigned long magic, magic2; /* Match first the heading. */ magic = ssh_key_blob_match(data, len, 0, /* head */ &start, &end); if (magic == SSH_KEY_MAGIC_FAIL) goto fail; /* Match then the tail. */ magic2 = ssh_key_blob_match(data, len, 1, /* tail */ &start2, &end2); if (magic2 != magic) goto fail; if ((magic != SSH_KEY_MAGIC_SSH1_PUBLIC) && (magic != SSH_KEY_MAGIC_SSH1_PRIVATE) && (magic != SSH_KEY_MAGIC_SSH1_PRIVATE_ENCRYPTED)) { /* Check. */ if (len - end == 0) goto fail; /* Read the keywords. */ step = ssh_key_blob_keywords(data + end + 1, len - end - 1, &my_name, &my_comment); /* If name is available pass it up. */ if (subject) *subject = my_name; else ssh_xfree(my_name); /* If comment is available pass it up. */ if (comment) *comment = my_comment; else ssh_xfree(my_comment); /* Convert the remainder to a string. */ tmp = ssh_xmalloc(start2 - end - step); memcpy(tmp, data + end + 1 + step, start2 - end - step - 1); /* Remove whitespace. */ whitened = ssh_base64_remove_whitespace(tmp, start2 - end - step - 1); ssh_xfree(tmp); /* Decode the base64 blob. */ *blob = ssh_base64_to_buf(whitened, bloblen); ssh_xfree(whitened); ssh_xfree(data); } #ifdef SSHDIST_APPUTIL_SSH1ENCODE else if ((magic == SSH_KEY_MAGIC_SSH1_PUBLIC) && (try_convert_ssh1_cert != FALSE)) { SshPublicKey tmpkey; unsigned char *tmpblob; size_t tmpbloblen; if (ssh1_decode_pubkeyblob(data, len, &my_comment, &tmpkey) == SSH_CRYPTO_OK) { tmpbloblen = ssh_encode_pubkeyblob(tmpkey, &tmpblob); ssh_public_key_free(tmpkey); if (tmpbloblen > 0) { ssh_xfree(data); data = tmpblob; len = tmpbloblen; magic = SSH_KEY_MAGIC_PUBLIC; SSH_DEBUG(5, ("converted ssh1 pubkey to ssh2 certs")); } else { ssh_xfree(my_comment); goto fail; } } else { goto fail; } if (comment) *comment = my_comment; else ssh_xfree(my_comment); *blob = data; if (bloblen) *bloblen = len; } else if (magic == SSH_KEY_MAGIC_SSH1_PUBLIC) { SshPublicKey tmpkey; unsigned char *tmpblob; size_t tmpbloblen; if (ssh1_decode_pubkeyblob(data, len, &my_comment, &tmpkey) == SSH_CRYPTO_OK) { size_t l; SshMPIntegerStruct e, n; char *estr, *nstr; ssh_mprz_init(&e); ssh_mprz_init(&n); if (ssh_public_key_get_info(tmpkey, SSH_PKF_MODULO_N, &n, SSH_PKF_PUBLIC_E, &e, SSH_PKF_END) == SSH_CRYPTO_OK) { ssh_public_key_free(tmpkey); l = ssh_mprz_get_size(&n, 2); estr = ssh_mprz_get_str(&e, 10); nstr = ssh_mprz_get_str(&n, 10); ssh_mprz_clear(&e); ssh_mprz_clear(&n); tmpbloblen = ssh_xdsprintf(&tmpblob, "%u %s %s -", (unsigned int)l, estr, nstr); ssh_xfree(estr); ssh_xfree(nstr); } else { ssh_public_key_free(tmpkey); ssh_mprz_clear(&e); ssh_mprz_clear(&n); ssh_xfree(my_comment); goto fail; } data = tmpblob; len = tmpbloblen; } else { goto fail; } if (comment) *comment = my_comment; else ssh_xfree(my_comment); *blob = data; if (bloblen) *bloblen = len; } #endif /* SSHDIST_APPUTIL_SSH1ENCODE */ else { /* If it's an ssh1 private key we just push entire blob up. */ *blob = data; if (bloblen) *bloblen = len; } SSH_DEBUG(5, ("key blob magic = 0x%08lx", magic)); return magic; fail: ssh_xfree(data); return SSH_KEY_MAGIC_FAIL; }
void ikev2_fallback_negotiation_free(SshIkev2Fb fb, SshIkev2FbNegotiation neg) { SSH_ASSERT(neg->ref_count > 0); neg->ref_count--; if (neg->ref_count > 0) { SSH_DEBUG(SSH_D_NICETOKNOW, ("Fallback negotiation %p has still %d references", neg, neg->ref_count)); return; } SSH_DEBUG(SSH_D_NICETOKNOW, ("Freeing fallback negotiation %p", neg)); if (neg->aggr_mode_responder) fb->num_aggr_mode_responder_active--; if (neg->ed) ikev2_free_exchange_data(neg->ike_sa, neg->ed); if (neg->ike_sa) ssh_ikev2_ike_sa_free(neg->ike_sa); #ifdef SSHDIST_IKE_CERT_AUTH if (neg->private_key) ssh_private_key_free(neg->private_key); if (neg->public_key) ssh_public_key_free(neg->public_key); if (neg->cert_encodings) ssh_free(neg->cert_encodings); if (neg->cert_lengths) ssh_free(neg->cert_lengths); if (neg->certs) { int i; for (i = 0; i < neg->number_of_certificates; i++) ssh_free(neg->certs[i]); ssh_free(neg->certs); } #endif /* SSHDIST_IKE_CERT_AUTH */ #ifdef SSHDIST_IKE_XAUTH if (neg->attrs) ikev2_fb_xauth_free_attributes(neg->attrs); if (neg->v1_attrs) ikev2_fb_xauth_free_v1_attributes(neg->v1_attrs); #endif /* SSHDIST_IKE_XAUTH */ if (neg->transform_index) ssh_free(neg->transform_index); if (neg->selected) ikev2_fb_free_sa_indexes(neg->selected, 1); if (neg->psk) ssh_free(neg->psk); if (neg->sav2) ssh_ikev2_sa_free(neg->server->sad_handle, neg->sav2); if (neg->ikev1_id) ssh_ike_id_free(neg->ikev1_id); #ifdef DEBUG_LIGHT memset(neg, 'F', sizeof(*neg)); #endif /* DEBUG_LIGHT */ neg->next = fb->negotiation_freelist; fb->negotiation_freelist = neg; return; }
int ssh_cm_render_certificate(unsigned char *buf, int len, int precision, void *datum) { SshX509Certificate cert = datum; char *name; unsigned char *t; SshX509Name names; SshMPIntegerStruct mp; SshBerTimeStruct not_before, not_after; SshBufferStruct buffer; SshX509OidList oid_list; const SshOidStruct *oids; Boolean critical; SshStr str; size_t l, kid_len; SshPublicKey pub; unsigned char *kid; if (cert) { ssh_buffer_init(&buffer); ssh_buffer_append_str(&buffer, "\ncertificate = { \n"); /* Add the serial number. */ ssh_mprz_init(&mp); if (ssh_x509_cert_get_serial_number(cert, &mp) == FALSE) { ssh_buffer_append_str(&buffer, " missing-serial-number\n"); } else { if ((t = (unsigned char *) ssh_mprz_get_str(&mp, 10)) != NULL) { ssh_buffer_append_cstrs(&buffer, " serial-number = ", t, "\n", NULL); ssh_mprz_clear(&mp); ssh_free(t); } else { ssh_mprz_clear(&mp); ssh_buffer_uninit(&buffer); return -1; } } /* Add suitable names. */ ssh_x509_name_reset(cert->subject_name); if (!ssh_x509_cert_get_subject_name_str(cert, &str)) { ssh_buffer_append_str(&buffer, " missing-subject-name\n"); } else { SshStr latin1 = ssh_str_charset_convert(str, SSH_CHARSET_ISO_8859_1); name = (char *)ssh_str_get(latin1, &l); ssh_buffer_append_cstrs(&buffer, " subject-name = <", name, ">\n", NULL); ssh_str_free(latin1); ssh_free(name); ssh_str_free(str); } ssh_x509_name_reset(cert->issuer_name); if (!ssh_x509_cert_get_issuer_name(cert, &name)) { ssh_buffer_append_str(&buffer, " missing-issuer-name\n"); } else { ssh_buffer_append_cstrs(&buffer, " issuer-name = <", name, ">\n", NULL); ssh_free(name); } /* Validity period. */ if (!ssh_x509_cert_get_validity(cert, ¬_before, ¬_after)) { ssh_buffer_append_str(&buffer, " missing-validity-period\n"); } else { if ((t = ssh_malloc(64)) != NULL) { if (ssh_ber_time_available(¬_before)) { ssh_snprintf(t, 64, "%@", ssh_ber_time_render, ¬_before); ssh_buffer_append_cstrs(&buffer, " not-before = ", t, "\n", NULL); } if (ssh_ber_time_available(¬_after)) { ssh_snprintf(t, 64, "%@", ssh_ber_time_render, ¬_after); ssh_buffer_append_cstrs(&buffer, " not-after = ", t, "\n", NULL); } ssh_free(t); } } if (ssh_x509_cert_get_subject_key_id(cert, &kid, &kid_len, &critical)) { unsigned char *fingerprint; if ((fingerprint = (unsigned char *) ssh_fingerprint(kid, kid_len, SSH_FINGERPRINT_HEX_UPPER)) != NULL) ssh_buffer_append_cstrs(&buffer, " subject-kid = ", fingerprint, "\n", NULL); ssh_free(fingerprint); } if (ssh_x509_cert_get_public_key(cert, &pub)) { unsigned char *key_digest; size_t digest_len; if (ssh_cm_key_kid_create(pub, FALSE, &key_digest, &digest_len)) { unsigned char *fingerprint; fingerprint = (unsigned char *)ssh_fingerprint(key_digest, digest_len, SSH_FINGERPRINT_HEX_UPPER); if (fingerprint) { ssh_buffer_append_cstrs(&buffer, " pubkey-hash = ", ssh_sstr(fingerprint), "\n", NULL); } ssh_free(fingerprint); ssh_free(key_digest); } ssh_public_key_free(pub); } /* Some alternate names. */ if (ssh_x509_cert_get_subject_alternative_names(cert, &names, &critical)) { ssh_x509_name_reset(names); ssh_buffer_append_str(&buffer, " subject-alt-names = { \n"); ssh_cm_names_dump(&buffer, names); ssh_buffer_append_str(&buffer, " }\n"); } if (ssh_x509_cert_get_issuer_alternative_names(cert, &names, &critical)) { ssh_x509_name_reset(names); ssh_buffer_append_str(&buffer, " issuer-alt-names = { \n"); ssh_cm_names_dump(&buffer, names); ssh_buffer_append_str(&buffer, " }\n"); } if (ssh_x509_cert_get_ext_key_usage(cert, &oid_list, &critical)) { ssh_buffer_append_str(&buffer, " extended-key-usage = { \n"); while (oid_list != NULL) { oids = ssh_oid_find_by_oid_of_type(ssh_custr(oid_list->oid), SSH_OID_EXT_KEY_USAGE); if (oids == NULL) ssh_buffer_append_cstrs(&buffer, " (", oid_list->oid, ")\n", NULL); else ssh_buffer_append_cstrs(&buffer, " ", oids->std_name, " (", oid_list->oid, ")\n", NULL); oid_list = oid_list->next; } ssh_buffer_append_str(&buffer, " }\n"); } ssh_buffer_append_str(&buffer, "}\n"); return cm_debug_renderer_return(&buffer, buf, len); } return 0; }
int main(int argc, char **argv) { SshExternalKeyTestCtx test_ctx; int i; SshPrivateKey prv_key; SshPublicKey pub_key; SshMPInteger n; parse_arguments(argc, argv); ssh_pk_provider_register(&ssh_pk_if_modn_generator); /* Initialize the event loop and the test context. */ ssh_event_loop_initialize(); ssh_debug_set_level_string(debug_level_string); ssh_global_init(); /* Initialize the crypto library. */ if (ssh_crypto_library_initialize() != SSH_CRYPTO_OK) ssh_fatal("Cannot initialize the crypto library"); test_ctx = ssh_xcalloc(1, sizeof(*test_ctx)); test_ctx->accelerated_encrypts_left = default_accelerated_encrypts; test_ctx->timer = ssh_time_measure_allocate(); SSH_DEBUG(3, ("Reading the test key. Please wait....")); prv_key = get_prv_key("accelerator-test.prv"); if (ssh_private_key_select_scheme(prv_key, SSH_PKF_ENCRYPT, "rsa-none-none", SSH_PKF_END) != SSH_CRYPTO_OK) ssh_fatal("Could not select the scheme for private key"); if (ssh_private_key_derive_public_key(prv_key, &pub_key) != SSH_CRYPTO_OK) { ssh_fatal("Can not derive a public key from a " "stored private key"); } if (ssh_public_key_select_scheme(pub_key, SSH_PKF_ENCRYPT, "rsa-none-none", SSH_PKF_END) != SSH_CRYPTO_OK) ssh_fatal("Could not select the scheme for public key"); n = ssh_mprz_malloc(); /* Get information about the RSA key. E and N are needed for nFast. */ if (ssh_public_key_get_info(pub_key, SSH_PKF_MODULO_N, n, SSH_PKF_END) != SSH_CRYPTO_OK) { return FALSE; } #if 0 n_bytes = (ssh_mprz_get_size(n, 2) + 7) / 8; if (n_bytes == 0 || (n_bytes & 3) != 0) n_bytes += (4 - (n_bytes & 3)); test_ctx->big_buf = ssh_xmalloc(n_bytes); test_ctx->big_buf_len = n_bytes; ssh_mprz_get_buf(test_ctx->big_buf, test_ctx->big_buf_len, n); ssh_mprz_free(n); test_ctx->big_buf_len = 128; test_ctx->big_buf[0] = 1; #else #if 0 n_bytes = ssh_mprz_get_size(n, 8); test_ctx->big_buf = ssh_xmalloc(n_bytes); test_ctx->big_buf_len = n_bytes; ssh_mprz_init(&r); ssh_mprz_rand(&r, n_bytes * 8); ssh_mprz_mod(&r, &r, n); ssh_mprz_get_buf(test_ctx->big_buf, test_ctx->big_buf_len, &r); ssh_mprz_free(n); ssh_mprz_clear(&r); #else test_ctx->big_buf = ssh_xmalloc(129); test_ctx->big_buf_len = 129; memcpy(test_ctx->big_buf, "\x00\x50\xe7\x85\x86\x40\xf8\x9b" "\xb8\xeb\x19\x64\xd8\x51\x33\xd7" "\x4f\xac\x32\x5d\x03\x66\x3d\x0c" "\xbe\xfd\x40\x29\x82\xb7\x61\x09" "\x15\x37\x4f\xe1\xd0\x57\xb0\x6d" "\x16\x49\x73\x25\x20\x3d\xa8\xfa" "\xf6\xb4\x72\xec\x75\xc8\x42\xc7" "\x99\x64\x63\x23\x29\xe0\x65\xa1" "\x2a\xc2\xb7\xf1\x5b\xb4\x9b\x30" "\xdb\xc7\x22\xb9\xf9\xde\xb5\x09" "\xb5\xe0\x0a\xca\xc5\xf9\xaf\x8f" "\x54\xf2\x9a\x06\x2b\xc1\xc2\x65" "\x87\xb3\xd5\xec\xd3\x8a\x2f\xa7" "\x5f\x69\x34\xe7\x7f\xeb\xaf\x56" "\x3c\x3d\x71\x3f\x73\xba\x8b\xa7" "\xd3\xe5\x6d\x98\xc8\x01\x6b\x18" "\x14", 129); #endif #endif test_ctx->pub_key = pub_key; test_ctx->prv_key = prv_key; test_ek_add(test_ctx); #ifndef WIN32 ssh_register_signal(SIGUSR1, test_signal_handler, test_ctx); #endif ssh_event_loop_run(); /* Uninitialize. */ for (i = 0; i < test_ctx->num_prv_keys; i++) ssh_private_key_free(test_ctx->prv_keys[i]); for (i = 0; i < test_ctx->num_pub_keys; i++) ssh_public_key_free(test_ctx->pub_keys[i]); ssh_xfree(test_ctx->prv_keys); ssh_xfree(test_ctx->pub_keys); ssh_xfree(test_ctx); return 0; }