1 /* $OpenBSD: key.c,v 1.122 2014/07/22 01:18:50 dtucker Exp $ */
3 * placed in the public domain
14 #define SSH_KEY_NO_DEFINE
24 key_add_private(Key
*k
)
28 if ((r
= sshkey_add_private(k
)) != 0)
29 fatal("%s: %s", __func__
, ssh_err(r
));
33 key_new_private(int type
)
37 if ((ret
= sshkey_new_private(type
)) == NULL
)
38 fatal("%s: failed", __func__
);
43 key_fingerprint_raw(const Key
*k
, enum fp_type dgst_type
,
44 u_int
*dgst_raw_length
)
50 if (dgst_raw_length
!= NULL
)
52 if ((r
= sshkey_fingerprint_raw(k
, dgst_type
, &ret
, &dlen
)) != 0)
53 fatal("%s: %s", __func__
, ssh_err(r
));
55 fatal("%s: giant len %zu", __func__
, dlen
);
56 *dgst_raw_length
= dlen
;
61 key_read(Key
*ret
, char **cpp
)
63 return sshkey_read(ret
, cpp
) == 0 ? 1 : -1;
67 key_write(const Key
*key
, FILE *f
)
69 return sshkey_write(key
, f
) == 0 ? 1 : 0;
73 key_generate(int type
, u_int bits
)
78 if ((r
= sshkey_generate(type
, bits
, &ret
)) != 0)
79 fatal("%s: %s", __func__
, ssh_err(r
));
84 key_cert_copy(const Key
*from_key
, Key
*to_key
)
88 if ((r
= sshkey_cert_copy(from_key
, to_key
)) != 0)
89 fatal("%s: %s", __func__
, ssh_err(r
));
93 key_from_private(const Key
*k
)
98 if ((r
= sshkey_from_private(k
, &ret
)) != 0)
99 fatal("%s: %s", __func__
, ssh_err(r
));
104 fatal_on_fatal_errors(int r
, const char *func
, int extra_fatal
)
106 if (r
== SSH_ERR_INTERNAL_ERROR
||
107 r
== SSH_ERR_ALLOC_FAIL
||
108 (extra_fatal
!= 0 && r
== extra_fatal
))
109 fatal("%s: %s", func
, ssh_err(r
));
113 key_from_blob(const u_char
*blob
, u_int blen
)
118 if ((r
= sshkey_from_blob(blob
, blen
, &ret
)) != 0) {
119 fatal_on_fatal_errors(r
, __func__
, 0);
120 error("%s: %s", __func__
, ssh_err(r
));
127 key_to_blob(const Key
*key
, u_char
**blobp
, u_int
*lenp
)
137 if ((r
= sshkey_to_blob(key
, &blob
, &blen
)) != 0) {
138 fatal_on_fatal_errors(r
, __func__
, 0);
139 error("%s: %s", __func__
, ssh_err(r
));
143 fatal("%s: giant len %zu", __func__
, blen
);
152 key_sign(const Key
*key
, u_char
**sigp
, u_int
*lenp
,
153 const u_char
*data
, u_int datalen
)
163 if ((r
= sshkey_sign(key
, &sig
, &siglen
,
164 data
, datalen
, datafellows
)) != 0) {
165 fatal_on_fatal_errors(r
, __func__
, 0);
166 error("%s: %s", __func__
, ssh_err(r
));
169 if (siglen
> INT_MAX
)
170 fatal("%s: giant len %zu", __func__
, siglen
);
179 key_verify(const Key
*key
, const u_char
*signature
, u_int signaturelen
,
180 const u_char
*data
, u_int datalen
)
184 if ((r
= sshkey_verify(key
, signature
, signaturelen
,
185 data
, datalen
, datafellows
)) != 0) {
186 fatal_on_fatal_errors(r
, __func__
, 0);
187 error("%s: %s", __func__
, ssh_err(r
));
188 return r
== SSH_ERR_SIGNATURE_INVALID
? 0 : -1;
194 key_demote(const Key
*k
)
199 if ((r
= sshkey_demote(k
, &ret
)) != 0)
200 fatal("%s: %s", __func__
, ssh_err(r
));
205 key_to_certified(Key
*k
, int legacy
)
209 if ((r
= sshkey_to_certified(k
, legacy
)) != 0) {
210 fatal_on_fatal_errors(r
, __func__
, 0);
211 error("%s: %s", __func__
, ssh_err(r
));
218 key_drop_cert(Key
*k
)
222 if ((r
= sshkey_drop_cert(k
)) != 0) {
223 fatal_on_fatal_errors(r
, __func__
, 0);
224 error("%s: %s", __func__
, ssh_err(r
));
231 key_certify(Key
*k
, Key
*ca
)
235 if ((r
= sshkey_certify(k
, ca
)) != 0) {
236 fatal_on_fatal_errors(r
, __func__
, 0);
237 error("%s: %s", __func__
, ssh_err(r
));
244 key_cert_check_authority(const Key
*k
, int want_host
, int require_principal
,
245 const char *name
, const char **reason
)
249 if ((r
= sshkey_cert_check_authority(k
, want_host
, require_principal
,
250 name
, reason
)) != 0) {
251 fatal_on_fatal_errors(r
, __func__
, 0);
252 error("%s: %s", __func__
, ssh_err(r
));
258 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
260 key_ec_validate_public(const EC_GROUP
*group
, const EC_POINT
*public)
264 if ((r
= sshkey_ec_validate_public(group
, public)) != 0) {
265 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
266 error("%s: %s", __func__
, ssh_err(r
));
273 key_ec_validate_private(const EC_KEY
*key
)
277 if ((r
= sshkey_ec_validate_private(key
)) != 0) {
278 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
279 error("%s: %s", __func__
, ssh_err(r
));
284 #endif /* WITH_OPENSSL */
287 key_private_serialize(const Key
*key
, struct sshbuf
*b
)
291 if ((r
= sshkey_private_serialize(key
, b
)) != 0)
292 fatal("%s: %s", __func__
, ssh_err(r
));
296 key_private_deserialize(struct sshbuf
*blob
)
301 if ((r
= sshkey_private_deserialize(blob
, &ret
)) != 0) {
302 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
303 error("%s: %s", __func__
, ssh_err(r
));
312 key_save_private(Key
*key
, const char *filename
, const char *passphrase
,
313 const char *comment
, int force_new_format
, const char *new_format_cipher
,
314 int new_format_rounds
)
318 if ((r
= sshkey_save_private(key
, filename
, passphrase
, comment
,
319 force_new_format
, new_format_cipher
, new_format_rounds
)) != 0) {
320 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
321 error("%s: %s", __func__
, ssh_err(r
));
328 key_load_file(int fd
, const char *filename
, struct sshbuf
*blob
)
332 if ((r
= sshkey_load_file(fd
, filename
, blob
)) != 0) {
333 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
334 error("%s: %s", __func__
, ssh_err(r
));
341 key_load_cert(const char *filename
)
346 if ((r
= sshkey_load_cert(filename
, &ret
)) != 0) {
347 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
348 /* Old authfile.c ignored all file errors. */
349 if (r
== SSH_ERR_SYSTEM_ERROR
)
350 debug("%s: %s", __func__
, ssh_err(r
));
352 error("%s: %s", __func__
, ssh_err(r
));
360 key_load_public(const char *filename
, char **commentp
)
365 if ((r
= sshkey_load_public(filename
, &ret
, commentp
)) != 0) {
366 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
367 /* Old authfile.c ignored all file errors. */
368 if (r
== SSH_ERR_SYSTEM_ERROR
)
369 debug("%s: %s", __func__
, ssh_err(r
));
371 error("%s: %s", __func__
, ssh_err(r
));
378 key_load_private(const char *path
, const char *passphrase
,
384 if ((r
= sshkey_load_private(path
, passphrase
, &ret
, commentp
)) != 0) {
385 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
386 /* Old authfile.c ignored all file errors. */
387 if (r
== SSH_ERR_SYSTEM_ERROR
||
388 r
== SSH_ERR_KEY_WRONG_PASSPHRASE
)
389 debug("%s: %s", __func__
, ssh_err(r
));
391 error("%s: %s", __func__
, ssh_err(r
));
398 key_load_private_cert(int type
, const char *filename
, const char *passphrase
,
404 if ((r
= sshkey_load_private_cert(type
, filename
, passphrase
,
405 &ret
, perm_ok
)) != 0) {
406 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
407 /* Old authfile.c ignored all file errors. */
408 if (r
== SSH_ERR_SYSTEM_ERROR
||
409 r
== SSH_ERR_KEY_WRONG_PASSPHRASE
)
410 debug("%s: %s", __func__
, ssh_err(r
));
412 error("%s: %s", __func__
, ssh_err(r
));
419 key_load_private_type(int type
, const char *filename
, const char *passphrase
,
420 char **commentp
, int *perm_ok
)
425 if ((r
= sshkey_load_private_type(type
, filename
, passphrase
,
426 &ret
, commentp
, perm_ok
)) != 0) {
427 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
428 /* Old authfile.c ignored all file errors. */
429 if (r
== SSH_ERR_SYSTEM_ERROR
||
430 (r
== SSH_ERR_KEY_WRONG_PASSPHRASE
))
431 debug("%s: %s", __func__
, ssh_err(r
));
433 error("%s: %s", __func__
, ssh_err(r
));
441 key_load_private_pem(int fd
, int type
, const char *passphrase
,
447 if ((r
= sshkey_load_private_pem(fd
, type
, passphrase
,
448 &ret
, commentp
)) != 0) {
449 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
450 if (r
== SSH_ERR_KEY_WRONG_PASSPHRASE
)
451 debug("%s: %s", __func__
, ssh_err(r
));
453 error("%s: %s", __func__
, ssh_err(r
));
458 #endif /* WITH_OPENSSL */
461 key_perm_ok(int fd
, const char *filename
)
463 return sshkey_perm_ok(fd
, filename
) == 0 ? 1 : 0;
467 key_in_file(Key
*key
, const char *filename
, int strict_type
)
471 if ((r
= sshkey_in_file(key
, filename
, strict_type
)) != 0) {
472 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
473 if (r
== SSH_ERR_SYSTEM_ERROR
&& errno
== ENOENT
)
475 error("%s: %s", __func__
, ssh_err(r
));
476 return r
== SSH_ERR_KEY_NOT_FOUND
? 0 : -1;