1 /* $OpenBSD: key.c,v 1.130 2016/05/02 09:36:42 djm Exp $ */
3 * placed in the public domain
14 #define SSH_KEY_NO_DEFINE
24 key_add_private(Key
*k
)
28 if ((r
= sshkey_add_private(k
)) != 0)
29 fatal("%s: %s", __func__
, ssh_err(r
));
33 key_new_private(int type
)
37 if ((ret
= sshkey_new_private(type
)) == NULL
)
38 fatal("%s: failed", __func__
);
43 key_read(Key
*ret
, char **cpp
)
45 return sshkey_read(ret
, cpp
) == 0 ? 1 : -1;
49 key_write(const Key
*key
, FILE *f
)
51 return sshkey_write(key
, f
) == 0 ? 1 : 0;
55 key_generate(int type
, u_int bits
)
60 if ((r
= sshkey_generate(type
, bits
, &ret
)) != 0)
61 fatal("%s: %s", __func__
, ssh_err(r
));
66 key_cert_copy(const Key
*from_key
, Key
*to_key
)
70 if ((r
= sshkey_cert_copy(from_key
, to_key
)) != 0)
71 fatal("%s: %s", __func__
, ssh_err(r
));
75 key_from_private(const Key
*k
)
80 if ((r
= sshkey_from_private(k
, &ret
)) != 0)
81 fatal("%s: %s", __func__
, ssh_err(r
));
86 fatal_on_fatal_errors(int r
, const char *func
, int extra_fatal
)
88 if (r
== SSH_ERR_INTERNAL_ERROR
||
89 r
== SSH_ERR_ALLOC_FAIL
||
90 (extra_fatal
!= 0 && r
== extra_fatal
))
91 fatal("%s: %s", func
, ssh_err(r
));
95 key_from_blob(const u_char
*blob
, u_int blen
)
100 if ((r
= sshkey_from_blob(blob
, blen
, &ret
)) != 0) {
101 fatal_on_fatal_errors(r
, __func__
, 0);
102 error("%s: %s", __func__
, ssh_err(r
));
109 key_to_blob(const Key
*key
, u_char
**blobp
, u_int
*lenp
)
119 if ((r
= sshkey_to_blob(key
, &blob
, &blen
)) != 0) {
120 fatal_on_fatal_errors(r
, __func__
, 0);
121 error("%s: %s", __func__
, ssh_err(r
));
125 fatal("%s: giant len %zu", __func__
, blen
);
134 key_sign(const Key
*key
, u_char
**sigp
, u_int
*lenp
,
135 const u_char
*data
, u_int datalen
, const char *alg
)
145 if ((r
= sshkey_sign(key
, &sig
, &siglen
,
146 data
, datalen
, alg
, datafellows
)) != 0) {
147 fatal_on_fatal_errors(r
, __func__
, 0);
148 error("%s: %s", __func__
, ssh_err(r
));
151 if (siglen
> INT_MAX
)
152 fatal("%s: giant len %zu", __func__
, siglen
);
161 key_verify(const Key
*key
, const u_char
*signature
, u_int signaturelen
,
162 const u_char
*data
, u_int datalen
)
166 if ((r
= sshkey_verify(key
, signature
, signaturelen
,
167 data
, datalen
, datafellows
)) != 0) {
168 fatal_on_fatal_errors(r
, __func__
, 0);
169 error("%s: %s", __func__
, ssh_err(r
));
170 return r
== SSH_ERR_SIGNATURE_INVALID
? 0 : -1;
176 key_demote(const Key
*k
)
181 if ((r
= sshkey_demote(k
, &ret
)) != 0)
182 fatal("%s: %s", __func__
, ssh_err(r
));
187 key_to_certified(Key
*k
)
191 if ((r
= sshkey_to_certified(k
)) != 0) {
192 fatal_on_fatal_errors(r
, __func__
, 0);
193 error("%s: %s", __func__
, ssh_err(r
));
200 key_drop_cert(Key
*k
)
204 if ((r
= sshkey_drop_cert(k
)) != 0) {
205 fatal_on_fatal_errors(r
, __func__
, 0);
206 error("%s: %s", __func__
, ssh_err(r
));
213 key_certify(Key
*k
, Key
*ca
)
217 if ((r
= sshkey_certify(k
, ca
, NULL
)) != 0) {
218 fatal_on_fatal_errors(r
, __func__
, 0);
219 error("%s: %s", __func__
, ssh_err(r
));
226 key_cert_check_authority(const Key
*k
, int want_host
, int require_principal
,
227 const char *name
, const char **reason
)
231 if ((r
= sshkey_cert_check_authority(k
, want_host
, require_principal
,
232 name
, reason
)) != 0) {
233 fatal_on_fatal_errors(r
, __func__
, 0);
234 error("%s: %s", __func__
, ssh_err(r
));
240 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
242 key_ec_validate_public(const EC_GROUP
*group
, const EC_POINT
*public)
246 if ((r
= sshkey_ec_validate_public(group
, public)) != 0) {
247 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
248 error("%s: %s", __func__
, ssh_err(r
));
255 key_ec_validate_private(const EC_KEY
*key
)
259 if ((r
= sshkey_ec_validate_private(key
)) != 0) {
260 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
261 error("%s: %s", __func__
, ssh_err(r
));
266 #endif /* WITH_OPENSSL */
269 key_private_serialize(const Key
*key
, struct sshbuf
*b
)
273 if ((r
= sshkey_private_serialize(key
, b
)) != 0)
274 fatal("%s: %s", __func__
, ssh_err(r
));
278 key_private_deserialize(struct sshbuf
*blob
)
283 if ((r
= sshkey_private_deserialize(blob
, &ret
)) != 0) {
284 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
285 error("%s: %s", __func__
, ssh_err(r
));
294 key_save_private(Key
*key
, const char *filename
, const char *passphrase
,
295 const char *comment
, int force_new_format
, const char *new_format_cipher
,
296 int new_format_rounds
)
300 if ((r
= sshkey_save_private(key
, filename
, passphrase
, comment
,
301 force_new_format
, new_format_cipher
, new_format_rounds
)) != 0) {
302 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
303 error("%s: %s", __func__
, ssh_err(r
));
310 key_load_file(int fd
, const char *filename
, struct sshbuf
*blob
)
314 if ((r
= sshkey_load_file(fd
, blob
)) != 0) {
315 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
316 error("%s: %s", __func__
, ssh_err(r
));
323 key_load_cert(const char *filename
)
328 if ((r
= sshkey_load_cert(filename
, &ret
)) != 0) {
329 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
330 /* Old authfile.c ignored all file errors. */
331 if (r
== SSH_ERR_SYSTEM_ERROR
)
332 debug("%s: %s", __func__
, ssh_err(r
));
334 error("%s: %s", __func__
, ssh_err(r
));
342 key_load_public(const char *filename
, char **commentp
)
347 if ((r
= sshkey_load_public(filename
, &ret
, commentp
)) != 0) {
348 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
349 /* Old authfile.c ignored all file errors. */
350 if (r
== SSH_ERR_SYSTEM_ERROR
)
351 debug("%s: %s", __func__
, ssh_err(r
));
353 error("%s: %s", __func__
, ssh_err(r
));
360 key_load_private(const char *path
, const char *passphrase
,
366 if ((r
= sshkey_load_private(path
, passphrase
, &ret
, commentp
)) != 0) {
367 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
368 /* Old authfile.c ignored all file errors. */
369 if (r
== SSH_ERR_SYSTEM_ERROR
||
370 r
== SSH_ERR_KEY_WRONG_PASSPHRASE
)
371 debug("%s: %s", __func__
, ssh_err(r
));
373 error("%s: %s", __func__
, ssh_err(r
));
380 key_load_private_cert(int type
, const char *filename
, const char *passphrase
,
386 if ((r
= sshkey_load_private_cert(type
, filename
, passphrase
,
387 &ret
, perm_ok
)) != 0) {
388 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
389 /* Old authfile.c ignored all file errors. */
390 if (r
== SSH_ERR_SYSTEM_ERROR
||
391 r
== SSH_ERR_KEY_WRONG_PASSPHRASE
)
392 debug("%s: %s", __func__
, ssh_err(r
));
394 error("%s: %s", __func__
, ssh_err(r
));
401 key_load_private_type(int type
, const char *filename
, const char *passphrase
,
402 char **commentp
, int *perm_ok
)
407 if ((r
= sshkey_load_private_type(type
, filename
, passphrase
,
408 &ret
, commentp
, perm_ok
)) != 0) {
409 fatal_on_fatal_errors(r
, __func__
, SSH_ERR_LIBCRYPTO_ERROR
);
410 /* Old authfile.c ignored all file errors. */
411 if (r
== SSH_ERR_SYSTEM_ERROR
||
412 (r
== SSH_ERR_KEY_WRONG_PASSPHRASE
))
413 debug("%s: %s", __func__
, ssh_err(r
));
415 error("%s: %s", __func__
, ssh_err(r
));
422 key_perm_ok(int fd
, const char *filename
)
424 return sshkey_perm_ok(fd
, filename
) == 0 ? 1 : 0;