* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.44 2019/09/06 04:53:27 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.45 2019/10/31 21:23:19 djm Exp $ */
#include "includes.h"
goto out;
if ((r = sshkey_sign(sign_keys[i], &sblob, &slen,
- sshbuf_ptr(buf), sshbuf_len(buf), NULL, 0)) != 0)
+ sshbuf_ptr(buf), sshbuf_len(buf), NULL, NULL, 0)) != 0)
goto out;
KRL_DBG(("%s: signature sig len %zu", __func__, slen));
if ((r = sshbuf_put_string(buf, sblob, slen)) != 0)
-/* $OpenBSD: monitor.c,v 1.199 2019/10/07 23:10:38 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.200 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
if ((key = get_hostkey_by_index(keyid)) != NULL) {
if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
- compat)) != 0)
+ NULL, compat)) != 0)
fatal("%s: sshkey_sign failed: %s",
__func__, ssh_err(r));
} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
-/* $OpenBSD: monitor_wrap.c,v 1.113 2019/06/28 13:35:04 deraadt Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.114 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
int
mm_sshkey_sign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, const char *hostkey_alg, u_int compat)
+ const u_char *data, size_t datalen, const char *hostkey_alg,
+ const char *sk_provider, u_int compat)
{
struct kex *kex = *pmonitor->m_pkex;
struct sshbuf *m;
int r;
debug3("%s entering", __func__);
-
+ if (sk_provider != NULL)
+ fatal("%s: sk_provider != NULL", __func__);
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_put_u32(m, ndx)) != 0 ||
-/* $OpenBSD: monitor_wrap.h,v 1.42 2019/09/06 05:23:55 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.43 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
DH *mm_choose_dh(int, int, int);
#endif
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, const char *, u_int compat);
+ const u_char *, size_t, const char *, const char *, u_int compat);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
-/* $OpenBSD: ssh-agent.c,v 1.238 2019/10/31 21:22:01 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.239 2019/10/31 21:23:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if ((r = provider_sign(id->sk_provider, id->key, &signature,
&slen, data, dlen, agent_decode_alg(key, flags),
compat)) != 0) {
- error("%s: sshkey_sign: %s", __func__, ssh_err(r));
+ error("%s: sign: %s", __func__, ssh_err(r));
goto send;
}
} else {
if ((r = sshkey_sign(id->key, &signature, &slen,
- data, dlen, agent_decode_alg(key, flags), compat)) != 0) {
+ data, dlen, agent_decode_alg(key, flags),
+ NULL, compat)) != 0) {
error("%s: sshkey_sign: %s", __func__, ssh_err(r));
goto send;
}
-/* $OpenBSD: ssh-keygen.c,v 1.357 2019/10/31 21:17:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.358 2019/10/31 21:23:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
error("%s: remaining bytes in key blob %d", __func__, rlen);
/* try the key */
- if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 ||
- sshkey_verify(key, sig, slen, data, sizeof(data), NULL, 0) != 0) {
+ if (sshkey_sign(key, &sig, &slen, data, sizeof(data),
+ NULL, NULL, 0) != 0 ||
+ sshkey_verify(key, sig, slen, data, sizeof(data),
+ NULL, 0) != 0) {
sshkey_free(key);
free(sig);
return NULL;
static int
agent_signer(struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen,
- const char *alg, u_int compat, void *ctx)
+ const char *alg, const char *sk_provider, u_int compat, void *ctx)
{
int *agent_fdp = (int *)ctx;
if (agent_fd != -1 && (ca->flags & SSHKEY_FLAG_EXT) != 0) {
if ((r = sshkey_certify_custom(public, ca,
- key_type_name, agent_signer, &agent_fd)) != 0)
+ key_type_name, sk_provider, agent_signer,
+ &agent_fd)) != 0)
fatal("Couldn't certify key %s via agent: %s",
tmp, ssh_err(r));
} else {
- if ((sshkey_certify(public, ca, key_type_name)) != 0)
+ if ((sshkey_certify(public, ca, key_type_name,
+ sk_provider)) != 0)
fatal("Couldn't certify key %s: %s",
tmp, ssh_err(r));
}
else
fprintf(stderr, "Signing file %s\n", filename);
}
- if ((r = sshsig_sign_fd(signkey, NULL, fd, sig_namespace,
+ if ((r = sshsig_sign_fd(signkey, NULL, sk_provider, fd, sig_namespace,
&sigbuf, signer, signer_ctx)) != 0) {
error("Signing %s failed: %s", filename, ssh_err(r));
goto out;
-/* $OpenBSD: ssh-keysign.c,v 1.61 2019/10/02 00:42:30 djm Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.62 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
sshkey_type(key), fp ? fp : "");
}
- if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, NULL, 0))
- != 0)
+ if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen,
+ NULL, NULL, 0)) != 0)
fatal("sshkey_sign failed: %s", ssh_err(r));
free(data);
-/* $OpenBSD: ssh_api.c,v 1.18 2019/09/13 04:36:43 dtucker Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.19 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright (c) 2012 Markus Friedl. All rights reserved.
*
*/
int use_privsep = 0;
int mm_sshkey_sign(struct sshkey *, u_char **, u_int *,
- u_char *, u_int, char *, u_int);
+ const u_char *, u_int, const char *, const char *, u_int);
#ifdef WITH_OPENSSL
DH *mm_choose_dh(int, int, int);
int
mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp,
- u_char *data, u_int datalen, char *alg, u_int compat)
+ const u_char *data, u_int datalen, const char *alg, const char *sk_provider,
+ u_int compat)
{
return (-1);
}
const u_char *data, size_t dlen, const char *alg)
{
return sshkey_sign(privkey, signature, slen, data, dlen,
- alg, ssh->compat);
+ alg, NULL, ssh->compat);
}
-/* $OpenBSD: sshconnect2.c,v 1.309 2019/10/31 21:18:28 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.310 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
}
sign_key = prv;
}
-
- if (sshkey_type_plain(sign_key->type) == KEY_ECDSA_SK) {
- if (options.sk_provider == NULL) {
- /* Shouldn't happen here; checked in pubkey_prepare() */
- fatal("%s: missing SecurityKeyProvider", __func__);
- }
- if ((r = sshsk_ecdsa_sign(options.sk_provider, sign_key,
- sigp, lenp, data, datalen, compat)) != 0) {
- debug("%s: sshsk_ecdsa_sign: %s", __func__, ssh_err(r));
- goto out;
- }
- } else if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
- alg, compat)) != 0) {
+ if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen,
+ alg, options.sk_provider, compat)) != 0) {
debug("%s: sshkey_sign: %s", __func__, ssh_err(r));
goto out;
}
-/* $OpenBSD: sshd.c,v 1.538 2019/10/29 07:47:27 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.539 2019/10/31 21:23:19 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if (use_privsep) {
if (privkey) {
if (mm_sshkey_sign(ssh, privkey, signature, slenp,
- data, dlen, alg, ssh->compat) < 0)
+ data, dlen, alg, NULL, ssh->compat) < 0)
fatal("%s: privkey sign failed", __func__);
} else {
if (mm_sshkey_sign(ssh, pubkey, signature, slenp,
- data, dlen, alg, ssh->compat) < 0)
+ data, dlen, alg, NULL, ssh->compat) < 0)
fatal("%s: pubkey sign failed", __func__);
}
} else {
if (privkey) {
if (sshkey_sign(privkey, signature, slenp, data, dlen,
- alg, ssh->compat) < 0)
+ alg, NULL, ssh->compat) < 0)
fatal("%s: privkey sign failed", __func__);
} else {
if ((r = ssh_agent_sign(auth_sock, pubkey,
-/* $OpenBSD: sshkey.c,v 1.85 2019/10/31 21:15:14 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.86 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
+#include "ssh-sk.h"
#ifdef WITH_XMSS
#include "sshkey-xmss.h"
int
sshkey_sign(struct sshkey *key,
u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen, const char *alg, u_int compat)
+ const u_char *data, size_t datalen,
+ const char *alg, const char *sk_provider, u_int compat)
{
int was_shielded = sshkey_is_shielded(key);
int r2, r = SSH_ERR_INTERNAL_ERROR;
case KEY_ECDSA:
r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
break;
+ case KEY_ECDSA_SK_CERT:
+ case KEY_ECDSA_SK:
+ r = sshsk_ecdsa_sign(sk_provider, key, sigp, lenp,
+ data, datalen, compat);
+ break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
case KEY_RSA:
/* Sign a certified key, (re-)generating the signed certblob. */
int
sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
- sshkey_certify_signer *signer, void *signer_ctx)
+ const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx)
{
struct sshbuf *principals = NULL;
u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
/* Sign the whole mess */
if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
- sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
+ sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0)
goto out;
/* Check and update signature_type against what was actually used */
if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
static int
default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen,
- const char *alg, u_int compat, void *ctx)
+ const char *alg, const char *sk_provider, u_int compat, void *ctx)
{
if (ctx != NULL)
return SSH_ERR_INVALID_ARGUMENT;
- return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
+ return sshkey_sign(key, sigp, lenp, data, datalen, alg,
+ sk_provider, compat);
}
int
-sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
+sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
+ const char *sk_provider)
{
- return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
+ return sshkey_certify_custom(k, ca, alg, sk_provider,
+ default_key_sign, NULL);
}
int
-/* $OpenBSD: sshkey.h,v 1.35 2019/10/31 21:15:14 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.36 2019/10/31 21:23:19 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
char *, size_t) __attribute__((__bounded__(__string__, 2, 3)));
int sshkey_check_cert_sigtype(const struct sshkey *, const char *);
-int sshkey_certify(struct sshkey *, struct sshkey *, const char *);
+int sshkey_certify(struct sshkey *, struct sshkey *,
+ const char *, const char *);
/* Variant allowing use of a custom signature function (e.g. for ssh-agent) */
typedef int sshkey_certify_signer(struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, const char *, u_int, void *);
+ const u_char *, size_t, const char *, const char *, u_int, void *);
int sshkey_certify_custom(struct sshkey *, struct sshkey *, const char *,
- sshkey_certify_signer *, void *);
+ const char *, sshkey_certify_signer *, void *);
int sshkey_ecdsa_nid_from_name(const char *);
int sshkey_curve_name_to_nid(const char *);
int sshkey_putb_plain(const struct sshkey *, struct sshbuf *);
int sshkey_sign(struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, const char *, u_int);
+ const u_char *, size_t, const char *, const char *, u_int);
int sshkey_verify(const struct sshkey *, const u_char *, size_t,
const u_char *, size_t, const char *, u_int);
int sshkey_check_sigtype(const u_char *, size_t, const char *);
static int
sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
- const struct sshbuf *h_message, const char *sig_namespace,
- struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
+ const char *sk_provider, const struct sshbuf *h_message,
+ const char *sig_namespace, struct sshbuf **out,
+ sshsig_signer *signer, void *signer_ctx)
{
int r;
size_t slen = 0;
if (signer != NULL) {
if ((r = signer(key, &sig, &slen,
sshbuf_ptr(tosign), sshbuf_len(tosign),
- sign_alg, 0, signer_ctx)) != 0) {
+ sign_alg, sk_provider, 0, signer_ctx)) != 0) {
error("Couldn't sign message: %s", ssh_err(r));
goto done;
}
} else {
if ((r = sshkey_sign(key, &sig, &slen,
sshbuf_ptr(tosign), sshbuf_len(tosign),
- sign_alg, 0)) != 0) {
+ sign_alg, sk_provider, 0)) != 0) {
error("Couldn't sign message: %s", ssh_err(r));
goto done;
}
}
int
-sshsig_signb(struct sshkey *key, const char *hashalg,
+sshsig_signb(struct sshkey *key, const char *hashalg, const char *sk_provider,
const struct sshbuf *message, const char *sig_namespace,
struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
{
error("%s: hash_buffer failed: %s", __func__, ssh_err(r));
goto out;
}
- if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
- signer, signer_ctx)) != 0)
+ if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+ sig_namespace, out, signer, signer_ctx)) != 0)
goto out;
/* success */
r = 0;
}
int
-sshsig_sign_fd(struct sshkey *key, const char *hashalg,
+sshsig_sign_fd(struct sshkey *key, const char *hashalg, const char *sk_provider,
int fd, const char *sig_namespace, struct sshbuf **out,
sshsig_signer *signer, void *signer_ctx)
{
error("%s: hash_file failed: %s", __func__, ssh_err(r));
return r;
}
- if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
- signer, signer_ctx)) != 0)
+ if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+ sig_namespace, out, signer, signer_ctx)) != 0)
goto out;
/* success */
r = 0;
struct sshsigopt;
typedef int sshsig_signer(struct sshkey *, u_char **, size_t *,
- const u_char *, size_t, const char *, u_int, void *);
+ const u_char *, size_t, const char *, const char *, u_int, void *);
/* Buffer-oriented API */
* out is populated with the detached signature, or NULL on failure.
*/
int sshsig_signb(struct sshkey *key, const char *hashalg,
- const struct sshbuf *message, const char *sig_namespace,
- struct sshbuf **out, sshsig_signer *signer, void *signer_ctx);
+ const char *sk_provider, const struct sshbuf *message,
+ const char *sig_namespace, struct sshbuf **out,
+ sshsig_signer *signer, void *signer_ctx);
/*
* Verifies that a detached signature is valid and optionally returns key
* out is populated with the detached signature, or NULL on failure.
*/
int sshsig_sign_fd(struct sshkey *key, const char *hashalg,
- int fd, const char *sig_namespace, struct sshbuf **out,
- sshsig_signer *signer, void *signer_ctx);
+ const char *sk_provider, int fd, const char *sig_namespace,
+ struct sshbuf **out, sshsig_signer *signer, void *signer_ctx);
/*
* Verifies that a detached signature over a file is valid and optionally
projects / thirdparty / openssh-portable.git / commitdiff
