1 /* $OpenBSD: key.c,v 1.129 2015/12/04 16:41:28 markus Exp $ */
3 * placed in the public domain
14 #define SSH_KEY_NO_DEFINE
24 key_add_private(Key *k)
28 if ((r = sshkey_add_private(k)) != 0)
29 fatal("%s: %s", __func__, ssh_err(r));
33 key_new_private(int type)
37 if ((ret = sshkey_new_private(type)) == NULL)
38 fatal("%s: failed", __func__);
43 key_read(Key *ret, char **cpp)
45 return sshkey_read(ret, cpp) == 0 ? 1 : -1;
49 key_write(const Key *key, FILE *f)
51 return sshkey_write(key, f) == 0 ? 1 : 0;
55 key_generate(int type, u_int bits)
60 if ((r = sshkey_generate(type, bits, &ret)) != 0)
61 fatal("%s: %s", __func__, ssh_err(r));
66 key_cert_copy(const Key *from_key, Key *to_key)
70 if ((r = sshkey_cert_copy(from_key, to_key)) != 0)
71 fatal("%s: %s", __func__, ssh_err(r));
75 key_from_private(const Key *k)
80 if ((r = sshkey_from_private(k, &ret)) != 0)
81 fatal("%s: %s", __func__, ssh_err(r));
86 fatal_on_fatal_errors(int r, const char *func, int extra_fatal)
88 if (r == SSH_ERR_INTERNAL_ERROR ||
89 r == SSH_ERR_ALLOC_FAIL ||
90 (extra_fatal != 0 && r == extra_fatal))
91 fatal("%s: %s", func, ssh_err(r));
95 key_from_blob(const u_char *blob, u_int blen)
100 if ((r = sshkey_from_blob(blob, blen, &ret)) != 0) {
101 fatal_on_fatal_errors(r, __func__, 0);
102 error("%s: %s", __func__, ssh_err(r));
109 key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
119 if ((r = sshkey_to_blob(key, &blob, &blen)) != 0) {
120 fatal_on_fatal_errors(r, __func__, 0);
121 error("%s: %s", __func__, ssh_err(r));
125 fatal("%s: giant len %zu", __func__, blen);
134 key_sign(const Key *key, u_char **sigp, u_int *lenp,
135 const u_char *data, u_int datalen, const char *alg)
145 if ((r = sshkey_sign(key, &sig, &siglen,
146 data, datalen, alg, datafellows)) != 0) {
147 fatal_on_fatal_errors(r, __func__, 0);
148 error("%s: %s", __func__, ssh_err(r));
151 if (siglen > INT_MAX)
152 fatal("%s: giant len %zu", __func__, siglen);
161 key_verify(const Key *key, const u_char *signature, u_int signaturelen,
162 const u_char *data, u_int datalen)
166 if ((r = sshkey_verify(key, signature, signaturelen,
167 data, datalen, datafellows)) != 0) {
168 fatal_on_fatal_errors(r, __func__, 0);
169 error("%s: %s", __func__, ssh_err(r));
170 return r == SSH_ERR_SIGNATURE_INVALID ? 0 : -1;
176 key_demote(const Key *k)
181 if ((r = sshkey_demote(k, &ret)) != 0)
182 fatal("%s: %s", __func__, ssh_err(r));
187 key_to_certified(Key *k)
191 if ((r = sshkey_to_certified(k)) != 0) {
192 fatal_on_fatal_errors(r, __func__, 0);
193 error("%s: %s", __func__, ssh_err(r));
200 key_drop_cert(Key *k)
204 if ((r = sshkey_drop_cert(k)) != 0) {
205 fatal_on_fatal_errors(r, __func__, 0);
206 error("%s: %s", __func__, ssh_err(r));
213 key_certify(Key *k, Key *ca)
217 if ((r = sshkey_certify(k, ca)) != 0) {
218 fatal_on_fatal_errors(r, __func__, 0);
219 error("%s: %s", __func__, ssh_err(r));
226 key_cert_check_authority(const Key *k, int want_host, int require_principal,
227 const char *name, const char **reason)
231 if ((r = sshkey_cert_check_authority(k, want_host, require_principal,
232 name, reason)) != 0) {
233 fatal_on_fatal_errors(r, __func__, 0);
234 error("%s: %s", __func__, ssh_err(r));
240 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
242 key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
246 if ((r = sshkey_ec_validate_public(group, public)) != 0) {
247 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
248 error("%s: %s", __func__, ssh_err(r));
255 key_ec_validate_private(const EC_KEY *key)
259 if ((r = sshkey_ec_validate_private(key)) != 0) {
260 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
261 error("%s: %s", __func__, ssh_err(r));
266 #endif /* WITH_OPENSSL */
269 key_private_serialize(const Key *key, struct sshbuf *b)
273 if ((r = sshkey_private_serialize(key, b)) != 0)
274 fatal("%s: %s", __func__, ssh_err(r));
278 key_private_deserialize(struct sshbuf *blob)
283 if ((r = sshkey_private_deserialize(blob, &ret)) != 0) {
284 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
285 error("%s: %s", __func__, ssh_err(r));
294 key_save_private(Key *key, const char *filename, const char *passphrase,
295 const char *comment, int force_new_format, const char *new_format_cipher,
296 int new_format_rounds)
300 if ((r = sshkey_save_private(key, filename, passphrase, comment,
301 force_new_format, new_format_cipher, new_format_rounds)) != 0) {
302 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
303 error("%s: %s", __func__, ssh_err(r));
310 key_load_file(int fd, const char *filename, struct sshbuf *blob)
314 if ((r = sshkey_load_file(fd, blob)) != 0) {
315 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
316 error("%s: %s", __func__, ssh_err(r));
323 key_load_cert(const char *filename)
328 if ((r = sshkey_load_cert(filename, &ret)) != 0) {
329 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
330 /* Old authfile.c ignored all file errors. */
331 if (r == SSH_ERR_SYSTEM_ERROR)
332 debug("%s: %s", __func__, ssh_err(r));
334 error("%s: %s", __func__, ssh_err(r));
342 key_load_public(const char *filename, char **commentp)
347 if ((r = sshkey_load_public(filename, &ret, commentp)) != 0) {
348 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
349 /* Old authfile.c ignored all file errors. */
350 if (r == SSH_ERR_SYSTEM_ERROR)
351 debug("%s: %s", __func__, ssh_err(r));
353 error("%s: %s", __func__, ssh_err(r));
360 key_load_private(const char *path, const char *passphrase,
366 if ((r = sshkey_load_private(path, passphrase, &ret, commentp)) != 0) {
367 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
368 /* Old authfile.c ignored all file errors. */
369 if (r == SSH_ERR_SYSTEM_ERROR ||
370 r == SSH_ERR_KEY_WRONG_PASSPHRASE)
371 debug("%s: %s", __func__, ssh_err(r));
373 error("%s: %s", __func__, ssh_err(r));
380 key_load_private_cert(int type, const char *filename, const char *passphrase,
386 if ((r = sshkey_load_private_cert(type, filename, passphrase,
387 &ret, perm_ok)) != 0) {
388 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
389 /* Old authfile.c ignored all file errors. */
390 if (r == SSH_ERR_SYSTEM_ERROR ||
391 r == SSH_ERR_KEY_WRONG_PASSPHRASE)
392 debug("%s: %s", __func__, ssh_err(r));
394 error("%s: %s", __func__, ssh_err(r));
401 key_load_private_type(int type, const char *filename, const char *passphrase,
402 char **commentp, int *perm_ok)
407 if ((r = sshkey_load_private_type(type, filename, passphrase,
408 &ret, commentp, perm_ok)) != 0) {
409 fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
410 /* Old authfile.c ignored all file errors. */
411 if (r == SSH_ERR_SYSTEM_ERROR ||
412 (r == SSH_ERR_KEY_WRONG_PASSPHRASE))
413 debug("%s: %s", __func__, ssh_err(r));
415 error("%s: %s", __func__, ssh_err(r));
422 key_perm_ok(int fd, const char *filename)
424 return sshkey_perm_ok(fd, filename) == 0 ? 1 : 0;