diff --git a/include/libssh/pki.h b/include/libssh/pki.h index ca87ddd8..8657f0f0 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -46,7 +46,9 @@ struct ssh_key_struct { void *cert; }; +ssh_key ssh_key_dup(const ssh_key key); void ssh_key_clean (ssh_key key); +ssh_key pki_key_dup(const ssh_key key, int demote); ssh_key ssh_pki_publickey_from_privatekey(const ssh_key privkey); ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf, @@ -61,7 +63,6 @@ enum ssh_keytypes_e pki_privatekey_type_from_string(const char *privkey); ssh_key pki_private_key_from_base64(ssh_session session, const char *b64_key, const char *passphrase); -ssh_key pki_publickey_from_privatekey(const ssh_key privkey); int pki_pubkey_build_dss(ssh_key key, ssh_string p, ssh_string q, diff --git a/src/pki.c b/src/pki.c index 21a22484..aa32fc4a 100644 --- a/src/pki.c +++ b/src/pki.c @@ -69,6 +69,15 @@ ssh_key ssh_key_new (void) { return ptr; } +ssh_key ssh_key_dup(const ssh_key key) +{ + if (key == NULL) { + return NULL; + } + + return pki_key_dup(key, 0); +} + /** * @brief clean up the key and deallocate all existing keys * @param[in] key ssh_key to clean @@ -591,7 +600,12 @@ fail: * @return A public key, NULL on error. */ ssh_key ssh_pki_publickey_from_privatekey(const ssh_key privkey) { - return pki_publickey_from_privatekey(privkey); + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return NULL; + } + + return pki_key_dup(privkey, 1); } /* diff --git a/src/pki_crypto.c b/src/pki_crypto.c index 2f95d297..821d3ccb 100644 --- a/src/pki_crypto.c +++ b/src/pki_crypto.c @@ -67,6 +67,146 @@ static int pem_get_password(char *buf, int size, int rwflag, void *userdata) { return 0; } +ssh_key pki_key_dup(const ssh_key key, int demote) +{ + ssh_key new; + + new = ssh_key_new(); + if (new == NULL) { + return NULL; + } + + new->type = key->type; + new->type_c = key->type_c; + new->flags = key->flags; + + switch (key->type) { + case SSH_KEYTYPE_DSS: + new->dsa = DSA_new(); + if (new->dsa == NULL) { + goto fail; + } + + /* + * p = public prime number + * q = public 160-bit subprime, q | p-1 + * g = public generator of subgroup + * pub_key = public key y = g^x + * priv_key = private key x + */ + new->dsa->p = BN_dup(key->dsa->p); + if (new->dsa->p == NULL) { + goto fail; + } + + new->dsa->q = BN_dup(key->dsa->q); + if (new->dsa->q == NULL) { + goto fail; + } + + new->dsa->g = BN_dup(key->dsa->g); + if (new->dsa->g == NULL) { + goto fail; + } + + new->dsa->pub_key = BN_dup(key->dsa->pub_key); + if (new->dsa->pub_key == NULL) { + goto fail; + } + + if (!demote && (key->flags == SSH_KEY_FLAG_PRIVATE)) { + new->dsa->priv_key = BN_dup(key->dsa->priv_key); + if (new->dsa->priv_key == NULL) { + goto fail; + } + } + + break; + case SSH_KEYTYPE_RSA: + case SSH_KEYTYPE_RSA1: + new->rsa = RSA_new(); + if (new->rsa == NULL) { + goto fail; + } + + /* + * n = public modulus + * e = public exponent + * d = private exponent + * p = secret prime factor + * q = secret prime factor + * dmp1 = d mod (p-1) + * dmq1 = d mod (q-1) + * iqmp = q^-1 mod p + */ + new->rsa->n = BN_dup(key->rsa->n); + if (new->rsa->n == NULL) { + goto fail; + } + + new->rsa->e = BN_dup(key->rsa->e); + if (new->rsa->e == NULL) { + goto fail; + } + + if (!demote && (key->flags == SSH_KEY_FLAG_PRIVATE)) { + new->rsa->d = BN_dup(key->rsa->d); + if (new->rsa->d == NULL) { + goto fail; + } + + /* p, q, dmp1, dmq1 and iqmp may be NULL in private keys, but the + * RSA operations are much faster when these values are available. + */ + if (key->rsa->p != NULL) { + new->rsa->p = BN_dup(key->rsa->p); + if (new->rsa->p == NULL) { + goto fail; + } + } + + if (key->rsa->q != NULL) { + new->rsa->q = BN_dup(key->rsa->q); + if (new->rsa->q == NULL) { + goto fail; + } + } + + if (key->rsa->dmp1 != NULL) { + new->rsa->dmp1 = BN_dup(key->rsa->dmp1); + if (new->rsa->dmp1 == NULL) { + goto fail; + } + } + + if (key->rsa->dmq1 != NULL) { + new->rsa->dmq1 = BN_dup(key->rsa->dmq1); + if (new->rsa->dmq1 == NULL) { + goto fail; + } + } + + if (key->rsa->iqmp != NULL) { + new->rsa->iqmp = BN_dup(key->rsa->iqmp); + if (new->rsa->iqmp == NULL) { + goto fail; + } + } + } + + break; + case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_UNKNOWN: + ssh_key_free(new); + return NULL; + } + + return new; +fail: + ssh_key_free(new); + return NULL; +} + ssh_key pki_private_key_from_base64(ssh_session session, const char *b64_key, const char *passphrase) { @@ -207,63 +347,6 @@ int pki_pubkey_build_rsa(ssh_key key, return SSH_OK; } -ssh_key pki_publickey_from_privatekey(ssh_key privkey) { - ssh_key pubkey = NULL; - - if (privkey == NULL || !ssh_key_is_private(privkey)) { - return NULL; - } - - pubkey = ssh_key_new(); - if (pubkey == NULL) { - return NULL; - } - pubkey->type = privkey->type; - - switch (pubkey->type) { - case SSH_KEYTYPE_DSS: - pubkey->dsa = DSA_new(); - if (pubkey->dsa == NULL) { - goto fail; - } - pubkey->dsa->p = BN_dup(privkey->dsa->p); - pubkey->dsa->q = BN_dup(privkey->dsa->q); - pubkey->dsa->g = BN_dup(privkey->dsa->g); - pubkey->dsa->pub_key = BN_dup(privkey->dsa->pub_key); - if (pubkey->dsa->p == NULL || - pubkey->dsa->q == NULL || - pubkey->dsa->g == NULL || - pubkey->dsa->pub_key == NULL) { - goto fail; - } - break; - case SSH_KEYTYPE_RSA: - case SSH_KEYTYPE_RSA1: - pubkey->rsa = RSA_new(); - if (pubkey->rsa == NULL) { - goto fail; - } - pubkey->rsa->e = BN_dup(privkey->rsa->e); - pubkey->rsa->n = BN_dup(privkey->rsa->n); - if (pubkey->rsa->e == NULL || - pubkey->rsa->n == NULL) { - goto fail; - } - break; - case SSH_KEYTYPE_ECDSA: - case SSH_KEYTYPE_UNKNOWN: - ssh_key_free(pubkey); - return NULL; - } - pubkey->type_c = ssh_key_type_to_char(privkey->type); - - return pubkey; -fail: - ssh_key_free(pubkey); - - return NULL; -} - struct signature_struct *pki_do_sign(ssh_key privatekey, const unsigned char *hash) { struct signature_struct *sign; diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c index 9ef51c9e..c2668315 100644 --- a/src/pki_gcrypt.c +++ b/src/pki_gcrypt.c @@ -732,31 +732,35 @@ int pki_pubkey_build_rsa(ssh_key key, return SSH_OK; } -ssh_key pki_publickey_from_privatekey(ssh_key privkey) { - ssh_key pubkey = NULL; +ssh_key pki_key_dup(const ssh_key key, int demote) +{ + ssh_key new; gcry_sexp_t sexp; + gcry_error_t err; const char *tmp = NULL; + size_t size; + ssh_string p = NULL; ssh_string q = NULL; ssh_string g = NULL; ssh_string y = NULL; + ssh_string x = NULL; + ssh_string e = NULL; ssh_string n = NULL; - size_t size; + ssh_string d = NULL; + ssh_string u = NULL; - if (privkey == NULL || !ssh_key_is_private(privkey)) { + new = ssh_key_new(); + if (new == NULL) { return NULL; } + new->type = key->type; + new->type_c = key->type_c; - pubkey = ssh_key_new(); - if (pubkey == NULL) { - return NULL; - } - pubkey->type = privkey->type; - - switch(pubkey->type) { + switch(key->type) { case SSH_KEYTYPE_DSS: - sexp = gcry_sexp_find_token(privkey->dsa, "p", 0); + sexp = gcry_sexp_find_token(key->dsa, "p", 0); if (sexp == NULL) { goto fail; } @@ -765,51 +769,76 @@ ssh_key pki_publickey_from_privatekey(ssh_key privkey) { if (p == NULL) { goto fail; } - ssh_string_fill(p,(char *) tmp, size); + ssh_string_fill(p, (char *)tmp, size); gcry_sexp_release(sexp); - sexp = gcry_sexp_find_token(privkey->dsa,"q",0); + sexp = gcry_sexp_find_token(key->dsa, "q", 0); if (sexp == NULL) { goto fail; } - tmp = gcry_sexp_nth_data(sexp,1,&size); + tmp = gcry_sexp_nth_data(sexp, 1, &size); q = ssh_string_new(size); if (q == NULL) { goto fail; } - ssh_string_fill(q,(char *) tmp,size); + ssh_string_fill(q, (char *)tmp, size); gcry_sexp_release(sexp); - sexp = gcry_sexp_find_token(privkey->dsa, "g", 0); + sexp = gcry_sexp_find_token(key->dsa, "g", 0); if (sexp == NULL) { goto fail; } - tmp = gcry_sexp_nth_data(sexp,1,&size); + tmp = gcry_sexp_nth_data(sexp, 1, &size); g = ssh_string_new(size); if (g == NULL) { goto fail; } - ssh_string_fill(g,(char *) tmp,size); + ssh_string_fill(g, (char *)tmp, size); gcry_sexp_release(sexp); - sexp = gcry_sexp_find_token(privkey->dsa,"y",0); + sexp = gcry_sexp_find_token(key->dsa, "y", 0); if (sexp == NULL) { goto fail; } - tmp = gcry_sexp_nth_data(sexp,1,&size); + tmp = gcry_sexp_nth_data(sexp, 1, &size); y = ssh_string_new(size); if (y == NULL) { goto fail; } - ssh_string_fill(y,(char *) tmp,size); + ssh_string_fill(y, (char *)tmp, size); gcry_sexp_release(sexp); - gcry_sexp_build(&pubkey->dsa, NULL, - "(public-key(dsa(p %b)(q %b)(g %b)(y %b)))", - ssh_string_len(p), ssh_string_data(p), - ssh_string_len(q), ssh_string_data(q), - ssh_string_len(g), ssh_string_data(g), - ssh_string_len(y), ssh_string_data(y)); + if (!demote && (key->flags == SSH_KEY_FLAG_PRIVATE)) { + sexp = gcry_sexp_find_token(key->dsa, "x", 0); + if (sexp == NULL) { + goto fail; + } + tmp = gcry_sexp_nth_data(sexp, 1, &size); + y = ssh_string_new(size); + if (y == NULL) { + goto fail; + } + ssh_string_fill(y, (char *)tmp, size); + gcry_sexp_release(sexp); + + err = gcry_sexp_build(&new->dsa, NULL, + "(private-key(dsa(p %b)(q %b)(g %b)(y %b)(x %b)))", + ssh_string_len(p), ssh_string_data(p), + ssh_string_len(q), ssh_string_data(q), + ssh_string_len(g), ssh_string_data(g), + ssh_string_len(y), ssh_string_data(y), + ssh_string_len(x), ssh_string_data(x)); + } else { + err = gcry_sexp_build(&new->dsa, NULL, + "(public-key(dsa(p %b)(q %b)(g %b)(y %b)))", + ssh_string_len(p), ssh_string_data(p), + ssh_string_len(q), ssh_string_data(q), + ssh_string_len(g), ssh_string_data(g), + ssh_string_len(y), ssh_string_data(y)); + } + if (err) { + goto fail; + } ssh_string_burn(p); ssh_string_free(p); @@ -819,10 +848,12 @@ ssh_key pki_publickey_from_privatekey(ssh_key privkey) { ssh_string_free(g); ssh_string_burn(y); ssh_string_free(y); + ssh_string_burn(x); + ssh_string_free(x); break; case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA1: - sexp = gcry_sexp_find_token(privkey->rsa, "n", 0); + sexp = gcry_sexp_find_token(key->rsa, "n", 0); if (sexp == NULL) { goto fail; } @@ -831,10 +862,10 @@ ssh_key pki_publickey_from_privatekey(ssh_key privkey) { if (n == NULL) { goto fail; } - ssh_string_fill(n, (char *) tmp, size); + ssh_string_fill(n, (char *)tmp, size); gcry_sexp_release(sexp); - sexp = gcry_sexp_find_token(privkey->rsa, "e", 0); + sexp = gcry_sexp_find_token(key->rsa, "e", 0); if (sexp == NULL) { goto fail; } @@ -843,14 +874,74 @@ ssh_key pki_publickey_from_privatekey(ssh_key privkey) { if (e == NULL) { goto fail; } - ssh_string_fill(e, (char *) tmp, size); + ssh_string_fill(e, (char *)tmp, size); gcry_sexp_release(sexp); - gcry_sexp_build(&pubkey->rsa, NULL, - "(public-key(rsa(n %b)(e %b)))", - ssh_string_len(n), ssh_string_data(n), - ssh_string_len(e), ssh_string_data(e)); - if (pubkey->rsa == NULL) { + if (!demote && (key->flags == SSH_KEY_FLAG_PRIVATE)) { + sexp = gcry_sexp_find_token(key->rsa, "d", 0); + if (sexp == NULL) { + goto fail; + } + tmp = gcry_sexp_nth_data(sexp, 1, &size); + d = ssh_string_new(size); + if (e == NULL) { + goto fail; + } + ssh_string_fill(d, (char *)tmp, size); + gcry_sexp_release(sexp); + + sexp = gcry_sexp_find_token(key->rsa, "p", 0); + if (sexp == NULL) { + goto fail; + } + tmp = gcry_sexp_nth_data(sexp, 1, &size); + p = ssh_string_new(size); + if (p == NULL) { + goto fail; + } + ssh_string_fill(p, (char *)tmp, size); + gcry_sexp_release(sexp); + + sexp = gcry_sexp_find_token(key->rsa, "q", 0); + if (sexp == NULL) { + goto fail; + } + tmp = gcry_sexp_nth_data(sexp, 1, &size); + q = ssh_string_new(size); + if (q == NULL) { + goto fail; + } + ssh_string_fill(q, (char *)tmp, size); + gcry_sexp_release(sexp); + + sexp = gcry_sexp_find_token(key->rsa, "u", 0); + if (sexp == NULL) { + goto fail; + } + tmp = gcry_sexp_nth_data(sexp, 1, &size); + u = ssh_string_new(size); + if (u == NULL) { + goto fail; + } + ssh_string_fill(u, (char *)tmp, size); + gcry_sexp_release(sexp); + + err = gcry_sexp_build(&new->rsa, NULL, + "(private-key(rsa(n %b)(e %b)(d %b)(p %b)(q %b)(u %b)))", + ssh_string_len(n), ssh_string_data(n), + ssh_string_len(e), ssh_string_data(e), + ssh_string_len(d), ssh_string_data(d), + ssh_string_len(p), ssh_string_data(p), + ssh_string_len(q), ssh_string_data(q), + ssh_string_len(u), ssh_string_data(u)); + } else { + err = gcry_sexp_build(&new->rsa, NULL, + "(public-key(rsa(n %b)(e %b)))", + ssh_string_len(n), ssh_string_data(n), + ssh_string_len(e), ssh_string_data(e)); + } + + if (err) { goto fail; } @@ -858,15 +949,23 @@ ssh_key pki_publickey_from_privatekey(ssh_key privkey) { ssh_string_free(e); ssh_string_burn(n); ssh_string_free(n); + ssh_string_burn(d); + ssh_string_free(d); + ssh_string_burn(p); + ssh_string_free(p); + ssh_string_burn(q); + ssh_string_free(q); + ssh_string_burn(u); + ssh_string_free(u); + break; case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_UNKNOWN: - ssh_key_free(pubkey); + ssh_key_free(new); return NULL; } - pubkey->type_c = ssh_key_type_to_char(privkey->type); - return pubkey; + return new; fail: gcry_sexp_release(sexp); ssh_string_burn(p); @@ -877,13 +976,17 @@ fail: ssh_string_free(g); ssh_string_burn(y); ssh_string_free(y); + ssh_string_burn(x); + ssh_string_free(x); ssh_string_burn(e); ssh_string_free(e); ssh_string_burn(n); ssh_string_free(n); + ssh_string_burn(u); + ssh_string_free(u); - ssh_key_free(pubkey); + ssh_key_free(new); return NULL; }