diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h index b42ace86..68ddbac1 100644 --- a/include/libssh/libssh.h +++ b/include/libssh/libssh.h @@ -293,10 +293,13 @@ enum ssh_keytypes_e{ SSH_KEYTYPE_DSS=1, SSH_KEYTYPE_RSA, SSH_KEYTYPE_RSA1, - SSH_KEYTYPE_ECDSA, + SSH_KEYTYPE_ECDSA, /* deprecated */ SSH_KEYTYPE_ED25519, SSH_KEYTYPE_DSS_CERT01, - SSH_KEYTYPE_RSA_CERT01 + SSH_KEYTYPE_RSA_CERT01, + SSH_KEYTYPE_ECDSA_P256, + SSH_KEYTYPE_ECDSA_P384, + SSH_KEYTYPE_ECDSA_P521, }; enum ssh_keycmp_e { diff --git a/include/libssh/pki.h b/include/libssh/pki.h index 17c142c1..19e1ad54 100644 --- a/include/libssh/pki.h +++ b/include/libssh/pki.h @@ -101,6 +101,9 @@ ssh_key_get_signature_algorithm(ssh_session session, enum ssh_keytypes_e type); enum ssh_keytypes_e ssh_key_type_from_signature_name(const char *name); +#define is_ecdsa_key_type(t) \ + ((t) >= SSH_KEYTYPE_ECDSA_P256 && (t) <= SSH_KEYTYPE_ECDSA_P521) + /* SSH Signature Functions */ ssh_signature ssh_signature_new(void); void ssh_signature_free(ssh_signature sign); diff --git a/src/auth.c b/src/auth.c index 2e26d97f..92279060 100644 --- a/src/auth.c +++ b/src/auth.c @@ -515,26 +515,13 @@ int ssh_userauth_try_publickey(ssh_session session, return SSH_ERROR; } - switch (pubkey->type) { - case SSH_KEYTYPE_UNKNOWN: - ssh_set_error(session, - SSH_REQUEST_DENIED, + /* Check if the given public key algorithm is allowed */ + sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); + if (sig_type_c == NULL) { + ssh_set_error(session, SSH_REQUEST_DENIED, "Invalid key type (unknown)"); return SSH_AUTH_DENIED; - case SSH_KEYTYPE_ECDSA: - sig_type_c = ssh_pki_key_ecdsa_name(pubkey); - break; - case SSH_KEYTYPE_DSS: - case SSH_KEYTYPE_RSA: - case SSH_KEYTYPE_RSA1: - case SSH_KEYTYPE_ED25519: - case SSH_KEYTYPE_DSS_CERT01: - case SSH_KEYTYPE_RSA_CERT01: - sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); - break; } - - /* Check if the given public key algorithm is allowed */ if (!ssh_key_algorithm_allowed(session, sig_type_c)) { ssh_set_error(session, SSH_REQUEST_DENIED, "The key algorithm '%s' is not allowed to be used by" @@ -651,26 +638,13 @@ int ssh_userauth_publickey(ssh_session session, /* Cert auth requires presenting the cert type name (*-cert@openssh.com) */ key_type = privkey->cert != NULL ? privkey->cert_type : privkey->type; - switch (key_type) { - case SSH_KEYTYPE_UNKNOWN: - ssh_set_error(session, - SSH_REQUEST_DENIED, + /* Check if the given public key algorithm is allowed */ + sig_type_c = ssh_key_get_signature_algorithm(session, key_type); + if (sig_type_c == NULL) { + ssh_set_error(session, SSH_REQUEST_DENIED, "Invalid key type (unknown)"); return SSH_AUTH_DENIED; - case SSH_KEYTYPE_ECDSA: - sig_type_c = ssh_pki_key_ecdsa_name(privkey); - break; - case SSH_KEYTYPE_DSS: - case SSH_KEYTYPE_RSA: - case SSH_KEYTYPE_RSA1: - case SSH_KEYTYPE_ED25519: - case SSH_KEYTYPE_DSS_CERT01: - case SSH_KEYTYPE_RSA_CERT01: - sig_type_c = ssh_key_get_signature_algorithm(session, key_type); - break; } - - /* Check if the given public key algorithm is allowed */ if (!ssh_key_algorithm_allowed(session, sig_type_c)) { ssh_set_error(session, SSH_REQUEST_DENIED, "The key algorithm '%s' is not allowed to be used by" @@ -777,9 +751,14 @@ static int ssh_userauth_agent_publickey(ssh_session session, if (rc < 0) { goto fail; } - sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); /* Check if the given public key algorithm is allowed */ + sig_type_c = ssh_key_get_signature_algorithm(session, pubkey->type); + if (sig_type_c == NULL) { + ssh_set_error(session, SSH_REQUEST_DENIED, + "Invalid key type (unknown)"); + return SSH_AUTH_DENIED; + } if (!ssh_key_algorithm_allowed(session, sig_type_c)) { ssh_set_error(session, SSH_REQUEST_DENIED, "The key algorithm '%s' is not allowed to be used by" diff --git a/src/bind.c b/src/bind.c index eb723216..a1f25de2 100644 --- a/src/bind.c +++ b/src/bind.c @@ -176,7 +176,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { return SSH_ERROR; } - if (ssh_key_type(sshbind->ecdsa) != SSH_KEYTYPE_ECDSA) { + if (!is_ecdsa_key_type(ssh_key_type(sshbind->ecdsa))) { ssh_set_error(sshbind, SSH_FATAL, "The ECDSA host key has the wrong type"); ssh_key_free(sshbind->ecdsa); diff --git a/src/known_hosts.c b/src/known_hosts.c index cf883c42..093188ec 100644 --- a/src/known_hosts.c +++ b/src/known_hosts.c @@ -373,13 +373,7 @@ int ssh_is_server_known(ssh_session session) { } if (match) { ssh_key pubkey = ssh_dh_get_current_server_publickey(session); - const char *pubkey_type = NULL; - - if (ssh_key_type(pubkey) == SSH_KEYTYPE_ECDSA) { - pubkey_type = ssh_pki_key_ecdsa_name(pubkey); - } else { - pubkey_type = ssh_key_type_to_char(ssh_key_type(pubkey)); - } + const char *pubkey_type = ssh_key_type_to_char(ssh_key_type(pubkey)); /* We got a match. Now check the key type */ if (strcmp(pubkey_type, type) != 0) { diff --git a/src/options.c b/src/options.c index a5e0f31a..4e1a5830 100644 --- a/src/options.c +++ b/src/options.c @@ -1653,7 +1653,9 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type, "without DSA support"); #endif break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_ECC bind_key_loc = &sshbind->ecdsa; bind_key_path_loc = &sshbind->ecdsakey; @@ -1715,7 +1717,9 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type, "without DSA support"); #endif break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_ECC bind_key_loc = &sshbind->ecdsa; #else diff --git a/src/pki.c b/src/pki.c index b196e915..77b0ba92 100644 --- a/src/pki.c +++ b/src/pki.c @@ -74,7 +74,10 @@ enum ssh_keytypes_e pki_privatekey_type_from_string(const char *privkey) { } if (strncmp(privkey, ECDSA_HEADER_BEGIN, strlen(ECDSA_HEADER_BEGIN)) == 0) { - return SSH_KEYTYPE_ECDSA; + /* We don't know what the curve is at this point, so we don't actually + * know the type. We figure out the actual curve and fix things up in + * pki_private_key_from_base64 */ + return SSH_KEYTYPE_ECDSA_P256; } return SSH_KEYTYPE_UNKNOWN; @@ -185,8 +188,9 @@ void ssh_key_free (ssh_key key){ * @brief returns the type of a ssh key * @param[in] key the ssh_key handle * @returns one of SSH_KEYTYPE_RSA, SSH_KEYTYPE_DSS, - * SSH_KEYTYPE_ECDSA, SSH_KEYTYPE_ED25519, - * SSH_KEYTYPE_DSS_CERT01, SSH_KEYTYPE_RSA_CERT01 + * SSH_KEYTYPE_ECDSA_P256, SSH_KEYTYPE_ECDSA_P384, + * SSH_KEYTYPE_ECDSA_P521, SSH_KEYTYPE_ED25519, SSH_KEYTYPE_DSS_CERT01, + * or SSH_KEYTYPE_RSA_CERT01. * @returns SSH_KEYTYPE_UNKNOWN if the type is unknown */ enum ssh_keytypes_e ssh_key_type(const ssh_key key){ @@ -241,7 +245,13 @@ const char *ssh_key_type_to_char(enum ssh_keytypes_e type) { case SSH_KEYTYPE_RSA: return "ssh-rsa"; case SSH_KEYTYPE_ECDSA: - return "ssh-ecdsa"; + return "ssh-ecdsa"; /* deprecated. invalid value */ + case SSH_KEYTYPE_ECDSA_P256: + return "ecdsa-sha2-nistp256"; + case SSH_KEYTYPE_ECDSA_P384: + return "ecdsa-sha2-nistp384"; + case SSH_KEYTYPE_ECDSA_P521: + return "ecdsa-sha2-nistp521"; case SSH_KEYTYPE_ED25519: return "ssh-ed25519"; case SSH_KEYTYPE_DSS_CERT01: @@ -398,10 +408,12 @@ enum ssh_keytypes_e ssh_key_type_from_name(const char *name) { return SSH_KEYTYPE_DSS; } else if (strcmp(name, "ssh-ecdsa") == 0 || strcmp(name, "ecdsa") == 0 - || strcmp(name, "ecdsa-sha2-nistp256") == 0 - || strcmp(name, "ecdsa-sha2-nistp384") == 0 - || strcmp(name, "ecdsa-sha2-nistp521") == 0) { - return SSH_KEYTYPE_ECDSA; + || strcmp(name, "ecdsa-sha2-nistp256") == 0) { + return SSH_KEYTYPE_ECDSA_P256; + } else if (strcmp(name, "ecdsa-sha2-nistp384") == 0) { + return SSH_KEYTYPE_ECDSA_P384; + } else if (strcmp(name, "ecdsa-sha2-nistp521") == 0) { + return SSH_KEYTYPE_ECDSA_P521; } else if (strcmp(name, "ssh-ed25519") == 0){ return SSH_KEYTYPE_ED25519; } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { @@ -517,7 +529,9 @@ void ssh_signature_free(ssh_signature sig) SAFE_FREE(sig->rsa_sig); #endif break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC gcry_sexp_release(sig->ecdsa_sig); #elif defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_ECC) @@ -533,6 +547,7 @@ void ssh_signature_free(ssh_signature sig) case SSH_KEYTYPE_DSS_CERT01: case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA1: + case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_UNKNOWN: break; } @@ -973,7 +988,9 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type, } break; #ifdef HAVE_ECC - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { ssh_string e = NULL; ssh_string exp = NULL; @@ -1001,9 +1018,6 @@ int pki_import_privkey_buffer(enum ssh_keytypes_e type, SSH_LOG(SSH_LOG_WARN, "Failed to build ECDSA private key"); goto fail; } - - /* Update key type */ - key->type_c = ssh_pki_key_ecdsa_name(key); } break; #endif @@ -1120,7 +1134,10 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer, } break; #ifdef HAVE_ECC - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA: /* deprecated */ + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { ssh_string e = NULL; ssh_string i = NULL; @@ -1147,7 +1164,9 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer, } /* Update key type */ - key->type_c = ssh_pki_key_ecdsa_name(key); + if (type == SSH_KEYTYPE_ECDSA) { + key->type_c = ssh_pki_key_ecdsa_name(key); + } } break; #endif @@ -1539,7 +1558,6 @@ int ssh_pki_import_cert_file(const char *filename, ssh_key *pkey) * @param[in] parameter Parameter to the creation of key: * rsa : length of the key in bits (e.g. 1024, 2048, 4096) * dsa : length of the key in bits (e.g. 1024, 2048, 3072) - * ecdsa : bits of the key (e.g. 256, 384, 521) * @param[out] pkey A pointer to store the allocated private key. You need * to free the memory. * @@ -1572,7 +1590,7 @@ int ssh_pki_generate(enum ssh_keytypes_e type, int parameter, goto error; break; #ifdef HAVE_ECC - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA: /* deprecated */ rc = pki_key_generate_ecdsa(key, parameter); if (rc == SSH_ERROR) { goto error; @@ -1581,6 +1599,24 @@ int ssh_pki_generate(enum ssh_keytypes_e type, int parameter, /* Update key type */ key->type_c = ssh_pki_key_ecdsa_name(key); break; + case SSH_KEYTYPE_ECDSA_P256: + rc = pki_key_generate_ecdsa(key, 256); + if (rc == SSH_ERROR) { + goto error; + } + break; + case SSH_KEYTYPE_ECDSA_P384: + rc = pki_key_generate_ecdsa(key, 384); + if (rc == SSH_ERROR) { + goto error; + } + break; + case SSH_KEYTYPE_ECDSA_P521: + rc = pki_key_generate_ecdsa(key, 521); + if (rc == SSH_ERROR) { + goto error; + } + break; #endif case SSH_KEYTYPE_ED25519: rc = pki_key_generate_ed25519(key); @@ -1939,7 +1975,7 @@ int ssh_pki_signature_verify(ssh_session session, return SSH_ERROR; } - if (key->type == SSH_KEYTYPE_ECDSA) { + if (is_ecdsa_key_type(key->type)) { #if HAVE_ECC unsigned char ehash[EVP_DIGEST_LEN] = {0}; uint32_t elen; @@ -2028,7 +2064,7 @@ ssh_string ssh_pki_do_sign(ssh_session session, } ssh_string_fill(session_id, crypto->session_id, crypto->digest_len); - if (privkey->type == SSH_KEYTYPE_ECDSA) { + if (is_ecdsa_key_type(privkey->type)) { #ifdef HAVE_ECC unsigned char ehash[EVP_DIGEST_LEN] = {0}; uint32_t elen; @@ -2211,7 +2247,7 @@ ssh_string ssh_srv_pki_do_sign_sessionid(ssh_session session, return NULL; } - if (privkey->type == SSH_KEYTYPE_ECDSA) { + if (is_ecdsa_key_type(privkey->type)) { #ifdef HAVE_ECC unsigned char ehash[EVP_DIGEST_LEN] = {0}; uint32_t elen; diff --git a/src/pki_crypto.c b/src/pki_crypto.c index c27e8184..d5dd3f63 100644 --- a/src/pki_crypto.c +++ b/src/pki_crypto.c @@ -92,6 +92,24 @@ static int pki_key_ecdsa_to_nid(EC_KEY *k) return -1; } +static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EC_KEY *k) +{ + static int nid; + + nid = pki_key_ecdsa_to_nid(k); + + switch (nid) { + case NID_X9_62_prime256v1: + return SSH_KEYTYPE_ECDSA_P256; + case NID_secp384r1: + return SSH_KEYTYPE_ECDSA_P384; + case NID_secp521r1: + return SSH_KEYTYPE_ECDSA_P521; + default: + return SSH_KEYTYPE_UNKNOWN; + } +} + const char *pki_key_ecdsa_nid_to_name(int nid) { switch (nid) { @@ -451,7 +469,9 @@ ssh_key pki_key_dup(const ssh_key key, int demote) break; } - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC new->ecdsa_nid = key->ecdsa_nid; @@ -551,26 +571,24 @@ int pki_key_generate_dss(ssh_key key, int parameter){ #ifdef HAVE_OPENSSL_ECC int pki_key_generate_ecdsa(ssh_key key, int parameter) { - int nid; int ok; switch (parameter) { case 384: - nid = NID_secp384r1; + key->ecdsa_nid = NID_secp384r1; + key->type = SSH_KEYTYPE_ECDSA_P384; break; case 521: - nid = NID_secp521r1; + key->ecdsa_nid = NID_secp521r1; + key->type = SSH_KEYTYPE_ECDSA_P521; break; case 256: default: - nid = NID_X9_62_prime256v1; + key->ecdsa_nid = NID_X9_62_prime256v1; + key->type = SSH_KEYTYPE_ECDSA_P256; } - key->ecdsa_nid = nid; - key->type = SSH_KEYTYPE_ECDSA; - key->type_c = pki_key_ecdsa_nid_to_name(nid); - - key->ecdsa = EC_KEY_new_by_curve_name(nid); + key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid); if (key->ecdsa == NULL) { return SSH_ERROR; } @@ -650,7 +668,9 @@ int pki_key_compare(const ssh_key k1, } break; } - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC { const EC_POINT *p1 = EC_KEY_get0_public_key(k1->ecdsa); @@ -756,7 +776,9 @@ ssh_string pki_private_key_to_pem(const ssh_key key, } break; #ifdef HAVE_ECC - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: if (passphrase == NULL) { struct pem_get_password_struct pgp = { auth_fn, auth_data }; @@ -818,7 +840,7 @@ ssh_key pki_private_key_from_base64(const char *b64_key, DSA *dsa = NULL; RSA *rsa = NULL; ed25519_privkey *ed25519 = NULL; - ssh_key key; + ssh_key key = NULL; enum ssh_keytypes_e type; #ifdef HAVE_OPENSSL_ECC EC_KEY *ecdsa = NULL; @@ -884,7 +906,9 @@ ssh_key pki_private_key_from_base64(const char *b64_key, } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC if (passphrase == NULL) { if (auth_fn) { @@ -908,12 +932,21 @@ ssh_key pki_private_key_from_base64(const char *b64_key, return NULL; } + /* pki_privatekey_type_from_string always returns P256 for ECDSA + * keys, so we need to figure out the correct type here */ + type = pki_key_ecdsa_to_key_type(ecdsa); + if (type == SSH_KEYTYPE_UNKNOWN) { + SSH_LOG(SSH_LOG_WARN, "Invalid private key."); + goto fail; + } + break; #endif case SSH_KEYTYPE_ED25519: /* Cannot open ed25519 keys with libcrypto */ case SSH_KEYTYPE_DSS_CERT01: case SSH_KEYTYPE_RSA_CERT01: + case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_UNKNOWN: BIO_free(mem); SSH_LOG(SSH_LOG_WARN, "Unknown or invalid private key type %d", type); @@ -933,9 +966,8 @@ ssh_key pki_private_key_from_base64(const char *b64_key, key->ecdsa = ecdsa; key->ed25519_privkey = ed25519; #ifdef HAVE_OPENSSL_ECC - if (key->type == SSH_KEYTYPE_ECDSA) { + if (is_ecdsa_key_type(key->type)) { key->ecdsa_nid = pki_key_ecdsa_to_nid(key->ecdsa); - key->type_c = pki_key_ecdsa_nid_to_name(key->ecdsa_nid); } #endif @@ -1237,27 +1269,10 @@ ssh_string pki_publickey_to_blob(const ssh_key key) break; } - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC - rc = ssh_buffer_reinit(buffer); - if (rc < 0) { - ssh_buffer_free(buffer); - return NULL; - } - - type_s = ssh_string_from_char(pki_key_ecdsa_nid_to_name(key->ecdsa_nid)); - if (type_s == NULL) { - ssh_buffer_free(buffer); - return NULL; - } - - rc = ssh_buffer_add_ssh_string(buffer, type_s); - ssh_string_free(type_s); - if (rc < 0) { - ssh_buffer_free(buffer); - return NULL; - } - type_s = ssh_string_from_char(pki_key_ecdsa_nid_to_char(key->ecdsa_nid)); if (type_s == NULL) { ssh_buffer_free(buffer); @@ -1461,7 +1476,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) case SSH_KEYTYPE_RSA1: sig_blob = ssh_string_copy(sig->rsa_sig); break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC { ssh_string r; @@ -1614,8 +1631,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, } sig->type = type; + sig->type_c = ssh_key_signature_to_char(type, hash_type); sig->hash_type = hash_type; - sig->type_c = pubkey->type_c; /* for all types but RSA */ len = ssh_string_len(sig_blob); @@ -1688,9 +1705,10 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, if (sig == NULL) { return NULL; } - sig->type_c = ssh_key_signature_to_char(type, hash_type); break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC sig->ecdsa_sig = ECDSA_SIG_new(); if (sig->ecdsa_sig == NULL) { @@ -1874,7 +1892,9 @@ int pki_signature_verify(ssh_session session, return SSH_ERROR; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC rc = ECDSA_do_verify(hash, hlen, @@ -1919,8 +1939,8 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, } sig->type = privkey->type; + sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); sig->hash_type = hash_type; - sig->type_c = privkey->type_c; switch(privkey->type) { case SSH_KEYTYPE_DSS: @@ -1942,7 +1962,6 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, break; case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA1: - sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); sig->rsa_sig = _RSA_do_sign_hash(hash, hlen, privkey->rsa, hash_type); if (sig->rsa_sig == NULL) { ssh_signature_free(sig); @@ -1950,7 +1969,9 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, } sig->dsa_sig = NULL; break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC sig->ecdsa_sig = ECDSA_do_sign(hash, hlen, privkey->ecdsa); if (sig->ecdsa_sig == NULL) { @@ -2005,7 +2026,7 @@ ssh_signature pki_do_sign_sessionid_hash(const ssh_key key, } sig->type = key->type; - sig->type_c = key->type_c; + sig->type_c = ssh_key_signature_to_char(key->type, hash_type); switch(key->type) { case SSH_KEYTYPE_DSS: @@ -2017,14 +2038,15 @@ ssh_signature pki_do_sign_sessionid_hash(const ssh_key key, break; case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA1: - sig->type_c = ssh_key_signature_to_char(key->type, hash_type); sig->rsa_sig = _RSA_do_sign_hash(hash, hlen, key->rsa, hash_type); if (sig->rsa_sig == NULL) { ssh_signature_free(sig); return NULL; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_OPENSSL_ECC sig->ecdsa_sig = ECDSA_do_sign(hash, hlen, key->ecdsa); if (sig->ecdsa_sig == NULL) { diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c index cf9ac781..0e55078c 100644 --- a/src/pki_gcrypt.c +++ b/src/pki_gcrypt.c @@ -427,7 +427,9 @@ static ssh_buffer privatekey_string_to_buffer(const char *pkey, int type, header_begin = RSA_HEADER_BEGIN; header_end = RSA_HEADER_END; break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: header_begin = ECDSA_HEADER_BEGIN; header_end = ECDSA_HEADER_END; break; @@ -737,6 +739,24 @@ static int pki_key_ecdsa_to_nid(gcry_sexp_t k) return -1; } +static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(gcry_sexp_t k) +{ + static int nid; + + nid = pki_key_ecdsa_to_nid(k); + + switch (nid) { + case NID_gcrypt_nistp256: + return SSH_KEYTYPE_ECDSA_P256; + case NID_gcrypt_nistp384: + return SSH_KEYTYPE_ECDSA_P384; + case NID_gcrypt_nistp521: + return SSH_KEYTYPE_ECDSA_P521; + default: + return SSH_KEYTYPE_UNKNOWN; + } +} + static const char *pki_key_ecdsa_nid_to_gcrypt_name(int nid) { switch (nid) { @@ -843,7 +863,7 @@ static int b64decode_ecdsa_privatekey(const char *pkey, gcry_sexp_t *r, int ok; buffer = privatekey_string_to_buffer(pkey, - SSH_KEYTYPE_ECDSA, + SSH_KEYTYPE_ECDSA_P256, cb, userdata, desc); @@ -978,7 +998,9 @@ ssh_key pki_private_key_from_base64(const char *b64_key, goto fail; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #if HAVE_GCRYPT_ECC if (passphrase == NULL) { if (auth_fn != NULL) { @@ -1006,6 +1028,14 @@ ssh_key pki_private_key_from_base64(const char *b64_key, SSH_LOG(SSH_LOG_WARN, "Parsing private key"); goto fail; } + + /* pki_privatekey_type_from_string always returns P256 for ECDSA + * keys, so we need to figure out the correct type here */ + type = pki_key_ecdsa_to_key_type(ecdsa); + if (type == SSH_KEYTYPE_UNKNOWN) { + SSH_LOG(SSH_LOG_WARN, "Invalid private key."); + goto fail; + } break; #endif case SSH_KEYTYPE_ED25519: @@ -1029,9 +1059,8 @@ ssh_key pki_private_key_from_base64(const char *b64_key, key->rsa = rsa; key->ecdsa = ecdsa; #ifdef HAVE_GCRYPT_ECC - if (key->type == SSH_KEYTYPE_ECDSA) { + if (is_ecdsa_key_type(key->type)) { key->ecdsa_nid = pki_key_ecdsa_to_nid(key->ecdsa); - key->type_c = pki_key_ecdsa_nid_to_name(key->ecdsa_nid); } #endif @@ -1256,7 +1285,9 @@ ssh_key pki_key_dup(const ssh_key key, int demote) } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC new->ecdsa_nid = key->ecdsa_nid; @@ -1336,7 +1367,9 @@ static int pki_key_generate(ssh_key key, int parameter, const char *type_s, int case SSH_KEYTYPE_DSS: rc = gcry_pk_genkey(&key->dsa, parms); break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: rc = gcry_pk_genkey(&key->ecdsa, parms); break; default: @@ -1357,22 +1390,24 @@ int pki_key_generate_dss(ssh_key key, int parameter){ #ifdef HAVE_GCRYPT_ECC int pki_key_generate_ecdsa(ssh_key key, int parameter) { - int nid; - switch (parameter) { case 384: - nid = NID_gcrypt_nistp384; - break; + key->ecdsa_nid = NID_gcrypt_nistp384; + key->type = SSH_KEYTYPE_ECDSA_P384; + return pki_key_generate(key, parameter, "ecdsa", + SSH_KEYTYPE_ECDSA_P384); case 521: - nid = NID_gcrypt_nistp521; - break; + key->ecdsa_nid = NID_gcrypt_nistp521; + key->type = SSH_KEYTYPE_ECDSA_P521; + return pki_key_generate(key, parameter, "ecdsa", + SSH_KEYTYPE_ECDSA_P521); case 256: default: - nid = NID_gcrypt_nistp256; + key->ecdsa_nid = NID_gcrypt_nistp256; + key->type = SSH_KEYTYPE_ECDSA_P256; + return pki_key_generate(key, parameter, "ecdsa", + SSH_KEYTYPE_ECDSA_P256); } - - key->ecdsa_nid = nid; - return pki_key_generate(key, parameter, "ecdsa", SSH_KEYTYPE_ECDSA); } #endif @@ -1471,7 +1506,9 @@ int pki_key_compare(const ssh_key k1, case SSH_KEYTYPE_ED25519: /* ed25519 keys handled globaly */ return 0; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC if (k1->ecdsa_nid != k2->ecdsa_nid) { return 1; @@ -1488,6 +1525,7 @@ int pki_key_compare(const ssh_key k1, #endif case SSH_KEYTYPE_DSS_CERT01: case SSH_KEYTYPE_RSA_CERT01: + case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_UNKNOWN: return 1; @@ -1634,7 +1672,9 @@ ssh_string pki_publickey_to_blob(const ssh_key key) goto fail; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC type_s = ssh_string_from_char( pki_key_ecdsa_nid_to_char(key->ecdsa_nid)); @@ -1788,7 +1828,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) case SSH_KEYTYPE_ED25519: sig_blob = pki_ed25519_sig_to_blob(sig); break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC { ssh_string R; @@ -1877,8 +1919,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, } sig->type = type; + sig->type_c = ssh_key_signature_to_char(type, hash_type); sig->hash_type = hash_type; - sig->type_c = pubkey->type_c; /* for all types but RSA */ len = ssh_string_len(sig_blob); @@ -1944,7 +1986,6 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, ssh_signature_free(sig); return NULL; } - sig->type_c = ssh_key_signature_to_char(type, hash_type); break; case SSH_KEYTYPE_ED25519: rc = pki_ed25519_sig_from_blob(sig, sig_blob); @@ -1953,7 +1994,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, return NULL; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC { /* build ecdsa siganature */ ssh_buffer b; @@ -2138,7 +2181,9 @@ int pki_signature_verify(ssh_session session, return SSH_ERROR; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC err = gcry_sexp_build(&sexp, NULL, @@ -2198,8 +2243,8 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, return NULL; } sig->type = privkey->type; + sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); sig->hash_type = hash_type; - sig->type_c = privkey->type_c; switch (privkey->type) { case SSH_KEYTYPE_DSS: /* That is to mark the number as positive */ @@ -2224,7 +2269,6 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, } break; case SSH_KEYTYPE_RSA: - sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); switch (hash_type) { case SSH_DIGEST_SHA1: case SSH_DIGEST_AUTO: @@ -2265,7 +2309,9 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, return NULL; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC err = gcry_sexp_build(&sexp, NULL, @@ -2319,7 +2365,7 @@ ssh_signature pki_do_sign_sessionid_hash(const ssh_key key, } sig->type = key->type; - sig->type_c = key->type_c; + sig->type_c = ssh_key_signature_to_char(key->type, hash_type); switch(key->type) { case SSH_KEYTYPE_DSS: @@ -2344,7 +2390,6 @@ ssh_signature pki_do_sign_sessionid_hash(const ssh_key key, } break; case SSH_KEYTYPE_RSA: - sig->type_c = ssh_key_signature_to_char(key->type, hash_type); switch (hash_type) { case SSH_DIGEST_SHA1: hash_c = "sha1"; @@ -2378,7 +2423,9 @@ ssh_signature pki_do_sign_sessionid_hash(const ssh_key key, break; case SSH_KEYTYPE_ED25519: /* ED25519 handled in caller */ - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: #ifdef HAVE_GCRYPT_ECC err = gcry_sexp_build(&sexp, NULL, diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c index 57a4ffae..0e7437bd 100644 --- a/src/pki_mbedcrypto.c +++ b/src/pki_mbedcrypto.c @@ -61,6 +61,24 @@ static int pki_key_ecdsa_to_nid(mbedtls_ecdsa_context *ecdsa) return -1; } +static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(mbedtls_ecdsa_context *ecdsa) +{ + static int nid; + + nid = pki_key_ecdsa_to_nid(ecdsa); + + switch (nid) { + case NID_mbedtls_nistp256: + return SSH_KEYTYPE_ECDSA_P256; + case NID_mbedtls_nistp384: + return SSH_KEYTYPE_ECDSA_P384; + case NID_mbedtls_nistp521: + return SSH_KEYTYPE_ECDSA_P521; + default: + return SSH_KEYTYPE_UNKNOWN; + } +} + ssh_key pki_private_key_from_base64(const char *b64_key, const char *passphrase, ssh_auth_callback auth_fn, void *auth_data) { @@ -121,7 +139,9 @@ ssh_key pki_private_key_from_base64(const char *b64_key, const char *passphrase, goto fail; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: ecdsa = malloc(sizeof(mbedtls_pk_context)); if (ecdsa == NULL) { return NULL; @@ -173,10 +193,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key, const char *passphrase, goto fail; } - key->type = type; - key->type_c = ssh_key_type_to_char(type); - key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC; - key->rsa = rsa; if (ecdsa != NULL) { mbedtls_ecp_keypair *keypair = mbedtls_pk_ec(*ecdsa); @@ -189,16 +205,27 @@ ssh_key pki_private_key_from_base64(const char *b64_key, const char *passphrase, mbedtls_ecdsa_from_keypair(key->ecdsa, keypair); mbedtls_pk_free(ecdsa); SAFE_FREE(ecdsa); + + key->ecdsa_nid = pki_key_ecdsa_to_nid(key->ecdsa); + + /* pki_privatekey_type_from_string always returns P256 for ECDSA + * keys, so we need to figure out the correct type here */ + type = pki_key_ecdsa_to_key_type(key->ecdsa); + if (type == SSH_KEYTYPE_UNKNOWN) { + SSH_LOG(SSH_LOG_WARN, "Invalid private key."); + goto fail; + } } else { key->ecdsa = NULL; } + + key->type = type; + key->type_c = ssh_key_type_to_char(type); + key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC; + key->rsa = rsa; key->ed25519_privkey = ed25519; rsa = NULL; ecdsa = NULL; - if (key->type == SSH_KEYTYPE_ECDSA) { - key->ecdsa_nid = pki_key_ecdsa_to_nid(key->ecdsa); - key->type_c = pki_key_ecdsa_nid_to_name(key->ecdsa_nid); - } return key; fail: @@ -401,7 +428,9 @@ ssh_key pki_key_dup(const ssh_key key, int demote) break; } - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: new->ecdsa_nid = key->ecdsa_nid; new->ecdsa = malloc(sizeof(mbedtls_ecdsa_context)); @@ -511,7 +540,9 @@ int pki_key_compare(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what) } break; } - case SSH_KEYTYPE_ECDSA: { + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { mbedtls_ecp_keypair *ecdsa1 = k1->ecdsa; mbedtls_ecp_keypair *ecdsa2 = k2->ecdsa; @@ -678,27 +709,9 @@ ssh_string pki_publickey_to_blob(const ssh_key key) break; } - case SSH_KEYTYPE_ECDSA: - rc = ssh_buffer_reinit(buffer); - if (rc < 0) { - ssh_buffer_free(buffer); - return NULL; - } - - type_s = - ssh_string_from_char(pki_key_ecdsa_nid_to_name(key->ecdsa_nid)); - if (type_s == NULL) { - ssh_buffer_free(buffer); - return NULL; - } - - rc = ssh_buffer_add_ssh_string(buffer, type_s); - ssh_string_free(type_s); - if (rc < 0) { - ssh_buffer_free(buffer); - return NULL; - } - + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: type_s = ssh_string_from_char(pki_key_ecdsa_nid_to_char(key->ecdsa_nid)); if (type_s == NULL) { @@ -773,7 +786,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) case SSH_KEYTYPE_RSA: sig_blob = ssh_string_copy(sig->rsa_sig); break; - case SSH_KEYTYPE_ECDSA: { + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { ssh_string r; ssh_string s; ssh_buffer b; @@ -911,8 +926,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, } sig->type = type; + sig->type_c = ssh_key_signature_to_char(type, hash_type); sig->hash_type = hash_type; - sig->type_c = pubkey->type_c; /* for all types but RSA */ switch(type) { case SSH_KEYTYPE_RSA: @@ -920,9 +935,10 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, if (sig == NULL) { return NULL; } - sig->type_c = ssh_key_signature_to_char(type, hash_type); break; - case SSH_KEYTYPE_ECDSA: { + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { ssh_buffer b; ssh_string r; ssh_string s; @@ -1050,7 +1066,9 @@ int pki_signature_verify(ssh_session session, const ssh_signature sig, const return SSH_ERROR; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: rc = mbedtls_ecdsa_verify(&key->ecdsa->grp, hash, hlen, &key->ecdsa->Q, sig->ecdsa_sig.r, sig->ecdsa_sig.s); if (rc != 0) { @@ -1157,19 +1175,20 @@ ssh_signature pki_do_sign_hash(const ssh_key privkey, } sig->type = privkey->type; + sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); sig->hash_type = hash_type; - sig->type_c = privkey->type_c; switch(privkey->type) { case SSH_KEYTYPE_RSA: - sig->type_c = ssh_key_signature_to_char(privkey->type, hash_type); sig->rsa_sig = rsa_do_sign_hash(hash, hlen, privkey->rsa, hash_type); if (sig->rsa_sig == NULL) { ssh_signature_free(sig); return NULL; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: sig->ecdsa_sig.r = bignum_new(); if (sig->ecdsa_sig.r == NULL) { return NULL; @@ -1231,18 +1250,19 @@ ssh_signature pki_do_sign_sessionid_hash(const ssh_key key, } sig->type = key->type; - sig->type_c = key->type_c; + sig->type_c = ssh_key_signature_to_char(key->type, hash_type); switch (key->type) { case SSH_KEYTYPE_RSA: - sig->type_c = ssh_key_signature_to_char(key->type, hash_type); sig->rsa_sig = rsa_do_sign_hash(hash, hlen, key->rsa, hash_type); if (sig->rsa_sig == NULL) { ssh_signature_free(sig); return NULL; } break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: sig->ecdsa_sig.r = bignum_new(); if (sig->ecdsa_sig.r == NULL) { return NULL; @@ -1452,26 +1472,24 @@ fail: int pki_key_generate_ecdsa(ssh_key key, int parameter) { - int nid; int ok; switch (parameter) { case 384: - nid = NID_mbedtls_nistp384; + key->ecdsa_nid = NID_mbedtls_nistp384; + key->type = SSH_KEYTYPE_ECDSA_P384; break; case 521: - nid = NID_mbedtls_nistp521; + key->ecdsa_nid = NID_mbedtls_nistp521; + key->type = SSH_KEYTYPE_ECDSA_P521; break; case 256: default: - nid = NID_mbedtls_nistp256; + key->ecdsa_nid = NID_mbedtls_nistp256; + key->type = SSH_KEYTYPE_ECDSA_P256; break; } - key->ecdsa_nid = nid; - key->type = SSH_KEYTYPE_ECDSA; - key->type_c = pki_key_ecdsa_nid_to_name(nid); - key->ecdsa = malloc(sizeof(mbedtls_ecdsa_context)); if (key->ecdsa == NULL) { return SSH_ERROR; @@ -1480,7 +1498,7 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter) mbedtls_ecdsa_init(key->ecdsa); ok = mbedtls_ecdsa_genkey(key->ecdsa, - pki_key_ecdsa_nid_to_mbed_gid(nid), + pki_key_ecdsa_nid_to_mbed_gid(key->ecdsa_nid), mbedtls_ctr_drbg_random, ssh_get_mbedtls_ctr_drbg_context()); diff --git a/src/server.c b/src/server.c index 6a6071ad..91de94a5 100644 --- a/src/server.c +++ b/src/server.c @@ -242,7 +242,9 @@ int ssh_get_key_params(ssh_session session, ssh_key *privkey){ case SSH_KEYTYPE_RSA: *privkey = session->srv.rsa_key; break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: *privkey = session->srv.ecdsa_key; break; case SSH_KEYTYPE_ED25519: diff --git a/tests/client/torture_knownhosts_verify.c b/tests/client/torture_knownhosts_verify.c index 2a2b32d0..c9f4f633 100644 --- a/tests/client/torture_knownhosts_verify.c +++ b/tests/client/torture_knownhosts_verify.c @@ -161,15 +161,15 @@ static void torture_knownhosts_precheck(void **state) assert_non_null(file); fprintf(file, "127.0.0.10 %s\n", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); fprintf(file, "127.0.0.10 %s\n", - torture_get_testkey_pub(SSH_KEYTYPE_ED25519, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_ED25519)); fprintf(file, "127.0.0.10 %s\n", - torture_get_testkey_pub(SSH_KEYTYPE_ECDSA, 521)); + torture_get_testkey_pub(SSH_KEYTYPE_ECDSA_P521)); fclose(file); @@ -229,7 +229,7 @@ static void torture_knownhosts_other(void **state) assert_non_null(file); fprintf(file, "127.0.0.10 %s\n", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); fclose(file); rc = ssh_connect(session); diff --git a/tests/server/torture_server.c b/tests/server/torture_server.c index 25742645..19dda32c 100644 --- a/tests/server/torture_server.c +++ b/tests/server/torture_server.c @@ -109,28 +109,28 @@ static int setup_default_server(void **state) "%s/sshd/ssh_host_ed25519_key", s->socket_dir); torture_write_file(ed25519_hostkey, - torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); #ifdef HAVE_DSA snprintf(dsa_hostkey, sizeof(dsa_hostkey), "%s/sshd/ssh_host_dsa_key", s->socket_dir); - torture_write_file(dsa_hostkey, torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_write_file(dsa_hostkey, torture_get_testkey(SSH_KEYTYPE_DSS, 0)); #endif /* HAVE_DSA */ snprintf(rsa_hostkey, sizeof(rsa_hostkey), "%s/sshd/ssh_host_rsa_key", s->socket_dir); - torture_write_file(rsa_hostkey, torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_write_file(rsa_hostkey, torture_get_testkey(SSH_KEYTYPE_RSA, 0)); snprintf(ecdsa_hostkey, sizeof(ecdsa_hostkey), "%s/sshd/ssh_host_ecdsa_key", s->socket_dir); torture_write_file(ecdsa_hostkey, - torture_get_testkey(SSH_KEYTYPE_ECDSA, 521, 0)); + torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); sftp_server = getenv("TORTURE_SFTP_SERVER"); if (sftp_server == NULL) { @@ -449,7 +449,7 @@ static void torture_server_hostkey_mismatch(void **state) assert_non_null(file); fprintf(file, "127.0.0.10 %s\n", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); fclose(file); rc = ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, known_hosts_file); diff --git a/tests/server/torture_server_auth_kbdint.c b/tests/server/torture_server_auth_kbdint.c index 829a8715..9cb9a20c 100644 --- a/tests/server/torture_server_auth_kbdint.c +++ b/tests/server/torture_server_auth_kbdint.c @@ -551,7 +551,7 @@ static int setup_kbdint_server(void **state) "%s/sshd/ssh_host_ed25519_key", s->socket_dir); torture_write_file(ed25519_hostkey, - torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); /* Create the server state */ ss = (struct server_state_st *)calloc(1, sizeof(struct server_state_st)); diff --git a/tests/torture.c b/tests/torture.c index 73ef8faf..6d37e7a2 100644 --- a/tests/torture.c +++ b/tests/torture.c @@ -373,7 +373,9 @@ ssh_bind torture_ssh_bind(const char *addr, case SSH_KEYTYPE_RSA: opts = SSH_BIND_OPTIONS_RSAKEY; break; - case SSH_KEYTYPE_ECDSA: + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: opts = SSH_BIND_OPTIONS_ECDSAKEY; break; default: @@ -714,16 +716,15 @@ static void torture_setup_create_sshd_config(void **state, bool pam) if (!written) { torture_write_file(ed25519_hostkey, - torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, - 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); #ifdef HAVE_DSA torture_write_file(dsa_hostkey, - torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_DSS, 0)); #endif /* HAVE_DSA */ torture_write_file(rsa_hostkey, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_RSA, 0)); torture_write_file(ecdsa_hostkey, - torture_get_testkey(SSH_KEYTYPE_ECDSA, 521, 0)); + torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); torture_write_file(trusted_ca_pubkey, torture_rsa_certauth_pub); } diff --git a/tests/torture_key.c b/tests/torture_key.c index 2ad9585c..d8a7fae5 100644 --- a/tests/torture_key.c +++ b/tests/torture_key.c @@ -497,7 +497,6 @@ static const char torture_ed25519_public_testkey[] = "BU6Nh3PmAiqX aris@kalix86"; static const char *torture_get_testkey_internal(enum ssh_keytypes_e type, - int bits, bool with_passphrase, int pubkey, int format) @@ -529,35 +528,33 @@ static const char *torture_get_testkey_internal(enum ssh_keytypes_e type, return torture_rsa_private_openssh_testkey; } return torture_rsa_private_testkey; - case SSH_KEYTYPE_ECDSA: - if (bits == 521) { - if (pubkey) { - return torture_ecdsa521_public_testkey; - } else if (with_passphrase) { - if (format == 1) { - return torture_ecdsa521_private_openssh_testkey_passphrase; - } - return torture_ecdsa521_private_testkey_passphrase; - } + case SSH_KEYTYPE_ECDSA_P521: + if (pubkey) { + return torture_ecdsa521_public_testkey; + } else if (with_passphrase) { if (format == 1) { - return torture_ecdsa521_private_openssh_testkey; + return torture_ecdsa521_private_openssh_testkey_passphrase; } - return torture_ecdsa521_private_testkey; - } else if (bits == 384) { - if (pubkey) { - return torture_ecdsa384_public_testkey; - } else if (with_passphrase){ - if (format == 1) { - return torture_ecdsa384_private_openssh_testkey_passphrase; - } - return torture_ecdsa384_private_testkey_passphrase; - } - if (format == 1) { - return torture_ecdsa384_private_openssh_testkey; - } - return torture_ecdsa384_private_testkey; + return torture_ecdsa521_private_testkey_passphrase; } - + if (format == 1) { + return torture_ecdsa521_private_openssh_testkey; + } + return torture_ecdsa521_private_testkey; + case SSH_KEYTYPE_ECDSA_P384: + if (pubkey) { + return torture_ecdsa384_public_testkey; + } else if (with_passphrase){ + if (format == 1) { + return torture_ecdsa384_private_openssh_testkey_passphrase; + } + return torture_ecdsa384_private_testkey_passphrase; + } + if (format == 1) { + return torture_ecdsa384_private_openssh_testkey; + } + return torture_ecdsa384_private_testkey; + case SSH_KEYTYPE_ECDSA_P256: if (pubkey) { return torture_ecdsa256_public_testkey; } else if (with_passphrase){ @@ -590,6 +587,7 @@ static const char *torture_get_testkey_internal(enum ssh_keytypes_e type, case SSH_KEYTYPE_RSA_CERT01: return torture_rsa_testkey_cert; case SSH_KEYTYPE_RSA1: + case SSH_KEYTYPE_ECDSA: case SSH_KEYTYPE_UNKNOWN: return NULL; } @@ -599,23 +597,21 @@ static const char *torture_get_testkey_internal(enum ssh_keytypes_e type, /* Return the encrypted private key in a new OpenSSH format */ const char *torture_get_openssh_testkey(enum ssh_keytypes_e type, - int ecda_bits, bool with_passphrase) { - return torture_get_testkey_internal(type, ecda_bits, with_passphrase, 0, 1); + return torture_get_testkey_internal(type, with_passphrase, 0, 1); } /* Return the private key in the legacy PEM format */ const char *torture_get_testkey(enum ssh_keytypes_e type, - int ecda_bits, bool with_passphrase) { - return torture_get_testkey_internal(type, ecda_bits, with_passphrase, 0, 0); + return torture_get_testkey_internal(type, with_passphrase, 0, 0); } -const char *torture_get_testkey_pub(enum ssh_keytypes_e type, int ecda_bits) +const char *torture_get_testkey_pub(enum ssh_keytypes_e type) { - return torture_get_testkey_internal(type, ecda_bits, 0, 1, 0); + return torture_get_testkey_internal(type, 0, 1, 0); } const char *torture_get_testkey_passphrase(void) diff --git a/tests/torture_key.h b/tests/torture_key.h index 1ae85099..961fdb96 100644 --- a/tests/torture_key.h +++ b/tests/torture_key.h @@ -30,15 +30,13 @@ /* Return the encrypted private key in a new OpenSSH format */ const char *torture_get_openssh_testkey(enum ssh_keytypes_e type, - int ecdsa_bits, bool with_passphrase); /* Return the private key in the legacy PEM format */ const char *torture_get_testkey(enum ssh_keytypes_e type, - int ecdsa_bits, bool with_passphrase); const char *torture_get_testkey_passphrase(void); -const char *torture_get_testkey_pub(enum ssh_keytypes_e type, int ecdsa_bits); +const char *torture_get_testkey_pub(enum ssh_keytypes_e type); #endif /* _TORTURE_KEY_H */ diff --git a/tests/unittests/torture_bind_config.c b/tests/unittests/torture_bind_config.c index 3ff88aea..4fcc6613 100644 --- a/tests/unittests/torture_bind_config.c +++ b/tests/unittests/torture_bind_config.c @@ -140,17 +140,17 @@ static int setup_config_files(void **state) /* For ed25519 the test keys are not available in legacy PEM format. Using * the new OpenSSH format for all algorithms */ torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0)); torture_write_file(LIBSSH_ED25519_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); #ifdef HAVE_ECC torture_write_file(LIBSSH_ECDSA_521_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA, 521, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); #endif #ifdef HAVE_DSA torture_write_file(LIBSSH_DSA_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0)); #endif torture_write_file(LIBSSH_TEST_BIND_CONFIG_LISTENADDRESS, diff --git a/tests/unittests/torture_hashes.c b/tests/unittests/torture_hashes.c index acf5405f..8bd97442 100644 --- a/tests/unittests/torture_hashes.c +++ b/tests/unittests/torture_hashes.c @@ -16,7 +16,7 @@ static int setup_rsa_key(void **state) const char *q; - b64_key = strdup(torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + b64_key = strdup(torture_get_testkey_pub(SSH_KEYTYPE_RSA)); assert_non_null(b64_key); q = p = b64_key; diff --git a/tests/unittests/torture_keyfiles.c b/tests/unittests/torture_keyfiles.c index 908624a3..aea05972 100644 --- a/tests/unittests/torture_keyfiles.c +++ b/tests/unittests/torture_keyfiles.c @@ -19,9 +19,9 @@ static int setup_rsa_key(void **state) unlink(LIBSSH_RSA_TESTKEY ".pub"); torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_RSA, 0)); torture_write_file(LIBSSH_RSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); session = ssh_new(); *state = session; @@ -38,9 +38,9 @@ static int setup_dsa_key(void **state) unlink(LIBSSH_DSA_TESTKEY ".pub"); torture_write_file(LIBSSH_DSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_DSS, 0)); torture_write_file(LIBSSH_DSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_DSS)); session = ssh_new(); *state = session; @@ -70,15 +70,15 @@ static int setup_both_keys_passphrase(void **state) ssh_session session; torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1)); + torture_get_testkey(SSH_KEYTYPE_RSA, 1)); torture_write_file(LIBSSH_RSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); #ifdef HAVE_DSA torture_write_file(LIBSSH_DSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1)); + torture_get_testkey(SSH_KEYTYPE_DSS, 1)); torture_write_file(LIBSSH_DSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_DSS)); #endif session = ssh_new(); diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c index 5c46c439..1641db79 100644 --- a/tests/unittests/torture_knownhosts_parsing.c +++ b/tests/unittests/torture_knownhosts_parsing.c @@ -132,7 +132,7 @@ static void torture_knownhosts_parse_line_ecdsa(void **state) { assert_string_equal(entry->hostname, "localhost"); assert_non_null(entry->unparsed); assert_non_null(entry->publickey); - assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ECDSA); + assert_int_equal(ssh_key_type(entry->publickey), SSH_KEYTYPE_ECDSA_P256); SSH_KNOWNHOSTS_ENTRY_FREE(entry); } diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c index a7140b7c..bfe40ce8 100644 --- a/tests/unittests/torture_options.c +++ b/tests/unittests/torture_options.c @@ -781,17 +781,17 @@ static int ssh_bind_setup_files(void **state) /* For ed25519 the test keys are not available in legacy PEM format. Using * the new OpenSSH format for all algorithms */ torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_RSA 0)); torture_write_file(LIBSSH_ED25519_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0)); #ifdef HAVE_ECC torture_write_file(LIBSSH_ECDSA_521_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA, 521, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA_P521, 0)); #endif #ifdef HAVE_DSA torture_write_file(LIBSSH_DSA_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0)); #endif torture_write_file(LIBSSH_CUSTOM_BIND_CONFIG_FILE, "Port 42\n"); @@ -867,7 +867,7 @@ static void torture_bind_options_import_key(void **state) SSH_KEY_FREE(key); /* set rsa key */ - base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0); + base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0); rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key); assert_int_equal(rc, SSH_OK); assert_non_null(key); @@ -876,7 +876,7 @@ static void torture_bind_options_import_key(void **state) assert_int_equal(rc, 0); #ifdef HAVE_DSA /* set dsa key */ - base64_key = torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0); + base64_key = torture_get_testkey(SSH_KEYTYPE_DSS, 0); rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key); assert_int_equal(rc, SSH_OK); assert_non_null(key); @@ -886,7 +886,7 @@ static void torture_bind_options_import_key(void **state) #endif #ifdef HAVE_ECC /* set ecdsa key */ - base64_key = torture_get_testkey(SSH_KEYTYPE_ECDSA, 521, 0); + base64_key = torture_get_testkey(SSH_KEYTYPE_ECDSA_P521, 0); rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key); assert_int_equal(rc, SSH_OK); assert_non_null(key); diff --git a/tests/unittests/torture_pki.c b/tests/unittests/torture_pki.c index 3888a94e..0a4b894c 100644 --- a/tests/unittests/torture_pki.c +++ b/tests/unittests/torture_pki.c @@ -57,16 +57,25 @@ struct key_attrs { }; struct key_attrs key_attrs_list[] = { - {0, 0, "", 0, 0, ""}, /* UNKNOWN */ + {0, 0, "", 0, 0, ""}, /* UNKNOWN */ #ifdef HAVE_DSA - {1, 1, "ssh-dss", 1024, 20, "ssh-dss" }, /* DSS */ + {1, 1, "ssh-dss", 1024, 20, "ssh-dss" }, /* DSS */ #else - {0, 0, "", 0, 0, ""}, /* DSS */ + {0, 0, "", 0, 0, ""}, /* DSS */ #endif - {1, 1, "ssh-rsa", 2048, 20, "ssh-rsa"}, /* RSA */ - {0, 0, "", 0, 0, ""}, /* RSA1 */ - {1, 1, "ecdsa-sha2-nistp521", 521, 64, "ecdsa-sha2-nistp521"}, /* ECDSA */ - {1, 1, "ssh-ed25519", 0, 33, "ssh-ed25519"}, /* ED25519 */ + {1, 1, "ssh-rsa", 2048, 20, "ssh-rsa"}, /* RSA */ + {0, 0, "", 0, 0, ""}, /* RSA1 */ + {0, 0, "", 0, 0, ""}, /* ECDSA */ + {1, 1, "ssh-ed25519", 0, 33, "ssh-ed25519"}, /* ED25519 */ +#ifdef HAVE_DSA + {0, 0, "", 0, 0, ""}, /* DSS CERT */ +#else + {0, 0, "", 0, 0, ""}, /* DSS CERT */ +#endif + {0, 0, "", 0, 0, ""}, /* RSA CERT */ + {1, 1, "ecdsa-sha2-nistp256", 0, 64, "ecdsa-sha2-nistp256"}, /* ECDSA P256 */ + {1, 1, "ecdsa-sha2-nistp384", 0, 64, "ecdsa-sha2-nistp384"}, /* ECDSA P384 */ + {1, 1, "ecdsa-sha2-nistp521", 0, 64, "ecdsa-sha2-nistp521"}, /* ECDSA P521 */ }; /* Maps to enum ssh_digest_e */ diff --git a/tests/unittests/torture_pki_dsa.c b/tests/unittests/torture_pki_dsa.c index d686d04a..094a07ac 100644 --- a/tests/unittests/torture_pki_dsa.c +++ b/tests/unittests/torture_pki_dsa.c @@ -49,13 +49,13 @@ static int setup_dsa_key(void **state) printf("Changed directory to: %s\n", tmp_dir); torture_write_file(LIBSSH_DSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_DSS, 0)); torture_write_file(LIBSSH_DSA_TESTKEY_PASSPHRASE, - torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1)); + torture_get_testkey(SSH_KEYTYPE_DSS, 1)); torture_write_file(LIBSSH_DSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_DSS)); torture_write_file(LIBSSH_DSA_TESTKEY "-cert.pub", - torture_get_testkey_pub(SSH_KEYTYPE_DSS_CERT01, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_DSS_CERT01)); return 0; } @@ -85,13 +85,13 @@ static int setup_openssh_dsa_key(void **state) assert_int_equal(rc, 0); torture_write_file(LIBSSH_DSA_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0)); torture_write_file(LIBSSH_DSA_TESTKEY_PASSPHRASE, - torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0, 1)); + torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 1)); torture_write_file(LIBSSH_DSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_DSS)); torture_write_file(LIBSSH_DSA_TESTKEY "-cert.pub", - torture_get_testkey_pub(SSH_KEYTYPE_DSS_CERT01, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_DSS_CERT01)); return 0; } @@ -158,7 +158,7 @@ static void torture_pki_dsa_import_privkey_base64(void **state) (void) state; /* unused */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0), passphrase, NULL, NULL, @@ -258,7 +258,7 @@ static void torture_pki_dsa_import_privkey_base64_passphrase(void **state) (void) state; /* unused */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1), passphrase, NULL, NULL, @@ -272,7 +272,7 @@ static void torture_pki_dsa_import_privkey_base64_passphrase(void **state) SSH_KEY_FREE(key); /* test if it returns -1 if passphrase is wrong */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1), "wrong passphrase !!", NULL, NULL, @@ -283,7 +283,7 @@ static void torture_pki_dsa_import_privkey_base64_passphrase(void **state) /* test if it returns -1 if passphrase is NULL */ /* libcrypto asks for a passphrase, so skip this test */ #ifndef HAVE_LIBCRYPTO - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1), NULL, NULL, NULL, @@ -292,7 +292,7 @@ static void torture_pki_dsa_import_privkey_base64_passphrase(void **state) assert_null(key); #endif - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1), passphrase, NULL, NULL, @@ -306,7 +306,7 @@ static void torture_pki_dsa_import_privkey_base64_passphrase(void **state) SSH_KEY_FREE(key); /* test if it returns -1 if passphrase is wrong */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1), "wrong passphrase !!", NULL, NULL, @@ -320,7 +320,7 @@ static void torture_pki_dsa_import_privkey_base64_passphrase(void **state) #ifndef HAVE_LIBCRYPTO /* test if it returns -1 if passphrase is NULL */ /* libcrypto asks for a passphrase, so skip this test */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 1), NULL, NULL, NULL, @@ -343,7 +343,7 @@ torture_pki_dsa_import_openssh_privkey_base64_passphrase(void **state) (void) state; /* unused */ - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 0, 1); + keystring = torture_get_openssh_testkey(SSH_KEYTYPE_DSS, 1); assert_non_null(keystring); rc = ssh_pki_import_privkey_base64(keystring, @@ -424,7 +424,7 @@ static void torture_pki_dsa_publickey_from_privatekey(void **state) (void) state; /* unused */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0, 0), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_DSS, 0), passphrase, NULL, NULL, @@ -476,7 +476,7 @@ static void torture_pki_dsa_publickey_base64(void **state) (void) state; /* unused */ - key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0)); + key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_DSS)); assert_non_null(key_buf); keylen = strlen(key_buf); @@ -550,8 +550,8 @@ static void torture_pki_dsa_generate_pubkey_from_privkey(void **state) sizeof(pubkey_generated)); assert_true(rc == 0); - len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0)); - assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_DSS, 0), + len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_DSS)); + assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_DSS), pubkey_generated, len); diff --git a/tests/unittests/torture_pki_ecdsa.c b/tests/unittests/torture_pki_ecdsa.c index 989daf55..c4d4dbdd 100644 --- a/tests/unittests/torture_pki_ecdsa.c +++ b/tests/unittests/torture_pki_ecdsa.c @@ -19,6 +19,7 @@ const unsigned char ECDSA_HASH[] = "12345678901234567890"; struct pki_st { char *cwd; char *temp_dir; + enum ssh_keytypes_e type; }; static int setup_ecdsa_key(void **state, int ecdsa_bits) @@ -47,12 +48,24 @@ static int setup_ecdsa_key(void **state, int ecdsa_bits) printf("Changed directory to: %s\n", tmp_dir); + switch (ecdsa_bits) { + case 521: + test_state->type = SSH_KEYTYPE_ECDSA_P521; + break; + case 384: + test_state->type = SSH_KEYTYPE_ECDSA_P384; + break; + default: + test_state->type = SSH_KEYTYPE_ECDSA_P256; + break; + } + torture_write_file(LIBSSH_ECDSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_ECDSA, ecdsa_bits, 0)); + torture_get_testkey(test_state->type, 0)); torture_write_file(LIBSSH_ECDSA_TESTKEY_PASSPHRASE, - torture_get_testkey(SSH_KEYTYPE_ECDSA, ecdsa_bits, 1)); + torture_get_testkey(test_state->type, 1)); torture_write_file(LIBSSH_ECDSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_ECDSA, ecdsa_bits)); + torture_get_testkey_pub(test_state->type)); return 0; } @@ -84,15 +97,25 @@ static int setup_openssh_ecdsa_key(void **state, int ecdsa_bits) printf("Changed directory to: %s\n", tmp_dir); - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA, ecdsa_bits, 0); - torture_write_file(LIBSSH_ECDSA_TESTKEY, - keystring); + switch (ecdsa_bits) { + case 521: + test_state->type = SSH_KEYTYPE_ECDSA_P521; + break; + case 384: + test_state->type = SSH_KEYTYPE_ECDSA_P384; + break; + default: + test_state->type = SSH_KEYTYPE_ECDSA_P256; + break; + } - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ECDSA, ecdsa_bits, 1); - torture_write_file(LIBSSH_ECDSA_TESTKEY_PASSPHRASE, - keystring); + keystring = torture_get_openssh_testkey(test_state->type, 0); + torture_write_file(LIBSSH_ECDSA_TESTKEY, keystring); + + keystring = torture_get_openssh_testkey(test_state->type, 1); + torture_write_file(LIBSSH_ECDSA_TESTKEY_PASSPHRASE, keystring); torture_write_file(LIBSSH_ECDSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_ECDSA, ecdsa_bits)); + torture_get_testkey_pub(test_state->type)); return 0; } @@ -249,8 +272,7 @@ static void torture_pki_ecdsa_publickey_base64(void **state) const char *q = NULL; ssh_key key = NULL; int rc; - - (void) state; /* unused */ + struct pki_st *test_state = *((struct pki_st **)state); key_buf = torture_pki_read_file(LIBSSH_ECDSA_TESTKEY ".pub"); assert_non_null(key_buf); @@ -262,7 +284,7 @@ static void torture_pki_ecdsa_publickey_base64(void **state) } type = ssh_key_type_from_name(q); - assert_true(type == SSH_KEYTYPE_ECDSA); + assert_true(type == test_state->type); q = ++p; while (p != NULL && *p != '\0' && *p != ' ') p++; @@ -427,6 +449,24 @@ static void torture_pki_generate_key_ecdsa(void **state) ssh_session session=ssh_new(); (void) state; + rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA_P256, 0, &key); + assert_true(rc == SSH_OK); + assert_non_null(key); + sign = pki_do_sign(key, ECDSA_HASH, 20); + assert_non_null(sign); + rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); + assert_true(rc == SSH_OK); + type = ssh_key_type(key); + assert_true(type == SSH_KEYTYPE_ECDSA_P256); + type_char = ssh_key_type_to_char(type); + assert_true(strcmp(type_char, "ecdsa-sha2-nistp256") == 0); + etype_char = ssh_pki_key_ecdsa_name(key); + assert_true(strcmp(etype_char, "ecdsa-sha2-nistp256") == 0); + + ssh_signature_free(sign); + SSH_KEY_FREE(key); + + /* deprecated */ rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA, 256, &key); assert_true(rc == SSH_OK); assert_non_null(key); @@ -435,15 +475,33 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); type = ssh_key_type(key); - assert_true(type == SSH_KEYTYPE_ECDSA); + assert_true(type == SSH_KEYTYPE_ECDSA_P256); type_char = ssh_key_type_to_char(type); - assert_true(strcmp(type_char, "ssh-ecdsa") == 0); + assert_true(strcmp(type_char, "ecdsa-sha2-nistp256") == 0); etype_char = ssh_pki_key_ecdsa_name(key); assert_true(strcmp(etype_char, "ecdsa-sha2-nistp256") == 0); ssh_signature_free(sign); SSH_KEY_FREE(key); + rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA_P384, 0, &key); + assert_true(rc == SSH_OK); + assert_non_null(key); + sign = pki_do_sign(key, ECDSA_HASH, 20); + assert_non_null(sign); + rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); + assert_true(rc == SSH_OK); + type = ssh_key_type(key); + assert_true(type == SSH_KEYTYPE_ECDSA_P384); + type_char = ssh_key_type_to_char(type); + assert_true(strcmp(type_char, "ecdsa-sha2-nistp384") == 0); + etype_char =ssh_pki_key_ecdsa_name(key); + assert_true(strcmp(etype_char, "ecdsa-sha2-nistp384") == 0); + + ssh_signature_free(sign); + SSH_KEY_FREE(key); + + /* deprecated */ rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA, 384, &key); assert_true(rc == SSH_OK); assert_non_null(key); @@ -452,15 +510,33 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); type = ssh_key_type(key); - assert_true(type == SSH_KEYTYPE_ECDSA); + assert_true(type == SSH_KEYTYPE_ECDSA_P384); type_char = ssh_key_type_to_char(type); - assert_true(strcmp(type_char, "ssh-ecdsa") == 0); + assert_true(strcmp(type_char, "ecdsa-sha2-nistp384") == 0); etype_char =ssh_pki_key_ecdsa_name(key); assert_true(strcmp(etype_char, "ecdsa-sha2-nistp384") == 0); ssh_signature_free(sign); SSH_KEY_FREE(key); + rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA_P521, 0, &key); + assert_true(rc == SSH_OK); + assert_non_null(key); + sign = pki_do_sign(key, ECDSA_HASH, 20); + assert_non_null(sign); + rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); + assert_true(rc == SSH_OK); + type = ssh_key_type(key); + assert_true(type == SSH_KEYTYPE_ECDSA_P521); + type_char = ssh_key_type_to_char(type); + assert_true(strcmp(type_char, "ecdsa-sha2-nistp521") == 0); + etype_char =ssh_pki_key_ecdsa_name(key); + assert_true(strcmp(etype_char, "ecdsa-sha2-nistp521") == 0); + + ssh_signature_free(sign); + SSH_KEY_FREE(key); + + /* deprecated */ rc = ssh_pki_generate(SSH_KEYTYPE_ECDSA, 521, &key); assert_true(rc == SSH_OK); assert_non_null(key); @@ -469,9 +545,9 @@ static void torture_pki_generate_key_ecdsa(void **state) rc = pki_signature_verify(session,sign,key,ECDSA_HASH,20); assert_true(rc == SSH_OK); type = ssh_key_type(key); - assert_true(type == SSH_KEYTYPE_ECDSA); + assert_true(type == SSH_KEYTYPE_ECDSA_P521); type_char = ssh_key_type_to_char(type); - assert_true(strcmp(type_char, "ssh-ecdsa") == 0); + assert_true(strcmp(type_char, "ecdsa-sha2-nistp521") == 0); etype_char =ssh_pki_key_ecdsa_name(key); assert_true(strcmp(etype_char, "ecdsa-sha2-nistp521") == 0); diff --git a/tests/unittests/torture_pki_ed25519.c b/tests/unittests/torture_pki_ed25519.c index 74c54763..2141f349 100644 --- a/tests/unittests/torture_pki_ed25519.c +++ b/tests/unittests/torture_pki_ed25519.c @@ -52,13 +52,13 @@ static int setup_ed25519_key(void **state) printf("Changed directory to: %s\n", tmp_dir); - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0); + keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0); torture_write_file(LIBSSH_ED25519_TESTKEY, keystring); - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 1); + keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1); torture_write_file(LIBSSH_ED25519_TESTKEY_PASSPHRASE, keystring); torture_write_file(LIBSSH_ED25519_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_ED25519,0)); + torture_get_testkey_pub(SSH_KEYTYPE_ED25519)); return 0; } @@ -158,7 +158,6 @@ static void torture_pki_ed25519_import_export_privkey_base64(void **state) (void) state; /* unused */ rc = ssh_pki_import_privkey_base64(torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, - 0, false), passphrase, NULL, @@ -210,7 +209,7 @@ static void torture_pki_ed25519_publickey_from_privatekey(void **state) (void) state; /* unused */ - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0); + keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0); rc = ssh_pki_import_privkey_base64(keystring, passphrase, NULL, @@ -240,7 +239,7 @@ static void torture_pki_ed25519_publickey_base64(void **state) (void) state; /* unused */ - key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_ED25519, 0)); + key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_ED25519)); assert_non_null(key_buf); q = p = key_buf; @@ -305,8 +304,8 @@ static void torture_pki_ed25519_generate_pubkey_from_privkey(void **state) sizeof(pubkey_generated)); assert_true(rc == 0); - len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_ED25519, 0)); - assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_ED25519, 0), + len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_ED25519)); + assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_ED25519), pubkey_generated, len); @@ -469,7 +468,7 @@ static void torture_pki_ed25519_sign(void **state) sig = ssh_signature_new(); assert_non_null(sig); - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 0); + keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0); rc = ssh_pki_import_privkey_base64(keystring, NULL, NULL, @@ -498,7 +497,7 @@ static void torture_pki_ed25519_verify(void **state){ ssh_key pubkey = NULL; ssh_signature sig = NULL; ssh_string blob = ssh_string_new(ED25519_SIG_LEN); - char *pkey_ptr = strdup(strchr(torture_get_testkey_pub(SSH_KEYTYPE_ED25519,0), ' ') + 1); + char *pkey_ptr = strdup(strchr(torture_get_testkey_pub(SSH_KEYTYPE_ED25519), ' ') + 1); char *ptr = NULL; int rc; (void) state; @@ -531,7 +530,7 @@ static void torture_pki_ed25519_verify_bad(void **state){ ssh_key pubkey = NULL; ssh_signature sig = NULL; ssh_string blob = ssh_string_new(ED25519_SIG_LEN); - char *pkey_ptr = strdup(strchr(torture_get_testkey_pub(SSH_KEYTYPE_ED25519,0), ' ') + 1); + char *pkey_ptr = strdup(strchr(torture_get_testkey_pub(SSH_KEYTYPE_ED25519), ' ') + 1); char *ptr = NULL; int rc; int i; @@ -574,7 +573,7 @@ static void torture_pki_ed25519_import_privkey_base64_passphrase(void **state) (void) state; /* unused */ /* same for ED25519 */ - testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 1); + testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1); rc = ssh_pki_import_privkey_base64(testkey, passphrase, NULL, @@ -608,7 +607,7 @@ static void torture_pki_ed25519_privkey_dup(void **state) (void) state; /* unused */ - testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0, 1); + testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1); rc = ssh_pki_import_privkey_base64(testkey, passphrase, NULL, @@ -631,7 +630,7 @@ static void torture_pki_ed25519_pubkey_dup(void **state) { ssh_key pubkey = NULL; ssh_key dup = NULL; - const char *p = strchr(torture_get_testkey_pub(SSH_KEYTYPE_ED25519, 0), ' '); + const char *p = strchr(torture_get_testkey_pub(SSH_KEYTYPE_ED25519), ' '); char *pub_str = NULL; char *q = NULL; int rc; diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c index 2bf63fcb..af7571a1 100644 --- a/tests/unittests/torture_pki_rsa.c +++ b/tests/unittests/torture_pki_rsa.c @@ -52,13 +52,13 @@ static int setup_rsa_key(void **state) printf("Changed directory to: %s\n", tmp_dir); torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_RSA, 0)); torture_write_file(LIBSSH_RSA_TESTKEY_PASSPHRASE, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1)); + torture_get_testkey(SSH_KEYTYPE_RSA, 1)); torture_write_file(LIBSSH_RSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); torture_write_file(LIBSSH_RSA_TESTKEY "-cert.pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01)); return 0; } @@ -88,13 +88,13 @@ static int setup_openssh_rsa_key(void **state) assert_int_equal(rc, 0); torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0)); torture_write_file(LIBSSH_RSA_TESTKEY_PASSPHRASE, - torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0, 1)); + torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 1)); torture_write_file(LIBSSH_RSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); torture_write_file(LIBSSH_RSA_TESTKEY "-cert.pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01)); return 0; } @@ -161,7 +161,7 @@ static void torture_pki_rsa_import_privkey_base64_NULL_key(void **state) (void) state; /* unused */ /* test if it returns -1 if key is NULL */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0), passphrase, NULL, NULL, @@ -224,7 +224,7 @@ static void torture_pki_rsa_publickey_from_privatekey(void **state) (void) state; /* unused */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0), passphrase, NULL, NULL, @@ -266,7 +266,7 @@ static void torture_pki_rsa_copy_cert_to_privkey(void **state) assert_true(rc == SSH_OK); assert_non_null(pubkey); - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0), passphrase, NULL, NULL, @@ -333,7 +333,7 @@ static void torture_pki_rsa_publickey_base64(void **state) (void) state; /* unused */ - key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_RSA)); assert_non_null(key_buf); q = p = key_buf; @@ -398,8 +398,8 @@ static void torture_pki_rsa_generate_pubkey_from_privkey(void **state) { sizeof(pubkey_generated)); assert_true(rc == 0); - len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); - assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0), + len = torture_pubkey_len(torture_get_testkey_pub(SSH_KEYTYPE_RSA)); + assert_memory_equal(torture_get_testkey_pub(SSH_KEYTYPE_RSA), pubkey_generated, len); @@ -641,7 +641,7 @@ static void torture_pki_rsa_import_privkey_base64_passphrase(void **state) (void) state; /* unused */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 1), passphrase, NULL, NULL, @@ -655,7 +655,7 @@ static void torture_pki_rsa_import_privkey_base64_passphrase(void **state) SSH_KEY_FREE(key); /* test if it returns -1 if passphrase is wrong */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 1), "wrong passphrase !!", NULL, NULL, @@ -666,7 +666,7 @@ static void torture_pki_rsa_import_privkey_base64_passphrase(void **state) #ifndef HAVE_LIBCRYPTO /* test if it returns -1 if passphrase is NULL */ /* libcrypto asks for a passphrase, so skip this test */ - rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1), + rc = ssh_pki_import_privkey_base64(torture_get_testkey(SSH_KEYTYPE_RSA, 1), NULL, NULL, NULL, @@ -686,7 +686,7 @@ torture_pki_rsa_import_openssh_privkey_base64_passphrase(void **state) (void) state; /* unused */ - keystring = torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 0, 1); + keystring = torture_get_openssh_testkey(SSH_KEYTYPE_RSA, 1); assert_non_null(keystring); rc = ssh_pki_import_privkey_base64(keystring, diff --git a/tests/unittests/torture_server_x11.c b/tests/unittests/torture_server_x11.c index 236ead9e..72314c5a 100644 --- a/tests/unittests/torture_server_x11.c +++ b/tests/unittests/torture_server_x11.c @@ -40,8 +40,8 @@ static int setup(void **state) { assert_return_code(h->fd, errno); close(h->fd); - h->key_type = SSH_KEYTYPE_ECDSA; - h->hostkey = torture_get_testkey(h->key_type, 0, 0); + h->key_type = SSH_KEYTYPE_ECDSA_P256; + h->hostkey = torture_get_testkey(h->key_type, 0); torture_write_file(h->hostkey_path, h->hostkey); diff --git a/tests/unittests/torture_threads_pki_rsa.c b/tests/unittests/torture_threads_pki_rsa.c index 112afb24..e333da3b 100644 --- a/tests/unittests/torture_threads_pki_rsa.c +++ b/tests/unittests/torture_threads_pki_rsa.c @@ -98,13 +98,13 @@ static int setup_rsa_key(void **state) printf("Changed directory to: %s\n", tmp_dir); torture_write_file(LIBSSH_RSA_TESTKEY, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0)); + torture_get_testkey(SSH_KEYTYPE_RSA, 0)); torture_write_file(LIBSSH_RSA_TESTKEY_PASSPHRASE, - torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1)); + torture_get_testkey(SSH_KEYTYPE_RSA, 1)); torture_write_file(LIBSSH_RSA_TESTKEY ".pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA)); torture_write_file(LIBSSH_RSA_TESTKEY "-cert.pub", - torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01, 0)); + torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01)); return 0; } @@ -201,7 +201,7 @@ static void *thread_pki_rsa_import_privkey_base64_NULL_key(void *threadid) (void) threadid; /* unused */ - testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0); + testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0); assert_non_null(testkey); /* test if it returns -1 if key is NULL */ @@ -306,7 +306,7 @@ static void *thread_pki_rsa_publickey_from_privatekey(void *threadid) (void) threadid; /* unused */ - testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0); + testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0); rc = ssh_pki_import_privkey_base64(testkey, passphrase, NULL, @@ -362,7 +362,7 @@ static void *thread_pki_rsa_copy_cert_to_privkey(void *threadid) assert_true(rc == SSH_OK); assert_non_null(pubkey); - testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0, 0); + testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0); assert_non_null(testkey); rc = ssh_pki_import_privkey_base64(testkey, @@ -454,7 +454,7 @@ static void *thread_pki_rsa_publickey_base64(void *threadid) (void) threadid; /* unused */ - key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0)); + key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_RSA)); assert_non_null(key_buf); q = p = key_buf; @@ -636,7 +636,7 @@ static void *thread_pki_rsa_import_privkey_base64_passphrase(void *threadid) (void) threadid; /* unused */ - testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1); + testkey = torture_get_testkey(SSH_KEYTYPE_RSA, 1); assert_non_null(testkey); rc = ssh_pki_import_privkey_base64(testkey,