RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

delete support for legacy v00 certificates; "sure"
 markus@ dtucker@

Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
This commit is contained in:
djm@openbsd.org 2015-07-03 03:43:18 +00:00 committed by Damien Miller
parent 564d63e1b4
commit c28fc62d78
12 changed files with 68 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
auth-options.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.67 2015/05/01 03:20:54 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -588,35 +588,21 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
char *cert_forced_command = NULL;
int cert_source_address_done = 0;
if (sshkey_cert_is_legacy(k)) {
/* All options are in the one field for v00 certs */
if (parse_option_list(k->cert->critical, pw,
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
&cert_no_port_forwarding_flag,
&cert_no_agent_forwarding_flag,
&cert_no_x11_forwarding_flag,
&cert_no_pty_flag,
&cert_no_user_rc,
&cert_forced_command,
&cert_source_address_done) == -1)
return -1;
} else {
/* Separate options and extensions for v01 certs */
if (parse_option_list(k->cert->critical, pw,
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
&cert_forced_command,
&cert_source_address_done) == -1)
return -1;
if (parse_option_list(k->cert->extensions, pw,
OPTIONS_EXTENSIONS, 0,
&cert_no_port_forwarding_flag,
&cert_no_agent_forwarding_flag,
&cert_no_x11_forwarding_flag,
&cert_no_pty_flag,
&cert_no_user_rc,
NULL, NULL) == -1)
return -1;
}
/* Separate options and extensions for v01 certs */
if (parse_option_list(k->cert->critical, pw,
OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
&cert_forced_command,
&cert_source_address_done) == -1)
return -1;
if (parse_option_list(k->cert->extensions, pw,
OPTIONS_EXTENSIONS, 0,
&cert_no_port_forwarding_flag,
&cert_no_agent_forwarding_flag,
&cert_no_x11_forwarding_flag,
&cert_no_pty_flag,
&cert_no_user_rc,
NULL, NULL) == -1)
return -1;
no_port_forwarding_flag |= cert_no_port_forwarding_flag;
no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;

4
authfd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfd.c,v 1.97 2015/03/26 19:32:19 markus Exp $ */
/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -560,10 +560,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
#ifdef WITH_OPENSSL
case KEY_RSA:
case KEY_RSA_CERT:
case KEY_RSA_CERT_V00:
case KEY_DSA:
case KEY_DSA_CERT:
case KEY_DSA_CERT_V00:
case KEY_ECDSA:
case KEY_ECDSA_CERT:
#endif

4
authfile.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfile.c,v 1.114 2015/04/17 13:32:09 djm Exp $ */
/* $OpenBSD: authfile.c,v 1.115 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@ -467,7 +467,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
goto out;
}
if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 ||
if ((r = sshkey_to_certified(key)) != 0 ||
(r = sshkey_cert_copy(cert, key)) != 0)
goto out;
r = 0;

6
key.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */
/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */
/*
* placed in the public domain
*/
@ -184,11 +184,11 @@ key_demote(const Key *k)
}
int
key_to_certified(Key *k, int legacy)
key_to_certified(Key *k)
{
int r;
if ((r = sshkey_to_certified(k, legacy)) != 0) {
if ((r = sshkey_to_certified(k)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;

5
key.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */
/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -51,7 +51,6 @@ typedef struct sshkey Key;
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
#define key_is_cert sshkey_is_cert
#define key_type_plain sshkey_type_plain
#define key_cert_is_legacy sshkey_cert_is_legacy
#define key_curve_name_to_nid sshkey_curve_name_to_nid
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
#define key_curve_nid_to_name sshkey_curve_nid_to_name
@ -69,7 +68,7 @@ int key_read(Key *, char **);
Key *key_generate(int, u_int);
Key *key_from_private(const Key *);
int key_to_certified(Key *, int);
int key_to_certified(Key *);
int key_drop_cert(Key *);
int key_certify(Key *, Key *);
void key_cert_copy(const Key *, Key *);

10
krl.c
View File

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $OpenBSD: krl.c,v 1.32 2015/06/24 23:47:23 djm Exp $ */
/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */
#include "includes.h"
@ -429,7 +429,7 @@ ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key)
if (!sshkey_is_cert(key))
return ssh_krl_revoke_key_sha1(krl, key);
if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) {
if (key->cert->serial == 0) {
return ssh_krl_revoke_cert_by_key_id(krl,
key->cert->signature_key,
key->cert->key_id);
@ -1180,10 +1180,10 @@ is_cert_revoked(const struct sshkey *key, struct revoked_certs *rc)
}
/*
* Legacy cert formats lack serial numbers. Zero serials numbers
* are ignored (it's the default when the CA doesn't specify one).
* Zero serials numbers are ignored (it's the default when the
* CA doesn't specify one).
*/
if (sshkey_cert_is_legacy(key) || key->cert->serial == 0)
if (key->cert->serial == 0)
return 0;
memset(&rs, 0, sizeof(rs));

4
myproposal.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.44 2015/05/27 23:51:10 dtucker Exp $ */
/* $OpenBSD: myproposal.h,v 1.45 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -101,8 +101,6 @@
"ssh-ed25519-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
"ssh-dss-cert-v01@openssh.com," \
"ssh-rsa-cert-v00@openssh.com," \
"ssh-dss-cert-v00@openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
"ssh-rsa," \

5
ssh-add.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-add.c,v 1.122 2015/03/26 12:32:38 naddy Exp $ */
/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -302,8 +302,7 @@ add_file(int agent_fd, const char *filename, int key_only)
}
/* Graft with private bits */
if ((r = sshkey_to_certified(private,
sshkey_cert_is_legacy(cert))) != 0) {
if ((r = sshkey_to_certified(private)) != 0) {
error("%s: sshkey_to_certified: %s", __func__, ssh_err(r));
sshkey_free(cert);
goto out;

67
ssh-keygen.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -239,7 +239,6 @@ ask_filename(struct passwd *pw, const char *prompt)
name = _PATH_SSH_CLIENT_IDENTITY;
break;
case KEY_DSA_CERT:
case KEY_DSA_CERT_V00:
case KEY_DSA:
name = _PATH_SSH_CLIENT_ID_DSA;
break;
@ -250,7 +249,6 @@ ask_filename(struct passwd *pw, const char *prompt)
break;
#endif
case KEY_RSA_CERT:
case KEY_RSA_CERT_V00:
case KEY_RSA:
name = _PATH_SSH_CLIENT_ID_RSA;
break;
@ -1575,25 +1573,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
struct sshkey *ca, *public;
char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
FILE *f;
int v00 = 0; /* legacy keys */
if (key_type_name != NULL) {
switch (sshkey_type_from_name(key_type_name)) {
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT_V00:
v00 = 1;
break;
case KEY_UNSPEC:
if (strcasecmp(key_type_name, "v00") == 0) {
v00 = 1;
break;
} else if (strcasecmp(key_type_name, "v01") == 0)
break;
/* FALLTHROUGH */
default:
fatal("unknown key type %s", key_type_name);
}
}
#ifdef ENABLE_PKCS11
pkcs11_init(1);
@ -1630,7 +1609,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
__func__, tmp, sshkey_type(public));
/* Prepare certificate to sign */
if ((r = sshkey_to_certified(public, v00)) != 0)
if ((r = sshkey_to_certified(public)) != 0)
fatal("Could not upgrade key %s to certificate: %s",
tmp, ssh_err(r));
public->cert->type = cert_key_type;
@ -1640,15 +1619,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
public->cert->principals = plist;
public->cert->valid_after = cert_valid_from;
public->cert->valid_before = cert_valid_to;
if (v00) {
prepare_options_buf(public->cert->critical,
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
} else {
prepare_options_buf(public->cert->critical,
OPTIONS_CRITICAL);
prepare_options_buf(public->cert->extensions,
OPTIONS_EXTENSIONS);
}
prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
prepare_options_buf(public->cert->extensions,
OPTIONS_EXTENSIONS);
if ((r = sshkey_from_private(ca,
&public->cert->signature_key)) != 0)
fatal("key_from_private (ca key): %s", ssh_err(r));
@ -1833,7 +1806,7 @@ add_cert_option(char *opt)
}
static void
show_options(struct sshbuf *optbuf, int v00, int in_critical)
show_options(struct sshbuf *optbuf, int in_critical)
{
char *name, *arg;
struct sshbuf *options, *option = NULL;
@ -1848,14 +1821,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical)
(r = sshbuf_froms(options, &option)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
printf(" %s", name);
if ((v00 || !in_critical) &&
if (!in_critical &&
(strcmp(name, "permit-X11-forwarding") == 0 ||
strcmp(name, "permit-agent-forwarding") == 0 ||
strcmp(name, "permit-port-forwarding") == 0 ||
strcmp(name, "permit-pty") == 0 ||
strcmp(name, "permit-user-rc") == 0))
printf("\n");
else if ((v00 || in_critical) &&
else if (in_critical &&
(strcmp(name, "force-command") == 0 ||
strcmp(name, "source-address") == 0)) {
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
@ -1882,7 +1855,7 @@ do_show_cert(struct passwd *pw)
struct sshkey *key;
struct stat st;
char *key_fp, *ca_fp;
u_int i, v00;
u_int i;
int r;
if (!have_identity)
@ -1894,7 +1867,6 @@ do_show_cert(struct passwd *pw)
identity_file, ssh_err(r));
if (!sshkey_is_cert(key))
fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
ca_fp = sshkey_fingerprint(key->cert->signature_key,
@ -1909,10 +1881,7 @@ do_show_cert(struct passwd *pw)
printf(" Signing CA: %s %s\n",
sshkey_type(key->cert->signature_key), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) {
printf(" Serial: %llu\n",
(unsigned long long)key->cert->serial);
}
printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
printf(" Valid: %s\n",
fmt_validity(key->cert->valid_after, key->cert->valid_before));
printf(" Principals: ");
@ -1929,16 +1898,14 @@ do_show_cert(struct passwd *pw)
printf("(none)\n");
else {
printf("\n");
show_options(key->cert->critical, v00, 1);
show_options(key->cert->critical, 1);
}
if (!v00) {
printf(" Extensions: ");
if (sshbuf_len(key->cert->extensions) == 0)
printf("(none)\n");
else {
printf("\n");
show_options(key->cert->extensions, v00, 0);
}
printf(" Extensions: ");
if (sshbuf_len(key->cert->extensions) == 0)
printf("(none)\n");
else {
printf("\n");
show_options(key->cert->extensions, 0);
}
exit(0);
}

6
sshd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */
/* $OpenBSD: sshd.c,v 1.451 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -815,8 +815,6 @@ list_hostkey_types(void)
if (key == NULL)
continue;
switch (key->type) {
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
@ -843,8 +841,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
for (i = 0; i < options.num_host_key_files; i++) {
switch (type) {
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:

108
sshkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */
/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@ -111,10 +111,6 @@ static const struct keytype keytypes[] = {
KEY_ECDSA_CERT, NID_secp521r1, 1 },
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
{ "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
KEY_RSA_CERT_V00, 0, 1 },
{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
KEY_DSA_CERT_V00, 0, 1 },
#endif /* WITH_OPENSSL */
{ NULL, NULL, -1, -1, 0 }
};
@ -272,11 +268,9 @@ sshkey_size(const struct sshkey *k)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
return BN_num_bits(k->rsa->n);
case KEY_DSA:
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return BN_num_bits(k->dsa->p);
case KEY_ECDSA:
@ -290,18 +284,6 @@ sshkey_size(const struct sshkey *k)
return 0;
}
int
sshkey_cert_is_legacy(const struct sshkey *k)
{
switch (k->type) {
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT_V00:
return 1;
default:
return 0;
}
}
static int
sshkey_type_is_valid_ca(int type)
{
@ -329,10 +311,8 @@ int
sshkey_type_plain(int type)
{
switch (type) {
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
return KEY_RSA;
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return KEY_DSA;
case KEY_ECDSA_CERT:
@ -497,7 +477,6 @@ sshkey_new(int type)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((rsa = RSA_new()) == NULL ||
(rsa->n = BN_new()) == NULL ||
@ -510,7 +489,6 @@ sshkey_new(int type)
k->rsa = rsa;
break;
case KEY_DSA:
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((dsa = DSA_new()) == NULL ||
(dsa->p = BN_new()) == NULL ||
@ -558,7 +536,6 @@ sshkey_add_private(struct sshkey *k)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
if (bn_maybe_alloc_failed(k->rsa->d) ||
@ -570,7 +547,6 @@ sshkey_add_private(struct sshkey *k)
return SSH_ERR_ALLOC_FAIL;
break;
case KEY_DSA:
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (bn_maybe_alloc_failed(k->dsa->priv_key))
return SSH_ERR_ALLOC_FAIL;
@ -616,14 +592,12 @@ sshkey_free(struct sshkey *k)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if (k->rsa != NULL)
RSA_free(k->rsa);
k->rsa = NULL;
break;
case KEY_DSA:
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (k->dsa != NULL)
DSA_free(k->dsa);
@ -695,13 +669,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
switch (a->type) {
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return a->rsa != NULL && b->rsa != NULL &&
BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
BN_cmp(a->rsa->n, b->rsa->n) == 0;
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return a->dsa != NULL && b->dsa != NULL &&
@ -772,8 +744,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
switch (type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
@ -1297,8 +1267,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
case KEY_DSA:
case KEY_ECDSA:
case KEY_ED25519:
case KEY_DSA_CERT_V00:
case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
@ -1797,7 +1765,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((n = sshkey_new(k->type)) == NULL)
return SSH_ERR_ALLOC_FAIL;
@ -1829,7 +1796,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
case KEY_RSA1:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((n = sshkey_new(k->type)) == NULL)
return SSH_ERR_ALLOC_FAIL;
@ -1873,21 +1839,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
u_char *sig = NULL;
size_t signed_len = 0, slen = 0, kidlen = 0;
int ret = SSH_ERR_INTERNAL_ERROR;
int v00 = sshkey_cert_is_legacy(key);
/* Copy the entire key blob for verification and later serialisation */
if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
return ret;
if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) ||
/* Parse body of certificate up to signature */
if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
(ret = sshbuf_froms(b, &principals)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
(ret = sshbuf_froms(b, &crit)) != 0 ||
(!v00 && (ret = sshbuf_froms(b, &exts)) != 0) ||
(v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
(ret = sshbuf_froms(b, &exts)) != 0 ||
(ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
(ret = sshbuf_froms(b, &ca)) != 0) {
/* XXX debug print error for ret */
@ -1924,9 +1889,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
goto out;
}
oprincipals = key->cert->principals;
key->cert->principals = realloc(key->cert->principals,
(key->cert->nprincipals + 1) *
sizeof(*key->cert->principals));
key->cert->principals = reallocarray(key->cert->principals,
key->cert->nprincipals + 1, sizeof(*key->cert->principals));
if (key->cert->principals == NULL) {
free(principal);
key->cert->principals = oprincipals;
@ -1947,7 +1911,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
/*
* Validate critical options and extensions sections format.
* NB. extensions are not present in v00 certs.
*/
while (sshbuf_len(crit) != 0) {
if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
@ -2032,7 +1995,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
}
/* FALLTHROUGH */
case KEY_RSA:
case KEY_RSA_CERT_V00:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@ -2054,7 +2016,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
}
/* FALLTHROUGH */
case KEY_DSA:
case KEY_DSA_CERT_V00:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@ -2224,7 +2185,6 @@ sshkey_sign(const struct sshkey *key,
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
@ -2233,7 +2193,6 @@ sshkey_sign(const struct sshkey *key,
case KEY_ECDSA:
return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
@ -2258,7 +2217,6 @@ sshkey_verify(const struct sshkey *key,
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
@ -2267,7 +2225,6 @@ sshkey_verify(const struct sshkey *key,
case KEY_ECDSA:
return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
@ -2303,7 +2260,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
@ -2317,7 +2273,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
goto fail;
}
break;
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
@ -2376,27 +2331,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
/* Convert a plain key to their _CERT equivalent */
int
sshkey_to_certified(struct sshkey *k, int legacy)
sshkey_to_certified(struct sshkey *k)
{
int newtype;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
newtype = KEY_RSA_CERT;
break;
case KEY_DSA:
newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
newtype = KEY_DSA_CERT;
break;
case KEY_ECDSA:
if (legacy)
return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ECDSA_CERT;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
if (legacy)
return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ED25519_CERT;
break;
default:
@ -2448,15 +2399,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
/* -v01 certs put nonce first */
arc4random_buf(&nonce, sizeof(nonce));
if (!sshkey_cert_is_legacy(k)) {
if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
goto out;
}
if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
goto out;
/* XXX this substantially duplicates to_blob(); refactor */
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
(ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
@ -2474,7 +2422,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
goto out;
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
(ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
@ -2491,13 +2438,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
goto out;
}
/* -v01 certs have a serial number next */
if (!sshkey_cert_is_legacy(k)) {
if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
goto out;
}
if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
(ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
goto out;
@ -2513,22 +2455,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0)
goto out;
/* -v01 certs have non-critical options here */
if (!sshkey_cert_is_legacy(k)) {
if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
goto out;
}
/* -v00 certs put the nonce at the end */
if (sshkey_cert_is_legacy(k)) {
if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
goto out;
}
if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
(ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
(ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
goto out;
@ -2628,7 +2557,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
goto out;
break;
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
@ -2649,7 +2577,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
goto out;
break;
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
@ -2740,7 +2667,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
goto out;
break;
case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
@ -2813,7 +2739,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = rsa_generate_additional_parameters(k->rsa)) != 0)
goto out;
break;
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
@ -2863,7 +2788,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
/* enable blinding */
switch (k->type) {
case KEY_RSA:
case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA1:
if (RSA_blinding_on(k->rsa, NULL) != 1) {

7
sshkey.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.h,v 1.6 2015/05/21 04:55:51 djm Exp $ */
/* $OpenBSD: sshkey.h,v 1.7 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -62,8 +62,6 @@ enum sshkey_types {
KEY_DSA_CERT,
KEY_ECDSA_CERT,
KEY_ED25519_CERT,
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
KEY_UNSPEC
};
@ -137,13 +135,12 @@ int sshkey_type_from_name(const char *);
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
int sshkey_to_certified(struct sshkey *, int);
int sshkey_to_certified(struct sshkey *);
int sshkey_drop_cert(struct sshkey *);
int sshkey_certify(struct sshkey *, struct sshkey *);
int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
int sshkey_cert_check_authority(const struct sshkey *, int, int,
const char *, const char **);
int sshkey_cert_is_legacy(const struct sshkey *);
int sshkey_ecdsa_nid_from_name(const char *);
int sshkey_curve_name_to_nid(const char *);