authordjm@openbsd.org <djm@openbsd.org>2015-07-03 03:43:18 +0000
committerDamien Miller <djm@mindrot.org>2015-07-15 15:35:09 +1000
commitc28fc62d789d860c75e23a9fa9fb250eb2beca57 (patch)
tree9b540db8aed167256bb61cd9df90dbedb31cc79d
parent564d63e1b4a9637a209d42a9d49646781fc9caef (diff)
upstream commit
delete support for legacy v00 certificates; "sure" markus@ dtucker@ Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
-rw-r--r--auth-options.c46
-rw-r--r--authfd.c4
-rw-r--r--authfile.c4
-rw-r--r--key.c6
-rw-r--r--key.h5
-rw-r--r--krl.c10
-rw-r--r--myproposal.h4
-rw-r--r--ssh-add.c5
-rw-r--r--ssh-keygen.c67
-rw-r--r--sshd.c6
-rw-r--r--sshkey.c108
-rw-r--r--sshkey.h7
12 files changed, 68 insertions, 204 deletions
diff --git a/auth-options.c b/auth-options.c
index facfc025b..e387697d3 100644
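--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.67 2015/05/01 03:20:54 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -588,35 +588,21 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
  char *cert_forced_command = NULL;
  int cert_source_address_done = 0;
 
- if (sshkey_cert_is_legacy(k)) {
- /* All options are in the one field for v00 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- } else {
- /* Separate options and extensions for v01 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- if (parse_option_list(k->cert->extensions, pw,
- OPTIONS_EXTENSIONS, 0,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- NULL, NULL) == -1)
- return -1;
- }
+ /* Separate options and extensions for v01 certs */
+ if (parse_option_list(k->cert->critical, pw,
+ OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
+ &cert_forced_command,
+ &cert_source_address_done) == -1)
+ return -1;
+ if (parse_option_list(k->cert->extensions, pw,
+ OPTIONS_EXTENSIONS, 0,
+ &cert_no_port_forwarding_flag,
+ &cert_no_agent_forwarding_flag,
+ &cert_no_x11_forwarding_flag,
+ &cert_no_pty_flag,
+ &cert_no_user_rc,
+ NULL, NULL) == -1)
+ return -1;
 
  no_port_forwarding_flag |= cert_no_port_forwarding_flag;
  no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;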
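Review bot: The comment kept at new line 591 of auth_cert_options(), `/* Separate options and extensions for v01 certs */`, still names a format distinction that this commit removes and does not explain why the two parse_option_list() calls differ. The first call passes `1` and only the forced-command and source-address outputs, the second passes `0` with `NULL, NULL` for those two, so those restrictions are taken from the critical section only. I would reword it along the lines of `/* critical section: forced command and source address; extensions: forwarding, pty and user-rc flags */` and, if the fourth argument is the fail-on-unknown switch as the 1/0 pairing suggests, say that as well. The function starts and ends outside the hunk.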
diff --git a/authfd.c b/authfd.c
index 82915a43d..eaa142648 100644
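--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.97 2015/03/26 19:32:19 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -560,10 +560,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
 #ifdef WITH_OPENSSL
  case KEY_RSA:
  case KEY_RSA_CERT:
- case KEY_RSA_CERT_V00:
  case KEY_DSA:
  case KEY_DSA_CERT:
- case KEY_DSA_CERT_V00:
  case KEY_ECDSA:
  case KEY_ECDSA_CERT:
 #endif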
diff --git a/authfile.c b/authfile.c
index 728b136a7..6ba638098 100644
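--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.114 2015/04/17 13:32:09 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.115 2015/07/03 03:43:18 djm Exp $ */
 /*
  * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
  *
@@ -467,7 +467,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
  goto out;
  }
 
- if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 ||
+ if ((r = sshkey_to_certified(key)) != 0 ||
  (r = sshkey_cert_copy(cert, key)) != 0)
  goto out;
  r = 0;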
diff --git a/key.c b/key.c
index bbe027b66..0ba98b6f3 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */ 1/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */
2/* 2/*
3 * placed in the public domain 3 * placed in the public domain
4 */ 4 */
@@ -184,11 +184,11 @@ key_demote(const Key *k)
184} 184}
185 185
186int 186int
187key_to_certified(Key *k, int legacy) 187key_to_certified(Key *k)
188{ 188{
189 int r; 189 int r;
190 190
191 if ((r = sshkey_to_certified(k, legacy)) != 0) { 191 if ((r = sshkey_to_certified(k)) != 0) {
192 fatal_on_fatal_errors(r, __func__, 0); 192 fatal_on_fatal_errors(r, __func__, 0);
193 error("%s: %s", __func__, ssh_err(r)); 193 error("%s: %s", __func__, ssh_err(r));
194 return -1; 194 return -1;
diff --git a/key.h b/key.h
index 89fd5cfdf..903bdf673 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */ 1/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -51,7 +51,6 @@ typedef struct sshkey Key;
51#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid 51#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
52#define key_is_cert sshkey_is_cert 52#define key_is_cert sshkey_is_cert
53#define key_type_plain sshkey_type_plain 53#define key_type_plain sshkey_type_plain
54#define key_cert_is_legacy sshkey_cert_is_legacy
55#define key_curve_name_to_nid sshkey_curve_name_to_nid 54#define key_curve_name_to_nid sshkey_curve_name_to_nid
56#define key_curve_nid_to_bits sshkey_curve_nid_to_bits 55#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
57#define key_curve_nid_to_name sshkey_curve_nid_to_name 56#define key_curve_nid_to_name sshkey_curve_nid_to_name
@@ -69,7 +68,7 @@ int key_read(Key *, char **);
69 68
70Key *key_generate(int, u_int); 69Key *key_generate(int, u_int);
71Key *key_from_private(const Key *); 70Key *key_from_private(const Key *);
72int key_to_certified(Key *, int); 71int key_to_certified(Key *);
73int key_drop_cert(Key *); 72int key_drop_cert(Key *);
74int key_certify(Key *, Key *); 73int key_certify(Key *, Key *);
75void key_cert_copy(const Key *, Key *); 74void key_cert_copy(const Key *, Key *);
diff --git a/krl.c b/krl.c
index a98252ef8..4075df853 100644
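--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.32 2015/06/24 23:47:23 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */
 
 #include "includes.h"
 
@@ -429,7 +429,7 @@ ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key)
  if (!sshkey_is_cert(key))
  return ssh_krl_revoke_key_sha1(krl, key);
 
- if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) {
+ if (key->cert->serial == 0) {
  return ssh_krl_revoke_cert_by_key_id(krl,
  key->cert->signature_key,
  key->cert->key_id);
@@ -1180,10 +1180,10 @@ is_cert_revoked(const struct sshkey *key, struct revoked_certs *rc)
  }
 
  /*
- * Legacy cert formats lack serial numbers. Zero serials numbers
- * are ignored (it's the default when the CA doesn't specify one).
+ * Zero serials numbers are ignored (it's the default when the
+ * CA doesn't specify one).
  */
- if (sshkey_cert_is_legacy(key) || key->cert->serial == 0)
+ if (key->cert->serial == 0)
  return 0;
 
  memset(&rs, 0, sizeof(rs));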
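Review bot: The rewritten comment in is_cert_revoked() keeps the typo `Zero serials numbers` and leaves "ignored" unexplained: the function returns 0 before the serial lookup that begins at the memset, so a certificate issued with serial 0 is never matched by serial. The ssh_krl_revoke_key() hunk shows the counterpart, where such a certificate is revoked by CA key and key ID instead. Suggested wording: `Zero serial numbers are never matched by serial (zero is the default when the CA doesn't specify one); such certs must be revoked by key ID.` Whether the key-ID check runs before this point is not visible, since is_cert_revoked() begins outside the hunk.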
diff --git a/myproposal.h b/myproposal.h
index 84b63bcd5..f0b9caa55 100644
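--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.44 2015/05/27 23:51:10 dtucker Exp $ */
+/* $OpenBSD: myproposal.h,v 1.45 2015/07/03 03:43:18 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -101,8 +101,6 @@
  "ssh-ed25519-cert-v01@openssh.com," \
  "ssh-rsa-cert-v01@openssh.com," \
  "ssh-dss-cert-v01@openssh.com," \
- "ssh-rsa-cert-v00@openssh.com," \
- "ssh-dss-cert-v00@openssh.com," \
  HOSTKEY_ECDSA_METHODS \
  "ssh-ed25519," \
  "ssh-rsa," \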
diff --git a/ssh-add.c b/ssh-add.c
index 9c8da5437..d6271d78e 100644
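--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.122 2015/03/26 12:32:38 naddy Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -302,8 +302,7 @@ add_file(int agent_fd, const char *filename, int key_only)
  }
 
  /* Graft with private bits */
- if ((r = sshkey_to_certified(private,
- sshkey_cert_is_legacy(cert))) != 0) {
+ if ((r = sshkey_to_certified(private)) != 0) {
  error("%s: sshkey_to_certified: %s", __func__, ssh_err(r));
  sshkey_free(cert);
  goto out;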
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8259d87e7..b546366f1 100644
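--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -239,7 +239,6 @@ ask_filename(struct passwd *pw, const char *prompt)
  name = _PATH_SSH_CLIENT_IDENTITY;
  break;
  case KEY_DSA_CERT:
- case KEY_DSA_CERT_V00:
  case KEY_DSA:
  name = _PATH_SSH_CLIENT_ID_DSA;
  break;
@@ -250,7 +249,6 @@ ask_filename(struct passwd *pw, const char *prompt)
  break;
 #endif
  case KEY_RSA_CERT:
- case KEY_RSA_CERT_V00:
  case KEY_RSA:
  name = _PATH_SSH_CLIENT_ID_RSA;
  break;
@@ -1575,25 +1573,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
  struct sshkey *ca, *public;
  char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
  FILE *f;
- int v00 = 0; /* legacy keys */
-
- if (key_type_name != NULL) {
- switch (sshkey_type_from_name(key_type_name)) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
- v00 = 1;
- break;
- case KEY_UNSPEC:
- if (strcasecmp(key_type_name, "v00") == 0) {
- v00 = 1;
- break;
- } else if (strcasecmp(key_type_name, "v01") == 0)
- break;
- /* FALLTHROUGH */
- default:
- fatal("unknown key type %s", key_type_name);
- }
- }
 
 #ifdef ENABLE_PKCS11
  pkcs11_init(1);
@@ -1630,7 +1609,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
  __func__, tmp, sshkey_type(public));
 
  /* Prepare certificate to sign */
- if ((r = sshkey_to_certified(public, v00)) != 0)
+ if ((r = sshkey_to_certified(public)) != 0)
  fatal("Could not upgrade key %s to certificate: %s",
  tmp, ssh_err(r));
  public->cert->type = cert_key_type;
@@ -1640,15 +1619,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
  public->cert->principals = plist;
  public->cert->valid_after = cert_valid_from;
  public->cert->valid_before = cert_valid_to;
- if (v00) {
- prepare_options_buf(public->cert->critical,
- OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
- } else {
- prepare_options_buf(public->cert->critical,
- OPTIONS_CRITICAL);
- prepare_options_buf(public->cert->extensions,
- OPTIONS_EXTENSIONS);
- }
+ prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
+ prepare_options_buf(public->cert->extensions,
+ OPTIONS_EXTENSIONS);
  if ((r = sshkey_from_private(ca,
  &public->cert->signature_key)) != 0)
  fatal("key_from_private (ca key): %s", ssh_err(r));
@@ -1833,7 +1806,7 @@ add_cert_option(char *opt)
 }
 
 static void
-show_options(struct sshbuf *optbuf, int v00, int in_critical)
+show_options(struct sshbuf *optbuf, int in_critical)
 {
  char *name, *arg;
  struct sshbuf *options, *option = NULL;
@@ -1848,14 +1821,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical)
  (r = sshbuf_froms(options, &option)) != 0)
  fatal("%s: buffer error: %s", __func__, ssh_err(r));
  printf(" %s", name);
- if ((v00 || !in_critical) &&
+ if (!in_critical &&
  (strcmp(name, "permit-X11-forwarding") == 0 ||
  strcmp(name, "permit-agent-forwarding") == 0 ||
  strcmp(name, "permit-port-forwarding") == 0 ||
  strcmp(name, "permit-pty") == 0 ||
  strcmp(name, "permit-user-rc") == 0))
  printf("\n");
- else if ((v00 || in_critical) &&
+ else if (in_critical &&
  (strcmp(name, "force-command") == 0 ||
  strcmp(name, "source-address") == 0)) {
  if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
@@ -1882,7 +1855,7 @@ do_show_cert(struct passwd *pw)
  struct sshkey *key;
  struct stat st;
  char *key_fp, *ca_fp;
- u_int i, v00;
+ u_int i;
  int r;
 
  if (!have_identity)
@@ -1894,7 +1867,6 @@ do_show_cert(struct passwd *pw)
  identity_file, ssh_err(r));
  if (!sshkey_is_cert(key))
  fatal("%s is not a certificate", identity_file);
- v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
 
  key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
  ca_fp = sshkey_fingerprint(key->cert->signature_key,
@@ -1909,10 +1881,7 @@ do_show_cert(struct passwd *pw)
  printf(" Signing CA: %s %s\n",
  sshkey_type(key->cert->signature_key), ca_fp);
  printf(" Key ID: \"%s\"\n", key->cert->key_id);
- if (!v00) {
- printf(" Serial: %llu\n",
- (unsigned long long)key->cert->serial);
- }
+ printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
  printf(" Valid: %s\n",
  fmt_validity(key->cert->valid_after, key->cert->valid_before));
  printf(" Principals: ");
@@ -1929,16 +1898,14 @@ do_show_cert(struct passwd *pw)
  printf("(none)\n");
  else {
  printf("\n");
- show_options(key->cert->critical, v00, 1);
+ show_options(key->cert->critical, 1);
  }
- if (!v00) {
- printf(" Extensions: ");
- if (sshbuf_len(key->cert->extensions) == 0)
- printf("(none)\n");
- else {
- printf("\n");
- show_options(key->cert->extensions, v00, 0);
- }
+ printf(" Extensions: ");
+ if (sshbuf_len(key->cert->extensions) == 0)
+ printf("(none)\n");
+ else {
+ printf("\n");
+ show_options(key->cert->extensions, 0);
  }
  exit(0);
 }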
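Review bot: In do_ca_sign(), dropping the `key_type_name` switch (old lines 1578-1596) also drops the only validation of that value visible in this function: an unrecognised name used to reach `fatal("unknown key type %s", key_type_name)`, whereas the new code appears to ignore it when signing. A script that still passes the legacy v00 selector would then receive a v01 certificate with no diagnostic, unless key_type_name is checked somewhere outside these hunks. If silently accepting it is not intended, a short guard keeps the failure explicit: `if (key_type_name != NULL && strcasecmp(key_type_name, "v01") != 0)` followed by `fatal("unknown key type %s", key_type_name);`. If it is intended, a one-line comment at the top of do_ca_sign() saying that the type name is no longer consulted would help. The function continues outside the hunks shown.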
diff --git a/sshd.c b/sshd.c
index 6f8c6f2b1..15af4e8e5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.451 2015/07/03 03:43:18 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -815,8 +815,6 @@ list_hostkey_types(void)
815 if (key == NULL) 815 if (key == NULL)
816 continue; 816 continue;
817 switch (key->type) { 817 switch (key->type) {
818 case KEY_RSA_CERT_V00:
819 case KEY_DSA_CERT_V00:
820 case KEY_RSA_CERT: 818 case KEY_RSA_CERT:
821 case KEY_DSA_CERT: 819 case KEY_DSA_CERT:
822 case KEY_ECDSA_CERT: 820 case KEY_ECDSA_CERT:
@@ -843,8 +841,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
843 841
844 for (i = 0; i < options.num_host_key_files; i++) { 842 for (i = 0; i < options.num_host_key_files; i++) {
845 switch (type) { 843 switch (type) {
846 case KEY_RSA_CERT_V00:
847 case KEY_DSA_CERT_V00:
848 case KEY_RSA_CERT: 844 case KEY_RSA_CERT:
849 case KEY_DSA_CERT: 845 case KEY_DSA_CERT:
850 case KEY_ECDSA_CERT: 846 case KEY_ECDSA_CERT:
diff --git a/sshkey.c b/sshkey.c
index cfe598080..dbb16e2fd 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */ 1/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -111,10 +111,6 @@ static const struct keytype keytypes[] = {
111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */ 112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */ 113# endif /* OPENSSL_HAS_ECC */
114 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
115 KEY_RSA_CERT_V00, 0, 1 },
116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
117 KEY_DSA_CERT_V00, 0, 1 },
118#endif /* WITH_OPENSSL */ 114#endif /* WITH_OPENSSL */
119 { NULL, NULL, -1, -1, 0 } 115 { NULL, NULL, -1, -1, 0 }
120}; 116};
@@ -272,11 +268,9 @@ sshkey_size(const struct sshkey *k)
272#ifdef WITH_OPENSSL 268#ifdef WITH_OPENSSL
273 case KEY_RSA1: 269 case KEY_RSA1:
274 case KEY_RSA: 270 case KEY_RSA:
275 case KEY_RSA_CERT_V00:
276 case KEY_RSA_CERT: 271 case KEY_RSA_CERT:
277 return BN_num_bits(k->rsa->n); 272 return BN_num_bits(k->rsa->n);
278 case KEY_DSA: 273 case KEY_DSA:
279 case KEY_DSA_CERT_V00:
280 case KEY_DSA_CERT: 274 case KEY_DSA_CERT:
281 return BN_num_bits(k->dsa->p); 275 return BN_num_bits(k->dsa->p);
282 case KEY_ECDSA: 276 case KEY_ECDSA:
@@ -290,18 +284,6 @@ sshkey_size(const struct sshkey *k)
290 return 0; 284 return 0;
291} 285}
292 286
293int
294sshkey_cert_is_legacy(const struct sshkey *k)
295{
296 switch (k->type) {
297 case KEY_DSA_CERT_V00:
298 case KEY_RSA_CERT_V00:
299 return 1;
300 default:
301 return 0;
302 }
303}
304
305static int 287static int
306sshkey_type_is_valid_ca(int type) 288sshkey_type_is_valid_ca(int type)
307{ 289{
@@ -329,10 +311,8 @@ int
329sshkey_type_plain(int type) 311sshkey_type_plain(int type)
330{ 312{
331 switch (type) { 313 switch (type) {
332 case KEY_RSA_CERT_V00:
333 case KEY_RSA_CERT: 314 case KEY_RSA_CERT:
334 return KEY_RSA; 315 return KEY_RSA;
335 case KEY_DSA_CERT_V00:
336 case KEY_DSA_CERT: 316 case KEY_DSA_CERT:
337 return KEY_DSA; 317 return KEY_DSA;
338 case KEY_ECDSA_CERT: 318 case KEY_ECDSA_CERT:
@@ -497,7 +477,6 @@ sshkey_new(int type)
497#ifdef WITH_OPENSSL 477#ifdef WITH_OPENSSL
498 case KEY_RSA1: 478 case KEY_RSA1:
499 case KEY_RSA: 479 case KEY_RSA:
500 case KEY_RSA_CERT_V00:
501 case KEY_RSA_CERT: 480 case KEY_RSA_CERT:
502 if ((rsa = RSA_new()) == NULL || 481 if ((rsa = RSA_new()) == NULL ||
503 (rsa->n = BN_new()) == NULL || 482 (rsa->n = BN_new()) == NULL ||
@@ -510,7 +489,6 @@ sshkey_new(int type)
510 k->rsa = rsa; 489 k->rsa = rsa;
511 break; 490 break;
512 case KEY_DSA: 491 case KEY_DSA:
513 case KEY_DSA_CERT_V00:
514 case KEY_DSA_CERT: 492 case KEY_DSA_CERT:
515 if ((dsa = DSA_new()) == NULL || 493 if ((dsa = DSA_new()) == NULL ||
516 (dsa->p = BN_new()) == NULL || 494 (dsa->p = BN_new()) == NULL ||
@@ -558,7 +536,6 @@ sshkey_add_private(struct sshkey *k)
558#ifdef WITH_OPENSSL 536#ifdef WITH_OPENSSL
559 case KEY_RSA1: 537 case KEY_RSA1:
560 case KEY_RSA: 538 case KEY_RSA:
561 case KEY_RSA_CERT_V00:
562 case KEY_RSA_CERT: 539 case KEY_RSA_CERT:
563#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 540#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
564 if (bn_maybe_alloc_failed(k->rsa->d) || 541 if (bn_maybe_alloc_failed(k->rsa->d) ||
@@ -570,7 +547,6 @@ sshkey_add_private(struct sshkey *k)
570 return SSH_ERR_ALLOC_FAIL; 547 return SSH_ERR_ALLOC_FAIL;
571 break; 548 break;
572 case KEY_DSA: 549 case KEY_DSA:
573 case KEY_DSA_CERT_V00:
574 case KEY_DSA_CERT: 550 case KEY_DSA_CERT:
575 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 551 if (bn_maybe_alloc_failed(k->dsa->priv_key))
576 return SSH_ERR_ALLOC_FAIL; 552 return SSH_ERR_ALLOC_FAIL;
@@ -616,14 +592,12 @@ sshkey_free(struct sshkey *k)
616#ifdef WITH_OPENSSL 592#ifdef WITH_OPENSSL
617 case KEY_RSA1: 593 case KEY_RSA1:
618 case KEY_RSA: 594 case KEY_RSA:
619 case KEY_RSA_CERT_V00:
620 case KEY_RSA_CERT: 595 case KEY_RSA_CERT:
621 if (k->rsa != NULL) 596 if (k->rsa != NULL)
622 RSA_free(k->rsa); 597 RSA_free(k->rsa);
623 k->rsa = NULL; 598 k->rsa = NULL;
624 break; 599 break;
625 case KEY_DSA: 600 case KEY_DSA:
626 case KEY_DSA_CERT_V00:
627 case KEY_DSA_CERT: 601 case KEY_DSA_CERT:
628 if (k->dsa != NULL) 602 if (k->dsa != NULL)
629 DSA_free(k->dsa); 603 DSA_free(k->dsa);
@@ -695,13 +669,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
695 switch (a->type) { 669 switch (a->type) {
696#ifdef WITH_OPENSSL 670#ifdef WITH_OPENSSL
697 case KEY_RSA1: 671 case KEY_RSA1:
698 case KEY_RSA_CERT_V00:
699 case KEY_RSA_CERT: 672 case KEY_RSA_CERT:
700 case KEY_RSA: 673 case KEY_RSA:
701 return a->rsa != NULL && b->rsa != NULL && 674 return a->rsa != NULL && b->rsa != NULL &&
702 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 675 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
703 BN_cmp(a->rsa->n, b->rsa->n) == 0; 676 BN_cmp(a->rsa->n, b->rsa->n) == 0;
704 case KEY_DSA_CERT_V00:
705 case KEY_DSA_CERT: 677 case KEY_DSA_CERT:
706 case KEY_DSA: 678 case KEY_DSA:
707 return a->dsa != NULL && b->dsa != NULL && 679 return a->dsa != NULL && b->dsa != NULL &&
@@ -772,8 +744,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
772 744
773 switch (type) { 745 switch (type) {
774#ifdef WITH_OPENSSL 746#ifdef WITH_OPENSSL
775 case KEY_DSA_CERT_V00:
776 case KEY_RSA_CERT_V00:
777 case KEY_DSA_CERT: 747 case KEY_DSA_CERT:
778 case KEY_ECDSA_CERT: 748 case KEY_ECDSA_CERT:
779 case KEY_RSA_CERT: 749 case KEY_RSA_CERT:
@@ -1297,8 +1267,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
1297 case KEY_DSA: 1267 case KEY_DSA:
1298 case KEY_ECDSA: 1268 case KEY_ECDSA:
1299 case KEY_ED25519: 1269 case KEY_ED25519:
1300 case KEY_DSA_CERT_V00:
1301 case KEY_RSA_CERT_V00:
1302 case KEY_DSA_CERT: 1270 case KEY_DSA_CERT:
1303 case KEY_ECDSA_CERT: 1271 case KEY_ECDSA_CERT:
1304 case KEY_RSA_CERT: 1272 case KEY_RSA_CERT:
@@ -1797,7 +1765,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1797 switch (k->type) { 1765 switch (k->type) {
1798#ifdef WITH_OPENSSL 1766#ifdef WITH_OPENSSL
1799 case KEY_DSA: 1767 case KEY_DSA:
1800 case KEY_DSA_CERT_V00:
1801 case KEY_DSA_CERT: 1768 case KEY_DSA_CERT:
1802 if ((n = sshkey_new(k->type)) == NULL) 1769 if ((n = sshkey_new(k->type)) == NULL)
1803 return SSH_ERR_ALLOC_FAIL; 1770 return SSH_ERR_ALLOC_FAIL;
@@ -1829,7 +1796,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1829# endif /* OPENSSL_HAS_ECC */ 1796# endif /* OPENSSL_HAS_ECC */
1830 case KEY_RSA: 1797 case KEY_RSA:
1831 case KEY_RSA1: 1798 case KEY_RSA1:
1832 case KEY_RSA_CERT_V00:
1833 case KEY_RSA_CERT: 1799 case KEY_RSA_CERT:
1834 if ((n = sshkey_new(k->type)) == NULL) 1800 if ((n = sshkey_new(k->type)) == NULL)
1835 return SSH_ERR_ALLOC_FAIL; 1801 return SSH_ERR_ALLOC_FAIL;
@@ -1873,21 +1839,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1873 u_char *sig = NULL; 1839 u_char *sig = NULL;
1874 size_t signed_len = 0, slen = 0, kidlen = 0; 1840 size_t signed_len = 0, slen = 0, kidlen = 0;
1875 int ret = SSH_ERR_INTERNAL_ERROR; 1841 int ret = SSH_ERR_INTERNAL_ERROR;
1876 int v00 = sshkey_cert_is_legacy(key);
1877 1842
1878 /* Copy the entire key blob for verification and later serialisation */ 1843 /* Copy the entire key blob for verification and later serialisation */
1879 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1844 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1880 return ret; 1845 return ret;
1881 1846
1882 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || 1847 /* Parse body of certificate up to signature */
1848 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1883 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1849 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1884 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1850 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1885 (ret = sshbuf_froms(b, &principals)) != 0 || 1851 (ret = sshbuf_froms(b, &principals)) != 0 ||
1886 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1852 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1887 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1853 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1888 (ret = sshbuf_froms(b, &crit)) != 0 || 1854 (ret = sshbuf_froms(b, &crit)) != 0 ||
1889 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1855 (ret = sshbuf_froms(b, &exts)) != 0 ||
1890 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
1891 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1856 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1892 (ret = sshbuf_froms(b, &ca)) != 0) { 1857 (ret = sshbuf_froms(b, &ca)) != 0) {
1893 /* XXX debug print error for ret */ 1858 /* XXX debug print error for ret */
@@ -1924,9 +1889,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1924 goto out; 1889 goto out;
1925 } 1890 }
1926 oprincipals = key->cert->principals; 1891 oprincipals = key->cert->principals;
1927 key->cert->principals = realloc(key->cert->principals, 1892 key->cert->principals = reallocarray(key->cert->principals,
1928 (key->cert->nprincipals + 1) * 1893 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1929 sizeof(*key->cert->principals));
1930 if (key->cert->principals == NULL) { 1894 if (key->cert->principals == NULL) {
1931 free(principal); 1895 free(principal);
1932 key->cert->principals = oprincipals; 1896 key->cert->principals = oprincipals;
@@ -1947,7 +1911,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1947 1911
1948 /* 1912 /*
1949 * Validate critical options and extensions sections format. 1913 * Validate critical options and extensions sections format.
1950 * NB. extensions are not present in v00 certs.
1951 */ 1914 */
1952 while (sshbuf_len(crit) != 0) { 1915 while (sshbuf_len(crit) != 0) {
1953 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1916 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
@@ -2032,7 +1995,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2032 } 1995 }
2033 /* FALLTHROUGH */ 1996 /* FALLTHROUGH */
2034 case KEY_RSA: 1997 case KEY_RSA:
2035 case KEY_RSA_CERT_V00:
2036 if ((key = sshkey_new(type)) == NULL) { 1998 if ((key = sshkey_new(type)) == NULL) {
2037 ret = SSH_ERR_ALLOC_FAIL; 1999 ret = SSH_ERR_ALLOC_FAIL;
2038 goto out; 2000 goto out;
@@ -2054,7 +2016,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2054 } 2016 }
2055 /* FALLTHROUGH */ 2017 /* FALLTHROUGH */
2056 case KEY_DSA: 2018 case KEY_DSA:
2057 case KEY_DSA_CERT_V00:
2058 if ((key = sshkey_new(type)) == NULL) { 2019 if ((key = sshkey_new(type)) == NULL) {
2059 ret = SSH_ERR_ALLOC_FAIL; 2020 ret = SSH_ERR_ALLOC_FAIL;
2060 goto out; 2021 goto out;
@@ -2224,7 +2185,6 @@ sshkey_sign(const struct sshkey *key,
2224 return SSH_ERR_INVALID_ARGUMENT; 2185 return SSH_ERR_INVALID_ARGUMENT;
2225 switch (key->type) { 2186 switch (key->type) {
2226#ifdef WITH_OPENSSL 2187#ifdef WITH_OPENSSL
2227 case KEY_DSA_CERT_V00:
2228 case KEY_DSA_CERT: 2188 case KEY_DSA_CERT:
2229 case KEY_DSA: 2189 case KEY_DSA:
2230 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2190 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
@@ -2233,7 +2193,6 @@ sshkey_sign(const struct sshkey *key,
2233 case KEY_ECDSA: 2193 case KEY_ECDSA:
2234 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2194 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2235# endif /* OPENSSL_HAS_ECC */ 2195# endif /* OPENSSL_HAS_ECC */
2236 case KEY_RSA_CERT_V00:
2237 case KEY_RSA_CERT: 2196 case KEY_RSA_CERT:
2238 case KEY_RSA: 2197 case KEY_RSA:
2239 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2198 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
@@ -2258,7 +2217,6 @@ sshkey_verify(const struct sshkey *key,
2258 return SSH_ERR_INVALID_ARGUMENT; 2217 return SSH_ERR_INVALID_ARGUMENT;
2259 switch (key->type) { 2218 switch (key->type) {
2260#ifdef WITH_OPENSSL 2219#ifdef WITH_OPENSSL
2261 case KEY_DSA_CERT_V00:
2262 case KEY_DSA_CERT: 2220 case KEY_DSA_CERT:
2263 case KEY_DSA: 2221 case KEY_DSA:
2264 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2222 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
@@ -2267,7 +2225,6 @@ sshkey_verify(const struct sshkey *key,
2267 case KEY_ECDSA: 2225 case KEY_ECDSA:
2268 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2226 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2269# endif /* OPENSSL_HAS_ECC */ 2227# endif /* OPENSSL_HAS_ECC */
2270 case KEY_RSA_CERT_V00:
2271 case KEY_RSA_CERT: 2228 case KEY_RSA_CERT:
2272 case KEY_RSA: 2229 case KEY_RSA:
2273 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2230 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
@@ -2303,7 +2260,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2303 2260
2304 switch (k->type) { 2261 switch (k->type) {
2305#ifdef WITH_OPENSSL 2262#ifdef WITH_OPENSSL
2306 case KEY_RSA_CERT_V00:
2307 case KEY_RSA_CERT: 2263 case KEY_RSA_CERT:
2308 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2264 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2309 goto fail; 2265 goto fail;
@@ -2317,7 +2273,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2317 goto fail; 2273 goto fail;
2318 } 2274 }
2319 break; 2275 break;
2320 case KEY_DSA_CERT_V00:
2321 case KEY_DSA_CERT: 2276 case KEY_DSA_CERT:
2322 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2277 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2323 goto fail; 2278 goto fail;
@@ -2376,27 +2331,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2376 2331
2377/* Convert a plain key to their _CERT equivalent */ 2332/* Convert a plain key to their _CERT equivalent */
2378int 2333int
2379sshkey_to_certified(struct sshkey *k, int legacy) 2334sshkey_to_certified(struct sshkey *k)
2380{ 2335{
2381 int newtype; 2336 int newtype;
2382 2337
2383 switch (k->type) { 2338 switch (k->type) {
2384#ifdef WITH_OPENSSL 2339#ifdef WITH_OPENSSL
2385 case KEY_RSA: 2340 case KEY_RSA:
2386 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 2341 newtype = KEY_RSA_CERT;
2387 break; 2342 break;
2388 case KEY_DSA: 2343 case KEY_DSA:
2389 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 2344 newtype = KEY_DSA_CERT;
2390 break; 2345 break;
2391 case KEY_ECDSA: 2346 case KEY_ECDSA:
2392 if (legacy)
2393 return SSH_ERR_INVALID_ARGUMENT;
2394 newtype = KEY_ECDSA_CERT; 2347 newtype = KEY_ECDSA_CERT;
2395 break; 2348 break;
2396#endif /* WITH_OPENSSL */ 2349#endif /* WITH_OPENSSL */
2397 case KEY_ED25519: 2350 case KEY_ED25519:
2398 if (legacy)
2399 return SSH_ERR_INVALID_ARGUMENT;
2400 newtype = KEY_ED25519_CERT; 2351 newtype = KEY_ED25519_CERT;
2401 break; 2352 break;
2402 default: 2353 default:
@@ -2448,15 +2399,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2448 2399
2449 /* -v01 certs put nonce first */ 2400 /* -v01 certs put nonce first */
2450 arc4random_buf(&nonce, sizeof(nonce)); 2401 arc4random_buf(&nonce, sizeof(nonce));
2451 if (!sshkey_cert_is_legacy(k)) { 2402 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2452 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2403 goto out;
2453 goto out;
2454 }
2455 2404
2456 /* XXX this substantially duplicates to_blob(); refactor */ 2405 /* XXX this substantially duplicates to_blob(); refactor */
2457 switch (k->type) { 2406 switch (k->type) {
2458#ifdef WITH_OPENSSL 2407#ifdef WITH_OPENSSL
2459 case KEY_DSA_CERT_V00:
2460 case KEY_DSA_CERT: 2408 case KEY_DSA_CERT:
2461 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2409 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
2462 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2410 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
@@ -2474,7 +2422,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2474 goto out; 2422 goto out;
2475 break; 2423 break;
2476# endif /* OPENSSL_HAS_ECC */ 2424# endif /* OPENSSL_HAS_ECC */
2477 case KEY_RSA_CERT_V00:
2478 case KEY_RSA_CERT: 2425 case KEY_RSA_CERT:
2479 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2426 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
2480 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2427 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
@@ -2491,13 +2438,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2491 goto out; 2438 goto out;
2492 } 2439 }
2493 2440
2494 /* -v01 certs have a serial number next */ 2441 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2495 if (!sshkey_cert_is_legacy(k)) { 2442 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2496 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
2497 goto out;
2498 }
2499
2500 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2501 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2443 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2502 goto out; 2444 goto out;
2503 2445
@@ -2513,22 +2455,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2513 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2455 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2514 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2456 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2515 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2457 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
2516 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2458 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2517 goto out; 2459 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2518 2460 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2519 /* -v01 certs have non-critical options here */
2520 if (!sshkey_cert_is_legacy(k)) {
2521 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
2522 goto out;
2523 }
2524
2525 /* -v00 certs put the nonce at the end */
2526 if (sshkey_cert_is_legacy(k)) {
2527 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2528 goto out;
2529 }
2530
2531 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2532 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2461 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2533 goto out; 2462 goto out;
2534 2463
@@ -2628,7 +2557,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2628 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2557 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2629 goto out; 2558 goto out;
2630 break; 2559 break;
2631 case KEY_RSA_CERT_V00:
2632 case KEY_RSA_CERT: 2560 case KEY_RSA_CERT:
2633 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2561 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2634 r = SSH_ERR_INVALID_ARGUMENT; 2562 r = SSH_ERR_INVALID_ARGUMENT;
@@ -2649,7 +2577,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2649 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2577 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2650 goto out; 2578 goto out;
2651 break; 2579 break;
2652 case KEY_DSA_CERT_V00:
2653 case KEY_DSA_CERT: 2580 case KEY_DSA_CERT:
2654 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2581 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2655 r = SSH_ERR_INVALID_ARGUMENT; 2582 r = SSH_ERR_INVALID_ARGUMENT;
@@ -2740,7 +2667,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2740 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2667 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2741 goto out; 2668 goto out;
2742 break; 2669 break;
2743 case KEY_DSA_CERT_V00:
2744 case KEY_DSA_CERT: 2670 case KEY_DSA_CERT:
2745 if ((r = sshkey_froms(buf, &k)) != 0 || 2671 if ((r = sshkey_froms(buf, &k)) != 0 ||
2746 (r = sshkey_add_private(k)) != 0 || 2672 (r = sshkey_add_private(k)) != 0 ||
@@ -2813,7 +2739,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2813 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2739 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2814 goto out; 2740 goto out;
2815 break; 2741 break;
2816 case KEY_RSA_CERT_V00:
2817 case KEY_RSA_CERT: 2742 case KEY_RSA_CERT:
2818 if ((r = sshkey_froms(buf, &k)) != 0 || 2743 if ((r = sshkey_froms(buf, &k)) != 0 ||
2819 (r = sshkey_add_private(k)) != 0 || 2744 (r = sshkey_add_private(k)) != 0 ||
@@ -2863,7 +2788,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2863 /* enable blinding */ 2788 /* enable blinding */
2864 switch (k->type) { 2789 switch (k->type) {
2865 case KEY_RSA: 2790 case KEY_RSA:
2866 case KEY_RSA_CERT_V00:
2867 case KEY_RSA_CERT: 2791 case KEY_RSA_CERT:
2868 case KEY_RSA1: 2792 case KEY_RSA1:
2869 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2793 if (RSA_blinding_on(k->rsa, NULL) != 1) {
diff --git a/sshkey.h b/sshkey.h
index cdac0e255..85a6968fd 100644
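--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.6 2015/05/21 04:55:51 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.7 2015/07/03 03:43:18 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -62,8 +62,6 @@ enum sshkey_types {
  KEY_DSA_CERT,
  KEY_ECDSA_CERT,
  KEY_ED25519_CERT,
- KEY_RSA_CERT_V00,
- KEY_DSA_CERT_V00,
  KEY_UNSPEC
 };
 
@@ -137,13 +135,12 @@ int sshkey_type_from_name(const char *);
 int sshkey_is_cert(const struct sshkey *);
 int sshkey_type_is_cert(int);
 int sshkey_type_plain(int);
-int sshkey_to_certified(struct sshkey *, int);
+int sshkey_to_certified(struct sshkey *);
 int sshkey_drop_cert(struct sshkey *);
 int sshkey_certify(struct sshkey *, struct sshkey *);
 int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
 int sshkey_cert_check_authority(const struct sshkey *, int, int,
  const char *, const char **);
-int sshkey_cert_is_legacy(const struct sshkey *);
 
 int sshkey_ecdsa_nid_from_name(const char *);
 int sshkey_curve_name_to_nid(const char *);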
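Review bot: Dropping `KEY_RSA_CERT_V00` and `KEY_DSA_CERT_V00` ahead of `KEY_UNSPEC` in `enum sshkey_types` lowers the numeric value of `KEY_UNSPEC` by two, assuming the enumerators take implicit values (the start of the enum is outside this hunk). That is harmless as long as the number stays inside one build, but nothing visible here shows whether a stored file or an inter-process message ever carries the raw integer. A one-line comment on the enum would record the expectation for the next person who removes a type, for example `/* numeric values are internal only; key types are identified externally by name */`, to be confirmed against the serialisation code before it is added.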