upstream commit

unifdef WITH_SSH1 ok markus@ Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
author: djm@openbsd.org <djm@openbsd.org> 2017-04-30 23:10:43 +0000
committer: Damien Miller <djm@mindrot.org> 2017-05-01 09:37:40 +1000
commit: 56912dea6ef63dae4eb1194e5d88973a7c6c5740 (patch)
tree: c0425585449d257a90a42efce5f602f7ce16779f /authfd.c
parent: d4084cd230f7319056559b00db8b99296dad49d5 (diff)
1 files changed, 1 insertions, 122 deletions
diff --git a/authfd.c b/authfd.c
index a634bcb81..915a6da48 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.101 2017/04/30 23:10:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -199,43 +199,6 @@ ssh_lock_agent(int sock, int lock, const char *password)
        return r;
 }
-#ifdef WITH_SSH1
-static int
-deserialise_identity1(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
-{
-        struct sshkey *key;
-        int r, keybits;
-        u_int32_t bits;
-        char *comment = NULL;
-        if ((key = sshkey_new(KEY_RSA1)) == NULL)
-                return SSH_ERR_ALLOC_FAIL;
-        if ((r = sshbuf_get_u32(ids, &bits)) != 0 ||
-            (r = sshbuf_get_bignum1(ids, key->rsa->e)) != 0 ||
-            (r = sshbuf_get_bignum1(ids, key->rsa->n)) != 0 ||
-            (r = sshbuf_get_cstring(ids, &comment, NULL)) != 0)
-                goto out;
-        keybits = BN_num_bits(key->rsa->n);
-        /* XXX previously we just warned here. I think we should be strict */
-        if (keybits < 0 || bits != (u_int)keybits) {
-                r = SSH_ERR_KEY_BITS_MISMATCH;
-                goto out;
-        }
-        if (keyp != NULL) {
-                *keyp = key;
-                key = NULL;
-        }
-        if (commentp != NULL) {
-                *commentp = comment;
-                comment = NULL;
-        }
-        r = 0;
- out:
-        sshkey_free(key);
-        free(comment);
-        return r;
-}
-#endif
 static int
 deserialise_identity2(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
@@ -331,11 +294,6 @@ ssh_fetch_identitylist(int sock, int version, struct ssh_identitylist **idlp)
        for (i = 0; i < num;) {
                switch (version) {
                case 1:
-#ifdef WITH_SSH1
-                        if ((r = deserialise_identity1(msg,
-                            &(idl->keys[i]), &(idl->comments[i]))) != 0)
-                                goto out;
-#endif
                        break;
                case 2:
                        if ((r = deserialise_identity2(msg,
@@ -385,46 +343,6 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
 * otherwise.
 */
-#ifdef WITH_SSH1
-int
-ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
-    u_char session_id[16], u_char response[16])
-{
-        struct sshbuf *msg;
-        int r;
-        u_char type;
-        if (key->type != KEY_RSA1)
-                return SSH_ERR_INVALID_ARGUMENT;
-        if ((msg = sshbuf_new()) == NULL)
-                return SSH_ERR_ALLOC_FAIL;
-        if ((r = sshbuf_put_u8(msg, SSH_AGENTC_RSA_CHALLENGE)) != 0 ||
-            (r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 ||
-            (r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 ||
-            (r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0 ||
-            (r = sshbuf_put_bignum1(msg, challenge)) != 0 ||
-            (r = sshbuf_put(msg, session_id, 16)) != 0 ||
-            (r = sshbuf_put_u32(msg, 1)) != 0) /* Response type for proto 1.1 */
-                goto out;
-        if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-                goto out;
-        if ((r = sshbuf_get_u8(msg, &type)) != 0)
-                goto out;
-        if (agent_failed(type)) {
-                r = SSH_ERR_AGENT_FAILURE;
-                goto out;
-        } else if (type != SSH_AGENT_RSA_RESPONSE) {
-                r = SSH_ERR_INVALID_FORMAT;
-                goto out;
-        }
-        if ((r = sshbuf_get(msg, response, 16)) != 0)
-                goto out;
-        r = 0;
- out:
-        sshbuf_free(msg);
-        return r;
-}
-#endif
 /* encode signature algoritm in flag bits, so we can keep the msg format */
 static u_int
@@ -494,25 +412,6 @@ ssh_agent_sign(int sock, struct sshkey *key,
 /* Encode key for a message to the agent. */
-#ifdef WITH_SSH1
-static int
-ssh_encode_identity_rsa1(struct sshbuf *b, RSA *key, const char *comment)
-{
-        int r;
-        /* To keep within the protocol: p < q for ssh. in SSL p > q */
-        if ((r = sshbuf_put_u32(b, BN_num_bits(key->n))) != 0 ||
-            (r = sshbuf_put_bignum1(b, key->n)) != 0 ||
-            (r = sshbuf_put_bignum1(b, key->e)) != 0 ||
-            (r = sshbuf_put_bignum1(b, key->d)) != 0 ||
-            (r = sshbuf_put_bignum1(b, key->iqmp)) != 0 ||
-            (r = sshbuf_put_bignum1(b, key->q)) != 0 ||
-            (r = sshbuf_put_bignum1(b, key->p)) != 0 ||
-            (r = sshbuf_put_cstring(b, comment)) != 0)
-                return r;
-        return 0;
-}
-#endif
 static int
 ssh_encode_identity_ssh2(struct sshbuf *b, struct sshkey *key,
@@ -561,16 +460,6 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
                return SSH_ERR_ALLOC_FAIL;
        switch (key->type) {
-#ifdef WITH_SSH1
-        case KEY_RSA1:
-                type = constrained ?
-                    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
-                    SSH_AGENTC_ADD_RSA_IDENTITY;
-                if ((r = sshbuf_put_u8(msg, type)) != 0 ||
-                    (r = ssh_encode_identity_rsa1(msg, key->rsa, comment)) != 0)
-                        goto out;
-                break;
-#endif
 #ifdef WITH_OPENSSL
        case KEY_RSA:
        case KEY_RSA_CERT:
@@ -620,16 +509,6 @@ ssh_remove_identity(int sock, struct sshkey *key)
        if ((msg = sshbuf_new()) == NULL)
                return SSH_ERR_ALLOC_FAIL;
-#ifdef WITH_SSH1
-        if (key->type == KEY_RSA1) {
-                if ((r = sshbuf_put_u8(msg,
-                    SSH_AGENTC_REMOVE_RSA_IDENTITY)) != 0 ||
-                    (r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 ||
-                    (r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 ||
-                    (r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0)
-                        goto out;
-        } else
-#endif
        if (key->type != KEY_UNSPEC) {
                if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
                        goto out;
author	djm@openbsd.org <djm@openbsd.org>	2017-04-30 23:10:43 +0000
committer	Damien Miller <djm@mindrot.org>	2017-05-01 09:37:40 +1000
commit	56912dea6ef63dae4eb1194e5d88973a7c6c5740 (patch)
tree	c0425585449d257a90a42efce5f602f7ce16779f /authfd.c
parent	d4084cd230f7319056559b00db8b99296dad49d5 (diff)

diff --git a/authfd.c b/authfd.c index a634bcb81..915a6da48 100644 --- a/authfd.c +++ b/authfd.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */	1	/* $OpenBSD: authfd.c,v 1.101 2017/04/30 23:10:43 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -199,43 +199,6 @@ ssh_lock_agent(int sock, int lock, const char *password)
199	return r;	199	return r;
200	}	200	}
201		201
202	#ifdef WITH_SSH1
203	static int
204	deserialise_identity1(struct sshbuf ids, struct sshkey keyp, char *commentp)
205	{
206	struct sshkey *key;
207	int r, keybits;
208	u_int32_t bits;
209	char *comment = NULL;
210
211	if ((key = sshkey_new(KEY_RSA1)) == NULL)
212	return SSH_ERR_ALLOC_FAIL;
213	if ((r = sshbuf_get_u32(ids, &bits)) != 0 \|\|
214	(r = sshbuf_get_bignum1(ids, key->rsa->e)) != 0 \|\|
215	(r = sshbuf_get_bignum1(ids, key->rsa->n)) != 0 \|\|
216	(r = sshbuf_get_cstring(ids, &comment, NULL)) != 0)
217	goto out;
218	keybits = BN_num_bits(key->rsa->n);
219	/* XXX previously we just warned here. I think we should be strict */
220	if (keybits < 0 \|\| bits != (u_int)keybits) {
221	r = SSH_ERR_KEY_BITS_MISMATCH;
222	goto out;
223	}
224	if (keyp != NULL) {
225	*keyp = key;
226	key = NULL;
227	}
228	if (commentp != NULL) {
229	*commentp = comment;
230	comment = NULL;
231	}
232	r = 0;
233	out:
234	sshkey_free(key);
235	free(comment);
236	return r;
237	}
238	#endif
239		202
240	static int	203	static int
241	deserialise_identity2(struct sshbuf ids, struct sshkey keyp, char *commentp)	204	deserialise_identity2(struct sshbuf ids, struct sshkey keyp, char *commentp)
@@ -331,11 +294,6 @@ ssh_fetch_identitylist(int sock, int version, struct ssh_identitylist **idlp)
331	for (i = 0; i < num;) {	294	for (i = 0; i < num;) {
332	switch (version) {	295	switch (version) {
333	case 1:	296	case 1:
334	#ifdef WITH_SSH1
335	if ((r = deserialise_identity1(msg,
336	&(idl->keys[i]), &(idl->comments[i]))) != 0)
337	goto out;
338	#endif
339	break;	297	break;
340	case 2:	298	case 2:
341	if ((r = deserialise_identity2(msg,	299	if ((r = deserialise_identity2(msg,
@@ -385,46 +343,6 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
385	* otherwise.	343	* otherwise.
386	*/	344	*/
387		345
388	#ifdef WITH_SSH1
389	int
390	ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
391	u_char session_id[16], u_char response[16])
392	{
393	struct sshbuf *msg;
394	int r;
395	u_char type;
396
397	if (key->type != KEY_RSA1)
398	return SSH_ERR_INVALID_ARGUMENT;
399	if ((msg = sshbuf_new()) == NULL)
400	return SSH_ERR_ALLOC_FAIL;
401	if ((r = sshbuf_put_u8(msg, SSH_AGENTC_RSA_CHALLENGE)) != 0 \|\|
402	(r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 \|\|
403	(r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 \|\|
404	(r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0 \|\|
405	(r = sshbuf_put_bignum1(msg, challenge)) != 0 \|\|
406	(r = sshbuf_put(msg, session_id, 16)) != 0 \|\|
407	(r = sshbuf_put_u32(msg, 1)) != 0) /* Response type for proto 1.1 */
408	goto out;
409	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
410	goto out;
411	if ((r = sshbuf_get_u8(msg, &type)) != 0)
412	goto out;
413	if (agent_failed(type)) {
414	r = SSH_ERR_AGENT_FAILURE;
415	goto out;
416	} else if (type != SSH_AGENT_RSA_RESPONSE) {
417	r = SSH_ERR_INVALID_FORMAT;
418	goto out;
419	}
420	if ((r = sshbuf_get(msg, response, 16)) != 0)
421	goto out;
422	r = 0;
423	out:
424	sshbuf_free(msg);
425	return r;
426	}
427	#endif
428		346
429	/* encode signature algoritm in flag bits, so we can keep the msg format */	347	/* encode signature algoritm in flag bits, so we can keep the msg format */
430	static u_int	348	static u_int
@@ -494,25 +412,6 @@ ssh_agent_sign(int sock, struct sshkey *key,
494		412
495	/* Encode key for a message to the agent. */	413	/* Encode key for a message to the agent. */
496		414
497	#ifdef WITH_SSH1
498	static int
499	ssh_encode_identity_rsa1(struct sshbuf b, RSA key, const char *comment)
500	{
501	int r;
502
503	/* To keep within the protocol: p < q for ssh. in SSL p > q */
504	if ((r = sshbuf_put_u32(b, BN_num_bits(key->n))) != 0 \|\|
505	(r = sshbuf_put_bignum1(b, key->n)) != 0 \|\|
506	(r = sshbuf_put_bignum1(b, key->e)) != 0 \|\|
507	(r = sshbuf_put_bignum1(b, key->d)) != 0 \|\|
508	(r = sshbuf_put_bignum1(b, key->iqmp)) != 0 \|\|
509	(r = sshbuf_put_bignum1(b, key->q)) != 0 \|\|
510	(r = sshbuf_put_bignum1(b, key->p)) != 0 \|\|
511	(r = sshbuf_put_cstring(b, comment)) != 0)
512	return r;
513	return 0;
514	}
515	#endif
516		415
517	static int	416	static int
518	ssh_encode_identity_ssh2(struct sshbuf b, struct sshkey key,	417	ssh_encode_identity_ssh2(struct sshbuf b, struct sshkey key,
@@ -561,16 +460,6 @@ ssh_add_identity_constrained(int sock, struct sshkey key, const char comment,
561	return SSH_ERR_ALLOC_FAIL;	460	return SSH_ERR_ALLOC_FAIL;
562		461
563	switch (key->type) {	462	switch (key->type) {
564	#ifdef WITH_SSH1
565	case KEY_RSA1:
566	type = constrained ?
567	SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
568	SSH_AGENTC_ADD_RSA_IDENTITY;
569	if ((r = sshbuf_put_u8(msg, type)) != 0 \|\|
570	(r = ssh_encode_identity_rsa1(msg, key->rsa, comment)) != 0)
571	goto out;
572	break;
573	#endif
574	#ifdef WITH_OPENSSL	463	#ifdef WITH_OPENSSL
575	case KEY_RSA:	464	case KEY_RSA:
576	case KEY_RSA_CERT:	465	case KEY_RSA_CERT:
@@ -620,16 +509,6 @@ ssh_remove_identity(int sock, struct sshkey *key)
620	if ((msg = sshbuf_new()) == NULL)	509	if ((msg = sshbuf_new()) == NULL)
621	return SSH_ERR_ALLOC_FAIL;	510	return SSH_ERR_ALLOC_FAIL;
622		511
623	#ifdef WITH_SSH1
624	if (key->type == KEY_RSA1) {
625	if ((r = sshbuf_put_u8(msg,
626	SSH_AGENTC_REMOVE_RSA_IDENTITY)) != 0 \|\|
627	(r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 \|\|
628	(r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 \|\|
629	(r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0)
630	goto out;
631	} else
632	#endif
633	if (key->type != KEY_UNSPEC) {	512	if (key->type != KEY_UNSPEC) {
634	if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)	513	if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
635	goto out;	514	goto out;