summaryrefslogtreecommitdiff
path: root/sshkey.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-07-03 03:43:18 +0000
committerDamien Miller <djm@mindrot.org>2015-07-15 15:35:09 +1000
commitc28fc62d789d860c75e23a9fa9fb250eb2beca57 (patch)
tree9b540db8aed167256bb61cd9df90dbedb31cc79d /sshkey.c
parent564d63e1b4a9637a209d42a9d49646781fc9caef (diff)
upstream commit
delete support for legacy v00 certificates; "sure" markus@ dtucker@ Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
Diffstat (limited to 'sshkey.c')
-rw-r--r--sshkey.c108
1 files changed, 16 insertions, 92 deletions
diff --git a/sshkey.c b/sshkey.c
index cfe598080..dbb16e2fd 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */ 1/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -111,10 +111,6 @@ static const struct keytype keytypes[] = {
111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */ 112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */ 113# endif /* OPENSSL_HAS_ECC */
114 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
115 KEY_RSA_CERT_V00, 0, 1 },
116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
117 KEY_DSA_CERT_V00, 0, 1 },
118#endif /* WITH_OPENSSL */ 114#endif /* WITH_OPENSSL */
119 { NULL, NULL, -1, -1, 0 } 115 { NULL, NULL, -1, -1, 0 }
120}; 116};
@@ -272,11 +268,9 @@ sshkey_size(const struct sshkey *k)
272#ifdef WITH_OPENSSL 268#ifdef WITH_OPENSSL
273 case KEY_RSA1: 269 case KEY_RSA1:
274 case KEY_RSA: 270 case KEY_RSA:
275 case KEY_RSA_CERT_V00:
276 case KEY_RSA_CERT: 271 case KEY_RSA_CERT:
277 return BN_num_bits(k->rsa->n); 272 return BN_num_bits(k->rsa->n);
278 case KEY_DSA: 273 case KEY_DSA:
279 case KEY_DSA_CERT_V00:
280 case KEY_DSA_CERT: 274 case KEY_DSA_CERT:
281 return BN_num_bits(k->dsa->p); 275 return BN_num_bits(k->dsa->p);
282 case KEY_ECDSA: 276 case KEY_ECDSA:
@@ -290,18 +284,6 @@ sshkey_size(const struct sshkey *k)
290 return 0; 284 return 0;
291} 285}
292 286
293int
294sshkey_cert_is_legacy(const struct sshkey *k)
295{
296 switch (k->type) {
297 case KEY_DSA_CERT_V00:
298 case KEY_RSA_CERT_V00:
299 return 1;
300 default:
301 return 0;
302 }
303}
304
305static int 287static int
306sshkey_type_is_valid_ca(int type) 288sshkey_type_is_valid_ca(int type)
307{ 289{
@@ -329,10 +311,8 @@ int
329sshkey_type_plain(int type) 311sshkey_type_plain(int type)
330{ 312{
331 switch (type) { 313 switch (type) {
332 case KEY_RSA_CERT_V00:
333 case KEY_RSA_CERT: 314 case KEY_RSA_CERT:
334 return KEY_RSA; 315 return KEY_RSA;
335 case KEY_DSA_CERT_V00:
336 case KEY_DSA_CERT: 316 case KEY_DSA_CERT:
337 return KEY_DSA; 317 return KEY_DSA;
338 case KEY_ECDSA_CERT: 318 case KEY_ECDSA_CERT:
@@ -497,7 +477,6 @@ sshkey_new(int type)
497#ifdef WITH_OPENSSL 477#ifdef WITH_OPENSSL
498 case KEY_RSA1: 478 case KEY_RSA1:
499 case KEY_RSA: 479 case KEY_RSA:
500 case KEY_RSA_CERT_V00:
501 case KEY_RSA_CERT: 480 case KEY_RSA_CERT:
502 if ((rsa = RSA_new()) == NULL || 481 if ((rsa = RSA_new()) == NULL ||
503 (rsa->n = BN_new()) == NULL || 482 (rsa->n = BN_new()) == NULL ||
@@ -510,7 +489,6 @@ sshkey_new(int type)
510 k->rsa = rsa; 489 k->rsa = rsa;
511 break; 490 break;
512 case KEY_DSA: 491 case KEY_DSA:
513 case KEY_DSA_CERT_V00:
514 case KEY_DSA_CERT: 492 case KEY_DSA_CERT:
515 if ((dsa = DSA_new()) == NULL || 493 if ((dsa = DSA_new()) == NULL ||
516 (dsa->p = BN_new()) == NULL || 494 (dsa->p = BN_new()) == NULL ||
@@ -558,7 +536,6 @@ sshkey_add_private(struct sshkey *k)
558#ifdef WITH_OPENSSL 536#ifdef WITH_OPENSSL
559 case KEY_RSA1: 537 case KEY_RSA1:
560 case KEY_RSA: 538 case KEY_RSA:
561 case KEY_RSA_CERT_V00:
562 case KEY_RSA_CERT: 539 case KEY_RSA_CERT:
563#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 540#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
564 if (bn_maybe_alloc_failed(k->rsa->d) || 541 if (bn_maybe_alloc_failed(k->rsa->d) ||
@@ -570,7 +547,6 @@ sshkey_add_private(struct sshkey *k)
570 return SSH_ERR_ALLOC_FAIL; 547 return SSH_ERR_ALLOC_FAIL;
571 break; 548 break;
572 case KEY_DSA: 549 case KEY_DSA:
573 case KEY_DSA_CERT_V00:
574 case KEY_DSA_CERT: 550 case KEY_DSA_CERT:
575 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 551 if (bn_maybe_alloc_failed(k->dsa->priv_key))
576 return SSH_ERR_ALLOC_FAIL; 552 return SSH_ERR_ALLOC_FAIL;
@@ -616,14 +592,12 @@ sshkey_free(struct sshkey *k)
616#ifdef WITH_OPENSSL 592#ifdef WITH_OPENSSL
617 case KEY_RSA1: 593 case KEY_RSA1:
618 case KEY_RSA: 594 case KEY_RSA:
619 case KEY_RSA_CERT_V00:
620 case KEY_RSA_CERT: 595 case KEY_RSA_CERT:
621 if (k->rsa != NULL) 596 if (k->rsa != NULL)
622 RSA_free(k->rsa); 597 RSA_free(k->rsa);
623 k->rsa = NULL; 598 k->rsa = NULL;
624 break; 599 break;
625 case KEY_DSA: 600 case KEY_DSA:
626 case KEY_DSA_CERT_V00:
627 case KEY_DSA_CERT: 601 case KEY_DSA_CERT:
628 if (k->dsa != NULL) 602 if (k->dsa != NULL)
629 DSA_free(k->dsa); 603 DSA_free(k->dsa);
@@ -695,13 +669,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
695 switch (a->type) { 669 switch (a->type) {
696#ifdef WITH_OPENSSL 670#ifdef WITH_OPENSSL
697 case KEY_RSA1: 671 case KEY_RSA1:
698 case KEY_RSA_CERT_V00:
699 case KEY_RSA_CERT: 672 case KEY_RSA_CERT:
700 case KEY_RSA: 673 case KEY_RSA:
701 return a->rsa != NULL && b->rsa != NULL && 674 return a->rsa != NULL && b->rsa != NULL &&
702 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 675 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
703 BN_cmp(a->rsa->n, b->rsa->n) == 0; 676 BN_cmp(a->rsa->n, b->rsa->n) == 0;
704 case KEY_DSA_CERT_V00:
705 case KEY_DSA_CERT: 677 case KEY_DSA_CERT:
706 case KEY_DSA: 678 case KEY_DSA:
707 return a->dsa != NULL && b->dsa != NULL && 679 return a->dsa != NULL && b->dsa != NULL &&
@@ -772,8 +744,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
772 744
773 switch (type) { 745 switch (type) {
774#ifdef WITH_OPENSSL 746#ifdef WITH_OPENSSL
775 case KEY_DSA_CERT_V00:
776 case KEY_RSA_CERT_V00:
777 case KEY_DSA_CERT: 747 case KEY_DSA_CERT:
778 case KEY_ECDSA_CERT: 748 case KEY_ECDSA_CERT:
779 case KEY_RSA_CERT: 749 case KEY_RSA_CERT:
@@ -1297,8 +1267,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
1297 case KEY_DSA: 1267 case KEY_DSA:
1298 case KEY_ECDSA: 1268 case KEY_ECDSA:
1299 case KEY_ED25519: 1269 case KEY_ED25519:
1300 case KEY_DSA_CERT_V00:
1301 case KEY_RSA_CERT_V00:
1302 case KEY_DSA_CERT: 1270 case KEY_DSA_CERT:
1303 case KEY_ECDSA_CERT: 1271 case KEY_ECDSA_CERT:
1304 case KEY_RSA_CERT: 1272 case KEY_RSA_CERT:
@@ -1797,7 +1765,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1797 switch (k->type) { 1765 switch (k->type) {
1798#ifdef WITH_OPENSSL 1766#ifdef WITH_OPENSSL
1799 case KEY_DSA: 1767 case KEY_DSA:
1800 case KEY_DSA_CERT_V00:
1801 case KEY_DSA_CERT: 1768 case KEY_DSA_CERT:
1802 if ((n = sshkey_new(k->type)) == NULL) 1769 if ((n = sshkey_new(k->type)) == NULL)
1803 return SSH_ERR_ALLOC_FAIL; 1770 return SSH_ERR_ALLOC_FAIL;
@@ -1829,7 +1796,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1829# endif /* OPENSSL_HAS_ECC */ 1796# endif /* OPENSSL_HAS_ECC */
1830 case KEY_RSA: 1797 case KEY_RSA:
1831 case KEY_RSA1: 1798 case KEY_RSA1:
1832 case KEY_RSA_CERT_V00:
1833 case KEY_RSA_CERT: 1799 case KEY_RSA_CERT:
1834 if ((n = sshkey_new(k->type)) == NULL) 1800 if ((n = sshkey_new(k->type)) == NULL)
1835 return SSH_ERR_ALLOC_FAIL; 1801 return SSH_ERR_ALLOC_FAIL;
@@ -1873,21 +1839,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1873 u_char *sig = NULL; 1839 u_char *sig = NULL;
1874 size_t signed_len = 0, slen = 0, kidlen = 0; 1840 size_t signed_len = 0, slen = 0, kidlen = 0;
1875 int ret = SSH_ERR_INTERNAL_ERROR; 1841 int ret = SSH_ERR_INTERNAL_ERROR;
1876 int v00 = sshkey_cert_is_legacy(key);
1877 1842
1878 /* Copy the entire key blob for verification and later serialisation */ 1843 /* Copy the entire key blob for verification and later serialisation */
1879 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1844 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1880 return ret; 1845 return ret;
1881 1846
1882 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || 1847 /* Parse body of certificate up to signature */
1848 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1883 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1849 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1884 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1850 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1885 (ret = sshbuf_froms(b, &principals)) != 0 || 1851 (ret = sshbuf_froms(b, &principals)) != 0 ||
1886 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1852 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1887 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1853 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1888 (ret = sshbuf_froms(b, &crit)) != 0 || 1854 (ret = sshbuf_froms(b, &crit)) != 0 ||
1889 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1855 (ret = sshbuf_froms(b, &exts)) != 0 ||
1890 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
1891 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1856 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1892 (ret = sshbuf_froms(b, &ca)) != 0) { 1857 (ret = sshbuf_froms(b, &ca)) != 0) {
1893 /* XXX debug print error for ret */ 1858 /* XXX debug print error for ret */
@@ -1924,9 +1889,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1924 goto out; 1889 goto out;
1925 } 1890 }
1926 oprincipals = key->cert->principals; 1891 oprincipals = key->cert->principals;
1927 key->cert->principals = realloc(key->cert->principals, 1892 key->cert->principals = reallocarray(key->cert->principals,
1928 (key->cert->nprincipals + 1) * 1893 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1929 sizeof(*key->cert->principals));
1930 if (key->cert->principals == NULL) { 1894 if (key->cert->principals == NULL) {
1931 free(principal); 1895 free(principal);
1932 key->cert->principals = oprincipals; 1896 key->cert->principals = oprincipals;
@@ -1947,7 +1911,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1947 1911
1948 /* 1912 /*
1949 * Validate critical options and extensions sections format. 1913 * Validate critical options and extensions sections format.
1950 * NB. extensions are not present in v00 certs.
1951 */ 1914 */
1952 while (sshbuf_len(crit) != 0) { 1915 while (sshbuf_len(crit) != 0) {
1953 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1916 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
@@ -2032,7 +1995,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2032 } 1995 }
2033 /* FALLTHROUGH */ 1996 /* FALLTHROUGH */
2034 case KEY_RSA: 1997 case KEY_RSA:
2035 case KEY_RSA_CERT_V00:
2036 if ((key = sshkey_new(type)) == NULL) { 1998 if ((key = sshkey_new(type)) == NULL) {
2037 ret = SSH_ERR_ALLOC_FAIL; 1999 ret = SSH_ERR_ALLOC_FAIL;
2038 goto out; 2000 goto out;
@@ -2054,7 +2016,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2054 } 2016 }
2055 /* FALLTHROUGH */ 2017 /* FALLTHROUGH */
2056 case KEY_DSA: 2018 case KEY_DSA:
2057 case KEY_DSA_CERT_V00:
2058 if ((key = sshkey_new(type)) == NULL) { 2019 if ((key = sshkey_new(type)) == NULL) {
2059 ret = SSH_ERR_ALLOC_FAIL; 2020 ret = SSH_ERR_ALLOC_FAIL;
2060 goto out; 2021 goto out;
@@ -2224,7 +2185,6 @@ sshkey_sign(const struct sshkey *key,
2224 return SSH_ERR_INVALID_ARGUMENT; 2185 return SSH_ERR_INVALID_ARGUMENT;
2225 switch (key->type) { 2186 switch (key->type) {
2226#ifdef WITH_OPENSSL 2187#ifdef WITH_OPENSSL
2227 case KEY_DSA_CERT_V00:
2228 case KEY_DSA_CERT: 2188 case KEY_DSA_CERT:
2229 case KEY_DSA: 2189 case KEY_DSA:
2230 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2190 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
@@ -2233,7 +2193,6 @@ sshkey_sign(const struct sshkey *key,
2233 case KEY_ECDSA: 2193 case KEY_ECDSA:
2234 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2194 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2235# endif /* OPENSSL_HAS_ECC */ 2195# endif /* OPENSSL_HAS_ECC */
2236 case KEY_RSA_CERT_V00:
2237 case KEY_RSA_CERT: 2196 case KEY_RSA_CERT:
2238 case KEY_RSA: 2197 case KEY_RSA:
2239 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2198 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
@@ -2258,7 +2217,6 @@ sshkey_verify(const struct sshkey *key,
2258 return SSH_ERR_INVALID_ARGUMENT; 2217 return SSH_ERR_INVALID_ARGUMENT;
2259 switch (key->type) { 2218 switch (key->type) {
2260#ifdef WITH_OPENSSL 2219#ifdef WITH_OPENSSL
2261 case KEY_DSA_CERT_V00:
2262 case KEY_DSA_CERT: 2220 case KEY_DSA_CERT:
2263 case KEY_DSA: 2221 case KEY_DSA:
2264 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2222 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
@@ -2267,7 +2225,6 @@ sshkey_verify(const struct sshkey *key,
2267 case KEY_ECDSA: 2225 case KEY_ECDSA:
2268 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2226 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2269# endif /* OPENSSL_HAS_ECC */ 2227# endif /* OPENSSL_HAS_ECC */
2270 case KEY_RSA_CERT_V00:
2271 case KEY_RSA_CERT: 2228 case KEY_RSA_CERT:
2272 case KEY_RSA: 2229 case KEY_RSA:
2273 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2230 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
@@ -2303,7 +2260,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2303 2260
2304 switch (k->type) { 2261 switch (k->type) {
2305#ifdef WITH_OPENSSL 2262#ifdef WITH_OPENSSL
2306 case KEY_RSA_CERT_V00:
2307 case KEY_RSA_CERT: 2263 case KEY_RSA_CERT:
2308 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2264 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2309 goto fail; 2265 goto fail;
@@ -2317,7 +2273,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2317 goto fail; 2273 goto fail;
2318 } 2274 }
2319 break; 2275 break;
2320 case KEY_DSA_CERT_V00:
2321 case KEY_DSA_CERT: 2276 case KEY_DSA_CERT:
2322 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2277 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2323 goto fail; 2278 goto fail;
@@ -2376,27 +2331,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2376 2331
2377/* Convert a plain key to their _CERT equivalent */ 2332/* Convert a plain key to their _CERT equivalent */
2378int 2333int
2379sshkey_to_certified(struct sshkey *k, int legacy) 2334sshkey_to_certified(struct sshkey *k)
2380{ 2335{
2381 int newtype; 2336 int newtype;
2382 2337
2383 switch (k->type) { 2338 switch (k->type) {
2384#ifdef WITH_OPENSSL 2339#ifdef WITH_OPENSSL
2385 case KEY_RSA: 2340 case KEY_RSA:
2386 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 2341 newtype = KEY_RSA_CERT;
2387 break; 2342 break;
2388 case KEY_DSA: 2343 case KEY_DSA:
2389 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 2344 newtype = KEY_DSA_CERT;
2390 break; 2345 break;
2391 case KEY_ECDSA: 2346 case KEY_ECDSA:
2392 if (legacy)
2393 return SSH_ERR_INVALID_ARGUMENT;
2394 newtype = KEY_ECDSA_CERT; 2347 newtype = KEY_ECDSA_CERT;
2395 break; 2348 break;
2396#endif /* WITH_OPENSSL */ 2349#endif /* WITH_OPENSSL */
2397 case KEY_ED25519: 2350 case KEY_ED25519:
2398 if (legacy)
2399 return SSH_ERR_INVALID_ARGUMENT;
2400 newtype = KEY_ED25519_CERT; 2351 newtype = KEY_ED25519_CERT;
2401 break; 2352 break;
2402 default: 2353 default:
@@ -2448,15 +2399,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2448 2399
2449 /* -v01 certs put nonce first */ 2400 /* -v01 certs put nonce first */
2450 arc4random_buf(&nonce, sizeof(nonce)); 2401 arc4random_buf(&nonce, sizeof(nonce));
2451 if (!sshkey_cert_is_legacy(k)) { 2402 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2452 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2403 goto out;
2453 goto out;
2454 }
2455 2404
2456 /* XXX this substantially duplicates to_blob(); refactor */ 2405 /* XXX this substantially duplicates to_blob(); refactor */
2457 switch (k->type) { 2406 switch (k->type) {
2458#ifdef WITH_OPENSSL 2407#ifdef WITH_OPENSSL
2459 case KEY_DSA_CERT_V00:
2460 case KEY_DSA_CERT: 2408 case KEY_DSA_CERT:
2461 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2409 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
2462 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2410 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
@@ -2474,7 +2422,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2474 goto out; 2422 goto out;
2475 break; 2423 break;
2476# endif /* OPENSSL_HAS_ECC */ 2424# endif /* OPENSSL_HAS_ECC */
2477 case KEY_RSA_CERT_V00:
2478 case KEY_RSA_CERT: 2425 case KEY_RSA_CERT:
2479 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2426 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
2480 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2427 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
@@ -2491,13 +2438,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2491 goto out; 2438 goto out;
2492 } 2439 }
2493 2440
2494 /* -v01 certs have a serial number next */ 2441 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2495 if (!sshkey_cert_is_legacy(k)) { 2442 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2496 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
2497 goto out;
2498 }
2499
2500 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2501 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2443 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2502 goto out; 2444 goto out;
2503 2445
@@ -2513,22 +2455,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2513 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2455 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2514 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2456 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2515 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2457 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
2516 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2458 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2517 goto out; 2459 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2518 2460 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2519 /* -v01 certs have non-critical options here */
2520 if (!sshkey_cert_is_legacy(k)) {
2521 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
2522 goto out;
2523 }
2524
2525 /* -v00 certs put the nonce at the end */
2526 if (sshkey_cert_is_legacy(k)) {
2527 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2528 goto out;
2529 }
2530
2531 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2532 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2461 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2533 goto out; 2462 goto out;
2534 2463
@@ -2628,7 +2557,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2628 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2557 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2629 goto out; 2558 goto out;
2630 break; 2559 break;
2631 case KEY_RSA_CERT_V00:
2632 case KEY_RSA_CERT: 2560 case KEY_RSA_CERT:
2633 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2561 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2634 r = SSH_ERR_INVALID_ARGUMENT; 2562 r = SSH_ERR_INVALID_ARGUMENT;
@@ -2649,7 +2577,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2649 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2577 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2650 goto out; 2578 goto out;
2651 break; 2579 break;
2652 case KEY_DSA_CERT_V00:
2653 case KEY_DSA_CERT: 2580 case KEY_DSA_CERT:
2654 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2581 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2655 r = SSH_ERR_INVALID_ARGUMENT; 2582 r = SSH_ERR_INVALID_ARGUMENT;
@@ -2740,7 +2667,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2740 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2667 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2741 goto out; 2668 goto out;
2742 break; 2669 break;
2743 case KEY_DSA_CERT_V00:
2744 case KEY_DSA_CERT: 2670 case KEY_DSA_CERT:
2745 if ((r = sshkey_froms(buf, &k)) != 0 || 2671 if ((r = sshkey_froms(buf, &k)) != 0 ||
2746 (r = sshkey_add_private(k)) != 0 || 2672 (r = sshkey_add_private(k)) != 0 ||
@@ -2813,7 +2739,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2813 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2739 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2814 goto out; 2740 goto out;
2815 break; 2741 break;
2816 case KEY_RSA_CERT_V00:
2817 case KEY_RSA_CERT: 2742 case KEY_RSA_CERT:
2818 if ((r = sshkey_froms(buf, &k)) != 0 || 2743 if ((r = sshkey_froms(buf, &k)) != 0 ||
2819 (r = sshkey_add_private(k)) != 0 || 2744 (r = sshkey_add_private(k)) != 0 ||
@@ -2863,7 +2788,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2863 /* enable blinding */ 2788 /* enable blinding */
2864 switch (k->type) { 2789 switch (k->type) {
2865 case KEY_RSA: 2790 case KEY_RSA:
2866 case KEY_RSA_CERT_V00:
2867 case KEY_RSA_CERT: 2791 case KEY_RSA_CERT:
2868 case KEY_RSA1: 2792 case KEY_RSA1:
2869 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2793 if (RSA_blinding_on(k->rsa, NULL) != 1) {
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-09 15:42:52 +0000