summaryrefslogtreecommitdiff
path: root/sshkey.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
committerColin Watson <cjwatson@debian.org>2016-02-29 12:15:15 +0000
commitc52a95cc4754e6630c96fe65ae0c65eb41d2c590 (patch)
tree793395934013923b7b2426382c0676edcd4be3d4 /sshkey.c
parenteeff4de96f5d7365750dc56912c2c62b5c28db6b (diff)
parent72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff)
Import openssh_7.2p1.orig.tar.gz
Diffstat (limited to 'sshkey.c')
-rw-r--r--sshkey.c210
1 files changed, 112 insertions, 98 deletions
diff --git a/sshkey.c b/sshkey.c
index 32dd8f225..87b093e91 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */ 1/* $OpenBSD: sshkey.c,v 1.31 2015/12/11 04:21:12 mmcc Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -83,36 +83,39 @@ struct keytype {
83 int type; 83 int type;
84 int nid; 84 int nid;
85 int cert; 85 int cert;
86 int sigonly;
86}; 87};
87static const struct keytype keytypes[] = { 88static const struct keytype keytypes[] = {
88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 89 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
89 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 90 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
90 KEY_ED25519_CERT, 0, 1 }, 91 KEY_ED25519_CERT, 0, 1, 0 },
91#ifdef WITH_OPENSSL 92#ifdef WITH_OPENSSL
92 { NULL, "RSA1", KEY_RSA1, 0, 0 }, 93 { NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
93 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 94 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
94 { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 95 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
96 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
97 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
95# ifdef OPENSSL_HAS_ECC 98# ifdef OPENSSL_HAS_ECC
96 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 99 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
97 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 100 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
98# ifdef OPENSSL_HAS_NISTP521 101# ifdef OPENSSL_HAS_NISTP521
99 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 102 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
100# endif /* OPENSSL_HAS_NISTP521 */ 103# endif /* OPENSSL_HAS_NISTP521 */
101# endif /* OPENSSL_HAS_ECC */ 104# endif /* OPENSSL_HAS_ECC */
102 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 105 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
103 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 106 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
104# ifdef OPENSSL_HAS_ECC 107# ifdef OPENSSL_HAS_ECC
105 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 108 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 109 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 110 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
108 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 111 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
109# ifdef OPENSSL_HAS_NISTP521 112# ifdef OPENSSL_HAS_NISTP521
110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 113 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 114 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
112# endif /* OPENSSL_HAS_NISTP521 */ 115# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */ 116# endif /* OPENSSL_HAS_ECC */
114#endif /* WITH_OPENSSL */ 117#endif /* WITH_OPENSSL */
115 { NULL, NULL, -1, -1, 0 } 118 { NULL, NULL, -1, -1, 0, 0 }
116}; 119};
117 120
118const char * 121const char *
@@ -200,7 +203,7 @@ key_alg_list(int certs_only, int plain_only)
200 const struct keytype *kt; 203 const struct keytype *kt;
201 204
202 for (kt = keytypes; kt->type != -1; kt++) { 205 for (kt = keytypes; kt->type != -1; kt++) {
203 if (kt->name == NULL) 206 if (kt->name == NULL || kt->sigonly)
204 continue; 207 continue;
205 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 208 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
206 continue; 209 continue;
@@ -417,20 +420,14 @@ cert_free(struct sshkey_cert *cert)
417 420
418 if (cert == NULL) 421 if (cert == NULL)
419 return; 422 return;
420 if (cert->certblob != NULL) 423 sshbuf_free(cert->certblob);
421 sshbuf_free(cert->certblob); 424 sshbuf_free(cert->critical);
422 if (cert->critical != NULL) 425 sshbuf_free(cert->extensions);
423 sshbuf_free(cert->critical); 426 free(cert->key_id);
424 if (cert->extensions != NULL)
425 sshbuf_free(cert->extensions);
426 if (cert->key_id != NULL)
427 free(cert->key_id);
428 for (i = 0; i < cert->nprincipals; i++) 427 for (i = 0; i < cert->nprincipals; i++)
429 free(cert->principals[i]); 428 free(cert->principals[i]);
430 if (cert->principals != NULL) 429 free(cert->principals);
431 free(cert->principals); 430 sshkey_free(cert->signature_key);
432 if (cert->signature_key != NULL)
433 sshkey_free(cert->signature_key);
434 explicit_bzero(cert, sizeof(*cert)); 431 explicit_bzero(cert, sizeof(*cert));
435 free(cert); 432 free(cert);
436} 433}
@@ -1216,7 +1213,7 @@ read_decimal_bignum(char **cpp, BIGNUM *v)
1216 return SSH_ERR_BIGNUM_TOO_LARGE; 1213 return SSH_ERR_BIGNUM_TOO_LARGE;
1217 if (cp[e] == '\0') 1214 if (cp[e] == '\0')
1218 skip = 0; 1215 skip = 0;
1219 else if (index(" \t\r\n", cp[e]) == NULL) 1216 else if (strchr(" \t\r\n", cp[e]) == NULL)
1220 return SSH_ERR_INVALID_FORMAT; 1217 return SSH_ERR_INVALID_FORMAT;
1221 cp[e] = '\0'; 1218 cp[e] = '\0';
1222 if (BN_dec2bn(&v, cp) <= 0) 1219 if (BN_dec2bn(&v, cp) <= 0)
@@ -1232,11 +1229,10 @@ sshkey_read(struct sshkey *ret, char **cpp)
1232{ 1229{
1233 struct sshkey *k; 1230 struct sshkey *k;
1234 int retval = SSH_ERR_INVALID_FORMAT; 1231 int retval = SSH_ERR_INVALID_FORMAT;
1235 char *cp, *space; 1232 char *ep, *cp, *space;
1236 int r, type, curve_nid = -1; 1233 int r, type, curve_nid = -1;
1237 struct sshbuf *blob; 1234 struct sshbuf *blob;
1238#ifdef WITH_SSH1 1235#ifdef WITH_SSH1
1239 char *ep;
1240 u_long bits; 1236 u_long bits;
1241#endif /* WITH_SSH1 */ 1237#endif /* WITH_SSH1 */
1242 1238
@@ -1247,7 +1243,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
1247#ifdef WITH_SSH1 1243#ifdef WITH_SSH1
1248 /* Get number of bits. */ 1244 /* Get number of bits. */
1249 bits = strtoul(cp, &ep, 10); 1245 bits = strtoul(cp, &ep, 10);
1250 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || 1246 if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL ||
1251 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1247 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
1252 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1248 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
1253 /* Get public exponent, public modulus. */ 1249 /* Get public exponent, public modulus. */
@@ -1255,10 +1251,10 @@ sshkey_read(struct sshkey *ret, char **cpp)
1255 return r; 1251 return r;
1256 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1252 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
1257 return r; 1253 return r;
1258 *cpp = ep;
1259 /* validate the claimed number of bits */ 1254 /* validate the claimed number of bits */
1260 if (BN_num_bits(ret->rsa->n) != (int)bits) 1255 if (BN_num_bits(ret->rsa->n) != (int)bits)
1261 return SSH_ERR_KEY_BITS_MISMATCH; 1256 return SSH_ERR_KEY_BITS_MISMATCH;
1257 *cpp = ep;
1262 retval = 0; 1258 retval = 0;
1263#endif /* WITH_SSH1 */ 1259#endif /* WITH_SSH1 */
1264 break; 1260 break;
@@ -1296,9 +1292,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
1296 *space++ = '\0'; 1292 *space++ = '\0';
1297 while (*space == ' ' || *space == '\t') 1293 while (*space == ' ' || *space == '\t')
1298 space++; 1294 space++;
1299 *cpp = space; 1295 ep = space;
1300 } else 1296 } else
1301 *cpp = cp + strlen(cp); 1297 ep = cp + strlen(cp);
1302 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1298 if ((r = sshbuf_b64tod(blob, cp)) != 0) {
1303 sshbuf_free(blob); 1299 sshbuf_free(blob);
1304 return r; 1300 return r;
@@ -1329,8 +1325,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
1329 ret->cert = k->cert; 1325 ret->cert = k->cert;
1330 k->cert = NULL; 1326 k->cert = NULL;
1331 } 1327 }
1328 switch (sshkey_type_plain(ret->type)) {
1332#ifdef WITH_OPENSSL 1329#ifdef WITH_OPENSSL
1333 if (sshkey_type_plain(ret->type) == KEY_RSA) { 1330 case KEY_RSA:
1334 if (ret->rsa != NULL) 1331 if (ret->rsa != NULL)
1335 RSA_free(ret->rsa); 1332 RSA_free(ret->rsa);
1336 ret->rsa = k->rsa; 1333 ret->rsa = k->rsa;
@@ -1338,8 +1335,8 @@ sshkey_read(struct sshkey *ret, char **cpp)
1338#ifdef DEBUG_PK 1335#ifdef DEBUG_PK
1339 RSA_print_fp(stderr, ret->rsa, 8); 1336 RSA_print_fp(stderr, ret->rsa, 8);
1340#endif 1337#endif
1341 } 1338 break;
1342 if (sshkey_type_plain(ret->type) == KEY_DSA) { 1339 case KEY_DSA:
1343 if (ret->dsa != NULL) 1340 if (ret->dsa != NULL)
1344 DSA_free(ret->dsa); 1341 DSA_free(ret->dsa);
1345 ret->dsa = k->dsa; 1342 ret->dsa = k->dsa;
@@ -1347,9 +1344,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
1347#ifdef DEBUG_PK 1344#ifdef DEBUG_PK
1348 DSA_print_fp(stderr, ret->dsa, 8); 1345 DSA_print_fp(stderr, ret->dsa, 8);
1349#endif 1346#endif
1350 } 1347 break;
1351# ifdef OPENSSL_HAS_ECC 1348# ifdef OPENSSL_HAS_ECC
1352 if (sshkey_type_plain(ret->type) == KEY_ECDSA) { 1349 case KEY_ECDSA:
1353 if (ret->ecdsa != NULL) 1350 if (ret->ecdsa != NULL)
1354 EC_KEY_free(ret->ecdsa); 1351 EC_KEY_free(ret->ecdsa);
1355 ret->ecdsa = k->ecdsa; 1352 ret->ecdsa = k->ecdsa;
@@ -1359,17 +1356,19 @@ sshkey_read(struct sshkey *ret, char **cpp)
1359#ifdef DEBUG_PK 1356#ifdef DEBUG_PK
1360 sshkey_dump_ec_key(ret->ecdsa); 1357 sshkey_dump_ec_key(ret->ecdsa);
1361#endif 1358#endif
1362 } 1359 break;
1363# endif /* OPENSSL_HAS_ECC */ 1360# endif /* OPENSSL_HAS_ECC */
1364#endif /* WITH_OPENSSL */ 1361#endif /* WITH_OPENSSL */
1365 if (sshkey_type_plain(ret->type) == KEY_ED25519) { 1362 case KEY_ED25519:
1366 free(ret->ed25519_pk); 1363 free(ret->ed25519_pk);
1367 ret->ed25519_pk = k->ed25519_pk; 1364 ret->ed25519_pk = k->ed25519_pk;
1368 k->ed25519_pk = NULL; 1365 k->ed25519_pk = NULL;
1369#ifdef DEBUG_PK 1366#ifdef DEBUG_PK
1370 /* XXX */ 1367 /* XXX */
1371#endif 1368#endif
1369 break;
1372 } 1370 }
1371 *cpp = ep;
1373 retval = 0; 1372 retval = 0;
1374/*XXXX*/ 1373/*XXXX*/
1375 sshkey_free(k); 1374 sshkey_free(k);
@@ -1717,7 +1716,7 @@ sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
1717 1716
1718 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1717 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1719 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1718 (ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
1720 (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) 1719 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
1721 return ret; 1720 return ret;
1722 1721
1723 to->serial = from->serial; 1722 to->serial = from->serial;
@@ -1758,9 +1757,7 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1758 struct sshkey *n = NULL; 1757 struct sshkey *n = NULL;
1759 int ret = SSH_ERR_INTERNAL_ERROR; 1758 int ret = SSH_ERR_INTERNAL_ERROR;
1760 1759
1761 if (pkp != NULL) 1760 *pkp = NULL;
1762 *pkp = NULL;
1763
1764 switch (k->type) { 1761 switch (k->type) {
1765#ifdef WITH_OPENSSL 1762#ifdef WITH_OPENSSL
1766 case KEY_DSA: 1763 case KEY_DSA:
@@ -2174,7 +2171,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
2174int 2171int
2175sshkey_sign(const struct sshkey *key, 2172sshkey_sign(const struct sshkey *key,
2176 u_char **sigp, size_t *lenp, 2173 u_char **sigp, size_t *lenp,
2177 const u_char *data, size_t datalen, u_int compat) 2174 const u_char *data, size_t datalen, const char *alg, u_int compat)
2178{ 2175{
2179 if (sigp != NULL) 2176 if (sigp != NULL)
2180 *sigp = NULL; 2177 *sigp = NULL;
@@ -2194,7 +2191,7 @@ sshkey_sign(const struct sshkey *key,
2194# endif /* OPENSSL_HAS_ECC */ 2191# endif /* OPENSSL_HAS_ECC */
2195 case KEY_RSA_CERT: 2192 case KEY_RSA_CERT:
2196 case KEY_RSA: 2193 case KEY_RSA:
2197 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2194 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
2198#endif /* WITH_OPENSSL */ 2195#endif /* WITH_OPENSSL */
2199 case KEY_ED25519: 2196 case KEY_ED25519:
2200 case KEY_ED25519_CERT: 2197 case KEY_ED25519_CERT:
@@ -2226,7 +2223,7 @@ sshkey_verify(const struct sshkey *key,
2226# endif /* OPENSSL_HAS_ECC */ 2223# endif /* OPENSSL_HAS_ECC */
2227 case KEY_RSA_CERT: 2224 case KEY_RSA_CERT:
2228 case KEY_RSA: 2225 case KEY_RSA:
2229 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2226 return ssh_rsa_verify(key, sig, siglen, data, dlen);
2230#endif /* WITH_OPENSSL */ 2227#endif /* WITH_OPENSSL */
2231 case KEY_ED25519: 2228 case KEY_ED25519:
2232 case KEY_ED25519_CERT: 2229 case KEY_ED25519_CERT:
@@ -2243,9 +2240,7 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2243 struct sshkey *pk; 2240 struct sshkey *pk;
2244 int ret = SSH_ERR_INTERNAL_ERROR; 2241 int ret = SSH_ERR_INTERNAL_ERROR;
2245 2242
2246 if (dkp != NULL) 2243 *dkp = NULL;
2247 *dkp = NULL;
2248
2249 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2244 if ((pk = calloc(1, sizeof(*pk))) == NULL)
2250 return SSH_ERR_ALLOC_FAIL; 2245 return SSH_ERR_ALLOC_FAIL;
2251 pk->type = k->type; 2246 pk->type = k->type;
@@ -2462,7 +2457,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2462 2457
2463 /* Sign the whole mess */ 2458 /* Sign the whole mess */
2464 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2459 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2465 sshbuf_len(cert), 0)) != 0) 2460 sshbuf_len(cert), NULL, 0)) != 0)
2466 goto out; 2461 goto out;
2467 2462
2468 /* Append signature and we are done */ 2463 /* Append signature and we are done */
@@ -2472,12 +2467,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2472 out: 2467 out:
2473 if (ret != 0) 2468 if (ret != 0)
2474 sshbuf_reset(cert); 2469 sshbuf_reset(cert);
2475 if (sig_blob != NULL) 2470 free(sig_blob);
2476 free(sig_blob); 2471 free(ca_blob);
2477 if (ca_blob != NULL) 2472 sshbuf_free(principals);
2478 free(ca_blob);
2479 if (principals != NULL)
2480 sshbuf_free(principals);
2481 return ret; 2473 return ret;
2482} 2474}
2483 2475
@@ -2538,6 +2530,43 @@ sshkey_cert_check_authority(const struct sshkey *k,
2538 return 0; 2530 return 0;
2539} 2531}
2540 2532
2533size_t
2534sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
2535{
2536 char from[32], to[32], ret[64];
2537 time_t tt;
2538 struct tm *tm;
2539
2540 *from = *to = '\0';
2541 if (cert->valid_after == 0 &&
2542 cert->valid_before == 0xffffffffffffffffULL)
2543 return strlcpy(s, "forever", l);
2544
2545 if (cert->valid_after != 0) {
2546 /* XXX revisit INT_MAX in 2038 :) */
2547 tt = cert->valid_after > INT_MAX ?
2548 INT_MAX : cert->valid_after;
2549 tm = localtime(&tt);
2550 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
2551 }
2552 if (cert->valid_before != 0xffffffffffffffffULL) {
2553 /* XXX revisit INT_MAX in 2038 :) */
2554 tt = cert->valid_before > INT_MAX ?
2555 INT_MAX : cert->valid_before;
2556 tm = localtime(&tt);
2557 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
2558 }
2559
2560 if (cert->valid_after == 0)
2561 snprintf(ret, sizeof(ret), "before %s", to);
2562 else if (cert->valid_before == 0xffffffffffffffffULL)
2563 snprintf(ret, sizeof(ret), "after %s", from);
2564 else
2565 snprintf(ret, sizeof(ret), "from %s to %s", from, to);
2566
2567 return strlcpy(s, ret, l);
2568}
2569
2541int 2570int
2542sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2571sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2543{ 2572{
@@ -2701,7 +2730,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2701 goto out; 2730 goto out;
2702 } 2731 }
2703 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2732 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2704 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2733 EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2705 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2734 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2706 goto out; 2735 goto out;
2707 break; 2736 break;
@@ -2719,7 +2748,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2719 goto out; 2748 goto out;
2720 } 2749 }
2721 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2750 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2722 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2751 EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2723 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2752 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2724 goto out; 2753 goto out;
2725 break; 2754 break;
@@ -2741,10 +2770,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2741 case KEY_RSA_CERT: 2770 case KEY_RSA_CERT:
2742 if ((r = sshkey_froms(buf, &k)) != 0 || 2771 if ((r = sshkey_froms(buf, &k)) != 0 ||
2743 (r = sshkey_add_private(k)) != 0 || 2772 (r = sshkey_add_private(k)) != 0 ||
2744 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2773 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
2745 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2774 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
2746 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2775 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2747 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2776 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2748 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2777 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2749 goto out; 2778 goto out;
2750 break; 2779 break;
@@ -3431,9 +3460,9 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
3431 3460
3432 /* Store public key. This will be in plain text. */ 3461 /* Store public key. This will be in plain text. */
3433 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3462 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
3434 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || 3463 (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 ||
3435 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || 3464 (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 ||
3436 (r = sshbuf_put_cstring(encrypted, comment) != 0)) 3465 (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3437 goto out; 3466 goto out;
3438 3467
3439 /* Allocate space for the private part of the key in the buffer. */ 3468 /* Allocate space for the private part of the key in the buffer. */
@@ -3454,10 +3483,8 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
3454 out: 3483 out:
3455 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3484 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3456 explicit_bzero(buf, sizeof(buf)); 3485 explicit_bzero(buf, sizeof(buf));
3457 if (buffer != NULL) 3486 sshbuf_free(buffer);
3458 sshbuf_free(buffer); 3487 sshbuf_free(encrypted);
3459 if (encrypted != NULL)
3460 sshbuf_free(encrypted);
3461 3488
3462 return r; 3489 return r;
3463} 3490}
@@ -3611,10 +3638,8 @@ sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
3611 pub = NULL; 3638 pub = NULL;
3612 3639
3613 out: 3640 out:
3614 if (copy != NULL) 3641 sshbuf_free(copy);
3615 sshbuf_free(copy); 3642 sshkey_free(pub);
3616 if (pub != NULL)
3617 sshkey_free(pub);
3618 return r; 3643 return r;
3619} 3644}
3620 3645
@@ -3726,14 +3751,10 @@ sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
3726 } 3751 }
3727 out: 3752 out:
3728 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3753 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3729 if (comment != NULL) 3754 free(comment);
3730 free(comment); 3755 sshkey_free(prv);
3731 if (prv != NULL) 3756 sshbuf_free(copy);
3732 sshkey_free(prv); 3757 sshbuf_free(decrypted);
3733 if (copy != NULL)
3734 sshbuf_free(copy);
3735 if (decrypted != NULL)
3736 sshbuf_free(decrypted);
3737 return r; 3758 return r;
3738} 3759}
3739#endif /* WITH_SSH1 */ 3760#endif /* WITH_SSH1 */
@@ -3823,8 +3844,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
3823 BIO_free(bio); 3844 BIO_free(bio);
3824 if (pk != NULL) 3845 if (pk != NULL)
3825 EVP_PKEY_free(pk); 3846 EVP_PKEY_free(pk);
3826 if (prv != NULL) 3847 sshkey_free(prv);
3827 sshkey_free(prv);
3828 return r; 3848 return r;
3829} 3849}
3830#endif /* WITH_OPENSSL */ 3850#endif /* WITH_OPENSSL */
@@ -3833,8 +3853,6 @@ int
3833sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3853sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3834 const char *passphrase, struct sshkey **keyp, char **commentp) 3854 const char *passphrase, struct sshkey **keyp, char **commentp)
3835{ 3855{
3836 int r;
3837
3838 *keyp = NULL; 3856 *keyp = NULL;
3839 if (commentp != NULL) 3857 if (commentp != NULL)
3840 *commentp = NULL; 3858 *commentp = NULL;
@@ -3856,8 +3874,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3856 return sshkey_parse_private2(blob, type, passphrase, 3874 return sshkey_parse_private2(blob, type, passphrase,
3857 keyp, commentp); 3875 keyp, commentp);
3858 case KEY_UNSPEC: 3876 case KEY_UNSPEC:
3859 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, 3877 if (sshkey_parse_private2(blob, type, passphrase, keyp,
3860 commentp)) == 0) 3878 commentp) == 0)
3861 return 0; 3879 return 0;
3862#ifdef WITH_OPENSSL 3880#ifdef WITH_OPENSSL
3863 return sshkey_parse_private_pem_fileblob(blob, type, 3881 return sshkey_parse_private_pem_fileblob(blob, type,
@@ -3872,10 +3890,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3872 3890
3873int 3891int
3874sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3892sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3875 const char *filename, struct sshkey **keyp, char **commentp) 3893 struct sshkey **keyp, char **commentp)
3876{ 3894{
3877 int r;
3878
3879 if (keyp != NULL) 3895 if (keyp != NULL)
3880 *keyp = NULL; 3896 *keyp = NULL;
3881 if (commentp != NULL) 3897 if (commentp != NULL)
@@ -3883,13 +3899,11 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3883 3899
3884#ifdef WITH_SSH1 3900#ifdef WITH_SSH1
3885 /* it's a SSH v1 key if the public key part is readable */ 3901 /* it's a SSH v1 key if the public key part is readable */
3886 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { 3902 if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
3887 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3903 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
3888 passphrase, keyp, commentp); 3904 passphrase, keyp, commentp);
3889 } 3905 }
3890#endif /* WITH_SSH1 */ 3906#endif /* WITH_SSH1 */
3891 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3907 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
3892 passphrase, keyp, commentp)) == 0) 3908 passphrase, keyp, commentp);
3893 return 0;
3894 return r;
3895} 3909}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-14 05:25:01 +0000