Diffstat (limited to 'sshkey.c')
-rw-r--r-- | sshkey.c | 212 |
1 files changed, 113 insertions, 99 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.31 2015/12/11 04:21:12 mmcc Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
@@ -83,37 +83,40 @@ struct keytype { | |||
83 | int type; | 83 | int type; |
84 | int nid; | 84 | int nid; |
85 | int cert; | 85 | int cert; |
86 | int sigonly; | ||
86 | }; | 87 | }; |
87 | static const struct keytype keytypes[] = { | 88 | static const struct keytype keytypes[] = { |
88 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, | 89 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, |
89 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | 90 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", |
90 | KEY_ED25519_CERT, 0, 1 }, | 91 | KEY_ED25519_CERT, 0, 1, 0 }, |
91 | #ifdef WITH_OPENSSL | 92 | #ifdef WITH_OPENSSL |
92 | { NULL, "RSA1", KEY_RSA1, 0, 0 }, | 93 | { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, |
93 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, | 94 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, |
94 | { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, | 95 | { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, |
96 | { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, | ||
97 | { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, | ||
95 | # ifdef OPENSSL_HAS_ECC | 98 | # ifdef OPENSSL_HAS_ECC |
96 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, | 99 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, |
97 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, | 100 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, |
98 | # ifdef OPENSSL_HAS_NISTP521 | 101 | # ifdef OPENSSL_HAS_NISTP521 |
99 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, | 102 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, |
100 | # endif /* OPENSSL_HAS_NISTP521 */ | 103 | # endif /* OPENSSL_HAS_NISTP521 */ |
101 | # endif /* OPENSSL_HAS_ECC */ | 104 | # endif /* OPENSSL_HAS_ECC */ |
102 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, | 105 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, |
103 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, | 106 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, |
104 | # ifdef OPENSSL_HAS_ECC | 107 | # ifdef OPENSSL_HAS_ECC |
105 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", | 108 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", |
106 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, | 109 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, |
107 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", | 110 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", |
108 | KEY_ECDSA_CERT, NID_secp384r1, 1 }, | 111 | KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, |
109 | # ifdef OPENSSL_HAS_NISTP521 | 112 | # ifdef OPENSSL_HAS_NISTP521 |
110 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", | 113 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", |
111 | KEY_ECDSA_CERT, NID_secp521r1, 1 }, | 114 | KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, |
112 | # endif /* OPENSSL_HAS_NISTP521 */ | 115 | # endif /* OPENSSL_HAS_NISTP521 */ |
113 | # endif /* OPENSSL_HAS_ECC */ | 116 | # endif /* OPENSSL_HAS_ECC */ |
114 | #endif /* WITH_OPENSSL */ | 117 | #endif /* WITH_OPENSSL */ |
115 | { "null", "null", KEY_NULL, 0, 0 }, | 118 | { "null", "null", KEY_NULL, 0, 0, 0 }, |
116 | { NULL, NULL, -1, -1, 0 } | 119 | { NULL, NULL, -1, -1, 0, 0 } |
117 | }; | 120 | }; |
118 | 121 | ||
119 | const char * | 122 | const char * |
@@ -201,7 +204,7 @@ key_alg_list(int certs_only, int plain_only) | |||
201 | const struct keytype *kt; | 204 | const struct keytype *kt; |
202 | 205 | ||
203 | for (kt = keytypes; kt->type != -1; kt++) { | 206 | for (kt = keytypes; kt->type != -1; kt++) { |
204 | if (kt->name == NULL || kt->type == KEY_NULL) | 207 | if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL) |
205 | continue; | 208 | continue; |
206 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | 209 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
207 | continue; | 210 | continue; |
@@ -418,20 +421,14 @@ cert_free(struct sshkey_cert *cert) | |||
418 | 421 | ||
419 | if (cert == NULL) | 422 | if (cert == NULL) |
420 | return; | 423 | return; |
421 | if (cert->certblob != NULL) | 424 | sshbuf_free(cert->certblob); |
422 | sshbuf_free(cert->certblob); | 425 | sshbuf_free(cert->critical); |
423 | if (cert->critical != NULL) | 426 | sshbuf_free(cert->extensions); |
424 | sshbuf_free(cert->critical); | 427 | free(cert->key_id); |
425 | if (cert->extensions != NULL) | ||
426 | sshbuf_free(cert->extensions); | ||
427 | if (cert->key_id != NULL) | ||
428 | free(cert->key_id); | ||
429 | for (i = 0; i < cert->nprincipals; i++) | 428 | for (i = 0; i < cert->nprincipals; i++) |
430 | free(cert->principals[i]); | 429 | free(cert->principals[i]); |
431 | if (cert->principals != NULL) | 430 | free(cert->principals); |
432 | free(cert->principals); | 431 | sshkey_free(cert->signature_key); |
433 | if (cert->signature_key != NULL) | ||
434 | sshkey_free(cert->signature_key); | ||
435 | explicit_bzero(cert, sizeof(*cert)); | 432 | explicit_bzero(cert, sizeof(*cert)); |
436 | free(cert); | 433 | free(cert); |
437 | } | 434 | } |
@@ -1217,7 +1214,7 @@ read_decimal_bignum(char **cpp, BIGNUM *v) | |||
1217 | return SSH_ERR_BIGNUM_TOO_LARGE; | 1214 | return SSH_ERR_BIGNUM_TOO_LARGE; |
1218 | if (cp[e] == '\0') | 1215 | if (cp[e] == '\0') |
1219 | skip = 0; | 1216 | skip = 0; |
1220 | else if (index(" \t\r\n", cp[e]) == NULL) | 1217 | else if (strchr(" \t\r\n", cp[e]) == NULL) |
1221 | return SSH_ERR_INVALID_FORMAT; | 1218 | return SSH_ERR_INVALID_FORMAT; |
1222 | cp[e] = '\0'; | 1219 | cp[e] = '\0'; |
1223 | if (BN_dec2bn(&v, cp) <= 0) | 1220 | if (BN_dec2bn(&v, cp) <= 0) |
@@ -1233,11 +1230,10 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1233 | { | 1230 | { |
1234 | struct sshkey *k; | 1231 | struct sshkey *k; |
1235 | int retval = SSH_ERR_INVALID_FORMAT; | 1232 | int retval = SSH_ERR_INVALID_FORMAT; |
1236 | char *cp, *space; | 1233 | char *ep, *cp, *space; |
1237 | int r, type, curve_nid = -1; | 1234 | int r, type, curve_nid = -1; |
1238 | struct sshbuf *blob; | 1235 | struct sshbuf *blob; |
1239 | #ifdef WITH_SSH1 | 1236 | #ifdef WITH_SSH1 |
1240 | char *ep; | ||
1241 | u_long bits; | 1237 | u_long bits; |
1242 | #endif /* WITH_SSH1 */ | 1238 | #endif /* WITH_SSH1 */ |
1243 | 1239 | ||
@@ -1248,7 +1244,7 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1248 | #ifdef WITH_SSH1 | 1244 | #ifdef WITH_SSH1 |
1249 | /* Get number of bits. */ | 1245 | /* Get number of bits. */ |
1250 | bits = strtoul(cp, &ep, 10); | 1246 | bits = strtoul(cp, &ep, 10); |
1251 | if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || | 1247 | if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL || |
1252 | bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) | 1248 | bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) |
1253 | return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ | 1249 | return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ |
1254 | /* Get public exponent, public modulus. */ | 1250 | /* Get public exponent, public modulus. */ |
@@ -1256,10 +1252,10 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1256 | return r; | 1252 | return r; |
1257 | if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) | 1253 | if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) |
1258 | return r; | 1254 | return r; |
1259 | *cpp = ep; | ||
1260 | /* validate the claimed number of bits */ | 1255 | /* validate the claimed number of bits */ |
1261 | if (BN_num_bits(ret->rsa->n) != (int)bits) | 1256 | if (BN_num_bits(ret->rsa->n) != (int)bits) |
1262 | return SSH_ERR_KEY_BITS_MISMATCH; | 1257 | return SSH_ERR_KEY_BITS_MISMATCH; |
1258 | *cpp = ep; | ||
1263 | retval = 0; | 1259 | retval = 0; |
1264 | #endif /* WITH_SSH1 */ | 1260 | #endif /* WITH_SSH1 */ |
1265 | break; | 1261 | break; |
@@ -1297,9 +1293,9 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1297 | *space++ = '\0'; | 1293 | *space++ = '\0'; |
1298 | while (*space == ' ' || *space == '\t') | 1294 | while (*space == ' ' || *space == '\t') |
1299 | space++; | 1295 | space++; |
1300 | *cpp = space; | 1296 | ep = space; |
1301 | } else | 1297 | } else |
1302 | *cpp = cp + strlen(cp); | 1298 | ep = cp + strlen(cp); |
1303 | if ((r = sshbuf_b64tod(blob, cp)) != 0) { | 1299 | if ((r = sshbuf_b64tod(blob, cp)) != 0) { |
1304 | sshbuf_free(blob); | 1300 | sshbuf_free(blob); |
1305 | return r; | 1301 | return r; |
@@ -1330,8 +1326,9 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1330 | ret->cert = k->cert; | 1326 | ret->cert = k->cert; |
1331 | k->cert = NULL; | 1327 | k->cert = NULL; |
1332 | } | 1328 | } |
1329 | switch (sshkey_type_plain(ret->type)) { | ||
1333 | #ifdef WITH_OPENSSL | 1330 | #ifdef WITH_OPENSSL |
1334 | if (sshkey_type_plain(ret->type) == KEY_RSA) { | 1331 | case KEY_RSA: |
1335 | if (ret->rsa != NULL) | 1332 | if (ret->rsa != NULL) |
1336 | RSA_free(ret->rsa); | 1333 | RSA_free(ret->rsa); |
1337 | ret->rsa = k->rsa; | 1334 | ret->rsa = k->rsa; |
@@ -1339,8 +1336,8 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1339 | #ifdef DEBUG_PK | 1336 | #ifdef DEBUG_PK |
1340 | RSA_print_fp(stderr, ret->rsa, 8); | 1337 | RSA_print_fp(stderr, ret->rsa, 8); |
1341 | #endif | 1338 | #endif |
1342 | } | 1339 | break; |
1343 | if (sshkey_type_plain(ret->type) == KEY_DSA) { | 1340 | case KEY_DSA: |
1344 | if (ret->dsa != NULL) | 1341 | if (ret->dsa != NULL) |
1345 | DSA_free(ret->dsa); | 1342 | DSA_free(ret->dsa); |
1346 | ret->dsa = k->dsa; | 1343 | ret->dsa = k->dsa; |
@@ -1348,9 +1345,9 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1348 | #ifdef DEBUG_PK | 1345 | #ifdef DEBUG_PK |
1349 | DSA_print_fp(stderr, ret->dsa, 8); | 1346 | DSA_print_fp(stderr, ret->dsa, 8); |
1350 | #endif | 1347 | #endif |
1351 | } | 1348 | break; |
1352 | # ifdef OPENSSL_HAS_ECC | 1349 | # ifdef OPENSSL_HAS_ECC |
1353 | if (sshkey_type_plain(ret->type) == KEY_ECDSA) { | 1350 | case KEY_ECDSA: |
1354 | if (ret->ecdsa != NULL) | 1351 | if (ret->ecdsa != NULL) |
1355 | EC_KEY_free(ret->ecdsa); | 1352 | EC_KEY_free(ret->ecdsa); |
1356 | ret->ecdsa = k->ecdsa; | 1353 | ret->ecdsa = k->ecdsa; |
@@ -1360,17 +1357,19 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1360 | #ifdef DEBUG_PK | 1357 | #ifdef DEBUG_PK |
1361 | sshkey_dump_ec_key(ret->ecdsa); | 1358 | sshkey_dump_ec_key(ret->ecdsa); |
1362 | #endif | 1359 | #endif |
1363 | } | 1360 | break; |
1364 | # endif /* OPENSSL_HAS_ECC */ | 1361 | # endif /* OPENSSL_HAS_ECC */ |
1365 | #endif /* WITH_OPENSSL */ | 1362 | #endif /* WITH_OPENSSL */ |
1366 | if (sshkey_type_plain(ret->type) == KEY_ED25519) { | 1363 | case KEY_ED25519: |
1367 | free(ret->ed25519_pk); | 1364 | free(ret->ed25519_pk); |
1368 | ret->ed25519_pk = k->ed25519_pk; | 1365 | ret->ed25519_pk = k->ed25519_pk; |
1369 | k->ed25519_pk = NULL; | 1366 | k->ed25519_pk = NULL; |
1370 | #ifdef DEBUG_PK | 1367 | #ifdef DEBUG_PK |
1371 | /* XXX */ | 1368 | /* XXX */ |
1372 | #endif | 1369 | #endif |
1370 | break; | ||
1373 | } | 1371 | } |
1372 | *cpp = ep; | ||
1374 | retval = 0; | 1373 | retval = 0; |
1375 | /*XXXX*/ | 1374 | /*XXXX*/ |
1376 | sshkey_free(k); | 1375 | sshkey_free(k); |
@@ -1718,7 +1717,7 @@ sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) | |||
1718 | 1717 | ||
1719 | if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || | 1718 | if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || |
1720 | (ret = sshbuf_putb(to->critical, from->critical)) != 0 || | 1719 | (ret = sshbuf_putb(to->critical, from->critical)) != 0 || |
1721 | (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) | 1720 | (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) |
1722 | return ret; | 1721 | return ret; |
1723 | 1722 | ||
1724 | to->serial = from->serial; | 1723 | to->serial = from->serial; |
@@ -1759,9 +1758,7 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) | |||
1759 | struct sshkey *n = NULL; | 1758 | struct sshkey *n = NULL; |
1760 | int ret = SSH_ERR_INTERNAL_ERROR; | 1759 | int ret = SSH_ERR_INTERNAL_ERROR; |
1761 | 1760 | ||
1762 | if (pkp != NULL) | 1761 | *pkp = NULL; |
1763 | *pkp = NULL; | ||
1764 | |||
1765 | switch (k->type) { | 1762 | switch (k->type) { |
1766 | #ifdef WITH_OPENSSL | 1763 | #ifdef WITH_OPENSSL |
1767 | case KEY_DSA: | 1764 | case KEY_DSA: |
@@ -2175,7 +2172,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) | |||
2175 | int | 2172 | int |
2176 | sshkey_sign(const struct sshkey *key, | 2173 | sshkey_sign(const struct sshkey *key, |
2177 | u_char **sigp, size_t *lenp, | 2174 | u_char **sigp, size_t *lenp, |
2178 | const u_char *data, size_t datalen, u_int compat) | 2175 | const u_char *data, size_t datalen, const char *alg, u_int compat) |
2179 | { | 2176 | { |
2180 | if (sigp != NULL) | 2177 | if (sigp != NULL) |
2181 | *sigp = NULL; | 2178 | *sigp = NULL; |
@@ -2195,7 +2192,7 @@ sshkey_sign(const struct sshkey *key, | |||
2195 | # endif /* OPENSSL_HAS_ECC */ | 2192 | # endif /* OPENSSL_HAS_ECC */ |
2196 | case KEY_RSA_CERT: | 2193 | case KEY_RSA_CERT: |
2197 | case KEY_RSA: | 2194 | case KEY_RSA: |
2198 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); | 2195 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); |
2199 | #endif /* WITH_OPENSSL */ | 2196 | #endif /* WITH_OPENSSL */ |
2200 | case KEY_ED25519: | 2197 | case KEY_ED25519: |
2201 | case KEY_ED25519_CERT: | 2198 | case KEY_ED25519_CERT: |
@@ -2227,7 +2224,7 @@ sshkey_verify(const struct sshkey *key, | |||
2227 | # endif /* OPENSSL_HAS_ECC */ | 2224 | # endif /* OPENSSL_HAS_ECC */ |
2228 | case KEY_RSA_CERT: | 2225 | case KEY_RSA_CERT: |
2229 | case KEY_RSA: | 2226 | case KEY_RSA: |
2230 | return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); | 2227 | return ssh_rsa_verify(key, sig, siglen, data, dlen); |
2231 | #endif /* WITH_OPENSSL */ | 2228 | #endif /* WITH_OPENSSL */ |
2232 | case KEY_ED25519: | 2229 | case KEY_ED25519: |
2233 | case KEY_ED25519_CERT: | 2230 | case KEY_ED25519_CERT: |
@@ -2244,9 +2241,7 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) | |||
2244 | struct sshkey *pk; | 2241 | struct sshkey *pk; |
2245 | int ret = SSH_ERR_INTERNAL_ERROR; | 2242 | int ret = SSH_ERR_INTERNAL_ERROR; |
2246 | 2243 | ||
2247 | if (dkp != NULL) | 2244 | *dkp = NULL; |
2248 | *dkp = NULL; | ||
2249 | |||
2250 | if ((pk = calloc(1, sizeof(*pk))) == NULL) | 2245 | if ((pk = calloc(1, sizeof(*pk))) == NULL) |
2251 | return SSH_ERR_ALLOC_FAIL; | 2246 | return SSH_ERR_ALLOC_FAIL; |
2252 | pk->type = k->type; | 2247 | pk->type = k->type; |
@@ -2463,7 +2458,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) | |||
2463 | 2458 | ||
2464 | /* Sign the whole mess */ | 2459 | /* Sign the whole mess */ |
2465 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 2460 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
2466 | sshbuf_len(cert), 0)) != 0) | 2461 | sshbuf_len(cert), NULL, 0)) != 0) |
2467 | goto out; | 2462 | goto out; |
2468 | 2463 | ||
2469 | /* Append signature and we are done */ | 2464 | /* Append signature and we are done */ |
@@ -2473,12 +2468,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) | |||
2473 | out: | 2468 | out: |
2474 | if (ret != 0) | 2469 | if (ret != 0) |
2475 | sshbuf_reset(cert); | 2470 | sshbuf_reset(cert); |
2476 | if (sig_blob != NULL) | 2471 | free(sig_blob); |
2477 | free(sig_blob); | 2472 | free(ca_blob); |
2478 | if (ca_blob != NULL) | 2473 | sshbuf_free(principals); |
2479 | free(ca_blob); | ||
2480 | if (principals != NULL) | ||
2481 | sshbuf_free(principals); | ||
2482 | return ret; | 2474 | return ret; |
2483 | } | 2475 | } |
2484 | 2476 | ||
@@ -2539,6 +2531,43 @@ sshkey_cert_check_authority(const struct sshkey *k, | |||
2539 | return 0; | 2531 | return 0; |
2540 | } | 2532 | } |
2541 | 2533 | ||
2534 | size_t | ||
2535 | sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) | ||
2536 | { | ||
2537 | char from[32], to[32], ret[64]; | ||
2538 | time_t tt; | ||
2539 | struct tm *tm; | ||
2540 | |||
2541 | *from = *to = '\0'; | ||
2542 | if (cert->valid_after == 0 && | ||
2543 | cert->valid_before == 0xffffffffffffffffULL) | ||
2544 | return strlcpy(s, "forever", l); | ||
2545 | |||
2546 | if (cert->valid_after != 0) { | ||
2547 | /* XXX revisit INT_MAX in 2038 :) */ | ||
2548 | tt = cert->valid_after > INT_MAX ? | ||
2549 | INT_MAX : cert->valid_after; | ||
2550 | tm = localtime(&tt); | ||
2551 | strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); | ||
2552 | } | ||
2553 | if (cert->valid_before != 0xffffffffffffffffULL) { | ||
2554 | /* XXX revisit INT_MAX in 2038 :) */ | ||
2555 | tt = cert->valid_before > INT_MAX ? | ||
2556 | INT_MAX : cert->valid_before; | ||
2557 | tm = localtime(&tt); | ||
2558 | strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); | ||
2559 | } | ||
2560 | |||
2561 | if (cert->valid_after == 0) | ||
2562 | snprintf(ret, sizeof(ret), "before %s", to); | ||
2563 | else if (cert->valid_before == 0xffffffffffffffffULL) | ||
2564 | snprintf(ret, sizeof(ret), "after %s", from); | ||
2565 | else | ||
2566 | snprintf(ret, sizeof(ret), "from %s to %s", from, to); | ||
2567 | |||
2568 | return strlcpy(s, ret, l); | ||
2569 | } | ||
2570 | |||
2542 | int | 2571 | int |
2543 | sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) | 2572 | sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) |
2544 | { | 2573 | { |
@@ -2702,7 +2731,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) | |||
2702 | goto out; | 2731 | goto out; |
2703 | } | 2732 | } |
2704 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | 2733 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), |
2705 | EC_KEY_get0_public_key(k->ecdsa)) != 0) || | 2734 | EC_KEY_get0_public_key(k->ecdsa))) != 0 || |
2706 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) | 2735 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) |
2707 | goto out; | 2736 | goto out; |
2708 | break; | 2737 | break; |
@@ -2720,7 +2749,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) | |||
2720 | goto out; | 2749 | goto out; |
2721 | } | 2750 | } |
2722 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | 2751 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), |
2723 | EC_KEY_get0_public_key(k->ecdsa)) != 0) || | 2752 | EC_KEY_get0_public_key(k->ecdsa))) != 0 || |
2724 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) | 2753 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) |
2725 | goto out; | 2754 | goto out; |
2726 | break; | 2755 | break; |
@@ -2742,10 +2771,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) | |||
2742 | case KEY_RSA_CERT: | 2771 | case KEY_RSA_CERT: |
2743 | if ((r = sshkey_froms(buf, &k)) != 0 || | 2772 | if ((r = sshkey_froms(buf, &k)) != 0 || |
2744 | (r = sshkey_add_private(k)) != 0 || | 2773 | (r = sshkey_add_private(k)) != 0 || |
2745 | (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || | 2774 | (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || |
2746 | (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || | 2775 | (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || |
2747 | (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || | 2776 | (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || |
2748 | (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || | 2777 | (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || |
2749 | (r = rsa_generate_additional_parameters(k->rsa)) != 0) | 2778 | (r = rsa_generate_additional_parameters(k->rsa)) != 0) |
2750 | goto out; | 2779 | goto out; |
2751 | break; | 2780 | break; |
@@ -3432,9 +3461,9 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, | |||
3432 | 3461 | ||
3433 | /* Store public key. This will be in plain text. */ | 3462 | /* Store public key. This will be in plain text. */ |
3434 | if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || | 3463 | if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || |
3435 | (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || | 3464 | (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 || |
3436 | (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || | 3465 | (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 || |
3437 | (r = sshbuf_put_cstring(encrypted, comment) != 0)) | 3466 | (r = sshbuf_put_cstring(encrypted, comment)) != 0) |
3438 | goto out; | 3467 | goto out; |
3439 | 3468 | ||
3440 | /* Allocate space for the private part of the key in the buffer. */ | 3469 | /* Allocate space for the private part of the key in the buffer. */ |
@@ -3455,10 +3484,8 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, | |||
3455 | out: | 3484 | out: |
3456 | explicit_bzero(&ciphercontext, sizeof(ciphercontext)); | 3485 | explicit_bzero(&ciphercontext, sizeof(ciphercontext)); |
3457 | explicit_bzero(buf, sizeof(buf)); | 3486 | explicit_bzero(buf, sizeof(buf)); |
3458 | if (buffer != NULL) | 3487 | sshbuf_free(buffer); |
3459 | sshbuf_free(buffer); | 3488 | sshbuf_free(encrypted); |
3460 | if (encrypted != NULL) | ||
3461 | sshbuf_free(encrypted); | ||
3462 | 3489 | ||
3463 | return r; | 3490 | return r; |
3464 | } | 3491 | } |
@@ -3612,10 +3639,8 @@ sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, | |||
3612 | pub = NULL; | 3639 | pub = NULL; |
3613 | 3640 | ||
3614 | out: | 3641 | out: |
3615 | if (copy != NULL) | 3642 | sshbuf_free(copy); |
3616 | sshbuf_free(copy); | 3643 | sshkey_free(pub); |
3617 | if (pub != NULL) | ||
3618 | sshkey_free(pub); | ||
3619 | return r; | 3644 | return r; |
3620 | } | 3645 | } |
3621 | 3646 | ||
@@ -3727,14 +3752,10 @@ sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, | |||
3727 | } | 3752 | } |
3728 | out: | 3753 | out: |
3729 | explicit_bzero(&ciphercontext, sizeof(ciphercontext)); | 3754 | explicit_bzero(&ciphercontext, sizeof(ciphercontext)); |
3730 | if (comment != NULL) | 3755 | free(comment); |
3731 | free(comment); | 3756 | sshkey_free(prv); |
3732 | if (prv != NULL) | 3757 | sshbuf_free(copy); |
3733 | sshkey_free(prv); | 3758 | sshbuf_free(decrypted); |
3734 | if (copy != NULL) | ||
3735 | sshbuf_free(copy); | ||
3736 | if (decrypted != NULL) | ||
3737 | sshbuf_free(decrypted); | ||
3738 | return r; | 3759 | return r; |
3739 | } | 3760 | } |
3740 | #endif /* WITH_SSH1 */ | 3761 | #endif /* WITH_SSH1 */ |
@@ -3824,8 +3845,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, | |||
3824 | BIO_free(bio); | 3845 | BIO_free(bio); |
3825 | if (pk != NULL) | 3846 | if (pk != NULL) |
3826 | EVP_PKEY_free(pk); | 3847 | EVP_PKEY_free(pk); |
3827 | if (prv != NULL) | 3848 | sshkey_free(prv); |
3828 | sshkey_free(prv); | ||
3829 | return r; | 3849 | return r; |
3830 | } | 3850 | } |
3831 | #endif /* WITH_OPENSSL */ | 3851 | #endif /* WITH_OPENSSL */ |
@@ -3834,8 +3854,6 @@ int | |||
3834 | sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, | 3854 | sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, |
3835 | const char *passphrase, struct sshkey **keyp, char **commentp) | 3855 | const char *passphrase, struct sshkey **keyp, char **commentp) |
3836 | { | 3856 | { |
3837 | int r; | ||
3838 | |||
3839 | *keyp = NULL; | 3857 | *keyp = NULL; |
3840 | if (commentp != NULL) | 3858 | if (commentp != NULL) |
3841 | *commentp = NULL; | 3859 | *commentp = NULL; |
@@ -3857,8 +3875,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, | |||
3857 | return sshkey_parse_private2(blob, type, passphrase, | 3875 | return sshkey_parse_private2(blob, type, passphrase, |
3858 | keyp, commentp); | 3876 | keyp, commentp); |
3859 | case KEY_UNSPEC: | 3877 | case KEY_UNSPEC: |
3860 | if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, | 3878 | if (sshkey_parse_private2(blob, type, passphrase, keyp, |
3861 | commentp)) == 0) | 3879 | commentp) == 0) |
3862 | return 0; | 3880 | return 0; |
3863 | #ifdef WITH_OPENSSL | 3881 | #ifdef WITH_OPENSSL |
3864 | return sshkey_parse_private_pem_fileblob(blob, type, | 3882 | return sshkey_parse_private_pem_fileblob(blob, type, |
@@ -3873,10 +3891,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, | |||
3873 | 3891 | ||
3874 | int | 3892 | int |
3875 | sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, | 3893 | sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, |
3876 | const char *filename, struct sshkey **keyp, char **commentp) | 3894 | struct sshkey **keyp, char **commentp) |
3877 | { | 3895 | { |
3878 | int r; | ||
3879 | |||
3880 | if (keyp != NULL) | 3896 | if (keyp != NULL) |
3881 | *keyp = NULL; | 3897 | *keyp = NULL; |
3882 | if (commentp != NULL) | 3898 | if (commentp != NULL) |
@@ -3884,13 +3900,11 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, | |||
3884 | 3900 | ||
3885 | #ifdef WITH_SSH1 | 3901 | #ifdef WITH_SSH1 |
3886 | /* it's a SSH v1 key if the public key part is readable */ | 3902 | /* it's a SSH v1 key if the public key part is readable */ |
3887 | if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { | 3903 | if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) { |
3888 | return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, | 3904 | return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, |
3889 | passphrase, keyp, commentp); | 3905 | passphrase, keyp, commentp); |
3890 | } | 3906 | } |
3891 | #endif /* WITH_SSH1 */ | 3907 | #endif /* WITH_SSH1 */ |
3892 | if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, | 3908 | return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, |
3893 | passphrase, keyp, commentp)) == 0) | 3909 | passphrase, keyp, commentp); |
3894 | return 0; | ||
3895 | return r; | ||
3896 | } | 3910 | } |
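Review bot: In the new sshkey_format_cert_validity() the result of localtime() is passed straight to strftime() without a NULL check, and the strftime() return value is ignored; if either fails, the untouched `from`/`to` buffers beyond their first byte are indeterminate (strftime leaves the contents unspecified when it returns 0), and a NULL tm is undefined behaviour. localtime() also writes to static storage, so localtime_r() with a stack `struct tm` would be the reentrant form for a library function. Both call sites (valid_after and valid_before) should guard the conversion and fall back to the empty string that `*from = *to = '\0'` already establishes, so the later snprintf() only ever formats well-defined text. The whole function lies inside the hunk.
```c
	if (cert->valid_after != 0) {
		/* XXX revisit INT_MAX in 2038 :) */
		tt = cert->valid_after > INT_MAX ?
		    INT_MAX : cert->valid_after;
		/* localtime() may fail; strftime() == 0 leaves from[] indeterminate */
		if ((tm = localtime(&tt)) == NULL ||
		    strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm) == 0)
			*from = '\0';
	}
	if (cert->valid_before != 0xffffffffffffffffULL) {
		/* … unchanged: clamp valid_before into tt … */
		if ((tm = localtime(&tt)) == NULL ||
		    strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm) == 0)
			*to = '\0';
	}
	/* … unchanged: snprintf() of ret[] and strlcpy() into s … */
```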