Diffstat (limited to 'sshkey.c')
-rw-r--r--sshkey.c212
1 files changed, 113 insertions, 99 deletions
diff --git a/sshkey.c b/sshkey.c
index 5368e7cd3..e595b1149 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */ 1/* $OpenBSD: sshkey.c,v 1.31 2015/12/11 04:21:12 mmcc Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -83,37 +83,40 @@ struct keytype {
83 int type; 83 int type;
84 int nid; 84 int nid;
85 int cert; 85 int cert;
86 int sigonly;
86}; 87};
87static const struct keytype keytypes[] = { 88static const struct keytype keytypes[] = {
88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 89 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
89 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 90 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
90 KEY_ED25519_CERT, 0, 1 }, 91 KEY_ED25519_CERT, 0, 1, 0 },
91#ifdef WITH_OPENSSL 92#ifdef WITH_OPENSSL
92 { NULL, "RSA1", KEY_RSA1, 0, 0 }, 93 { NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
93 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 94 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
94 { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 95 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
96 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
97 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
95# ifdef OPENSSL_HAS_ECC 98# ifdef OPENSSL_HAS_ECC
96 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 99 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
97 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 100 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
98# ifdef OPENSSL_HAS_NISTP521 101# ifdef OPENSSL_HAS_NISTP521
99 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 102 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
100# endif /* OPENSSL_HAS_NISTP521 */ 103# endif /* OPENSSL_HAS_NISTP521 */
101# endif /* OPENSSL_HAS_ECC */ 104# endif /* OPENSSL_HAS_ECC */
102 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 105 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
103 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 106 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
104# ifdef OPENSSL_HAS_ECC 107# ifdef OPENSSL_HAS_ECC
105 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 108 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 109 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 110 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
108 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 111 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
109# ifdef OPENSSL_HAS_NISTP521 112# ifdef OPENSSL_HAS_NISTP521
110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 113 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 114 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
112# endif /* OPENSSL_HAS_NISTP521 */ 115# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */ 116# endif /* OPENSSL_HAS_ECC */
114#endif /* WITH_OPENSSL */ 117#endif /* WITH_OPENSSL */
115 { "null", "null", KEY_NULL, 0, 0 }, 118 { "null", "null", KEY_NULL, 0, 0, 0 },
116 { NULL, NULL, -1, -1, 0 } 119 { NULL, NULL, -1, -1, 0, 0 }
117}; 120};
118 121
119const char * 122const char *
@@ -201,7 +204,7 @@ key_alg_list(int certs_only, int plain_only)
201 const struct keytype *kt; 204 const struct keytype *kt;
202 205
203 for (kt = keytypes; kt->type != -1; kt++) { 206 for (kt = keytypes; kt->type != -1; kt++) {
204 if (kt->name == NULL || kt->type == KEY_NULL) 207 if (kt->name == NULL || kt->sigonly || kt->type == KEY_NULL)
205 continue; 208 continue;
206 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 209 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
207 continue; 210 continue;
@@ -418,20 +421,14 @@ cert_free(struct sshkey_cert *cert)
418 421
419 if (cert == NULL) 422 if (cert == NULL)
420 return; 423 return;
421 if (cert->certblob != NULL) 424 sshbuf_free(cert->certblob);
422 sshbuf_free(cert->certblob); 425 sshbuf_free(cert->critical);
423 if (cert->critical != NULL) 426 sshbuf_free(cert->extensions);
424 sshbuf_free(cert->critical); 427 free(cert->key_id);
425 if (cert->extensions != NULL)
426 sshbuf_free(cert->extensions);
427 if (cert->key_id != NULL)
428 free(cert->key_id);
429 for (i = 0; i < cert->nprincipals; i++) 428 for (i = 0; i < cert->nprincipals; i++)
430 free(cert->principals[i]); 429 free(cert->principals[i]);
431 if (cert->principals != NULL) 430 free(cert->principals);
432 free(cert->principals); 431 sshkey_free(cert->signature_key);
433 if (cert->signature_key != NULL)
434 sshkey_free(cert->signature_key);
435 explicit_bzero(cert, sizeof(*cert)); 432 explicit_bzero(cert, sizeof(*cert));
436 free(cert); 433 free(cert);
437} 434}
@@ -1217,7 +1214,7 @@ read_decimal_bignum(char **cpp, BIGNUM *v)
1217 return SSH_ERR_BIGNUM_TOO_LARGE; 1214 return SSH_ERR_BIGNUM_TOO_LARGE;
1218 if (cp[e] == '\0') 1215 if (cp[e] == '\0')
1219 skip = 0; 1216 skip = 0;
1220 else if (index(" \t\r\n", cp[e]) == NULL) 1217 else if (strchr(" \t\r\n", cp[e]) == NULL)
1221 return SSH_ERR_INVALID_FORMAT; 1218 return SSH_ERR_INVALID_FORMAT;
1222 cp[e] = '\0'; 1219 cp[e] = '\0';
1223 if (BN_dec2bn(&v, cp) <= 0) 1220 if (BN_dec2bn(&v, cp) <= 0)
@@ -1233,11 +1230,10 @@ sshkey_read(struct sshkey *ret, char **cpp)
1233{ 1230{
1234 struct sshkey *k; 1231 struct sshkey *k;
1235 int retval = SSH_ERR_INVALID_FORMAT; 1232 int retval = SSH_ERR_INVALID_FORMAT;
1236 char *cp, *space; 1233 char *ep, *cp, *space;
1237 int r, type, curve_nid = -1; 1234 int r, type, curve_nid = -1;
1238 struct sshbuf *blob; 1235 struct sshbuf *blob;
1239#ifdef WITH_SSH1 1236#ifdef WITH_SSH1
1240 char *ep;
1241 u_long bits; 1237 u_long bits;
1242#endif /* WITH_SSH1 */ 1238#endif /* WITH_SSH1 */
1243 1239
@@ -1248,7 +1244,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
1248#ifdef WITH_SSH1 1244#ifdef WITH_SSH1
1249 /* Get number of bits. */ 1245 /* Get number of bits. */
1250 bits = strtoul(cp, &ep, 10); 1246 bits = strtoul(cp, &ep, 10);
1251 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || 1247 if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL ||
1252 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1248 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
1253 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1249 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
1254 /* Get public exponent, public modulus. */ 1250 /* Get public exponent, public modulus. */
@@ -1256,10 +1252,10 @@ sshkey_read(struct sshkey *ret, char **cpp)
1256 return r; 1252 return r;
1257 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1253 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
1258 return r; 1254 return r;
1259 *cpp = ep;
1260 /* validate the claimed number of bits */ 1255 /* validate the claimed number of bits */
1261 if (BN_num_bits(ret->rsa->n) != (int)bits) 1256 if (BN_num_bits(ret->rsa->n) != (int)bits)
1262 return SSH_ERR_KEY_BITS_MISMATCH; 1257 return SSH_ERR_KEY_BITS_MISMATCH;
1258 *cpp = ep;
1263 retval = 0; 1259 retval = 0;
1264#endif /* WITH_SSH1 */ 1260#endif /* WITH_SSH1 */
1265 break; 1261 break;
@@ -1297,9 +1293,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
1297 *space++ = '\0'; 1293 *space++ = '\0';
1298 while (*space == ' ' || *space == '\t') 1294 while (*space == ' ' || *space == '\t')
1299 space++; 1295 space++;
1300 *cpp = space; 1296 ep = space;
1301 } else 1297 } else
1302 *cpp = cp + strlen(cp); 1298 ep = cp + strlen(cp);
1303 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1299 if ((r = sshbuf_b64tod(blob, cp)) != 0) {
1304 sshbuf_free(blob); 1300 sshbuf_free(blob);
1305 return r; 1301 return r;
@@ -1330,8 +1326,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
1330 ret->cert = k->cert; 1326 ret->cert = k->cert;
1331 k->cert = NULL; 1327 k->cert = NULL;
1332 } 1328 }
1329 switch (sshkey_type_plain(ret->type)) {
1333#ifdef WITH_OPENSSL 1330#ifdef WITH_OPENSSL
1334 if (sshkey_type_plain(ret->type) == KEY_RSA) { 1331 case KEY_RSA:
1335 if (ret->rsa != NULL) 1332 if (ret->rsa != NULL)
1336 RSA_free(ret->rsa); 1333 RSA_free(ret->rsa);
1337 ret->rsa = k->rsa; 1334 ret->rsa = k->rsa;
@@ -1339,8 +1336,8 @@ sshkey_read(struct sshkey *ret, char **cpp)
1339#ifdef DEBUG_PK 1336#ifdef DEBUG_PK
1340 RSA_print_fp(stderr, ret->rsa, 8); 1337 RSA_print_fp(stderr, ret->rsa, 8);
1341#endif 1338#endif
1342 } 1339 break;
1343 if (sshkey_type_plain(ret->type) == KEY_DSA) { 1340 case KEY_DSA:
1344 if (ret->dsa != NULL) 1341 if (ret->dsa != NULL)
1345 DSA_free(ret->dsa); 1342 DSA_free(ret->dsa);
1346 ret->dsa = k->dsa; 1343 ret->dsa = k->dsa;
@@ -1348,9 +1345,9 @@ sshkey_read(struct sshkey *ret, char **cpp)
1348#ifdef DEBUG_PK 1345#ifdef DEBUG_PK
1349 DSA_print_fp(stderr, ret->dsa, 8); 1346 DSA_print_fp(stderr, ret->dsa, 8);
1350#endif 1347#endif
1351 } 1348 break;
1352# ifdef OPENSSL_HAS_ECC 1349# ifdef OPENSSL_HAS_ECC
1353 if (sshkey_type_plain(ret->type) == KEY_ECDSA) { 1350 case KEY_ECDSA:
1354 if (ret->ecdsa != NULL) 1351 if (ret->ecdsa != NULL)
1355 EC_KEY_free(ret->ecdsa); 1352 EC_KEY_free(ret->ecdsa);
1356 ret->ecdsa = k->ecdsa; 1353 ret->ecdsa = k->ecdsa;
@@ -1360,17 +1357,19 @@ sshkey_read(struct sshkey *ret, char **cpp)
1360#ifdef DEBUG_PK 1357#ifdef DEBUG_PK
1361 sshkey_dump_ec_key(ret->ecdsa); 1358 sshkey_dump_ec_key(ret->ecdsa);
1362#endif 1359#endif
1363 } 1360 break;
1364# endif /* OPENSSL_HAS_ECC */ 1361# endif /* OPENSSL_HAS_ECC */
1365#endif /* WITH_OPENSSL */ 1362#endif /* WITH_OPENSSL */
1366 if (sshkey_type_plain(ret->type) == KEY_ED25519) { 1363 case KEY_ED25519:
1367 free(ret->ed25519_pk); 1364 free(ret->ed25519_pk);
1368 ret->ed25519_pk = k->ed25519_pk; 1365 ret->ed25519_pk = k->ed25519_pk;
1369 k->ed25519_pk = NULL; 1366 k->ed25519_pk = NULL;
1370#ifdef DEBUG_PK 1367#ifdef DEBUG_PK
1371 /* XXX */ 1368 /* XXX */
1372#endif 1369#endif
1370 break;
1373 } 1371 }
1372 *cpp = ep;
1374 retval = 0; 1373 retval = 0;
1375/*XXXX*/ 1374/*XXXX*/
1376 sshkey_free(k); 1375 sshkey_free(k);
@@ -1718,7 +1717,7 @@ sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
1718 1717
1719 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1718 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1720 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1719 (ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
1721 (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) 1720 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
1722 return ret; 1721 return ret;
1723 1722
1724 to->serial = from->serial; 1723 to->serial = from->serial;
@@ -1759,9 +1758,7 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1759 struct sshkey *n = NULL; 1758 struct sshkey *n = NULL;
1760 int ret = SSH_ERR_INTERNAL_ERROR; 1759 int ret = SSH_ERR_INTERNAL_ERROR;
1761 1760
1762 if (pkp != NULL) 1761 *pkp = NULL;
1763 *pkp = NULL;
1764
1765 switch (k->type) { 1762 switch (k->type) {
1766#ifdef WITH_OPENSSL 1763#ifdef WITH_OPENSSL
1767 case KEY_DSA: 1764 case KEY_DSA:
@@ -2175,7 +2172,7 @@ sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
2175int 2172int
2176sshkey_sign(const struct sshkey *key, 2173sshkey_sign(const struct sshkey *key,
2177 u_char **sigp, size_t *lenp, 2174 u_char **sigp, size_t *lenp,
2178 const u_char *data, size_t datalen, u_int compat) 2175 const u_char *data, size_t datalen, const char *alg, u_int compat)
2179{ 2176{
2180 if (sigp != NULL) 2177 if (sigp != NULL)
2181 *sigp = NULL; 2178 *sigp = NULL;
@@ -2195,7 +2192,7 @@ sshkey_sign(const struct sshkey *key,
2195# endif /* OPENSSL_HAS_ECC */ 2192# endif /* OPENSSL_HAS_ECC */
2196 case KEY_RSA_CERT: 2193 case KEY_RSA_CERT:
2197 case KEY_RSA: 2194 case KEY_RSA:
2198 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2195 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
2199#endif /* WITH_OPENSSL */ 2196#endif /* WITH_OPENSSL */
2200 case KEY_ED25519: 2197 case KEY_ED25519:
2201 case KEY_ED25519_CERT: 2198 case KEY_ED25519_CERT:
@@ -2227,7 +2224,7 @@ sshkey_verify(const struct sshkey *key,
2227# endif /* OPENSSL_HAS_ECC */ 2224# endif /* OPENSSL_HAS_ECC */
2228 case KEY_RSA_CERT: 2225 case KEY_RSA_CERT:
2229 case KEY_RSA: 2226 case KEY_RSA:
2230 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2227 return ssh_rsa_verify(key, sig, siglen, data, dlen);
2231#endif /* WITH_OPENSSL */ 2228#endif /* WITH_OPENSSL */
2232 case KEY_ED25519: 2229 case KEY_ED25519:
2233 case KEY_ED25519_CERT: 2230 case KEY_ED25519_CERT:
@@ -2244,9 +2241,7 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2244 struct sshkey *pk; 2241 struct sshkey *pk;
2245 int ret = SSH_ERR_INTERNAL_ERROR; 2242 int ret = SSH_ERR_INTERNAL_ERROR;
2246 2243
2247 if (dkp != NULL) 2244 *dkp = NULL;
2248 *dkp = NULL;
2249
2250 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2245 if ((pk = calloc(1, sizeof(*pk))) == NULL)
2251 return SSH_ERR_ALLOC_FAIL; 2246 return SSH_ERR_ALLOC_FAIL;
2252 pk->type = k->type; 2247 pk->type = k->type;
@@ -2463,7 +2458,7 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2463 2458
2464 /* Sign the whole mess */ 2459 /* Sign the whole mess */
2465 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2460 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2466 sshbuf_len(cert), 0)) != 0) 2461 sshbuf_len(cert), NULL, 0)) != 0)
2467 goto out; 2462 goto out;
2468 2463
2469 /* Append signature and we are done */ 2464 /* Append signature and we are done */
@@ -2473,12 +2468,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
2473 out: 2468 out:
2474 if (ret != 0) 2469 if (ret != 0)
2475 sshbuf_reset(cert); 2470 sshbuf_reset(cert);
2476 if (sig_blob != NULL) 2471 free(sig_blob);
2477 free(sig_blob); 2472 free(ca_blob);
2478 if (ca_blob != NULL) 2473 sshbuf_free(principals);
2479 free(ca_blob);
2480 if (principals != NULL)
2481 sshbuf_free(principals);
2482 return ret; 2474 return ret;
2483} 2475}
2484 2476
@@ -2539,6 +2531,43 @@ sshkey_cert_check_authority(const struct sshkey *k,
2539 return 0; 2531 return 0;
2540} 2532}
2541 2533
2534size_t
2535sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
2536{
2537 char from[32], to[32], ret[64];
2538 time_t tt;
2539 struct tm *tm;
2540
2541 *from = *to = '\0';
2542 if (cert->valid_after == 0 &&
2543 cert->valid_before == 0xffffffffffffffffULL)
2544 return strlcpy(s, "forever", l);
2545
2546 if (cert->valid_after != 0) {
2547 /* XXX revisit INT_MAX in 2038 :) */
2548 tt = cert->valid_after > INT_MAX ?
2549 INT_MAX : cert->valid_after;
2550 tm = localtime(&tt);
2551 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
2552 }
2553 if (cert->valid_before != 0xffffffffffffffffULL) {
2554 /* XXX revisit INT_MAX in 2038 :) */
2555 tt = cert->valid_before > INT_MAX ?
2556 INT_MAX : cert->valid_before;
2557 tm = localtime(&tt);
2558 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
2559 }
2560
2561 if (cert->valid_after == 0)
2562 snprintf(ret, sizeof(ret), "before %s", to);
2563 else if (cert->valid_before == 0xffffffffffffffffULL)
2564 snprintf(ret, sizeof(ret), "after %s", from);
2565 else
2566 snprintf(ret, sizeof(ret), "from %s to %s", from, to);
2567
2568 return strlcpy(s, ret, l);
2569}
2570
2542int 2571int
2543sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2572sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2544{ 2573{
@@ -2702,7 +2731,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2702 goto out; 2731 goto out;
2703 } 2732 }
2704 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2733 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2705 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2734 EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2706 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2735 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2707 goto out; 2736 goto out;
2708 break; 2737 break;
@@ -2720,7 +2749,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2720 goto out; 2749 goto out;
2721 } 2750 }
2722 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2751 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2723 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2752 EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2724 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2753 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2725 goto out; 2754 goto out;
2726 break; 2755 break;
@@ -2742,10 +2771,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2742 case KEY_RSA_CERT: 2771 case KEY_RSA_CERT:
2743 if ((r = sshkey_froms(buf, &k)) != 0 || 2772 if ((r = sshkey_froms(buf, &k)) != 0 ||
2744 (r = sshkey_add_private(k)) != 0 || 2773 (r = sshkey_add_private(k)) != 0 ||
2745 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2774 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
2746 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2775 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
2747 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2776 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2748 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2777 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2749 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2778 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2750 goto out; 2779 goto out;
2751 break; 2780 break;
@@ -3432,9 +3461,9 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
3432 3461
3433 /* Store public key. This will be in plain text. */ 3462 /* Store public key. This will be in plain text. */
3434 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3463 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
3435 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || 3464 (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 ||
3436 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || 3465 (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 ||
3437 (r = sshbuf_put_cstring(encrypted, comment) != 0)) 3466 (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3438 goto out; 3467 goto out;
3439 3468
3440 /* Allocate space for the private part of the key in the buffer. */ 3469 /* Allocate space for the private part of the key in the buffer. */
@@ -3455,10 +3484,8 @@ sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
3455 out: 3484 out:
3456 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3485 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3457 explicit_bzero(buf, sizeof(buf)); 3486 explicit_bzero(buf, sizeof(buf));
3458 if (buffer != NULL) 3487 sshbuf_free(buffer);
3459 sshbuf_free(buffer); 3488 sshbuf_free(encrypted);
3460 if (encrypted != NULL)
3461 sshbuf_free(encrypted);
3462 3489
3463 return r; 3490 return r;
3464} 3491}
@@ -3612,10 +3639,8 @@ sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
3612 pub = NULL; 3639 pub = NULL;
3613 3640
3614 out: 3641 out:
3615 if (copy != NULL) 3642 sshbuf_free(copy);
3616 sshbuf_free(copy); 3643 sshkey_free(pub);
3617 if (pub != NULL)
3618 sshkey_free(pub);
3619 return r; 3644 return r;
3620} 3645}
3621 3646
@@ -3727,14 +3752,10 @@ sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
3727 } 3752 }
3728 out: 3753 out:
3729 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3754 explicit_bzero(&ciphercontext, sizeof(ciphercontext));
3730 if (comment != NULL) 3755 free(comment);
3731 free(comment); 3756 sshkey_free(prv);
3732 if (prv != NULL) 3757 sshbuf_free(copy);
3733 sshkey_free(prv); 3758 sshbuf_free(decrypted);
3734 if (copy != NULL)
3735 sshbuf_free(copy);
3736 if (decrypted != NULL)
3737 sshbuf_free(decrypted);
3738 return r; 3759 return r;
3739} 3760}
3740#endif /* WITH_SSH1 */ 3761#endif /* WITH_SSH1 */
@@ -3824,8 +3845,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
3824 BIO_free(bio); 3845 BIO_free(bio);
3825 if (pk != NULL) 3846 if (pk != NULL)
3826 EVP_PKEY_free(pk); 3847 EVP_PKEY_free(pk);
3827 if (prv != NULL) 3848 sshkey_free(prv);
3828 sshkey_free(prv);
3829 return r; 3849 return r;
3830} 3850}
3831#endif /* WITH_OPENSSL */ 3851#endif /* WITH_OPENSSL */
@@ -3834,8 +3854,6 @@ int
3834sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3854sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3835 const char *passphrase, struct sshkey **keyp, char **commentp) 3855 const char *passphrase, struct sshkey **keyp, char **commentp)
3836{ 3856{
3837 int r;
3838
3839 *keyp = NULL; 3857 *keyp = NULL;
3840 if (commentp != NULL) 3858 if (commentp != NULL)
3841 *commentp = NULL; 3859 *commentp = NULL;
@@ -3857,8 +3875,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3857 return sshkey_parse_private2(blob, type, passphrase, 3875 return sshkey_parse_private2(blob, type, passphrase,
3858 keyp, commentp); 3876 keyp, commentp);
3859 case KEY_UNSPEC: 3877 case KEY_UNSPEC:
3860 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, 3878 if (sshkey_parse_private2(blob, type, passphrase, keyp,
3861 commentp)) == 0) 3879 commentp) == 0)
3862 return 0; 3880 return 0;
3863#ifdef WITH_OPENSSL 3881#ifdef WITH_OPENSSL
3864 return sshkey_parse_private_pem_fileblob(blob, type, 3882 return sshkey_parse_private_pem_fileblob(blob, type,
@@ -3873,10 +3891,8 @@ sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3873 3891
3874int 3892int
3875sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3893sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3876 const char *filename, struct sshkey **keyp, char **commentp) 3894 struct sshkey **keyp, char **commentp)
3877{ 3895{
3878 int r;
3879
3880 if (keyp != NULL) 3896 if (keyp != NULL)
3881 *keyp = NULL; 3897 *keyp = NULL;
3882 if (commentp != NULL) 3898 if (commentp != NULL)
@@ -3884,13 +3900,11 @@ sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3884 3900
3885#ifdef WITH_SSH1 3901#ifdef WITH_SSH1
3886 /* it's a SSH v1 key if the public key part is readable */ 3902 /* it's a SSH v1 key if the public key part is readable */
3887 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { 3903 if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
3888 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3904 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
3889 passphrase, keyp, commentp); 3905 passphrase, keyp, commentp);
3890 } 3906 }
3891#endif /* WITH_SSH1 */ 3907#endif /* WITH_SSH1 */
3892 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3908 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
3893 passphrase, keyp, commentp)) == 0) 3909 passphrase, keyp, commentp);
3894 return 0;
3895 return r;
3896} 3910}
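Review bot: In the new `sshkey_format_cert_validity`, the result of `localtime(&tt)` is passed straight to `strftime` in both the `valid_after` and the `valid_before` branch, and `localtime` is allowed to return NULL. Guarding each call with `if ((tm = localtime(&tt)) != NULL)` would leave the already-zeroed `from`/`to` empty instead of dereferencing a null pointer. The `INT_MAX` clamp also means a certificate whose bound lies beyond that value is printed with the clamp date, so the text can understate how long the certificate is actually valid, which matters to anyone auditing certificates from this output. The function has no header comment; I would add `/* Formats the cert validity interval into s (size l); returns strlcpy()'s result, so a value >= l means truncation. Times above INT_MAX are shown clamped. */`.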