key.c (207319) | key.c (215116) |
---|---|
1/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */ | 1/* $OpenBSD: key.c,v 1.90 2010/07/13 23:13:16 djm Exp $ */ |
2/* 3 * read_bignum(): 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be --- 37 unchanged lines hidden (view full) --- 47#include <string.h> 48 49#include "xmalloc.h" 50#include "key.h" 51#include "rsa.h" 52#include "uuencode.h" 53#include "buffer.h" 54#include "log.h" | 2/* 3 * read_bignum(): 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be --- 37 unchanged lines hidden (view full) --- 47#include <string.h> 48 49#include "xmalloc.h" 50#include "key.h" 51#include "rsa.h" 52#include "uuencode.h" 53#include "buffer.h" 54#include "log.h" |
55#include "misc.h" |
|
55#include "ssh2.h" 56 57static struct KeyCert * 58cert_new(void) 59{ 60 struct KeyCert *cert; 61 62 cert = xcalloc(1, sizeof(*cert)); 63 buffer_init(&cert->certblob); | 56#include "ssh2.h" 57 58static struct KeyCert * 59cert_new(void) 60{ 61 struct KeyCert *cert; 62 63 cert = xcalloc(1, sizeof(*cert)); 64 buffer_init(&cert->certblob); |
64 buffer_init(&cert->constraints); | 65 buffer_init(&cert->critical); 66 buffer_init(&cert->extensions); |
65 cert->key_id = NULL; 66 cert->principals = NULL; 67 cert->signature_key = NULL; 68 return cert; 69} 70 71Key * 72key_new(int type) --- 4 unchanged lines hidden (view full) --- 77 k = xcalloc(1, sizeof(*k)); 78 k->type = type; 79 k->dsa = NULL; 80 k->rsa = NULL; 81 k->cert = NULL; 82 switch (k->type) { 83 case KEY_RSA1: 84 case KEY_RSA: | 67 cert->key_id = NULL; 68 cert->principals = NULL; 69 cert->signature_key = NULL; 70 return cert; 71} 72 73Key * 74key_new(int type) --- 4 unchanged lines hidden (view full) --- 79 k = xcalloc(1, sizeof(*k)); 80 k->type = type; 81 k->dsa = NULL; 82 k->rsa = NULL; 83 k->cert = NULL; 84 switch (k->type) { 85 case KEY_RSA1: 86 case KEY_RSA: |
87 case KEY_RSA_CERT_V00: |
|
85 case KEY_RSA_CERT: 86 if ((rsa = RSA_new()) == NULL) 87 fatal("key_new: RSA_new failed"); 88 if ((rsa->n = BN_new()) == NULL) 89 fatal("key_new: BN_new failed"); 90 if ((rsa->e = BN_new()) == NULL) 91 fatal("key_new: BN_new failed"); 92 k->rsa = rsa; 93 break; 94 case KEY_DSA: | 88 case KEY_RSA_CERT: 89 if ((rsa = RSA_new()) == NULL) 90 fatal("key_new: RSA_new failed"); 91 if ((rsa->n = BN_new()) == NULL) 92 fatal("key_new: BN_new failed"); 93 if ((rsa->e = BN_new()) == NULL) 94 fatal("key_new: BN_new failed"); 95 k->rsa = rsa; 96 break; 97 case KEY_DSA: |
98 case KEY_DSA_CERT_V00: |
|
95 case KEY_DSA_CERT: 96 if ((dsa = DSA_new()) == NULL) 97 fatal("key_new: DSA_new failed"); 98 if ((dsa->p = BN_new()) == NULL) 99 fatal("key_new: BN_new failed"); 100 if ((dsa->q = BN_new()) == NULL) 101 fatal("key_new: BN_new failed"); 102 if ((dsa->g = BN_new()) == NULL) --- 16 unchanged lines hidden (view full) --- 119} 120 121void 122key_add_private(Key *k) 123{ 124 switch (k->type) { 125 case KEY_RSA1: 126 case KEY_RSA: | 99 case KEY_DSA_CERT: 100 if ((dsa = DSA_new()) == NULL) 101 fatal("key_new: DSA_new failed"); 102 if ((dsa->p = BN_new()) == NULL) 103 fatal("key_new: BN_new failed"); 104 if ((dsa->q = BN_new()) == NULL) 105 fatal("key_new: BN_new failed"); 106 if ((dsa->g = BN_new()) == NULL) --- 16 unchanged lines hidden (view full) --- 123} 124 125void 126key_add_private(Key *k) 127{ 128 switch (k->type) { 129 case KEY_RSA1: 130 case KEY_RSA: |
131 case KEY_RSA_CERT_V00: |
|
127 case KEY_RSA_CERT: 128 if ((k->rsa->d = BN_new()) == NULL) 129 fatal("key_new_private: BN_new failed"); 130 if ((k->rsa->iqmp = BN_new()) == NULL) 131 fatal("key_new_private: BN_new failed"); 132 if ((k->rsa->q = BN_new()) == NULL) 133 fatal("key_new_private: BN_new failed"); 134 if ((k->rsa->p = BN_new()) == NULL) 135 fatal("key_new_private: BN_new failed"); 136 if ((k->rsa->dmq1 = BN_new()) == NULL) 137 fatal("key_new_private: BN_new failed"); 138 if ((k->rsa->dmp1 = BN_new()) == NULL) 139 fatal("key_new_private: BN_new failed"); 140 break; 141 case KEY_DSA: | 132 case KEY_RSA_CERT: 133 if ((k->rsa->d = BN_new()) == NULL) 134 fatal("key_new_private: BN_new failed"); 135 if ((k->rsa->iqmp = BN_new()) == NULL) 136 fatal("key_new_private: BN_new failed"); 137 if ((k->rsa->q = BN_new()) == NULL) 138 fatal("key_new_private: BN_new failed"); 139 if ((k->rsa->p = BN_new()) == NULL) 140 fatal("key_new_private: BN_new failed"); 141 if ((k->rsa->dmq1 = BN_new()) == NULL) 142 fatal("key_new_private: BN_new failed"); 143 if ((k->rsa->dmp1 = BN_new()) == NULL) 144 fatal("key_new_private: BN_new failed"); 145 break; 146 case KEY_DSA: |
147 case KEY_DSA_CERT_V00: |
|
142 case KEY_DSA_CERT: 143 if ((k->dsa->priv_key = BN_new()) == NULL) 144 fatal("key_new_private: BN_new failed"); 145 break; 146 case KEY_UNSPEC: 147 break; 148 default: 149 break; --- 10 unchanged lines hidden (view full) --- 160} 161 162static void 163cert_free(struct KeyCert *cert) 164{ 165 u_int i; 166 167 buffer_free(&cert->certblob); | 148 case KEY_DSA_CERT: 149 if ((k->dsa->priv_key = BN_new()) == NULL) 150 fatal("key_new_private: BN_new failed"); 151 break; 152 case KEY_UNSPEC: 153 break; 154 default: 155 break; --- 10 unchanged lines hidden (view full) --- 166} 167 168static void 169cert_free(struct KeyCert *cert) 170{ 171 u_int i; 172 173 buffer_free(&cert->certblob); |
168 buffer_free(&cert->constraints); | 174 buffer_free(&cert->critical); 175 buffer_free(&cert->extensions); |
169 if (cert->key_id != NULL) 170 xfree(cert->key_id); 171 for (i = 0; i < cert->nprincipals; i++) 172 xfree(cert->principals[i]); 173 if (cert->principals != NULL) 174 xfree(cert->principals); 175 if (cert->signature_key != NULL) 176 key_free(cert->signature_key); 177} 178 179void 180key_free(Key *k) 181{ 182 if (k == NULL) 183 fatal("key_free: key is NULL"); 184 switch (k->type) { 185 case KEY_RSA1: 186 case KEY_RSA: | 176 if (cert->key_id != NULL) 177 xfree(cert->key_id); 178 for (i = 0; i < cert->nprincipals; i++) 179 xfree(cert->principals[i]); 180 if (cert->principals != NULL) 181 xfree(cert->principals); 182 if (cert->signature_key != NULL) 183 key_free(cert->signature_key); 184} 185 186void 187key_free(Key *k) 188{ 189 if (k == NULL) 190 fatal("key_free: key is NULL"); 191 switch (k->type) { 192 case KEY_RSA1: 193 case KEY_RSA: |
194 case KEY_RSA_CERT_V00: |
|
187 case KEY_RSA_CERT: 188 if (k->rsa != NULL) 189 RSA_free(k->rsa); 190 k->rsa = NULL; 191 break; 192 case KEY_DSA: | 195 case KEY_RSA_CERT: 196 if (k->rsa != NULL) 197 RSA_free(k->rsa); 198 k->rsa = NULL; 199 break; 200 case KEY_DSA: |
201 case KEY_DSA_CERT_V00: |
|
193 case KEY_DSA_CERT: 194 if (k->dsa != NULL) 195 DSA_free(k->dsa); 196 k->dsa = NULL; 197 break; 198 case KEY_UNSPEC: 199 break; 200 default: --- 13 unchanged lines hidden (view full) --- 214cert_compare(struct KeyCert *a, struct KeyCert *b) 215{ 216 if (a == NULL && b == NULL) 217 return 1; 218 if (a == NULL || b == NULL) 219 return 0; 220 if (buffer_len(&a->certblob) != buffer_len(&b->certblob)) 221 return 0; | 202 case KEY_DSA_CERT: 203 if (k->dsa != NULL) 204 DSA_free(k->dsa); 205 k->dsa = NULL; 206 break; 207 case KEY_UNSPEC: 208 break; 209 default: --- 13 unchanged lines hidden (view full) --- 223cert_compare(struct KeyCert *a, struct KeyCert *b) 224{ 225 if (a == NULL && b == NULL) 226 return 1; 227 if (a == NULL || b == NULL) 228 return 0; 229 if (buffer_len(&a->certblob) != buffer_len(&b->certblob)) 230 return 0; |
222 if (memcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob), | 231 if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob), |
223 buffer_len(&a->certblob)) != 0) 224 return 0; 225 return 1; 226} 227 228/* 229 * Compare public portions of key only, allowing comparisons between 230 * certificates and plain keys too. 231 */ 232int 233key_equal_public(const Key *a, const Key *b) 234{ 235 if (a == NULL || b == NULL || 236 key_type_plain(a->type) != key_type_plain(b->type)) 237 return 0; 238 239 switch (a->type) { 240 case KEY_RSA1: | 232 buffer_len(&a->certblob)) != 0) 233 return 0; 234 return 1; 235} 236 237/* 238 * Compare public portions of key only, allowing comparisons between 239 * certificates and plain keys too. 240 */ 241int 242key_equal_public(const Key *a, const Key *b) 243{ 244 if (a == NULL || b == NULL || 245 key_type_plain(a->type) != key_type_plain(b->type)) 246 return 0; 247 248 switch (a->type) { 249 case KEY_RSA1: |
250 case KEY_RSA_CERT_V00: |
|
241 case KEY_RSA_CERT: 242 case KEY_RSA: 243 return a->rsa != NULL && b->rsa != NULL && 244 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 245 BN_cmp(a->rsa->n, b->rsa->n) == 0; | 251 case KEY_RSA_CERT: 252 case KEY_RSA: 253 return a->rsa != NULL && b->rsa != NULL && 254 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 255 BN_cmp(a->rsa->n, b->rsa->n) == 0; |
256 case KEY_DSA_CERT_V00: |
|
246 case KEY_DSA_CERT: 247 case KEY_DSA: 248 return a->dsa != NULL && b->dsa != NULL && 249 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 250 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 251 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 252 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 253 default: --- 45 unchanged lines hidden (view full) --- 299 blob = xmalloc(len); 300 BN_bn2bin(k->rsa->n, blob); 301 BN_bn2bin(k->rsa->e, blob + nlen); 302 break; 303 case KEY_DSA: 304 case KEY_RSA: 305 key_to_blob(k, &blob, &len); 306 break; | 257 case KEY_DSA_CERT: 258 case KEY_DSA: 259 return a->dsa != NULL && b->dsa != NULL && 260 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 261 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 262 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 263 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 264 default: --- 45 unchanged lines hidden (view full) --- 310 blob = xmalloc(len); 311 BN_bn2bin(k->rsa->n, blob); 312 BN_bn2bin(k->rsa->e, blob + nlen); 313 break; 314 case KEY_DSA: 315 case KEY_RSA: 316 key_to_blob(k, &blob, &len); 317 break; |
318 case KEY_DSA_CERT_V00: 319 case KEY_RSA_CERT_V00: |
|
307 case KEY_DSA_CERT: 308 case KEY_RSA_CERT: 309 /* We want a fingerprint of the _key_ not of the cert */ 310 otype = k->type; 311 k->type = key_type_plain(k->type); 312 key_to_blob(k, &blob, &len); 313 k->type = otype; 314 break; --- 311 unchanged lines hidden (view full) --- 626 "actual %d", bits, BN_num_bits(ret->rsa->n)); 627 return -1; 628 } 629 success = 1; 630 break; 631 case KEY_UNSPEC: 632 case KEY_RSA: 633 case KEY_DSA: | 320 case KEY_DSA_CERT: 321 case KEY_RSA_CERT: 322 /* We want a fingerprint of the _key_ not of the cert */ 323 otype = k->type; 324 k->type = key_type_plain(k->type); 325 key_to_blob(k, &blob, &len); 326 k->type = otype; 327 break; --- 311 unchanged lines hidden (view full) --- 639 "actual %d", bits, BN_num_bits(ret->rsa->n)); 640 return -1; 641 } 642 success = 1; 643 break; 644 case KEY_UNSPEC: 645 case KEY_RSA: 646 case KEY_DSA: |
647 case KEY_DSA_CERT_V00: 648 case KEY_RSA_CERT_V00: |
|
634 case KEY_DSA_CERT: 635 case KEY_RSA_CERT: 636 space = strchr(cp, ' '); 637 if (space == NULL) { 638 debug3("key_read: missing whitespace"); 639 return -1; 640 } 641 *space = '\0'; --- 110 unchanged lines hidden (view full) --- 752 bits = BN_num_bits(key->rsa->n); 753 fprintf(f, "%u", bits); 754 if (write_bignum(f, key->rsa->e) && 755 write_bignum(f, key->rsa->n)) 756 return 1; 757 error("key_write: failed for RSA key"); 758 return 0; 759 case KEY_DSA: | 649 case KEY_DSA_CERT: 650 case KEY_RSA_CERT: 651 space = strchr(cp, ' '); 652 if (space == NULL) { 653 debug3("key_read: missing whitespace"); 654 return -1; 655 } 656 *space = '\0'; --- 110 unchanged lines hidden (view full) --- 767 bits = BN_num_bits(key->rsa->n); 768 fprintf(f, "%u", bits); 769 if (write_bignum(f, key->rsa->e) && 770 write_bignum(f, key->rsa->n)) 771 return 1; 772 error("key_write: failed for RSA key"); 773 return 0; 774 case KEY_DSA: |
775 case KEY_DSA_CERT_V00: |
|
760 case KEY_DSA_CERT: 761 if (key->dsa == NULL) 762 return 0; 763 break; 764 case KEY_RSA: | 776 case KEY_DSA_CERT: 777 if (key->dsa == NULL) 778 return 0; 779 break; 780 case KEY_RSA: |
781 case KEY_RSA_CERT_V00: |
|
765 case KEY_RSA_CERT: 766 if (key->rsa == NULL) 767 return 0; 768 break; 769 default: 770 return 0; 771 } 772 --- 15 unchanged lines hidden (view full) --- 788{ 789 switch (k->type) { 790 case KEY_RSA1: 791 return "RSA1"; 792 case KEY_RSA: 793 return "RSA"; 794 case KEY_DSA: 795 return "DSA"; | 782 case KEY_RSA_CERT: 783 if (key->rsa == NULL) 784 return 0; 785 break; 786 default: 787 return 0; 788 } 789 --- 15 unchanged lines hidden (view full) --- 805{ 806 switch (k->type) { 807 case KEY_RSA1: 808 return "RSA1"; 809 case KEY_RSA: 810 return "RSA"; 811 case KEY_DSA: 812 return "DSA"; |
813 case KEY_RSA_CERT_V00: 814 return "RSA-CERT-V00"; 815 case KEY_DSA_CERT_V00: 816 return "DSA-CERT-V00"; |
|
796 case KEY_RSA_CERT: 797 return "RSA-CERT"; 798 case KEY_DSA_CERT: 799 return "DSA-CERT"; 800 } 801 return "unknown"; 802} 803 --- 13 unchanged lines hidden (view full) --- 817const char * 818key_ssh_name(const Key *k) 819{ 820 switch (k->type) { 821 case KEY_RSA: 822 return "ssh-rsa"; 823 case KEY_DSA: 824 return "ssh-dss"; | 817 case KEY_RSA_CERT: 818 return "RSA-CERT"; 819 case KEY_DSA_CERT: 820 return "DSA-CERT"; 821 } 822 return "unknown"; 823} 824 --- 13 unchanged lines hidden (view full) --- 838const char * 839key_ssh_name(const Key *k) 840{ 841 switch (k->type) { 842 case KEY_RSA: 843 return "ssh-rsa"; 844 case KEY_DSA: 845 return "ssh-dss"; |
825 case KEY_RSA_CERT: | 846 case KEY_RSA_CERT_V00: |
826 return "ssh-rsa-cert-v00@openssh.com"; | 847 return "ssh-rsa-cert-v00@openssh.com"; |
827 case KEY_DSA_CERT: | 848 case KEY_DSA_CERT_V00: |
828 return "ssh-dss-cert-v00@openssh.com"; | 849 return "ssh-dss-cert-v00@openssh.com"; |
850 case KEY_RSA_CERT: 851 return "ssh-rsa-cert-v01@openssh.com"; 852 case KEY_DSA_CERT: 853 return "ssh-dss-cert-v01@openssh.com"; |
|
829 } 830 return "ssh-unknown"; 831} 832 833u_int 834key_size(const Key *k) 835{ 836 switch (k->type) { 837 case KEY_RSA1: 838 case KEY_RSA: | 854 } 855 return "ssh-unknown"; 856} 857 858u_int 859key_size(const Key *k) 860{ 861 switch (k->type) { 862 case KEY_RSA1: 863 case KEY_RSA: |
864 case KEY_RSA_CERT_V00: |
|
839 case KEY_RSA_CERT: 840 return BN_num_bits(k->rsa->n); 841 case KEY_DSA: | 865 case KEY_RSA_CERT: 866 return BN_num_bits(k->rsa->n); 867 case KEY_DSA: |
868 case KEY_DSA_CERT_V00: |
|
842 case KEY_DSA_CERT: 843 return BN_num_bits(k->dsa->p); 844 } 845 return 0; 846} 847 848static RSA * 849rsa_generate_private_key(u_int bits) --- 27 unchanged lines hidden (view full) --- 877 switch (type) { 878 case KEY_DSA: 879 k->dsa = dsa_generate_private_key(bits); 880 break; 881 case KEY_RSA: 882 case KEY_RSA1: 883 k->rsa = rsa_generate_private_key(bits); 884 break; | 869 case KEY_DSA_CERT: 870 return BN_num_bits(k->dsa->p); 871 } 872 return 0; 873} 874 875static RSA * 876rsa_generate_private_key(u_int bits) --- 27 unchanged lines hidden (view full) --- 904 switch (type) { 905 case KEY_DSA: 906 k->dsa = dsa_generate_private_key(bits); 907 break; 908 case KEY_RSA: 909 case KEY_RSA1: 910 k->rsa = rsa_generate_private_key(bits); 911 break; |
912 case KEY_RSA_CERT_V00: 913 case KEY_DSA_CERT_V00: |
|
885 case KEY_RSA_CERT: 886 case KEY_DSA_CERT: 887 fatal("key_generate: cert keys cannot be generated directly"); 888 default: 889 fatal("key_generate: unknown type %d", type); 890 } 891 k->type = type; 892 return k; --- 14 unchanged lines hidden (view full) --- 907 if ((from = from_key->cert) == NULL) 908 return; 909 910 to = to_key->cert = cert_new(); 911 912 buffer_append(&to->certblob, buffer_ptr(&from->certblob), 913 buffer_len(&from->certblob)); 914 | 914 case KEY_RSA_CERT: 915 case KEY_DSA_CERT: 916 fatal("key_generate: cert keys cannot be generated directly"); 917 default: 918 fatal("key_generate: unknown type %d", type); 919 } 920 k->type = type; 921 return k; --- 14 unchanged lines hidden (view full) --- 936 if ((from = from_key->cert) == NULL) 937 return; 938 939 to = to_key->cert = cert_new(); 940 941 buffer_append(&to->certblob, buffer_ptr(&from->certblob), 942 buffer_len(&from->certblob)); 943 |
915 buffer_append(&to->constraints, buffer_ptr(&from->constraints), 916 buffer_len(&from->constraints)); | 944 buffer_append(&to->critical, 945 buffer_ptr(&from->critical), buffer_len(&from->critical)); 946 buffer_append(&to->extensions, 947 buffer_ptr(&from->extensions), buffer_len(&from->extensions)); |
917 | 948 |
949 to->serial = from->serial; |
|
918 to->type = from->type; 919 to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id); 920 to->valid_after = from->valid_after; 921 to->valid_before = from->valid_before; 922 to->signature_key = from->signature_key == NULL ? 923 NULL : key_from_private(from->signature_key); 924 925 to->nprincipals = from->nprincipals; --- 9 unchanged lines hidden (view full) --- 935} 936 937Key * 938key_from_private(const Key *k) 939{ 940 Key *n = NULL; 941 switch (k->type) { 942 case KEY_DSA: | 950 to->type = from->type; 951 to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id); 952 to->valid_after = from->valid_after; 953 to->valid_before = from->valid_before; 954 to->signature_key = from->signature_key == NULL ? 955 NULL : key_from_private(from->signature_key); 956 957 to->nprincipals = from->nprincipals; --- 9 unchanged lines hidden (view full) --- 967} 968 969Key * 970key_from_private(const Key *k) 971{ 972 Key *n = NULL; 973 switch (k->type) { 974 case KEY_DSA: |
975 case KEY_DSA_CERT_V00: |
|
943 case KEY_DSA_CERT: 944 n = key_new(k->type); 945 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 946 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 947 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 948 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) 949 fatal("key_from_private: BN_copy failed"); 950 break; 951 case KEY_RSA: 952 case KEY_RSA1: | 976 case KEY_DSA_CERT: 977 n = key_new(k->type); 978 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 979 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 980 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 981 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) 982 fatal("key_from_private: BN_copy failed"); 983 break; 984 case KEY_RSA: 985 case KEY_RSA1: |
986 case KEY_RSA_CERT_V00: |
|
953 case KEY_RSA_CERT: 954 n = key_new(k->type); 955 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 956 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) 957 fatal("key_from_private: BN_copy failed"); 958 break; 959 default: 960 fatal("key_from_private: unknown type %d", k->type); --- 13 unchanged lines hidden (view full) --- 974 return KEY_RSA; 975 } else if (strcmp(name, "dsa") == 0) { 976 return KEY_DSA; 977 } else if (strcmp(name, "ssh-rsa") == 0) { 978 return KEY_RSA; 979 } else if (strcmp(name, "ssh-dss") == 0) { 980 return KEY_DSA; 981 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { | 987 case KEY_RSA_CERT: 988 n = key_new(k->type); 989 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 990 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) 991 fatal("key_from_private: BN_copy failed"); 992 break; 993 default: 994 fatal("key_from_private: unknown type %d", k->type); --- 13 unchanged lines hidden (view full) --- 1008 return KEY_RSA; 1009 } else if (strcmp(name, "dsa") == 0) { 1010 return KEY_DSA; 1011 } else if (strcmp(name, "ssh-rsa") == 0) { 1012 return KEY_RSA; 1013 } else if (strcmp(name, "ssh-dss") == 0) { 1014 return KEY_DSA; 1015 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { |
982 return KEY_RSA_CERT; | 1016 return KEY_RSA_CERT_V00; |
983 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { | 1017 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { |
1018 return KEY_DSA_CERT_V00; 1019 } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) { 1020 return KEY_RSA_CERT; 1021 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) { |
|
984 return KEY_DSA_CERT; 985 } 986 debug2("key_type_from_name: unknown key type '%s'", name); 987 return KEY_UNSPEC; 988} 989 990int 991key_names_valid2(const char *names) --- 15 unchanged lines hidden (view full) --- 1007 debug3("key names ok: [%s]", names); 1008 xfree(s); 1009 return 1; 1010} 1011 1012static int 1013cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) 1014{ | 1022 return KEY_DSA_CERT; 1023 } 1024 debug2("key_type_from_name: unknown key type '%s'", name); 1025 return KEY_UNSPEC; 1026} 1027 1028int 1029key_names_valid2(const char *names) --- 15 unchanged lines hidden (view full) --- 1045 debug3("key names ok: [%s]", names); 1046 xfree(s); 1047 return 1; 1048} 1049 1050static int 1051cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) 1052{ |
1015 u_char *principals, *constraints, *sig_key, *sig; 1016 u_int signed_len, plen, clen, sklen, slen, kidlen; | 1053 u_char *principals, *critical, *exts, *sig_key, *sig; 1054 u_int signed_len, plen, clen, sklen, slen, kidlen, elen; |
1017 Buffer tmp; 1018 char *principal; 1019 int ret = -1; | 1055 Buffer tmp; 1056 char *principal; 1057 int ret = -1; |
1058 int v00 = key->type == KEY_DSA_CERT_V00 || 1059 key->type == KEY_RSA_CERT_V00; |
|
1020 1021 buffer_init(&tmp); 1022 1023 /* Copy the entire key blob for verification and later serialisation */ 1024 buffer_append(&key->cert->certblob, blob, blen); 1025 | 1060 1061 buffer_init(&tmp); 1062 1063 /* Copy the entire key blob for verification and later serialisation */ 1064 buffer_append(&key->cert->certblob, blob, blen); 1065 |
1026 principals = constraints = sig_key = sig = NULL; 1027 if (buffer_get_int_ret(&key->cert->type, b) != 0 || | 1066 elen = 0; /* Not touched for v00 certs */ 1067 principals = exts = critical = sig_key = sig = NULL; 1068 if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) || 1069 buffer_get_int_ret(&key->cert->type, b) != 0 || |
1028 (key->cert->key_id = buffer_get_string_ret(b, &kidlen)) == NULL || 1029 (principals = buffer_get_string_ret(b, &plen)) == NULL || 1030 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || 1031 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || | 1070 (key->cert->key_id = buffer_get_string_ret(b, &kidlen)) == NULL || 1071 (principals = buffer_get_string_ret(b, &plen)) == NULL || 1072 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || 1073 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || |
1032 (constraints = buffer_get_string_ret(b, &clen)) == NULL || 1033 /* skip nonce */ buffer_get_string_ptr_ret(b, NULL) == NULL || 1034 /* skip reserved */ buffer_get_string_ptr_ret(b, NULL) == NULL || | 1074 (critical = buffer_get_string_ret(b, &clen)) == NULL || 1075 (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) || 1076 (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */ 1077 buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */ |
1035 (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) { 1036 error("%s: parse error", __func__); 1037 goto out; 1038 } 1039 1040 if (kidlen != strlen(key->cert->key_id)) { 1041 error("%s: key ID contains \\0 character", __func__); 1042 goto out; --- 30 unchanged lines hidden (view full) --- 1073 } 1074 key->cert->principals = xrealloc(key->cert->principals, 1075 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1076 key->cert->principals[key->cert->nprincipals++] = principal; 1077 } 1078 1079 buffer_clear(&tmp); 1080 | 1078 (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) { 1079 error("%s: parse error", __func__); 1080 goto out; 1081 } 1082 1083 if (kidlen != strlen(key->cert->key_id)) { 1084 error("%s: key ID contains \\0 character", __func__); 1085 goto out; --- 30 unchanged lines hidden (view full) --- 1116 } 1117 key->cert->principals = xrealloc(key->cert->principals, 1118 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1119 key->cert->principals[key->cert->nprincipals++] = principal; 1120 } 1121 1122 buffer_clear(&tmp); 1123 |
1081 buffer_append(&key->cert->constraints, constraints, clen); 1082 buffer_append(&tmp, constraints, clen); | 1124 buffer_append(&key->cert->critical, critical, clen); 1125 buffer_append(&tmp, critical, clen); |
1083 /* validate structure */ 1084 while (buffer_len(&tmp) != 0) { 1085 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1086 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { | 1126 /* validate structure */ 1127 while (buffer_len(&tmp) != 0) { 1128 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1129 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { |
1087 error("%s: Constraints data invalid", __func__); | 1130 error("%s: critical option data invalid", __func__); |
1088 goto out; 1089 } 1090 } 1091 buffer_clear(&tmp); 1092 | 1131 goto out; 1132 } 1133 } 1134 buffer_clear(&tmp); 1135 |
1136 buffer_append(&key->cert->extensions, exts, elen); 1137 buffer_append(&tmp, exts, elen); 1138 /* validate structure */ 1139 while (buffer_len(&tmp) != 0) { 1140 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1141 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1142 error("%s: extension data invalid", __func__); 1143 goto out; 1144 } 1145 } 1146 buffer_clear(&tmp); 1147 |
|
1093 if ((key->cert->signature_key = key_from_blob(sig_key, 1094 sklen)) == NULL) { 1095 error("%s: Signature key invalid", __func__); 1096 goto out; 1097 } 1098 if (key->cert->signature_key->type != KEY_RSA && 1099 key->cert->signature_key->type != KEY_DSA) { 1100 error("%s: Invalid signature key type %s (%d)", __func__, --- 15 unchanged lines hidden (view full) --- 1116 __func__); 1117 goto out; 1118 } 1119 1120 out: 1121 buffer_free(&tmp); 1122 if (principals != NULL) 1123 xfree(principals); | 1148 if ((key->cert->signature_key = key_from_blob(sig_key, 1149 sklen)) == NULL) { 1150 error("%s: Signature key invalid", __func__); 1151 goto out; 1152 } 1153 if (key->cert->signature_key->type != KEY_RSA && 1154 key->cert->signature_key->type != KEY_DSA) { 1155 error("%s: Invalid signature key type %s (%d)", __func__, --- 15 unchanged lines hidden (view full) --- 1171 __func__); 1172 goto out; 1173 } 1174 1175 out: 1176 buffer_free(&tmp); 1177 if (principals != NULL) 1178 xfree(principals); |
1124 if (constraints != NULL) 1125 xfree(constraints); | 1179 if (critical != NULL) 1180 xfree(critical); 1181 if (exts != NULL) 1182 xfree(exts); |
1126 if (sig_key != NULL) 1127 xfree(sig_key); 1128 if (sig != NULL) 1129 xfree(sig); 1130 return ret; 1131} 1132 1133Key * --- 12 unchanged lines hidden (view full) --- 1146 if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) { 1147 error("key_from_blob: can't read key type"); 1148 goto out; 1149 } 1150 1151 type = key_type_from_name(ktype); 1152 1153 switch (type) { | 1183 if (sig_key != NULL) 1184 xfree(sig_key); 1185 if (sig != NULL) 1186 xfree(sig); 1187 return ret; 1188} 1189 1190Key * --- 12 unchanged lines hidden (view full) --- 1203 if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) { 1204 error("key_from_blob: can't read key type"); 1205 goto out; 1206 } 1207 1208 type = key_type_from_name(ktype); 1209 1210 switch (type) { |
1154 case KEY_RSA: | |
1155 case KEY_RSA_CERT: | 1211 case KEY_RSA_CERT: |
1212 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1213 /* FALLTHROUGH */ 1214 case KEY_RSA: 1215 case KEY_RSA_CERT_V00: |
|
1156 key = key_new(type); 1157 if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || 1158 buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { 1159 error("key_from_blob: can't read rsa key"); 1160 badkey: 1161 key_free(key); 1162 key = NULL; 1163 goto out; 1164 } 1165#ifdef DEBUG_PK 1166 RSA_print_fp(stderr, key->rsa, 8); 1167#endif 1168 break; | 1216 key = key_new(type); 1217 if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || 1218 buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { 1219 error("key_from_blob: can't read rsa key"); 1220 badkey: 1221 key_free(key); 1222 key = NULL; 1223 goto out; 1224 } 1225#ifdef DEBUG_PK 1226 RSA_print_fp(stderr, key->rsa, 8); 1227#endif 1228 break; |
1169 case KEY_DSA: | |
1170 case KEY_DSA_CERT: | 1229 case KEY_DSA_CERT: |
1230 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1231 /* FALLTHROUGH */ 1232 case KEY_DSA: 1233 case KEY_DSA_CERT_V00: |
|
1171 key = key_new(type); 1172 if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || 1173 buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || 1174 buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || 1175 buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { 1176 error("key_from_blob: can't read dsa key"); 1177 goto badkey; 1178 } --- 29 unchanged lines hidden (view full) --- 1208 int len; 1209 1210 if (key == NULL) { 1211 error("key_to_blob: key == NULL"); 1212 return 0; 1213 } 1214 buffer_init(&b); 1215 switch (key->type) { | 1234 key = key_new(type); 1235 if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || 1236 buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || 1237 buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || 1238 buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { 1239 error("key_from_blob: can't read dsa key"); 1240 goto badkey; 1241 } --- 29 unchanged lines hidden (view full) --- 1271 int len; 1272 1273 if (key == NULL) { 1274 error("key_to_blob: key == NULL"); 1275 return 0; 1276 } 1277 buffer_init(&b); 1278 switch (key->type) { |
1279 case KEY_DSA_CERT_V00: 1280 case KEY_RSA_CERT_V00: |
|
1216 case KEY_DSA_CERT: 1217 case KEY_RSA_CERT: 1218 /* Use the existing blob */ 1219 buffer_append(&b, buffer_ptr(&key->cert->certblob), 1220 buffer_len(&key->cert->certblob)); 1221 break; 1222 case KEY_DSA: 1223 buffer_put_cstring(&b, key_ssh_name(key)); --- 26 unchanged lines hidden (view full) --- 1250 1251int 1252key_sign( 1253 const Key *key, 1254 u_char **sigp, u_int *lenp, 1255 const u_char *data, u_int datalen) 1256{ 1257 switch (key->type) { | 1281 case KEY_DSA_CERT: 1282 case KEY_RSA_CERT: 1283 /* Use the existing blob */ 1284 buffer_append(&b, buffer_ptr(&key->cert->certblob), 1285 buffer_len(&key->cert->certblob)); 1286 break; 1287 case KEY_DSA: 1288 buffer_put_cstring(&b, key_ssh_name(key)); --- 26 unchanged lines hidden (view full) --- 1315 1316int 1317key_sign( 1318 const Key *key, 1319 u_char **sigp, u_int *lenp, 1320 const u_char *data, u_int datalen) 1321{ 1322 switch (key->type) { |
1323 case KEY_DSA_CERT_V00: |
|
1258 case KEY_DSA_CERT: 1259 case KEY_DSA: 1260 return ssh_dss_sign(key, sigp, lenp, data, datalen); | 1324 case KEY_DSA_CERT: 1325 case KEY_DSA: 1326 return ssh_dss_sign(key, sigp, lenp, data, datalen); |
1327 case KEY_RSA_CERT_V00: |
|
1261 case KEY_RSA_CERT: 1262 case KEY_RSA: 1263 return ssh_rsa_sign(key, sigp, lenp, data, datalen); 1264 default: 1265 error("key_sign: invalid key type %d", key->type); 1266 return -1; 1267 } 1268} --- 7 unchanged lines hidden (view full) --- 1276 const Key *key, 1277 const u_char *signature, u_int signaturelen, 1278 const u_char *data, u_int datalen) 1279{ 1280 if (signaturelen == 0) 1281 return -1; 1282 1283 switch (key->type) { | 1328 case KEY_RSA_CERT: 1329 case KEY_RSA: 1330 return ssh_rsa_sign(key, sigp, lenp, data, datalen); 1331 default: 1332 error("key_sign: invalid key type %d", key->type); 1333 return -1; 1334 } 1335} --- 7 unchanged lines hidden (view full) --- 1343 const Key *key, 1344 const u_char *signature, u_int signaturelen, 1345 const u_char *data, u_int datalen) 1346{ 1347 if (signaturelen == 0) 1348 return -1; 1349 1350 switch (key->type) { |
1351 case KEY_DSA_CERT_V00: |
|
1284 case KEY_DSA_CERT: 1285 case KEY_DSA: 1286 return ssh_dss_verify(key, signature, signaturelen, data, datalen); | 1352 case KEY_DSA_CERT: 1353 case KEY_DSA: 1354 return ssh_dss_verify(key, signature, signaturelen, data, datalen); |
1355 case KEY_RSA_CERT_V00: |
|
1287 case KEY_RSA_CERT: 1288 case KEY_RSA: 1289 return ssh_rsa_verify(key, signature, signaturelen, data, datalen); 1290 default: 1291 error("key_verify: invalid key type %d", key->type); 1292 return -1; 1293 } 1294} --- 6 unchanged lines hidden (view full) --- 1301 1302 pk = xcalloc(1, sizeof(*pk)); 1303 pk->type = k->type; 1304 pk->flags = k->flags; 1305 pk->dsa = NULL; 1306 pk->rsa = NULL; 1307 1308 switch (k->type) { | 1356 case KEY_RSA_CERT: 1357 case KEY_RSA: 1358 return ssh_rsa_verify(key, signature, signaturelen, data, datalen); 1359 default: 1360 error("key_verify: invalid key type %d", key->type); 1361 return -1; 1362 } 1363} --- 6 unchanged lines hidden (view full) --- 1370 1371 pk = xcalloc(1, sizeof(*pk)); 1372 pk->type = k->type; 1373 pk->flags = k->flags; 1374 pk->dsa = NULL; 1375 pk->rsa = NULL; 1376 1377 switch (k->type) { |
1378 case KEY_RSA_CERT_V00: |
|
1309 case KEY_RSA_CERT: 1310 key_cert_copy(k, pk); 1311 /* FALLTHROUGH */ 1312 case KEY_RSA1: 1313 case KEY_RSA: 1314 if ((pk->rsa = RSA_new()) == NULL) 1315 fatal("key_demote: RSA_new failed"); 1316 if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) 1317 fatal("key_demote: BN_dup failed"); 1318 if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) 1319 fatal("key_demote: BN_dup failed"); 1320 break; | 1379 case KEY_RSA_CERT: 1380 key_cert_copy(k, pk); 1381 /* FALLTHROUGH */ 1382 case KEY_RSA1: 1383 case KEY_RSA: 1384 if ((pk->rsa = RSA_new()) == NULL) 1385 fatal("key_demote: RSA_new failed"); 1386 if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) 1387 fatal("key_demote: BN_dup failed"); 1388 if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) 1389 fatal("key_demote: BN_dup failed"); 1390 break; |
1391 case KEY_DSA_CERT_V00: |
|
1321 case KEY_DSA_CERT: 1322 key_cert_copy(k, pk); 1323 /* FALLTHROUGH */ 1324 case KEY_DSA: 1325 if ((pk->dsa = DSA_new()) == NULL) 1326 fatal("key_demote: DSA_new failed"); 1327 if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 1328 fatal("key_demote: BN_dup failed"); --- 10 unchanged lines hidden (view full) --- 1339 } 1340 1341 return (pk); 1342} 1343 1344int 1345key_is_cert(const Key *k) 1346{ | 1392 case KEY_DSA_CERT: 1393 key_cert_copy(k, pk); 1394 /* FALLTHROUGH */ 1395 case KEY_DSA: 1396 if ((pk->dsa = DSA_new()) == NULL) 1397 fatal("key_demote: DSA_new failed"); 1398 if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 1399 fatal("key_demote: BN_dup failed"); --- 10 unchanged lines hidden (view full) --- 1410 } 1411 1412 return (pk); 1413} 1414 1415int 1416key_is_cert(const Key *k) 1417{ |
1347 return k != NULL && 1348 (k->type == KEY_RSA_CERT || k->type == KEY_DSA_CERT); | 1418 if (k == NULL) 1419 return 0; 1420 switch (k->type) { 1421 case KEY_RSA_CERT_V00: 1422 case KEY_DSA_CERT_V00: 1423 case KEY_RSA_CERT: 1424 case KEY_DSA_CERT: 1425 return 1; 1426 default: 1427 return 0; 1428 } |
1349} 1350 1351/* Return the cert-less equivalent to a certified key type */ 1352int 1353key_type_plain(int type) 1354{ 1355 switch (type) { | 1429} 1430 1431/* Return the cert-less equivalent to a certified key type */ 1432int 1433key_type_plain(int type) 1434{ 1435 switch (type) { |
1436 case KEY_RSA_CERT_V00: |
|
1356 case KEY_RSA_CERT: 1357 return KEY_RSA; | 1437 case KEY_RSA_CERT: 1438 return KEY_RSA; |
1439 case KEY_DSA_CERT_V00: |
|
1358 case KEY_DSA_CERT: 1359 return KEY_DSA; 1360 default: 1361 return type; 1362 } 1363} 1364 1365/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ 1366int | 1440 case KEY_DSA_CERT: 1441 return KEY_DSA; 1442 default: 1443 return type; 1444 } 1445} 1446 1447/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ 1448int |
1367key_to_certified(Key *k) | 1449key_to_certified(Key *k, int legacy) |
1368{ 1369 switch (k->type) { 1370 case KEY_RSA: 1371 k->cert = cert_new(); | 1450{ 1451 switch (k->type) { 1452 case KEY_RSA: 1453 k->cert = cert_new(); |
1372 k->type = KEY_RSA_CERT; | 1454 k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; |
1373 return 0; 1374 case KEY_DSA: 1375 k->cert = cert_new(); | 1455 return 0; 1456 case KEY_DSA: 1457 k->cert = cert_new(); |
1376 k->type = KEY_DSA_CERT; | 1458 k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; |
1377 return 0; 1378 default: 1379 error("%s: key has incorrect type %s", __func__, key_type(k)); 1380 return -1; 1381 } 1382} 1383 1384/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ 1385int 1386key_drop_cert(Key *k) 1387{ 1388 switch (k->type) { | 1459 return 0; 1460 default: 1461 error("%s: key has incorrect type %s", __func__, key_type(k)); 1462 return -1; 1463 } 1464} 1465 1466/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ 1467int 1468key_drop_cert(Key *k) 1469{ 1470 switch (k->type) { |
1471 case KEY_RSA_CERT_V00: |
|
1389 case KEY_RSA_CERT: 1390 cert_free(k->cert); 1391 k->type = KEY_RSA; 1392 return 0; | 1472 case KEY_RSA_CERT: 1473 cert_free(k->cert); 1474 k->type = KEY_RSA; 1475 return 0; |
1476 case KEY_DSA_CERT_V00: |
|
1393 case KEY_DSA_CERT: 1394 cert_free(k->cert); 1395 k->type = KEY_DSA; 1396 return 0; 1397 default: 1398 error("%s: key has incorrect type %s", __func__, key_type(k)); 1399 return -1; 1400 } --- 24 unchanged lines hidden (view full) --- 1425 return -1; 1426 } 1427 1428 key_to_blob(ca, &ca_blob, &ca_len); 1429 1430 buffer_clear(&k->cert->certblob); 1431 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); 1432 | 1477 case KEY_DSA_CERT: 1478 cert_free(k->cert); 1479 k->type = KEY_DSA; 1480 return 0; 1481 default: 1482 error("%s: key has incorrect type %s", __func__, key_type(k)); 1483 return -1; 1484 } --- 24 unchanged lines hidden (view full) --- 1509 return -1; 1510 } 1511 1512 key_to_blob(ca, &ca_blob, &ca_len); 1513 1514 buffer_clear(&k->cert->certblob); 1515 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); 1516 |
1517 /* -v01 certs put nonce first */ 1518 if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) { 1519 arc4random_buf(&nonce, sizeof(nonce)); 1520 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1521 } 1522 |
|
1433 switch (k->type) { | 1523 switch (k->type) { |
1524 case KEY_DSA_CERT_V00: |
|
1434 case KEY_DSA_CERT: 1435 buffer_put_bignum2(&k->cert->certblob, k->dsa->p); 1436 buffer_put_bignum2(&k->cert->certblob, k->dsa->q); 1437 buffer_put_bignum2(&k->cert->certblob, k->dsa->g); 1438 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); 1439 break; | 1525 case KEY_DSA_CERT: 1526 buffer_put_bignum2(&k->cert->certblob, k->dsa->p); 1527 buffer_put_bignum2(&k->cert->certblob, k->dsa->q); 1528 buffer_put_bignum2(&k->cert->certblob, k->dsa->g); 1529 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); 1530 break; |
1531 case KEY_RSA_CERT_V00: |
|
1440 case KEY_RSA_CERT: 1441 buffer_put_bignum2(&k->cert->certblob, k->rsa->e); 1442 buffer_put_bignum2(&k->cert->certblob, k->rsa->n); 1443 break; 1444 default: 1445 error("%s: key has incorrect type %s", __func__, key_type(k)); 1446 buffer_clear(&k->cert->certblob); 1447 xfree(ca_blob); 1448 return -1; 1449 } 1450 | 1532 case KEY_RSA_CERT: 1533 buffer_put_bignum2(&k->cert->certblob, k->rsa->e); 1534 buffer_put_bignum2(&k->cert->certblob, k->rsa->n); 1535 break; 1536 default: 1537 error("%s: key has incorrect type %s", __func__, key_type(k)); 1538 buffer_clear(&k->cert->certblob); 1539 xfree(ca_blob); 1540 return -1; 1541 } 1542 |
1543 /* -v01 certs have a serial number next */ 1544 if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) 1545 buffer_put_int64(&k->cert->certblob, k->cert->serial); 1546 |
|
1451 buffer_put_int(&k->cert->certblob, k->cert->type); 1452 buffer_put_cstring(&k->cert->certblob, k->cert->key_id); 1453 1454 buffer_init(&principals); 1455 for (i = 0; i < k->cert->nprincipals; i++) 1456 buffer_put_cstring(&principals, k->cert->principals[i]); 1457 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals), 1458 buffer_len(&principals)); 1459 buffer_free(&principals); 1460 1461 buffer_put_int64(&k->cert->certblob, k->cert->valid_after); 1462 buffer_put_int64(&k->cert->certblob, k->cert->valid_before); 1463 buffer_put_string(&k->cert->certblob, | 1547 buffer_put_int(&k->cert->certblob, k->cert->type); 1548 buffer_put_cstring(&k->cert->certblob, k->cert->key_id); 1549 1550 buffer_init(&principals); 1551 for (i = 0; i < k->cert->nprincipals; i++) 1552 buffer_put_cstring(&principals, k->cert->principals[i]); 1553 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals), 1554 buffer_len(&principals)); 1555 buffer_free(&principals); 1556 1557 buffer_put_int64(&k->cert->certblob, k->cert->valid_after); 1558 buffer_put_int64(&k->cert->certblob, k->cert->valid_before); 1559 buffer_put_string(&k->cert->certblob, |
1464 buffer_ptr(&k->cert->constraints), 1465 buffer_len(&k->cert->constraints)); | 1560 buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical)); |
1466 | 1561 |
1467 arc4random_buf(&nonce, sizeof(nonce)); 1468 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); | 1562 /* -v01 certs have non-critical options here */ 1563 if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) { 1564 buffer_put_string(&k->cert->certblob, 1565 buffer_ptr(&k->cert->extensions), 1566 buffer_len(&k->cert->extensions)); 1567 } 1568 1569 /* -v00 certs put the nonce at the end */ 1570 if (k->type == KEY_DSA_CERT_V00 || k->type == KEY_RSA_CERT_V00) 1571 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1572 |
1469 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 1470 buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 1471 xfree(ca_blob); 1472 1473 /* Sign the whole mess */ 1474 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 1475 buffer_len(&k->cert->certblob)) != 0) { 1476 error("%s: signature operation failed", __func__); --- 38 unchanged lines hidden (view full) --- 1515 *reason = "Certificate invalid: expired"; 1516 return -1; 1517 } 1518 if (k->cert->nprincipals == 0) { 1519 if (require_principal) { 1520 *reason = "Certificate lacks principal list"; 1521 return -1; 1522 } | 1573 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 1574 buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 1575 xfree(ca_blob); 1576 1577 /* Sign the whole mess */ 1578 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 1579 buffer_len(&k->cert->certblob)) != 0) { 1580 error("%s: signature operation failed", __func__); --- 38 unchanged lines hidden (view full) --- 1619 *reason = "Certificate invalid: expired"; 1620 return -1; 1621 } 1622 if (k->cert->nprincipals == 0) { 1623 if (require_principal) { 1624 *reason = "Certificate lacks principal list"; 1625 return -1; 1626 } |
1523 } else { | 1627 } else if (name != NULL) { |
1524 principal_matches = 0; 1525 for (i = 0; i < k->cert->nprincipals; i++) { 1526 if (strcmp(name, k->cert->principals[i]) == 0) { 1527 principal_matches = 1; 1528 break; 1529 } 1530 } 1531 if (!principal_matches) { 1532 *reason = "Certificate invalid: name is not a listed " 1533 "principal"; 1534 return -1; 1535 } 1536 } 1537 return 0; 1538} | 1628 principal_matches = 0; 1629 for (i = 0; i < k->cert->nprincipals; i++) { 1630 if (strcmp(name, k->cert->principals[i]) == 0) { 1631 principal_matches = 1; 1632 break; 1633 } 1634 } 1635 if (!principal_matches) { 1636 *reason = "Certificate invalid: name is not a listed " 1637 "principal"; 1638 return -1; 1639 } 1640 } 1641 return 0; 1642} |
1643 1644int 1645key_cert_is_legacy(Key *k) 1646{ 1647 switch (k->type) { 1648 case KEY_DSA_CERT_V00: 1649 case KEY_RSA_CERT_V00: 1650 return 1; 1651 default: 1652 return 0; 1653 } 1654} |
|