sshkey.c (294336) sshkey.c (294464)
1/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */
1/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:

--- 96 unchanged lines hidden (view full) ---

106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
108 KEY_ECDSA_CERT, NID_secp384r1, 1 },
109# ifdef OPENSSL_HAS_NISTP521
110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */
2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:

--- 96 unchanged lines hidden (view full) ---

106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
108 KEY_ECDSA_CERT, NID_secp384r1, 1 },
109# ifdef OPENSSL_HAS_NISTP521
110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
111 KEY_ECDSA_CERT, NID_secp521r1, 1 },
112# endif /* OPENSSL_HAS_NISTP521 */
113# endif /* OPENSSL_HAS_ECC */
114 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
115 KEY_RSA_CERT_V00, 0, 1 },
116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
117 KEY_DSA_CERT_V00, 0, 1 },
118#endif /* WITH_OPENSSL */
119 { NULL, NULL, -1, -1, 0 }
120};
121
122const char *
123sshkey_type(const struct sshkey *k)
124{
125 const struct keytype *kt;

--- 141 unchanged lines hidden (view full) ---

267
268u_int
269sshkey_size(const struct sshkey *k)
270{
271 switch (k->type) {
272#ifdef WITH_OPENSSL
273 case KEY_RSA1:
274 case KEY_RSA:
114#endif /* WITH_OPENSSL */
115 { NULL, NULL, -1, -1, 0 }
116};
117
118const char *
119sshkey_type(const struct sshkey *k)
120{
121 const struct keytype *kt;

--- 141 unchanged lines hidden (view full) ---

263
264u_int
265sshkey_size(const struct sshkey *k)
266{
267 switch (k->type) {
268#ifdef WITH_OPENSSL
269 case KEY_RSA1:
270 case KEY_RSA:
275 case KEY_RSA_CERT_V00:
276 case KEY_RSA_CERT:
277 return BN_num_bits(k->rsa->n);
278 case KEY_DSA:
271 case KEY_RSA_CERT:
272 return BN_num_bits(k->rsa->n);
273 case KEY_DSA:
279 case KEY_DSA_CERT_V00:
280 case KEY_DSA_CERT:
281 return BN_num_bits(k->dsa->p);
282 case KEY_ECDSA:
283 case KEY_ECDSA_CERT:
284 return sshkey_curve_nid_to_bits(k->ecdsa_nid);
285#endif /* WITH_OPENSSL */
286 case KEY_ED25519:
287 case KEY_ED25519_CERT:
288 return 256; /* XXX */
289 }
290 return 0;
291}
292
274 case KEY_DSA_CERT:
275 return BN_num_bits(k->dsa->p);
276 case KEY_ECDSA:
277 case KEY_ECDSA_CERT:
278 return sshkey_curve_nid_to_bits(k->ecdsa_nid);
279#endif /* WITH_OPENSSL */
280 case KEY_ED25519:
281 case KEY_ED25519_CERT:
282 return 256; /* XXX */
283 }
284 return 0;
285}
286
293int
294sshkey_cert_is_legacy(const struct sshkey *k)
295{
296 switch (k->type) {
297 case KEY_DSA_CERT_V00:
298 case KEY_RSA_CERT_V00:
299 return 1;
300 default:
301 return 0;
302 }
303}
304
305static int
306sshkey_type_is_valid_ca(int type)
307{
308 switch (type) {
309 case KEY_RSA:
310 case KEY_DSA:
311 case KEY_ECDSA:
312 case KEY_ED25519:

--- 11 unchanged lines hidden (view full) ---

324 return sshkey_type_is_cert(k->type);
325}
326
327/* Return the cert-less equivalent to a certified key type */
328int
329sshkey_type_plain(int type)
330{
331 switch (type) {
287static int
288sshkey_type_is_valid_ca(int type)
289{
290 switch (type) {
291 case KEY_RSA:
292 case KEY_DSA:
293 case KEY_ECDSA:
294 case KEY_ED25519:

--- 11 unchanged lines hidden (view full) ---

306 return sshkey_type_is_cert(k->type);
307}
308
309/* Return the cert-less equivalent to a certified key type */
310int
311sshkey_type_plain(int type)
312{
313 switch (type) {
332 case KEY_RSA_CERT_V00:
333 case KEY_RSA_CERT:
334 return KEY_RSA;
314 case KEY_RSA_CERT:
315 return KEY_RSA;
335 case KEY_DSA_CERT_V00:
336 case KEY_DSA_CERT:
337 return KEY_DSA;
338 case KEY_ECDSA_CERT:
339 return KEY_ECDSA;
340 case KEY_ED25519_CERT:
341 return KEY_ED25519;
342 default:
343 return type;

--- 148 unchanged lines hidden (view full) ---

492 k->rsa = NULL;
493 k->cert = NULL;
494 k->ed25519_sk = NULL;
495 k->ed25519_pk = NULL;
496 switch (k->type) {
497#ifdef WITH_OPENSSL
498 case KEY_RSA1:
499 case KEY_RSA:
316 case KEY_DSA_CERT:
317 return KEY_DSA;
318 case KEY_ECDSA_CERT:
319 return KEY_ECDSA;
320 case KEY_ED25519_CERT:
321 return KEY_ED25519;
322 default:
323 return type;

--- 148 unchanged lines hidden (view full) ---

472 k->rsa = NULL;
473 k->cert = NULL;
474 k->ed25519_sk = NULL;
475 k->ed25519_pk = NULL;
476 switch (k->type) {
477#ifdef WITH_OPENSSL
478 case KEY_RSA1:
479 case KEY_RSA:
500 case KEY_RSA_CERT_V00:
501 case KEY_RSA_CERT:
502 if ((rsa = RSA_new()) == NULL ||
503 (rsa->n = BN_new()) == NULL ||
504 (rsa->e = BN_new()) == NULL) {
505 if (rsa != NULL)
506 RSA_free(rsa);
507 free(k);
508 return NULL;
509 }
510 k->rsa = rsa;
511 break;
512 case KEY_DSA:
480 case KEY_RSA_CERT:
481 if ((rsa = RSA_new()) == NULL ||
482 (rsa->n = BN_new()) == NULL ||
483 (rsa->e = BN_new()) == NULL) {
484 if (rsa != NULL)
485 RSA_free(rsa);
486 free(k);
487 return NULL;
488 }
489 k->rsa = rsa;
490 break;
491 case KEY_DSA:
513 case KEY_DSA_CERT_V00:
514 case KEY_DSA_CERT:
515 if ((dsa = DSA_new()) == NULL ||
516 (dsa->p = BN_new()) == NULL ||
517 (dsa->q = BN_new()) == NULL ||
518 (dsa->g = BN_new()) == NULL ||
519 (dsa->pub_key = BN_new()) == NULL) {
520 if (dsa != NULL)
521 DSA_free(dsa);

--- 31 unchanged lines hidden (view full) ---

553
554int
555sshkey_add_private(struct sshkey *k)
556{
557 switch (k->type) {
558#ifdef WITH_OPENSSL
559 case KEY_RSA1:
560 case KEY_RSA:
492 case KEY_DSA_CERT:
493 if ((dsa = DSA_new()) == NULL ||
494 (dsa->p = BN_new()) == NULL ||
495 (dsa->q = BN_new()) == NULL ||
496 (dsa->g = BN_new()) == NULL ||
497 (dsa->pub_key = BN_new()) == NULL) {
498 if (dsa != NULL)
499 DSA_free(dsa);

--- 31 unchanged lines hidden (view full) ---

531
532int
533sshkey_add_private(struct sshkey *k)
534{
535 switch (k->type) {
536#ifdef WITH_OPENSSL
537 case KEY_RSA1:
538 case KEY_RSA:
561 case KEY_RSA_CERT_V00:
562 case KEY_RSA_CERT:
563#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
564 if (bn_maybe_alloc_failed(k->rsa->d) ||
565 bn_maybe_alloc_failed(k->rsa->iqmp) ||
566 bn_maybe_alloc_failed(k->rsa->q) ||
567 bn_maybe_alloc_failed(k->rsa->p) ||
568 bn_maybe_alloc_failed(k->rsa->dmq1) ||
569 bn_maybe_alloc_failed(k->rsa->dmp1))
570 return SSH_ERR_ALLOC_FAIL;
571 break;
572 case KEY_DSA:
539 case KEY_RSA_CERT:
540#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
541 if (bn_maybe_alloc_failed(k->rsa->d) ||
542 bn_maybe_alloc_failed(k->rsa->iqmp) ||
543 bn_maybe_alloc_failed(k->rsa->q) ||
544 bn_maybe_alloc_failed(k->rsa->p) ||
545 bn_maybe_alloc_failed(k->rsa->dmq1) ||
546 bn_maybe_alloc_failed(k->rsa->dmp1))
547 return SSH_ERR_ALLOC_FAIL;
548 break;
549 case KEY_DSA:
573 case KEY_DSA_CERT_V00:
574 case KEY_DSA_CERT:
575 if (bn_maybe_alloc_failed(k->dsa->priv_key))
576 return SSH_ERR_ALLOC_FAIL;
577 break;
578#undef bn_maybe_alloc_failed
579 case KEY_ECDSA:
580 case KEY_ECDSA_CERT:
581 /* Cannot do anything until we know the group */

--- 29 unchanged lines hidden (view full) ---

611sshkey_free(struct sshkey *k)
612{
613 if (k == NULL)
614 return;
615 switch (k->type) {
616#ifdef WITH_OPENSSL
617 case KEY_RSA1:
618 case KEY_RSA:
550 case KEY_DSA_CERT:
551 if (bn_maybe_alloc_failed(k->dsa->priv_key))
552 return SSH_ERR_ALLOC_FAIL;
553 break;
554#undef bn_maybe_alloc_failed
555 case KEY_ECDSA:
556 case KEY_ECDSA_CERT:
557 /* Cannot do anything until we know the group */

--- 29 unchanged lines hidden (view full) ---

587sshkey_free(struct sshkey *k)
588{
589 if (k == NULL)
590 return;
591 switch (k->type) {
592#ifdef WITH_OPENSSL
593 case KEY_RSA1:
594 case KEY_RSA:
619 case KEY_RSA_CERT_V00:
620 case KEY_RSA_CERT:
621 if (k->rsa != NULL)
622 RSA_free(k->rsa);
623 k->rsa = NULL;
624 break;
625 case KEY_DSA:
595 case KEY_RSA_CERT:
596 if (k->rsa != NULL)
597 RSA_free(k->rsa);
598 k->rsa = NULL;
599 break;
600 case KEY_DSA:
626 case KEY_DSA_CERT_V00:
627 case KEY_DSA_CERT:
628 if (k->dsa != NULL)
629 DSA_free(k->dsa);
630 k->dsa = NULL;
631 break;
632# ifdef OPENSSL_HAS_ECC
633 case KEY_ECDSA:
634 case KEY_ECDSA_CERT:

--- 55 unchanged lines hidden (view full) ---

690
691 if (a == NULL || b == NULL ||
692 sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
693 return 0;
694
695 switch (a->type) {
696#ifdef WITH_OPENSSL
697 case KEY_RSA1:
601 case KEY_DSA_CERT:
602 if (k->dsa != NULL)
603 DSA_free(k->dsa);
604 k->dsa = NULL;
605 break;
606# ifdef OPENSSL_HAS_ECC
607 case KEY_ECDSA:
608 case KEY_ECDSA_CERT:

--- 55 unchanged lines hidden (view full) ---

664
665 if (a == NULL || b == NULL ||
666 sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
667 return 0;
668
669 switch (a->type) {
670#ifdef WITH_OPENSSL
671 case KEY_RSA1:
698 case KEY_RSA_CERT_V00:
699 case KEY_RSA_CERT:
700 case KEY_RSA:
701 return a->rsa != NULL && b->rsa != NULL &&
702 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
703 BN_cmp(a->rsa->n, b->rsa->n) == 0;
672 case KEY_RSA_CERT:
673 case KEY_RSA:
674 return a->rsa != NULL && b->rsa != NULL &&
675 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
676 BN_cmp(a->rsa->n, b->rsa->n) == 0;
704 case KEY_DSA_CERT_V00:
705 case KEY_DSA_CERT:
706 case KEY_DSA:
707 return a->dsa != NULL && b->dsa != NULL &&
708 BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
709 BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
710 BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
711 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
712# ifdef OPENSSL_HAS_ECC

--- 54 unchanged lines hidden (view full) ---

767 if (sshbuf_len(key->cert->certblob) == 0)
768 return SSH_ERR_KEY_LACKS_CERTBLOB;
769 }
770 type = force_plain ? sshkey_type_plain(key->type) : key->type;
771 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
772
773 switch (type) {
774#ifdef WITH_OPENSSL
677 case KEY_DSA_CERT:
678 case KEY_DSA:
679 return a->dsa != NULL && b->dsa != NULL &&
680 BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
681 BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
682 BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
683 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
684# ifdef OPENSSL_HAS_ECC

--- 54 unchanged lines hidden (view full) ---

739 if (sshbuf_len(key->cert->certblob) == 0)
740 return SSH_ERR_KEY_LACKS_CERTBLOB;
741 }
742 type = force_plain ? sshkey_type_plain(key->type) : key->type;
743 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
744
745 switch (type) {
746#ifdef WITH_OPENSSL
775 case KEY_DSA_CERT_V00:
776 case KEY_RSA_CERT_V00:
777 case KEY_DSA_CERT:
778 case KEY_ECDSA_CERT:
779 case KEY_RSA_CERT:
780#endif /* WITH_OPENSSL */
781 case KEY_ED25519_CERT:
782 /* Use the existing blob */
783 /* XXX modified flag? */
784 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)

--- 507 unchanged lines hidden (view full) ---

1292 retval = 0;
1293#endif /* WITH_SSH1 */
1294 break;
1295 case KEY_UNSPEC:
1296 case KEY_RSA:
1297 case KEY_DSA:
1298 case KEY_ECDSA:
1299 case KEY_ED25519:
747 case KEY_DSA_CERT:
748 case KEY_ECDSA_CERT:
749 case KEY_RSA_CERT:
750#endif /* WITH_OPENSSL */
751 case KEY_ED25519_CERT:
752 /* Use the existing blob */
753 /* XXX modified flag? */
754 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)

--- 507 unchanged lines hidden (view full) ---

1262 retval = 0;
1263#endif /* WITH_SSH1 */
1264 break;
1265 case KEY_UNSPEC:
1266 case KEY_RSA:
1267 case KEY_DSA:
1268 case KEY_ECDSA:
1269 case KEY_ED25519:
1300 case KEY_DSA_CERT_V00:
1301 case KEY_RSA_CERT_V00:
1302 case KEY_DSA_CERT:
1303 case KEY_ECDSA_CERT:
1304 case KEY_RSA_CERT:
1305 case KEY_ED25519_CERT:
1306 space = strchr(cp, ' ');
1307 if (space == NULL)
1308 return SSH_ERR_INVALID_FORMAT;
1309 *space = '\0';

--- 482 unchanged lines hidden (view full) ---

1792 int ret = SSH_ERR_INTERNAL_ERROR;
1793
1794 if (pkp != NULL)
1795 *pkp = NULL;
1796
1797 switch (k->type) {
1798#ifdef WITH_OPENSSL
1799 case KEY_DSA:
1270 case KEY_DSA_CERT:
1271 case KEY_ECDSA_CERT:
1272 case KEY_RSA_CERT:
1273 case KEY_ED25519_CERT:
1274 space = strchr(cp, ' ');
1275 if (space == NULL)
1276 return SSH_ERR_INVALID_FORMAT;
1277 *space = '\0';

--- 482 unchanged lines hidden (view full) ---

1760 int ret = SSH_ERR_INTERNAL_ERROR;
1761
1762 if (pkp != NULL)
1763 *pkp = NULL;
1764
1765 switch (k->type) {
1766#ifdef WITH_OPENSSL
1767 case KEY_DSA:
1800 case KEY_DSA_CERT_V00:
1801 case KEY_DSA_CERT:
1802 if ((n = sshkey_new(k->type)) == NULL)
1803 return SSH_ERR_ALLOC_FAIL;
1804 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1805 (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1806 (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1807 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
1808 sshkey_free(n);

--- 15 unchanged lines hidden (view full) ---

1824 EC_KEY_get0_public_key(k->ecdsa)) != 1) {
1825 sshkey_free(n);
1826 return SSH_ERR_LIBCRYPTO_ERROR;
1827 }
1828 break;
1829# endif /* OPENSSL_HAS_ECC */
1830 case KEY_RSA:
1831 case KEY_RSA1:
1768 case KEY_DSA_CERT:
1769 if ((n = sshkey_new(k->type)) == NULL)
1770 return SSH_ERR_ALLOC_FAIL;
1771 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1772 (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1773 (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1774 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
1775 sshkey_free(n);

--- 15 unchanged lines hidden (view full) ---

1791 EC_KEY_get0_public_key(k->ecdsa)) != 1) {
1792 sshkey_free(n);
1793 return SSH_ERR_LIBCRYPTO_ERROR;
1794 }
1795 break;
1796# endif /* OPENSSL_HAS_ECC */
1797 case KEY_RSA:
1798 case KEY_RSA1:
1832 case KEY_RSA_CERT_V00:
1833 case KEY_RSA_CERT:
1834 if ((n = sshkey_new(k->type)) == NULL)
1835 return SSH_ERR_ALLOC_FAIL;
1836 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1837 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
1838 sshkey_free(n);
1839 return SSH_ERR_ALLOC_FAIL;
1840 }

--- 27 unchanged lines hidden (view full) ---

1868static int
1869cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1870{
1871 struct sshbuf *principals = NULL, *crit = NULL;
1872 struct sshbuf *exts = NULL, *ca = NULL;
1873 u_char *sig = NULL;
1874 size_t signed_len = 0, slen = 0, kidlen = 0;
1875 int ret = SSH_ERR_INTERNAL_ERROR;
1799 case KEY_RSA_CERT:
1800 if ((n = sshkey_new(k->type)) == NULL)
1801 return SSH_ERR_ALLOC_FAIL;
1802 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1803 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
1804 sshkey_free(n);
1805 return SSH_ERR_ALLOC_FAIL;
1806 }

--- 27 unchanged lines hidden (view full) ---

1834static int
1835cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1836{
1837 struct sshbuf *principals = NULL, *crit = NULL;
1838 struct sshbuf *exts = NULL, *ca = NULL;
1839 u_char *sig = NULL;
1840 size_t signed_len = 0, slen = 0, kidlen = 0;
1841 int ret = SSH_ERR_INTERNAL_ERROR;
1876 int v00 = sshkey_cert_is_legacy(key);
1877
1878 /* Copy the entire key blob for verification and later serialisation */
1879 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1880 return ret;
1881
1842
1843 /* Copy the entire key blob for verification and later serialisation */
1844 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1845 return ret;
1846
1882 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) ||
1847 /* Parse body of certificate up to signature */
1848 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1883 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1884 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1885 (ret = sshbuf_froms(b, &principals)) != 0 ||
1886 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1887 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1888 (ret = sshbuf_froms(b, &crit)) != 0 ||
1849 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1850 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1851 (ret = sshbuf_froms(b, &principals)) != 0 ||
1852 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1853 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1854 (ret = sshbuf_froms(b, &crit)) != 0 ||
1889 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) ||
1890 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
1855 (ret = sshbuf_froms(b, &exts)) != 0 ||
1891 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1892 (ret = sshbuf_froms(b, &ca)) != 0) {
1893 /* XXX debug print error for ret */
1894 ret = SSH_ERR_INVALID_FORMAT;
1895 goto out;
1896 }
1897
1898 /* Signature is left in the buffer so we can calculate this length */

--- 20 unchanged lines hidden (view full) ---

1919 goto out;
1920 }
1921 if ((ret = sshbuf_get_cstring(principals, &principal,
1922 NULL)) != 0) {
1923 ret = SSH_ERR_INVALID_FORMAT;
1924 goto out;
1925 }
1926 oprincipals = key->cert->principals;
1856 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1857 (ret = sshbuf_froms(b, &ca)) != 0) {
1858 /* XXX debug print error for ret */
1859 ret = SSH_ERR_INVALID_FORMAT;
1860 goto out;
1861 }
1862
1863 /* Signature is left in the buffer so we can calculate this length */

--- 20 unchanged lines hidden (view full) ---

1884 goto out;
1885 }
1886 if ((ret = sshbuf_get_cstring(principals, &principal,
1887 NULL)) != 0) {
1888 ret = SSH_ERR_INVALID_FORMAT;
1889 goto out;
1890 }
1891 oprincipals = key->cert->principals;
1927 key->cert->principals = realloc(key->cert->principals,
1928 (key->cert->nprincipals + 1) *
1929 sizeof(*key->cert->principals));
1892 key->cert->principals = reallocarray(key->cert->principals,
1893 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1930 if (key->cert->principals == NULL) {
1931 free(principal);
1932 key->cert->principals = oprincipals;
1933 ret = SSH_ERR_ALLOC_FAIL;
1934 goto out;
1935 }
1936 key->cert->principals[key->cert->nprincipals++] = principal;
1937 }

--- 4 unchanged lines hidden (view full) ---

1942 */
1943 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
1944 (exts != NULL &&
1945 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1946 goto out;
1947
1948 /*
1949 * Validate critical options and extensions sections format.
1894 if (key->cert->principals == NULL) {
1895 free(principal);
1896 key->cert->principals = oprincipals;
1897 ret = SSH_ERR_ALLOC_FAIL;
1898 goto out;
1899 }
1900 key->cert->principals[key->cert->nprincipals++] = principal;
1901 }

--- 4 unchanged lines hidden (view full) ---

1906 */
1907 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
1908 (exts != NULL &&
1909 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1910 goto out;
1911
1912 /*
1913 * Validate critical options and extensions sections format.
1950 * NB. extensions are not present in v00 certs.
1951 */
1952 while (sshbuf_len(crit) != 0) {
1953 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
1954 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
1955 sshbuf_reset(key->cert->critical);
1956 ret = SSH_ERR_INVALID_FORMAT;
1957 goto out;
1958 }

--- 68 unchanged lines hidden (view full) ---

2027 case KEY_RSA_CERT:
2028 /* Skip nonce */
2029 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2030 ret = SSH_ERR_INVALID_FORMAT;
2031 goto out;
2032 }
2033 /* FALLTHROUGH */
2034 case KEY_RSA:
1914 */
1915 while (sshbuf_len(crit) != 0) {
1916 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
1917 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
1918 sshbuf_reset(key->cert->critical);
1919 ret = SSH_ERR_INVALID_FORMAT;
1920 goto out;
1921 }

--- 68 unchanged lines hidden (view full) ---

1990 case KEY_RSA_CERT:
1991 /* Skip nonce */
1992 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
1993 ret = SSH_ERR_INVALID_FORMAT;
1994 goto out;
1995 }
1996 /* FALLTHROUGH */
1997 case KEY_RSA:
2035 case KEY_RSA_CERT_V00:
2036 if ((key = sshkey_new(type)) == NULL) {
2037 ret = SSH_ERR_ALLOC_FAIL;
2038 goto out;
2039 }
2040 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 ||
2041 sshbuf_get_bignum2(b, key->rsa->n) != 0) {
2042 ret = SSH_ERR_INVALID_FORMAT;
2043 goto out;

--- 5 unchanged lines hidden (view full) ---

2049 case KEY_DSA_CERT:
2050 /* Skip nonce */
2051 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2052 ret = SSH_ERR_INVALID_FORMAT;
2053 goto out;
2054 }
2055 /* FALLTHROUGH */
2056 case KEY_DSA:
1998 if ((key = sshkey_new(type)) == NULL) {
1999 ret = SSH_ERR_ALLOC_FAIL;
2000 goto out;
2001 }
2002 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 ||
2003 sshbuf_get_bignum2(b, key->rsa->n) != 0) {
2004 ret = SSH_ERR_INVALID_FORMAT;
2005 goto out;

--- 5 unchanged lines hidden (view full) ---

2011 case KEY_DSA_CERT:
2012 /* Skip nonce */
2013 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2014 ret = SSH_ERR_INVALID_FORMAT;
2015 goto out;
2016 }
2017 /* FALLTHROUGH */
2018 case KEY_DSA:
2057 case KEY_DSA_CERT_V00:
2058 if ((key = sshkey_new(type)) == NULL) {
2059 ret = SSH_ERR_ALLOC_FAIL;
2060 goto out;
2061 }
2062 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 ||
2063 sshbuf_get_bignum2(b, key->dsa->q) != 0 ||
2064 sshbuf_get_bignum2(b, key->dsa->g) != 0 ||
2065 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) {

--- 153 unchanged lines hidden (view full) ---

2219 if (sigp != NULL)
2220 *sigp = NULL;
2221 if (lenp != NULL)
2222 *lenp = 0;
2223 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2224 return SSH_ERR_INVALID_ARGUMENT;
2225 switch (key->type) {
2226#ifdef WITH_OPENSSL
2019 if ((key = sshkey_new(type)) == NULL) {
2020 ret = SSH_ERR_ALLOC_FAIL;
2021 goto out;
2022 }
2023 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 ||
2024 sshbuf_get_bignum2(b, key->dsa->q) != 0 ||
2025 sshbuf_get_bignum2(b, key->dsa->g) != 0 ||
2026 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) {

--- 153 unchanged lines hidden (view full) ---

2180 if (sigp != NULL)
2181 *sigp = NULL;
2182 if (lenp != NULL)
2183 *lenp = 0;
2184 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2185 return SSH_ERR_INVALID_ARGUMENT;
2186 switch (key->type) {
2187#ifdef WITH_OPENSSL
2227 case KEY_DSA_CERT_V00:
2228 case KEY_DSA_CERT:
2229 case KEY_DSA:
2230 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2231# ifdef OPENSSL_HAS_ECC
2232 case KEY_ECDSA_CERT:
2233 case KEY_ECDSA:
2234 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2235# endif /* OPENSSL_HAS_ECC */
2188 case KEY_DSA_CERT:
2189 case KEY_DSA:
2190 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2191# ifdef OPENSSL_HAS_ECC
2192 case KEY_ECDSA_CERT:
2193 case KEY_ECDSA:
2194 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2195# endif /* OPENSSL_HAS_ECC */
2236 case KEY_RSA_CERT_V00:
2237 case KEY_RSA_CERT:
2238 case KEY_RSA:
2239 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
2240#endif /* WITH_OPENSSL */
2241 case KEY_ED25519:
2242 case KEY_ED25519_CERT:
2243 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
2244 default:

--- 8 unchanged lines hidden (view full) ---

2253sshkey_verify(const struct sshkey *key,
2254 const u_char *sig, size_t siglen,
2255 const u_char *data, size_t dlen, u_int compat)
2256{
2257 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2258 return SSH_ERR_INVALID_ARGUMENT;
2259 switch (key->type) {
2260#ifdef WITH_OPENSSL
2196 case KEY_RSA_CERT:
2197 case KEY_RSA:
2198 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
2199#endif /* WITH_OPENSSL */
2200 case KEY_ED25519:
2201 case KEY_ED25519_CERT:
2202 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
2203 default:

--- 8 unchanged lines hidden (view full) ---

2212sshkey_verify(const struct sshkey *key,
2213 const u_char *sig, size_t siglen,
2214 const u_char *data, size_t dlen, u_int compat)
2215{
2216 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2217 return SSH_ERR_INVALID_ARGUMENT;
2218 switch (key->type) {
2219#ifdef WITH_OPENSSL
2261 case KEY_DSA_CERT_V00:
2262 case KEY_DSA_CERT:
2263 case KEY_DSA:
2264 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2265# ifdef OPENSSL_HAS_ECC
2266 case KEY_ECDSA_CERT:
2267 case KEY_ECDSA:
2268 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2269# endif /* OPENSSL_HAS_ECC */
2220 case KEY_DSA_CERT:
2221 case KEY_DSA:
2222 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2223# ifdef OPENSSL_HAS_ECC
2224 case KEY_ECDSA_CERT:
2225 case KEY_ECDSA:
2226 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2227# endif /* OPENSSL_HAS_ECC */
2270 case KEY_RSA_CERT_V00:
2271 case KEY_RSA_CERT:
2272 case KEY_RSA:
2273 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
2274#endif /* WITH_OPENSSL */
2275 case KEY_ED25519:
2276 case KEY_ED25519_CERT:
2277 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
2278 default:

--- 19 unchanged lines hidden (view full) ---

2298 pk->dsa = NULL;
2299 pk->ecdsa = NULL;
2300 pk->rsa = NULL;
2301 pk->ed25519_pk = NULL;
2302 pk->ed25519_sk = NULL;
2303
2304 switch (k->type) {
2305#ifdef WITH_OPENSSL
2228 case KEY_RSA_CERT:
2229 case KEY_RSA:
2230 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
2231#endif /* WITH_OPENSSL */
2232 case KEY_ED25519:
2233 case KEY_ED25519_CERT:
2234 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
2235 default:

--- 19 unchanged lines hidden (view full) ---

2255 pk->dsa = NULL;
2256 pk->ecdsa = NULL;
2257 pk->rsa = NULL;
2258 pk->ed25519_pk = NULL;
2259 pk->ed25519_sk = NULL;
2260
2261 switch (k->type) {
2262#ifdef WITH_OPENSSL
2306 case KEY_RSA_CERT_V00:
2307 case KEY_RSA_CERT:
2308 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2309 goto fail;
2310 /* FALLTHROUGH */
2311 case KEY_RSA1:
2312 case KEY_RSA:
2313 if ((pk->rsa = RSA_new()) == NULL ||
2314 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
2315 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
2316 ret = SSH_ERR_ALLOC_FAIL;
2317 goto fail;
2318 }
2319 break;
2263 case KEY_RSA_CERT:
2264 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2265 goto fail;
2266 /* FALLTHROUGH */
2267 case KEY_RSA1:
2268 case KEY_RSA:
2269 if ((pk->rsa = RSA_new()) == NULL ||
2270 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
2271 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
2272 ret = SSH_ERR_ALLOC_FAIL;
2273 goto fail;
2274 }
2275 break;
2320 case KEY_DSA_CERT_V00:
2321 case KEY_DSA_CERT:
2322 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2323 goto fail;
2324 /* FALLTHROUGH */
2325 case KEY_DSA:
2326 if ((pk->dsa = DSA_new()) == NULL ||
2327 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL ||
2328 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL ||

--- 42 unchanged lines hidden (view full) ---

2371 return ret;
2372 }
2373 *dkp = pk;
2374 return 0;
2375}
2376
2377/* Convert a plain key to their _CERT equivalent */
2378int
2276 case KEY_DSA_CERT:
2277 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2278 goto fail;
2279 /* FALLTHROUGH */
2280 case KEY_DSA:
2281 if ((pk->dsa = DSA_new()) == NULL ||
2282 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL ||
2283 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL ||

--- 42 unchanged lines hidden (view full) ---

2326 return ret;
2327 }
2328 *dkp = pk;
2329 return 0;
2330}
2331
2332/* Convert a plain key to their _CERT equivalent */
2333int
2379sshkey_to_certified(struct sshkey *k, int legacy)
2334sshkey_to_certified(struct sshkey *k)
2380{
2381 int newtype;
2382
2383 switch (k->type) {
2384#ifdef WITH_OPENSSL
2385 case KEY_RSA:
2335{
2336 int newtype;
2337
2338 switch (k->type) {
2339#ifdef WITH_OPENSSL
2340 case KEY_RSA:
2386 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
2341 newtype = KEY_RSA_CERT;
2387 break;
2388 case KEY_DSA:
2342 break;
2343 case KEY_DSA:
2389 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
2344 newtype = KEY_DSA_CERT;
2390 break;
2391 case KEY_ECDSA:
2345 break;
2346 case KEY_ECDSA:
2392 if (legacy)
2393 return SSH_ERR_INVALID_ARGUMENT;
2394 newtype = KEY_ECDSA_CERT;
2395 break;
2396#endif /* WITH_OPENSSL */
2397 case KEY_ED25519:
2347 newtype = KEY_ECDSA_CERT;
2348 break;
2349#endif /* WITH_OPENSSL */
2350 case KEY_ED25519:
2398 if (legacy)
2399 return SSH_ERR_INVALID_ARGUMENT;
2400 newtype = KEY_ED25519_CERT;
2401 break;
2402 default:
2403 return SSH_ERR_INVALID_ARGUMENT;
2404 }
2405 if ((k->cert = cert_new()) == NULL)
2406 return SSH_ERR_ALLOC_FAIL;
2407 k->type = newtype;

--- 35 unchanged lines hidden (view full) ---

2443
2444 cert = k->cert->certblob; /* for readability */
2445 sshbuf_reset(cert);
2446 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2447 goto out;
2448
2449 /* -v01 certs put nonce first */
2450 arc4random_buf(&nonce, sizeof(nonce));
2351 newtype = KEY_ED25519_CERT;
2352 break;
2353 default:
2354 return SSH_ERR_INVALID_ARGUMENT;
2355 }
2356 if ((k->cert = cert_new()) == NULL)
2357 return SSH_ERR_ALLOC_FAIL;
2358 k->type = newtype;

--- 35 unchanged lines hidden (view full) ---

2394
2395 cert = k->cert->certblob; /* for readability */
2396 sshbuf_reset(cert);
2397 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2398 goto out;
2399
2400 /* -v01 certs put nonce first */
2401 arc4random_buf(&nonce, sizeof(nonce));
2451 if (!sshkey_cert_is_legacy(k)) {
2452 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2453 goto out;
2454 }
2402 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2403 goto out;
2455
2456 /* XXX this substantially duplicates to_blob(); refactor */
2457 switch (k->type) {
2458#ifdef WITH_OPENSSL
2404
2405 /* XXX this substantially duplicates to_blob(); refactor */
2406 switch (k->type) {
2407#ifdef WITH_OPENSSL
2459 case KEY_DSA_CERT_V00:
2460 case KEY_DSA_CERT:
2461 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
2462 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
2463 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 ||
2464 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
2465 goto out;
2466 break;
2467# ifdef OPENSSL_HAS_ECC
2468 case KEY_ECDSA_CERT:
2469 if ((ret = sshbuf_put_cstring(cert,
2470 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
2471 (ret = sshbuf_put_ec(cert,
2472 EC_KEY_get0_public_key(k->ecdsa),
2473 EC_KEY_get0_group(k->ecdsa))) != 0)
2474 goto out;
2475 break;
2476# endif /* OPENSSL_HAS_ECC */
2408 case KEY_DSA_CERT:
2409 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
2410 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
2411 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 ||
2412 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
2413 goto out;
2414 break;
2415# ifdef OPENSSL_HAS_ECC
2416 case KEY_ECDSA_CERT:
2417 if ((ret = sshbuf_put_cstring(cert,
2418 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
2419 (ret = sshbuf_put_ec(cert,
2420 EC_KEY_get0_public_key(k->ecdsa),
2421 EC_KEY_get0_group(k->ecdsa))) != 0)
2422 goto out;
2423 break;
2424# endif /* OPENSSL_HAS_ECC */
2477 case KEY_RSA_CERT_V00:
2478 case KEY_RSA_CERT:
2479 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
2480 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
2481 goto out;
2482 break;
2483#endif /* WITH_OPENSSL */
2484 case KEY_ED25519_CERT:
2485 if ((ret = sshbuf_put_string(cert,
2486 k->ed25519_pk, ED25519_PK_SZ)) != 0)
2487 goto out;
2488 break;
2489 default:
2490 ret = SSH_ERR_INVALID_ARGUMENT;
2491 goto out;
2492 }
2493
2425 case KEY_RSA_CERT:
2426 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
2427 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
2428 goto out;
2429 break;
2430#endif /* WITH_OPENSSL */
2431 case KEY_ED25519_CERT:
2432 if ((ret = sshbuf_put_string(cert,
2433 k->ed25519_pk, ED25519_PK_SZ)) != 0)
2434 goto out;
2435 break;
2436 default:
2437 ret = SSH_ERR_INVALID_ARGUMENT;
2438 goto out;
2439 }
2440
2494 /* -v01 certs have a serial number next */
2495 if (!sshkey_cert_is_legacy(k)) {
2496 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
2497 goto out;
2498 }
2499
2500 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2441 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2442 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2501 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2502 goto out;
2503
2504 if ((principals = sshbuf_new()) == NULL) {
2505 ret = SSH_ERR_ALLOC_FAIL;
2506 goto out;
2507 }
2508 for (i = 0; i < k->cert->nprincipals; i++) {
2509 if ((ret = sshbuf_put_cstring(principals,
2510 k->cert->principals[i])) != 0)
2511 goto out;
2512 }
2513 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2514 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2515 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
2443 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2444 goto out;
2445
2446 if ((principals = sshbuf_new()) == NULL) {
2447 ret = SSH_ERR_ALLOC_FAIL;
2448 goto out;
2449 }
2450 for (i = 0; i < k->cert->nprincipals; i++) {
2451 if ((ret = sshbuf_put_cstring(principals,
2452 k->cert->principals[i])) != 0)
2453 goto out;
2454 }
2455 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2456 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2457 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
2516 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0)
2517 goto out;
2518
2519 /* -v01 certs have non-critical options here */
2520 if (!sshkey_cert_is_legacy(k)) {
2521 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
2522 goto out;
2523 }
2524
2525 /* -v00 certs put the nonce at the end */
2526 if (sshkey_cert_is_legacy(k)) {
2527 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2528 goto out;
2529 }
2530
2531 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2458 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2459 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2460 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2532 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2533 goto out;
2534
2535 /* Sign the whole mess */
2536 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2537 sshbuf_len(cert), 0)) != 0)
2538 goto out;
2539

--- 83 unchanged lines hidden (view full) ---

2623 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 ||
2624 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
2625 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
2626 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
2627 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
2628 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2629 goto out;
2630 break;
2461 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2462 goto out;
2463
2464 /* Sign the whole mess */
2465 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2466 sshbuf_len(cert), 0)) != 0)
2467 goto out;
2468

--- 83 unchanged lines hidden (view full) ---

2552 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 ||
2553 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
2554 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
2555 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
2556 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
2557 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2558 goto out;
2559 break;
2631 case KEY_RSA_CERT_V00:
2632 case KEY_RSA_CERT:
2633 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2634 r = SSH_ERR_INVALID_ARGUMENT;
2635 goto out;
2636 }
2637 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2638 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
2639 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||

--- 4 unchanged lines hidden (view full) ---

2644 case KEY_DSA:
2645 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
2646 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
2647 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
2648 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 ||
2649 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2650 goto out;
2651 break;
2560 case KEY_RSA_CERT:
2561 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2562 r = SSH_ERR_INVALID_ARGUMENT;
2563 goto out;
2564 }
2565 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2566 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
2567 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||

--- 4 unchanged lines hidden (view full) ---

2572 case KEY_DSA:
2573 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
2574 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
2575 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
2576 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 ||
2577 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2578 goto out;
2579 break;
2652 case KEY_DSA_CERT_V00:
2653 case KEY_DSA_CERT:
2654 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2655 r = SSH_ERR_INVALID_ARGUMENT;
2656 goto out;
2657 }
2658 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2659 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2660 goto out;

--- 74 unchanged lines hidden (view full) ---

2735 }
2736 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 ||
2737 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 ||
2738 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 ||
2739 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 ||
2740 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2741 goto out;
2742 break;
2580 case KEY_DSA_CERT:
2581 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2582 r = SSH_ERR_INVALID_ARGUMENT;
2583 goto out;
2584 }
2585 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2586 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2587 goto out;

--- 74 unchanged lines hidden (view full) ---

2662 }
2663 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 ||
2664 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 ||
2665 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 ||
2666 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 ||
2667 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2668 goto out;
2669 break;
2743 case KEY_DSA_CERT_V00:
2744 case KEY_DSA_CERT:
2745 if ((r = sshkey_froms(buf, &k)) != 0 ||
2746 (r = sshkey_add_private(k)) != 0 ||
2747 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2748 goto out;
2749 break;
2750# ifdef OPENSSL_HAS_ECC
2751 case KEY_ECDSA:

--- 56 unchanged lines hidden (view full) ---

2808 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 ||
2809 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
2810 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
2811 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2812 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2813 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2814 goto out;
2815 break;
2670 case KEY_DSA_CERT:
2671 if ((r = sshkey_froms(buf, &k)) != 0 ||
2672 (r = sshkey_add_private(k)) != 0 ||
2673 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2674 goto out;
2675 break;
2676# ifdef OPENSSL_HAS_ECC
2677 case KEY_ECDSA:

--- 56 unchanged lines hidden (view full) ---

2734 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 ||
2735 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
2736 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
2737 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2738 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2739 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2740 goto out;
2741 break;
2816 case KEY_RSA_CERT_V00:
2817 case KEY_RSA_CERT:
2818 if ((r = sshkey_froms(buf, &k)) != 0 ||
2819 (r = sshkey_add_private(k)) != 0 ||
2820 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
2821 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
2822 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
2823 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
2824 (r = rsa_generate_additional_parameters(k->rsa)) != 0)

--- 33 unchanged lines hidden (view full) ---

2858 default:
2859 r = SSH_ERR_KEY_TYPE_UNKNOWN;
2860 goto out;
2861 }
2862#ifdef WITH_OPENSSL
2863 /* enable blinding */
2864 switch (k->type) {
2865 case KEY_RSA:
2742 case KEY_RSA_CERT:
2743 if ((r = sshkey_froms(buf, &k)) != 0 ||
2744 (r = sshkey_add_private(k)) != 0 ||
2745 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
2746 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
2747 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
2748 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
2749 (r = rsa_generate_additional_parameters(k->rsa)) != 0)
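Review bot: The four `sshbuf_get_bignum2` reads in the `KEY_RSA_CERT` case (new lines 2745–2748) have the closing parenthesis in the wrong place: `(r = sshbuf_get_bignum2(buf, k->rsa->d) != 0)` stores the result of the comparison in `r`, so a failed read leaves `r` equal to 1 instead of the error code the call returned. The branch still jumps to `out` on failure, but if `r` is what the function returns there (not visible in this hunk), a caller that inspects or logs the specific `SSH_ERR_*` value gets a meaningless code while parsing a private key blob. The commit carries these lines over unchanged from the old side; each should read like `(r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||`, as the plain `KEY_RSA` case just above already does. The enclosing function starts and ends outside this hunk.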

--- 33 unchanged lines hidden (view full) ---

2783 default:
2784 r = SSH_ERR_KEY_TYPE_UNKNOWN;
2785 goto out;
2786 }
2787#ifdef WITH_OPENSSL
2788 /* enable blinding */
2789 switch (k->type) {
2790 case KEY_RSA:
2866 case KEY_RSA_CERT_V00:
2867 case KEY_RSA_CERT:
2868 case KEY_RSA1:
2869 if (RSA_blinding_on(k->rsa, NULL) != 1) {
2870 r = SSH_ERR_LIBCRYPTO_ERROR;
2871 goto out;
2872 }
2873 break;
2874 }

--- 1098 unchanged lines hidden ---
2791 case KEY_RSA_CERT:
2792 case KEY_RSA1:
2793 if (RSA_blinding_on(k->rsa, NULL) != 1) {
2794 r = SSH_ERR_LIBCRYPTO_ERROR;
2795 goto out;
2796 }
2797 break;
2798 }

--- 1098 unchanged lines hidden ---