| sshkey.c (294336) | sshkey.c (294464) |
|---|---|
| 1/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */ | 1/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ |
| 2/* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: --- 96 unchanged lines hidden (view full) --- 106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 108 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 109# ifdef OPENSSL_HAS_NISTP521 110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 112# endif /* OPENSSL_HAS_NISTP521 */ 113# endif /* OPENSSL_HAS_ECC */ | 2/* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: --- 96 unchanged lines hidden (view full) --- 106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 108 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 109# ifdef OPENSSL_HAS_NISTP521 110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 112# endif /* OPENSSL_HAS_NISTP521 */ 113# endif /* OPENSSL_HAS_ECC */ |
| 114 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 115 KEY_RSA_CERT_V00, 0, 1 }, 116 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 117 KEY_DSA_CERT_V00, 0, 1 }, | |
| 118#endif /* WITH_OPENSSL */ 119 { NULL, NULL, -1, -1, 0 } 120}; 121 122const char * 123sshkey_type(const struct sshkey *k) 124{ 125 const struct keytype *kt; --- 141 unchanged lines hidden (view full) --- 267 268u_int 269sshkey_size(const struct sshkey *k) 270{ 271 switch (k->type) { 272#ifdef WITH_OPENSSL 273 case KEY_RSA1: 274 case KEY_RSA: | 114#endif /* WITH_OPENSSL */ 115 { NULL, NULL, -1, -1, 0 } 116}; 117 118const char * 119sshkey_type(const struct sshkey *k) 120{ 121 const struct keytype *kt; --- 141 unchanged lines hidden (view full) --- 263 264u_int 265sshkey_size(const struct sshkey *k) 266{ 267 switch (k->type) { 268#ifdef WITH_OPENSSL 269 case KEY_RSA1: 270 case KEY_RSA: |
| 275 case KEY_RSA_CERT_V00: | |
| 276 case KEY_RSA_CERT: 277 return BN_num_bits(k->rsa->n); 278 case KEY_DSA: | 271 case KEY_RSA_CERT: 272 return BN_num_bits(k->rsa->n); 273 case KEY_DSA: |
| 279 case KEY_DSA_CERT_V00: | |
| 280 case KEY_DSA_CERT: 281 return BN_num_bits(k->dsa->p); 282 case KEY_ECDSA: 283 case KEY_ECDSA_CERT: 284 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 285#endif /* WITH_OPENSSL */ 286 case KEY_ED25519: 287 case KEY_ED25519_CERT: 288 return 256; /* XXX */ 289 } 290 return 0; 291} 292 | 274 case KEY_DSA_CERT: 275 return BN_num_bits(k->dsa->p); 276 case KEY_ECDSA: 277 case KEY_ECDSA_CERT: 278 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 279#endif /* WITH_OPENSSL */ 280 case KEY_ED25519: 281 case KEY_ED25519_CERT: 282 return 256; /* XXX */ 283 } 284 return 0; 285} 286 |
| 293int 294sshkey_cert_is_legacy(const struct sshkey *k) 295{ 296 switch (k->type) { 297 case KEY_DSA_CERT_V00: 298 case KEY_RSA_CERT_V00: 299 return 1; 300 default: 301 return 0; 302 } 303} 304 | |
| 305static int 306sshkey_type_is_valid_ca(int type) 307{ 308 switch (type) { 309 case KEY_RSA: 310 case KEY_DSA: 311 case KEY_ECDSA: 312 case KEY_ED25519: --- 11 unchanged lines hidden (view full) --- 324 return sshkey_type_is_cert(k->type); 325} 326 327/* Return the cert-less equivalent to a certified key type */ 328int 329sshkey_type_plain(int type) 330{ 331 switch (type) { | 287static int 288sshkey_type_is_valid_ca(int type) 289{ 290 switch (type) { 291 case KEY_RSA: 292 case KEY_DSA: 293 case KEY_ECDSA: 294 case KEY_ED25519: --- 11 unchanged lines hidden (view full) --- 306 return sshkey_type_is_cert(k->type); 307} 308 309/* Return the cert-less equivalent to a certified key type */ 310int 311sshkey_type_plain(int type) 312{ 313 switch (type) { |
| 332 case KEY_RSA_CERT_V00: | |
| 333 case KEY_RSA_CERT: 334 return KEY_RSA; | 314 case KEY_RSA_CERT: 315 return KEY_RSA; |
| 335 case KEY_DSA_CERT_V00: | |
| 336 case KEY_DSA_CERT: 337 return KEY_DSA; 338 case KEY_ECDSA_CERT: 339 return KEY_ECDSA; 340 case KEY_ED25519_CERT: 341 return KEY_ED25519; 342 default: 343 return type; --- 148 unchanged lines hidden (view full) --- 492 k->rsa = NULL; 493 k->cert = NULL; 494 k->ed25519_sk = NULL; 495 k->ed25519_pk = NULL; 496 switch (k->type) { 497#ifdef WITH_OPENSSL 498 case KEY_RSA1: 499 case KEY_RSA: | 316 case KEY_DSA_CERT: 317 return KEY_DSA; 318 case KEY_ECDSA_CERT: 319 return KEY_ECDSA; 320 case KEY_ED25519_CERT: 321 return KEY_ED25519; 322 default: 323 return type; --- 148 unchanged lines hidden (view full) --- 472 k->rsa = NULL; 473 k->cert = NULL; 474 k->ed25519_sk = NULL; 475 k->ed25519_pk = NULL; 476 switch (k->type) { 477#ifdef WITH_OPENSSL 478 case KEY_RSA1: 479 case KEY_RSA: |
| 500 case KEY_RSA_CERT_V00: | |
| 501 case KEY_RSA_CERT: 502 if ((rsa = RSA_new()) == NULL || 503 (rsa->n = BN_new()) == NULL || 504 (rsa->e = BN_new()) == NULL) { 505 if (rsa != NULL) 506 RSA_free(rsa); 507 free(k); 508 return NULL; 509 } 510 k->rsa = rsa; 511 break; 512 case KEY_DSA: | 480 case KEY_RSA_CERT: 481 if ((rsa = RSA_new()) == NULL || 482 (rsa->n = BN_new()) == NULL || 483 (rsa->e = BN_new()) == NULL) { 484 if (rsa != NULL) 485 RSA_free(rsa); 486 free(k); 487 return NULL; 488 } 489 k->rsa = rsa; 490 break; 491 case KEY_DSA: |
| 513 case KEY_DSA_CERT_V00: | |
| 514 case KEY_DSA_CERT: 515 if ((dsa = DSA_new()) == NULL || 516 (dsa->p = BN_new()) == NULL || 517 (dsa->q = BN_new()) == NULL || 518 (dsa->g = BN_new()) == NULL || 519 (dsa->pub_key = BN_new()) == NULL) { 520 if (dsa != NULL) 521 DSA_free(dsa); --- 31 unchanged lines hidden (view full) --- 553 554int 555sshkey_add_private(struct sshkey *k) 556{ 557 switch (k->type) { 558#ifdef WITH_OPENSSL 559 case KEY_RSA1: 560 case KEY_RSA: | 492 case KEY_DSA_CERT: 493 if ((dsa = DSA_new()) == NULL || 494 (dsa->p = BN_new()) == NULL || 495 (dsa->q = BN_new()) == NULL || 496 (dsa->g = BN_new()) == NULL || 497 (dsa->pub_key = BN_new()) == NULL) { 498 if (dsa != NULL) 499 DSA_free(dsa); --- 31 unchanged lines hidden (view full) --- 531 532int 533sshkey_add_private(struct sshkey *k) 534{ 535 switch (k->type) { 536#ifdef WITH_OPENSSL 537 case KEY_RSA1: 538 case KEY_RSA: |
| 561 case KEY_RSA_CERT_V00: | |
| 562 case KEY_RSA_CERT: 563#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 564 if (bn_maybe_alloc_failed(k->rsa->d) || 565 bn_maybe_alloc_failed(k->rsa->iqmp) || 566 bn_maybe_alloc_failed(k->rsa->q) || 567 bn_maybe_alloc_failed(k->rsa->p) || 568 bn_maybe_alloc_failed(k->rsa->dmq1) || 569 bn_maybe_alloc_failed(k->rsa->dmp1)) 570 return SSH_ERR_ALLOC_FAIL; 571 break; 572 case KEY_DSA: | 539 case KEY_RSA_CERT: 540#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 541 if (bn_maybe_alloc_failed(k->rsa->d) || 542 bn_maybe_alloc_failed(k->rsa->iqmp) || 543 bn_maybe_alloc_failed(k->rsa->q) || 544 bn_maybe_alloc_failed(k->rsa->p) || 545 bn_maybe_alloc_failed(k->rsa->dmq1) || 546 bn_maybe_alloc_failed(k->rsa->dmp1)) 547 return SSH_ERR_ALLOC_FAIL; 548 break; 549 case KEY_DSA: |
| 573 case KEY_DSA_CERT_V00: | |
| 574 case KEY_DSA_CERT: 575 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 576 return SSH_ERR_ALLOC_FAIL; 577 break; 578#undef bn_maybe_alloc_failed 579 case KEY_ECDSA: 580 case KEY_ECDSA_CERT: 581 /* Cannot do anything until we know the group */ --- 29 unchanged lines hidden (view full) --- 611sshkey_free(struct sshkey *k) 612{ 613 if (k == NULL) 614 return; 615 switch (k->type) { 616#ifdef WITH_OPENSSL 617 case KEY_RSA1: 618 case KEY_RSA: | 550 case KEY_DSA_CERT: 551 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 552 return SSH_ERR_ALLOC_FAIL; 553 break; 554#undef bn_maybe_alloc_failed 555 case KEY_ECDSA: 556 case KEY_ECDSA_CERT: 557 /* Cannot do anything until we know the group */ --- 29 unchanged lines hidden (view full) --- 587sshkey_free(struct sshkey *k) 588{ 589 if (k == NULL) 590 return; 591 switch (k->type) { 592#ifdef WITH_OPENSSL 593 case KEY_RSA1: 594 case KEY_RSA: |
| 619 case KEY_RSA_CERT_V00: | |
| 620 case KEY_RSA_CERT: 621 if (k->rsa != NULL) 622 RSA_free(k->rsa); 623 k->rsa = NULL; 624 break; 625 case KEY_DSA: | 595 case KEY_RSA_CERT: 596 if (k->rsa != NULL) 597 RSA_free(k->rsa); 598 k->rsa = NULL; 599 break; 600 case KEY_DSA: |
| 626 case KEY_DSA_CERT_V00: | |
| 627 case KEY_DSA_CERT: 628 if (k->dsa != NULL) 629 DSA_free(k->dsa); 630 k->dsa = NULL; 631 break; 632# ifdef OPENSSL_HAS_ECC 633 case KEY_ECDSA: 634 case KEY_ECDSA_CERT: --- 55 unchanged lines hidden (view full) --- 690 691 if (a == NULL || b == NULL || 692 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 693 return 0; 694 695 switch (a->type) { 696#ifdef WITH_OPENSSL 697 case KEY_RSA1: | 601 case KEY_DSA_CERT: 602 if (k->dsa != NULL) 603 DSA_free(k->dsa); 604 k->dsa = NULL; 605 break; 606# ifdef OPENSSL_HAS_ECC 607 case KEY_ECDSA: 608 case KEY_ECDSA_CERT: --- 55 unchanged lines hidden (view full) --- 664 665 if (a == NULL || b == NULL || 666 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 667 return 0; 668 669 switch (a->type) { 670#ifdef WITH_OPENSSL 671 case KEY_RSA1: |
| 698 case KEY_RSA_CERT_V00: | |
| 699 case KEY_RSA_CERT: 700 case KEY_RSA: 701 return a->rsa != NULL && b->rsa != NULL && 702 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 703 BN_cmp(a->rsa->n, b->rsa->n) == 0; | 672 case KEY_RSA_CERT: 673 case KEY_RSA: 674 return a->rsa != NULL && b->rsa != NULL && 675 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 676 BN_cmp(a->rsa->n, b->rsa->n) == 0; |
| 704 case KEY_DSA_CERT_V00: | |
| 705 case KEY_DSA_CERT: 706 case KEY_DSA: 707 return a->dsa != NULL && b->dsa != NULL && 708 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 709 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 710 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 711 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 712# ifdef OPENSSL_HAS_ECC --- 54 unchanged lines hidden (view full) --- 767 if (sshbuf_len(key->cert->certblob) == 0) 768 return SSH_ERR_KEY_LACKS_CERTBLOB; 769 } 770 type = force_plain ? sshkey_type_plain(key->type) : key->type; 771 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 772 773 switch (type) { 774#ifdef WITH_OPENSSL | 677 case KEY_DSA_CERT: 678 case KEY_DSA: 679 return a->dsa != NULL && b->dsa != NULL && 680 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 681 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 682 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 683 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 684# ifdef OPENSSL_HAS_ECC --- 54 unchanged lines hidden (view full) --- 739 if (sshbuf_len(key->cert->certblob) == 0) 740 return SSH_ERR_KEY_LACKS_CERTBLOB; 741 } 742 type = force_plain ? sshkey_type_plain(key->type) : key->type; 743 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 744 745 switch (type) { 746#ifdef WITH_OPENSSL |
| 775 case KEY_DSA_CERT_V00: 776 case KEY_RSA_CERT_V00: | |
| 777 case KEY_DSA_CERT: 778 case KEY_ECDSA_CERT: 779 case KEY_RSA_CERT: 780#endif /* WITH_OPENSSL */ 781 case KEY_ED25519_CERT: 782 /* Use the existing blob */ 783 /* XXX modified flag? */ 784 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) --- 507 unchanged lines hidden (view full) --- 1292 retval = 0; 1293#endif /* WITH_SSH1 */ 1294 break; 1295 case KEY_UNSPEC: 1296 case KEY_RSA: 1297 case KEY_DSA: 1298 case KEY_ECDSA: 1299 case KEY_ED25519: | 747 case KEY_DSA_CERT: 748 case KEY_ECDSA_CERT: 749 case KEY_RSA_CERT: 750#endif /* WITH_OPENSSL */ 751 case KEY_ED25519_CERT: 752 /* Use the existing blob */ 753 /* XXX modified flag? */ 754 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) --- 507 unchanged lines hidden (view full) --- 1262 retval = 0; 1263#endif /* WITH_SSH1 */ 1264 break; 1265 case KEY_UNSPEC: 1266 case KEY_RSA: 1267 case KEY_DSA: 1268 case KEY_ECDSA: 1269 case KEY_ED25519: |
| 1300 case KEY_DSA_CERT_V00: 1301 case KEY_RSA_CERT_V00: | |
| 1302 case KEY_DSA_CERT: 1303 case KEY_ECDSA_CERT: 1304 case KEY_RSA_CERT: 1305 case KEY_ED25519_CERT: 1306 space = strchr(cp, ' '); 1307 if (space == NULL) 1308 return SSH_ERR_INVALID_FORMAT; 1309 *space = '\0'; --- 482 unchanged lines hidden (view full) --- 1792 int ret = SSH_ERR_INTERNAL_ERROR; 1793 1794 if (pkp != NULL) 1795 *pkp = NULL; 1796 1797 switch (k->type) { 1798#ifdef WITH_OPENSSL 1799 case KEY_DSA: | 1270 case KEY_DSA_CERT: 1271 case KEY_ECDSA_CERT: 1272 case KEY_RSA_CERT: 1273 case KEY_ED25519_CERT: 1274 space = strchr(cp, ' '); 1275 if (space == NULL) 1276 return SSH_ERR_INVALID_FORMAT; 1277 *space = '\0'; --- 482 unchanged lines hidden (view full) --- 1760 int ret = SSH_ERR_INTERNAL_ERROR; 1761 1762 if (pkp != NULL) 1763 *pkp = NULL; 1764 1765 switch (k->type) { 1766#ifdef WITH_OPENSSL 1767 case KEY_DSA: |
| 1800 case KEY_DSA_CERT_V00: | |
| 1801 case KEY_DSA_CERT: 1802 if ((n = sshkey_new(k->type)) == NULL) 1803 return SSH_ERR_ALLOC_FAIL; 1804 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1805 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1806 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1807 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1808 sshkey_free(n); --- 15 unchanged lines hidden (view full) --- 1824 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1825 sshkey_free(n); 1826 return SSH_ERR_LIBCRYPTO_ERROR; 1827 } 1828 break; 1829# endif /* OPENSSL_HAS_ECC */ 1830 case KEY_RSA: 1831 case KEY_RSA1: | 1768 case KEY_DSA_CERT: 1769 if ((n = sshkey_new(k->type)) == NULL) 1770 return SSH_ERR_ALLOC_FAIL; 1771 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1772 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1773 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1774 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1775 sshkey_free(n); --- 15 unchanged lines hidden (view full) --- 1791 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1792 sshkey_free(n); 1793 return SSH_ERR_LIBCRYPTO_ERROR; 1794 } 1795 break; 1796# endif /* OPENSSL_HAS_ECC */ 1797 case KEY_RSA: 1798 case KEY_RSA1: |
| 1832 case KEY_RSA_CERT_V00: | |
| 1833 case KEY_RSA_CERT: 1834 if ((n = sshkey_new(k->type)) == NULL) 1835 return SSH_ERR_ALLOC_FAIL; 1836 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1837 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1838 sshkey_free(n); 1839 return SSH_ERR_ALLOC_FAIL; 1840 } --- 27 unchanged lines hidden (view full) --- 1868static int 1869cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1870{ 1871 struct sshbuf *principals = NULL, *crit = NULL; 1872 struct sshbuf *exts = NULL, *ca = NULL; 1873 u_char *sig = NULL; 1874 size_t signed_len = 0, slen = 0, kidlen = 0; 1875 int ret = SSH_ERR_INTERNAL_ERROR; | 1799 case KEY_RSA_CERT: 1800 if ((n = sshkey_new(k->type)) == NULL) 1801 return SSH_ERR_ALLOC_FAIL; 1802 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1803 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1804 sshkey_free(n); 1805 return SSH_ERR_ALLOC_FAIL; 1806 } --- 27 unchanged lines hidden (view full) --- 1834static int 1835cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1836{ 1837 struct sshbuf *principals = NULL, *crit = NULL; 1838 struct sshbuf *exts = NULL, *ca = NULL; 1839 u_char *sig = NULL; 1840 size_t signed_len = 0, slen = 0, kidlen = 0; 1841 int ret = SSH_ERR_INTERNAL_ERROR; |
| 1876 int v00 = sshkey_cert_is_legacy(key); | |
| 1877 1878 /* Copy the entire key blob for verification and later serialisation */ 1879 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1880 return ret; 1881 | 1842 1843 /* Copy the entire key blob for verification and later serialisation */ 1844 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1845 return ret; 1846 |
| 1882 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || | 1847 /* Parse body of certificate up to signature */ 1848 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || |
| 1883 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1884 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1885 (ret = sshbuf_froms(b, &principals)) != 0 || 1886 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1887 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1888 (ret = sshbuf_froms(b, &crit)) != 0 || | 1849 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1850 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1851 (ret = sshbuf_froms(b, &principals)) != 0 || 1852 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1853 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1854 (ret = sshbuf_froms(b, &crit)) != 0 || |
| 1889 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1890 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || | 1855 (ret = sshbuf_froms(b, &exts)) != 0 || |
| 1891 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1892 (ret = sshbuf_froms(b, &ca)) != 0) { 1893 /* XXX debug print error for ret */ 1894 ret = SSH_ERR_INVALID_FORMAT; 1895 goto out; 1896 } 1897 1898 /* Signature is left in the buffer so we can calculate this length */ --- 20 unchanged lines hidden (view full) --- 1919 goto out; 1920 } 1921 if ((ret = sshbuf_get_cstring(principals, &principal, 1922 NULL)) != 0) { 1923 ret = SSH_ERR_INVALID_FORMAT; 1924 goto out; 1925 } 1926 oprincipals = key->cert->principals; | 1856 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1857 (ret = sshbuf_froms(b, &ca)) != 0) { 1858 /* XXX debug print error for ret */ 1859 ret = SSH_ERR_INVALID_FORMAT; 1860 goto out; 1861 } 1862 1863 /* Signature is left in the buffer so we can calculate this length */ --- 20 unchanged lines hidden (view full) --- 1884 goto out; 1885 } 1886 if ((ret = sshbuf_get_cstring(principals, &principal, 1887 NULL)) != 0) { 1888 ret = SSH_ERR_INVALID_FORMAT; 1889 goto out; 1890 } 1891 oprincipals = key->cert->principals; |
| 1927 key->cert->principals = realloc(key->cert->principals, 1928 (key->cert->nprincipals + 1) * 1929 sizeof(*key->cert->principals)); | 1892 key->cert->principals = reallocarray(key->cert->principals, 1893 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); |
| 1930 if (key->cert->principals == NULL) { 1931 free(principal); 1932 key->cert->principals = oprincipals; 1933 ret = SSH_ERR_ALLOC_FAIL; 1934 goto out; 1935 } 1936 key->cert->principals[key->cert->nprincipals++] = principal; 1937 } --- 4 unchanged lines hidden (view full) --- 1942 */ 1943 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1944 (exts != NULL && 1945 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1946 goto out; 1947 1948 /* 1949 * Validate critical options and extensions sections format. | 1894 if (key->cert->principals == NULL) { 1895 free(principal); 1896 key->cert->principals = oprincipals; 1897 ret = SSH_ERR_ALLOC_FAIL; 1898 goto out; 1899 } 1900 key->cert->principals[key->cert->nprincipals++] = principal; 1901 } --- 4 unchanged lines hidden (view full) --- 1906 */ 1907 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1908 (exts != NULL && 1909 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1910 goto out; 1911 1912 /* 1913 * Validate critical options and extensions sections format. |
| 1950 * NB. extensions are not present in v00 certs. | |
| 1951 */ 1952 while (sshbuf_len(crit) != 0) { 1953 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1954 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1955 sshbuf_reset(key->cert->critical); 1956 ret = SSH_ERR_INVALID_FORMAT; 1957 goto out; 1958 } --- 68 unchanged lines hidden (view full) --- 2027 case KEY_RSA_CERT: 2028 /* Skip nonce */ 2029 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2030 ret = SSH_ERR_INVALID_FORMAT; 2031 goto out; 2032 } 2033 /* FALLTHROUGH */ 2034 case KEY_RSA: | 1914 */ 1915 while (sshbuf_len(crit) != 0) { 1916 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1917 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1918 sshbuf_reset(key->cert->critical); 1919 ret = SSH_ERR_INVALID_FORMAT; 1920 goto out; 1921 } --- 68 unchanged lines hidden (view full) --- 1990 case KEY_RSA_CERT: 1991 /* Skip nonce */ 1992 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1993 ret = SSH_ERR_INVALID_FORMAT; 1994 goto out; 1995 } 1996 /* FALLTHROUGH */ 1997 case KEY_RSA: |
| 2035 case KEY_RSA_CERT_V00: | |
| 2036 if ((key = sshkey_new(type)) == NULL) { 2037 ret = SSH_ERR_ALLOC_FAIL; 2038 goto out; 2039 } 2040 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 2041 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 2042 ret = SSH_ERR_INVALID_FORMAT; 2043 goto out; --- 5 unchanged lines hidden (view full) --- 2049 case KEY_DSA_CERT: 2050 /* Skip nonce */ 2051 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2052 ret = SSH_ERR_INVALID_FORMAT; 2053 goto out; 2054 } 2055 /* FALLTHROUGH */ 2056 case KEY_DSA: | 1998 if ((key = sshkey_new(type)) == NULL) { 1999 ret = SSH_ERR_ALLOC_FAIL; 2000 goto out; 2001 } 2002 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 2003 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 2004 ret = SSH_ERR_INVALID_FORMAT; 2005 goto out; --- 5 unchanged lines hidden (view full) --- 2011 case KEY_DSA_CERT: 2012 /* Skip nonce */ 2013 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2014 ret = SSH_ERR_INVALID_FORMAT; 2015 goto out; 2016 } 2017 /* FALLTHROUGH */ 2018 case KEY_DSA: |
| 2057 case KEY_DSA_CERT_V00: | |
| 2058 if ((key = sshkey_new(type)) == NULL) { 2059 ret = SSH_ERR_ALLOC_FAIL; 2060 goto out; 2061 } 2062 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 2063 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 2064 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 2065 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { --- 153 unchanged lines hidden (view full) --- 2219 if (sigp != NULL) 2220 *sigp = NULL; 2221 if (lenp != NULL) 2222 *lenp = 0; 2223 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2224 return SSH_ERR_INVALID_ARGUMENT; 2225 switch (key->type) { 2226#ifdef WITH_OPENSSL | 2019 if ((key = sshkey_new(type)) == NULL) { 2020 ret = SSH_ERR_ALLOC_FAIL; 2021 goto out; 2022 } 2023 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 2024 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 2025 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 2026 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { --- 153 unchanged lines hidden (view full) --- 2180 if (sigp != NULL) 2181 *sigp = NULL; 2182 if (lenp != NULL) 2183 *lenp = 0; 2184 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2185 return SSH_ERR_INVALID_ARGUMENT; 2186 switch (key->type) { 2187#ifdef WITH_OPENSSL |
| 2227 case KEY_DSA_CERT_V00: | |
| 2228 case KEY_DSA_CERT: 2229 case KEY_DSA: 2230 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2231# ifdef OPENSSL_HAS_ECC 2232 case KEY_ECDSA_CERT: 2233 case KEY_ECDSA: 2234 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2235# endif /* OPENSSL_HAS_ECC */ | 2188 case KEY_DSA_CERT: 2189 case KEY_DSA: 2190 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2191# ifdef OPENSSL_HAS_ECC 2192 case KEY_ECDSA_CERT: 2193 case KEY_ECDSA: 2194 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2195# endif /* OPENSSL_HAS_ECC */ |
| 2236 case KEY_RSA_CERT_V00: | |
| 2237 case KEY_RSA_CERT: 2238 case KEY_RSA: 2239 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2240#endif /* WITH_OPENSSL */ 2241 case KEY_ED25519: 2242 case KEY_ED25519_CERT: 2243 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2244 default: --- 8 unchanged lines hidden (view full) --- 2253sshkey_verify(const struct sshkey *key, 2254 const u_char *sig, size_t siglen, 2255 const u_char *data, size_t dlen, u_int compat) 2256{ 2257 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2258 return SSH_ERR_INVALID_ARGUMENT; 2259 switch (key->type) { 2260#ifdef WITH_OPENSSL | 2196 case KEY_RSA_CERT: 2197 case KEY_RSA: 2198 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2199#endif /* WITH_OPENSSL */ 2200 case KEY_ED25519: 2201 case KEY_ED25519_CERT: 2202 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2203 default: --- 8 unchanged lines hidden (view full) --- 2212sshkey_verify(const struct sshkey *key, 2213 const u_char *sig, size_t siglen, 2214 const u_char *data, size_t dlen, u_int compat) 2215{ 2216 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2217 return SSH_ERR_INVALID_ARGUMENT; 2218 switch (key->type) { 2219#ifdef WITH_OPENSSL |
| 2261 case KEY_DSA_CERT_V00: | |
| 2262 case KEY_DSA_CERT: 2263 case KEY_DSA: 2264 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2265# ifdef OPENSSL_HAS_ECC 2266 case KEY_ECDSA_CERT: 2267 case KEY_ECDSA: 2268 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2269# endif /* OPENSSL_HAS_ECC */ | 2220 case KEY_DSA_CERT: 2221 case KEY_DSA: 2222 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2223# ifdef OPENSSL_HAS_ECC 2224 case KEY_ECDSA_CERT: 2225 case KEY_ECDSA: 2226 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2227# endif /* OPENSSL_HAS_ECC */ |
| 2270 case KEY_RSA_CERT_V00: | |
| 2271 case KEY_RSA_CERT: 2272 case KEY_RSA: 2273 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2274#endif /* WITH_OPENSSL */ 2275 case KEY_ED25519: 2276 case KEY_ED25519_CERT: 2277 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2278 default: --- 19 unchanged lines hidden (view full) --- 2298 pk->dsa = NULL; 2299 pk->ecdsa = NULL; 2300 pk->rsa = NULL; 2301 pk->ed25519_pk = NULL; 2302 pk->ed25519_sk = NULL; 2303 2304 switch (k->type) { 2305#ifdef WITH_OPENSSL | 2228 case KEY_RSA_CERT: 2229 case KEY_RSA: 2230 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2231#endif /* WITH_OPENSSL */ 2232 case KEY_ED25519: 2233 case KEY_ED25519_CERT: 2234 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2235 default: --- 19 unchanged lines hidden (view full) --- 2255 pk->dsa = NULL; 2256 pk->ecdsa = NULL; 2257 pk->rsa = NULL; 2258 pk->ed25519_pk = NULL; 2259 pk->ed25519_sk = NULL; 2260 2261 switch (k->type) { 2262#ifdef WITH_OPENSSL |
| 2306 case KEY_RSA_CERT_V00: | |
| 2307 case KEY_RSA_CERT: 2308 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2309 goto fail; 2310 /* FALLTHROUGH */ 2311 case KEY_RSA1: 2312 case KEY_RSA: 2313 if ((pk->rsa = RSA_new()) == NULL || 2314 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2315 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2316 ret = SSH_ERR_ALLOC_FAIL; 2317 goto fail; 2318 } 2319 break; | 2263 case KEY_RSA_CERT: 2264 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2265 goto fail; 2266 /* FALLTHROUGH */ 2267 case KEY_RSA1: 2268 case KEY_RSA: 2269 if ((pk->rsa = RSA_new()) == NULL || 2270 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2271 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2272 ret = SSH_ERR_ALLOC_FAIL; 2273 goto fail; 2274 } 2275 break; |
| 2320 case KEY_DSA_CERT_V00: | |
| 2321 case KEY_DSA_CERT: 2322 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2323 goto fail; 2324 /* FALLTHROUGH */ 2325 case KEY_DSA: 2326 if ((pk->dsa = DSA_new()) == NULL || 2327 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2328 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || --- 42 unchanged lines hidden (view full) --- 2371 return ret; 2372 } 2373 *dkp = pk; 2374 return 0; 2375} 2376 2377/* Convert a plain key to their _CERT equivalent */ 2378int | 2276 case KEY_DSA_CERT: 2277 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2278 goto fail; 2279 /* FALLTHROUGH */ 2280 case KEY_DSA: 2281 if ((pk->dsa = DSA_new()) == NULL || 2282 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2283 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || --- 42 unchanged lines hidden (view full) --- 2326 return ret; 2327 } 2328 *dkp = pk; 2329 return 0; 2330} 2331 2332/* Convert a plain key to their _CERT equivalent */ 2333int |
| 2379sshkey_to_certified(struct sshkey *k, int legacy) | 2334sshkey_to_certified(struct sshkey *k) |
| 2380{ 2381 int newtype; 2382 2383 switch (k->type) { 2384#ifdef WITH_OPENSSL 2385 case KEY_RSA: | 2335{ 2336 int newtype; 2337 2338 switch (k->type) { 2339#ifdef WITH_OPENSSL 2340 case KEY_RSA: |
| 2386 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; | 2341 newtype = KEY_RSA_CERT; |
| 2387 break; 2388 case KEY_DSA: | 2342 break; 2343 case KEY_DSA: |
| 2389 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; | 2344 newtype = KEY_DSA_CERT; |
| 2390 break; 2391 case KEY_ECDSA: | 2345 break; 2346 case KEY_ECDSA: |
| 2392 if (legacy) 2393 return SSH_ERR_INVALID_ARGUMENT; | |
| 2394 newtype = KEY_ECDSA_CERT; 2395 break; 2396#endif /* WITH_OPENSSL */ 2397 case KEY_ED25519: | 2347 newtype = KEY_ECDSA_CERT; 2348 break; 2349#endif /* WITH_OPENSSL */ 2350 case KEY_ED25519: |
| 2398 if (legacy) 2399 return SSH_ERR_INVALID_ARGUMENT; | |
| 2400 newtype = KEY_ED25519_CERT; 2401 break; 2402 default: 2403 return SSH_ERR_INVALID_ARGUMENT; 2404 } 2405 if ((k->cert = cert_new()) == NULL) 2406 return SSH_ERR_ALLOC_FAIL; 2407 k->type = newtype; --- 35 unchanged lines hidden (view full) --- 2443 2444 cert = k->cert->certblob; /* for readability */ 2445 sshbuf_reset(cert); 2446 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2447 goto out; 2448 2449 /* -v01 certs put nonce first */ 2450 arc4random_buf(&nonce, sizeof(nonce)); | 2351 newtype = KEY_ED25519_CERT; 2352 break; 2353 default: 2354 return SSH_ERR_INVALID_ARGUMENT; 2355 } 2356 if ((k->cert = cert_new()) == NULL) 2357 return SSH_ERR_ALLOC_FAIL; 2358 k->type = newtype; --- 35 unchanged lines hidden (view full) --- 2394 2395 cert = k->cert->certblob; /* for readability */ 2396 sshbuf_reset(cert); 2397 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2398 goto out; 2399 2400 /* -v01 certs put nonce first */ 2401 arc4random_buf(&nonce, sizeof(nonce)); |
| 2451 if (!sshkey_cert_is_legacy(k)) { 2452 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2453 goto out; 2454 } | 2402 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2403 goto out; |
| 2455 2456 /* XXX this substantially duplicates to_blob(); refactor */ 2457 switch (k->type) { 2458#ifdef WITH_OPENSSL | 2404 2405 /* XXX this substantially duplicates to_blob(); refactor */ 2406 switch (k->type) { 2407#ifdef WITH_OPENSSL |
| 2459 case KEY_DSA_CERT_V00: | |
| 2460 case KEY_DSA_CERT: 2461 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2462 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2463 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2464 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2465 goto out; 2466 break; 2467# ifdef OPENSSL_HAS_ECC 2468 case KEY_ECDSA_CERT: 2469 if ((ret = sshbuf_put_cstring(cert, 2470 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2471 (ret = sshbuf_put_ec(cert, 2472 EC_KEY_get0_public_key(k->ecdsa), 2473 EC_KEY_get0_group(k->ecdsa))) != 0) 2474 goto out; 2475 break; 2476# endif /* OPENSSL_HAS_ECC */ | 2408 case KEY_DSA_CERT: 2409 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2410 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2411 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2412 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2413 goto out; 2414 break; 2415# ifdef OPENSSL_HAS_ECC 2416 case KEY_ECDSA_CERT: 2417 if ((ret = sshbuf_put_cstring(cert, 2418 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2419 (ret = sshbuf_put_ec(cert, 2420 EC_KEY_get0_public_key(k->ecdsa), 2421 EC_KEY_get0_group(k->ecdsa))) != 0) 2422 goto out; 2423 break; 2424# endif /* OPENSSL_HAS_ECC */ |
| 2477 case KEY_RSA_CERT_V00: | |
| 2478 case KEY_RSA_CERT: 2479 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2480 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2481 goto out; 2482 break; 2483#endif /* WITH_OPENSSL */ 2484 case KEY_ED25519_CERT: 2485 if ((ret = sshbuf_put_string(cert, 2486 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2487 goto out; 2488 break; 2489 default: 2490 ret = SSH_ERR_INVALID_ARGUMENT; 2491 goto out; 2492 } 2493 | 2425 case KEY_RSA_CERT: 2426 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2427 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2428 goto out; 2429 break; 2430#endif /* WITH_OPENSSL */ 2431 case KEY_ED25519_CERT: 2432 if ((ret = sshbuf_put_string(cert, 2433 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2434 goto out; 2435 break; 2436 default: 2437 ret = SSH_ERR_INVALID_ARGUMENT; 2438 goto out; 2439 } 2440 |
| 2494 /* -v01 certs have a serial number next */ 2495 if (!sshkey_cert_is_legacy(k)) { 2496 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) 2497 goto out; 2498 } 2499 2500 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || | 2441 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2442 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || |
| 2501 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2502 goto out; 2503 2504 if ((principals = sshbuf_new()) == NULL) { 2505 ret = SSH_ERR_ALLOC_FAIL; 2506 goto out; 2507 } 2508 for (i = 0; i < k->cert->nprincipals; i++) { 2509 if ((ret = sshbuf_put_cstring(principals, 2510 k->cert->principals[i])) != 0) 2511 goto out; 2512 } 2513 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2514 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2515 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || | 2443 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2444 goto out; 2445 2446 if ((principals = sshbuf_new()) == NULL) { 2447 ret = SSH_ERR_ALLOC_FAIL; 2448 goto out; 2449 } 2450 for (i = 0; i < k->cert->nprincipals; i++) { 2451 if ((ret = sshbuf_put_cstring(principals, 2452 k->cert->principals[i])) != 0) 2453 goto out; 2454 } 2455 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2456 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2457 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || |
| 2516 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2517 goto out; 2518 2519 /* -v01 certs have non-critical options here */ 2520 if (!sshkey_cert_is_legacy(k)) { 2521 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) 2522 goto out; 2523 } 2524 2525 /* -v00 certs put the nonce at the end */ 2526 if (sshkey_cert_is_legacy(k)) { 2527 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2528 goto out; 2529 } 2530 2531 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ | 2458 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2459 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2460 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ |
| 2532 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2533 goto out; 2534 2535 /* Sign the whole mess */ 2536 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2537 sshbuf_len(cert), 0)) != 0) 2538 goto out; 2539 --- 83 unchanged lines hidden (view full) --- 2623 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2624 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2625 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2626 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2627 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2628 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2629 goto out; 2630 break; | 2461 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2462 goto out; 2463 2464 /* Sign the whole mess */ 2465 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2466 sshbuf_len(cert), 0)) != 0) 2467 goto out; 2468 --- 83 unchanged lines hidden (view full) --- 2552 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2553 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2554 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2555 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2556 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2557 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2558 goto out; 2559 break; |
| 2631 case KEY_RSA_CERT_V00: | |
| 2632 case KEY_RSA_CERT: 2633 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2634 r = SSH_ERR_INVALID_ARGUMENT; 2635 goto out; 2636 } 2637 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2638 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2639 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || --- 4 unchanged lines hidden (view full) --- 2644 case KEY_DSA: 2645 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2646 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2647 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2648 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2649 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2650 goto out; 2651 break; | 2560 case KEY_RSA_CERT: 2561 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2562 r = SSH_ERR_INVALID_ARGUMENT; 2563 goto out; 2564 } 2565 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2566 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2567 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || --- 4 unchanged lines hidden (view full) --- 2572 case KEY_DSA: 2573 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2574 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2575 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2576 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2577 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2578 goto out; 2579 break; |
| 2652 case KEY_DSA_CERT_V00: | |
| 2653 case KEY_DSA_CERT: 2654 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2655 r = SSH_ERR_INVALID_ARGUMENT; 2656 goto out; 2657 } 2658 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2659 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2660 goto out; --- 74 unchanged lines hidden (view full) --- 2735 } 2736 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2737 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2738 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2739 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2740 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2741 goto out; 2742 break; | 2580 case KEY_DSA_CERT: 2581 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2582 r = SSH_ERR_INVALID_ARGUMENT; 2583 goto out; 2584 } 2585 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2586 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2587 goto out; --- 74 unchanged lines hidden (view full) --- 2662 } 2663 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2664 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2665 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2666 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2667 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2668 goto out; 2669 break; |
| 2743 case KEY_DSA_CERT_V00: | |
| 2744 case KEY_DSA_CERT: 2745 if ((r = sshkey_froms(buf, &k)) != 0 || 2746 (r = sshkey_add_private(k)) != 0 || 2747 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2748 goto out; 2749 break; 2750# ifdef OPENSSL_HAS_ECC 2751 case KEY_ECDSA: --- 56 unchanged lines hidden (view full) --- 2808 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2809 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2810 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2811 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2812 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2813 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2814 goto out; 2815 break; | 2670 case KEY_DSA_CERT: 2671 if ((r = sshkey_froms(buf, &k)) != 0 || 2672 (r = sshkey_add_private(k)) != 0 || 2673 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2674 goto out; 2675 break; 2676# ifdef OPENSSL_HAS_ECC 2677 case KEY_ECDSA: --- 56 unchanged lines hidden (view full) --- 2734 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2735 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2736 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2737 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2738 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2739 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2740 goto out; 2741 break; |
| 2816 case KEY_RSA_CERT_V00: | |
| 2817 case KEY_RSA_CERT: 2818 if ((r = sshkey_froms(buf, &k)) != 0 || 2819 (r = sshkey_add_private(k)) != 0 || 2820 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2821 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2822 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2823 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2824 (r = rsa_generate_additional_parameters(k->rsa)) != 0) --- 33 unchanged lines hidden (view full) --- 2858 default: 2859 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2860 goto out; 2861 } 2862#ifdef WITH_OPENSSL 2863 /* enable blinding */ 2864 switch (k->type) { 2865 case KEY_RSA: | 2742 case KEY_RSA_CERT: 2743 if ((r = sshkey_froms(buf, &k)) != 0 || 2744 (r = sshkey_add_private(k)) != 0 || 2745 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2746 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2747 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2748 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2749 (r = rsa_generate_additional_parameters(k->rsa)) != 0) --- 33 unchanged lines hidden (view full) --- 2783 default: 2784 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2785 goto out; 2786 } 2787#ifdef WITH_OPENSSL 2788 /* enable blinding */ 2789 switch (k->type) { 2790 case KEY_RSA: |
| 2866 case KEY_RSA_CERT_V00: | |
| 2867 case KEY_RSA_CERT: 2868 case KEY_RSA1: 2869 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2870 r = SSH_ERR_LIBCRYPTO_ERROR; 2871 goto out; 2872 } 2873 break; 2874 } --- 1098 unchanged lines hidden --- | 2791 case KEY_RSA_CERT: 2792 case KEY_RSA1: 2793 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2794 r = SSH_ERR_LIBCRYPTO_ERROR; 2795 goto out; 2796 } 2797 break; 2798 } --- 1098 unchanged lines hidden --- |