1c1
< /* $OpenBSD: sshkey.c,v 1.21 2015/08/19 23:19:01 djm Exp $ */
---
> /* $OpenBSD: sshkey.c,v 1.31 2015/12/11 04:21:12 mmcc Exp $ */
85a86
> int sigonly;
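Review bot: The new `sigonly` field is added with no comment, so its meaning has to be reconstructed from the table rows at 92,94c93,97 (`rsa-sha2-256` and `rsa-sha2-512`, both mapped to KEY_RSA with the new column set) and from the skip added at 203c206, where entries with `sigonly` set are excluded alongside nameless ones. The struct definition starts before this hunk, so the field can only be seen in isolation here. A one-line comment would spare the next reader that reconstruction, e.g. `int sigonly;	/* name is a signature algorithm only, not a distinct key type */`, and the table header comment (outside the hunk) should gain the new column too.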
88c89
< { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
---
> { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
90c91
< KEY_ED25519_CERT, 0, 1 },
---
> KEY_ED25519_CERT, 0, 1, 0 },
92,94c93,97
< { NULL, "RSA1", KEY_RSA1, 0, 0 },
< { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
< { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
---
> { NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
> { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
> { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
> { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
> { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
96,97c99,100
< { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
< { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
---
> { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
> { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
99c102
< { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
---
> { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
102,103c105,106
< { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
< { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
---
> { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
> { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
106c109
< KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
---
> KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
108c111
< KEY_ECDSA_CERT, NID_secp384r1, 1 },
---
> KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
111c114
< KEY_ECDSA_CERT, NID_secp521r1, 1 },
---
> KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
115c118
< { NULL, NULL, -1, -1, 0 }
---
> { NULL, NULL, -1, -1, 0, 0 }
203c206
< if (kt->name == NULL)
---
> if (kt->name == NULL || kt->sigonly)
420,427c423,426
< if (cert->certblob != NULL)
< sshbuf_free(cert->certblob);
< if (cert->critical != NULL)
< sshbuf_free(cert->critical);
< if (cert->extensions != NULL)
< sshbuf_free(cert->extensions);
< if (cert->key_id != NULL)
< free(cert->key_id);
---
> sshbuf_free(cert->certblob);
> sshbuf_free(cert->critical);
> sshbuf_free(cert->extensions);
> free(cert->key_id);
430,433c429,430
< if (cert->principals != NULL)
< free(cert->principals);
< if (cert->signature_key != NULL)
< sshkey_free(cert->signature_key);
---
> free(cert->principals);
> sshkey_free(cert->signature_key);
1219c1216
< else if (index(" \t\r\n", cp[e]) == NULL)
---
> else if (strchr(" \t\r\n", cp[e]) == NULL)
1235c1232
< char *cp, *space;
---
> char *ep, *cp, *space;
1239d1235
< char *ep;
1250c1246
< if (*cp == '\0' || index(" \t\r\n", *ep) == NULL ||
---
> if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL ||
1258d1253
< *cpp = ep;
1261a1257
> *cpp = ep;
1299c1295
< *cpp = space;
---
> ep = space;
1301c1297
< *cpp = cp + strlen(cp);
---
> ep = cp + strlen(cp);
1331a1328
> switch (sshkey_type_plain(ret->type)) {
1333c1330
< if (sshkey_type_plain(ret->type) == KEY_RSA) {
---
> case KEY_RSA:
1341,1342c1338,1339
< }
< if (sshkey_type_plain(ret->type) == KEY_DSA) {
---
> break;
> case KEY_DSA:
1350c1347
< }
---
> break;
1352c1349
< if (sshkey_type_plain(ret->type) == KEY_ECDSA) {
---
> case KEY_ECDSA:
1362c1359
< }
---
> break;
1365c1362
< if (sshkey_type_plain(ret->type) == KEY_ED25519) {
---
> case KEY_ED25519:
1371a1369
> break;
1372a1371
> *cpp = ep;
1720c1719
< (ret = sshbuf_putb(to->extensions, from->extensions) != 0))
---
> (ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
1761,1763c1760
< if (pkp != NULL)
< *pkp = NULL;
<
---
> *pkp = NULL;
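Review bot: `*pkp = NULL;` now dereferences the out-parameter unconditionally where the removed lines tolerated `pkp == NULL`; the same tightening is made for `dkp` at 2246,2248c2243. That is fine if every caller passes a non-NULL pointer, which cannot be confirmed from the hunk, but the new precondition should be stated in the function's header comment, e.g. `/* pkp must be non-NULL; set to NULL on failure */`. The enclosing function starts before the hunk.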
2177c2174
< const u_char *data, size_t datalen, u_int compat)
---
> const u_char *data, size_t datalen, const char *alg, u_int compat)
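Review bot: The new `alg` parameter is forwarded only to `ssh_rsa_sign` at 2197c2194 and is passed as `NULL` by the certificate signing path at 2465c2460, but neither its accepted values nor whether `NULL` is permitted is documented at the definition. Given the `rsa-sha2-256`/`rsa-sha2-512` table entries added at 92,94c93,97, it presumably names the RSA signature algorithm (and thus the hash) to use; a header comment such as `/* alg: signature algorithm name for RSA keys (e.g. "rsa-sha2-256"), or NULL for the default */` would pin that down, and should say how non-RSA key types treat it, which is not visible here. The verify counterpart at 2229c2226 drops `compat` and takes no algorithm name, so the hash used for verification is apparently derived from the signature blob itself; that asymmetry is worth a sentence in the same comment. The enclosing function starts before the hunk.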
2197c2194
< return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
---
> return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
2229c2226
< return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
---
> return ssh_rsa_verify(key, sig, siglen, data, dlen);
2246,2248c2243
< if (dkp != NULL)
< *dkp = NULL;
<
---
> *dkp = NULL;
2465c2460
< sshbuf_len(cert), 0)) != 0)
---
> sshbuf_len(cert), NULL, 0)) != 0)
2475,2480c2470,2472
< if (sig_blob != NULL)
< free(sig_blob);
< if (ca_blob != NULL)
< free(ca_blob);
< if (principals != NULL)
< sshbuf_free(principals);
---
> free(sig_blob);
> free(ca_blob);
> sshbuf_free(principals);
2540a2533,2569
> size_t
> sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
> {
> char from[32], to[32], ret[64];
> time_t tt;
> struct tm *tm;
>
> *from = *to = '\0';
> if (cert->valid_after == 0 &&
> cert->valid_before == 0xffffffffffffffffULL)
> return strlcpy(s, "forever", l);
>
> if (cert->valid_after != 0) {
> /* XXX revisit INT_MAX in 2038 :) */
> tt = cert->valid_after > INT_MAX ?
> INT_MAX : cert->valid_after;
> tm = localtime(&tt);
> strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
> }
> if (cert->valid_before != 0xffffffffffffffffULL) {
> /* XXX revisit INT_MAX in 2038 :) */
> tt = cert->valid_before > INT_MAX ?
> INT_MAX : cert->valid_before;
> tm = localtime(&tt);
> strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
> }
>
> if (cert->valid_after == 0)
> snprintf(ret, sizeof(ret), "before %s", to);
> else if (cert->valid_before == 0xffffffffffffffffULL)
> snprintf(ret, sizeof(ret), "after %s", from);
> else
> snprintf(ret, sizeof(ret), "from %s to %s", from, to);
>
> return strlcpy(s, ret, l);
> }
>
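Review bot: `localtime()` can return NULL, and in both the `from` and `to` blocks of sshkey_format_cert_validity its result at `tm = localtime(&tt);` is handed to `strftime()` unchecked, which would dereference a NULL pointer; the clamp to `INT_MAX` makes an out-of-range failure unlikely but does not rule out other failure modes of the conversion. The `strftime()` return value is also unchecked: on a zero return the buffer contents are indeterminate, so the earlier `*from = *to = '\0'` no longer guarantees a terminated string for the later `snprintf` calls. Checking both and bailing out with a fixed marker is a few lines per block (the `"invalid"` text below is just a stand-in for whatever wording the callers expect). The `0xffffffffffffffffULL` sentinel also appears three times in the function and would read better as a named constant.
```c
	if (cert->valid_after != 0) {
		/* … unchanged: clamp valid_after into tt … */
		if ((tm = localtime(&tt)) == NULL ||
		    strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm) == 0)
			return strlcpy(s, "invalid", l);
	}
	if (cert->valid_before != 0xffffffffffffffffULL) {
		/* … unchanged: clamp valid_before into tt … */
		if ((tm = localtime(&tt)) == NULL ||
		    strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm) == 0)
			return strlcpy(s, "invalid", l);
	}
```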
2704c2733
< EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
---
> EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2722c2751
< EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
---
> EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2744,2747c2773,2776
< (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
< (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
< (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
< (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
---
> (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
> (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
> (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
> (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
3434,3436c3463,3465
< (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) ||
< (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) ||
< (r = sshbuf_put_cstring(encrypted, comment) != 0))
---
> (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 ||
> (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 ||
> (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3457,3460c3486,3487
< if (buffer != NULL)
< sshbuf_free(buffer);
< if (encrypted != NULL)
< sshbuf_free(encrypted);
---
> sshbuf_free(buffer);
> sshbuf_free(encrypted);
3614,3617c3641,3642
< if (copy != NULL)
< sshbuf_free(copy);
< if (pub != NULL)
< sshkey_free(pub);
---
> sshbuf_free(copy);
> sshkey_free(pub);
3729,3736c3754,3757
< if (comment != NULL)
< free(comment);
< if (prv != NULL)
< sshkey_free(prv);
< if (copy != NULL)
< sshbuf_free(copy);
< if (decrypted != NULL)
< sshbuf_free(decrypted);
---
> free(comment);
> sshkey_free(prv);
> sshbuf_free(copy);
> sshbuf_free(decrypted);
3826,3827c3847
< if (prv != NULL)
< sshkey_free(prv);
---
> sshkey_free(prv);
3836,3837d3855
< int r;
<
3859,3860c3877,3878
< if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
< commentp)) == 0)
---
> if (sshkey_parse_private2(blob, type, passphrase, keyp,
> commentp) == 0)
3875c3893
< const char *filename, struct sshkey **keyp, char **commentp)
---
> struct sshkey **keyp, char **commentp)
3877,3878d3894
< int r;
<
3886c3902
< if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) {
---
> if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
3891,3894c3907,3908
< if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
< passphrase, keyp, commentp)) == 0)
< return 0;
< return r;
---
> return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
> passphrase, keyp, commentp);