diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2015-07-03 03:43:19 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2015-07-03 03:43:19 +0000 |
commit | 3b0f395da9db6dff9b414b7aec854bb4514684bd (patch) | |
tree | fb6578fc758018b5ac0f02d7db99b5f75853838d | |
parent | 798598d3516d3a49cce8d5dd156268c4132cd5df (diff) |
delete support for legacy v00 certificates; "sure" markus@ dtucker@
-rw-r--r-- | usr.bin/ssh/auth-options.c | 46 | ||||
-rw-r--r-- | usr.bin/ssh/authfd.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/authfile.c | 4 | ||||
-rw-r--r-- | usr.bin/ssh/key.c | 6 | ||||
-rw-r--r-- | usr.bin/ssh/key.h | 5 | ||||
-rw-r--r-- | usr.bin/ssh/krl.c | 10 | ||||
-rw-r--r-- | usr.bin/ssh/myproposal.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-add.c | 5 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 67 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.c | 6 | ||||
-rw-r--r-- | usr.bin/ssh/sshkey.c | 108 | ||||
-rw-r--r-- | usr.bin/ssh/sshkey.h | 7 |
12 files changed, 68 insertions, 204 deletions
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c index cf51ac3dd54..874f5cb4d36 100644 --- a/usr.bin/ssh/auth-options.c +++ b/usr.bin/ssh/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.67 2015/05/01 03:20:54 djm Exp $ */ +/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -585,35 +585,21 @@ auth_cert_options(struct sshkey *k, struct passwd *pw) char *cert_forced_command = NULL; int cert_source_address_done = 0; - if (sshkey_cert_is_legacy(k)) { - /* All options are in the one field for v00 certs */ - if (parse_option_list(k->cert->critical, pw, - OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1, - &cert_no_port_forwarding_flag, - &cert_no_agent_forwarding_flag, - &cert_no_x11_forwarding_flag, - &cert_no_pty_flag, - &cert_no_user_rc, - &cert_forced_command, - &cert_source_address_done) == -1) - return -1; - } else { - /* Separate options and extensions for v01 certs */ - if (parse_option_list(k->cert->critical, pw, - OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, - &cert_forced_command, - &cert_source_address_done) == -1) - return -1; - if (parse_option_list(k->cert->extensions, pw, - OPTIONS_EXTENSIONS, 0, - &cert_no_port_forwarding_flag, - &cert_no_agent_forwarding_flag, - &cert_no_x11_forwarding_flag, - &cert_no_pty_flag, - &cert_no_user_rc, - NULL, NULL) == -1) - return -1; - } + /* Separate options and extensions for v01 certs */ + if (parse_option_list(k->cert->critical, pw, + OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL, + &cert_forced_command, + &cert_source_address_done) == -1) + return -1; + if (parse_option_list(k->cert->extensions, pw, + OPTIONS_EXTENSIONS, 0, + &cert_no_port_forwarding_flag, + &cert_no_agent_forwarding_flag, + &cert_no_x11_forwarding_flag, + &cert_no_pty_flag, + &cert_no_user_rc, + NULL, NULL) == -1) + return -1; no_port_forwarding_flag |= cert_no_port_forwarding_flag; no_agent_forwarding_flag |= cert_no_agent_forwarding_flag; diff --git a/usr.bin/ssh/authfd.c b/usr.bin/ssh/authfd.c index fab5e6d0278..3f6ca56bf03 100644 --- a/usr.bin/ssh/authfd.c +++ b/usr.bin/ssh/authfd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfd.c,v 1.97 2015/03/26 19:32:19 markus Exp $ */ +/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -558,10 +558,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment, #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: - case KEY_RSA_CERT_V00: case KEY_DSA: case KEY_DSA_CERT: - case KEY_DSA_CERT_V00: case KEY_ECDSA: case KEY_ECDSA_CERT: #endif diff --git a/usr.bin/ssh/authfile.c b/usr.bin/ssh/authfile.c index 78fb3ac98fe..dc90551cb30 100644 --- a/usr.bin/ssh/authfile.c +++ b/usr.bin/ssh/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.114 2015/04/17 13:32:09 djm Exp $ */ +/* $OpenBSD: authfile.c,v 1.115 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -462,7 +462,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase, goto out; } - if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 || + if ((r = sshkey_to_certified(key)) != 0 || (r = sshkey_cert_copy(cert, key)) != 0) goto out; r = 0; diff --git a/usr.bin/ssh/key.c b/usr.bin/ssh/key.c index 0dea76a6a73..15804b6d7d7 100644 --- a/usr.bin/ssh/key.c +++ b/usr.bin/ssh/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */ /* * placed in the public domain */ @@ -182,11 +182,11 @@ key_demote(const Key *k) } int -key_to_certified(Key *k, int legacy) +key_to_certified(Key *k) { int r; - if ((r = sshkey_to_certified(k, legacy)) != 0) { + if ((r = sshkey_to_certified(k)) != 0) { fatal_on_fatal_errors(r, __func__, 0); error("%s: %s", __func__, ssh_err(r)); return -1; diff --git a/usr.bin/ssh/key.h b/usr.bin/ssh/key.h index a33d72d616a..cfe0f290318 100644 --- a/usr.bin/ssh/key.h +++ b/usr.bin/ssh/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */ +/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -51,7 +51,6 @@ typedef struct sshkey Key; #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid #define key_is_cert sshkey_is_cert #define key_type_plain sshkey_type_plain -#define key_cert_is_legacy sshkey_cert_is_legacy #define key_curve_name_to_nid sshkey_curve_name_to_nid #define key_curve_nid_to_bits sshkey_curve_nid_to_bits #define key_curve_nid_to_name sshkey_curve_nid_to_name @@ -69,7 +68,7 @@ int key_read(Key *, char **); Key *key_generate(int, u_int); Key *key_from_private(const Key *); -int key_to_certified(Key *, int); +int key_to_certified(Key *); int key_drop_cert(Key *); int key_certify(Key *, Key *); void key_cert_copy(const Key *, Key *); diff --git a/usr.bin/ssh/krl.c b/usr.bin/ssh/krl.c index 983b577cfce..cdc00bed25d 100644 --- a/usr.bin/ssh/krl.c +++ b/usr.bin/ssh/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.32 2015/06/24 23:47:23 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */ #include <sys/param.h> /* MIN */ #include <sys/types.h> @@ -427,7 +427,7 @@ ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key) if (!sshkey_is_cert(key)) return ssh_krl_revoke_key_sha1(krl, key); - if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) { + if (key->cert->serial == 0) { return ssh_krl_revoke_cert_by_key_id(krl, key->cert->signature_key, key->cert->key_id); @@ -1178,10 +1178,10 @@ is_cert_revoked(const struct sshkey *key, struct revoked_certs *rc) } /* - * Legacy cert formats lack serial numbers. Zero serials numbers - * are ignored (it's the default when the CA doesn't specify one). + * Zero serials numbers are ignored (it's the default when the + * CA doesn't specify one). */ - if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) + if (key->cert->serial == 0) return 0; memset(&rs, 0, sizeof(rs)); diff --git a/usr.bin/ssh/myproposal.h b/usr.bin/ssh/myproposal.h index 3323ce53467..3aeda1b3433 100644 --- a/usr.bin/ssh/myproposal.h +++ b/usr.bin/ssh/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.44 2015/05/27 23:51:10 dtucker Exp $ */ +/* $OpenBSD: myproposal.h,v 1.45 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -48,8 +48,6 @@ "ssh-ed25519-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ "ssh-dss-cert-v01@openssh.com," \ - "ssh-rsa-cert-v00@openssh.com," \ - "ssh-dss-cert-v00@openssh.com," \ "ecdsa-sha2-nistp256," \ "ecdsa-sha2-nistp384," \ "ecdsa-sha2-nistp521," \ diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c index b2677666312..239ef970f76 100644 --- a/usr.bin/ssh/ssh-add.c +++ b/usr.bin/ssh/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.122 2015/03/26 12:32:38 naddy Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -294,8 +294,7 @@ add_file(int agent_fd, const char *filename, int key_only) } /* Graft with private bits */ - if ((r = sshkey_to_certified(private, - sshkey_cert_is_legacy(cert))) != 0) { + if ((r = sshkey_to_certified(private)) != 0) { error("%s: sshkey_to_certified: %s", __func__, ssh_err(r)); sshkey_free(cert); goto out; diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index f879576b7cb..3dd6b1c0f1a 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -234,7 +234,6 @@ ask_filename(struct passwd *pw, const char *prompt) name = _PATH_SSH_CLIENT_IDENTITY; break; case KEY_DSA_CERT: - case KEY_DSA_CERT_V00: case KEY_DSA: name = _PATH_SSH_CLIENT_ID_DSA; break; @@ -243,7 +242,6 @@ ask_filename(struct passwd *pw, const char *prompt) name = _PATH_SSH_CLIENT_ID_ECDSA; break; case KEY_RSA_CERT: - case KEY_RSA_CERT_V00: case KEY_RSA: name = _PATH_SSH_CLIENT_ID_RSA; break; @@ -1560,25 +1558,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) struct sshkey *ca, *public; char *otmp, *tmp, *cp, *out, *comment, **plist = NULL; FILE *f; - int v00 = 0; /* legacy keys */ - - if (key_type_name != NULL) { - switch (sshkey_type_from_name(key_type_name)) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: - v00 = 1; - break; - case KEY_UNSPEC: - if (strcasecmp(key_type_name, "v00") == 0) { - v00 = 1; - break; - } else if (strcasecmp(key_type_name, "v01") == 0) - break; - /* FALLTHROUGH */ - default: - fatal("unknown key type %s", key_type_name); - } - } #ifdef ENABLE_PKCS11 pkcs11_init(1); @@ -1615,7 +1594,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) __func__, tmp, sshkey_type(public)); /* Prepare certificate to sign */ - if ((r = sshkey_to_certified(public, v00)) != 0) + if ((r = sshkey_to_certified(public)) != 0) fatal("Could not upgrade key %s to certificate: %s", tmp, ssh_err(r)); public->cert->type = cert_key_type; @@ -1625,15 +1604,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) public->cert->principals = plist; public->cert->valid_after = cert_valid_from; public->cert->valid_before = cert_valid_to; - if (v00) { - prepare_options_buf(public->cert->critical, - OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); - } else { - prepare_options_buf(public->cert->critical, - OPTIONS_CRITICAL); - prepare_options_buf(public->cert->extensions, - OPTIONS_EXTENSIONS); - } + prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL); + prepare_options_buf(public->cert->extensions, + OPTIONS_EXTENSIONS); if ((r = sshkey_from_private(ca, &public->cert->signature_key)) != 0) fatal("key_from_private (ca key): %s", ssh_err(r)); @@ -1818,7 +1791,7 @@ add_cert_option(char *opt) } static void -show_options(struct sshbuf *optbuf, int v00, int in_critical) +show_options(struct sshbuf *optbuf, int in_critical) { char *name, *arg; struct sshbuf *options, *option = NULL; @@ -1833,14 +1806,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical) (r = sshbuf_froms(options, &option)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); printf(" %s", name); - if ((v00 || !in_critical) && + if (!in_critical && (strcmp(name, "permit-X11-forwarding") == 0 || strcmp(name, "permit-agent-forwarding") == 0 || strcmp(name, "permit-port-forwarding") == 0 || strcmp(name, "permit-pty") == 0 || strcmp(name, "permit-user-rc") == 0)) printf("\n"); - else if ((v00 || in_critical) && + else if (in_critical && (strcmp(name, "force-command") == 0 || strcmp(name, "source-address") == 0)) { if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) @@ -1867,7 +1840,7 @@ do_show_cert(struct passwd *pw) struct sshkey *key; struct stat st; char *key_fp, *ca_fp; - u_int i, v00; + u_int i; int r; if (!have_identity) @@ -1879,7 +1852,6 @@ do_show_cert(struct passwd *pw) identity_file, ssh_err(r)); if (!sshkey_is_cert(key)) fatal("%s is not a certificate", identity_file); - v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); ca_fp = sshkey_fingerprint(key->cert->signature_key, @@ -1894,10 +1866,7 @@ do_show_cert(struct passwd *pw) printf(" Signing CA: %s %s\n", sshkey_type(key->cert->signature_key), ca_fp); printf(" Key ID: \"%s\"\n", key->cert->key_id); - if (!v00) { - printf(" Serial: %llu\n", - (unsigned long long)key->cert->serial); - } + printf(" Serial: %llu\n", (unsigned long long)key->cert->serial); printf(" Valid: %s\n", fmt_validity(key->cert->valid_after, key->cert->valid_before)); printf(" Principals: "); @@ -1914,16 +1883,14 @@ do_show_cert(struct passwd *pw) printf("(none)\n"); else { printf("\n"); - show_options(key->cert->critical, v00, 1); + show_options(key->cert->critical, 1); } - if (!v00) { - printf(" Extensions: "); - if (sshbuf_len(key->cert->extensions) == 0) - printf("(none)\n"); - else { - printf("\n"); - show_options(key->cert->extensions, v00, 0); - } + printf(" Extensions: "); + if (sshbuf_len(key->cert->extensions) == 0) + printf("(none)\n"); + else { + printf("\n"); + show_options(key->cert->extensions, 0); } exit(0); } diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index b40dd78ab75..0b4a62420d5 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.451 2015/07/03 03:43:18 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -778,8 +778,6 @@ list_hostkey_types(void) if (key == NULL) continue; switch (key->type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: @@ -806,8 +804,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh) for (i = 0; i < options.num_host_key_files; i++) { switch (type) { - case KEY_RSA_CERT_V00: - case KEY_DSA_CERT_V00: case KEY_RSA_CERT: case KEY_DSA_CERT: case KEY_ECDSA_CERT: diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c index 50782cb1e5f..e6dc3cb1aaa 100644 --- a/usr.bin/ssh/sshkey.c +++ b/usr.bin/ssh/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -99,10 +99,6 @@ static const struct keytype keytypes[] = { KEY_ECDSA_CERT, NID_secp384r1, 1 }, { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", KEY_ECDSA_CERT, NID_secp521r1, 1 }, - { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", - KEY_RSA_CERT_V00, 0, 1 }, - { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", - KEY_DSA_CERT_V00, 0, 1 }, #endif /* WITH_OPENSSL */ { NULL, NULL, -1, -1, 0 } }; @@ -260,11 +256,9 @@ sshkey_size(const struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: return BN_num_bits(k->rsa->n); case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: return BN_num_bits(k->dsa->p); case KEY_ECDSA: @@ -278,18 +272,6 @@ sshkey_size(const struct sshkey *k) return 0; } -int -sshkey_cert_is_legacy(const struct sshkey *k) -{ - switch (k->type) { - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT_V00: - return 1; - default: - return 0; - } -} - static int sshkey_type_is_valid_ca(int type) { @@ -317,10 +299,8 @@ int sshkey_type_plain(int type) { switch (type) { - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: return KEY_RSA; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: return KEY_DSA; case KEY_ECDSA_CERT: @@ -477,7 +457,6 @@ sshkey_new(int type) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((rsa = RSA_new()) == NULL || (rsa->n = BN_new()) == NULL || @@ -490,7 +469,6 @@ sshkey_new(int type) k->rsa = rsa; break; case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((dsa = DSA_new()) == NULL || (dsa->p = BN_new()) == NULL || @@ -538,7 +516,6 @@ sshkey_add_private(struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) if (bn_maybe_alloc_failed(k->rsa->d) || @@ -550,7 +527,6 @@ sshkey_add_private(struct sshkey *k) return SSH_ERR_ALLOC_FAIL; break; case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if (bn_maybe_alloc_failed(k->dsa->priv_key)) return SSH_ERR_ALLOC_FAIL; @@ -596,14 +572,12 @@ sshkey_free(struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA1: case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if (k->rsa != NULL) RSA_free(k->rsa); k->rsa = NULL; break; case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if (k->dsa != NULL) DSA_free(k->dsa); @@ -673,13 +647,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) switch (a->type) { #ifdef WITH_OPENSSL case KEY_RSA1: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: return a->rsa != NULL && b->rsa != NULL && BN_cmp(a->rsa->e, b->rsa->e) == 0 && BN_cmp(a->rsa->n, b->rsa->n) == 0; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: case KEY_DSA: return a->dsa != NULL && b->dsa != NULL && @@ -748,8 +720,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) switch (type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT_V00: case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: @@ -1271,8 +1241,6 @@ sshkey_read(struct sshkey *ret, char **cpp) case KEY_DSA: case KEY_ECDSA: case KEY_ED25519: - case KEY_DSA_CERT_V00: - case KEY_RSA_CERT_V00: case KEY_DSA_CERT: case KEY_ECDSA_CERT: case KEY_RSA_CERT: @@ -1763,7 +1731,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) switch (k->type) { #ifdef WITH_OPENSSL case KEY_DSA: - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1793,7 +1760,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) break; case KEY_RSA: case KEY_RSA1: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1837,21 +1803,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) u_char *sig = NULL; size_t signed_len = 0, slen = 0, kidlen = 0; int ret = SSH_ERR_INTERNAL_ERROR; - int v00 = sshkey_cert_is_legacy(key); /* Copy the entire key blob for verification and later serialisation */ if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) return ret; - if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || + /* Parse body of certificate up to signature */ + if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || (ret = sshbuf_froms(b, &principals)) != 0 || (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || (ret = sshbuf_froms(b, &crit)) != 0 || - (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || - (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || + (ret = sshbuf_froms(b, &exts)) != 0 || (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || (ret = sshbuf_froms(b, &ca)) != 0) { /* XXX debug print error for ret */ @@ -1888,9 +1853,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) goto out; } oprincipals = key->cert->principals; - key->cert->principals = realloc(key->cert->principals, - (key->cert->nprincipals + 1) * - sizeof(*key->cert->principals)); + key->cert->principals = reallocarray(key->cert->principals, + key->cert->nprincipals + 1, sizeof(*key->cert->principals)); if (key->cert->principals == NULL) { free(principal); key->cert->principals = oprincipals; @@ -1911,7 +1875,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) /* * Validate critical options and extensions sections format. - * NB. extensions are not present in v00 certs. */ while (sshbuf_len(crit) != 0) { if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || @@ -1996,7 +1959,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, } /* FALLTHROUGH */ case KEY_RSA: - case KEY_RSA_CERT_V00: if ((key = sshkey_new(type)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -2018,7 +1980,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, } /* FALLTHROUGH */ case KEY_DSA: - case KEY_DSA_CERT_V00: if ((key = sshkey_new(type)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -2186,14 +2147,12 @@ sshkey_sign(const struct sshkey *key, return SSH_ERR_INVALID_ARGUMENT; switch (key->type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: case KEY_DSA: return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); case KEY_ECDSA_CERT: case KEY_ECDSA: return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); @@ -2218,14 +2177,12 @@ sshkey_verify(const struct sshkey *key, return SSH_ERR_INVALID_ARGUMENT; switch (key->type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: case KEY_DSA: return ssh_dss_verify(key, sig, siglen, data, dlen, compat); case KEY_ECDSA_CERT: case KEY_ECDSA: return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA: return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); @@ -2261,7 +2218,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) switch (k->type) { #ifdef WITH_OPENSSL - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((ret = sshkey_cert_copy(k, pk)) != 0) goto fail; @@ -2275,7 +2231,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) goto fail; } break; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((ret = sshkey_cert_copy(k, pk)) != 0) goto fail; @@ -2332,27 +2287,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp) /* Convert a plain key to their _CERT equivalent */ int -sshkey_to_certified(struct sshkey *k, int legacy) +sshkey_to_certified(struct sshkey *k) { int newtype; switch (k->type) { #ifdef WITH_OPENSSL case KEY_RSA: - newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; + newtype = KEY_RSA_CERT; break; case KEY_DSA: - newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; + newtype = KEY_DSA_CERT; break; case KEY_ECDSA: - if (legacy) - return SSH_ERR_INVALID_ARGUMENT; newtype = KEY_ECDSA_CERT; break; #endif /* WITH_OPENSSL */ case KEY_ED25519: - if (legacy) - return SSH_ERR_INVALID_ARGUMENT; newtype = KEY_ED25519_CERT; break; default: @@ -2404,15 +2355,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) /* -v01 certs put nonce first */ arc4random_buf(&nonce, sizeof(nonce)); - if (!sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) - goto out; - } + if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) + goto out; /* XXX this substantially duplicates to_blob(); refactor */ switch (k->type) { #ifdef WITH_OPENSSL - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || @@ -2428,7 +2376,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) EC_KEY_get0_group(k->ecdsa))) != 0) goto out; break; - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) @@ -2445,13 +2392,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) goto out; } - /* -v01 certs have a serial number next */ - if (!sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) - goto out; - } - - if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || + if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || + (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) goto out; @@ -2467,22 +2409,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca) if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || - (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) - goto out; - - /* -v01 certs have non-critical options here */ - if (!sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) - goto out; - } - - /* -v00 certs put the nonce at the end */ - if (sshkey_cert_is_legacy(k)) { - if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) - goto out; - } - - if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ + (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || + (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || + (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) goto out; @@ -2582,7 +2511,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) goto out; break; - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { r = SSH_ERR_INVALID_ARGUMENT; @@ -2603,7 +2531,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) goto out; break; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { r = SSH_ERR_INVALID_ARGUMENT; @@ -2692,7 +2619,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) goto out; break; - case KEY_DSA_CERT_V00: case KEY_DSA_CERT: if ((r = sshkey_froms(buf, &k)) != 0 || (r = sshkey_add_private(k)) != 0 || @@ -2763,7 +2689,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) (r = rsa_generate_additional_parameters(k->rsa)) != 0) goto out; break; - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: if ((r = sshkey_froms(buf, &k)) != 0 || (r = sshkey_add_private(k)) != 0 || @@ -2813,7 +2738,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) /* enable blinding */ switch (k->type) { case KEY_RSA: - case KEY_RSA_CERT_V00: case KEY_RSA_CERT: case KEY_RSA1: if (RSA_blinding_on(k->rsa, NULL) != 1) { diff --git a/usr.bin/ssh/sshkey.h b/usr.bin/ssh/sshkey.h index e656b4a619f..54d99bc0553 100644 --- a/usr.bin/ssh/sshkey.h +++ b/usr.bin/ssh/sshkey.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.h,v 1.6 2015/05/21 04:55:51 djm Exp $ */ +/* $OpenBSD: sshkey.h,v 1.7 2015/07/03 03:43:18 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -56,8 +56,6 @@ enum sshkey_types { KEY_DSA_CERT, KEY_ECDSA_CERT, KEY_ED25519_CERT, - KEY_RSA_CERT_V00, - KEY_DSA_CERT_V00, KEY_UNSPEC }; @@ -131,13 +129,12 @@ int sshkey_type_from_name(const char *); int sshkey_is_cert(const struct sshkey *); int sshkey_type_is_cert(int); int sshkey_type_plain(int); -int sshkey_to_certified(struct sshkey *, int); +int sshkey_to_certified(struct sshkey *); int sshkey_drop_cert(struct sshkey *); int sshkey_certify(struct sshkey *, struct sshkey *); int sshkey_cert_copy(const struct sshkey *, struct sshkey *); int sshkey_cert_check_authority(const struct sshkey *, int, int, const char *, const char **); -int sshkey_cert_is_legacy(const struct sshkey *); int sshkey_ecdsa_nid_from_name(const char *); int sshkey_curve_name_to_nid(const char *); |