summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-07-03 05:43:18 +0200
committerDamien Miller <djm@mindrot.org>2015-07-15 07:35:09 +0200
commitc28fc62d789d860c75e23a9fa9fb250eb2beca57 (patch)
tree9b540db8aed167256bb61cd9df90dbedb31cc79d
parentupstream commit (diff)
downloadopenssh-c28fc62d789d860c75e23a9fa9fb250eb2beca57.tar.xz
openssh-c28fc62d789d860c75e23a9fa9fb250eb2beca57.zip
upstream commit
delete support for legacy v00 certificates; "sure" markus@ dtucker@ Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
-rw-r--r--auth-options.c46
-rw-r--r--authfd.c4
-rw-r--r--authfile.c4
-rw-r--r--key.c6
-rw-r--r--key.h5
-rw-r--r--krl.c10
-rw-r--r--myproposal.h4
-rw-r--r--ssh-add.c5
-rw-r--r--ssh-keygen.c67
-rw-r--r--sshd.c6
-rw-r--r--sshkey.c108
-rw-r--r--sshkey.h7
12 files changed, 68 insertions, 204 deletions
diff --git a/auth-options.c b/auth-options.c
index facfc025b..e387697d3 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.67 2015/05/01 03:20:54 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -588,35 +588,21 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
char *cert_forced_command = NULL;
int cert_source_address_done = 0;
- if (sshkey_cert_is_legacy(k)) {
- /* All options are in the one field for v00 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- } else {
- /* Separate options and extensions for v01 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- if (parse_option_list(k->cert->extensions, pw,
- OPTIONS_EXTENSIONS, 0,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- NULL, NULL) == -1)
- return -1;
- }
+ /* Separate options and extensions for v01 certs */
+ if (parse_option_list(k->cert->critical, pw,
+ OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
+ &cert_forced_command,
+ &cert_source_address_done) == -1)
+ return -1;
+ if (parse_option_list(k->cert->extensions, pw,
+ OPTIONS_EXTENSIONS, 0,
+ &cert_no_port_forwarding_flag,
+ &cert_no_agent_forwarding_flag,
+ &cert_no_x11_forwarding_flag,
+ &cert_no_pty_flag,
+ &cert_no_user_rc,
+ NULL, NULL) == -1)
+ return -1;
no_port_forwarding_flag |= cert_no_port_forwarding_flag;
no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
diff --git a/authfd.c b/authfd.c
index 82915a43d..eaa142648 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.97 2015/03/26 19:32:19 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -560,10 +560,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
#ifdef WITH_OPENSSL
case KEY_RSA:
case KEY_RSA_CERT:
- case KEY_RSA_CERT_V00:
case KEY_DSA:
case KEY_DSA_CERT:
- case KEY_DSA_CERT_V00:
case KEY_ECDSA:
case KEY_ECDSA_CERT:
#endif
diff --git a/authfile.c b/authfile.c
index 728b136a7..6ba638098 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.114 2015/04/17 13:32:09 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.115 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@@ -467,7 +467,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
goto out;
}
- if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 ||
+ if ((r = sshkey_to_certified(key)) != 0 ||
(r = sshkey_cert_copy(cert, key)) != 0)
goto out;
r = 0;
diff --git a/key.c b/key.c
index bbe027b66..0ba98b6f3 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */
+/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */
/*
* placed in the public domain
*/
@@ -184,11 +184,11 @@ key_demote(const Key *k)
}
int
-key_to_certified(Key *k, int legacy)
+key_to_certified(Key *k)
{
int r;
- if ((r = sshkey_to_certified(k, legacy)) != 0) {
+ if ((r = sshkey_to_certified(k)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;
diff --git a/key.h b/key.h
index 89fd5cfdf..903bdf673 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */
+/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -51,7 +51,6 @@ typedef struct sshkey Key;
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
#define key_is_cert sshkey_is_cert
#define key_type_plain sshkey_type_plain
-#define key_cert_is_legacy sshkey_cert_is_legacy
#define key_curve_name_to_nid sshkey_curve_name_to_nid
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
#define key_curve_nid_to_name sshkey_curve_nid_to_name
@@ -69,7 +68,7 @@ int key_read(Key *, char **);
Key *key_generate(int, u_int);
Key *key_from_private(const Key *);
-int key_to_certified(Key *, int);
+int key_to_certified(Key *);
int key_drop_cert(Key *);
int key_certify(Key *, Key *);
void key_cert_copy(const Key *, Key *);
diff --git a/krl.c b/krl.c
index a98252ef8..4075df853 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.32 2015/06/24 23:47:23 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */
#include "includes.h"
@@ -429,7 +429,7 @@ ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key)
if (!sshkey_is_cert(key))
return ssh_krl_revoke_key_sha1(krl, key);
- if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) {
+ if (key->cert->serial == 0) {
return ssh_krl_revoke_cert_by_key_id(krl,
key->cert->signature_key,
key->cert->key_id);
@@ -1180,10 +1180,10 @@ is_cert_revoked(const struct sshkey *key, struct revoked_certs *rc)
}
/*
- * Legacy cert formats lack serial numbers. Zero serials numbers
- * are ignored (it's the default when the CA doesn't specify one).
+ * Zero serials numbers are ignored (it's the default when the
+ * CA doesn't specify one).
*/
- if (sshkey_cert_is_legacy(key) || key->cert->serial == 0)
+ if (key->cert->serial == 0)
return 0;
memset(&rs, 0, sizeof(rs));
diff --git a/myproposal.h b/myproposal.h
index 84b63bcd5..f0b9caa55 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.44 2015/05/27 23:51:10 dtucker Exp $ */
+/* $OpenBSD: myproposal.h,v 1.45 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -101,8 +101,6 @@
"ssh-ed25519-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
"ssh-dss-cert-v01@openssh.com," \
- "ssh-rsa-cert-v00@openssh.com," \
- "ssh-dss-cert-v00@openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
"ssh-rsa," \
diff --git a/ssh-add.c b/ssh-add.c
index 9c8da5437..d6271d78e 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.122 2015/03/26 12:32:38 naddy Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -302,8 +302,7 @@ add_file(int agent_fd, const char *filename, int key_only)
}
/* Graft with private bits */
- if ((r = sshkey_to_certified(private,
- sshkey_cert_is_legacy(cert))) != 0) {
+ if ((r = sshkey_to_certified(private)) != 0) {
error("%s: sshkey_to_certified: %s", __func__, ssh_err(r));
sshkey_free(cert);
goto out;
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8259d87e7..b546366f1 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -239,7 +239,6 @@ ask_filename(struct passwd *pw, const char *prompt)
name = _PATH_SSH_CLIENT_IDENTITY;
break;
case KEY_DSA_CERT:
- case KEY_DSA_CERT_V00:
case KEY_DSA:
name = _PATH_SSH_CLIENT_ID_DSA;
break;
@@ -250,7 +249,6 @@ ask_filename(struct passwd *pw, const char *prompt)
break;
#endif
case KEY_RSA_CERT:
- case KEY_RSA_CERT_V00:
case KEY_RSA:
name = _PATH_SSH_CLIENT_ID_RSA;
break;
@@ -1575,25 +1573,6 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
struct sshkey *ca, *public;
char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
FILE *f;
- int v00 = 0; /* legacy keys */
-
- if (key_type_name != NULL) {
- switch (sshkey_type_from_name(key_type_name)) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
- v00 = 1;
- break;
- case KEY_UNSPEC:
- if (strcasecmp(key_type_name, "v00") == 0) {
- v00 = 1;
- break;
- } else if (strcasecmp(key_type_name, "v01") == 0)
- break;
- /* FALLTHROUGH */
- default:
- fatal("unknown key type %s", key_type_name);
- }
- }
#ifdef ENABLE_PKCS11
pkcs11_init(1);
@@ -1630,7 +1609,7 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
__func__, tmp, sshkey_type(public));
/* Prepare certificate to sign */
- if ((r = sshkey_to_certified(public, v00)) != 0)
+ if ((r = sshkey_to_certified(public)) != 0)
fatal("Could not upgrade key %s to certificate: %s",
tmp, ssh_err(r));
public->cert->type = cert_key_type;
@@ -1640,15 +1619,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
public->cert->principals = plist;
public->cert->valid_after = cert_valid_from;
public->cert->valid_before = cert_valid_to;
- if (v00) {
- prepare_options_buf(public->cert->critical,
- OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
- } else {
- prepare_options_buf(public->cert->critical,
- OPTIONS_CRITICAL);
- prepare_options_buf(public->cert->extensions,
- OPTIONS_EXTENSIONS);
- }
+ prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
+ prepare_options_buf(public->cert->extensions,
+ OPTIONS_EXTENSIONS);
if ((r = sshkey_from_private(ca,
&public->cert->signature_key)) != 0)
fatal("key_from_private (ca key): %s", ssh_err(r));
@@ -1833,7 +1806,7 @@ add_cert_option(char *opt)
}
static void
-show_options(struct sshbuf *optbuf, int v00, int in_critical)
+show_options(struct sshbuf *optbuf, int in_critical)
{
char *name, *arg;
struct sshbuf *options, *option = NULL;
@@ -1848,14 +1821,14 @@ show_options(struct sshbuf *optbuf, int v00, int in_critical)
(r = sshbuf_froms(options, &option)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
printf(" %s", name);
- if ((v00 || !in_critical) &&
+ if (!in_critical &&
(strcmp(name, "permit-X11-forwarding") == 0 ||
strcmp(name, "permit-agent-forwarding") == 0 ||
strcmp(name, "permit-port-forwarding") == 0 ||
strcmp(name, "permit-pty") == 0 ||
strcmp(name, "permit-user-rc") == 0))
printf("\n");
- else if ((v00 || in_critical) &&
+ else if (in_critical &&
(strcmp(name, "force-command") == 0 ||
strcmp(name, "source-address") == 0)) {
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
@@ -1882,7 +1855,7 @@ do_show_cert(struct passwd *pw)
struct sshkey *key;
struct stat st;
char *key_fp, *ca_fp;
- u_int i, v00;
+ u_int i;
int r;
if (!have_identity)
@@ -1894,7 +1867,6 @@ do_show_cert(struct passwd *pw)
identity_file, ssh_err(r));
if (!sshkey_is_cert(key))
fatal("%s is not a certificate", identity_file);
- v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
ca_fp = sshkey_fingerprint(key->cert->signature_key,
@@ -1909,10 +1881,7 @@ do_show_cert(struct passwd *pw)
printf(" Signing CA: %s %s\n",
sshkey_type(key->cert->signature_key), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
- if (!v00) {
- printf(" Serial: %llu\n",
- (unsigned long long)key->cert->serial);
- }
+ printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
printf(" Valid: %s\n",
fmt_validity(key->cert->valid_after, key->cert->valid_before));
printf(" Principals: ");
@@ -1929,16 +1898,14 @@ do_show_cert(struct passwd *pw)
printf("(none)\n");
else {
printf("\n");
- show_options(key->cert->critical, v00, 1);
+ show_options(key->cert->critical, 1);
}
- if (!v00) {
- printf(" Extensions: ");
- if (sshbuf_len(key->cert->extensions) == 0)
- printf("(none)\n");
- else {
- printf("\n");
- show_options(key->cert->extensions, v00, 0);
- }
+ printf(" Extensions: ");
+ if (sshbuf_len(key->cert->extensions) == 0)
+ printf("(none)\n");
+ else {
+ printf("\n");
+ show_options(key->cert->extensions, 0);
}
exit(0);
}
diff --git a/sshd.c b/sshd.c
index 6f8c6f2b1..15af4e8e5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.451 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -815,8 +815,6 @@ list_hostkey_types(void)
if (key == NULL)
continue;
switch (key->type) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
@@ -843,8 +841,6 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
for (i = 0; i < options.num_host_key_files; i++) {
switch (type) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
diff --git a/sshkey.c b/sshkey.c
index cfe598080..dbb16e2fd 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -111,10 +111,6 @@ static const struct keytype keytypes[] = {
KEY_ECDSA_CERT, NID_secp521r1, 1 },
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
- { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
- KEY_RSA_CERT_V00, 0, 1 },
- { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
- KEY_DSA_CERT_V00, 0, 1 },
#endif /* WITH_OPENSSL */
{ NULL, NULL, -1, -1, 0 }
};
@@ -272,11 +268,9 @@ sshkey_size(const struct sshkey *k)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
return BN_num_bits(k->rsa->n);
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return BN_num_bits(k->dsa->p);
case KEY_ECDSA:
@@ -290,18 +284,6 @@ sshkey_size(const struct sshkey *k)
return 0;
}
-int
-sshkey_cert_is_legacy(const struct sshkey *k)
-{
- switch (k->type) {
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
- return 1;
- default:
- return 0;
- }
-}
-
static int
sshkey_type_is_valid_ca(int type)
{
@@ -329,10 +311,8 @@ int
sshkey_type_plain(int type)
{
switch (type) {
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
return KEY_RSA;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return KEY_DSA;
case KEY_ECDSA_CERT:
@@ -497,7 +477,6 @@ sshkey_new(int type)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((rsa = RSA_new()) == NULL ||
(rsa->n = BN_new()) == NULL ||
@@ -510,7 +489,6 @@ sshkey_new(int type)
k->rsa = rsa;
break;
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((dsa = DSA_new()) == NULL ||
(dsa->p = BN_new()) == NULL ||
@@ -558,7 +536,6 @@ sshkey_add_private(struct sshkey *k)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
if (bn_maybe_alloc_failed(k->rsa->d) ||
@@ -570,7 +547,6 @@ sshkey_add_private(struct sshkey *k)
return SSH_ERR_ALLOC_FAIL;
break;
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (bn_maybe_alloc_failed(k->dsa->priv_key))
return SSH_ERR_ALLOC_FAIL;
@@ -616,14 +592,12 @@ sshkey_free(struct sshkey *k)
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if (k->rsa != NULL)
RSA_free(k->rsa);
k->rsa = NULL;
break;
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (k->dsa != NULL)
DSA_free(k->dsa);
@@ -695,13 +669,11 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
switch (a->type) {
#ifdef WITH_OPENSSL
case KEY_RSA1:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return a->rsa != NULL && b->rsa != NULL &&
BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
BN_cmp(a->rsa->n, b->rsa->n) == 0;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return a->dsa != NULL && b->dsa != NULL &&
@@ -772,8 +744,6 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
switch (type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
@@ -1297,8 +1267,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
case KEY_DSA:
case KEY_ECDSA:
case KEY_ED25519:
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
@@ -1797,7 +1765,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((n = sshkey_new(k->type)) == NULL)
return SSH_ERR_ALLOC_FAIL;
@@ -1829,7 +1796,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
case KEY_RSA1:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((n = sshkey_new(k->type)) == NULL)
return SSH_ERR_ALLOC_FAIL;
@@ -1873,21 +1839,20 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
u_char *sig = NULL;
size_t signed_len = 0, slen = 0, kidlen = 0;
int ret = SSH_ERR_INTERNAL_ERROR;
- int v00 = sshkey_cert_is_legacy(key);
/* Copy the entire key blob for verification and later serialisation */
if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
return ret;
- if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) ||
+ /* Parse body of certificate up to signature */
+ if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
(ret = sshbuf_froms(b, &principals)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
(ret = sshbuf_froms(b, &crit)) != 0 ||
- (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) ||
- (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
+ (ret = sshbuf_froms(b, &exts)) != 0 ||
(ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
(ret = sshbuf_froms(b, &ca)) != 0) {
/* XXX debug print error for ret */
@@ -1924,9 +1889,8 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
goto out;
}
oprincipals = key->cert->principals;
- key->cert->principals = realloc(key->cert->principals,
- (key->cert->nprincipals + 1) *
- sizeof(*key->cert->principals));
+ key->cert->principals = reallocarray(key->cert->principals,
+ key->cert->nprincipals + 1, sizeof(*key->cert->principals));
if (key->cert->principals == NULL) {
free(principal);
key->cert->principals = oprincipals;
@@ -1947,7 +1911,6 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
/*
* Validate critical options and extensions sections format.
- * NB. extensions are not present in v00 certs.
*/
while (sshbuf_len(crit) != 0) {
if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
@@ -2032,7 +1995,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
}
/* FALLTHROUGH */
case KEY_RSA:
- case KEY_RSA_CERT_V00:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -2054,7 +2016,6 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
}
/* FALLTHROUGH */
case KEY_DSA:
- case KEY_DSA_CERT_V00:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -2224,7 +2185,6 @@ sshkey_sign(const struct sshkey *key,
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
@@ -2233,7 +2193,6 @@ sshkey_sign(const struct sshkey *key,
case KEY_ECDSA:
return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
# endif /* OPENSSL_HAS_ECC */
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
@@ -2258,7 +2217,6 @@ sshkey_verify(const struct sshkey *key,
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
@@ -2267,7 +2225,6 @@ sshkey_verify(const struct sshkey *key,
case KEY_ECDSA:
return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
# endif /* OPENSSL_HAS_ECC */
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
@@ -2303,7 +2260,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
switch (k->type) {
#ifdef WITH_OPENSSL
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
@@ -2317,7 +2273,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
goto fail;
}
break;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
@@ -2376,27 +2331,23 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
/* Convert a plain key to their _CERT equivalent */
int
-sshkey_to_certified(struct sshkey *k, int legacy)
+sshkey_to_certified(struct sshkey *k)
{
int newtype;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
- newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
+ newtype = KEY_RSA_CERT;
break;
case KEY_DSA:
- newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
+ newtype = KEY_DSA_CERT;
break;
case KEY_ECDSA:
- if (legacy)
- return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ECDSA_CERT;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
- if (legacy)
- return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ED25519_CERT;
break;
default:
@@ -2448,15 +2399,12 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
/* -v01 certs put nonce first */
arc4random_buf(&nonce, sizeof(nonce));
- if (!sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
- goto out;
- }
+ if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
+ goto out;
/* XXX this substantially duplicates to_blob(); refactor */
switch (k->type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
(ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
@@ -2474,7 +2422,6 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
goto out;
break;
# endif /* OPENSSL_HAS_ECC */
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
(ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
@@ -2491,13 +2438,8 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
goto out;
}
- /* -v01 certs have a serial number next */
- if (!sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
- goto out;
- }
-
- if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
+ if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
+ (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
goto out;
@@ -2513,22 +2455,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca)
if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
- (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0)
- goto out;
-
- /* -v01 certs have non-critical options here */
- if (!sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
- goto out;
- }
-
- /* -v00 certs put the nonce at the end */
- if (sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
- goto out;
- }
-
- if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
+ (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
+ (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
+ (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
goto out;
@@ -2628,7 +2557,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
goto out;
break;
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
@@ -2649,7 +2577,6 @@ sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
goto out;
break;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
@@ -2740,7 +2667,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
goto out;
break;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
@@ -2813,7 +2739,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
(r = rsa_generate_additional_parameters(k->rsa)) != 0)
goto out;
break;
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
@@ -2863,7 +2788,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
/* enable blinding */
switch (k->type) {
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA1:
if (RSA_blinding_on(k->rsa, NULL) != 1) {
diff --git a/sshkey.h b/sshkey.h
index cdac0e255..85a6968fd 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.6 2015/05/21 04:55:51 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.7 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -62,8 +62,6 @@ enum sshkey_types {
KEY_DSA_CERT,
KEY_ECDSA_CERT,
KEY_ED25519_CERT,
- KEY_RSA_CERT_V00,
- KEY_DSA_CERT_V00,
KEY_UNSPEC
};
@@ -137,13 +135,12 @@ int sshkey_type_from_name(const char *);
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
-int sshkey_to_certified(struct sshkey *, int);
+int sshkey_to_certified(struct sshkey *);
int sshkey_drop_cert(struct sshkey *);
int sshkey_certify(struct sshkey *, struct sshkey *);
int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
int sshkey_cert_check_authority(const struct sshkey *, int, int,
const char *, const char **);
-int sshkey_cert_is_legacy(const struct sshkey *);
int sshkey_ecdsa_nid_from_name(const char *);
int sshkey_curve_name_to_nid(const char *);