-/* $OpenBSD: auth-options.c,v 1.67 2015/05/01 03:20:54 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
char *cert_forced_command = NULL;
int cert_source_address_done = 0;
- if (sshkey_cert_is_legacy(k)) {
- /* All options are in the one field for v00 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- } else {
- /* Separate options and extensions for v01 certs */
- if (parse_option_list(k->cert->critical, pw,
- OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
- &cert_forced_command,
- &cert_source_address_done) == -1)
- return -1;
- if (parse_option_list(k->cert->extensions, pw,
- OPTIONS_EXTENSIONS, 0,
- &cert_no_port_forwarding_flag,
- &cert_no_agent_forwarding_flag,
- &cert_no_x11_forwarding_flag,
- &cert_no_pty_flag,
- &cert_no_user_rc,
- NULL, NULL) == -1)
- return -1;
- }
+ /* Separate options and extensions for v01 certs */
+ if (parse_option_list(k->cert->critical, pw,
+ OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
+ &cert_forced_command,
+ &cert_source_address_done) == -1)
+ return -1;
+ if (parse_option_list(k->cert->extensions, pw,
+ OPTIONS_EXTENSIONS, 0,
+ &cert_no_port_forwarding_flag,
+ &cert_no_agent_forwarding_flag,
+ &cert_no_x11_forwarding_flag,
+ &cert_no_pty_flag,
+ &cert_no_user_rc,
+ NULL, NULL) == -1)
+ return -1;
no_port_forwarding_flag |= cert_no_port_forwarding_flag;
no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
-/* $OpenBSD: authfd.c,v 1.97 2015/03/26 19:32:19 markus Exp $ */
+/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
#ifdef WITH_OPENSSL
case KEY_RSA:
case KEY_RSA_CERT:
- case KEY_RSA_CERT_V00:
case KEY_DSA:
case KEY_DSA_CERT:
- case KEY_DSA_CERT_V00:
case KEY_ECDSA:
case KEY_ECDSA_CERT:
#endif
-/* $OpenBSD: authfile.c,v 1.114 2015/04/17 13:32:09 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.115 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
goto out;
}
- if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 ||
+ if ((r = sshkey_to_certified(key)) != 0 ||
(r = sshkey_cert_copy(cert, key)) != 0)
goto out;
r = 0;
-/* $OpenBSD: key.c,v 1.127 2015/01/28 22:36:00 djm Exp $ */
+/* $OpenBSD: key.c,v 1.128 2015/07/03 03:43:18 djm Exp $ */
/*
* placed in the public domain
*/
}
int
-key_to_certified(Key *k, int legacy)
+key_to_certified(Key *k)
{
int r;
- if ((r = sshkey_to_certified(k, legacy)) != 0) {
+ if ((r = sshkey_to_certified(k)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;
-/* $OpenBSD: key.h,v 1.47 2015/01/28 22:36:00 djm Exp $ */
+/* $OpenBSD: key.h,v 1.48 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
#define key_is_cert sshkey_is_cert
#define key_type_plain sshkey_type_plain
-#define key_cert_is_legacy sshkey_cert_is_legacy
#define key_curve_name_to_nid sshkey_curve_name_to_nid
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
#define key_curve_nid_to_name sshkey_curve_nid_to_name
Key *key_generate(int, u_int);
Key *key_from_private(const Key *);
-int key_to_certified(Key *, int);
+int key_to_certified(Key *);
int key_drop_cert(Key *);
int key_certify(Key *, Key *);
void key_cert_copy(const Key *, Key *);
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.32 2015/06/24 23:47:23 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.33 2015/07/03 03:43:18 djm Exp $ */
#include "includes.h"
if (!sshkey_is_cert(key))
return ssh_krl_revoke_key_sha1(krl, key);
- if (sshkey_cert_is_legacy(key) || key->cert->serial == 0) {
+ if (key->cert->serial == 0) {
return ssh_krl_revoke_cert_by_key_id(krl,
key->cert->signature_key,
key->cert->key_id);
}
/*
- * Legacy cert formats lack serial numbers. Zero serials numbers
- * are ignored (it's the default when the CA doesn't specify one).
+ * Zero serials numbers are ignored (it's the default when the
+ * CA doesn't specify one).
*/
- if (sshkey_cert_is_legacy(key) || key->cert->serial == 0)
+ if (key->cert->serial == 0)
return 0;
memset(&rs, 0, sizeof(rs));
-/* $OpenBSD: myproposal.h,v 1.44 2015/05/27 23:51:10 dtucker Exp $ */
+/* $OpenBSD: myproposal.h,v 1.45 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
"ssh-ed25519-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
"ssh-dss-cert-v01@openssh.com," \
- "ssh-rsa-cert-v00@openssh.com," \
- "ssh-dss-cert-v00@openssh.com," \
HOSTKEY_ECDSA_METHODS \
"ssh-ed25519," \
"ssh-rsa," \
-/* $OpenBSD: ssh-add.c,v 1.122 2015/03/26 12:32:38 naddy Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.123 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
}
/* Graft with private bits */
- if ((r = sshkey_to_certified(private,
- sshkey_cert_is_legacy(cert))) != 0) {
+ if ((r = sshkey_to_certified(private)) != 0) {
error("%s: sshkey_to_certified: %s", __func__, ssh_err(r));
sshkey_free(cert);
goto out;
-/* $OpenBSD: ssh-keygen.c,v 1.274 2015/05/28 07:37:31 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
name = _PATH_SSH_CLIENT_IDENTITY;
break;
case KEY_DSA_CERT:
- case KEY_DSA_CERT_V00:
case KEY_DSA:
name = _PATH_SSH_CLIENT_ID_DSA;
break;
break;
#endif
case KEY_RSA_CERT:
- case KEY_RSA_CERT_V00:
case KEY_RSA:
name = _PATH_SSH_CLIENT_ID_RSA;
break;
struct sshkey *ca, *public;
char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
FILE *f;
- int v00 = 0; /* legacy keys */
-
- if (key_type_name != NULL) {
- switch (sshkey_type_from_name(key_type_name)) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
- v00 = 1;
- break;
- case KEY_UNSPEC:
- if (strcasecmp(key_type_name, "v00") == 0) {
- v00 = 1;
- break;
- } else if (strcasecmp(key_type_name, "v01") == 0)
- break;
- /* FALLTHROUGH */
- default:
- fatal("unknown key type %s", key_type_name);
- }
- }
#ifdef ENABLE_PKCS11
pkcs11_init(1);
__func__, tmp, sshkey_type(public));
/* Prepare certificate to sign */
- if ((r = sshkey_to_certified(public, v00)) != 0)
+ if ((r = sshkey_to_certified(public)) != 0)
fatal("Could not upgrade key %s to certificate: %s",
tmp, ssh_err(r));
public->cert->type = cert_key_type;
public->cert->principals = plist;
public->cert->valid_after = cert_valid_from;
public->cert->valid_before = cert_valid_to;
- if (v00) {
- prepare_options_buf(public->cert->critical,
- OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
- } else {
- prepare_options_buf(public->cert->critical,
- OPTIONS_CRITICAL);
- prepare_options_buf(public->cert->extensions,
- OPTIONS_EXTENSIONS);
- }
+ prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
+ prepare_options_buf(public->cert->extensions,
+ OPTIONS_EXTENSIONS);
if ((r = sshkey_from_private(ca,
&public->cert->signature_key)) != 0)
fatal("key_from_private (ca key): %s", ssh_err(r));
}
static void
-show_options(struct sshbuf *optbuf, int v00, int in_critical)
+show_options(struct sshbuf *optbuf, int in_critical)
{
char *name, *arg;
struct sshbuf *options, *option = NULL;
(r = sshbuf_froms(options, &option)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
printf(" %s", name);
- if ((v00 || !in_critical) &&
+ if (!in_critical &&
(strcmp(name, "permit-X11-forwarding") == 0 ||
strcmp(name, "permit-agent-forwarding") == 0 ||
strcmp(name, "permit-port-forwarding") == 0 ||
strcmp(name, "permit-pty") == 0 ||
strcmp(name, "permit-user-rc") == 0))
printf("\n");
- else if ((v00 || in_critical) &&
+ else if (in_critical &&
(strcmp(name, "force-command") == 0 ||
strcmp(name, "source-address") == 0)) {
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
struct sshkey *key;
struct stat st;
char *key_fp, *ca_fp;
- u_int i, v00;
+ u_int i;
int r;
if (!have_identity)
identity_file, ssh_err(r));
if (!sshkey_is_cert(key))
fatal("%s is not a certificate", identity_file);
- v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
ca_fp = sshkey_fingerprint(key->cert->signature_key,
printf(" Signing CA: %s %s\n",
sshkey_type(key->cert->signature_key), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
- if (!v00) {
- printf(" Serial: %llu\n",
- (unsigned long long)key->cert->serial);
- }
+ printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
printf(" Valid: %s\n",
fmt_validity(key->cert->valid_after, key->cert->valid_before));
printf(" Principals: ");
printf("(none)\n");
else {
printf("\n");
- show_options(key->cert->critical, v00, 1);
+ show_options(key->cert->critical, 1);
}
- if (!v00) {
- printf(" Extensions: ");
- if (sshbuf_len(key->cert->extensions) == 0)
- printf("(none)\n");
- else {
- printf("\n");
- show_options(key->cert->extensions, v00, 0);
- }
+ printf(" Extensions: ");
+ if (sshbuf_len(key->cert->extensions) == 0)
+ printf("(none)\n");
+ else {
+ printf("\n");
+ show_options(key->cert->extensions, 0);
}
exit(0);
}
-/* $OpenBSD: sshd.c,v 1.450 2015/05/24 23:39:16 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.451 2015/07/03 03:43:18 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if (key == NULL)
continue;
switch (key->type) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
for (i = 0; i < options.num_host_key_files; i++) {
switch (type) {
- case KEY_RSA_CERT_V00:
- case KEY_DSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
-/* $OpenBSD: sshkey.c,v 1.19 2015/05/21 04:55:51 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
KEY_ECDSA_CERT, NID_secp521r1, 1 },
# endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */
- { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
- KEY_RSA_CERT_V00, 0, 1 },
- { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
- KEY_DSA_CERT_V00, 0, 1 },
#endif /* WITH_OPENSSL */
{ NULL, NULL, -1, -1, 0 }
};
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
return BN_num_bits(k->rsa->n);
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return BN_num_bits(k->dsa->p);
case KEY_ECDSA:
return 0;
}
-int
-sshkey_cert_is_legacy(const struct sshkey *k)
-{
- switch (k->type) {
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
- return 1;
- default:
- return 0;
- }
-}
-
static int
sshkey_type_is_valid_ca(int type)
{
sshkey_type_plain(int type)
{
switch (type) {
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
return KEY_RSA;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
return KEY_DSA;
case KEY_ECDSA_CERT:
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((rsa = RSA_new()) == NULL ||
(rsa->n = BN_new()) == NULL ||
k->rsa = rsa;
break;
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((dsa = DSA_new()) == NULL ||
(dsa->p = BN_new()) == NULL ||
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
if (bn_maybe_alloc_failed(k->rsa->d) ||
return SSH_ERR_ALLOC_FAIL;
break;
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (bn_maybe_alloc_failed(k->dsa->priv_key))
return SSH_ERR_ALLOC_FAIL;
#ifdef WITH_OPENSSL
case KEY_RSA1:
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if (k->rsa != NULL)
RSA_free(k->rsa);
k->rsa = NULL;
break;
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (k->dsa != NULL)
DSA_free(k->dsa);
switch (a->type) {
#ifdef WITH_OPENSSL
case KEY_RSA1:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return a->rsa != NULL && b->rsa != NULL &&
BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
BN_cmp(a->rsa->n, b->rsa->n) == 0;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return a->dsa != NULL && b->dsa != NULL &&
switch (type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
case KEY_DSA:
case KEY_ECDSA:
case KEY_ED25519:
- case KEY_DSA_CERT_V00:
- case KEY_RSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_RSA_CERT:
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((n = sshkey_new(k->type)) == NULL)
return SSH_ERR_ALLOC_FAIL;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
case KEY_RSA1:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((n = sshkey_new(k->type)) == NULL)
return SSH_ERR_ALLOC_FAIL;
u_char *sig = NULL;
size_t signed_len = 0, slen = 0, kidlen = 0;
int ret = SSH_ERR_INTERNAL_ERROR;
- int v00 = sshkey_cert_is_legacy(key);
/* Copy the entire key blob for verification and later serialisation */
if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
return ret;
- if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) ||
+ /* Parse body of certificate up to signature */
+ if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
(ret = sshbuf_froms(b, &principals)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
(ret = sshbuf_froms(b, &crit)) != 0 ||
- (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) ||
- (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
+ (ret = sshbuf_froms(b, &exts)) != 0 ||
(ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
(ret = sshbuf_froms(b, &ca)) != 0) {
/* XXX debug print error for ret */
goto out;
}
oprincipals = key->cert->principals;
- key->cert->principals = realloc(key->cert->principals,
- (key->cert->nprincipals + 1) *
- sizeof(*key->cert->principals));
+ key->cert->principals = reallocarray(key->cert->principals,
+ key->cert->nprincipals + 1, sizeof(*key->cert->principals));
if (key->cert->principals == NULL) {
free(principal);
key->cert->principals = oprincipals;
/*
* Validate critical options and extensions sections format.
- * NB. extensions are not present in v00 certs.
*/
while (sshbuf_len(crit) != 0) {
if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
}
/* FALLTHROUGH */
case KEY_RSA:
- case KEY_RSA_CERT_V00:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* FALLTHROUGH */
case KEY_DSA:
- case KEY_DSA_CERT_V00:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
case KEY_ECDSA:
return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
# endif /* OPENSSL_HAS_ECC */
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
case KEY_ECDSA:
return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
# endif /* OPENSSL_HAS_ECC */
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
switch (k->type) {
#ifdef WITH_OPENSSL
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
goto fail;
}
break;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((ret = sshkey_cert_copy(k, pk)) != 0)
goto fail;
/* Convert a plain key to their _CERT equivalent */
int
-sshkey_to_certified(struct sshkey *k, int legacy)
+sshkey_to_certified(struct sshkey *k)
{
int newtype;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
- newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
+ newtype = KEY_RSA_CERT;
break;
case KEY_DSA:
- newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
+ newtype = KEY_DSA_CERT;
break;
case KEY_ECDSA:
- if (legacy)
- return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ECDSA_CERT;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
- if (legacy)
- return SSH_ERR_INVALID_ARGUMENT;
newtype = KEY_ED25519_CERT;
break;
default:
/* -v01 certs put nonce first */
arc4random_buf(&nonce, sizeof(nonce));
- if (!sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
- goto out;
- }
+ if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
+ goto out;
/* XXX this substantially duplicates to_blob(); refactor */
switch (k->type) {
#ifdef WITH_OPENSSL
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
(ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
goto out;
break;
# endif /* OPENSSL_HAS_ECC */
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
(ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
goto out;
}
- /* -v01 certs have a serial number next */
- if (!sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
- goto out;
- }
-
- if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
+ if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
+ (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
goto out;
if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
- (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0)
- goto out;
-
- /* -v01 certs have non-critical options here */
- if (!sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
- goto out;
- }
-
- /* -v00 certs put the nonce at the end */
- if (sshkey_cert_is_legacy(k)) {
- if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
- goto out;
- }
-
- if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
+ (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
+ (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
+ (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
goto out;
(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
goto out;
break;
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
goto out;
break;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
goto out;
break;
- case KEY_DSA_CERT_V00:
case KEY_DSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
(r = rsa_generate_additional_parameters(k->rsa)) != 0)
goto out;
break;
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshkey_add_private(k)) != 0 ||
/* enable blinding */
switch (k->type) {
case KEY_RSA:
- case KEY_RSA_CERT_V00:
case KEY_RSA_CERT:
case KEY_RSA1:
if (RSA_blinding_on(k->rsa, NULL) != 1) {
-/* $OpenBSD: sshkey.h,v 1.6 2015/05/21 04:55:51 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.7 2015/07/03 03:43:18 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
KEY_DSA_CERT,
KEY_ECDSA_CERT,
KEY_ED25519_CERT,
- KEY_RSA_CERT_V00,
- KEY_DSA_CERT_V00,
KEY_UNSPEC
};
int sshkey_is_cert(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
-int sshkey_to_certified(struct sshkey *, int);
+int sshkey_to_certified(struct sshkey *);
int sshkey_drop_cert(struct sshkey *);
int sshkey_certify(struct sshkey *, struct sshkey *);
int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
int sshkey_cert_check_authority(const struct sshkey *, int, int,
const char *, const char **);
-int sshkey_cert_is_legacy(const struct sshkey *);
int sshkey_ecdsa_nid_from_name(const char *);
int sshkey_curve_name_to_nid(const char *);
projects / thirdparty / openssh-portable.git / commitdiff
