upstream commit

small refactor and add some convenience functions; ok markus
2015-01-26 02:59:11 +00:00 · 2015-01-26 02:59:11 +00:00 · 60b1825262
parent a5a3e3328d
commit 60b1825262
3 changed files with 86 additions and 50 deletions
--- a/krl.c
+++ b/krl.c
@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $OpenBSD: krl.c,v 1.29 2015/01/20 23:14:00 deraadt Exp $ */
+/* $OpenBSD: krl.c,v 1.30 2015/01/26 02:59:11 djm Exp $ */
 #include "includes.h"
@ -555,13 +555,10 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 		return SSH_ERR_ALLOC_FAIL;
 	/* Store the header: CA scope key, reserved */
-	if ((r = sshkey_to_blob_buf(rc->ca_key, sect)) != 0 ||
+	if ((r = sshkey_puts(rc->ca_key, buf)) != 0 ||
 	    (r = sshbuf_put_stringb(buf, sect)) != 0 ||
 	    (r = sshbuf_put_string(buf, NULL, 0)) != 0)
 		goto out;
 	sshbuf_reset(sect);
 	/* Store the revoked serials.  */
 	for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials);
 	     rs != NULL;
@ -759,14 +756,10 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
 	}
 	for (i = 0; i < nsign_keys; i++) {
-		sshbuf_reset(sect);
+		KRL_DBG(("%s: signature key %s", __func__,
-		if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0)
+		    sshkey_ssh_name(sign_keys[i])));
 			goto out;
 		KRL_DBG(("%s: signature key len %zu", __func__,
 		    sshbuf_len(sect)));
 		if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 ||
-		    (r = sshbuf_put_stringb(buf, sect)) != 0)
+		    (r = sshkey_puts(sign_keys[i], buf)) != 0)
 			goto out;
 		if ((r = sshkey_sign(sign_keys[i], &sblob, &slen,
--- a/sshkey.c
+++ b/sshkey.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.13 2015/01/16 06:40:12 deraadt Exp $ */
+/* $OpenBSD: sshkey.c,v 1.14 2015/01/26 02:59:11 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@ -73,7 +73,7 @@
 /* Version identification string for SSH v1 identity files. */
 #define LEGACY_BEGIN		"SSH PRIVATE KEY FILE FORMAT 1.1\n"
-static int sshkey_from_blob_internal(const u_char *blob, size_t blen,
+static int sshkey_from_blob_internal(struct sshbuf *buf,
    struct sshkey **keyp, int allow_cert);
 /* Supported key types */
@ -824,13 +824,28 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
 }
 int
-sshkey_to_blob_buf(const struct sshkey *key, struct sshbuf *b)
+sshkey_putb(const struct sshkey *key, struct sshbuf *b)
 {
 	return to_blob_buf(key, b, 0);
 }
 int
-sshkey_plain_to_blob_buf(const struct sshkey *key, struct sshbuf *b)
+sshkey_puts(const struct sshkey *key, struct sshbuf *b)
 {
 	struct sshbuf *tmp;
 	int r;
 	if ((tmp = sshbuf_new()) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 	r = to_blob_buf(key, tmp, 0);
 	if (r == 0)
 		r = sshbuf_put_stringb(b, tmp);
 	sshbuf_free(tmp);
 	return r;
 }
 int
 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
 {
 	return to_blob_buf(key, b, 1);
 }
@ -1450,7 +1465,7 @@ sshkey_write(const struct sshkey *key, FILE *f)
 			ret = SSH_ERR_ALLOC_FAIL;
 			goto out;
 		}
-		if ((ret = sshkey_to_blob_buf(key, bb)) != 0)
+		if ((ret = sshkey_putb(key, bb)) != 0)
 			goto out;
 		if ((uu = sshbuf_dtob64(bb)) == NULL) {
 			ret = SSH_ERR_ALLOC_FAIL;
@ -1827,17 +1842,17 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
 }
 static int
-cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob,
+cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
    size_t blen)
 {
-	struct sshbuf *principals = NULL, *crit = NULL, *exts = NULL;
+	struct sshbuf *principals = NULL, *crit = NULL;
-	u_char *sig_key = NULL, *sig = NULL;
+	struct sshbuf *exts = NULL, *ca = NULL;
-	size_t signed_len = 0, sklen = 0, slen = 0, kidlen = 0;
+	u_char *sig = NULL;
 	size_t signed_len = 0, slen = 0, kidlen = 0;
 	int ret = SSH_ERR_INTERNAL_ERROR;
 	int v00 = sshkey_cert_is_legacy(key);
 	/* Copy the entire key blob for verification and later serialisation */
-	if ((ret = sshbuf_put(key->cert->certblob, blob, blen)) != 0)
+	if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
 		return ret;
 	if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) ||
@ -1850,7 +1865,7 @@ cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob,
 	    (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) ||
 	    (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
 	    (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
-	    (ret = sshbuf_get_string(b, &sig_key, &sklen)) != 0) {
+	    (ret = sshbuf_froms(b, &ca)) != 0) {
 		/* XXX debug print error for ret */
 		ret = SSH_ERR_INVALID_FORMAT;
 		goto out;
@ -1928,8 +1943,7 @@ cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob,
 	}
 	/* Parse CA key and check signature */
-	if (sshkey_from_blob_internal(sig_key, sklen,
+	if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
 	    &key->cert->signature_key, 0) != 0) {
 		ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
 		goto out;
 	}
@ -1944,34 +1958,36 @@ cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob,
 	/* Success */
 	ret = 0;
 out:
 	sshbuf_free(ca);
 	sshbuf_free(crit);
 	sshbuf_free(exts);
 	sshbuf_free(principals);
 	free(sig_key);
 	free(sig);
 	return ret;
 }
 static int
-sshkey_from_blob_internal(const u_char *blob, size_t blen,
+sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
-    struct sshkey **keyp, int allow_cert)
+    int allow_cert)
 {
 	struct sshbuf *b = NULL;
 	int type, ret = SSH_ERR_INTERNAL_ERROR;
 	char *ktype = NULL, *curve = NULL;
 	struct sshkey *key = NULL;
 	size_t len;
 	u_char *pk = NULL;
 	struct sshbuf *copy;
 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
 	EC_POINT *q = NULL;
 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
 #ifdef DEBUG_PK /* XXX */
-	dump_base64(stderr, blob, blen);
+	sshbuf_dump(b, stderr);
 #endif
 	*keyp = NULL;
-	if ((b = sshbuf_from(blob, blen)) == NULL)
+	if ((copy = sshbuf_fromb(b)) == NULL) {
-		return SSH_ERR_ALLOC_FAIL;
+		ret = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
 	if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
 		ret = SSH_ERR_INVALID_FORMAT;
 		goto out;
@ -1985,6 +2001,7 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 	switch (type) {
 #ifdef WITH_OPENSSL
 	case KEY_RSA_CERT:
 		/* Skip nonce */
 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
 			ret = SSH_ERR_INVALID_FORMAT;
 			goto out;
@ -2006,6 +2023,7 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 #endif
 		break;
 	case KEY_DSA_CERT:
 		/* Skip nonce */
 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
 			ret = SSH_ERR_INVALID_FORMAT;
 			goto out;
@ -2029,6 +2047,7 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 #endif
 		break;
 	case KEY_ECDSA_CERT:
 		/* Skip nonce */
 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
 			ret = SSH_ERR_INVALID_FORMAT;
 			goto out;
@ -2081,6 +2100,7 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 	case KEY_ED25519_CERT:
 		/* Skip nonce */
 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
 			ret = SSH_ERR_INVALID_FORMAT;
 			goto out;
@ -2112,8 +2132,7 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 	}
 	/* Parse certificate potion */
-	if (sshkey_is_cert(key) &&
+	if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
 	   (ret = cert_parse(b, key, blob, blen)) != 0)
 		goto out;
 	if (key != NULL && sshbuf_len(b) != 0) {
@ -2124,7 +2143,7 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 	*keyp = key;
 	key = NULL;
 out:
-	sshbuf_free(b);
+	sshbuf_free(copy);
 	sshkey_free(key);
 	free(ktype);
 	free(curve);
@ -2139,7 +2158,33 @@ sshkey_from_blob_internal(const u_char *blob, size_t blen,
 int
 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
 {
-	return sshkey_from_blob_internal(blob, blen, keyp, 1);
+	struct sshbuf *b;
 	int r;
 	if ((b = sshbuf_from(blob, blen)) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
 	r = sshkey_from_blob_internal(b, keyp, 1);
 	sshbuf_free(b);
 	return r;
 }
 int
 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
 {
 	return sshkey_from_blob_internal(b, keyp, 1);
 }
 int
 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
 {
 	struct sshbuf *b;
 	int r;
 	if ((r = sshbuf_froms(buf, &b)) != 0)
 		return r;
 	r = sshkey_from_blob_internal(b, keyp, 1);
 	sshbuf_free(b);
 	return r;
 }
 int
@ -2644,8 +2689,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 {
 	char *tname = NULL, *curve = NULL;
 	struct sshkey *k = NULL;
-	const u_char *cert;
+	size_t pklen = 0, sklen = 0;
 	size_t len, pklen = 0, sklen = 0;
 	int type, r = SSH_ERR_INTERNAL_ERROR;
 	u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
 #ifdef WITH_OPENSSL
@ -2673,8 +2717,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 		break;
 	case KEY_DSA_CERT_V00:
 	case KEY_DSA_CERT:
-		if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+		if ((r = sshkey_froms(buf, &k)) != 0 ||
 		    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
 		    (r = sshkey_add_private(k)) != 0 ||
 		    (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
 			goto out;
@ -2717,8 +2760,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 			r = SSH_ERR_LIBCRYPTO_ERROR;
 			goto out;
 		}
-		if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+		if ((r = sshkey_froms(buf, &k)) != 0 ||
 		    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
 		    (r = sshkey_add_private(k)) != 0 ||
 		    (r = sshbuf_get_bignum2(buf, exponent)) != 0)
 			goto out;
@ -2748,8 +2790,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 		break;
 	case KEY_RSA_CERT_V00:
 	case KEY_RSA_CERT:
-		if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+		if ((r = sshkey_froms(buf, &k)) != 0 ||
 		    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
 		    (r = sshkey_add_private(k)) != 0 ||
 		    (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
 		    (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
@ -2776,8 +2817,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 		ed25519_pk = ed25519_sk = NULL;
 		break;
 	case KEY_ED25519_CERT:
-		if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+		if ((r = sshkey_froms(buf, &k)) != 0 ||
 		    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
 		    (r = sshkey_add_private(k)) != 0 ||
 		    (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
 		    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
--- a/sshkey.h
+++ b/sshkey.h
@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.4 2015/01/13 07:39:19 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.5 2015/01/26 02:59:11 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@ -160,10 +160,13 @@ int		 sshkey_names_valid2(const char *, int);
 char		*key_alg_list(int, int);
 int	 sshkey_from_blob(const u_char *, size_t, struct sshkey **);
-int	 sshkey_to_blob_buf(const struct sshkey *, struct sshbuf *);
+int	 sshkey_fromb(struct sshbuf *, struct sshkey **);
 int	 sshkey_froms(struct sshbuf *, struct sshkey **);
 int	 sshkey_to_blob(const struct sshkey *, u_char **, size_t *);
-int	 sshkey_plain_to_blob_buf(const struct sshkey *, struct sshbuf *);
+int	 sshkey_putb(const struct sshkey *, struct sshbuf *);
 int	 sshkey_puts(const struct sshkey *, struct sshbuf *);
 int	 sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *);
 int	 sshkey_putb_plain(const struct sshkey *, struct sshbuf *);
 int	 sshkey_sign(const struct sshkey *, u_char **, size_t *,
    const u_char *, size_t, u_int);