Commit 5467fbcb authored by markus@openbsd.org's avatar markus@openbsd.org Committed by Damien Miller

upstream: remove legacy key emulation layer; ok djm@

OpenBSD-Commit-ID: 2b1f9619259e222bbd4fe9a8d3a0973eafb9dd8d
parent 5dc4c59d
......@@ -90,7 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
compat.o crc32.o fatal.o hostfile.o \
log.o match.o moduli.o nchan.o packet.o opacket.o \
readpass.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
atomicio.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
......
/* $OpenBSD: auth2.c,v 1.148 2018/07/09 21:35:50 markus Exp $ */
/* $OpenBSD: auth2.c,v 1.149 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
......@@ -45,7 +45,7 @@
#include "misc.h"
#include "servconf.h"
#include "compat.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
#include "dispatch.h"
......
/* $OpenBSD: channels.c,v 1.382 2018/06/25 22:28:33 djm Exp $ */
/* $OpenBSD: channels.c,v 1.383 2018/07/11 18:53:29 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -79,7 +79,7 @@
#include "channels.h"
#include "compat.h"
#include "canohost.h"
#include "key.h"
#include "sshkey.h"
#include "authfd.h"
#include "pathnames.h"
#include "match.h"
......
/* $OpenBSD: clientloop.c,v 1.316 2018/07/09 21:20:26 markus Exp $ */
/* $OpenBSD: clientloop.c,v 1.317 2018/07/11 18:53:29 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -95,7 +95,7 @@
#include "compat.h"
#include "channels.h"
#include "dispatch.h"
#include "key.h"
#include "sshkey.h"
#include "cipher.h"
#include "kex.h"
#include "myproposal.h"
......
/* $OpenBSD: kex.h,v 1.90 2018/07/10 09:36:58 sf Exp $ */
/* $OpenBSD: kex.h,v 1.91 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
......@@ -27,7 +27,6 @@
#define KEX_H
#include "mac.h"
#include "key.h" /* XXX for typedef */
#ifdef WITH_LEAKMALLOC
#include "leakmalloc.h"
......
/* $OpenBSD: key.c,v 1.132 2017/12/18 02:25:15 djm Exp $ */
/*
* placed in the public domain
*/
#include "includes.h"
#include <sys/types.h>
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <limits.h>
#define SSH_KEY_NO_DEFINE
#include "key.h"
#include "compat.h"
#include "sshkey.h"
#include "ssherr.h"
#include "log.h"
#include "authfile.h"
static void
fatal_on_fatal_errors(int r, const char *func, int extra_fatal)
{
if (r == SSH_ERR_INTERNAL_ERROR ||
r == SSH_ERR_ALLOC_FAIL ||
(extra_fatal != 0 && r == extra_fatal))
fatal("%s: %s", func, ssh_err(r));
}
Key *
key_from_blob(const u_char *blob, u_int blen)
{
int r;
Key *ret = NULL;
if ((r = sshkey_from_blob(blob, blen, &ret)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return NULL;
}
return ret;
}
int
key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
{
u_char *blob;
size_t blen;
int r;
if (blobp != NULL)
*blobp = NULL;
if (lenp != NULL)
*lenp = 0;
if ((r = sshkey_to_blob(key, &blob, &blen)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return 0;
}
if (blen > INT_MAX)
fatal("%s: giant len %zu", __func__, blen);
if (blobp != NULL)
*blobp = blob;
if (lenp != NULL)
*lenp = blen;
return blen;
}
int
key_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen, const char *alg)
{
int r;
u_char *sig;
size_t siglen;
if (sigp != NULL)
*sigp = NULL;
if (lenp != NULL)
*lenp = 0;
if ((r = sshkey_sign(key, &sig, &siglen,
data, datalen, alg, datafellows)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;
}
if (siglen > INT_MAX)
fatal("%s: giant len %zu", __func__, siglen);
if (sigp != NULL)
*sigp = sig;
if (lenp != NULL)
*lenp = siglen;
return 0;
}
Key *
key_demote(const Key *k)
{
int r;
Key *ret = NULL;
if ((r = sshkey_demote(k, &ret)) != 0)
fatal("%s: %s", __func__, ssh_err(r));
return ret;
}
int
key_drop_cert(Key *k)
{
int r;
if ((r = sshkey_drop_cert(k)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;
}
return 0;
}
int
key_cert_check_authority(const Key *k, int want_host, int require_principal,
const char *name, const char **reason)
{
int r;
if ((r = sshkey_cert_check_authority(k, want_host, require_principal,
name, reason)) != 0) {
fatal_on_fatal_errors(r, __func__, 0);
error("%s: %s", __func__, ssh_err(r));
return -1;
}
return 0;
}
/* authfile.c */
Key *
key_load_cert(const char *filename)
{
int r;
Key *ret = NULL;
if ((r = sshkey_load_cert(filename, &ret)) != 0) {
fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
/* Old authfile.c ignored all file errors. */
if (r == SSH_ERR_SYSTEM_ERROR)
debug("%s: %s", __func__, ssh_err(r));
else
error("%s: %s", __func__, ssh_err(r));
return NULL;
}
return ret;
}
Key *
key_load_public(const char *filename, char **commentp)
{
int r;
Key *ret = NULL;
if ((r = sshkey_load_public(filename, &ret, commentp)) != 0) {
fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
/* Old authfile.c ignored all file errors. */
if (r == SSH_ERR_SYSTEM_ERROR)
debug("%s: %s", __func__, ssh_err(r));
else
error("%s: %s", __func__, ssh_err(r));
return NULL;
}
return ret;
}
Key *
key_load_private(const char *path, const char *passphrase,
char **commentp)
{
int r;
Key *ret = NULL;
if ((r = sshkey_load_private(path, passphrase, &ret, commentp)) != 0) {
fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
/* Old authfile.c ignored all file errors. */
if (r == SSH_ERR_SYSTEM_ERROR ||
r == SSH_ERR_KEY_WRONG_PASSPHRASE)
debug("%s: %s", __func__, ssh_err(r));
else
error("%s: %s", __func__, ssh_err(r));
return NULL;
}
return ret;
}
Key *
key_load_private_cert(int type, const char *filename, const char *passphrase,
int *perm_ok)
{
int r;
Key *ret = NULL;
if ((r = sshkey_load_private_cert(type, filename, passphrase,
&ret, perm_ok)) != 0) {
fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
/* Old authfile.c ignored all file errors. */
if (r == SSH_ERR_SYSTEM_ERROR ||
r == SSH_ERR_KEY_WRONG_PASSPHRASE)
debug("%s: %s", __func__, ssh_err(r));
else
error("%s: %s", __func__, ssh_err(r));
return NULL;
}
return ret;
}
Key *
key_load_private_type(int type, const char *filename, const char *passphrase,
char **commentp, int *perm_ok)
{
int r;
Key *ret = NULL;
if ((r = sshkey_load_private_type(type, filename, passphrase,
&ret, commentp, perm_ok)) != 0) {
fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
/* Old authfile.c ignored all file errors. */
if (r == SSH_ERR_SYSTEM_ERROR ||
(r == SSH_ERR_KEY_WRONG_PASSPHRASE))
debug("%s: %s", __func__, ssh_err(r));
else
error("%s: %s", __func__, ssh_err(r));
return NULL;
}
return ret;
}
/* $OpenBSD: key.h,v 1.52 2017/12/18 02:25:15 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef KEY_H
#define KEY_H
#include "sshkey.h"
typedef struct sshkey Key;
#define types sshkey_types
#define fp_type sshkey_fp_type
#define fp_rep sshkey_fp_rep
#ifndef SSH_KEY_NO_DEFINE
#define key_free sshkey_free
#define key_equal_public sshkey_equal_public
#define key_equal sshkey_equal
#define key_type sshkey_type
#define key_ssh_name sshkey_ssh_name
#define key_ssh_name_plain sshkey_ssh_name_plain
#define key_type_from_name sshkey_type_from_name
#define key_is_cert sshkey_is_cert
#define key_type_plain sshkey_type_plain
#endif
void key_free(Key *);
Key *key_demote(const Key *);
int key_drop_cert(Key *);
int key_cert_check_authority(const Key *, int, int, const char *,
const char **);
Key *key_from_blob(const u_char *, u_int);
int key_to_blob(const Key *, u_char **, u_int *);
int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int,
const char *);
/* authfile.c */
Key *key_load_cert(const char *);
Key *key_load_public(const char *, char **);
Key *key_load_private(const char *, const char *, char **);
Key *key_load_private_cert(int, const char *, const char *, int *);
Key *key_load_private_type(int, const char *, const char *, char **, int *);
#endif
......@@ -168,7 +168,7 @@
#include <unistd.h>
#include "xmalloc.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "ssh.h"
#include "loginrec.h"
......
/* $OpenBSD: monitor.c,v 1.184 2018/07/10 09:13:30 djm Exp $ */
/* $OpenBSD: monitor.c,v 1.185 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
......@@ -68,7 +68,7 @@
#include "atomicio.h"
#include "xmalloc.h"
#include "ssh.h"
#include "key.h"
#include "sshkey.h"
#include "sshbuf.h"
#include "hostfile.h"
#include "auth.h"
......@@ -630,14 +630,15 @@ mm_answer_sign(int sock, struct sshbuf *m)
char *alg = NULL;
size_t datlen, siglen, alglen;
int r, is_proof = 0;
u_int keyid;
u_int keyid, compat;
const char proof_req[] = "hostkeys-prove-00@openssh.com";
debug3("%s", __func__);
if ((r = sshbuf_get_u32(m, &keyid)) != 0 ||
(r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
(r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
(r = sshbuf_get_cstring(m, &alg, &alglen)) != 0 ||
(r = sshbuf_get_u32(m, &compat)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (keyid > INT_MAX)
fatal("%s: invalid key ID", __func__);
......@@ -687,13 +688,13 @@ mm_answer_sign(int sock, struct sshbuf *m)
if ((key = get_hostkey_by_index(keyid)) != NULL) {
if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
datafellows)) != 0)
compat)) != 0)
fatal("%s: sshkey_sign failed: %s",
__func__, ssh_err(r));
} else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
auth_sock > 0) {
if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen,
p, datlen, alg, datafellows)) != 0) {
p, datlen, alg, compat)) != 0) {
fatal("%s: ssh_agent_sign failed: %s",
__func__, ssh_err(r));
}
......@@ -1208,7 +1209,7 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
if (key != NULL && authctxt->valid) {
/* These should not make it past the privsep child */
if (key_type_plain(key->type) == KEY_RSA &&
if (sshkey_type_plain(key->type) == KEY_RSA &&
(datafellows & SSH_BUG_RSASIGMD5) != 0)
fatal("%s: passed a SSH_BUG_RSASIGMD5 key", __func__);
......
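Review bot: In mm_answer_sign the `compat` word handed to sshkey_sign() and ssh_agent_sign() is now read from the request buffer, i.e. supplied by the unprivileged privsep child, whereas the replaced code used the monitor's own `datafellows`, which mm_answer_keyallowed in the same file still consults for its SSH_BUG_RSASIGMD5 check. That introduces a new child-controlled input crossing the privilege boundary and leaves the two handlers using different sources for the same flags; nothing in the hunk bounds or cross-checks the value. If the child's view is meant to be authoritative here, say so next to the `sshbuf_get_u32(m, &compat)` read, e.g. `/* compat flags come from the unprivileged child and are not validated here; XXX confirm sshkey_sign() uses them only for signature encoding */`, otherwise compare against `datafellows` or mask to the bits the monitor expects. The remainder of mm_answer_sign, including its checks on what is being signed, lies outside the hunk.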
/* $OpenBSD: monitor_wrap.c,v 1.105 2018/07/10 09:36:58 sf Exp $ */
/* $OpenBSD: monitor_wrap.c,v 1.106 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
......@@ -51,7 +51,7 @@
#include "dh.h"
#endif
#include "sshbuf.h"
#include "key.h"
#include "sshkey.h"
#include "cipher.h"
#include "kex.h"
#include "hostfile.h"
......@@ -225,12 +225,11 @@ mm_choose_dh(int min, int nbits, int max)
#endif
int
mm_key_sign(struct sshkey *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen, const char *hostkey_alg)
mm_sshkey_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, const char *hostkey_alg, u_int compat)
{
struct kex *kex = *pmonitor->m_pkex;
struct sshbuf *m;
size_t xxxlen;
u_int ndx = kex->host_key_index(key, 0, active_state);
int r;
......@@ -240,18 +239,16 @@ mm_key_sign(struct sshkey *key, u_char **sigp, u_int *lenp,
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_put_u32(m, ndx)) != 0 ||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
(r = sshbuf_put_cstring(m, hostkey_alg)) != 0)
(r = sshbuf_put_cstring(m, hostkey_alg)) != 0 ||
(r = sshbuf_put_u32(m, compat)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, m);
debug3("%s: waiting for MONITOR_ANS_SIGN", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, m);
if ((r = sshbuf_get_string(m, sigp, &xxxlen)) != 0)
if ((r = sshbuf_get_string(m, sigp, lenp)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (xxxlen > 0xffffffff)
fatal("%s: bad length %zu", __func__, xxxlen);
*lenp = xxxlen; /* XXX fix API: size_t vs u_int */
sshbuf_free(m);
return (0);
......
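Review bot: mm_sshkey_sign changes the MONITOR_REQ_SIGN wire format by appending `compat`, yet neither this hunk nor the signature hunk above documents the message layout that the monitor-side handler has to parse in lockstep. A header comment on the function, whose closing brace lies outside this hunk, would pin it down: `/* MONITOR_REQ_SIGN: u32 hostkey index, string data, cstring alg, u32 compat; reply MONITOR_ANS_SIGN: string signature */`. Removing the `xxxlen > 0xffffffff` guard looks correct now that `lenp` is a `size_t` filled directly by sshbuf_get_string(), but the note at `*lenp = xxxlen` was the only place that recorded why the conversion existed, so the new prototype deserves a one-line remark that callers pass the length through unconverted.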
/* $OpenBSD: monitor_wrap.h,v 1.37 2018/03/03 03:15:51 djm Exp $ */
/* $OpenBSD: monitor_wrap.h,v 1.38 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
......@@ -41,8 +41,8 @@ struct sshauthopt;
void mm_log_handler(LogLevel, const char *, void *);
int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
const char *);
int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
......
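Review bot: The new mm_sshkey_sign prototype names a single parameter, `u_int compat`, while every other parameter in this declaration and in the neighbouring ones (mm_choose_dh, mm_inform_authserv, mm_getpwnamallow) is left unnamed; keep the header's convention and write the last line as `const char *, u_int);`. The argument order otherwise appears to mirror sshkey_sign(), which is what callers in monitor_wrap.c pass through, so no further change is needed here.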
/* $OpenBSD: mux.c,v 1.73 2018/07/09 21:18:10 markus Exp $ */
/* $OpenBSD: mux.c,v 1.74 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
......@@ -76,7 +76,7 @@
#include "packet.h"
#include "monitor_fdpass.h"
#include "sshpty.h"
#include "key.h"
#include "sshkey.h"
#include "readconf.h"
#include "clientloop.h"
#include "ssherr.h"
......
......@@ -29,7 +29,7 @@
#include "xmalloc.h"
#include "sshbuf.h"
#include "ssherr.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
#include "ssh.h"
......
......@@ -22,7 +22,7 @@
#include "log.h"
#include "misc.h"
#include "servconf.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
#include "auth-pam.h"
......
/* $OpenBSD: servconf.c,v 1.338 2018/07/09 21:29:36 markus Exp $ */
/* $OpenBSD: servconf.c,v 1.339 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
......@@ -51,7 +51,7 @@
#include "compat.h"
#include "pathnames.h"
#include "cipher.h"
#include "key.h"
#include "sshkey.h"
#include "kex.h"
#include "mac.h"
#include "match.h"
......
/* $OpenBSD: serverloop.c,v 1.207 2018/07/09 21:29:36 markus Exp $ */
/* $OpenBSD: serverloop.c,v 1.208 2018/07/11 18:53:29 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -67,7 +67,7 @@
#include "channels.h"
#include "compat.h"
#include "ssh2.h"
#include "key.h"
#include "sshkey.h"
#include "cipher.h"
#include "kex.h"
#include "hostfile.h"
......
/* $OpenBSD: session.c,v 1.303 2018/07/09 21:26:02 markus Exp $ */
/* $OpenBSD: session.c,v 1.304 2018/07/11 18:53:29 markus Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
......@@ -75,7 +75,7 @@
#include "uidswap.h"
#include "compat.h"
#include "channels.h"
#include "key.h"
#include "sshkey.h"
#include "cipher.h"
#ifdef GSSAPI
#include "ssh-gss.h"
......
/* $OpenBSD: ssh.c,v 1.482 2018/07/09 21:03:30 markus Exp $ */
/* $OpenBSD: ssh.c,v 1.483 2018/07/11 18:53:29 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
......@@ -89,7 +89,7 @@
#include "packet.h"
#include "sshbuf.h"
#include "channels.h"
#include "key.h"
#include "sshkey.h"
#include "authfd.h"
#include "authfile.h"
#include "pathnames.h"
......@@ -503,6 +503,30 @@ resolve_canonicalize(char **hostp, int port)
return NULL;
}
/*
* Check the result of hostkey loading, ignoring some errors and
* fatal()ing for others.
*/
static void
check_load(int r, const char *path, const char *message)
{
switch (r) {
case 0:
break;
case SSH_ERR_INTERNAL_ERROR:
case SSH_ERR_ALLOC_FAIL:
fatal("load %s \"%s\": %s", message, path, ssh_err(r));
case SSH_ERR_SYSTEM_ERROR:
/* Ignore missing files */
if (errno == ENOENT)
break;
/* FALLTHROUGH */
default:
error("load %s \"%s\": %s", message, path, ssh_err(r));
break;
}
}
/*
* Read per-user configuration file. Ignore the system wide config
* file if the user specifies a config file on the command line.
......@@ -1388,7 +1412,7 @@ main(int ac, char **av)
/*
* If we successfully made the connection, load the host private key
* in case we will need it later for combined rsa-rhosts
* in case we will need it later for hostbased
* authentication. This must be done before releasing extra
* privileges, because the file is only readable by root.
* If we cannot access the private keys, load the public keys
......@@ -1400,35 +1424,32 @@ main(int ac, char **av)
if (options.hostbased_authentication) {
sensitive_data.nkeys = 11;
sensitive_data.keys = xcalloc(sensitive_data.nkeys,
sizeof(struct sshkey)); /* XXX */
for (i = 0; i < sensitive_data.nkeys; i++)
sensitive_data.keys[i] = NULL;
sizeof(struct sshkey));
/* XXX check errors? */
#define L_KEY(t,p,o) \
check_load(sshkey_load_private_type(t, p, "", \
&(sensitive_data.keys[o]), NULL, NULL), p, "key")
#define L_KEYCERT(t,p,o) \
check_load(sshkey_load_private_cert(t, p, "", \
&(sensitive_data.keys[o]), NULL), p, "cert and key")
#define L_PUBKEY(p,o) \
check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \
p, "pubkey")
#define L_CERT(p,o) \
check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert")
PRIV_START;
#ifdef OPENSSL_HAS_ECC
sensitive_data.keys[1] = key_load_private_cert(KEY_ECDSA,
_PATH_HOST_ECDSA_KEY_FILE, "", NULL);
#endif
sensitive_data.keys[2] = key_load_private_cert(KEY_ED25519,
_PATH_HOST_ED25519_KEY_FILE, "", NULL);
sensitive_data.keys[3] = key_load_private_cert(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL);
sensitive_data.keys[4] = key_load_private_cert(KEY_DSA,
_PATH_HOST_DSA_KEY_FILE, "", NULL);
#ifdef OPENSSL_HAS_ECC
sensitive_data.keys[5] = key_load_private_type(KEY_ECDSA,
_PATH_HOST_ECDSA_KEY_FILE, "", NULL, NULL);
#endif
sensitive_data.keys[6] = key_load_private_type(KEY_ED25519,
_PATH_HOST_ED25519_KEY_FILE, "", NULL, NULL);
sensitive_data.keys[7] = key_load_private_type(KEY_RSA,
_PATH_HOST_RSA_KEY_FILE, "", NULL, NULL);
sensitive_data.keys[8] = key_load_private_type(KEY_DSA,
_PATH_HOST_DSA_KEY_FILE, "", NULL, NULL);
sensitive_data.keys[9] = key_load_private_cert(KEY_XMSS,
_PATH_HOST_XMSS_KEY_FILE, "", NULL);
sensitive_data.keys[10] = key_load_private_type(KEY_XMSS,
_PATH_HOST_XMSS_KEY_FILE, "", NULL, NULL);
L_KEYCERT(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, 1);
L_KEYCERT(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, 2);
L_KEYCERT(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, 3);
L_KEYCERT(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, 4);
L_KEY(KEY_ECDSA, _PATH_HOST_ECDSA_KEY_FILE, 5);
L_KEY(KEY_ED25519, _PATH_HOST_ED25519_KEY_FILE, 6);
L_KEY(KEY_RSA, _PATH_HOST_RSA_KEY_FILE, 7);
L_KEY(KEY_DSA, _PATH_HOST_DSA_KEY_FILE, 8);
L_KEYCERT(KEY_XMSS, _PATH_HOST_XMSS_KEY_FILE, 9);
L_KEY(KEY_XMSS, _PATH_HOST_XMSS_KEY_FILE, 10);
PRIV_END;
if (options.hostbased_authentication == 1 &&
......@@ -1437,31 +1458,18 @@ main(int ac, char **av)
sensitive_data.keys[6] == NULL &&
sensitive_data.keys[7] == NULL &&
sensitive_data.keys[8] == NULL &&
sensitive_data.keys[9] == NULL) {
#ifdef OPENSSL_HAS_ECC
sensitive_data.keys[1] = key_load_cert(
_PATH_HOST_ECDSA_KEY_FILE);
#endif
sensitive_data.keys[2] = key_load_cert(
_PATH_HOST_ED25519_KEY_FILE);
sensitive_data.keys[3] = key_load_cert(
_PATH_HOST_RSA_KEY_FILE);
sensitive_data.keys[4] = key_load_cert(
_PATH_HOST_DSA_KEY_FILE);
#ifdef OPENSSL_HAS_ECC
sensitive_data.keys[5] = key_load_public(
_PATH_HOST_ECDSA_KEY_FILE, NULL);
#endif
sensitive_data.keys[6] = key_load_public(
_PATH_HOST_ED25519_KEY_FILE, NULL);
sensitive_data.keys[7] = key_load_public(
_PATH_HOST_RSA_KEY_FILE, NULL);
sensitive_data.keys[8] = key_load_public(
_PATH_HOST_DSA_KEY_FILE, NULL);
sensitive_data.keys[9] = key_load_cert(
_PATH_HOST_XMSS_KEY_FILE);
sensitive_data.keys[10] = key_load_public(
_PATH_HOST_XMSS_KEY_FILE, NULL);
sensitive_data.keys[9] == NULL &&
sensitive_data.keys[10] == NULL) {
L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 1);
L_CERT(_PATH_HOST_ED25519_KEY_FILE, 2);
L_CERT(_PATH_HOST_RSA_KEY_FILE, 3);
L_CERT(_PATH_HOST_DSA_KEY_FILE, 4);
L_PUBKEY(_PATH_HOST_ECDSA_KEY_FILE, 5);
L_PUBKEY(_PATH_HOST_ED25519_KEY_FILE, 6);
L_PUBKEY(_PATH_HOST_RSA_KEY_FILE, 7);
L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 8);
L_CERT(_PATH_HOST_XMSS_KEY_FILE, 9);
L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 10);
sensitive_data.external_keysign = 1;
}
}
......@@ -1546,7 +1554,7 @@ main(int ac, char **av)
if (sensitive_data.keys[i] != NULL) {
/* Destroys contents safely */
debug3("clear hostkey %d", i);
key_free(sensitive_data.keys[i]);
sshkey_free(sensitive_data.keys[i]);
sensitive_data.keys[i] = NULL;
}
}
......@@ -1556,7 +1564,7 @@ main(int ac, char **av)
free(options.identity_files[i]);