1 /* $OpenBSD: sshkey.c,v 1.148 2024/12/03 15:53:51 tb Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <sys/mman.h> 30 #include <netinet/in.h> 31 32 #ifdef WITH_OPENSSL 33 #include <openssl/evp.h> 34 #include <openssl/err.h> 35 #include <openssl/pem.h> 36 #endif 37 38 #include "crypto_api.h" 39 40 #include <errno.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <util.h> 45 #include <limits.h> 46 #include <resolv.h> 47 48 #include "ssh2.h" 49 #include "ssherr.h" 50 #include "misc.h" 51 #include "sshbuf.h" 52 #include "cipher.h" 53 #include "digest.h" 54 #define SSHKEY_INTERNAL 55 #include "sshkey.h" 56 #include "match.h" 57 #include "ssh-sk.h" 58 59 #ifdef WITH_XMSS 60 #include "sshkey-xmss.h" 61 #include "xmss_fast.h" 62 #endif 63 64 /* openssh private key file format */ 65 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 66 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 67 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 68 #define MARK_END_LEN (sizeof(MARK_END) - 1) 69 #define KDFNAME "bcrypt" 70 #define AUTH_MAGIC "openssh-key-v1" 71 #define SALT_LEN 16 72 #define DEFAULT_CIPHERNAME "aes256-ctr" 73 #define DEFAULT_ROUNDS 24 74 75 /* 76 * Constants relating to "shielding" support; protection of keys expected 77 * to remain in memory for long durations 78 */ 79 #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) 80 #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ 81 #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 82 83 int sshkey_private_serialize_opt(struct sshkey *key, 84 struct sshbuf *buf, enum sshkey_serialize_rep); 85 static int sshkey_from_blob_internal(struct sshbuf *buf, 86 struct sshkey **keyp, int allow_cert); 87 88 /* Supported key types */ 89 extern const struct sshkey_impl sshkey_ed25519_impl; 90 extern const struct sshkey_impl sshkey_ed25519_cert_impl; 91 extern const struct sshkey_impl sshkey_ed25519_sk_impl; 92 extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl; 93 #ifdef WITH_OPENSSL 94 extern const struct sshkey_impl sshkey_ecdsa_sk_impl; 95 extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl; 96 extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl; 97 extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl; 98 extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl; 99 extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl; 100 extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl; 101 extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl; 102 extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl; 103 extern const struct sshkey_impl sshkey_rsa_impl; 104 extern const struct sshkey_impl sshkey_rsa_cert_impl; 105 extern const struct sshkey_impl sshkey_rsa_sha256_impl; 106 extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl; 107 extern const struct sshkey_impl sshkey_rsa_sha512_impl; 108 extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl; 109 # ifdef WITH_DSA 110 extern const struct sshkey_impl sshkey_dss_impl; 111 extern const struct sshkey_impl sshkey_dsa_cert_impl; 112 # endif 113 #endif /* WITH_OPENSSL */ 114 #ifdef WITH_XMSS 115 extern const struct sshkey_impl sshkey_xmss_impl; 116 extern const struct sshkey_impl sshkey_xmss_cert_impl; 117 #endif 118 119 const struct sshkey_impl * const keyimpls[] = { 120 &sshkey_ed25519_impl, 121 &sshkey_ed25519_cert_impl, 122 &sshkey_ed25519_sk_impl, 123 &sshkey_ed25519_sk_cert_impl, 124 #ifdef WITH_OPENSSL 125 &sshkey_ecdsa_nistp256_impl, 126 &sshkey_ecdsa_nistp256_cert_impl, 127 &sshkey_ecdsa_nistp384_impl, 128 &sshkey_ecdsa_nistp384_cert_impl, 129 &sshkey_ecdsa_nistp521_impl, 130 &sshkey_ecdsa_nistp521_cert_impl, 131 &sshkey_ecdsa_sk_impl, 132 &sshkey_ecdsa_sk_cert_impl, 133 &sshkey_ecdsa_sk_webauthn_impl, 134 # ifdef WITH_DSA 135 &sshkey_dss_impl, 136 &sshkey_dsa_cert_impl, 137 # endif 138 &sshkey_rsa_impl, 139 &sshkey_rsa_cert_impl, 140 &sshkey_rsa_sha256_impl, 141 &sshkey_rsa_sha256_cert_impl, 142 &sshkey_rsa_sha512_impl, 143 &sshkey_rsa_sha512_cert_impl, 144 #endif /* WITH_OPENSSL */ 145 #ifdef WITH_XMSS 146 &sshkey_xmss_impl, 147 &sshkey_xmss_cert_impl, 148 #endif 149 NULL 150 }; 151 152 static const struct sshkey_impl * 153 sshkey_impl_from_type(int type) 154 { 155 int i; 156 157 for (i = 0; keyimpls[i] != NULL; i++) { 158 if (keyimpls[i]->type == type) 159 return keyimpls[i]; 160 } 161 return NULL; 162 } 163 164 static const struct sshkey_impl * 165 sshkey_impl_from_type_nid(int type, int nid) 166 { 167 int i; 168 169 for (i = 0; keyimpls[i] != NULL; i++) { 170 if (keyimpls[i]->type == type && 171 (keyimpls[i]->nid == 0 || keyimpls[i]->nid == nid)) 172 return keyimpls[i]; 173 } 174 return NULL; 175 } 176 177 static const struct sshkey_impl * 178 sshkey_impl_from_key(const struct sshkey *k) 179 { 180 if (k == NULL) 181 return NULL; 182 return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid); 183 } 184 185 const char * 186 sshkey_type(const struct sshkey *k) 187 { 188 const struct sshkey_impl *impl; 189 190 if ((impl = sshkey_impl_from_key(k)) == NULL) 191 return "unknown"; 192 return impl->shortname; 193 } 194 195 static const char * 196 sshkey_ssh_name_from_type_nid(int type, int nid) 197 { 198 const struct sshkey_impl *impl; 199 200 if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL) 201 return "ssh-unknown"; 202 return impl->name; 203 } 204 205 int 206 sshkey_type_is_cert(int type) 207 { 208 const struct sshkey_impl *impl; 209 210 if ((impl = sshkey_impl_from_type(type)) == NULL) 211 return 0; 212 return impl->cert; 213 } 214 215 const char * 216 sshkey_ssh_name(const struct sshkey *k) 217 { 218 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 219 } 220 221 const char * 222 sshkey_ssh_name_plain(const struct sshkey *k) 223 { 224 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 225 k->ecdsa_nid); 226 } 227 228 static int 229 type_from_name(const char *name, int allow_short) 230 { 231 int i; 232 const struct sshkey_impl *impl; 233 234 for (i = 0; keyimpls[i] != NULL; i++) { 235 impl = keyimpls[i]; 236 if (impl->name != NULL && strcmp(name, impl->name) == 0) 237 return impl->type; 238 /* Only allow shortname matches for plain key types */ 239 if (allow_short && !impl->cert && impl->shortname != NULL && 240 strcasecmp(impl->shortname, name) == 0) 241 return impl->type; 242 } 243 return KEY_UNSPEC; 244 } 245 246 int 247 sshkey_type_from_name(const char *name) 248 { 249 return type_from_name(name, 0); 250 } 251 252 int 253 sshkey_type_from_shortname(const char *name) 254 { 255 return type_from_name(name, 1); 256 } 257 258 static int 259 key_type_is_ecdsa_variant(int type) 260 { 261 switch (type) { 262 case KEY_ECDSA: 263 case KEY_ECDSA_CERT: 264 case KEY_ECDSA_SK: 265 case KEY_ECDSA_SK_CERT: 266 return 1; 267 } 268 return 0; 269 } 270 271 int 272 sshkey_ecdsa_nid_from_name(const char *name) 273 { 274 int i; 275 276 for (i = 0; keyimpls[i] != NULL; i++) { 277 if (!key_type_is_ecdsa_variant(keyimpls[i]->type)) 278 continue; 279 if (keyimpls[i]->name != NULL && 280 strcmp(name, keyimpls[i]->name) == 0) 281 return keyimpls[i]->nid; 282 } 283 return -1; 284 } 285 286 int 287 sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) 288 { 289 int ktype; 290 291 if (sigalgs == NULL || *sigalgs == '\0' || 292 (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) 293 return 0; 294 else if (ktype == KEY_RSA) { 295 return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || 296 match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || 297 match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; 298 } else if (ktype == KEY_RSA_CERT) { 299 return match_pattern_list("ssh-rsa-cert-v01@openssh.com", 300 sigalgs, 0) == 1 || 301 match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", 302 sigalgs, 0) == 1 || 303 match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", 304 sigalgs, 0) == 1; 305 } else 306 return match_pattern_list(keyname, sigalgs, 0) == 1; 307 } 308 309 char * 310 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 311 { 312 char *tmp, *ret = NULL; 313 size_t i, nlen, rlen = 0; 314 const struct sshkey_impl *impl; 315 316 for (i = 0; keyimpls[i] != NULL; i++) { 317 impl = keyimpls[i]; 318 if (impl->name == NULL) 319 continue; 320 if (!include_sigonly && impl->sigonly) 321 continue; 322 if ((certs_only && !impl->cert) || (plain_only && impl->cert)) 323 continue; 324 if (ret != NULL) 325 ret[rlen++] = sep; 326 nlen = strlen(impl->name); 327 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 328 free(ret); 329 return NULL; 330 } 331 ret = tmp; 332 memcpy(ret + rlen, impl->name, nlen + 1); 333 rlen += nlen; 334 } 335 return ret; 336 } 337 338 int 339 sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only) 340 { 341 char *s, *cp, *p; 342 const struct sshkey_impl *impl; 343 int i, type; 344 345 if (names == NULL || strcmp(names, "") == 0) 346 return 0; 347 if ((s = cp = strdup(names)) == NULL) 348 return 0; 349 for ((p = strsep(&cp, ",")); p && *p != '\0'; 350 (p = strsep(&cp, ","))) { 351 type = sshkey_type_from_name(p); 352 if (type == KEY_UNSPEC) { 353 if (allow_wildcard) { 354 /* 355 * Try matching key types against the string. 356 * If any has a positive or negative match then 357 * the component is accepted. 358 */ 359 impl = NULL; 360 for (i = 0; keyimpls[i] != NULL; i++) { 361 if (match_pattern_list( 362 keyimpls[i]->name, p, 0) != 0) { 363 impl = keyimpls[i]; 364 break; 365 } 366 } 367 if (impl != NULL) 368 continue; 369 } 370 free(s); 371 return 0; 372 } else if (plain_only && sshkey_type_is_cert(type)) { 373 free(s); 374 return 0; 375 } 376 } 377 free(s); 378 return 1; 379 } 380 381 u_int 382 sshkey_size(const struct sshkey *k) 383 { 384 const struct sshkey_impl *impl; 385 386 if ((impl = sshkey_impl_from_key(k)) == NULL) 387 return 0; 388 if (impl->funcs->size != NULL) 389 return impl->funcs->size(k); 390 return impl->keybits; 391 } 392 393 static int 394 sshkey_type_is_valid_ca(int type) 395 { 396 const struct sshkey_impl *impl; 397 398 if ((impl = sshkey_impl_from_type(type)) == NULL) 399 return 0; 400 /* All non-certificate types may act as CAs */ 401 return !impl->cert; 402 } 403 404 int 405 sshkey_is_cert(const struct sshkey *k) 406 { 407 if (k == NULL) 408 return 0; 409 return sshkey_type_is_cert(k->type); 410 } 411 412 int 413 sshkey_is_sk(const struct sshkey *k) 414 { 415 if (k == NULL) 416 return 0; 417 switch (sshkey_type_plain(k->type)) { 418 case KEY_ECDSA_SK: 419 case KEY_ED25519_SK: 420 return 1; 421 default: 422 return 0; 423 } 424 } 425 426 /* Return the cert-less equivalent to a certified key type */ 427 int 428 sshkey_type_plain(int type) 429 { 430 switch (type) { 431 case KEY_RSA_CERT: 432 return KEY_RSA; 433 case KEY_DSA_CERT: 434 return KEY_DSA; 435 case KEY_ECDSA_CERT: 436 return KEY_ECDSA; 437 case KEY_ECDSA_SK_CERT: 438 return KEY_ECDSA_SK; 439 case KEY_ED25519_CERT: 440 return KEY_ED25519; 441 case KEY_ED25519_SK_CERT: 442 return KEY_ED25519_SK; 443 case KEY_XMSS_CERT: 444 return KEY_XMSS; 445 default: 446 return type; 447 } 448 } 449 450 /* Return the cert equivalent to a plain key type */ 451 static int 452 sshkey_type_certified(int type) 453 { 454 switch (type) { 455 case KEY_RSA: 456 return KEY_RSA_CERT; 457 case KEY_DSA: 458 return KEY_DSA_CERT; 459 case KEY_ECDSA: 460 return KEY_ECDSA_CERT; 461 case KEY_ECDSA_SK: 462 return KEY_ECDSA_SK_CERT; 463 case KEY_ED25519: 464 return KEY_ED25519_CERT; 465 case KEY_ED25519_SK: 466 return KEY_ED25519_SK_CERT; 467 case KEY_XMSS: 468 return KEY_XMSS_CERT; 469 default: 470 return -1; 471 } 472 } 473 474 #ifdef WITH_OPENSSL 475 static const EVP_MD * 476 ssh_digest_to_md(int hash_alg) 477 { 478 switch (hash_alg) { 479 case SSH_DIGEST_SHA1: 480 return EVP_sha1(); 481 case SSH_DIGEST_SHA256: 482 return EVP_sha256(); 483 case SSH_DIGEST_SHA384: 484 return EVP_sha384(); 485 case SSH_DIGEST_SHA512: 486 return EVP_sha512(); 487 } 488 return NULL; 489 } 490 491 int 492 sshkey_pkey_digest_sign(EVP_PKEY *pkey, int hash_alg, u_char **sigp, 493 size_t *lenp, const u_char *data, size_t datalen) 494 { 495 EVP_MD_CTX *ctx = NULL; 496 u_char *sig = NULL; 497 int ret; 498 size_t slen; 499 const EVP_MD *evpmd; 500 501 *sigp = NULL; 502 *lenp = 0; 503 504 slen = EVP_PKEY_size(pkey); 505 if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM || 506 (evpmd = ssh_digest_to_md(hash_alg)) == NULL) 507 return SSH_ERR_INVALID_ARGUMENT; 508 509 if ((sig = malloc(slen)) == NULL) 510 return SSH_ERR_ALLOC_FAIL; 511 512 if ((ctx = EVP_MD_CTX_new()) == NULL) { 513 ret = SSH_ERR_ALLOC_FAIL; 514 goto out; 515 } 516 if (EVP_DigestSignInit(ctx, NULL, evpmd, NULL, pkey) != 1 || 517 EVP_DigestSign(ctx, sig, &slen, data, datalen) != 1) { 518 ret = SSH_ERR_LIBCRYPTO_ERROR; 519 goto out; 520 } 521 522 *sigp = sig; 523 *lenp = slen; 524 /* Now owned by the caller */ 525 sig = NULL; 526 ret = 0; 527 528 out: 529 EVP_MD_CTX_free(ctx); 530 free(sig); 531 return ret; 532 } 533 534 int 535 sshkey_pkey_digest_verify(EVP_PKEY *pkey, int hash_alg, const u_char *data, 536 size_t datalen, u_char *sigbuf, size_t siglen) 537 { 538 EVP_MD_CTX *ctx = NULL; 539 int ret = SSH_ERR_INTERNAL_ERROR; 540 const EVP_MD *evpmd; 541 542 if ((evpmd = ssh_digest_to_md(hash_alg)) == NULL) 543 return SSH_ERR_INVALID_ARGUMENT; 544 if ((ctx = EVP_MD_CTX_new()) == NULL) 545 return SSH_ERR_ALLOC_FAIL; 546 if (EVP_DigestVerifyInit(ctx, NULL, evpmd, NULL, pkey) != 1) { 547 ret = SSH_ERR_LIBCRYPTO_ERROR; 548 goto out; 549 } 550 switch (EVP_DigestVerify(ctx, sigbuf, siglen, data, datalen)) { 551 case 1: 552 ret = 0; 553 break; 554 case 0: 555 ret = SSH_ERR_SIGNATURE_INVALID; 556 break; 557 default: 558 ret = SSH_ERR_LIBCRYPTO_ERROR; 559 break; 560 } 561 562 out: 563 EVP_MD_CTX_free(ctx); 564 return ret; 565 } 566 567 /* XXX: these are really begging for a table-driven approach */ 568 int 569 sshkey_curve_name_to_nid(const char *name) 570 { 571 if (strcmp(name, "nistp256") == 0) 572 return NID_X9_62_prime256v1; 573 else if (strcmp(name, "nistp384") == 0) 574 return NID_secp384r1; 575 else if (strcmp(name, "nistp521") == 0) 576 return NID_secp521r1; 577 else 578 return -1; 579 } 580 581 u_int 582 sshkey_curve_nid_to_bits(int nid) 583 { 584 switch (nid) { 585 case NID_X9_62_prime256v1: 586 return 256; 587 case NID_secp384r1: 588 return 384; 589 case NID_secp521r1: 590 return 521; 591 default: 592 return 0; 593 } 594 } 595 596 int 597 sshkey_ecdsa_bits_to_nid(int bits) 598 { 599 switch (bits) { 600 case 256: 601 return NID_X9_62_prime256v1; 602 case 384: 603 return NID_secp384r1; 604 case 521: 605 return NID_secp521r1; 606 default: 607 return -1; 608 } 609 } 610 611 const char * 612 sshkey_curve_nid_to_name(int nid) 613 { 614 switch (nid) { 615 case NID_X9_62_prime256v1: 616 return "nistp256"; 617 case NID_secp384r1: 618 return "nistp384"; 619 case NID_secp521r1: 620 return "nistp521"; 621 default: 622 return NULL; 623 } 624 } 625 626 int 627 sshkey_ec_nid_to_hash_alg(int nid) 628 { 629 int kbits = sshkey_curve_nid_to_bits(nid); 630 631 if (kbits <= 0) 632 return -1; 633 634 /* RFC5656 section 6.2.1 */ 635 if (kbits <= 256) 636 return SSH_DIGEST_SHA256; 637 else if (kbits <= 384) 638 return SSH_DIGEST_SHA384; 639 else 640 return SSH_DIGEST_SHA512; 641 } 642 #endif /* WITH_OPENSSL */ 643 644 static void 645 cert_free(struct sshkey_cert *cert) 646 { 647 u_int i; 648 649 if (cert == NULL) 650 return; 651 sshbuf_free(cert->certblob); 652 sshbuf_free(cert->critical); 653 sshbuf_free(cert->extensions); 654 free(cert->key_id); 655 for (i = 0; i < cert->nprincipals; i++) 656 free(cert->principals[i]); 657 free(cert->principals); 658 sshkey_free(cert->signature_key); 659 free(cert->signature_type); 660 freezero(cert, sizeof(*cert)); 661 } 662 663 static struct sshkey_cert * 664 cert_new(void) 665 { 666 struct sshkey_cert *cert; 667 668 if ((cert = calloc(1, sizeof(*cert))) == NULL) 669 return NULL; 670 if ((cert->certblob = sshbuf_new()) == NULL || 671 (cert->critical = sshbuf_new()) == NULL || 672 (cert->extensions = sshbuf_new()) == NULL) { 673 cert_free(cert); 674 return NULL; 675 } 676 cert->key_id = NULL; 677 cert->principals = NULL; 678 cert->signature_key = NULL; 679 cert->signature_type = NULL; 680 return cert; 681 } 682 683 struct sshkey * 684 sshkey_new(int type) 685 { 686 struct sshkey *k; 687 const struct sshkey_impl *impl = NULL; 688 689 if (type != KEY_UNSPEC && 690 (impl = sshkey_impl_from_type(type)) == NULL) 691 return NULL; 692 693 /* All non-certificate types may act as CAs */ 694 if ((k = calloc(1, sizeof(*k))) == NULL) 695 return NULL; 696 k->type = type; 697 k->ecdsa_nid = -1; 698 if (impl != NULL && impl->funcs->alloc != NULL) { 699 if (impl->funcs->alloc(k) != 0) { 700 free(k); 701 return NULL; 702 } 703 } 704 if (sshkey_is_cert(k)) { 705 if ((k->cert = cert_new()) == NULL) { 706 sshkey_free(k); 707 return NULL; 708 } 709 } 710 711 return k; 712 } 713 714 /* Frees common FIDO fields */ 715 void 716 sshkey_sk_cleanup(struct sshkey *k) 717 { 718 free(k->sk_application); 719 sshbuf_free(k->sk_key_handle); 720 sshbuf_free(k->sk_reserved); 721 k->sk_application = NULL; 722 k->sk_key_handle = k->sk_reserved = NULL; 723 } 724 725 static int 726 sshkey_prekey_alloc(u_char **prekeyp, size_t len) 727 { 728 u_char *prekey; 729 730 *prekeyp = NULL; 731 if ((prekey = mmap(NULL, len, PROT_READ|PROT_WRITE, 732 MAP_ANON|MAP_PRIVATE|MAP_CONCEAL, -1, 0)) == MAP_FAILED) 733 return SSH_ERR_SYSTEM_ERROR; 734 *prekeyp = prekey; 735 return 0; 736 } 737 738 static void 739 sshkey_prekey_free(void *prekey, size_t len) 740 { 741 if (prekey == NULL) 742 return; 743 munmap(prekey, len); 744 } 745 746 static void 747 sshkey_free_contents(struct sshkey *k) 748 { 749 const struct sshkey_impl *impl; 750 751 if (k == NULL) 752 return; 753 if ((impl = sshkey_impl_from_type(k->type)) != NULL && 754 impl->funcs->cleanup != NULL) 755 impl->funcs->cleanup(k); 756 if (sshkey_is_cert(k)) 757 cert_free(k->cert); 758 freezero(k->shielded_private, k->shielded_len); 759 sshkey_prekey_free(k->shield_prekey, k->shield_prekey_len); 760 } 761 762 void 763 sshkey_free(struct sshkey *k) 764 { 765 sshkey_free_contents(k); 766 freezero(k, sizeof(*k)); 767 } 768 769 static int 770 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 771 { 772 if (a == NULL && b == NULL) 773 return 1; 774 if (a == NULL || b == NULL) 775 return 0; 776 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 777 return 0; 778 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 779 sshbuf_len(a->certblob)) != 0) 780 return 0; 781 return 1; 782 } 783 784 /* Compares FIDO-specific pubkey fields only */ 785 int 786 sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b) 787 { 788 if (a->sk_application == NULL || b->sk_application == NULL) 789 return 0; 790 if (strcmp(a->sk_application, b->sk_application) != 0) 791 return 0; 792 return 1; 793 } 794 795 /* 796 * Compare public portions of key only, allowing comparisons between 797 * certificates and plain keys too. 798 */ 799 int 800 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 801 { 802 const struct sshkey_impl *impl; 803 804 if (a == NULL || b == NULL || 805 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 806 return 0; 807 if ((impl = sshkey_impl_from_type(a->type)) == NULL) 808 return 0; 809 return impl->funcs->equal(a, b); 810 } 811 812 int 813 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 814 { 815 if (a == NULL || b == NULL || a->type != b->type) 816 return 0; 817 if (sshkey_is_cert(a)) { 818 if (!cert_compare(a->cert, b->cert)) 819 return 0; 820 } 821 return sshkey_equal_public(a, b); 822 } 823 824 825 /* Serialise common FIDO key parts */ 826 int 827 sshkey_serialize_sk(const struct sshkey *key, struct sshbuf *b) 828 { 829 int r; 830 831 if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0) 832 return r; 833 834 return 0; 835 } 836 837 static int 838 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 839 enum sshkey_serialize_rep opts) 840 { 841 int type, ret = SSH_ERR_INTERNAL_ERROR; 842 const char *typename; 843 const struct sshkey_impl *impl; 844 845 if (key == NULL) 846 return SSH_ERR_INVALID_ARGUMENT; 847 848 type = force_plain ? sshkey_type_plain(key->type) : key->type; 849 850 if (sshkey_type_is_cert(type)) { 851 if (key->cert == NULL) 852 return SSH_ERR_EXPECTED_CERT; 853 if (sshbuf_len(key->cert->certblob) == 0) 854 return SSH_ERR_KEY_LACKS_CERTBLOB; 855 /* Use the existing blob */ 856 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 857 return ret; 858 return 0; 859 } 860 if ((impl = sshkey_impl_from_type(type)) == NULL) 861 return SSH_ERR_KEY_TYPE_UNKNOWN; 862 863 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 864 if ((ret = sshbuf_put_cstring(b, typename)) != 0) 865 return ret; 866 return impl->funcs->serialize_public(key, b, opts); 867 } 868 869 int 870 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 871 { 872 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 873 } 874 875 int 876 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 877 enum sshkey_serialize_rep opts) 878 { 879 struct sshbuf *tmp; 880 int r; 881 882 if ((tmp = sshbuf_new()) == NULL) 883 return SSH_ERR_ALLOC_FAIL; 884 r = to_blob_buf(key, tmp, 0, opts); 885 if (r == 0) 886 r = sshbuf_put_stringb(b, tmp); 887 sshbuf_free(tmp); 888 return r; 889 } 890 891 int 892 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 893 { 894 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 895 } 896 897 int 898 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 899 { 900 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 901 } 902 903 static int 904 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 905 enum sshkey_serialize_rep opts) 906 { 907 int ret = SSH_ERR_INTERNAL_ERROR; 908 size_t len; 909 struct sshbuf *b = NULL; 910 911 if (lenp != NULL) 912 *lenp = 0; 913 if (blobp != NULL) 914 *blobp = NULL; 915 if ((b = sshbuf_new()) == NULL) 916 return SSH_ERR_ALLOC_FAIL; 917 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 918 goto out; 919 len = sshbuf_len(b); 920 if (lenp != NULL) 921 *lenp = len; 922 if (blobp != NULL) { 923 if ((*blobp = malloc(len)) == NULL) { 924 ret = SSH_ERR_ALLOC_FAIL; 925 goto out; 926 } 927 memcpy(*blobp, sshbuf_ptr(b), len); 928 } 929 ret = 0; 930 out: 931 sshbuf_free(b); 932 return ret; 933 } 934 935 int 936 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 937 { 938 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 939 } 940 941 int 942 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 943 { 944 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 945 } 946 947 int 948 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 949 u_char **retp, size_t *lenp) 950 { 951 u_char *blob = NULL, *ret = NULL; 952 size_t blob_len = 0; 953 int r = SSH_ERR_INTERNAL_ERROR; 954 955 if (retp != NULL) 956 *retp = NULL; 957 if (lenp != NULL) 958 *lenp = 0; 959 if (ssh_digest_bytes(dgst_alg) == 0) { 960 r = SSH_ERR_INVALID_ARGUMENT; 961 goto out; 962 } 963 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 964 != 0) 965 goto out; 966 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 967 r = SSH_ERR_ALLOC_FAIL; 968 goto out; 969 } 970 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 971 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 972 goto out; 973 /* success */ 974 if (retp != NULL) { 975 *retp = ret; 976 ret = NULL; 977 } 978 if (lenp != NULL) 979 *lenp = ssh_digest_bytes(dgst_alg); 980 r = 0; 981 out: 982 free(ret); 983 if (blob != NULL) 984 freezero(blob, blob_len); 985 return r; 986 } 987 988 static char * 989 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 990 { 991 char *ret; 992 size_t plen = strlen(alg) + 1; 993 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 994 995 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 996 return NULL; 997 strlcpy(ret, alg, rlen); 998 strlcat(ret, ":", rlen); 999 if (dgst_raw_len == 0) 1000 return ret; 1001 if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { 1002 freezero(ret, rlen); 1003 return NULL; 1004 } 1005 /* Trim padding characters from end */ 1006 ret[strcspn(ret, "=")] = '\0'; 1007 return ret; 1008 } 1009 1010 static char * 1011 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1012 { 1013 char *retval, hex[5]; 1014 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 1015 1016 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 1017 return NULL; 1018 strlcpy(retval, alg, rlen); 1019 strlcat(retval, ":", rlen); 1020 for (i = 0; i < dgst_raw_len; i++) { 1021 snprintf(hex, sizeof(hex), "%s%02x", 1022 i > 0 ? ":" : "", dgst_raw[i]); 1023 strlcat(retval, hex, rlen); 1024 } 1025 return retval; 1026 } 1027 1028 static char * 1029 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 1030 { 1031 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 1032 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 1033 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 1034 u_int i, j = 0, rounds, seed = 1; 1035 char *retval; 1036 1037 rounds = (dgst_raw_len / 2) + 1; 1038 if ((retval = calloc(rounds, 6)) == NULL) 1039 return NULL; 1040 retval[j++] = 'x'; 1041 for (i = 0; i < rounds; i++) { 1042 u_int idx0, idx1, idx2, idx3, idx4; 1043 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 1044 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 1045 seed) % 6; 1046 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 1047 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 1048 (seed / 6)) % 6; 1049 retval[j++] = vowels[idx0]; 1050 retval[j++] = consonants[idx1]; 1051 retval[j++] = vowels[idx2]; 1052 if ((i + 1) < rounds) { 1053 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 1054 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1055 retval[j++] = consonants[idx3]; 1056 retval[j++] = '-'; 1057 retval[j++] = consonants[idx4]; 1058 seed = ((seed * 5) + 1059 ((((u_int)(dgst_raw[2 * i])) * 7) + 1060 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1061 } 1062 } else { 1063 idx0 = seed % 6; 1064 idx1 = 16; 1065 idx2 = seed / 6; 1066 retval[j++] = vowels[idx0]; 1067 retval[j++] = consonants[idx1]; 1068 retval[j++] = vowels[idx2]; 1069 } 1070 } 1071 retval[j++] = 'x'; 1072 retval[j++] = '\0'; 1073 return retval; 1074 } 1075 1076 /* 1077 * Draw an ASCII-Art representing the fingerprint so human brain can 1078 * profit from its built-in pattern recognition ability. 1079 * This technique is called "random art" and can be found in some 1080 * scientific publications like this original paper: 1081 * 1082 * "Hash Visualization: a New Technique to improve Real-World Security", 1083 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1084 * Techniques and E-Commerce (CrypTEC '99) 1085 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1086 * 1087 * The subject came up in a talk by Dan Kaminsky, too. 1088 * 1089 * If you see the picture is different, the key is different. 1090 * If the picture looks the same, you still know nothing. 1091 * 1092 * The algorithm used here is a worm crawling over a discrete plane, 1093 * leaving a trace (augmenting the field) everywhere it goes. 1094 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1095 * makes the respective movement vector be ignored for this turn. 1096 * Graphs are not unambiguous, because circles in graphs can be 1097 * walked in either direction. 1098 */ 1099 1100 /* 1101 * Field sizes for the random art. Have to be odd, so the starting point 1102 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1103 * Else pictures would be too dense, and drawing the frame would 1104 * fail, too, because the key type would not fit in anymore. 1105 */ 1106 #define FLDBASE 8 1107 #define FLDSIZE_Y (FLDBASE + 1) 1108 #define FLDSIZE_X (FLDBASE * 2 + 1) 1109 static char * 1110 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1111 const struct sshkey *k) 1112 { 1113 /* 1114 * Chars to be used after each other every time the worm 1115 * intersects with itself. Matter of taste. 1116 */ 1117 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1118 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1119 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1120 size_t i, tlen, hlen; 1121 u_int b; 1122 int x, y, r; 1123 size_t len = strlen(augmentation_string) - 1; 1124 1125 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1126 return NULL; 1127 1128 /* initialize field */ 1129 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1130 x = FLDSIZE_X / 2; 1131 y = FLDSIZE_Y / 2; 1132 1133 /* process raw key */ 1134 for (i = 0; i < dgst_raw_len; i++) { 1135 int input; 1136 /* each byte conveys four 2-bit move commands */ 1137 input = dgst_raw[i]; 1138 for (b = 0; b < 4; b++) { 1139 /* evaluate 2 bit, rest is shifted later */ 1140 x += (input & 0x1) ? 1 : -1; 1141 y += (input & 0x2) ? 1 : -1; 1142 1143 /* assure we are still in bounds */ 1144 x = MAXIMUM(x, 0); 1145 y = MAXIMUM(y, 0); 1146 x = MINIMUM(x, FLDSIZE_X - 1); 1147 y = MINIMUM(y, FLDSIZE_Y - 1); 1148 1149 /* augment the field */ 1150 if (field[x][y] < len - 2) 1151 field[x][y]++; 1152 input = input >> 2; 1153 } 1154 } 1155 1156 /* mark starting point and end point*/ 1157 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1158 field[x][y] = len; 1159 1160 /* assemble title */ 1161 r = snprintf(title, sizeof(title), "[%s %u]", 1162 sshkey_type(k), sshkey_size(k)); 1163 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1164 if (r < 0 || r > (int)sizeof(title)) 1165 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1166 tlen = (r <= 0) ? 0 : strlen(title); 1167 1168 /* assemble hash ID. */ 1169 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1170 hlen = (r <= 0) ? 0 : strlen(hash); 1171 1172 /* output upper border */ 1173 p = retval; 1174 *p++ = '+'; 1175 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1176 *p++ = '-'; 1177 memcpy(p, title, tlen); 1178 p += tlen; 1179 for (i += tlen; i < FLDSIZE_X; i++) 1180 *p++ = '-'; 1181 *p++ = '+'; 1182 *p++ = '\n'; 1183 1184 /* output content */ 1185 for (y = 0; y < FLDSIZE_Y; y++) { 1186 *p++ = '|'; 1187 for (x = 0; x < FLDSIZE_X; x++) 1188 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1189 *p++ = '|'; 1190 *p++ = '\n'; 1191 } 1192 1193 /* output lower border */ 1194 *p++ = '+'; 1195 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1196 *p++ = '-'; 1197 memcpy(p, hash, hlen); 1198 p += hlen; 1199 for (i += hlen; i < FLDSIZE_X; i++) 1200 *p++ = '-'; 1201 *p++ = '+'; 1202 1203 return retval; 1204 } 1205 1206 char * 1207 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1208 enum sshkey_fp_rep dgst_rep) 1209 { 1210 char *retval = NULL; 1211 u_char *dgst_raw; 1212 size_t dgst_raw_len; 1213 1214 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1215 return NULL; 1216 switch (dgst_rep) { 1217 case SSH_FP_DEFAULT: 1218 if (dgst_alg == SSH_DIGEST_MD5) { 1219 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1220 dgst_raw, dgst_raw_len); 1221 } else { 1222 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1223 dgst_raw, dgst_raw_len); 1224 } 1225 break; 1226 case SSH_FP_HEX: 1227 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1228 dgst_raw, dgst_raw_len); 1229 break; 1230 case SSH_FP_BASE64: 1231 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1232 dgst_raw, dgst_raw_len); 1233 break; 1234 case SSH_FP_BUBBLEBABBLE: 1235 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1236 break; 1237 case SSH_FP_RANDOMART: 1238 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1239 dgst_raw, dgst_raw_len, k); 1240 break; 1241 default: 1242 freezero(dgst_raw, dgst_raw_len); 1243 return NULL; 1244 } 1245 freezero(dgst_raw, dgst_raw_len); 1246 return retval; 1247 } 1248 1249 static int 1250 peek_type_nid(const char *s, size_t l, int *nid) 1251 { 1252 const struct sshkey_impl *impl; 1253 int i; 1254 1255 for (i = 0; keyimpls[i] != NULL; i++) { 1256 impl = keyimpls[i]; 1257 if (impl->name == NULL || strlen(impl->name) != l) 1258 continue; 1259 if (memcmp(s, impl->name, l) == 0) { 1260 *nid = -1; 1261 if (key_type_is_ecdsa_variant(impl->type)) 1262 *nid = impl->nid; 1263 return impl->type; 1264 } 1265 } 1266 return KEY_UNSPEC; 1267 } 1268 1269 /* XXX this can now be made const char * */ 1270 int 1271 sshkey_read(struct sshkey *ret, char **cpp) 1272 { 1273 struct sshkey *k; 1274 char *cp, *blobcopy; 1275 size_t space; 1276 int r, type, curve_nid = -1; 1277 struct sshbuf *blob; 1278 1279 if (ret == NULL) 1280 return SSH_ERR_INVALID_ARGUMENT; 1281 if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL) 1282 return SSH_ERR_INVALID_ARGUMENT; 1283 1284 /* Decode type */ 1285 cp = *cpp; 1286 space = strcspn(cp, " \t"); 1287 if (space == strlen(cp)) 1288 return SSH_ERR_INVALID_FORMAT; 1289 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1290 return SSH_ERR_INVALID_FORMAT; 1291 1292 /* skip whitespace */ 1293 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1294 ; 1295 if (*cp == '\0') 1296 return SSH_ERR_INVALID_FORMAT; 1297 if (ret->type != KEY_UNSPEC && ret->type != type) 1298 return SSH_ERR_KEY_TYPE_MISMATCH; 1299 if ((blob = sshbuf_new()) == NULL) 1300 return SSH_ERR_ALLOC_FAIL; 1301 1302 /* find end of keyblob and decode */ 1303 space = strcspn(cp, " \t"); 1304 if ((blobcopy = strndup(cp, space)) == NULL) { 1305 sshbuf_free(blob); 1306 return SSH_ERR_ALLOC_FAIL; 1307 } 1308 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1309 free(blobcopy); 1310 sshbuf_free(blob); 1311 return r; 1312 } 1313 free(blobcopy); 1314 if ((r = sshkey_fromb(blob, &k)) != 0) { 1315 sshbuf_free(blob); 1316 return r; 1317 } 1318 sshbuf_free(blob); 1319 1320 /* skip whitespace and leave cp at start of comment */ 1321 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1322 ; 1323 1324 /* ensure type of blob matches type at start of line */ 1325 if (k->type != type) { 1326 sshkey_free(k); 1327 return SSH_ERR_KEY_TYPE_MISMATCH; 1328 } 1329 if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { 1330 sshkey_free(k); 1331 return SSH_ERR_EC_CURVE_MISMATCH; 1332 } 1333 1334 /* Fill in ret from parsed key */ 1335 sshkey_free_contents(ret); 1336 *ret = *k; 1337 freezero(k, sizeof(*k)); 1338 1339 /* success */ 1340 *cpp = cp; 1341 return 0; 1342 } 1343 1344 int 1345 sshkey_to_base64(const struct sshkey *key, char **b64p) 1346 { 1347 int r = SSH_ERR_INTERNAL_ERROR; 1348 struct sshbuf *b = NULL; 1349 char *uu = NULL; 1350 1351 if (b64p != NULL) 1352 *b64p = NULL; 1353 if ((b = sshbuf_new()) == NULL) 1354 return SSH_ERR_ALLOC_FAIL; 1355 if ((r = sshkey_putb(key, b)) != 0) 1356 goto out; 1357 if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) { 1358 r = SSH_ERR_ALLOC_FAIL; 1359 goto out; 1360 } 1361 /* Success */ 1362 if (b64p != NULL) { 1363 *b64p = uu; 1364 uu = NULL; 1365 } 1366 r = 0; 1367 out: 1368 sshbuf_free(b); 1369 free(uu); 1370 return r; 1371 } 1372 1373 int 1374 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1375 { 1376 int r = SSH_ERR_INTERNAL_ERROR; 1377 char *uu = NULL; 1378 1379 if ((r = sshkey_to_base64(key, &uu)) != 0) 1380 goto out; 1381 if ((r = sshbuf_putf(b, "%s %s", 1382 sshkey_ssh_name(key), uu)) != 0) 1383 goto out; 1384 r = 0; 1385 out: 1386 free(uu); 1387 return r; 1388 } 1389 1390 int 1391 sshkey_write(const struct sshkey *key, FILE *f) 1392 { 1393 struct sshbuf *b = NULL; 1394 int r = SSH_ERR_INTERNAL_ERROR; 1395 1396 if ((b = sshbuf_new()) == NULL) 1397 return SSH_ERR_ALLOC_FAIL; 1398 if ((r = sshkey_format_text(key, b)) != 0) 1399 goto out; 1400 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1401 if (feof(f)) 1402 errno = EPIPE; 1403 r = SSH_ERR_SYSTEM_ERROR; 1404 goto out; 1405 } 1406 /* Success */ 1407 r = 0; 1408 out: 1409 sshbuf_free(b); 1410 return r; 1411 } 1412 1413 const char * 1414 sshkey_cert_type(const struct sshkey *k) 1415 { 1416 switch (k->cert->type) { 1417 case SSH2_CERT_TYPE_USER: 1418 return "user"; 1419 case SSH2_CERT_TYPE_HOST: 1420 return "host"; 1421 default: 1422 return "unknown"; 1423 } 1424 } 1425 1426 int 1427 sshkey_check_rsa_length(const struct sshkey *k, int min_size) 1428 { 1429 #ifdef WITH_OPENSSL 1430 int nbits; 1431 1432 if (k == NULL || k->pkey == NULL || 1433 (k->type != KEY_RSA && k->type != KEY_RSA_CERT)) 1434 return 0; 1435 nbits = EVP_PKEY_bits(k->pkey); 1436 if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1437 (min_size > 0 && nbits < min_size)) 1438 return SSH_ERR_KEY_LENGTH; 1439 #endif /* WITH_OPENSSL */ 1440 return 0; 1441 } 1442 1443 #ifdef WITH_OPENSSL 1444 int 1445 sshkey_ecdsa_key_to_nid(const EC_KEY *k) 1446 { 1447 const EC_GROUP *g; 1448 int nid; 1449 1450 if (k == NULL || (g = EC_KEY_get0_group(k)) == NULL) 1451 return -1; 1452 if ((nid = EC_GROUP_get_curve_name(g)) <= 0) 1453 return -1; 1454 return nid; 1455 } 1456 1457 int 1458 sshkey_ecdsa_pkey_to_nid(EVP_PKEY *pkey) 1459 { 1460 return sshkey_ecdsa_key_to_nid(EVP_PKEY_get0_EC_KEY(pkey)); 1461 } 1462 #endif /* WITH_OPENSSL */ 1463 1464 int 1465 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1466 { 1467 struct sshkey *k; 1468 int ret = SSH_ERR_INTERNAL_ERROR; 1469 const struct sshkey_impl *impl; 1470 1471 if (keyp == NULL || sshkey_type_is_cert(type)) 1472 return SSH_ERR_INVALID_ARGUMENT; 1473 *keyp = NULL; 1474 if ((impl = sshkey_impl_from_type(type)) == NULL) 1475 return SSH_ERR_KEY_TYPE_UNKNOWN; 1476 if (impl->funcs->generate == NULL) 1477 return SSH_ERR_FEATURE_UNSUPPORTED; 1478 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1479 return SSH_ERR_ALLOC_FAIL; 1480 k->type = type; 1481 if ((ret = impl->funcs->generate(k, bits)) != 0) { 1482 sshkey_free(k); 1483 return ret; 1484 } 1485 /* success */ 1486 *keyp = k; 1487 return 0; 1488 } 1489 1490 int 1491 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1492 { 1493 u_int i; 1494 const struct sshkey_cert *from; 1495 struct sshkey_cert *to; 1496 int r = SSH_ERR_INTERNAL_ERROR; 1497 1498 if (to_key == NULL || (from = from_key->cert) == NULL) 1499 return SSH_ERR_INVALID_ARGUMENT; 1500 1501 if ((to = cert_new()) == NULL) 1502 return SSH_ERR_ALLOC_FAIL; 1503 1504 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1505 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1506 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1507 goto out; 1508 1509 to->serial = from->serial; 1510 to->type = from->type; 1511 if (from->key_id == NULL) 1512 to->key_id = NULL; 1513 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1514 r = SSH_ERR_ALLOC_FAIL; 1515 goto out; 1516 } 1517 to->valid_after = from->valid_after; 1518 to->valid_before = from->valid_before; 1519 if (from->signature_key == NULL) 1520 to->signature_key = NULL; 1521 else if ((r = sshkey_from_private(from->signature_key, 1522 &to->signature_key)) != 0) 1523 goto out; 1524 if (from->signature_type != NULL && 1525 (to->signature_type = strdup(from->signature_type)) == NULL) { 1526 r = SSH_ERR_ALLOC_FAIL; 1527 goto out; 1528 } 1529 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1530 r = SSH_ERR_INVALID_ARGUMENT; 1531 goto out; 1532 } 1533 if (from->nprincipals > 0) { 1534 if ((to->principals = calloc(from->nprincipals, 1535 sizeof(*to->principals))) == NULL) { 1536 r = SSH_ERR_ALLOC_FAIL; 1537 goto out; 1538 } 1539 for (i = 0; i < from->nprincipals; i++) { 1540 to->principals[i] = strdup(from->principals[i]); 1541 if (to->principals[i] == NULL) { 1542 to->nprincipals = i; 1543 r = SSH_ERR_ALLOC_FAIL; 1544 goto out; 1545 } 1546 } 1547 } 1548 to->nprincipals = from->nprincipals; 1549 1550 /* success */ 1551 cert_free(to_key->cert); 1552 to_key->cert = to; 1553 to = NULL; 1554 r = 0; 1555 out: 1556 cert_free(to); 1557 return r; 1558 } 1559 1560 int 1561 sshkey_copy_public_sk(const struct sshkey *from, struct sshkey *to) 1562 { 1563 /* Append security-key application string */ 1564 if ((to->sk_application = strdup(from->sk_application)) == NULL) 1565 return SSH_ERR_ALLOC_FAIL; 1566 return 0; 1567 } 1568 1569 int 1570 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1571 { 1572 struct sshkey *n = NULL; 1573 int r = SSH_ERR_INTERNAL_ERROR; 1574 const struct sshkey_impl *impl; 1575 1576 *pkp = NULL; 1577 if ((impl = sshkey_impl_from_key(k)) == NULL) 1578 return SSH_ERR_KEY_TYPE_UNKNOWN; 1579 if ((n = sshkey_new(k->type)) == NULL) { 1580 r = SSH_ERR_ALLOC_FAIL; 1581 goto out; 1582 } 1583 if ((r = impl->funcs->copy_public(k, n)) != 0) 1584 goto out; 1585 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1586 goto out; 1587 /* success */ 1588 *pkp = n; 1589 n = NULL; 1590 r = 0; 1591 out: 1592 sshkey_free(n); 1593 return r; 1594 } 1595 1596 int 1597 sshkey_is_shielded(struct sshkey *k) 1598 { 1599 return k != NULL && k->shielded_private != NULL; 1600 } 1601 1602 int 1603 sshkey_shield_private(struct sshkey *k) 1604 { 1605 struct sshbuf *prvbuf = NULL; 1606 u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; 1607 struct sshcipher_ctx *cctx = NULL; 1608 const struct sshcipher *cipher; 1609 size_t i, enclen = 0; 1610 struct sshkey *kswap = NULL, tmp; 1611 int r = SSH_ERR_INTERNAL_ERROR; 1612 1613 #ifdef DEBUG_PK 1614 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1615 #endif 1616 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1617 r = SSH_ERR_INVALID_ARGUMENT; 1618 goto out; 1619 } 1620 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1621 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1622 r = SSH_ERR_INTERNAL_ERROR; 1623 goto out; 1624 } 1625 1626 /* Prepare a random pre-key, and from it an ephemeral key */ 1627 if ((r = sshkey_prekey_alloc(&prekey, SSHKEY_SHIELD_PREKEY_LEN)) != 0) 1628 goto out; 1629 arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1630 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1631 prekey, SSHKEY_SHIELD_PREKEY_LEN, 1632 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1633 goto out; 1634 #ifdef DEBUG_PK 1635 fprintf(stderr, "%s: key+iv\n", __func__); 1636 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1637 stderr); 1638 #endif 1639 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1640 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) 1641 goto out; 1642 1643 /* Serialise and encrypt the private key using the ephemeral key */ 1644 if ((prvbuf = sshbuf_new()) == NULL) { 1645 r = SSH_ERR_ALLOC_FAIL; 1646 goto out; 1647 } 1648 if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) 1649 goto out; 1650 if ((r = sshkey_private_serialize_opt(k, prvbuf, 1651 SSHKEY_SERIALIZE_SHIELD)) != 0) 1652 goto out; 1653 /* pad to cipher blocksize */ 1654 i = 0; 1655 while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { 1656 if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) 1657 goto out; 1658 } 1659 #ifdef DEBUG_PK 1660 fprintf(stderr, "%s: serialised\n", __func__); 1661 sshbuf_dump(prvbuf, stderr); 1662 #endif 1663 /* encrypt */ 1664 enclen = sshbuf_len(prvbuf); 1665 if ((enc = malloc(enclen)) == NULL) { 1666 r = SSH_ERR_ALLOC_FAIL; 1667 goto out; 1668 } 1669 if ((r = cipher_crypt(cctx, 0, enc, 1670 sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) 1671 goto out; 1672 #ifdef DEBUG_PK 1673 fprintf(stderr, "%s: encrypted\n", __func__); 1674 sshbuf_dump_data(enc, enclen, stderr); 1675 #endif 1676 1677 /* Make a scrubbed, public-only copy of our private key argument */ 1678 if ((r = sshkey_from_private(k, &kswap)) != 0) 1679 goto out; 1680 1681 /* Swap the private key out (it will be destroyed below) */ 1682 tmp = *kswap; 1683 *kswap = *k; 1684 *k = tmp; 1685 1686 /* Insert the shielded key into our argument */ 1687 k->shielded_private = enc; 1688 k->shielded_len = enclen; 1689 k->shield_prekey = prekey; 1690 k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; 1691 enc = prekey = NULL; /* transferred */ 1692 enclen = 0; 1693 1694 /* preserve key fields that are required for correct operation */ 1695 k->sk_flags = kswap->sk_flags; 1696 1697 /* success */ 1698 r = 0; 1699 1700 out: 1701 /* XXX behaviour on error - invalidate original private key? */ 1702 cipher_free(cctx); 1703 explicit_bzero(keyiv, sizeof(keyiv)); 1704 explicit_bzero(&tmp, sizeof(tmp)); 1705 freezero(enc, enclen); 1706 sshkey_prekey_free(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1707 sshkey_free(kswap); 1708 sshbuf_free(prvbuf); 1709 return r; 1710 } 1711 1712 /* Check deterministic padding after private key */ 1713 static int 1714 private2_check_padding(struct sshbuf *decrypted) 1715 { 1716 u_char pad; 1717 size_t i; 1718 int r; 1719 1720 i = 0; 1721 while (sshbuf_len(decrypted)) { 1722 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 1723 goto out; 1724 if (pad != (++i & 0xff)) { 1725 r = SSH_ERR_INVALID_FORMAT; 1726 goto out; 1727 } 1728 } 1729 /* success */ 1730 r = 0; 1731 out: 1732 explicit_bzero(&pad, sizeof(pad)); 1733 explicit_bzero(&i, sizeof(i)); 1734 return r; 1735 } 1736 1737 int 1738 sshkey_unshield_private(struct sshkey *k) 1739 { 1740 struct sshbuf *prvbuf = NULL; 1741 u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; 1742 struct sshcipher_ctx *cctx = NULL; 1743 const struct sshcipher *cipher; 1744 struct sshkey *kswap = NULL, tmp; 1745 int r = SSH_ERR_INTERNAL_ERROR; 1746 1747 #ifdef DEBUG_PK 1748 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1749 #endif 1750 if (!sshkey_is_shielded(k)) 1751 return 0; /* nothing to do */ 1752 1753 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1754 r = SSH_ERR_INVALID_ARGUMENT; 1755 goto out; 1756 } 1757 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1758 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1759 r = SSH_ERR_INTERNAL_ERROR; 1760 goto out; 1761 } 1762 /* check size of shielded key blob */ 1763 if (k->shielded_len < cipher_blocksize(cipher) || 1764 (k->shielded_len % cipher_blocksize(cipher)) != 0) { 1765 r = SSH_ERR_INVALID_FORMAT; 1766 goto out; 1767 } 1768 1769 /* Calculate the ephemeral key from the prekey */ 1770 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1771 k->shield_prekey, k->shield_prekey_len, 1772 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1773 goto out; 1774 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1775 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) 1776 goto out; 1777 #ifdef DEBUG_PK 1778 fprintf(stderr, "%s: key+iv\n", __func__); 1779 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1780 stderr); 1781 #endif 1782 1783 /* Decrypt and parse the shielded private key using the ephemeral key */ 1784 if ((prvbuf = sshbuf_new()) == NULL) { 1785 r = SSH_ERR_ALLOC_FAIL; 1786 goto out; 1787 } 1788 if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) 1789 goto out; 1790 /* decrypt */ 1791 #ifdef DEBUG_PK 1792 fprintf(stderr, "%s: encrypted\n", __func__); 1793 sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); 1794 #endif 1795 if ((r = cipher_crypt(cctx, 0, cp, 1796 k->shielded_private, k->shielded_len, 0, 0)) != 0) 1797 goto out; 1798 #ifdef DEBUG_PK 1799 fprintf(stderr, "%s: serialised\n", __func__); 1800 sshbuf_dump(prvbuf, stderr); 1801 #endif 1802 /* Parse private key */ 1803 if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) 1804 goto out; 1805 1806 if ((r = private2_check_padding(prvbuf)) != 0) 1807 goto out; 1808 1809 /* Swap the parsed key back into place */ 1810 tmp = *kswap; 1811 *kswap = *k; 1812 *k = tmp; 1813 1814 /* success */ 1815 r = 0; 1816 1817 out: 1818 cipher_free(cctx); 1819 explicit_bzero(keyiv, sizeof(keyiv)); 1820 explicit_bzero(&tmp, sizeof(tmp)); 1821 sshkey_free(kswap); 1822 sshbuf_free(prvbuf); 1823 return r; 1824 } 1825 1826 static int 1827 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1828 { 1829 struct sshbuf *principals = NULL, *crit = NULL; 1830 struct sshbuf *exts = NULL, *ca = NULL; 1831 u_char *sig = NULL; 1832 size_t signed_len = 0, slen = 0, kidlen = 0; 1833 int ret = SSH_ERR_INTERNAL_ERROR; 1834 1835 /* Copy the entire key blob for verification and later serialisation */ 1836 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1837 return ret; 1838 1839 /* Parse body of certificate up to signature */ 1840 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1841 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1842 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1843 (ret = sshbuf_froms(b, &principals)) != 0 || 1844 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1845 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1846 (ret = sshbuf_froms(b, &crit)) != 0 || 1847 (ret = sshbuf_froms(b, &exts)) != 0 || 1848 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1849 (ret = sshbuf_froms(b, &ca)) != 0) { 1850 /* XXX debug print error for ret */ 1851 ret = SSH_ERR_INVALID_FORMAT; 1852 goto out; 1853 } 1854 1855 /* Signature is left in the buffer so we can calculate this length */ 1856 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1857 1858 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1859 ret = SSH_ERR_INVALID_FORMAT; 1860 goto out; 1861 } 1862 1863 if (key->cert->type != SSH2_CERT_TYPE_USER && 1864 key->cert->type != SSH2_CERT_TYPE_HOST) { 1865 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1866 goto out; 1867 } 1868 1869 /* Parse principals section */ 1870 while (sshbuf_len(principals) > 0) { 1871 char *principal = NULL; 1872 char **oprincipals = NULL; 1873 1874 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1875 ret = SSH_ERR_INVALID_FORMAT; 1876 goto out; 1877 } 1878 if ((ret = sshbuf_get_cstring(principals, &principal, 1879 NULL)) != 0) { 1880 ret = SSH_ERR_INVALID_FORMAT; 1881 goto out; 1882 } 1883 oprincipals = key->cert->principals; 1884 key->cert->principals = recallocarray(key->cert->principals, 1885 key->cert->nprincipals, key->cert->nprincipals + 1, 1886 sizeof(*key->cert->principals)); 1887 if (key->cert->principals == NULL) { 1888 free(principal); 1889 key->cert->principals = oprincipals; 1890 ret = SSH_ERR_ALLOC_FAIL; 1891 goto out; 1892 } 1893 key->cert->principals[key->cert->nprincipals++] = principal; 1894 } 1895 1896 /* 1897 * Stash a copies of the critical options and extensions sections 1898 * for later use. 1899 */ 1900 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1901 (exts != NULL && 1902 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1903 goto out; 1904 1905 /* 1906 * Validate critical options and extensions sections format. 1907 */ 1908 while (sshbuf_len(crit) != 0) { 1909 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1910 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1911 sshbuf_reset(key->cert->critical); 1912 ret = SSH_ERR_INVALID_FORMAT; 1913 goto out; 1914 } 1915 } 1916 while (exts != NULL && sshbuf_len(exts) != 0) { 1917 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1918 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1919 sshbuf_reset(key->cert->extensions); 1920 ret = SSH_ERR_INVALID_FORMAT; 1921 goto out; 1922 } 1923 } 1924 1925 /* Parse CA key and check signature */ 1926 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1927 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1928 goto out; 1929 } 1930 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1931 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1932 goto out; 1933 } 1934 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1935 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) 1936 goto out; 1937 if ((ret = sshkey_get_sigtype(sig, slen, 1938 &key->cert->signature_type)) != 0) 1939 goto out; 1940 1941 /* Success */ 1942 ret = 0; 1943 out: 1944 sshbuf_free(ca); 1945 sshbuf_free(crit); 1946 sshbuf_free(exts); 1947 sshbuf_free(principals); 1948 free(sig); 1949 return ret; 1950 } 1951 1952 int 1953 sshkey_deserialize_sk(struct sshbuf *b, struct sshkey *key) 1954 { 1955 /* Parse additional security-key application string */ 1956 if (sshbuf_get_cstring(b, &key->sk_application, NULL) != 0) 1957 return SSH_ERR_INVALID_FORMAT; 1958 return 0; 1959 } 1960 1961 static int 1962 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1963 int allow_cert) 1964 { 1965 int type, ret = SSH_ERR_INTERNAL_ERROR; 1966 char *ktype = NULL; 1967 struct sshkey *key = NULL; 1968 struct sshbuf *copy; 1969 const struct sshkey_impl *impl; 1970 1971 #ifdef DEBUG_PK /* XXX */ 1972 sshbuf_dump(b, stderr); 1973 #endif 1974 if (keyp != NULL) 1975 *keyp = NULL; 1976 if ((copy = sshbuf_fromb(b)) == NULL) { 1977 ret = SSH_ERR_ALLOC_FAIL; 1978 goto out; 1979 } 1980 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1981 ret = SSH_ERR_INVALID_FORMAT; 1982 goto out; 1983 } 1984 1985 type = sshkey_type_from_name(ktype); 1986 if (!allow_cert && sshkey_type_is_cert(type)) { 1987 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1988 goto out; 1989 } 1990 if ((impl = sshkey_impl_from_type(type)) == NULL) { 1991 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1992 goto out; 1993 } 1994 if ((key = sshkey_new(type)) == NULL) { 1995 ret = SSH_ERR_ALLOC_FAIL; 1996 goto out; 1997 } 1998 if (sshkey_type_is_cert(type)) { 1999 /* Skip nonce that precedes all certificates */ 2000 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2001 ret = SSH_ERR_INVALID_FORMAT; 2002 goto out; 2003 } 2004 } 2005 if ((ret = impl->funcs->deserialize_public(ktype, b, key)) != 0) 2006 goto out; 2007 2008 /* Parse certificate potion */ 2009 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2010 goto out; 2011 2012 if (key != NULL && sshbuf_len(b) != 0) { 2013 ret = SSH_ERR_INVALID_FORMAT; 2014 goto out; 2015 } 2016 ret = 0; 2017 if (keyp != NULL) { 2018 *keyp = key; 2019 key = NULL; 2020 } 2021 out: 2022 sshbuf_free(copy); 2023 sshkey_free(key); 2024 free(ktype); 2025 return ret; 2026 } 2027 2028 int 2029 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2030 { 2031 struct sshbuf *b; 2032 int r; 2033 2034 if ((b = sshbuf_from(blob, blen)) == NULL) 2035 return SSH_ERR_ALLOC_FAIL; 2036 r = sshkey_from_blob_internal(b, keyp, 1); 2037 sshbuf_free(b); 2038 return r; 2039 } 2040 2041 int 2042 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2043 { 2044 return sshkey_from_blob_internal(b, keyp, 1); 2045 } 2046 2047 int 2048 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2049 { 2050 struct sshbuf *b; 2051 int r; 2052 2053 if ((r = sshbuf_froms(buf, &b)) != 0) 2054 return r; 2055 r = sshkey_from_blob_internal(b, keyp, 1); 2056 sshbuf_free(b); 2057 return r; 2058 } 2059 2060 int 2061 sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2062 { 2063 int r; 2064 struct sshbuf *b = NULL; 2065 char *sigtype = NULL; 2066 2067 if (sigtypep != NULL) 2068 *sigtypep = NULL; 2069 if ((b = sshbuf_from(sig, siglen)) == NULL) 2070 return SSH_ERR_ALLOC_FAIL; 2071 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2072 goto out; 2073 /* success */ 2074 if (sigtypep != NULL) { 2075 *sigtypep = sigtype; 2076 sigtype = NULL; 2077 } 2078 r = 0; 2079 out: 2080 free(sigtype); 2081 sshbuf_free(b); 2082 return r; 2083 } 2084 2085 /* 2086 * 2087 * Checks whether a certificate's signature type is allowed. 2088 * Returns 0 (success) if the certificate signature type appears in the 2089 * "allowed" pattern-list, or the key is not a certificate to begin with. 2090 * Otherwise returns a ssherr.h code. 2091 */ 2092 int 2093 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2094 { 2095 if (key == NULL || allowed == NULL) 2096 return SSH_ERR_INVALID_ARGUMENT; 2097 if (!sshkey_type_is_cert(key->type)) 2098 return 0; 2099 if (key->cert == NULL || key->cert->signature_type == NULL) 2100 return SSH_ERR_INVALID_ARGUMENT; 2101 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2102 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2103 return 0; 2104 } 2105 2106 /* 2107 * Returns the expected signature algorithm for a given public key algorithm. 2108 */ 2109 const char * 2110 sshkey_sigalg_by_name(const char *name) 2111 { 2112 const struct sshkey_impl *impl; 2113 int i; 2114 2115 for (i = 0; keyimpls[i] != NULL; i++) { 2116 impl = keyimpls[i]; 2117 if (strcmp(impl->name, name) != 0) 2118 continue; 2119 if (impl->sigalg != NULL) 2120 return impl->sigalg; 2121 if (!impl->cert) 2122 return impl->name; 2123 return sshkey_ssh_name_from_type_nid( 2124 sshkey_type_plain(impl->type), impl->nid); 2125 } 2126 return NULL; 2127 } 2128 2129 /* 2130 * Verifies that the signature algorithm appearing inside the signature blob 2131 * matches that which was requested. 2132 */ 2133 int 2134 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2135 const char *requested_alg) 2136 { 2137 const char *expected_alg; 2138 char *sigtype = NULL; 2139 int r; 2140 2141 if (requested_alg == NULL) 2142 return 0; 2143 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2144 return SSH_ERR_INVALID_ARGUMENT; 2145 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) 2146 return r; 2147 r = strcmp(expected_alg, sigtype) == 0; 2148 free(sigtype); 2149 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2150 } 2151 2152 int 2153 sshkey_sign(struct sshkey *key, 2154 u_char **sigp, size_t *lenp, 2155 const u_char *data, size_t datalen, 2156 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 2157 { 2158 int was_shielded = sshkey_is_shielded(key); 2159 int r2, r = SSH_ERR_INTERNAL_ERROR; 2160 const struct sshkey_impl *impl; 2161 2162 if (sigp != NULL) 2163 *sigp = NULL; 2164 if (lenp != NULL) 2165 *lenp = 0; 2166 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2167 return SSH_ERR_INVALID_ARGUMENT; 2168 if ((impl = sshkey_impl_from_key(key)) == NULL) 2169 return SSH_ERR_KEY_TYPE_UNKNOWN; 2170 if ((r = sshkey_unshield_private(key)) != 0) 2171 return r; 2172 if (sshkey_is_sk(key)) { 2173 r = sshsk_sign(sk_provider, key, sigp, lenp, data, 2174 datalen, compat, sk_pin); 2175 } else { 2176 if (impl->funcs->sign == NULL) 2177 r = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2178 else { 2179 r = impl->funcs->sign(key, sigp, lenp, data, datalen, 2180 alg, sk_provider, sk_pin, compat); 2181 } 2182 } 2183 if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) 2184 return r2; 2185 return r; 2186 } 2187 2188 /* 2189 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2190 * If "alg" specified, then the signature must use that algorithm. 2191 */ 2192 int 2193 sshkey_verify(const struct sshkey *key, 2194 const u_char *sig, size_t siglen, 2195 const u_char *data, size_t dlen, const char *alg, u_int compat, 2196 struct sshkey_sig_details **detailsp) 2197 { 2198 const struct sshkey_impl *impl; 2199 2200 if (detailsp != NULL) 2201 *detailsp = NULL; 2202 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2203 return SSH_ERR_INVALID_ARGUMENT; 2204 if ((impl = sshkey_impl_from_key(key)) == NULL) 2205 return SSH_ERR_KEY_TYPE_UNKNOWN; 2206 return impl->funcs->verify(key, sig, siglen, data, dlen, 2207 alg, compat, detailsp); 2208 } 2209 2210 /* Convert a plain key to their _CERT equivalent */ 2211 int 2212 sshkey_to_certified(struct sshkey *k) 2213 { 2214 int newtype; 2215 2216 if ((newtype = sshkey_type_certified(k->type)) == -1) 2217 return SSH_ERR_INVALID_ARGUMENT; 2218 if ((k->cert = cert_new()) == NULL) 2219 return SSH_ERR_ALLOC_FAIL; 2220 k->type = newtype; 2221 return 0; 2222 } 2223 2224 /* Convert a certificate to its raw key equivalent */ 2225 int 2226 sshkey_drop_cert(struct sshkey *k) 2227 { 2228 if (!sshkey_type_is_cert(k->type)) 2229 return SSH_ERR_KEY_TYPE_UNKNOWN; 2230 cert_free(k->cert); 2231 k->cert = NULL; 2232 k->type = sshkey_type_plain(k->type); 2233 return 0; 2234 } 2235 2236 /* Sign a certified key, (re-)generating the signed certblob. */ 2237 int 2238 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2239 const char *sk_provider, const char *sk_pin, 2240 sshkey_certify_signer *signer, void *signer_ctx) 2241 { 2242 const struct sshkey_impl *impl; 2243 struct sshbuf *principals = NULL; 2244 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2245 size_t i, ca_len, sig_len; 2246 int ret = SSH_ERR_INTERNAL_ERROR; 2247 struct sshbuf *cert = NULL; 2248 char *sigtype = NULL; 2249 2250 if (k == NULL || k->cert == NULL || 2251 k->cert->certblob == NULL || ca == NULL) 2252 return SSH_ERR_INVALID_ARGUMENT; 2253 if (!sshkey_is_cert(k)) 2254 return SSH_ERR_KEY_TYPE_UNKNOWN; 2255 if (!sshkey_type_is_valid_ca(ca->type)) 2256 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2257 if ((impl = sshkey_impl_from_key(k)) == NULL) 2258 return SSH_ERR_INTERNAL_ERROR; 2259 2260 /* 2261 * If no alg specified as argument but a signature_type was set, 2262 * then prefer that. If both were specified, then they must match. 2263 */ 2264 if (alg == NULL) 2265 alg = k->cert->signature_type; 2266 else if (k->cert->signature_type != NULL && 2267 strcmp(alg, k->cert->signature_type) != 0) 2268 return SSH_ERR_INVALID_ARGUMENT; 2269 2270 /* 2271 * If no signing algorithm or signature_type was specified and we're 2272 * using a RSA key, then default to a good signature algorithm. 2273 */ 2274 if (alg == NULL && ca->type == KEY_RSA) 2275 alg = "rsa-sha2-512"; 2276 2277 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2278 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2279 2280 cert = k->cert->certblob; /* for readability */ 2281 sshbuf_reset(cert); 2282 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2283 goto out; 2284 2285 /* -v01 certs put nonce first */ 2286 arc4random_buf(&nonce, sizeof(nonce)); 2287 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2288 goto out; 2289 2290 /* Public key next */ 2291 if ((ret = impl->funcs->serialize_public(k, cert, 2292 SSHKEY_SERIALIZE_DEFAULT)) != 0) 2293 goto out; 2294 2295 /* Then remaining cert fields */ 2296 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2297 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2298 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2299 goto out; 2300 2301 if ((principals = sshbuf_new()) == NULL) { 2302 ret = SSH_ERR_ALLOC_FAIL; 2303 goto out; 2304 } 2305 for (i = 0; i < k->cert->nprincipals; i++) { 2306 if ((ret = sshbuf_put_cstring(principals, 2307 k->cert->principals[i])) != 0) 2308 goto out; 2309 } 2310 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2311 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2312 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2313 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2314 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2315 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2316 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2317 goto out; 2318 2319 /* Sign the whole mess */ 2320 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2321 sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) 2322 goto out; 2323 /* Check and update signature_type against what was actually used */ 2324 if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2325 goto out; 2326 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2327 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2328 goto out; 2329 } 2330 if (k->cert->signature_type == NULL) { 2331 k->cert->signature_type = sigtype; 2332 sigtype = NULL; 2333 } 2334 /* Append signature and we are done */ 2335 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2336 goto out; 2337 ret = 0; 2338 out: 2339 if (ret != 0) 2340 sshbuf_reset(cert); 2341 free(sig_blob); 2342 free(ca_blob); 2343 free(sigtype); 2344 sshbuf_free(principals); 2345 return ret; 2346 } 2347 2348 static int 2349 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, 2350 const u_char *data, size_t datalen, 2351 const char *alg, const char *sk_provider, const char *sk_pin, 2352 u_int compat, void *ctx) 2353 { 2354 if (ctx != NULL) 2355 return SSH_ERR_INVALID_ARGUMENT; 2356 return sshkey_sign(key, sigp, lenp, data, datalen, alg, 2357 sk_provider, sk_pin, compat); 2358 } 2359 2360 int 2361 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, 2362 const char *sk_provider, const char *sk_pin) 2363 { 2364 return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, 2365 default_key_sign, NULL); 2366 } 2367 2368 int 2369 sshkey_cert_check_authority(const struct sshkey *k, 2370 int want_host, int require_principal, int wildcard_pattern, 2371 uint64_t verify_time, const char *name, const char **reason) 2372 { 2373 u_int i, principal_matches; 2374 2375 if (reason == NULL) 2376 return SSH_ERR_INVALID_ARGUMENT; 2377 if (!sshkey_is_cert(k)) { 2378 *reason = "Key is not a certificate"; 2379 return SSH_ERR_KEY_CERT_INVALID; 2380 } 2381 if (want_host) { 2382 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2383 *reason = "Certificate invalid: not a host certificate"; 2384 return SSH_ERR_KEY_CERT_INVALID; 2385 } 2386 } else { 2387 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2388 *reason = "Certificate invalid: not a user certificate"; 2389 return SSH_ERR_KEY_CERT_INVALID; 2390 } 2391 } 2392 if (verify_time < k->cert->valid_after) { 2393 *reason = "Certificate invalid: not yet valid"; 2394 return SSH_ERR_KEY_CERT_INVALID; 2395 } 2396 if (verify_time >= k->cert->valid_before) { 2397 *reason = "Certificate invalid: expired"; 2398 return SSH_ERR_KEY_CERT_INVALID; 2399 } 2400 if (k->cert->nprincipals == 0) { 2401 if (require_principal) { 2402 *reason = "Certificate lacks principal list"; 2403 return SSH_ERR_KEY_CERT_INVALID; 2404 } 2405 } else if (name != NULL) { 2406 principal_matches = 0; 2407 for (i = 0; i < k->cert->nprincipals; i++) { 2408 if (wildcard_pattern) { 2409 if (match_pattern(k->cert->principals[i], 2410 name)) { 2411 principal_matches = 1; 2412 break; 2413 } 2414 } else if (strcmp(name, k->cert->principals[i]) == 0) { 2415 principal_matches = 1; 2416 break; 2417 } 2418 } 2419 if (!principal_matches) { 2420 *reason = "Certificate invalid: name is not a listed " 2421 "principal"; 2422 return SSH_ERR_KEY_CERT_INVALID; 2423 } 2424 } 2425 return 0; 2426 } 2427 2428 int 2429 sshkey_cert_check_authority_now(const struct sshkey *k, 2430 int want_host, int require_principal, int wildcard_pattern, 2431 const char *name, const char **reason) 2432 { 2433 time_t now; 2434 2435 if ((now = time(NULL)) < 0) { 2436 /* yikes - system clock before epoch! */ 2437 *reason = "Certificate invalid: not yet valid"; 2438 return SSH_ERR_KEY_CERT_INVALID; 2439 } 2440 return sshkey_cert_check_authority(k, want_host, require_principal, 2441 wildcard_pattern, (uint64_t)now, name, reason); 2442 } 2443 2444 int 2445 sshkey_cert_check_host(const struct sshkey *key, const char *host, 2446 int wildcard_principals, const char *ca_sign_algorithms, 2447 const char **reason) 2448 { 2449 int r; 2450 2451 if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, 2452 host, reason)) != 0) 2453 return r; 2454 if (sshbuf_len(key->cert->critical) != 0) { 2455 *reason = "Certificate contains unsupported critical options"; 2456 return SSH_ERR_KEY_CERT_INVALID; 2457 } 2458 if (ca_sign_algorithms != NULL && 2459 (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { 2460 *reason = "Certificate signed with disallowed algorithm"; 2461 return SSH_ERR_KEY_CERT_INVALID; 2462 } 2463 return 0; 2464 } 2465 2466 size_t 2467 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2468 { 2469 char from[32], to[32], ret[128]; 2470 2471 *from = *to = '\0'; 2472 if (cert->valid_after == 0 && 2473 cert->valid_before == 0xffffffffffffffffULL) 2474 return strlcpy(s, "forever", l); 2475 2476 if (cert->valid_after != 0) 2477 format_absolute_time(cert->valid_after, from, sizeof(from)); 2478 if (cert->valid_before != 0xffffffffffffffffULL) 2479 format_absolute_time(cert->valid_before, to, sizeof(to)); 2480 2481 if (cert->valid_after == 0) 2482 snprintf(ret, sizeof(ret), "before %s", to); 2483 else if (cert->valid_before == 0xffffffffffffffffULL) 2484 snprintf(ret, sizeof(ret), "after %s", from); 2485 else 2486 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2487 2488 return strlcpy(s, ret, l); 2489 } 2490 2491 /* Common serialization for FIDO private keys */ 2492 int 2493 sshkey_serialize_private_sk(const struct sshkey *key, struct sshbuf *b) 2494 { 2495 int r; 2496 2497 if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 2498 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 2499 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 2500 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 2501 return r; 2502 2503 return 0; 2504 } 2505 2506 int 2507 sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, 2508 enum sshkey_serialize_rep opts) 2509 { 2510 int r = SSH_ERR_INTERNAL_ERROR; 2511 int was_shielded = sshkey_is_shielded(key); 2512 struct sshbuf *b = NULL; 2513 const struct sshkey_impl *impl; 2514 2515 if ((impl = sshkey_impl_from_key(key)) == NULL) 2516 return SSH_ERR_INTERNAL_ERROR; 2517 if ((r = sshkey_unshield_private(key)) != 0) 2518 return r; 2519 if ((b = sshbuf_new()) == NULL) 2520 return SSH_ERR_ALLOC_FAIL; 2521 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2522 goto out; 2523 if (sshkey_is_cert(key)) { 2524 if (key->cert == NULL || 2525 sshbuf_len(key->cert->certblob) == 0) { 2526 r = SSH_ERR_INVALID_ARGUMENT; 2527 goto out; 2528 } 2529 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0) 2530 goto out; 2531 } 2532 if ((r = impl->funcs->serialize_private(key, b, opts)) != 0) 2533 goto out; 2534 2535 /* 2536 * success (but we still need to append the output to buf after 2537 * possibly re-shielding the private key) 2538 */ 2539 r = 0; 2540 out: 2541 if (was_shielded) 2542 r = sshkey_shield_private(key); 2543 if (r == 0) 2544 r = sshbuf_putb(buf, b); 2545 sshbuf_free(b); 2546 2547 return r; 2548 } 2549 2550 int 2551 sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) 2552 { 2553 return sshkey_private_serialize_opt(key, b, 2554 SSHKEY_SERIALIZE_DEFAULT); 2555 } 2556 2557 /* Shared deserialization of FIDO private key components */ 2558 int 2559 sshkey_private_deserialize_sk(struct sshbuf *buf, struct sshkey *k) 2560 { 2561 int r; 2562 2563 if ((k->sk_key_handle = sshbuf_new()) == NULL || 2564 (k->sk_reserved = sshbuf_new()) == NULL) 2565 return SSH_ERR_ALLOC_FAIL; 2566 if ((r = sshbuf_get_cstring(buf, &k->sk_application, NULL)) != 0 || 2567 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 2568 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 2569 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 2570 return r; 2571 2572 return 0; 2573 } 2574 2575 int 2576 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2577 { 2578 const struct sshkey_impl *impl; 2579 char *tname = NULL; 2580 char *expect_sk_application = NULL; 2581 u_char *expect_ed25519_pk = NULL; 2582 struct sshkey *k = NULL; 2583 int type, r = SSH_ERR_INTERNAL_ERROR; 2584 2585 if (kp != NULL) 2586 *kp = NULL; 2587 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2588 goto out; 2589 type = sshkey_type_from_name(tname); 2590 if (sshkey_type_is_cert(type)) { 2591 /* 2592 * Certificate key private keys begin with the certificate 2593 * itself. Make sure this matches the type of the enclosing 2594 * private key. 2595 */ 2596 if ((r = sshkey_froms(buf, &k)) != 0) 2597 goto out; 2598 if (k->type != type) { 2599 r = SSH_ERR_KEY_CERT_MISMATCH; 2600 goto out; 2601 } 2602 /* For ECDSA keys, the group must match too */ 2603 if (k->type == KEY_ECDSA && 2604 k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { 2605 r = SSH_ERR_KEY_CERT_MISMATCH; 2606 goto out; 2607 } 2608 /* 2609 * Several fields are redundant between certificate and 2610 * private key body, we require these to match. 2611 */ 2612 expect_sk_application = k->sk_application; 2613 expect_ed25519_pk = k->ed25519_pk; 2614 k->sk_application = NULL; 2615 k->ed25519_pk = NULL; 2616 /* XXX xmss too or refactor */ 2617 } else { 2618 if ((k = sshkey_new(type)) == NULL) { 2619 r = SSH_ERR_ALLOC_FAIL; 2620 goto out; 2621 } 2622 } 2623 if ((impl = sshkey_impl_from_type(type)) == NULL) { 2624 r = SSH_ERR_INTERNAL_ERROR; 2625 goto out; 2626 } 2627 if ((r = impl->funcs->deserialize_private(tname, buf, k)) != 0) 2628 goto out; 2629 2630 /* XXX xmss too or refactor */ 2631 if ((expect_sk_application != NULL && (k->sk_application == NULL || 2632 strcmp(expect_sk_application, k->sk_application) != 0)) || 2633 (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL || 2634 memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) { 2635 r = SSH_ERR_KEY_CERT_MISMATCH; 2636 goto out; 2637 } 2638 /* success */ 2639 r = 0; 2640 if (kp != NULL) { 2641 *kp = k; 2642 k = NULL; 2643 } 2644 out: 2645 free(tname); 2646 sshkey_free(k); 2647 free(expect_sk_application); 2648 free(expect_ed25519_pk); 2649 return r; 2650 } 2651 2652 #ifdef WITH_OPENSSL 2653 int 2654 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2655 { 2656 EC_POINT *nq = NULL; 2657 BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL; 2658 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2659 2660 /* 2661 * NB. This assumes OpenSSL has already verified that the public 2662 * point lies on the curve. This is done by EC_POINT_oct2point() 2663 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 2664 * reachable with public points not unmarshalled using 2665 * EC_POINT_oct2point then the caller will need to explicitly check. 2666 */ 2667 2668 /* Q != infinity */ 2669 if (EC_POINT_is_at_infinity(group, public)) 2670 goto out; 2671 2672 if ((x = BN_new()) == NULL || 2673 (y = BN_new()) == NULL || 2674 (order = BN_new()) == NULL || 2675 (tmp = BN_new()) == NULL) { 2676 ret = SSH_ERR_ALLOC_FAIL; 2677 goto out; 2678 } 2679 2680 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2681 if (EC_GROUP_get_order(group, order, NULL) != 1 || 2682 EC_POINT_get_affine_coordinates_GFp(group, public, 2683 x, y, NULL) != 1) { 2684 ret = SSH_ERR_LIBCRYPTO_ERROR; 2685 goto out; 2686 } 2687 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2688 BN_num_bits(y) <= BN_num_bits(order) / 2) 2689 goto out; 2690 2691 /* nQ == infinity (n == order of subgroup) */ 2692 if ((nq = EC_POINT_new(group)) == NULL) { 2693 ret = SSH_ERR_ALLOC_FAIL; 2694 goto out; 2695 } 2696 if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) { 2697 ret = SSH_ERR_LIBCRYPTO_ERROR; 2698 goto out; 2699 } 2700 if (EC_POINT_is_at_infinity(group, nq) != 1) 2701 goto out; 2702 2703 /* x < order - 1, y < order - 1 */ 2704 if (!BN_sub(tmp, order, BN_value_one())) { 2705 ret = SSH_ERR_LIBCRYPTO_ERROR; 2706 goto out; 2707 } 2708 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2709 goto out; 2710 ret = 0; 2711 out: 2712 BN_clear_free(x); 2713 BN_clear_free(y); 2714 BN_clear_free(order); 2715 BN_clear_free(tmp); 2716 EC_POINT_free(nq); 2717 return ret; 2718 } 2719 2720 int 2721 sshkey_ec_validate_private(const EC_KEY *key) 2722 { 2723 BIGNUM *order = NULL, *tmp = NULL; 2724 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2725 2726 if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) { 2727 ret = SSH_ERR_ALLOC_FAIL; 2728 goto out; 2729 } 2730 2731 /* log2(private) > log2(order)/2 */ 2732 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) { 2733 ret = SSH_ERR_LIBCRYPTO_ERROR; 2734 goto out; 2735 } 2736 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2737 BN_num_bits(order) / 2) 2738 goto out; 2739 2740 /* private < order - 1 */ 2741 if (!BN_sub(tmp, order, BN_value_one())) { 2742 ret = SSH_ERR_LIBCRYPTO_ERROR; 2743 goto out; 2744 } 2745 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2746 goto out; 2747 ret = 0; 2748 out: 2749 BN_clear_free(order); 2750 BN_clear_free(tmp); 2751 return ret; 2752 } 2753 2754 void 2755 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2756 { 2757 BIGNUM *x = NULL, *y = NULL; 2758 2759 if (point == NULL) { 2760 fputs("point=(NULL)\n", stderr); 2761 return; 2762 } 2763 if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) { 2764 fprintf(stderr, "%s: BN_new failed\n", __func__); 2765 goto out; 2766 } 2767 if (EC_POINT_get_affine_coordinates_GFp(group, point, 2768 x, y, NULL) != 1) { 2769 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2770 __func__); 2771 goto out; 2772 } 2773 fputs("x=", stderr); 2774 BN_print_fp(stderr, x); 2775 fputs("\ny=", stderr); 2776 BN_print_fp(stderr, y); 2777 fputs("\n", stderr); 2778 out: 2779 BN_clear_free(x); 2780 BN_clear_free(y); 2781 } 2782 2783 void 2784 sshkey_dump_ec_key(const EC_KEY *key) 2785 { 2786 const BIGNUM *exponent; 2787 2788 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2789 EC_KEY_get0_public_key(key)); 2790 fputs("exponent=", stderr); 2791 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2792 fputs("(NULL)", stderr); 2793 else 2794 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2795 fputs("\n", stderr); 2796 } 2797 #endif /* WITH_OPENSSL */ 2798 2799 static int 2800 sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, 2801 const char *passphrase, const char *comment, const char *ciphername, 2802 int rounds) 2803 { 2804 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2805 u_char salt[SALT_LEN]; 2806 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2807 u_int check; 2808 int r = SSH_ERR_INTERNAL_ERROR; 2809 struct sshcipher_ctx *ciphercontext = NULL; 2810 const struct sshcipher *cipher; 2811 const char *kdfname = KDFNAME; 2812 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2813 2814 if (rounds <= 0) 2815 rounds = DEFAULT_ROUNDS; 2816 if (passphrase == NULL || !strlen(passphrase)) { 2817 ciphername = "none"; 2818 kdfname = "none"; 2819 } else if (ciphername == NULL) 2820 ciphername = DEFAULT_CIPHERNAME; 2821 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2822 r = SSH_ERR_INVALID_ARGUMENT; 2823 goto out; 2824 } 2825 2826 if ((kdf = sshbuf_new()) == NULL || 2827 (encoded = sshbuf_new()) == NULL || 2828 (encrypted = sshbuf_new()) == NULL) { 2829 r = SSH_ERR_ALLOC_FAIL; 2830 goto out; 2831 } 2832 blocksize = cipher_blocksize(cipher); 2833 keylen = cipher_keylen(cipher); 2834 ivlen = cipher_ivlen(cipher); 2835 authlen = cipher_authlen(cipher); 2836 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2837 r = SSH_ERR_ALLOC_FAIL; 2838 goto out; 2839 } 2840 if (strcmp(kdfname, "bcrypt") == 0) { 2841 arc4random_buf(salt, SALT_LEN); 2842 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2843 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2844 r = SSH_ERR_INVALID_ARGUMENT; 2845 goto out; 2846 } 2847 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2848 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2849 goto out; 2850 } else if (strcmp(kdfname, "none") != 0) { 2851 /* Unsupported KDF type */ 2852 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2853 goto out; 2854 } 2855 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2856 key + keylen, ivlen, 1)) != 0) 2857 goto out; 2858 2859 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2860 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2861 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2862 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2863 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2864 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2865 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2866 goto out; 2867 2868 /* set up the buffer that will be encrypted */ 2869 2870 /* Random check bytes */ 2871 check = arc4random(); 2872 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2873 (r = sshbuf_put_u32(encrypted, check)) != 0) 2874 goto out; 2875 2876 /* append private key and comment*/ 2877 if ((r = sshkey_private_serialize_opt(prv, encrypted, 2878 SSHKEY_SERIALIZE_FULL)) != 0 || 2879 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2880 goto out; 2881 2882 /* padding */ 2883 i = 0; 2884 while (sshbuf_len(encrypted) % blocksize) { 2885 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2886 goto out; 2887 } 2888 2889 /* length in destination buffer */ 2890 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2891 goto out; 2892 2893 /* encrypt */ 2894 if ((r = sshbuf_reserve(encoded, 2895 sshbuf_len(encrypted) + authlen, &cp)) != 0) 2896 goto out; 2897 if ((r = cipher_crypt(ciphercontext, 0, cp, 2898 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 2899 goto out; 2900 2901 sshbuf_reset(blob); 2902 2903 /* assemble uuencoded key */ 2904 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 || 2905 (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || 2906 (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 2907 goto out; 2908 2909 /* success */ 2910 r = 0; 2911 2912 out: 2913 sshbuf_free(kdf); 2914 sshbuf_free(encoded); 2915 sshbuf_free(encrypted); 2916 cipher_free(ciphercontext); 2917 explicit_bzero(salt, sizeof(salt)); 2918 if (key != NULL) 2919 freezero(key, keylen + ivlen); 2920 if (pubkeyblob != NULL) 2921 freezero(pubkeyblob, pubkeylen); 2922 return r; 2923 } 2924 2925 static int 2926 private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) 2927 { 2928 const u_char *cp; 2929 size_t encoded_len; 2930 int r; 2931 u_char last; 2932 struct sshbuf *encoded = NULL, *decoded = NULL; 2933 2934 if (blob == NULL || decodedp == NULL) 2935 return SSH_ERR_INVALID_ARGUMENT; 2936 2937 *decodedp = NULL; 2938 2939 if ((encoded = sshbuf_new()) == NULL || 2940 (decoded = sshbuf_new()) == NULL) { 2941 r = SSH_ERR_ALLOC_FAIL; 2942 goto out; 2943 } 2944 2945 /* check preamble */ 2946 cp = sshbuf_ptr(blob); 2947 encoded_len = sshbuf_len(blob); 2948 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 2949 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 2950 r = SSH_ERR_INVALID_FORMAT; 2951 goto out; 2952 } 2953 cp += MARK_BEGIN_LEN; 2954 encoded_len -= MARK_BEGIN_LEN; 2955 2956 /* Look for end marker, removing whitespace as we go */ 2957 while (encoded_len > 0) { 2958 if (*cp != '\n' && *cp != '\r') { 2959 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 2960 goto out; 2961 } 2962 last = *cp; 2963 encoded_len--; 2964 cp++; 2965 if (last == '\n') { 2966 if (encoded_len >= MARK_END_LEN && 2967 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 2968 /* \0 terminate */ 2969 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 2970 goto out; 2971 break; 2972 } 2973 } 2974 } 2975 if (encoded_len == 0) { 2976 r = SSH_ERR_INVALID_FORMAT; 2977 goto out; 2978 } 2979 2980 /* decode base64 */ 2981 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 2982 goto out; 2983 2984 /* check magic */ 2985 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 2986 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 2987 r = SSH_ERR_INVALID_FORMAT; 2988 goto out; 2989 } 2990 /* success */ 2991 *decodedp = decoded; 2992 decoded = NULL; 2993 r = 0; 2994 out: 2995 sshbuf_free(encoded); 2996 sshbuf_free(decoded); 2997 return r; 2998 } 2999 3000 static int 3001 private2_decrypt(struct sshbuf *decoded, const char *passphrase, 3002 struct sshbuf **decryptedp, struct sshkey **pubkeyp) 3003 { 3004 char *ciphername = NULL, *kdfname = NULL; 3005 const struct sshcipher *cipher = NULL; 3006 int r = SSH_ERR_INTERNAL_ERROR; 3007 size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3008 struct sshbuf *kdf = NULL, *decrypted = NULL; 3009 struct sshcipher_ctx *ciphercontext = NULL; 3010 struct sshkey *pubkey = NULL; 3011 u_char *key = NULL, *salt = NULL, *dp; 3012 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3013 3014 if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL) 3015 return SSH_ERR_INVALID_ARGUMENT; 3016 3017 *decryptedp = NULL; 3018 *pubkeyp = NULL; 3019 3020 if ((decrypted = sshbuf_new()) == NULL) { 3021 r = SSH_ERR_ALLOC_FAIL; 3022 goto out; 3023 } 3024 3025 /* parse public portion of key */ 3026 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3027 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3028 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3029 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3030 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 3031 goto out; 3032 3033 if (nkeys != 1) { 3034 /* XXX only one key supported at present */ 3035 r = SSH_ERR_INVALID_FORMAT; 3036 goto out; 3037 } 3038 3039 if ((r = sshkey_froms(decoded, &pubkey)) != 0 || 3040 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3041 goto out; 3042 3043 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3044 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3045 goto out; 3046 } 3047 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3048 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3049 goto out; 3050 } 3051 if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { 3052 r = SSH_ERR_INVALID_FORMAT; 3053 goto out; 3054 } 3055 if ((passphrase == NULL || strlen(passphrase) == 0) && 3056 strcmp(kdfname, "none") != 0) { 3057 /* passphrase required */ 3058 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3059 goto out; 3060 } 3061 3062 /* check size of encrypted key blob */ 3063 blocksize = cipher_blocksize(cipher); 3064 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3065 r = SSH_ERR_INVALID_FORMAT; 3066 goto out; 3067 } 3068 3069 /* setup key */ 3070 keylen = cipher_keylen(cipher); 3071 ivlen = cipher_ivlen(cipher); 3072 authlen = cipher_authlen(cipher); 3073 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3074 r = SSH_ERR_ALLOC_FAIL; 3075 goto out; 3076 } 3077 if (strcmp(kdfname, "bcrypt") == 0) { 3078 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3079 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3080 goto out; 3081 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3082 key, keylen + ivlen, rounds) < 0) { 3083 r = SSH_ERR_INVALID_FORMAT; 3084 goto out; 3085 } 3086 } 3087 3088 /* check that an appropriate amount of auth data is present */ 3089 if (sshbuf_len(decoded) < authlen || 3090 sshbuf_len(decoded) - authlen < encrypted_len) { 3091 r = SSH_ERR_INVALID_FORMAT; 3092 goto out; 3093 } 3094 3095 /* decrypt private portion of key */ 3096 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3097 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3098 key + keylen, ivlen, 0)) != 0) 3099 goto out; 3100 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3101 encrypted_len, 0, authlen)) != 0) { 3102 /* an integrity error here indicates an incorrect passphrase */ 3103 if (r == SSH_ERR_MAC_INVALID) 3104 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3105 goto out; 3106 } 3107 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3108 goto out; 3109 /* there should be no trailing data */ 3110 if (sshbuf_len(decoded) != 0) { 3111 r = SSH_ERR_INVALID_FORMAT; 3112 goto out; 3113 } 3114 3115 /* check check bytes */ 3116 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3117 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3118 goto out; 3119 if (check1 != check2) { 3120 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3121 goto out; 3122 } 3123 /* success */ 3124 *decryptedp = decrypted; 3125 decrypted = NULL; 3126 *pubkeyp = pubkey; 3127 pubkey = NULL; 3128 r = 0; 3129 out: 3130 cipher_free(ciphercontext); 3131 free(ciphername); 3132 free(kdfname); 3133 sshkey_free(pubkey); 3134 if (salt != NULL) { 3135 explicit_bzero(salt, slen); 3136 free(salt); 3137 } 3138 if (key != NULL) { 3139 explicit_bzero(key, keylen + ivlen); 3140 free(key); 3141 } 3142 sshbuf_free(kdf); 3143 sshbuf_free(decrypted); 3144 return r; 3145 } 3146 3147 static int 3148 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3149 struct sshkey **keyp, char **commentp) 3150 { 3151 char *comment = NULL; 3152 int r = SSH_ERR_INTERNAL_ERROR; 3153 struct sshbuf *decoded = NULL, *decrypted = NULL; 3154 struct sshkey *k = NULL, *pubkey = NULL; 3155 3156 if (keyp != NULL) 3157 *keyp = NULL; 3158 if (commentp != NULL) 3159 *commentp = NULL; 3160 3161 /* Undo base64 encoding and decrypt the private section */ 3162 if ((r = private2_uudecode(blob, &decoded)) != 0 || 3163 (r = private2_decrypt(decoded, passphrase, 3164 &decrypted, &pubkey)) != 0) 3165 goto out; 3166 3167 if (type != KEY_UNSPEC && 3168 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 3169 r = SSH_ERR_KEY_TYPE_MISMATCH; 3170 goto out; 3171 } 3172 3173 /* Load the private key and comment */ 3174 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3175 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3176 goto out; 3177 3178 /* Check deterministic padding after private section */ 3179 if ((r = private2_check_padding(decrypted)) != 0) 3180 goto out; 3181 3182 /* Check that the public key in the envelope matches the private key */ 3183 if (!sshkey_equal(pubkey, k)) { 3184 r = SSH_ERR_INVALID_FORMAT; 3185 goto out; 3186 } 3187 3188 /* success */ 3189 r = 0; 3190 if (keyp != NULL) { 3191 *keyp = k; 3192 k = NULL; 3193 } 3194 if (commentp != NULL) { 3195 *commentp = comment; 3196 comment = NULL; 3197 } 3198 out: 3199 free(comment); 3200 sshbuf_free(decoded); 3201 sshbuf_free(decrypted); 3202 sshkey_free(k); 3203 sshkey_free(pubkey); 3204 return r; 3205 } 3206 3207 static int 3208 sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, 3209 struct sshkey **keyp) 3210 { 3211 int r = SSH_ERR_INTERNAL_ERROR; 3212 struct sshbuf *decoded = NULL; 3213 struct sshkey *pubkey = NULL; 3214 u_int nkeys = 0; 3215 3216 if (keyp != NULL) 3217 *keyp = NULL; 3218 3219 if ((r = private2_uudecode(blob, &decoded)) != 0) 3220 goto out; 3221 /* parse public key from unencrypted envelope */ 3222 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3223 (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */ 3224 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */ 3225 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */ 3226 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 3227 goto out; 3228 3229 if (nkeys != 1) { 3230 /* XXX only one key supported at present */ 3231 r = SSH_ERR_INVALID_FORMAT; 3232 goto out; 3233 } 3234 3235 /* Parse the public key */ 3236 if ((r = sshkey_froms(decoded, &pubkey)) != 0) 3237 goto out; 3238 3239 if (type != KEY_UNSPEC && 3240 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 3241 r = SSH_ERR_KEY_TYPE_MISMATCH; 3242 goto out; 3243 } 3244 3245 /* success */ 3246 r = 0; 3247 if (keyp != NULL) { 3248 *keyp = pubkey; 3249 pubkey = NULL; 3250 } 3251 out: 3252 sshbuf_free(decoded); 3253 sshkey_free(pubkey); 3254 return r; 3255 } 3256 3257 #ifdef WITH_OPENSSL 3258 /* convert SSH v2 key to PEM or PKCS#8 format */ 3259 static int 3260 sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, 3261 int format, const char *_passphrase, const char *comment) 3262 { 3263 int was_shielded = sshkey_is_shielded(key); 3264 int success, r; 3265 int blen, len = strlen(_passphrase); 3266 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3267 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3268 char *bptr; 3269 BIO *bio = NULL; 3270 struct sshbuf *blob; 3271 EVP_PKEY *pkey = NULL; 3272 3273 if (len > 0 && len <= 4) 3274 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3275 if ((blob = sshbuf_new()) == NULL) 3276 return SSH_ERR_ALLOC_FAIL; 3277 if ((bio = BIO_new(BIO_s_mem())) == NULL) { 3278 r = SSH_ERR_ALLOC_FAIL; 3279 goto out; 3280 } 3281 if ((r = sshkey_unshield_private(key)) != 0) 3282 goto out; 3283 3284 switch (key->type) { 3285 #ifdef WITH_DSA 3286 case KEY_DSA: 3287 if (format == SSHKEY_PRIVATE_PEM) { 3288 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3289 cipher, passphrase, len, NULL, NULL); 3290 } else { 3291 if ((pkey = EVP_PKEY_new()) == NULL) { 3292 r = SSH_ERR_ALLOC_FAIL; 3293 goto out; 3294 } 3295 success = EVP_PKEY_set1_DSA(pkey, key->dsa); 3296 } 3297 break; 3298 #endif 3299 case KEY_ECDSA: 3300 if (format == SSHKEY_PRIVATE_PEM) { 3301 success = PEM_write_bio_ECPrivateKey(bio, 3302 EVP_PKEY_get0_EC_KEY(key->pkey), 3303 cipher, passphrase, len, NULL, NULL); 3304 } else { 3305 pkey = key->pkey; 3306 EVP_PKEY_up_ref(key->pkey); 3307 success = 1; 3308 } 3309 break; 3310 case KEY_RSA: 3311 if (format == SSHKEY_PRIVATE_PEM) { 3312 success = PEM_write_bio_RSAPrivateKey(bio, 3313 EVP_PKEY_get0_RSA(key->pkey), 3314 cipher, passphrase, len, NULL, NULL); 3315 } else { 3316 pkey = key->pkey; 3317 EVP_PKEY_up_ref(key->pkey); 3318 success = 1; 3319 } 3320 break; 3321 default: 3322 success = 0; 3323 break; 3324 } 3325 if (success == 0) { 3326 r = SSH_ERR_LIBCRYPTO_ERROR; 3327 goto out; 3328 } 3329 if (format == SSHKEY_PRIVATE_PKCS8) { 3330 if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, 3331 passphrase, len, NULL, NULL)) == 0) { 3332 r = SSH_ERR_LIBCRYPTO_ERROR; 3333 goto out; 3334 } 3335 } 3336 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3337 r = SSH_ERR_INTERNAL_ERROR; 3338 goto out; 3339 } 3340 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3341 goto out; 3342 r = 0; 3343 out: 3344 if (was_shielded) 3345 r = sshkey_shield_private(key); 3346 if (r == 0) 3347 r = sshbuf_putb(buf, blob); 3348 3349 EVP_PKEY_free(pkey); 3350 sshbuf_free(blob); 3351 BIO_free(bio); 3352 return r; 3353 } 3354 #endif /* WITH_OPENSSL */ 3355 3356 /* Serialise "key" to buffer "blob" */ 3357 int 3358 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3359 const char *passphrase, const char *comment, 3360 int format, const char *openssh_format_cipher, int openssh_format_rounds) 3361 { 3362 switch (key->type) { 3363 #ifdef WITH_OPENSSL 3364 case KEY_DSA: 3365 case KEY_ECDSA: 3366 case KEY_RSA: 3367 break; /* see below */ 3368 #endif /* WITH_OPENSSL */ 3369 case KEY_ED25519: 3370 case KEY_ED25519_SK: 3371 #ifdef WITH_XMSS 3372 case KEY_XMSS: 3373 #endif /* WITH_XMSS */ 3374 #ifdef WITH_OPENSSL 3375 case KEY_ECDSA_SK: 3376 #endif /* WITH_OPENSSL */ 3377 return sshkey_private_to_blob2(key, blob, passphrase, 3378 comment, openssh_format_cipher, openssh_format_rounds); 3379 default: 3380 return SSH_ERR_KEY_TYPE_UNKNOWN; 3381 } 3382 3383 #ifdef WITH_OPENSSL 3384 switch (format) { 3385 case SSHKEY_PRIVATE_OPENSSH: 3386 return sshkey_private_to_blob2(key, blob, passphrase, 3387 comment, openssh_format_cipher, openssh_format_rounds); 3388 case SSHKEY_PRIVATE_PEM: 3389 case SSHKEY_PRIVATE_PKCS8: 3390 return sshkey_private_to_blob_pem_pkcs8(key, blob, 3391 format, passphrase, comment); 3392 default: 3393 return SSH_ERR_INVALID_ARGUMENT; 3394 } 3395 #endif /* WITH_OPENSSL */ 3396 } 3397 3398 #ifdef WITH_OPENSSL 3399 static int 3400 translate_libcrypto_error(unsigned long pem_err) 3401 { 3402 int pem_reason = ERR_GET_REASON(pem_err); 3403 3404 switch (ERR_GET_LIB(pem_err)) { 3405 case ERR_LIB_PEM: 3406 switch (pem_reason) { 3407 case PEM_R_BAD_PASSWORD_READ: 3408 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3409 case PEM_R_BAD_DECRYPT: 3410 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3411 default: 3412 return SSH_ERR_INVALID_FORMAT; 3413 } 3414 case ERR_LIB_EVP: 3415 switch (pem_reason) { 3416 case EVP_R_BAD_DECRYPT: 3417 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3418 #ifdef EVP_R_BN_DECODE_ERROR 3419 case EVP_R_BN_DECODE_ERROR: 3420 #endif 3421 case EVP_R_DECODE_ERROR: 3422 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3423 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3424 #endif 3425 return SSH_ERR_INVALID_FORMAT; 3426 default: 3427 return SSH_ERR_LIBCRYPTO_ERROR; 3428 } 3429 case ERR_LIB_ASN1: 3430 return SSH_ERR_INVALID_FORMAT; 3431 } 3432 return SSH_ERR_LIBCRYPTO_ERROR; 3433 } 3434 3435 static void 3436 clear_libcrypto_errors(void) 3437 { 3438 while (ERR_get_error() != 0) 3439 ; 3440 } 3441 3442 /* 3443 * Translate OpenSSL error codes to determine whether 3444 * passphrase is required/incorrect. 3445 */ 3446 static int 3447 convert_libcrypto_error(void) 3448 { 3449 /* 3450 * Some password errors are reported at the beginning 3451 * of the error queue. 3452 */ 3453 if (translate_libcrypto_error(ERR_peek_error()) == 3454 SSH_ERR_KEY_WRONG_PASSPHRASE) 3455 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3456 return translate_libcrypto_error(ERR_peek_last_error()); 3457 } 3458 3459 static int 3460 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3461 const char *passphrase, struct sshkey **keyp) 3462 { 3463 EVP_PKEY *pk = NULL; 3464 struct sshkey *prv = NULL; 3465 BIO *bio = NULL; 3466 int r; 3467 RSA *rsa = NULL; 3468 EC_KEY *ecdsa = NULL; 3469 3470 if (keyp != NULL) 3471 *keyp = NULL; 3472 3473 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3474 return SSH_ERR_ALLOC_FAIL; 3475 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3476 (int)sshbuf_len(blob)) { 3477 r = SSH_ERR_ALLOC_FAIL; 3478 goto out; 3479 } 3480 3481 clear_libcrypto_errors(); 3482 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3483 (char *)passphrase)) == NULL) { 3484 /* 3485 * libcrypto may return various ASN.1 errors when attempting 3486 * to parse a key with an incorrect passphrase. 3487 * Treat all format errors as "incorrect passphrase" if a 3488 * passphrase was supplied. 3489 */ 3490 if (passphrase != NULL && *passphrase != '\0') 3491 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3492 else 3493 r = convert_libcrypto_error(); 3494 goto out; 3495 } 3496 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 3497 (type == KEY_UNSPEC || type == KEY_RSA)) { 3498 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3499 r = SSH_ERR_ALLOC_FAIL; 3500 goto out; 3501 } 3502 if ((rsa = EVP_PKEY_get1_RSA(pk)) == NULL) { 3503 r = SSH_ERR_LIBCRYPTO_ERROR; 3504 goto out; 3505 } 3506 prv->type = KEY_RSA; 3507 #ifdef DEBUG_PK 3508 RSA_print_fp(stderr, rsa, 8); 3509 #endif 3510 if (RSA_blinding_on(rsa, NULL) != 1 || 3511 EVP_PKEY_set1_RSA(pk, rsa) != 1) { 3512 r = SSH_ERR_LIBCRYPTO_ERROR; 3513 goto out; 3514 } 3515 EVP_PKEY_up_ref(pk); 3516 prv->pkey = pk; 3517 if ((r = sshkey_check_rsa_length(prv, 0)) != 0) 3518 goto out; 3519 #ifdef WITH_DSA 3520 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 3521 (type == KEY_UNSPEC || type == KEY_DSA)) { 3522 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3523 r = SSH_ERR_ALLOC_FAIL; 3524 goto out; 3525 } 3526 prv->dsa = EVP_PKEY_get1_DSA(pk); 3527 prv->type = KEY_DSA; 3528 #ifdef DEBUG_PK 3529 DSA_print_fp(stderr, prv->dsa, 8); 3530 #endif 3531 #endif 3532 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 3533 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3534 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3535 r = SSH_ERR_ALLOC_FAIL; 3536 goto out; 3537 } 3538 if ((prv->ecdsa_nid = sshkey_ecdsa_fixup_group(pk)) == -1 || 3539 (ecdsa = EVP_PKEY_get1_EC_KEY(pk)) == NULL) { 3540 r = SSH_ERR_LIBCRYPTO_ERROR; 3541 goto out; 3542 } 3543 prv->type = KEY_ECDSA; 3544 if (sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3545 sshkey_ec_validate_public(EC_KEY_get0_group(ecdsa), 3546 EC_KEY_get0_public_key(ecdsa)) != 0 || 3547 sshkey_ec_validate_private(ecdsa) != 0) { 3548 r = SSH_ERR_INVALID_FORMAT; 3549 goto out; 3550 } 3551 EVP_PKEY_up_ref(pk); 3552 prv->pkey = pk; 3553 #ifdef DEBUG_PK 3554 if (prv != NULL && prv->pkey != NULL) 3555 sshkey_dump_ec_key(EVP_PKEY_get0_EC_KEY(prv->pkey)); 3556 #endif 3557 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_ED25519 && 3558 (type == KEY_UNSPEC || type == KEY_ED25519)) { 3559 size_t len; 3560 3561 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL || 3562 (prv->ed25519_sk = calloc(1, ED25519_SK_SZ)) == NULL || 3563 (prv->ed25519_pk = calloc(1, ED25519_PK_SZ)) == NULL) { 3564 r = SSH_ERR_ALLOC_FAIL; 3565 goto out; 3566 } 3567 prv->type = KEY_ED25519; 3568 len = ED25519_PK_SZ; 3569 if (!EVP_PKEY_get_raw_public_key(pk, prv->ed25519_pk, &len)) { 3570 r = SSH_ERR_LIBCRYPTO_ERROR; 3571 goto out; 3572 } 3573 if (len != ED25519_PK_SZ) { 3574 r = SSH_ERR_INVALID_FORMAT; 3575 goto out; 3576 } 3577 len = ED25519_SK_SZ - ED25519_PK_SZ; 3578 if (!EVP_PKEY_get_raw_private_key(pk, prv->ed25519_sk, &len)) { 3579 r = SSH_ERR_LIBCRYPTO_ERROR; 3580 goto out; 3581 } 3582 if (len != ED25519_SK_SZ - ED25519_PK_SZ) { 3583 r = SSH_ERR_INVALID_FORMAT; 3584 goto out; 3585 } 3586 /* Append the public key to our private key */ 3587 memcpy(prv->ed25519_sk + (ED25519_SK_SZ - ED25519_PK_SZ), 3588 prv->ed25519_pk, ED25519_PK_SZ); 3589 #ifdef DEBUG_PK 3590 sshbuf_dump_data(prv->ed25519_sk, ED25519_SK_SZ, stderr); 3591 #endif 3592 } else { 3593 r = SSH_ERR_INVALID_FORMAT; 3594 goto out; 3595 } 3596 r = 0; 3597 if (keyp != NULL) { 3598 *keyp = prv; 3599 prv = NULL; 3600 } 3601 out: 3602 BIO_free(bio); 3603 EVP_PKEY_free(pk); 3604 RSA_free(rsa); 3605 EC_KEY_free(ecdsa); 3606 sshkey_free(prv); 3607 return r; 3608 } 3609 #endif /* WITH_OPENSSL */ 3610 3611 int 3612 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3613 const char *passphrase, struct sshkey **keyp, char **commentp) 3614 { 3615 int r = SSH_ERR_INTERNAL_ERROR; 3616 3617 if (keyp != NULL) 3618 *keyp = NULL; 3619 if (commentp != NULL) 3620 *commentp = NULL; 3621 3622 switch (type) { 3623 case KEY_XMSS: 3624 /* No fallback for new-format-only keys */ 3625 return sshkey_parse_private2(blob, type, passphrase, 3626 keyp, commentp); 3627 default: 3628 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3629 commentp); 3630 /* Only fallback to PEM parser if a format error occurred. */ 3631 if (r != SSH_ERR_INVALID_FORMAT) 3632 return r; 3633 #ifdef WITH_OPENSSL 3634 return sshkey_parse_private_pem_fileblob(blob, type, 3635 passphrase, keyp); 3636 #else 3637 return SSH_ERR_INVALID_FORMAT; 3638 #endif /* WITH_OPENSSL */ 3639 } 3640 } 3641 3642 int 3643 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3644 struct sshkey **keyp, char **commentp) 3645 { 3646 if (keyp != NULL) 3647 *keyp = NULL; 3648 if (commentp != NULL) 3649 *commentp = NULL; 3650 3651 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3652 passphrase, keyp, commentp); 3653 } 3654 3655 void 3656 sshkey_sig_details_free(struct sshkey_sig_details *details) 3657 { 3658 freezero(details, sizeof(*details)); 3659 } 3660 3661 int 3662 sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, 3663 struct sshkey **pubkeyp) 3664 { 3665 int r = SSH_ERR_INTERNAL_ERROR; 3666 3667 if (pubkeyp != NULL) 3668 *pubkeyp = NULL; 3669 /* only new-format private keys bundle a public key inside */ 3670 if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) 3671 return r; 3672 return 0; 3673 } 3674 3675 #ifdef WITH_XMSS 3676 /* 3677 * serialize the key with the current state and forward the state 3678 * maxsign times. 3679 */ 3680 int 3681 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 3682 u_int32_t maxsign, int printerror) 3683 { 3684 int r, rupdate; 3685 3686 if (maxsign == 0 || 3687 sshkey_type_plain(k->type) != KEY_XMSS) 3688 return sshkey_private_serialize_opt(k, b, 3689 SSHKEY_SERIALIZE_DEFAULT); 3690 if ((r = sshkey_xmss_get_state(k, printerror)) != 0 || 3691 (r = sshkey_private_serialize_opt(k, b, 3692 SSHKEY_SERIALIZE_STATE)) != 0 || 3693 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 3694 goto out; 3695 r = 0; 3696 out: 3697 if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) { 3698 if (r == 0) 3699 r = rupdate; 3700 } 3701 return r; 3702 } 3703 3704 u_int32_t 3705 sshkey_signatures_left(const struct sshkey *k) 3706 { 3707 if (sshkey_type_plain(k->type) == KEY_XMSS) 3708 return sshkey_xmss_signatures_left(k); 3709 return 0; 3710 } 3711 3712 int 3713 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 3714 { 3715 if (sshkey_type_plain(k->type) != KEY_XMSS) 3716 return SSH_ERR_INVALID_ARGUMENT; 3717 return sshkey_xmss_enable_maxsign(k, maxsign); 3718 } 3719 3720 int 3721 sshkey_set_filename(struct sshkey *k, const char *filename) 3722 { 3723 if (k == NULL) 3724 return SSH_ERR_INVALID_ARGUMENT; 3725 if (sshkey_type_plain(k->type) != KEY_XMSS) 3726 return 0; 3727 if (filename == NULL) 3728 return SSH_ERR_INVALID_ARGUMENT; 3729 if ((k->xmss_filename = strdup(filename)) == NULL) 3730 return SSH_ERR_ALLOC_FAIL; 3731 return 0; 3732 } 3733 #else 3734 int 3735 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 3736 u_int32_t maxsign, int printerror) 3737 { 3738 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 3739 } 3740 3741 u_int32_t 3742 sshkey_signatures_left(const struct sshkey *k) 3743 { 3744 return 0; 3745 } 3746 3747 int 3748 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 3749 { 3750 return SSH_ERR_INVALID_ARGUMENT; 3751 } 3752 3753 int 3754 sshkey_set_filename(struct sshkey *k, const char *filename) 3755 { 3756 if (k == NULL) 3757 return SSH_ERR_INVALID_ARGUMENT; 3758 return 0; 3759 } 3760 #endif /* WITH_XMSS */ 3761