xref: /netbsd-src/crypto/external/bsd/netpgp/dist/src/lib/ssh2pgp.c (revision 7302906d5871edbdeb43f0cd6c53ec3bb7208e0a)

/*-
 * Copyright (c) 2009 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Alistair Crooks (agc@NetBSD.org)
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
#include "config.h"

#ifdef HAVE_SYS_CDEFS_H
#include <sys/cdefs.h>
#endif

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <ctype.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif

#ifdef HAVE_LIMITS_H
#include <limits.h>
#endif

#ifdef HAVE_OPENSSL_CAST_H
#include <openssl/cast.h>
#endif

#include <openssl/pem.h>

#include "bufgap.h"

#include "packet-parse.h"
#include "netpgpdefs.h"
#include "netpgpsdk.h"
#include "crypto.h"
#include "netpgpdigest.h"
#include "ssh2pgp.h"

/* structure for earching for constant strings */
typedef struct str_t {
	const char	*s;		/* string */
	size_t		 len;		/* its length */
	int		 type;		/* return type */
} str_t;

#ifndef USE_ARG
#define USE_ARG(x)	/*LINTED*/(void)&x
#endif

static const uint8_t	base64s[] =
/* 000 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 016 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 032 */       "\0\0\0\0\0\0\0\0\0\0\0?\0\0\0@"
/* 048 */       "56789:;<=>\0\0\0\0\0\0"
/* 064 */       "\0\1\2\3\4\5\6\7\10\11\12\13\14\15\16\17"
/* 080 */       "\20\21\22\23\24\25\26\27\30\31\32\0\0\0\0\0"
/* 096 */       "\0\33\34\35\36\37 !\"#$%&'()"
/* 112 */       "*+,-./01234\0\0\0\0\0"
/* 128 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 144 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 160 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 176 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 192 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 208 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 224 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
/* 240 */       "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";


/* short function to decode from base64 */
/* inspired by an ancient copy of b64.c, then rewritten, the bugs are all mine */
static int
frombase64(char *dst, const char *src, size_t size, int flag)
{
	uint8_t	out[3];
	uint8_t	in[4];
	uint8_t	b;
	size_t	srcc;
	int	dstc;
	int	gotc;
	int	i;

	USE_ARG(flag);
	for (dstc = 0, srcc = 0 ; srcc < size; ) {
		for (gotc = 0, i = 0; i < 4 && srcc < size; i++) {
			for (b = 0x0; srcc < size && b == 0x0 ; ) {
				b = base64s[(unsigned)src[srcc++]];
			}
			if (srcc < size) {
				gotc += 1;
				if (b) {
					in[i] = (uint8_t)(b - 1);
				}
			} else {
				in[i] = 0x0;
			}
		}
		if (gotc) {
			out[0] = (uint8_t)((unsigned)in[0] << 2 |
						(unsigned)in[1] >> 4);
			out[1] = (uint8_t)((unsigned)in[1] << 4 |
						(unsigned)in[2] >> 2);
			out[2] = (uint8_t)(((in[2] << 6) & 0xc0) | in[3]);
			for (i = 0; i < gotc - 1; i++) {
				*dst++ = out[i];
			}
			dstc += gotc - 1;
		}
	}
	return dstc;
}

/* get a bignum from the buffer gap */
static BIGNUM *
getbignum(bufgap_t *bg, char *buf, const char *header)
{
	uint32_t	 len;
	BIGNUM		*bignum;

	(void) bufgap_getbin(bg, &len, sizeof(len));
	len = ntohl(len);
	(void) bufgap_seek(bg, sizeof(len), BGFromHere, BGByte);
	(void) bufgap_getbin(bg, buf, len);
	bignum = BN_bin2bn((const uint8_t *)buf, (int)len, NULL);
	if (pgp_get_debug_level(__FILE__)) {
		hexdump(stderr, header, (const uint8_t *)(void *)buf, len);
	}
	(void) bufgap_seek(bg, len, BGFromHere, BGByte);
	return bignum;
}

#if 0
static int
putbignum(bufgap_t *bg, BIGNUM *bignum)
{
	uint32_t	 len;

	len = BN_num_bytes(bignum);
	(void) bufgap_insert(bg, &len, sizeof(len));
	(void) bufgap_insert(bg, buf, len);
	bignum = BN_bin2bn((const uint8_t *)buf, (int)len, NULL);
	if (pgp_get_debug_level(__FILE__)) {
		hexdump(stderr, header, buf, (int)len);
	}
	(void) bufgap_seek(bg, len, BGFromHere, BGByte);
	return bignum;
}
#endif

static str_t	pkatypes[] = {
	{	"ssh-rsa",	7,	PGP_PKA_RSA	},
	{	"ssh-dss",	7,	PGP_PKA_DSA	},
	{	"ssh-dsa",	7,	PGP_PKA_DSA	},
	{	NULL,		0,	0		}
};

/* look for a string in the given array */
static int
findstr(str_t *array, const char *name)
{
	str_t	*sp;

	for (sp = array ; sp->s ; sp++) {
		if (strncmp(name, sp->s, sp->len) == 0) {
			return sp->type;
		}
	}
	return -1;
}

/* convert an ssh (host) pubkey to a pgp pubkey */
int
pgp_ssh2pubkey(pgp_io_t *io, const char *f, pgp_key_t *key, pgp_hash_alg_t hashtype)
{
	pgp_pubkey_t	*pubkey;
	struct stat	 st;
	bufgap_t	 bg;
	uint32_t	 len;
	int64_t		 off;
	uint8_t		*userid;
	char		 hostname[256];
	char		 owner[256];
	char		*space;
	char	 	*buf;
	char	 	*bin;
	int		 ok;
	int		 cc;

	(void) memset(&bg, 0x0, sizeof(bg));
	if (!bufgap_open(&bg, f)) {
		(void) fprintf(stderr, "pgp_ssh2pubkey: can't open '%s'\n", f);
		return 0;
	}
	(void)stat(f, &st);
	if ((buf = calloc(1, (size_t)st.st_size)) == NULL) {
		(void) fprintf(stderr, "can't calloc %zu bytes for '%s'\n", (size_t)st.st_size, f);
		bufgap_close(&bg);
		return 0;
	}
	if ((bin = calloc(1, (size_t)st.st_size)) == NULL) {
		(void) fprintf(stderr, "can't calloc %zu bytes for '%s'\n", (size_t)st.st_size, f);
		(void) free(buf);
		bufgap_close(&bg);
		return 0;
	}

	/* move past ascii type of key */
	while (bufgap_peek(&bg, 0) != ' ') {
		bufgap_seek(&bg, 1, BGFromHere, BGByte);
	}
	bufgap_seek(&bg, 1, BGFromHere, BGByte);
	off = bufgap_tell(&bg, BGFromBOF, BGByte);

	if (bufgap_size(&bg, BGByte) - off < 10) {
		(void) fprintf(stderr, "bad key file '%s'\n", f);
		(void) free(buf);
		bufgap_close(&bg);
		return 0;
	}

	/* convert from base64 to binary */
	cc = bufgap_getbin(&bg, buf, (size_t)bg.bcc);
	if ((space = strchr(buf, ' ')) != NULL) {
		cc = (int)(space - buf);
	}
	if (pgp_get_debug_level(__FILE__)) {
		hexdump(stderr, NULL, (const uint8_t *)(const void *)buf, (size_t)cc);
	}
	cc = frombase64(bin, buf, (size_t)cc, 0);
	if (pgp_get_debug_level(__FILE__)) {
		hexdump(stderr, "decoded base64:", (const uint8_t *)(const void *)bin, (size_t)cc);
	}
	bufgap_delete(&bg, (uint64_t)bufgap_tell(&bg, BGFromEOF, BGByte));
	bufgap_insert(&bg, bin, cc);
	bufgap_seek(&bg, off, BGFromBOF, BGByte);

	/* get the type of key */
	(void) bufgap_getbin(&bg, &len, sizeof(len));
	len = ntohl(len);
	(void) bufgap_seek(&bg, sizeof(len), BGFromHere, BGByte);
	(void) bufgap_getbin(&bg, buf, len);
	(void) bufgap_seek(&bg, len, BGFromHere, BGByte);

	(void) memset(key, 0x0, sizeof(*key));
	pubkey = &key->key.seckey.pubkey;
	pubkey->version = PGP_V4;
	pubkey->birthtime = 0;
	/* get key type */
	ok = 1;
	switch (pubkey->alg = findstr(pkatypes, buf)) {
	case PGP_PKA_RSA:
		/* get the 'e' param of the key */
		pubkey->key.rsa.e = getbignum(&bg, buf, "RSA E");
		/* get the 'n' param of the key */
		pubkey->key.rsa.n = getbignum(&bg, buf, "RSA N");
		break;
	case PGP_PKA_DSA:
		/* get the 'p' param of the key */
		pubkey->key.dsa.p = getbignum(&bg, buf, "DSA P");
		/* get the 'q' param of the key */
		pubkey->key.dsa.q = getbignum(&bg, buf, "DSA Q");
		/* get the 'g' param of the key */
		pubkey->key.dsa.g = getbignum(&bg, buf, "DSA G");
		/* get the 'y' param of the key */
		pubkey->key.dsa.y = getbignum(&bg, buf, "DSA Y");
		break;
	default:
		(void) fprintf(stderr, "Unrecognised pubkey type %d for '%s'\n",
				pubkey->alg, f);
		ok = 0;
		break;
	}

	/* check for stragglers */
	if (ok && bufgap_tell(&bg, BGFromEOF, BGByte) > 0) {
		printf("%"PRIi64" bytes left\n", bufgap_tell(&bg, BGFromEOF, BGByte));
		printf("[%s]\n", bufgap_getstr(&bg));
		ok = 0;
	}
	if (ok) {
		(void) memset(&userid, 0x0, sizeof(userid));
		(void) gethostname(hostname, sizeof(hostname));
		if (strlen(space + 1) - 1 == 0) {
			(void) snprintf(owner, sizeof(owner), "<root@%s>",
					hostname);
		} else {
			(void) snprintf(owner, sizeof(owner), "<%.*s>",
				(int)strlen(space + 1) - 1,
				space + 1);
		}
		(void) pgp_asprintf((char **)(void *)&userid,
						"%s (%s) %s",
						hostname,
						f,
						owner);
		pgp_keyid(key->sigid, sizeof(key->sigid), pubkey, hashtype);
		pgp_add_userid(key, userid);
		pgp_fingerprint(&key->sigfingerprint, pubkey, hashtype);
		free(userid);
		if (pgp_get_debug_level(__FILE__)) {
			/*pgp_print_keydata(io, keyring, key, "pub", pubkey, 0);*/
			__PGP_USED(io); /* XXX */
		}
	}
	(void) free(bin);
	(void) free(buf);
	bufgap_close(&bg);
	return ok;
}

/* convert an ssh (host) seckey to a pgp seckey */
int
pgp_ssh2seckey(pgp_io_t *io, const char *f, pgp_key_t *key, pgp_pubkey_t *pubkey, pgp_hash_alg_t hashtype)
{
	pgp_crypt_t	crypted;
	pgp_hash_t	hash;
	unsigned	done = 0;
	unsigned	i = 0;
	uint8_t		sesskey[CAST_KEY_LENGTH];
	uint8_t		hashed[PGP_SHA1_HASH_SIZE];
	BIGNUM		*tmp;

	__PGP_USED(io);
	/* XXX - check for rsa/dsa */
	if (!openssl_read_pem_seckey(f, key, "ssh-rsa", 0)) {
		return 0;
	}
	if (pgp_get_debug_level(__FILE__)) {
		/*pgp_print_keydata(io, key, "sec", &key->key.seckey.pubkey, 0);*/
		/* XXX */
	}
	/* let's add some sane defaults */
	(void) memcpy(&key->key.seckey.pubkey, pubkey, sizeof(*pubkey));
	key->key.seckey.s2k_usage = PGP_S2KU_ENCRYPTED_AND_HASHED;
	key->key.seckey.alg = PGP_SA_CAST5;
	key->key.seckey.s2k_specifier = PGP_S2KS_SALTED;
	key->key.seckey.hash_alg = PGP_HASH_SHA1;
	if (key->key.seckey.pubkey.alg == PGP_PKA_RSA) {
		/* openssh and openssl have p and q swapped */
		tmp = key->key.seckey.key.rsa.p;
		key->key.seckey.key.rsa.p = key->key.seckey.key.rsa.q;
		key->key.seckey.key.rsa.q = tmp;
	}
	for (done = 0, i = 0; done < CAST_KEY_LENGTH; i++) {
		unsigned 	j;
		uint8_t		zero = 0;
		int             needed;
		int             size;

		needed = CAST_KEY_LENGTH - done;
		size = MIN(needed, PGP_SHA1_HASH_SIZE);

		pgp_hash_any(&hash, key->key.seckey.hash_alg);
		if (!hash.init(&hash)) {
			(void) fprintf(stderr, "write_seckey_body: bad alloc\n");
			return 0;
		}

		/* preload if iterating  */
		for (j = 0; j < i; j++) {
			/*
			 * Coverity shows a DEADCODE error on this
			 * line. This is expected since the hardcoded
			 * use of SHA1 and CAST5 means that it will
			 * not used. This will change however when
			 * other algorithms are supported.
			 */
			hash.add(&hash, &zero, 1);
		}

		if (key->key.seckey.s2k_specifier == PGP_S2KS_SALTED) {
			hash.add(&hash, key->key.seckey.salt, PGP_SALT_SIZE);
		}
		hash.finish(&hash, hashed);

		/*
		 * if more in hash than is needed by session key, use
		 * the leftmost octets
		 */
		(void) memcpy(&sesskey[i * PGP_SHA1_HASH_SIZE],
				hashed, (unsigned)size);
		done += (unsigned)size;
		if (done > CAST_KEY_LENGTH) {
			(void) fprintf(stderr,
				"write_seckey_body: short add\n");
			return 0;
		}
	}
	pgp_crypt_any(&crypted, key->key.seckey.alg);
	crypted.set_iv(&crypted, key->key.seckey.iv);
	crypted.set_crypt_key(&crypted, sesskey);
	pgp_encrypt_init(&crypted);
	key->key.seckey.pubkey.alg = PGP_PKA_RSA;
	pgp_fingerprint(&key->sigfingerprint, pubkey, hashtype);
	pgp_keyid(key->sigid, sizeof(key->sigid), pubkey, hashtype);
	return 1;
}

/* read a key from the ssh file, and add it to a keyring */
int
pgp_ssh2_readkeys(pgp_io_t *io, pgp_keyring_t *pubring,
		pgp_keyring_t *secring, const char *pubfile,
		const char *secfile, unsigned hashtype)
{
	pgp_key_t		*pubkey;
	pgp_key_t		*seckey;
	pgp_key_t		 key;

	pubkey = NULL;
	(void) memset(&key, 0x0, sizeof(key));
	if (pubfile) {
		if (pgp_get_debug_level(__FILE__)) {
			(void) fprintf(io->errs, "pgp_ssh2_readkeys: pubfile '%s'\n", pubfile);
		}
		if (!pgp_ssh2pubkey(io, pubfile, &key, (pgp_hash_alg_t)hashtype)) {
			(void) fprintf(io->errs, "pgp_ssh2_readkeys: can't read pubkeys '%s'\n", pubfile);
			return 0;
		}
		EXPAND_ARRAY(pubring, key);
		pubkey = &pubring->keys[pubring->keyc++];
		(void) memcpy(pubkey, &key, sizeof(key));
		pubkey->type = PGP_PTAG_CT_PUBLIC_KEY;
	}
	if (secfile) {
		if (pgp_get_debug_level(__FILE__)) {
			(void) fprintf(io->errs, "pgp_ssh2_readkeys: secfile '%s'\n", secfile);
		}
		if (pubkey == NULL) {
			pubkey = &pubring->keys[0];
		}
		if (!pgp_ssh2seckey(io, secfile, &key, &pubkey->key.pubkey, (pgp_hash_alg_t)hashtype)) {
			(void) fprintf(io->errs, "pgp_ssh2_readkeys: can't read seckeys '%s'\n", secfile);
			return 0;
		}
		EXPAND_ARRAY(secring, key);
		seckey = &secring->keys[secring->keyc++];
		(void) memcpy(seckey, &key, sizeof(key));
		seckey->type = PGP_PTAG_CT_SECRET_KEY;
	}
	return 1;
}