1 /* $OpenBSD: sshkey.c,v 1.54 2017/07/01 13:50:45 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <netinet/in.h> 30 31 #ifdef WITH_OPENSSL 32 #include <openssl/evp.h> 33 #include <openssl/err.h> 34 #include <openssl/pem.h> 35 #endif 36 37 #include "crypto_api.h" 38 39 #include <errno.h> 40 #include <stdio.h> 41 #include <string.h> 42 #include <util.h> 43 #include <limits.h> 44 #include <resolv.h> 45 46 #include "ssh2.h" 47 #include "ssherr.h" 48 #include "misc.h" 49 #include "sshbuf.h" 50 #include "cipher.h" 51 #include "digest.h" 52 #define SSHKEY_INTERNAL 53 #include "sshkey.h" 54 #include "match.h" 55 56 /* openssh private key file format */ 57 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 58 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 59 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 60 #define MARK_END_LEN (sizeof(MARK_END) - 1) 61 #define KDFNAME "bcrypt" 62 #define AUTH_MAGIC "openssh-key-v1" 63 #define SALT_LEN 16 64 #define DEFAULT_CIPHERNAME "aes256-cbc" 65 #define DEFAULT_ROUNDS 16 66 67 /* Version identification string for SSH v1 identity files. */ 68 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 69 70 static int sshkey_from_blob_internal(struct sshbuf *buf, 71 struct sshkey **keyp, int allow_cert); 72 73 /* Supported key types */ 74 struct keytype { 75 const char *name; 76 const char *shortname; 77 int type; 78 int nid; 79 int cert; 80 int sigonly; 81 }; 82 static const struct keytype keytypes[] = { 83 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, 84 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 85 KEY_ED25519_CERT, 0, 1, 0 }, 86 #ifdef WITH_OPENSSL 87 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, 88 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, 89 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, 90 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, 91 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 92 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, 93 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, 94 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, 95 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, 96 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 97 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 98 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 99 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 100 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 101 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 102 #endif /* WITH_OPENSSL */ 103 { NULL, NULL, -1, -1, 0, 0 } 104 }; 105 106 const char * 107 sshkey_type(const struct sshkey *k) 108 { 109 const struct keytype *kt; 110 111 for (kt = keytypes; kt->type != -1; kt++) { 112 if (kt->type == k->type) 113 return kt->shortname; 114 } 115 return "unknown"; 116 } 117 118 static const char * 119 sshkey_ssh_name_from_type_nid(int type, int nid) 120 { 121 const struct keytype *kt; 122 123 for (kt = keytypes; kt->type != -1; kt++) { 124 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 125 return kt->name; 126 } 127 return "ssh-unknown"; 128 } 129 130 int 131 sshkey_type_is_cert(int type) 132 { 133 const struct keytype *kt; 134 135 for (kt = keytypes; kt->type != -1; kt++) { 136 if (kt->type == type) 137 return kt->cert; 138 } 139 return 0; 140 } 141 142 const char * 143 sshkey_ssh_name(const struct sshkey *k) 144 { 145 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 146 } 147 148 const char * 149 sshkey_ssh_name_plain(const struct sshkey *k) 150 { 151 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 152 k->ecdsa_nid); 153 } 154 155 int 156 sshkey_type_from_name(const char *name) 157 { 158 const struct keytype *kt; 159 160 for (kt = keytypes; kt->type != -1; kt++) { 161 /* Only allow shortname matches for plain key types */ 162 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 163 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 164 return kt->type; 165 } 166 return KEY_UNSPEC; 167 } 168 169 int 170 sshkey_ecdsa_nid_from_name(const char *name) 171 { 172 const struct keytype *kt; 173 174 for (kt = keytypes; kt->type != -1; kt++) { 175 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 176 continue; 177 if (kt->name != NULL && strcmp(name, kt->name) == 0) 178 return kt->nid; 179 } 180 return -1; 181 } 182 183 char * 184 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 185 { 186 char *tmp, *ret = NULL; 187 size_t nlen, rlen = 0; 188 const struct keytype *kt; 189 190 for (kt = keytypes; kt->type != -1; kt++) { 191 if (kt->name == NULL) 192 continue; 193 if (!include_sigonly && kt->sigonly) 194 continue; 195 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 196 continue; 197 if (ret != NULL) 198 ret[rlen++] = sep; 199 nlen = strlen(kt->name); 200 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 201 free(ret); 202 return NULL; 203 } 204 ret = tmp; 205 memcpy(ret + rlen, kt->name, nlen + 1); 206 rlen += nlen; 207 } 208 return ret; 209 } 210 211 int 212 sshkey_names_valid2(const char *names, int allow_wildcard) 213 { 214 char *s, *cp, *p; 215 const struct keytype *kt; 216 int type; 217 218 if (names == NULL || strcmp(names, "") == 0) 219 return 0; 220 if ((s = cp = strdup(names)) == NULL) 221 return 0; 222 for ((p = strsep(&cp, ",")); p && *p != '\0'; 223 (p = strsep(&cp, ","))) { 224 type = sshkey_type_from_name(p); 225 if (type == KEY_UNSPEC) { 226 if (allow_wildcard) { 227 /* 228 * Try matching key types against the string. 229 * If any has a positive or negative match then 230 * the component is accepted. 231 */ 232 for (kt = keytypes; kt->type != -1; kt++) { 233 if (match_pattern_list(kt->name, 234 p, 0) != 0) 235 break; 236 } 237 if (kt->type != -1) 238 continue; 239 } 240 free(s); 241 return 0; 242 } 243 } 244 free(s); 245 return 1; 246 } 247 248 u_int 249 sshkey_size(const struct sshkey *k) 250 { 251 switch (k->type) { 252 #ifdef WITH_OPENSSL 253 case KEY_RSA: 254 case KEY_RSA_CERT: 255 return BN_num_bits(k->rsa->n); 256 case KEY_DSA: 257 case KEY_DSA_CERT: 258 return BN_num_bits(k->dsa->p); 259 case KEY_ECDSA: 260 case KEY_ECDSA_CERT: 261 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 262 #endif /* WITH_OPENSSL */ 263 case KEY_ED25519: 264 case KEY_ED25519_CERT: 265 return 256; /* XXX */ 266 } 267 return 0; 268 } 269 270 static int 271 sshkey_type_is_valid_ca(int type) 272 { 273 switch (type) { 274 case KEY_RSA: 275 case KEY_DSA: 276 case KEY_ECDSA: 277 case KEY_ED25519: 278 return 1; 279 default: 280 return 0; 281 } 282 } 283 284 int 285 sshkey_is_cert(const struct sshkey *k) 286 { 287 if (k == NULL) 288 return 0; 289 return sshkey_type_is_cert(k->type); 290 } 291 292 /* Return the cert-less equivalent to a certified key type */ 293 int 294 sshkey_type_plain(int type) 295 { 296 switch (type) { 297 case KEY_RSA_CERT: 298 return KEY_RSA; 299 case KEY_DSA_CERT: 300 return KEY_DSA; 301 case KEY_ECDSA_CERT: 302 return KEY_ECDSA; 303 case KEY_ED25519_CERT: 304 return KEY_ED25519; 305 default: 306 return type; 307 } 308 } 309 310 #ifdef WITH_OPENSSL 311 /* XXX: these are really begging for a table-driven approach */ 312 int 313 sshkey_curve_name_to_nid(const char *name) 314 { 315 if (strcmp(name, "nistp256") == 0) 316 return NID_X9_62_prime256v1; 317 else if (strcmp(name, "nistp384") == 0) 318 return NID_secp384r1; 319 else if (strcmp(name, "nistp521") == 0) 320 return NID_secp521r1; 321 else 322 return -1; 323 } 324 325 u_int 326 sshkey_curve_nid_to_bits(int nid) 327 { 328 switch (nid) { 329 case NID_X9_62_prime256v1: 330 return 256; 331 case NID_secp384r1: 332 return 384; 333 case NID_secp521r1: 334 return 521; 335 default: 336 return 0; 337 } 338 } 339 340 int 341 sshkey_ecdsa_bits_to_nid(int bits) 342 { 343 switch (bits) { 344 case 256: 345 return NID_X9_62_prime256v1; 346 case 384: 347 return NID_secp384r1; 348 case 521: 349 return NID_secp521r1; 350 default: 351 return -1; 352 } 353 } 354 355 const char * 356 sshkey_curve_nid_to_name(int nid) 357 { 358 switch (nid) { 359 case NID_X9_62_prime256v1: 360 return "nistp256"; 361 case NID_secp384r1: 362 return "nistp384"; 363 case NID_secp521r1: 364 return "nistp521"; 365 default: 366 return NULL; 367 } 368 } 369 370 int 371 sshkey_ec_nid_to_hash_alg(int nid) 372 { 373 int kbits = sshkey_curve_nid_to_bits(nid); 374 375 if (kbits <= 0) 376 return -1; 377 378 /* RFC5656 section 6.2.1 */ 379 if (kbits <= 256) 380 return SSH_DIGEST_SHA256; 381 else if (kbits <= 384) 382 return SSH_DIGEST_SHA384; 383 else 384 return SSH_DIGEST_SHA512; 385 } 386 #endif /* WITH_OPENSSL */ 387 388 static void 389 cert_free(struct sshkey_cert *cert) 390 { 391 u_int i; 392 393 if (cert == NULL) 394 return; 395 sshbuf_free(cert->certblob); 396 sshbuf_free(cert->critical); 397 sshbuf_free(cert->extensions); 398 free(cert->key_id); 399 for (i = 0; i < cert->nprincipals; i++) 400 free(cert->principals[i]); 401 free(cert->principals); 402 sshkey_free(cert->signature_key); 403 explicit_bzero(cert, sizeof(*cert)); 404 free(cert); 405 } 406 407 static struct sshkey_cert * 408 cert_new(void) 409 { 410 struct sshkey_cert *cert; 411 412 if ((cert = calloc(1, sizeof(*cert))) == NULL) 413 return NULL; 414 if ((cert->certblob = sshbuf_new()) == NULL || 415 (cert->critical = sshbuf_new()) == NULL || 416 (cert->extensions = sshbuf_new()) == NULL) { 417 cert_free(cert); 418 return NULL; 419 } 420 cert->key_id = NULL; 421 cert->principals = NULL; 422 cert->signature_key = NULL; 423 return cert; 424 } 425 426 struct sshkey * 427 sshkey_new(int type) 428 { 429 struct sshkey *k; 430 #ifdef WITH_OPENSSL 431 RSA *rsa; 432 DSA *dsa; 433 #endif /* WITH_OPENSSL */ 434 435 if ((k = calloc(1, sizeof(*k))) == NULL) 436 return NULL; 437 k->type = type; 438 k->ecdsa = NULL; 439 k->ecdsa_nid = -1; 440 k->dsa = NULL; 441 k->rsa = NULL; 442 k->cert = NULL; 443 k->ed25519_sk = NULL; 444 k->ed25519_pk = NULL; 445 switch (k->type) { 446 #ifdef WITH_OPENSSL 447 case KEY_RSA: 448 case KEY_RSA_CERT: 449 if ((rsa = RSA_new()) == NULL || 450 (rsa->n = BN_new()) == NULL || 451 (rsa->e = BN_new()) == NULL) { 452 if (rsa != NULL) 453 RSA_free(rsa); 454 free(k); 455 return NULL; 456 } 457 k->rsa = rsa; 458 break; 459 case KEY_DSA: 460 case KEY_DSA_CERT: 461 if ((dsa = DSA_new()) == NULL || 462 (dsa->p = BN_new()) == NULL || 463 (dsa->q = BN_new()) == NULL || 464 (dsa->g = BN_new()) == NULL || 465 (dsa->pub_key = BN_new()) == NULL) { 466 if (dsa != NULL) 467 DSA_free(dsa); 468 free(k); 469 return NULL; 470 } 471 k->dsa = dsa; 472 break; 473 case KEY_ECDSA: 474 case KEY_ECDSA_CERT: 475 /* Cannot do anything until we know the group */ 476 break; 477 #endif /* WITH_OPENSSL */ 478 case KEY_ED25519: 479 case KEY_ED25519_CERT: 480 /* no need to prealloc */ 481 break; 482 case KEY_UNSPEC: 483 break; 484 default: 485 free(k); 486 return NULL; 487 } 488 489 if (sshkey_is_cert(k)) { 490 if ((k->cert = cert_new()) == NULL) { 491 sshkey_free(k); 492 return NULL; 493 } 494 } 495 496 return k; 497 } 498 499 int 500 sshkey_add_private(struct sshkey *k) 501 { 502 switch (k->type) { 503 #ifdef WITH_OPENSSL 504 case KEY_RSA: 505 case KEY_RSA_CERT: 506 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 507 if (bn_maybe_alloc_failed(k->rsa->d) || 508 bn_maybe_alloc_failed(k->rsa->iqmp) || 509 bn_maybe_alloc_failed(k->rsa->q) || 510 bn_maybe_alloc_failed(k->rsa->p) || 511 bn_maybe_alloc_failed(k->rsa->dmq1) || 512 bn_maybe_alloc_failed(k->rsa->dmp1)) 513 return SSH_ERR_ALLOC_FAIL; 514 break; 515 case KEY_DSA: 516 case KEY_DSA_CERT: 517 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 518 return SSH_ERR_ALLOC_FAIL; 519 break; 520 #undef bn_maybe_alloc_failed 521 case KEY_ECDSA: 522 case KEY_ECDSA_CERT: 523 /* Cannot do anything until we know the group */ 524 break; 525 #endif /* WITH_OPENSSL */ 526 case KEY_ED25519: 527 case KEY_ED25519_CERT: 528 /* no need to prealloc */ 529 break; 530 case KEY_UNSPEC: 531 break; 532 default: 533 return SSH_ERR_INVALID_ARGUMENT; 534 } 535 return 0; 536 } 537 538 struct sshkey * 539 sshkey_new_private(int type) 540 { 541 struct sshkey *k = sshkey_new(type); 542 543 if (k == NULL) 544 return NULL; 545 if (sshkey_add_private(k) != 0) { 546 sshkey_free(k); 547 return NULL; 548 } 549 return k; 550 } 551 552 void 553 sshkey_free(struct sshkey *k) 554 { 555 if (k == NULL) 556 return; 557 switch (k->type) { 558 #ifdef WITH_OPENSSL 559 case KEY_RSA: 560 case KEY_RSA_CERT: 561 if (k->rsa != NULL) 562 RSA_free(k->rsa); 563 k->rsa = NULL; 564 break; 565 case KEY_DSA: 566 case KEY_DSA_CERT: 567 if (k->dsa != NULL) 568 DSA_free(k->dsa); 569 k->dsa = NULL; 570 break; 571 case KEY_ECDSA: 572 case KEY_ECDSA_CERT: 573 if (k->ecdsa != NULL) 574 EC_KEY_free(k->ecdsa); 575 k->ecdsa = NULL; 576 break; 577 #endif /* WITH_OPENSSL */ 578 case KEY_ED25519: 579 case KEY_ED25519_CERT: 580 if (k->ed25519_pk) { 581 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 582 free(k->ed25519_pk); 583 k->ed25519_pk = NULL; 584 } 585 if (k->ed25519_sk) { 586 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 587 free(k->ed25519_sk); 588 k->ed25519_sk = NULL; 589 } 590 break; 591 case KEY_UNSPEC: 592 break; 593 default: 594 break; 595 } 596 if (sshkey_is_cert(k)) 597 cert_free(k->cert); 598 explicit_bzero(k, sizeof(*k)); 599 free(k); 600 } 601 602 static int 603 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 604 { 605 if (a == NULL && b == NULL) 606 return 1; 607 if (a == NULL || b == NULL) 608 return 0; 609 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 610 return 0; 611 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 612 sshbuf_len(a->certblob)) != 0) 613 return 0; 614 return 1; 615 } 616 617 /* 618 * Compare public portions of key only, allowing comparisons between 619 * certificates and plain keys too. 620 */ 621 int 622 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 623 { 624 #ifdef WITH_OPENSSL 625 BN_CTX *bnctx; 626 #endif /* WITH_OPENSSL */ 627 628 if (a == NULL || b == NULL || 629 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 630 return 0; 631 632 switch (a->type) { 633 #ifdef WITH_OPENSSL 634 case KEY_RSA_CERT: 635 case KEY_RSA: 636 return a->rsa != NULL && b->rsa != NULL && 637 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 638 BN_cmp(a->rsa->n, b->rsa->n) == 0; 639 case KEY_DSA_CERT: 640 case KEY_DSA: 641 return a->dsa != NULL && b->dsa != NULL && 642 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 643 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 644 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 645 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 646 case KEY_ECDSA_CERT: 647 case KEY_ECDSA: 648 if (a->ecdsa == NULL || b->ecdsa == NULL || 649 EC_KEY_get0_public_key(a->ecdsa) == NULL || 650 EC_KEY_get0_public_key(b->ecdsa) == NULL) 651 return 0; 652 if ((bnctx = BN_CTX_new()) == NULL) 653 return 0; 654 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 655 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 656 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 657 EC_KEY_get0_public_key(a->ecdsa), 658 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 659 BN_CTX_free(bnctx); 660 return 0; 661 } 662 BN_CTX_free(bnctx); 663 return 1; 664 #endif /* WITH_OPENSSL */ 665 case KEY_ED25519: 666 case KEY_ED25519_CERT: 667 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 668 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 669 default: 670 return 0; 671 } 672 /* NOTREACHED */ 673 } 674 675 int 676 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 677 { 678 if (a == NULL || b == NULL || a->type != b->type) 679 return 0; 680 if (sshkey_is_cert(a)) { 681 if (!cert_compare(a->cert, b->cert)) 682 return 0; 683 } 684 return sshkey_equal_public(a, b); 685 } 686 687 static int 688 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 689 { 690 int type, ret = SSH_ERR_INTERNAL_ERROR; 691 const char *typename; 692 693 if (key == NULL) 694 return SSH_ERR_INVALID_ARGUMENT; 695 696 if (sshkey_is_cert(key)) { 697 if (key->cert == NULL) 698 return SSH_ERR_EXPECTED_CERT; 699 if (sshbuf_len(key->cert->certblob) == 0) 700 return SSH_ERR_KEY_LACKS_CERTBLOB; 701 } 702 type = force_plain ? sshkey_type_plain(key->type) : key->type; 703 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 704 705 switch (type) { 706 #ifdef WITH_OPENSSL 707 case KEY_DSA_CERT: 708 case KEY_ECDSA_CERT: 709 case KEY_RSA_CERT: 710 #endif /* WITH_OPENSSL */ 711 case KEY_ED25519_CERT: 712 /* Use the existing blob */ 713 /* XXX modified flag? */ 714 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 715 return ret; 716 break; 717 #ifdef WITH_OPENSSL 718 case KEY_DSA: 719 if (key->dsa == NULL) 720 return SSH_ERR_INVALID_ARGUMENT; 721 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 722 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 723 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 724 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 725 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 726 return ret; 727 break; 728 case KEY_ECDSA: 729 if (key->ecdsa == NULL) 730 return SSH_ERR_INVALID_ARGUMENT; 731 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 732 (ret = sshbuf_put_cstring(b, 733 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 734 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 735 return ret; 736 break; 737 case KEY_RSA: 738 if (key->rsa == NULL) 739 return SSH_ERR_INVALID_ARGUMENT; 740 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 741 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 742 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 743 return ret; 744 break; 745 #endif /* WITH_OPENSSL */ 746 case KEY_ED25519: 747 if (key->ed25519_pk == NULL) 748 return SSH_ERR_INVALID_ARGUMENT; 749 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 750 (ret = sshbuf_put_string(b, 751 key->ed25519_pk, ED25519_PK_SZ)) != 0) 752 return ret; 753 break; 754 default: 755 return SSH_ERR_KEY_TYPE_UNKNOWN; 756 } 757 return 0; 758 } 759 760 int 761 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 762 { 763 return to_blob_buf(key, b, 0); 764 } 765 766 int 767 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 768 { 769 struct sshbuf *tmp; 770 int r; 771 772 if ((tmp = sshbuf_new()) == NULL) 773 return SSH_ERR_ALLOC_FAIL; 774 r = to_blob_buf(key, tmp, 0); 775 if (r == 0) 776 r = sshbuf_put_stringb(b, tmp); 777 sshbuf_free(tmp); 778 return r; 779 } 780 781 int 782 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 783 { 784 return to_blob_buf(key, b, 1); 785 } 786 787 static int 788 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 789 { 790 int ret = SSH_ERR_INTERNAL_ERROR; 791 size_t len; 792 struct sshbuf *b = NULL; 793 794 if (lenp != NULL) 795 *lenp = 0; 796 if (blobp != NULL) 797 *blobp = NULL; 798 if ((b = sshbuf_new()) == NULL) 799 return SSH_ERR_ALLOC_FAIL; 800 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 801 goto out; 802 len = sshbuf_len(b); 803 if (lenp != NULL) 804 *lenp = len; 805 if (blobp != NULL) { 806 if ((*blobp = malloc(len)) == NULL) { 807 ret = SSH_ERR_ALLOC_FAIL; 808 goto out; 809 } 810 memcpy(*blobp, sshbuf_ptr(b), len); 811 } 812 ret = 0; 813 out: 814 sshbuf_free(b); 815 return ret; 816 } 817 818 int 819 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 820 { 821 return to_blob(key, blobp, lenp, 0); 822 } 823 824 int 825 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 826 { 827 return to_blob(key, blobp, lenp, 1); 828 } 829 830 int 831 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 832 u_char **retp, size_t *lenp) 833 { 834 u_char *blob = NULL, *ret = NULL; 835 size_t blob_len = 0; 836 int r = SSH_ERR_INTERNAL_ERROR; 837 838 if (retp != NULL) 839 *retp = NULL; 840 if (lenp != NULL) 841 *lenp = 0; 842 if (ssh_digest_bytes(dgst_alg) == 0) { 843 r = SSH_ERR_INVALID_ARGUMENT; 844 goto out; 845 } 846 if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 847 goto out; 848 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 849 r = SSH_ERR_ALLOC_FAIL; 850 goto out; 851 } 852 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 853 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 854 goto out; 855 /* success */ 856 if (retp != NULL) { 857 *retp = ret; 858 ret = NULL; 859 } 860 if (lenp != NULL) 861 *lenp = ssh_digest_bytes(dgst_alg); 862 r = 0; 863 out: 864 free(ret); 865 if (blob != NULL) { 866 explicit_bzero(blob, blob_len); 867 free(blob); 868 } 869 return r; 870 } 871 872 static char * 873 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 874 { 875 char *ret; 876 size_t plen = strlen(alg) + 1; 877 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 878 int r; 879 880 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 881 return NULL; 882 strlcpy(ret, alg, rlen); 883 strlcat(ret, ":", rlen); 884 if (dgst_raw_len == 0) 885 return ret; 886 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 887 ret + plen, rlen - plen)) == -1) { 888 explicit_bzero(ret, rlen); 889 free(ret); 890 return NULL; 891 } 892 /* Trim padding characters from end */ 893 ret[strcspn(ret, "=")] = '\0'; 894 return ret; 895 } 896 897 static char * 898 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 899 { 900 char *retval, hex[5]; 901 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 902 903 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 904 return NULL; 905 strlcpy(retval, alg, rlen); 906 strlcat(retval, ":", rlen); 907 for (i = 0; i < dgst_raw_len; i++) { 908 snprintf(hex, sizeof(hex), "%s%02x", 909 i > 0 ? ":" : "", dgst_raw[i]); 910 strlcat(retval, hex, rlen); 911 } 912 return retval; 913 } 914 915 static char * 916 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 917 { 918 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 919 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 920 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 921 u_int i, j = 0, rounds, seed = 1; 922 char *retval; 923 924 rounds = (dgst_raw_len / 2) + 1; 925 if ((retval = calloc(rounds, 6)) == NULL) 926 return NULL; 927 retval[j++] = 'x'; 928 for (i = 0; i < rounds; i++) { 929 u_int idx0, idx1, idx2, idx3, idx4; 930 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 931 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 932 seed) % 6; 933 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 934 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 935 (seed / 6)) % 6; 936 retval[j++] = vowels[idx0]; 937 retval[j++] = consonants[idx1]; 938 retval[j++] = vowels[idx2]; 939 if ((i + 1) < rounds) { 940 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 941 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 942 retval[j++] = consonants[idx3]; 943 retval[j++] = '-'; 944 retval[j++] = consonants[idx4]; 945 seed = ((seed * 5) + 946 ((((u_int)(dgst_raw[2 * i])) * 7) + 947 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 948 } 949 } else { 950 idx0 = seed % 6; 951 idx1 = 16; 952 idx2 = seed / 6; 953 retval[j++] = vowels[idx0]; 954 retval[j++] = consonants[idx1]; 955 retval[j++] = vowels[idx2]; 956 } 957 } 958 retval[j++] = 'x'; 959 retval[j++] = '\0'; 960 return retval; 961 } 962 963 /* 964 * Draw an ASCII-Art representing the fingerprint so human brain can 965 * profit from its built-in pattern recognition ability. 966 * This technique is called "random art" and can be found in some 967 * scientific publications like this original paper: 968 * 969 * "Hash Visualization: a New Technique to improve Real-World Security", 970 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 971 * Techniques and E-Commerce (CrypTEC '99) 972 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 973 * 974 * The subject came up in a talk by Dan Kaminsky, too. 975 * 976 * If you see the picture is different, the key is different. 977 * If the picture looks the same, you still know nothing. 978 * 979 * The algorithm used here is a worm crawling over a discrete plane, 980 * leaving a trace (augmenting the field) everywhere it goes. 981 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 982 * makes the respective movement vector be ignored for this turn. 983 * Graphs are not unambiguous, because circles in graphs can be 984 * walked in either direction. 985 */ 986 987 /* 988 * Field sizes for the random art. Have to be odd, so the starting point 989 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 990 * Else pictures would be too dense, and drawing the frame would 991 * fail, too, because the key type would not fit in anymore. 992 */ 993 #define FLDBASE 8 994 #define FLDSIZE_Y (FLDBASE + 1) 995 #define FLDSIZE_X (FLDBASE * 2 + 1) 996 static char * 997 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 998 const struct sshkey *k) 999 { 1000 /* 1001 * Chars to be used after each other every time the worm 1002 * intersects with itself. Matter of taste. 1003 */ 1004 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1005 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1006 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1007 size_t i, tlen, hlen; 1008 u_int b; 1009 int x, y, r; 1010 size_t len = strlen(augmentation_string) - 1; 1011 1012 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1013 return NULL; 1014 1015 /* initialize field */ 1016 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1017 x = FLDSIZE_X / 2; 1018 y = FLDSIZE_Y / 2; 1019 1020 /* process raw key */ 1021 for (i = 0; i < dgst_raw_len; i++) { 1022 int input; 1023 /* each byte conveys four 2-bit move commands */ 1024 input = dgst_raw[i]; 1025 for (b = 0; b < 4; b++) { 1026 /* evaluate 2 bit, rest is shifted later */ 1027 x += (input & 0x1) ? 1 : -1; 1028 y += (input & 0x2) ? 1 : -1; 1029 1030 /* assure we are still in bounds */ 1031 x = MAXIMUM(x, 0); 1032 y = MAXIMUM(y, 0); 1033 x = MINIMUM(x, FLDSIZE_X - 1); 1034 y = MINIMUM(y, FLDSIZE_Y - 1); 1035 1036 /* augment the field */ 1037 if (field[x][y] < len - 2) 1038 field[x][y]++; 1039 input = input >> 2; 1040 } 1041 } 1042 1043 /* mark starting point and end point*/ 1044 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1045 field[x][y] = len; 1046 1047 /* assemble title */ 1048 r = snprintf(title, sizeof(title), "[%s %u]", 1049 sshkey_type(k), sshkey_size(k)); 1050 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1051 if (r < 0 || r > (int)sizeof(title)) 1052 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1053 tlen = (r <= 0) ? 0 : strlen(title); 1054 1055 /* assemble hash ID. */ 1056 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1057 hlen = (r <= 0) ? 0 : strlen(hash); 1058 1059 /* output upper border */ 1060 p = retval; 1061 *p++ = '+'; 1062 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1063 *p++ = '-'; 1064 memcpy(p, title, tlen); 1065 p += tlen; 1066 for (i += tlen; i < FLDSIZE_X; i++) 1067 *p++ = '-'; 1068 *p++ = '+'; 1069 *p++ = '\n'; 1070 1071 /* output content */ 1072 for (y = 0; y < FLDSIZE_Y; y++) { 1073 *p++ = '|'; 1074 for (x = 0; x < FLDSIZE_X; x++) 1075 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1076 *p++ = '|'; 1077 *p++ = '\n'; 1078 } 1079 1080 /* output lower border */ 1081 *p++ = '+'; 1082 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1083 *p++ = '-'; 1084 memcpy(p, hash, hlen); 1085 p += hlen; 1086 for (i += hlen; i < FLDSIZE_X; i++) 1087 *p++ = '-'; 1088 *p++ = '+'; 1089 1090 return retval; 1091 } 1092 1093 char * 1094 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1095 enum sshkey_fp_rep dgst_rep) 1096 { 1097 char *retval = NULL; 1098 u_char *dgst_raw; 1099 size_t dgst_raw_len; 1100 1101 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1102 return NULL; 1103 switch (dgst_rep) { 1104 case SSH_FP_DEFAULT: 1105 if (dgst_alg == SSH_DIGEST_MD5) { 1106 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1107 dgst_raw, dgst_raw_len); 1108 } else { 1109 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1110 dgst_raw, dgst_raw_len); 1111 } 1112 break; 1113 case SSH_FP_HEX: 1114 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1115 dgst_raw, dgst_raw_len); 1116 break; 1117 case SSH_FP_BASE64: 1118 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1119 dgst_raw, dgst_raw_len); 1120 break; 1121 case SSH_FP_BUBBLEBABBLE: 1122 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1123 break; 1124 case SSH_FP_RANDOMART: 1125 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1126 dgst_raw, dgst_raw_len, k); 1127 break; 1128 default: 1129 explicit_bzero(dgst_raw, dgst_raw_len); 1130 free(dgst_raw); 1131 return NULL; 1132 } 1133 explicit_bzero(dgst_raw, dgst_raw_len); 1134 free(dgst_raw); 1135 return retval; 1136 } 1137 1138 1139 /* returns 0 ok, and < 0 error */ 1140 int 1141 sshkey_read(struct sshkey *ret, char **cpp) 1142 { 1143 struct sshkey *k; 1144 int retval = SSH_ERR_INVALID_FORMAT; 1145 char *ep, *cp, *space; 1146 int r, type, curve_nid = -1; 1147 struct sshbuf *blob; 1148 1149 if (ret == NULL) 1150 return SSH_ERR_INVALID_ARGUMENT; 1151 1152 cp = *cpp; 1153 1154 switch (ret->type) { 1155 case KEY_UNSPEC: 1156 case KEY_RSA: 1157 case KEY_DSA: 1158 case KEY_ECDSA: 1159 case KEY_ED25519: 1160 case KEY_DSA_CERT: 1161 case KEY_ECDSA_CERT: 1162 case KEY_RSA_CERT: 1163 case KEY_ED25519_CERT: 1164 space = strchr(cp, ' '); 1165 if (space == NULL) 1166 return SSH_ERR_INVALID_FORMAT; 1167 *space = '\0'; 1168 type = sshkey_type_from_name(cp); 1169 if (sshkey_type_plain(type) == KEY_ECDSA && 1170 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1171 return SSH_ERR_EC_CURVE_INVALID; 1172 *space = ' '; 1173 if (type == KEY_UNSPEC) 1174 return SSH_ERR_INVALID_FORMAT; 1175 cp = space+1; 1176 if (*cp == '\0') 1177 return SSH_ERR_INVALID_FORMAT; 1178 if (ret->type != KEY_UNSPEC && ret->type != type) 1179 return SSH_ERR_KEY_TYPE_MISMATCH; 1180 if ((blob = sshbuf_new()) == NULL) 1181 return SSH_ERR_ALLOC_FAIL; 1182 /* trim comment */ 1183 space = strchr(cp, ' '); 1184 if (space) { 1185 /* advance 'space': skip whitespace */ 1186 *space++ = '\0'; 1187 while (*space == ' ' || *space == '\t') 1188 space++; 1189 ep = space; 1190 } else 1191 ep = cp + strlen(cp); 1192 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1193 sshbuf_free(blob); 1194 return r; 1195 } 1196 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1197 sshbuf_len(blob), &k)) != 0) { 1198 sshbuf_free(blob); 1199 return r; 1200 } 1201 sshbuf_free(blob); 1202 if (k->type != type) { 1203 sshkey_free(k); 1204 return SSH_ERR_KEY_TYPE_MISMATCH; 1205 } 1206 if (sshkey_type_plain(type) == KEY_ECDSA && 1207 curve_nid != k->ecdsa_nid) { 1208 sshkey_free(k); 1209 return SSH_ERR_EC_CURVE_MISMATCH; 1210 } 1211 ret->type = type; 1212 if (sshkey_is_cert(ret)) { 1213 if (!sshkey_is_cert(k)) { 1214 sshkey_free(k); 1215 return SSH_ERR_EXPECTED_CERT; 1216 } 1217 if (ret->cert != NULL) 1218 cert_free(ret->cert); 1219 ret->cert = k->cert; 1220 k->cert = NULL; 1221 } 1222 switch (sshkey_type_plain(ret->type)) { 1223 #ifdef WITH_OPENSSL 1224 case KEY_RSA: 1225 if (ret->rsa != NULL) 1226 RSA_free(ret->rsa); 1227 ret->rsa = k->rsa; 1228 k->rsa = NULL; 1229 #ifdef DEBUG_PK 1230 RSA_print_fp(stderr, ret->rsa, 8); 1231 #endif 1232 break; 1233 case KEY_DSA: 1234 if (ret->dsa != NULL) 1235 DSA_free(ret->dsa); 1236 ret->dsa = k->dsa; 1237 k->dsa = NULL; 1238 #ifdef DEBUG_PK 1239 DSA_print_fp(stderr, ret->dsa, 8); 1240 #endif 1241 break; 1242 case KEY_ECDSA: 1243 if (ret->ecdsa != NULL) 1244 EC_KEY_free(ret->ecdsa); 1245 ret->ecdsa = k->ecdsa; 1246 ret->ecdsa_nid = k->ecdsa_nid; 1247 k->ecdsa = NULL; 1248 k->ecdsa_nid = -1; 1249 #ifdef DEBUG_PK 1250 sshkey_dump_ec_key(ret->ecdsa); 1251 #endif 1252 break; 1253 #endif /* WITH_OPENSSL */ 1254 case KEY_ED25519: 1255 free(ret->ed25519_pk); 1256 ret->ed25519_pk = k->ed25519_pk; 1257 k->ed25519_pk = NULL; 1258 #ifdef DEBUG_PK 1259 /* XXX */ 1260 #endif 1261 break; 1262 } 1263 *cpp = ep; 1264 retval = 0; 1265 /*XXXX*/ 1266 sshkey_free(k); 1267 if (retval != 0) 1268 break; 1269 break; 1270 default: 1271 return SSH_ERR_INVALID_ARGUMENT; 1272 } 1273 return retval; 1274 } 1275 1276 int 1277 sshkey_to_base64(const struct sshkey *key, char **b64p) 1278 { 1279 int r = SSH_ERR_INTERNAL_ERROR; 1280 struct sshbuf *b = NULL; 1281 char *uu = NULL; 1282 1283 if (b64p != NULL) 1284 *b64p = NULL; 1285 if ((b = sshbuf_new()) == NULL) 1286 return SSH_ERR_ALLOC_FAIL; 1287 if ((r = sshkey_putb(key, b)) != 0) 1288 goto out; 1289 if ((uu = sshbuf_dtob64(b)) == NULL) { 1290 r = SSH_ERR_ALLOC_FAIL; 1291 goto out; 1292 } 1293 /* Success */ 1294 if (b64p != NULL) { 1295 *b64p = uu; 1296 uu = NULL; 1297 } 1298 r = 0; 1299 out: 1300 sshbuf_free(b); 1301 free(uu); 1302 return r; 1303 } 1304 1305 int 1306 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1307 { 1308 int r = SSH_ERR_INTERNAL_ERROR; 1309 char *uu = NULL; 1310 1311 if ((r = sshkey_to_base64(key, &uu)) != 0) 1312 goto out; 1313 if ((r = sshbuf_putf(b, "%s %s", 1314 sshkey_ssh_name(key), uu)) != 0) 1315 goto out; 1316 r = 0; 1317 out: 1318 free(uu); 1319 return r; 1320 } 1321 1322 int 1323 sshkey_write(const struct sshkey *key, FILE *f) 1324 { 1325 struct sshbuf *b = NULL; 1326 int r = SSH_ERR_INTERNAL_ERROR; 1327 1328 if ((b = sshbuf_new()) == NULL) 1329 return SSH_ERR_ALLOC_FAIL; 1330 if ((r = sshkey_format_text(key, b)) != 0) 1331 goto out; 1332 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1333 if (feof(f)) 1334 errno = EPIPE; 1335 r = SSH_ERR_SYSTEM_ERROR; 1336 goto out; 1337 } 1338 /* Success */ 1339 r = 0; 1340 out: 1341 sshbuf_free(b); 1342 return r; 1343 } 1344 1345 const char * 1346 sshkey_cert_type(const struct sshkey *k) 1347 { 1348 switch (k->cert->type) { 1349 case SSH2_CERT_TYPE_USER: 1350 return "user"; 1351 case SSH2_CERT_TYPE_HOST: 1352 return "host"; 1353 default: 1354 return "unknown"; 1355 } 1356 } 1357 1358 #ifdef WITH_OPENSSL 1359 static int 1360 rsa_generate_private_key(u_int bits, RSA **rsap) 1361 { 1362 RSA *private = NULL; 1363 BIGNUM *f4 = NULL; 1364 int ret = SSH_ERR_INTERNAL_ERROR; 1365 1366 if (rsap == NULL) 1367 return SSH_ERR_INVALID_ARGUMENT; 1368 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1369 bits > SSHBUF_MAX_BIGNUM * 8) 1370 return SSH_ERR_KEY_LENGTH; 1371 *rsap = NULL; 1372 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1373 ret = SSH_ERR_ALLOC_FAIL; 1374 goto out; 1375 } 1376 if (!BN_set_word(f4, RSA_F4) || 1377 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1378 ret = SSH_ERR_LIBCRYPTO_ERROR; 1379 goto out; 1380 } 1381 *rsap = private; 1382 private = NULL; 1383 ret = 0; 1384 out: 1385 if (private != NULL) 1386 RSA_free(private); 1387 if (f4 != NULL) 1388 BN_free(f4); 1389 return ret; 1390 } 1391 1392 static int 1393 dsa_generate_private_key(u_int bits, DSA **dsap) 1394 { 1395 DSA *private; 1396 int ret = SSH_ERR_INTERNAL_ERROR; 1397 1398 if (dsap == NULL) 1399 return SSH_ERR_INVALID_ARGUMENT; 1400 if (bits != 1024) 1401 return SSH_ERR_KEY_LENGTH; 1402 if ((private = DSA_new()) == NULL) { 1403 ret = SSH_ERR_ALLOC_FAIL; 1404 goto out; 1405 } 1406 *dsap = NULL; 1407 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1408 NULL, NULL) || !DSA_generate_key(private)) { 1409 ret = SSH_ERR_LIBCRYPTO_ERROR; 1410 goto out; 1411 } 1412 *dsap = private; 1413 private = NULL; 1414 ret = 0; 1415 out: 1416 if (private != NULL) 1417 DSA_free(private); 1418 return ret; 1419 } 1420 1421 int 1422 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1423 { 1424 EC_GROUP *eg; 1425 int nids[] = { 1426 NID_X9_62_prime256v1, 1427 NID_secp384r1, 1428 NID_secp521r1, 1429 -1 1430 }; 1431 int nid; 1432 u_int i; 1433 BN_CTX *bnctx; 1434 const EC_GROUP *g = EC_KEY_get0_group(k); 1435 1436 /* 1437 * The group may be stored in a ASN.1 encoded private key in one of two 1438 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1439 * or explicit group parameters encoded into the key blob. Only the 1440 * "named group" case sets the group NID for us, but we can figure 1441 * it out for the other case by comparing against all the groups that 1442 * are supported. 1443 */ 1444 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1445 return nid; 1446 if ((bnctx = BN_CTX_new()) == NULL) 1447 return -1; 1448 for (i = 0; nids[i] != -1; i++) { 1449 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1450 BN_CTX_free(bnctx); 1451 return -1; 1452 } 1453 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1454 break; 1455 EC_GROUP_free(eg); 1456 } 1457 BN_CTX_free(bnctx); 1458 if (nids[i] != -1) { 1459 /* Use the group with the NID attached */ 1460 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1461 if (EC_KEY_set_group(k, eg) != 1) { 1462 EC_GROUP_free(eg); 1463 return -1; 1464 } 1465 } 1466 return nids[i]; 1467 } 1468 1469 static int 1470 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1471 { 1472 EC_KEY *private; 1473 int ret = SSH_ERR_INTERNAL_ERROR; 1474 1475 if (nid == NULL || ecdsap == NULL) 1476 return SSH_ERR_INVALID_ARGUMENT; 1477 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1478 return SSH_ERR_KEY_LENGTH; 1479 *ecdsap = NULL; 1480 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1481 ret = SSH_ERR_ALLOC_FAIL; 1482 goto out; 1483 } 1484 if (EC_KEY_generate_key(private) != 1) { 1485 ret = SSH_ERR_LIBCRYPTO_ERROR; 1486 goto out; 1487 } 1488 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1489 *ecdsap = private; 1490 private = NULL; 1491 ret = 0; 1492 out: 1493 if (private != NULL) 1494 EC_KEY_free(private); 1495 return ret; 1496 } 1497 #endif /* WITH_OPENSSL */ 1498 1499 int 1500 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1501 { 1502 struct sshkey *k; 1503 int ret = SSH_ERR_INTERNAL_ERROR; 1504 1505 if (keyp == NULL) 1506 return SSH_ERR_INVALID_ARGUMENT; 1507 *keyp = NULL; 1508 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1509 return SSH_ERR_ALLOC_FAIL; 1510 switch (type) { 1511 case KEY_ED25519: 1512 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1513 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1514 ret = SSH_ERR_ALLOC_FAIL; 1515 break; 1516 } 1517 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1518 ret = 0; 1519 break; 1520 #ifdef WITH_OPENSSL 1521 case KEY_DSA: 1522 ret = dsa_generate_private_key(bits, &k->dsa); 1523 break; 1524 case KEY_ECDSA: 1525 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1526 &k->ecdsa); 1527 break; 1528 case KEY_RSA: 1529 ret = rsa_generate_private_key(bits, &k->rsa); 1530 break; 1531 #endif /* WITH_OPENSSL */ 1532 default: 1533 ret = SSH_ERR_INVALID_ARGUMENT; 1534 } 1535 if (ret == 0) { 1536 k->type = type; 1537 *keyp = k; 1538 } else 1539 sshkey_free(k); 1540 return ret; 1541 } 1542 1543 int 1544 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1545 { 1546 u_int i; 1547 const struct sshkey_cert *from; 1548 struct sshkey_cert *to; 1549 int ret = SSH_ERR_INTERNAL_ERROR; 1550 1551 if (to_key->cert != NULL) { 1552 cert_free(to_key->cert); 1553 to_key->cert = NULL; 1554 } 1555 1556 if ((from = from_key->cert) == NULL) 1557 return SSH_ERR_INVALID_ARGUMENT; 1558 1559 if ((to = to_key->cert = cert_new()) == NULL) 1560 return SSH_ERR_ALLOC_FAIL; 1561 1562 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1563 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1564 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) 1565 return ret; 1566 1567 to->serial = from->serial; 1568 to->type = from->type; 1569 if (from->key_id == NULL) 1570 to->key_id = NULL; 1571 else if ((to->key_id = strdup(from->key_id)) == NULL) 1572 return SSH_ERR_ALLOC_FAIL; 1573 to->valid_after = from->valid_after; 1574 to->valid_before = from->valid_before; 1575 if (from->signature_key == NULL) 1576 to->signature_key = NULL; 1577 else if ((ret = sshkey_from_private(from->signature_key, 1578 &to->signature_key)) != 0) 1579 return ret; 1580 1581 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1582 return SSH_ERR_INVALID_ARGUMENT; 1583 if (from->nprincipals > 0) { 1584 if ((to->principals = calloc(from->nprincipals, 1585 sizeof(*to->principals))) == NULL) 1586 return SSH_ERR_ALLOC_FAIL; 1587 for (i = 0; i < from->nprincipals; i++) { 1588 to->principals[i] = strdup(from->principals[i]); 1589 if (to->principals[i] == NULL) { 1590 to->nprincipals = i; 1591 return SSH_ERR_ALLOC_FAIL; 1592 } 1593 } 1594 } 1595 to->nprincipals = from->nprincipals; 1596 return 0; 1597 } 1598 1599 int 1600 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1601 { 1602 struct sshkey *n = NULL; 1603 int ret = SSH_ERR_INTERNAL_ERROR; 1604 1605 *pkp = NULL; 1606 switch (k->type) { 1607 #ifdef WITH_OPENSSL 1608 case KEY_DSA: 1609 case KEY_DSA_CERT: 1610 if ((n = sshkey_new(k->type)) == NULL) 1611 return SSH_ERR_ALLOC_FAIL; 1612 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1613 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1614 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1615 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1616 sshkey_free(n); 1617 return SSH_ERR_ALLOC_FAIL; 1618 } 1619 break; 1620 case KEY_ECDSA: 1621 case KEY_ECDSA_CERT: 1622 if ((n = sshkey_new(k->type)) == NULL) 1623 return SSH_ERR_ALLOC_FAIL; 1624 n->ecdsa_nid = k->ecdsa_nid; 1625 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1626 if (n->ecdsa == NULL) { 1627 sshkey_free(n); 1628 return SSH_ERR_ALLOC_FAIL; 1629 } 1630 if (EC_KEY_set_public_key(n->ecdsa, 1631 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1632 sshkey_free(n); 1633 return SSH_ERR_LIBCRYPTO_ERROR; 1634 } 1635 break; 1636 case KEY_RSA: 1637 case KEY_RSA_CERT: 1638 if ((n = sshkey_new(k->type)) == NULL) 1639 return SSH_ERR_ALLOC_FAIL; 1640 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1641 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1642 sshkey_free(n); 1643 return SSH_ERR_ALLOC_FAIL; 1644 } 1645 break; 1646 #endif /* WITH_OPENSSL */ 1647 case KEY_ED25519: 1648 case KEY_ED25519_CERT: 1649 if ((n = sshkey_new(k->type)) == NULL) 1650 return SSH_ERR_ALLOC_FAIL; 1651 if (k->ed25519_pk != NULL) { 1652 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1653 sshkey_free(n); 1654 return SSH_ERR_ALLOC_FAIL; 1655 } 1656 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1657 } 1658 break; 1659 default: 1660 return SSH_ERR_KEY_TYPE_UNKNOWN; 1661 } 1662 if (sshkey_is_cert(k)) { 1663 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1664 sshkey_free(n); 1665 return ret; 1666 } 1667 } 1668 *pkp = n; 1669 return 0; 1670 } 1671 1672 static int 1673 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1674 { 1675 struct sshbuf *principals = NULL, *crit = NULL; 1676 struct sshbuf *exts = NULL, *ca = NULL; 1677 u_char *sig = NULL; 1678 size_t signed_len = 0, slen = 0, kidlen = 0; 1679 int ret = SSH_ERR_INTERNAL_ERROR; 1680 1681 /* Copy the entire key blob for verification and later serialisation */ 1682 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1683 return ret; 1684 1685 /* Parse body of certificate up to signature */ 1686 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1687 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1688 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1689 (ret = sshbuf_froms(b, &principals)) != 0 || 1690 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1691 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1692 (ret = sshbuf_froms(b, &crit)) != 0 || 1693 (ret = sshbuf_froms(b, &exts)) != 0 || 1694 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1695 (ret = sshbuf_froms(b, &ca)) != 0) { 1696 /* XXX debug print error for ret */ 1697 ret = SSH_ERR_INVALID_FORMAT; 1698 goto out; 1699 } 1700 1701 /* Signature is left in the buffer so we can calculate this length */ 1702 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1703 1704 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1705 ret = SSH_ERR_INVALID_FORMAT; 1706 goto out; 1707 } 1708 1709 if (key->cert->type != SSH2_CERT_TYPE_USER && 1710 key->cert->type != SSH2_CERT_TYPE_HOST) { 1711 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1712 goto out; 1713 } 1714 1715 /* Parse principals section */ 1716 while (sshbuf_len(principals) > 0) { 1717 char *principal = NULL; 1718 char **oprincipals = NULL; 1719 1720 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1721 ret = SSH_ERR_INVALID_FORMAT; 1722 goto out; 1723 } 1724 if ((ret = sshbuf_get_cstring(principals, &principal, 1725 NULL)) != 0) { 1726 ret = SSH_ERR_INVALID_FORMAT; 1727 goto out; 1728 } 1729 oprincipals = key->cert->principals; 1730 key->cert->principals = recallocarray(key->cert->principals, 1731 key->cert->nprincipals, key->cert->nprincipals + 1, 1732 sizeof(*key->cert->principals)); 1733 if (key->cert->principals == NULL) { 1734 free(principal); 1735 key->cert->principals = oprincipals; 1736 ret = SSH_ERR_ALLOC_FAIL; 1737 goto out; 1738 } 1739 key->cert->principals[key->cert->nprincipals++] = principal; 1740 } 1741 1742 /* 1743 * Stash a copies of the critical options and extensions sections 1744 * for later use. 1745 */ 1746 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1747 (exts != NULL && 1748 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1749 goto out; 1750 1751 /* 1752 * Validate critical options and extensions sections format. 1753 */ 1754 while (sshbuf_len(crit) != 0) { 1755 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1756 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1757 sshbuf_reset(key->cert->critical); 1758 ret = SSH_ERR_INVALID_FORMAT; 1759 goto out; 1760 } 1761 } 1762 while (exts != NULL && sshbuf_len(exts) != 0) { 1763 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1764 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1765 sshbuf_reset(key->cert->extensions); 1766 ret = SSH_ERR_INVALID_FORMAT; 1767 goto out; 1768 } 1769 } 1770 1771 /* Parse CA key and check signature */ 1772 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1773 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1774 goto out; 1775 } 1776 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1777 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1778 goto out; 1779 } 1780 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1781 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1782 goto out; 1783 1784 /* Success */ 1785 ret = 0; 1786 out: 1787 sshbuf_free(ca); 1788 sshbuf_free(crit); 1789 sshbuf_free(exts); 1790 sshbuf_free(principals); 1791 free(sig); 1792 return ret; 1793 } 1794 1795 static int 1796 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1797 int allow_cert) 1798 { 1799 int type, ret = SSH_ERR_INTERNAL_ERROR; 1800 char *ktype = NULL, *curve = NULL; 1801 struct sshkey *key = NULL; 1802 size_t len; 1803 u_char *pk = NULL; 1804 struct sshbuf *copy; 1805 #ifdef WITH_OPENSSL 1806 EC_POINT *q = NULL; 1807 #endif /* WITH_OPENSSL */ 1808 1809 #ifdef DEBUG_PK /* XXX */ 1810 sshbuf_dump(b, stderr); 1811 #endif 1812 if (keyp != NULL) 1813 *keyp = NULL; 1814 if ((copy = sshbuf_fromb(b)) == NULL) { 1815 ret = SSH_ERR_ALLOC_FAIL; 1816 goto out; 1817 } 1818 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1819 ret = SSH_ERR_INVALID_FORMAT; 1820 goto out; 1821 } 1822 1823 type = sshkey_type_from_name(ktype); 1824 if (!allow_cert && sshkey_type_is_cert(type)) { 1825 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1826 goto out; 1827 } 1828 switch (type) { 1829 #ifdef WITH_OPENSSL 1830 case KEY_RSA_CERT: 1831 /* Skip nonce */ 1832 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1833 ret = SSH_ERR_INVALID_FORMAT; 1834 goto out; 1835 } 1836 /* FALLTHROUGH */ 1837 case KEY_RSA: 1838 if ((key = sshkey_new(type)) == NULL) { 1839 ret = SSH_ERR_ALLOC_FAIL; 1840 goto out; 1841 } 1842 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 1843 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 1844 ret = SSH_ERR_INVALID_FORMAT; 1845 goto out; 1846 } 1847 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 1848 ret = SSH_ERR_KEY_LENGTH; 1849 goto out; 1850 } 1851 #ifdef DEBUG_PK 1852 RSA_print_fp(stderr, key->rsa, 8); 1853 #endif 1854 break; 1855 case KEY_DSA_CERT: 1856 /* Skip nonce */ 1857 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1858 ret = SSH_ERR_INVALID_FORMAT; 1859 goto out; 1860 } 1861 /* FALLTHROUGH */ 1862 case KEY_DSA: 1863 if ((key = sshkey_new(type)) == NULL) { 1864 ret = SSH_ERR_ALLOC_FAIL; 1865 goto out; 1866 } 1867 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 1868 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 1869 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 1870 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 1871 ret = SSH_ERR_INVALID_FORMAT; 1872 goto out; 1873 } 1874 #ifdef DEBUG_PK 1875 DSA_print_fp(stderr, key->dsa, 8); 1876 #endif 1877 break; 1878 case KEY_ECDSA_CERT: 1879 /* Skip nonce */ 1880 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1881 ret = SSH_ERR_INVALID_FORMAT; 1882 goto out; 1883 } 1884 /* FALLTHROUGH */ 1885 case KEY_ECDSA: 1886 if ((key = sshkey_new(type)) == NULL) { 1887 ret = SSH_ERR_ALLOC_FAIL; 1888 goto out; 1889 } 1890 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 1891 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 1892 ret = SSH_ERR_INVALID_FORMAT; 1893 goto out; 1894 } 1895 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 1896 ret = SSH_ERR_EC_CURVE_MISMATCH; 1897 goto out; 1898 } 1899 if (key->ecdsa != NULL) 1900 EC_KEY_free(key->ecdsa); 1901 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1902 == NULL) { 1903 ret = SSH_ERR_EC_CURVE_INVALID; 1904 goto out; 1905 } 1906 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 1907 ret = SSH_ERR_ALLOC_FAIL; 1908 goto out; 1909 } 1910 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 1911 ret = SSH_ERR_INVALID_FORMAT; 1912 goto out; 1913 } 1914 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1915 q) != 0) { 1916 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 1917 goto out; 1918 } 1919 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 1920 /* XXX assume it is a allocation error */ 1921 ret = SSH_ERR_ALLOC_FAIL; 1922 goto out; 1923 } 1924 #ifdef DEBUG_PK 1925 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1926 #endif 1927 break; 1928 #endif /* WITH_OPENSSL */ 1929 case KEY_ED25519_CERT: 1930 /* Skip nonce */ 1931 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1932 ret = SSH_ERR_INVALID_FORMAT; 1933 goto out; 1934 } 1935 /* FALLTHROUGH */ 1936 case KEY_ED25519: 1937 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 1938 goto out; 1939 if (len != ED25519_PK_SZ) { 1940 ret = SSH_ERR_INVALID_FORMAT; 1941 goto out; 1942 } 1943 if ((key = sshkey_new(type)) == NULL) { 1944 ret = SSH_ERR_ALLOC_FAIL; 1945 goto out; 1946 } 1947 key->ed25519_pk = pk; 1948 pk = NULL; 1949 break; 1950 case KEY_UNSPEC: 1951 if ((key = sshkey_new(type)) == NULL) { 1952 ret = SSH_ERR_ALLOC_FAIL; 1953 goto out; 1954 } 1955 break; 1956 default: 1957 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1958 goto out; 1959 } 1960 1961 /* Parse certificate potion */ 1962 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 1963 goto out; 1964 1965 if (key != NULL && sshbuf_len(b) != 0) { 1966 ret = SSH_ERR_INVALID_FORMAT; 1967 goto out; 1968 } 1969 ret = 0; 1970 if (keyp != NULL) { 1971 *keyp = key; 1972 key = NULL; 1973 } 1974 out: 1975 sshbuf_free(copy); 1976 sshkey_free(key); 1977 free(ktype); 1978 free(curve); 1979 free(pk); 1980 #ifdef WITH_OPENSSL 1981 if (q != NULL) 1982 EC_POINT_free(q); 1983 #endif /* WITH_OPENSSL */ 1984 return ret; 1985 } 1986 1987 int 1988 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 1989 { 1990 struct sshbuf *b; 1991 int r; 1992 1993 if ((b = sshbuf_from(blob, blen)) == NULL) 1994 return SSH_ERR_ALLOC_FAIL; 1995 r = sshkey_from_blob_internal(b, keyp, 1); 1996 sshbuf_free(b); 1997 return r; 1998 } 1999 2000 int 2001 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2002 { 2003 return sshkey_from_blob_internal(b, keyp, 1); 2004 } 2005 2006 int 2007 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2008 { 2009 struct sshbuf *b; 2010 int r; 2011 2012 if ((r = sshbuf_froms(buf, &b)) != 0) 2013 return r; 2014 r = sshkey_from_blob_internal(b, keyp, 1); 2015 sshbuf_free(b); 2016 return r; 2017 } 2018 2019 int 2020 sshkey_sign(const struct sshkey *key, 2021 u_char **sigp, size_t *lenp, 2022 const u_char *data, size_t datalen, const char *alg, u_int compat) 2023 { 2024 if (sigp != NULL) 2025 *sigp = NULL; 2026 if (lenp != NULL) 2027 *lenp = 0; 2028 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2029 return SSH_ERR_INVALID_ARGUMENT; 2030 switch (key->type) { 2031 #ifdef WITH_OPENSSL 2032 case KEY_DSA_CERT: 2033 case KEY_DSA: 2034 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2035 case KEY_ECDSA_CERT: 2036 case KEY_ECDSA: 2037 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2038 case KEY_RSA_CERT: 2039 case KEY_RSA: 2040 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2041 #endif /* WITH_OPENSSL */ 2042 case KEY_ED25519: 2043 case KEY_ED25519_CERT: 2044 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2045 default: 2046 return SSH_ERR_KEY_TYPE_UNKNOWN; 2047 } 2048 } 2049 2050 /* 2051 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2052 */ 2053 int 2054 sshkey_verify(const struct sshkey *key, 2055 const u_char *sig, size_t siglen, 2056 const u_char *data, size_t dlen, u_int compat) 2057 { 2058 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2059 return SSH_ERR_INVALID_ARGUMENT; 2060 switch (key->type) { 2061 #ifdef WITH_OPENSSL 2062 case KEY_DSA_CERT: 2063 case KEY_DSA: 2064 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2065 case KEY_ECDSA_CERT: 2066 case KEY_ECDSA: 2067 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2068 case KEY_RSA_CERT: 2069 case KEY_RSA: 2070 return ssh_rsa_verify(key, sig, siglen, data, dlen); 2071 #endif /* WITH_OPENSSL */ 2072 case KEY_ED25519: 2073 case KEY_ED25519_CERT: 2074 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2075 default: 2076 return SSH_ERR_KEY_TYPE_UNKNOWN; 2077 } 2078 } 2079 2080 /* Converts a private to a public key */ 2081 int 2082 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2083 { 2084 struct sshkey *pk; 2085 int ret = SSH_ERR_INTERNAL_ERROR; 2086 2087 *dkp = NULL; 2088 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2089 return SSH_ERR_ALLOC_FAIL; 2090 pk->type = k->type; 2091 pk->flags = k->flags; 2092 pk->ecdsa_nid = k->ecdsa_nid; 2093 pk->dsa = NULL; 2094 pk->ecdsa = NULL; 2095 pk->rsa = NULL; 2096 pk->ed25519_pk = NULL; 2097 pk->ed25519_sk = NULL; 2098 2099 switch (k->type) { 2100 #ifdef WITH_OPENSSL 2101 case KEY_RSA_CERT: 2102 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2103 goto fail; 2104 /* FALLTHROUGH */ 2105 case KEY_RSA: 2106 if ((pk->rsa = RSA_new()) == NULL || 2107 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2108 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2109 ret = SSH_ERR_ALLOC_FAIL; 2110 goto fail; 2111 } 2112 break; 2113 case KEY_DSA_CERT: 2114 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2115 goto fail; 2116 /* FALLTHROUGH */ 2117 case KEY_DSA: 2118 if ((pk->dsa = DSA_new()) == NULL || 2119 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2120 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2121 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2122 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2123 ret = SSH_ERR_ALLOC_FAIL; 2124 goto fail; 2125 } 2126 break; 2127 case KEY_ECDSA_CERT: 2128 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2129 goto fail; 2130 /* FALLTHROUGH */ 2131 case KEY_ECDSA: 2132 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2133 if (pk->ecdsa == NULL) { 2134 ret = SSH_ERR_ALLOC_FAIL; 2135 goto fail; 2136 } 2137 if (EC_KEY_set_public_key(pk->ecdsa, 2138 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2139 ret = SSH_ERR_LIBCRYPTO_ERROR; 2140 goto fail; 2141 } 2142 break; 2143 #endif /* WITH_OPENSSL */ 2144 case KEY_ED25519_CERT: 2145 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2146 goto fail; 2147 /* FALLTHROUGH */ 2148 case KEY_ED25519: 2149 if (k->ed25519_pk != NULL) { 2150 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2151 ret = SSH_ERR_ALLOC_FAIL; 2152 goto fail; 2153 } 2154 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2155 } 2156 break; 2157 default: 2158 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2159 fail: 2160 sshkey_free(pk); 2161 return ret; 2162 } 2163 *dkp = pk; 2164 return 0; 2165 } 2166 2167 /* Convert a plain key to their _CERT equivalent */ 2168 int 2169 sshkey_to_certified(struct sshkey *k) 2170 { 2171 int newtype; 2172 2173 switch (k->type) { 2174 #ifdef WITH_OPENSSL 2175 case KEY_RSA: 2176 newtype = KEY_RSA_CERT; 2177 break; 2178 case KEY_DSA: 2179 newtype = KEY_DSA_CERT; 2180 break; 2181 case KEY_ECDSA: 2182 newtype = KEY_ECDSA_CERT; 2183 break; 2184 #endif /* WITH_OPENSSL */ 2185 case KEY_ED25519: 2186 newtype = KEY_ED25519_CERT; 2187 break; 2188 default: 2189 return SSH_ERR_INVALID_ARGUMENT; 2190 } 2191 if ((k->cert = cert_new()) == NULL) 2192 return SSH_ERR_ALLOC_FAIL; 2193 k->type = newtype; 2194 return 0; 2195 } 2196 2197 /* Convert a certificate to its raw key equivalent */ 2198 int 2199 sshkey_drop_cert(struct sshkey *k) 2200 { 2201 if (!sshkey_type_is_cert(k->type)) 2202 return SSH_ERR_KEY_TYPE_UNKNOWN; 2203 cert_free(k->cert); 2204 k->cert = NULL; 2205 k->type = sshkey_type_plain(k->type); 2206 return 0; 2207 } 2208 2209 /* Sign a certified key, (re-)generating the signed certblob. */ 2210 int 2211 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2212 sshkey_certify_signer *signer, void *signer_ctx) 2213 { 2214 struct sshbuf *principals = NULL; 2215 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2216 size_t i, ca_len, sig_len; 2217 int ret = SSH_ERR_INTERNAL_ERROR; 2218 struct sshbuf *cert; 2219 2220 if (k == NULL || k->cert == NULL || 2221 k->cert->certblob == NULL || ca == NULL) 2222 return SSH_ERR_INVALID_ARGUMENT; 2223 if (!sshkey_is_cert(k)) 2224 return SSH_ERR_KEY_TYPE_UNKNOWN; 2225 if (!sshkey_type_is_valid_ca(ca->type)) 2226 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2227 2228 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2229 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2230 2231 cert = k->cert->certblob; /* for readability */ 2232 sshbuf_reset(cert); 2233 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2234 goto out; 2235 2236 /* -v01 certs put nonce first */ 2237 arc4random_buf(&nonce, sizeof(nonce)); 2238 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2239 goto out; 2240 2241 /* XXX this substantially duplicates to_blob(); refactor */ 2242 switch (k->type) { 2243 #ifdef WITH_OPENSSL 2244 case KEY_DSA_CERT: 2245 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2246 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2247 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2248 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2249 goto out; 2250 break; 2251 case KEY_ECDSA_CERT: 2252 if ((ret = sshbuf_put_cstring(cert, 2253 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2254 (ret = sshbuf_put_ec(cert, 2255 EC_KEY_get0_public_key(k->ecdsa), 2256 EC_KEY_get0_group(k->ecdsa))) != 0) 2257 goto out; 2258 break; 2259 case KEY_RSA_CERT: 2260 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2261 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2262 goto out; 2263 break; 2264 #endif /* WITH_OPENSSL */ 2265 case KEY_ED25519_CERT: 2266 if ((ret = sshbuf_put_string(cert, 2267 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2268 goto out; 2269 break; 2270 default: 2271 ret = SSH_ERR_INVALID_ARGUMENT; 2272 goto out; 2273 } 2274 2275 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2276 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2277 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2278 goto out; 2279 2280 if ((principals = sshbuf_new()) == NULL) { 2281 ret = SSH_ERR_ALLOC_FAIL; 2282 goto out; 2283 } 2284 for (i = 0; i < k->cert->nprincipals; i++) { 2285 if ((ret = sshbuf_put_cstring(principals, 2286 k->cert->principals[i])) != 0) 2287 goto out; 2288 } 2289 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2290 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2291 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2292 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2293 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2294 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2295 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2296 goto out; 2297 2298 /* Sign the whole mess */ 2299 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2300 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2301 goto out; 2302 2303 /* Append signature and we are done */ 2304 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2305 goto out; 2306 ret = 0; 2307 out: 2308 if (ret != 0) 2309 sshbuf_reset(cert); 2310 free(sig_blob); 2311 free(ca_blob); 2312 sshbuf_free(principals); 2313 return ret; 2314 } 2315 2316 static int 2317 default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 2318 const u_char *data, size_t datalen, 2319 const char *alg, u_int compat, void *ctx) 2320 { 2321 if (ctx != NULL) 2322 return SSH_ERR_INVALID_ARGUMENT; 2323 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2324 } 2325 2326 int 2327 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2328 { 2329 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2330 } 2331 2332 int 2333 sshkey_cert_check_authority(const struct sshkey *k, 2334 int want_host, int require_principal, 2335 const char *name, const char **reason) 2336 { 2337 u_int i, principal_matches; 2338 time_t now = time(NULL); 2339 2340 if (reason != NULL) 2341 *reason = NULL; 2342 2343 if (want_host) { 2344 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2345 *reason = "Certificate invalid: not a host certificate"; 2346 return SSH_ERR_KEY_CERT_INVALID; 2347 } 2348 } else { 2349 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2350 *reason = "Certificate invalid: not a user certificate"; 2351 return SSH_ERR_KEY_CERT_INVALID; 2352 } 2353 } 2354 if (now < 0) { 2355 /* yikes - system clock before epoch! */ 2356 *reason = "Certificate invalid: not yet valid"; 2357 return SSH_ERR_KEY_CERT_INVALID; 2358 } 2359 if ((u_int64_t)now < k->cert->valid_after) { 2360 *reason = "Certificate invalid: not yet valid"; 2361 return SSH_ERR_KEY_CERT_INVALID; 2362 } 2363 if ((u_int64_t)now >= k->cert->valid_before) { 2364 *reason = "Certificate invalid: expired"; 2365 return SSH_ERR_KEY_CERT_INVALID; 2366 } 2367 if (k->cert->nprincipals == 0) { 2368 if (require_principal) { 2369 *reason = "Certificate lacks principal list"; 2370 return SSH_ERR_KEY_CERT_INVALID; 2371 } 2372 } else if (name != NULL) { 2373 principal_matches = 0; 2374 for (i = 0; i < k->cert->nprincipals; i++) { 2375 if (strcmp(name, k->cert->principals[i]) == 0) { 2376 principal_matches = 1; 2377 break; 2378 } 2379 } 2380 if (!principal_matches) { 2381 *reason = "Certificate invalid: name is not a listed " 2382 "principal"; 2383 return SSH_ERR_KEY_CERT_INVALID; 2384 } 2385 } 2386 return 0; 2387 } 2388 2389 size_t 2390 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2391 { 2392 char from[32], to[32], ret[64]; 2393 time_t tt; 2394 struct tm *tm; 2395 2396 *from = *to = '\0'; 2397 if (cert->valid_after == 0 && 2398 cert->valid_before == 0xffffffffffffffffULL) 2399 return strlcpy(s, "forever", l); 2400 2401 if (cert->valid_after != 0) { 2402 /* XXX revisit INT_MAX in 2038 :) */ 2403 tt = cert->valid_after > INT_MAX ? 2404 INT_MAX : cert->valid_after; 2405 tm = localtime(&tt); 2406 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2407 } 2408 if (cert->valid_before != 0xffffffffffffffffULL) { 2409 /* XXX revisit INT_MAX in 2038 :) */ 2410 tt = cert->valid_before > INT_MAX ? 2411 INT_MAX : cert->valid_before; 2412 tm = localtime(&tt); 2413 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2414 } 2415 2416 if (cert->valid_after == 0) 2417 snprintf(ret, sizeof(ret), "before %s", to); 2418 else if (cert->valid_before == 0xffffffffffffffffULL) 2419 snprintf(ret, sizeof(ret), "after %s", from); 2420 else 2421 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2422 2423 return strlcpy(s, ret, l); 2424 } 2425 2426 int 2427 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2428 { 2429 int r = SSH_ERR_INTERNAL_ERROR; 2430 2431 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2432 goto out; 2433 switch (key->type) { 2434 #ifdef WITH_OPENSSL 2435 case KEY_RSA: 2436 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2437 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2438 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2439 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2440 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2441 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2442 goto out; 2443 break; 2444 case KEY_RSA_CERT: 2445 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2446 r = SSH_ERR_INVALID_ARGUMENT; 2447 goto out; 2448 } 2449 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2450 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2451 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2452 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2453 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2454 goto out; 2455 break; 2456 case KEY_DSA: 2457 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2458 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2459 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2460 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2461 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2462 goto out; 2463 break; 2464 case KEY_DSA_CERT: 2465 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2466 r = SSH_ERR_INVALID_ARGUMENT; 2467 goto out; 2468 } 2469 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2470 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2471 goto out; 2472 break; 2473 case KEY_ECDSA: 2474 if ((r = sshbuf_put_cstring(b, 2475 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2476 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2477 (r = sshbuf_put_bignum2(b, 2478 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2479 goto out; 2480 break; 2481 case KEY_ECDSA_CERT: 2482 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2483 r = SSH_ERR_INVALID_ARGUMENT; 2484 goto out; 2485 } 2486 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2487 (r = sshbuf_put_bignum2(b, 2488 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2489 goto out; 2490 break; 2491 #endif /* WITH_OPENSSL */ 2492 case KEY_ED25519: 2493 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2494 ED25519_PK_SZ)) != 0 || 2495 (r = sshbuf_put_string(b, key->ed25519_sk, 2496 ED25519_SK_SZ)) != 0) 2497 goto out; 2498 break; 2499 case KEY_ED25519_CERT: 2500 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2501 r = SSH_ERR_INVALID_ARGUMENT; 2502 goto out; 2503 } 2504 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2505 (r = sshbuf_put_string(b, key->ed25519_pk, 2506 ED25519_PK_SZ)) != 0 || 2507 (r = sshbuf_put_string(b, key->ed25519_sk, 2508 ED25519_SK_SZ)) != 0) 2509 goto out; 2510 break; 2511 default: 2512 r = SSH_ERR_INVALID_ARGUMENT; 2513 goto out; 2514 } 2515 /* success */ 2516 r = 0; 2517 out: 2518 return r; 2519 } 2520 2521 int 2522 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2523 { 2524 char *tname = NULL, *curve = NULL; 2525 struct sshkey *k = NULL; 2526 size_t pklen = 0, sklen = 0; 2527 int type, r = SSH_ERR_INTERNAL_ERROR; 2528 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2529 #ifdef WITH_OPENSSL 2530 BIGNUM *exponent = NULL; 2531 #endif /* WITH_OPENSSL */ 2532 2533 if (kp != NULL) 2534 *kp = NULL; 2535 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2536 goto out; 2537 type = sshkey_type_from_name(tname); 2538 switch (type) { 2539 #ifdef WITH_OPENSSL 2540 case KEY_DSA: 2541 if ((k = sshkey_new_private(type)) == NULL) { 2542 r = SSH_ERR_ALLOC_FAIL; 2543 goto out; 2544 } 2545 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2546 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2547 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2548 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2549 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2550 goto out; 2551 break; 2552 case KEY_DSA_CERT: 2553 if ((r = sshkey_froms(buf, &k)) != 0 || 2554 (r = sshkey_add_private(k)) != 0 || 2555 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2556 goto out; 2557 break; 2558 case KEY_ECDSA: 2559 if ((k = sshkey_new_private(type)) == NULL) { 2560 r = SSH_ERR_ALLOC_FAIL; 2561 goto out; 2562 } 2563 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2564 r = SSH_ERR_INVALID_ARGUMENT; 2565 goto out; 2566 } 2567 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2568 goto out; 2569 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2570 r = SSH_ERR_EC_CURVE_MISMATCH; 2571 goto out; 2572 } 2573 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2574 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2575 r = SSH_ERR_LIBCRYPTO_ERROR; 2576 goto out; 2577 } 2578 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2579 (r = sshbuf_get_bignum2(buf, exponent))) 2580 goto out; 2581 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2582 r = SSH_ERR_LIBCRYPTO_ERROR; 2583 goto out; 2584 } 2585 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2586 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2587 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2588 goto out; 2589 break; 2590 case KEY_ECDSA_CERT: 2591 if ((exponent = BN_new()) == NULL) { 2592 r = SSH_ERR_LIBCRYPTO_ERROR; 2593 goto out; 2594 } 2595 if ((r = sshkey_froms(buf, &k)) != 0 || 2596 (r = sshkey_add_private(k)) != 0 || 2597 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2598 goto out; 2599 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2600 r = SSH_ERR_LIBCRYPTO_ERROR; 2601 goto out; 2602 } 2603 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2604 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2605 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2606 goto out; 2607 break; 2608 case KEY_RSA: 2609 if ((k = sshkey_new_private(type)) == NULL) { 2610 r = SSH_ERR_ALLOC_FAIL; 2611 goto out; 2612 } 2613 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2614 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2615 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2616 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2617 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2618 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2619 (r = ssh_rsa_generate_additional_parameters(k)) != 0) 2620 goto out; 2621 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 2622 r = SSH_ERR_KEY_LENGTH; 2623 goto out; 2624 } 2625 break; 2626 case KEY_RSA_CERT: 2627 if ((r = sshkey_froms(buf, &k)) != 0 || 2628 (r = sshkey_add_private(k)) != 0 || 2629 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2630 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2631 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2632 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2633 (r = ssh_rsa_generate_additional_parameters(k)) != 0) 2634 goto out; 2635 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 2636 r = SSH_ERR_KEY_LENGTH; 2637 goto out; 2638 } 2639 break; 2640 #endif /* WITH_OPENSSL */ 2641 case KEY_ED25519: 2642 if ((k = sshkey_new_private(type)) == NULL) { 2643 r = SSH_ERR_ALLOC_FAIL; 2644 goto out; 2645 } 2646 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2647 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2648 goto out; 2649 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2650 r = SSH_ERR_INVALID_FORMAT; 2651 goto out; 2652 } 2653 k->ed25519_pk = ed25519_pk; 2654 k->ed25519_sk = ed25519_sk; 2655 ed25519_pk = ed25519_sk = NULL; 2656 break; 2657 case KEY_ED25519_CERT: 2658 if ((r = sshkey_froms(buf, &k)) != 0 || 2659 (r = sshkey_add_private(k)) != 0 || 2660 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2661 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2662 goto out; 2663 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2664 r = SSH_ERR_INVALID_FORMAT; 2665 goto out; 2666 } 2667 k->ed25519_pk = ed25519_pk; 2668 k->ed25519_sk = ed25519_sk; 2669 ed25519_pk = ed25519_sk = NULL; 2670 break; 2671 default: 2672 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2673 goto out; 2674 } 2675 #ifdef WITH_OPENSSL 2676 /* enable blinding */ 2677 switch (k->type) { 2678 case KEY_RSA: 2679 case KEY_RSA_CERT: 2680 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2681 r = SSH_ERR_LIBCRYPTO_ERROR; 2682 goto out; 2683 } 2684 break; 2685 } 2686 #endif /* WITH_OPENSSL */ 2687 /* success */ 2688 r = 0; 2689 if (kp != NULL) { 2690 *kp = k; 2691 k = NULL; 2692 } 2693 out: 2694 free(tname); 2695 free(curve); 2696 #ifdef WITH_OPENSSL 2697 if (exponent != NULL) 2698 BN_clear_free(exponent); 2699 #endif /* WITH_OPENSSL */ 2700 sshkey_free(k); 2701 if (ed25519_pk != NULL) { 2702 explicit_bzero(ed25519_pk, pklen); 2703 free(ed25519_pk); 2704 } 2705 if (ed25519_sk != NULL) { 2706 explicit_bzero(ed25519_sk, sklen); 2707 free(ed25519_sk); 2708 } 2709 return r; 2710 } 2711 2712 #ifdef WITH_OPENSSL 2713 int 2714 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2715 { 2716 BN_CTX *bnctx; 2717 EC_POINT *nq = NULL; 2718 BIGNUM *order, *x, *y, *tmp; 2719 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2720 2721 /* 2722 * NB. This assumes OpenSSL has already verified that the public 2723 * point lies on the curve. This is done by EC_POINT_oct2point() 2724 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 2725 * reachable with public points not unmarshalled using 2726 * EC_POINT_oct2point then the caller will need to explicitly check. 2727 */ 2728 2729 if ((bnctx = BN_CTX_new()) == NULL) 2730 return SSH_ERR_ALLOC_FAIL; 2731 BN_CTX_start(bnctx); 2732 2733 /* 2734 * We shouldn't ever hit this case because bignum_get_ecpoint() 2735 * refuses to load GF2m points. 2736 */ 2737 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2738 NID_X9_62_prime_field) 2739 goto out; 2740 2741 /* Q != infinity */ 2742 if (EC_POINT_is_at_infinity(group, public)) 2743 goto out; 2744 2745 if ((x = BN_CTX_get(bnctx)) == NULL || 2746 (y = BN_CTX_get(bnctx)) == NULL || 2747 (order = BN_CTX_get(bnctx)) == NULL || 2748 (tmp = BN_CTX_get(bnctx)) == NULL) { 2749 ret = SSH_ERR_ALLOC_FAIL; 2750 goto out; 2751 } 2752 2753 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2754 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2755 EC_POINT_get_affine_coordinates_GFp(group, public, 2756 x, y, bnctx) != 1) { 2757 ret = SSH_ERR_LIBCRYPTO_ERROR; 2758 goto out; 2759 } 2760 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2761 BN_num_bits(y) <= BN_num_bits(order) / 2) 2762 goto out; 2763 2764 /* nQ == infinity (n == order of subgroup) */ 2765 if ((nq = EC_POINT_new(group)) == NULL) { 2766 ret = SSH_ERR_ALLOC_FAIL; 2767 goto out; 2768 } 2769 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2770 ret = SSH_ERR_LIBCRYPTO_ERROR; 2771 goto out; 2772 } 2773 if (EC_POINT_is_at_infinity(group, nq) != 1) 2774 goto out; 2775 2776 /* x < order - 1, y < order - 1 */ 2777 if (!BN_sub(tmp, order, BN_value_one())) { 2778 ret = SSH_ERR_LIBCRYPTO_ERROR; 2779 goto out; 2780 } 2781 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2782 goto out; 2783 ret = 0; 2784 out: 2785 BN_CTX_free(bnctx); 2786 if (nq != NULL) 2787 EC_POINT_free(nq); 2788 return ret; 2789 } 2790 2791 int 2792 sshkey_ec_validate_private(const EC_KEY *key) 2793 { 2794 BN_CTX *bnctx; 2795 BIGNUM *order, *tmp; 2796 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2797 2798 if ((bnctx = BN_CTX_new()) == NULL) 2799 return SSH_ERR_ALLOC_FAIL; 2800 BN_CTX_start(bnctx); 2801 2802 if ((order = BN_CTX_get(bnctx)) == NULL || 2803 (tmp = BN_CTX_get(bnctx)) == NULL) { 2804 ret = SSH_ERR_ALLOC_FAIL; 2805 goto out; 2806 } 2807 2808 /* log2(private) > log2(order)/2 */ 2809 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2810 ret = SSH_ERR_LIBCRYPTO_ERROR; 2811 goto out; 2812 } 2813 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2814 BN_num_bits(order) / 2) 2815 goto out; 2816 2817 /* private < order - 1 */ 2818 if (!BN_sub(tmp, order, BN_value_one())) { 2819 ret = SSH_ERR_LIBCRYPTO_ERROR; 2820 goto out; 2821 } 2822 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2823 goto out; 2824 ret = 0; 2825 out: 2826 BN_CTX_free(bnctx); 2827 return ret; 2828 } 2829 2830 void 2831 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2832 { 2833 BIGNUM *x, *y; 2834 BN_CTX *bnctx; 2835 2836 if (point == NULL) { 2837 fputs("point=(NULL)\n", stderr); 2838 return; 2839 } 2840 if ((bnctx = BN_CTX_new()) == NULL) { 2841 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2842 return; 2843 } 2844 BN_CTX_start(bnctx); 2845 if ((x = BN_CTX_get(bnctx)) == NULL || 2846 (y = BN_CTX_get(bnctx)) == NULL) { 2847 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2848 return; 2849 } 2850 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2851 NID_X9_62_prime_field) { 2852 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2853 return; 2854 } 2855 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2856 bnctx) != 1) { 2857 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2858 __func__); 2859 return; 2860 } 2861 fputs("x=", stderr); 2862 BN_print_fp(stderr, x); 2863 fputs("\ny=", stderr); 2864 BN_print_fp(stderr, y); 2865 fputs("\n", stderr); 2866 BN_CTX_free(bnctx); 2867 } 2868 2869 void 2870 sshkey_dump_ec_key(const EC_KEY *key) 2871 { 2872 const BIGNUM *exponent; 2873 2874 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2875 EC_KEY_get0_public_key(key)); 2876 fputs("exponent=", stderr); 2877 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2878 fputs("(NULL)", stderr); 2879 else 2880 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2881 fputs("\n", stderr); 2882 } 2883 #endif /* WITH_OPENSSL */ 2884 2885 static int 2886 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2887 const char *passphrase, const char *comment, const char *ciphername, 2888 int rounds) 2889 { 2890 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2891 u_char salt[SALT_LEN]; 2892 char *b64 = NULL; 2893 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2894 u_int check; 2895 int r = SSH_ERR_INTERNAL_ERROR; 2896 struct sshcipher_ctx *ciphercontext = NULL; 2897 const struct sshcipher *cipher; 2898 const char *kdfname = KDFNAME; 2899 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2900 2901 if (rounds <= 0) 2902 rounds = DEFAULT_ROUNDS; 2903 if (passphrase == NULL || !strlen(passphrase)) { 2904 ciphername = "none"; 2905 kdfname = "none"; 2906 } else if (ciphername == NULL) 2907 ciphername = DEFAULT_CIPHERNAME; 2908 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2909 r = SSH_ERR_INVALID_ARGUMENT; 2910 goto out; 2911 } 2912 2913 if ((kdf = sshbuf_new()) == NULL || 2914 (encoded = sshbuf_new()) == NULL || 2915 (encrypted = sshbuf_new()) == NULL) { 2916 r = SSH_ERR_ALLOC_FAIL; 2917 goto out; 2918 } 2919 blocksize = cipher_blocksize(cipher); 2920 keylen = cipher_keylen(cipher); 2921 ivlen = cipher_ivlen(cipher); 2922 authlen = cipher_authlen(cipher); 2923 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2924 r = SSH_ERR_ALLOC_FAIL; 2925 goto out; 2926 } 2927 if (strcmp(kdfname, "bcrypt") == 0) { 2928 arc4random_buf(salt, SALT_LEN); 2929 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2930 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2931 r = SSH_ERR_INVALID_ARGUMENT; 2932 goto out; 2933 } 2934 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2935 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2936 goto out; 2937 } else if (strcmp(kdfname, "none") != 0) { 2938 /* Unsupported KDF type */ 2939 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2940 goto out; 2941 } 2942 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2943 key + keylen, ivlen, 1)) != 0) 2944 goto out; 2945 2946 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2947 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2948 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2949 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2950 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2951 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2952 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2953 goto out; 2954 2955 /* set up the buffer that will be encrypted */ 2956 2957 /* Random check bytes */ 2958 check = arc4random(); 2959 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2960 (r = sshbuf_put_u32(encrypted, check)) != 0) 2961 goto out; 2962 2963 /* append private key and comment*/ 2964 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 2965 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2966 goto out; 2967 2968 /* padding */ 2969 i = 0; 2970 while (sshbuf_len(encrypted) % blocksize) { 2971 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2972 goto out; 2973 } 2974 2975 /* length in destination buffer */ 2976 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2977 goto out; 2978 2979 /* encrypt */ 2980 if ((r = sshbuf_reserve(encoded, 2981 sshbuf_len(encrypted) + authlen, &cp)) != 0) 2982 goto out; 2983 if ((r = cipher_crypt(ciphercontext, 0, cp, 2984 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 2985 goto out; 2986 2987 /* uuencode */ 2988 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 2989 r = SSH_ERR_ALLOC_FAIL; 2990 goto out; 2991 } 2992 2993 sshbuf_reset(blob); 2994 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 2995 goto out; 2996 for (i = 0; i < strlen(b64); i++) { 2997 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 2998 goto out; 2999 /* insert line breaks */ 3000 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3001 goto out; 3002 } 3003 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3004 goto out; 3005 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3006 goto out; 3007 3008 /* success */ 3009 r = 0; 3010 3011 out: 3012 sshbuf_free(kdf); 3013 sshbuf_free(encoded); 3014 sshbuf_free(encrypted); 3015 cipher_free(ciphercontext); 3016 explicit_bzero(salt, sizeof(salt)); 3017 if (key != NULL) { 3018 explicit_bzero(key, keylen + ivlen); 3019 free(key); 3020 } 3021 if (pubkeyblob != NULL) { 3022 explicit_bzero(pubkeyblob, pubkeylen); 3023 free(pubkeyblob); 3024 } 3025 if (b64 != NULL) { 3026 explicit_bzero(b64, strlen(b64)); 3027 free(b64); 3028 } 3029 return r; 3030 } 3031 3032 static int 3033 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3034 struct sshkey **keyp, char **commentp) 3035 { 3036 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3037 const struct sshcipher *cipher = NULL; 3038 const u_char *cp; 3039 int r = SSH_ERR_INTERNAL_ERROR; 3040 size_t encoded_len; 3041 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3042 struct sshbuf *encoded = NULL, *decoded = NULL; 3043 struct sshbuf *kdf = NULL, *decrypted = NULL; 3044 struct sshcipher_ctx *ciphercontext = NULL; 3045 struct sshkey *k = NULL; 3046 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3047 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3048 3049 if (keyp != NULL) 3050 *keyp = NULL; 3051 if (commentp != NULL) 3052 *commentp = NULL; 3053 3054 if ((encoded = sshbuf_new()) == NULL || 3055 (decoded = sshbuf_new()) == NULL || 3056 (decrypted = sshbuf_new()) == NULL) { 3057 r = SSH_ERR_ALLOC_FAIL; 3058 goto out; 3059 } 3060 3061 /* check preamble */ 3062 cp = sshbuf_ptr(blob); 3063 encoded_len = sshbuf_len(blob); 3064 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3065 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3066 r = SSH_ERR_INVALID_FORMAT; 3067 goto out; 3068 } 3069 cp += MARK_BEGIN_LEN; 3070 encoded_len -= MARK_BEGIN_LEN; 3071 3072 /* Look for end marker, removing whitespace as we go */ 3073 while (encoded_len > 0) { 3074 if (*cp != '\n' && *cp != '\r') { 3075 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3076 goto out; 3077 } 3078 last = *cp; 3079 encoded_len--; 3080 cp++; 3081 if (last == '\n') { 3082 if (encoded_len >= MARK_END_LEN && 3083 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3084 /* \0 terminate */ 3085 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3086 goto out; 3087 break; 3088 } 3089 } 3090 } 3091 if (encoded_len == 0) { 3092 r = SSH_ERR_INVALID_FORMAT; 3093 goto out; 3094 } 3095 3096 /* decode base64 */ 3097 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3098 goto out; 3099 3100 /* check magic */ 3101 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3102 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3103 r = SSH_ERR_INVALID_FORMAT; 3104 goto out; 3105 } 3106 /* parse public portion of key */ 3107 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3108 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3109 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3110 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3111 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3112 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3113 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3114 goto out; 3115 3116 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3117 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3118 goto out; 3119 } 3120 if ((passphrase == NULL || strlen(passphrase) == 0) && 3121 strcmp(ciphername, "none") != 0) { 3122 /* passphrase required */ 3123 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3124 goto out; 3125 } 3126 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3127 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3128 goto out; 3129 } 3130 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3131 r = SSH_ERR_INVALID_FORMAT; 3132 goto out; 3133 } 3134 if (nkeys != 1) { 3135 /* XXX only one key supported */ 3136 r = SSH_ERR_INVALID_FORMAT; 3137 goto out; 3138 } 3139 3140 /* check size of encrypted key blob */ 3141 blocksize = cipher_blocksize(cipher); 3142 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3143 r = SSH_ERR_INVALID_FORMAT; 3144 goto out; 3145 } 3146 3147 /* setup key */ 3148 keylen = cipher_keylen(cipher); 3149 ivlen = cipher_ivlen(cipher); 3150 authlen = cipher_authlen(cipher); 3151 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3152 r = SSH_ERR_ALLOC_FAIL; 3153 goto out; 3154 } 3155 if (strcmp(kdfname, "bcrypt") == 0) { 3156 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3157 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3158 goto out; 3159 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3160 key, keylen + ivlen, rounds) < 0) { 3161 r = SSH_ERR_INVALID_FORMAT; 3162 goto out; 3163 } 3164 } 3165 3166 /* check that an appropriate amount of auth data is present */ 3167 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3168 r = SSH_ERR_INVALID_FORMAT; 3169 goto out; 3170 } 3171 3172 /* decrypt private portion of key */ 3173 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3174 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3175 key + keylen, ivlen, 0)) != 0) 3176 goto out; 3177 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3178 encrypted_len, 0, authlen)) != 0) { 3179 /* an integrity error here indicates an incorrect passphrase */ 3180 if (r == SSH_ERR_MAC_INVALID) 3181 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3182 goto out; 3183 } 3184 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3185 goto out; 3186 /* there should be no trailing data */ 3187 if (sshbuf_len(decoded) != 0) { 3188 r = SSH_ERR_INVALID_FORMAT; 3189 goto out; 3190 } 3191 3192 /* check check bytes */ 3193 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3194 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3195 goto out; 3196 if (check1 != check2) { 3197 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3198 goto out; 3199 } 3200 3201 /* Load the private key and comment */ 3202 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3203 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3204 goto out; 3205 3206 /* Check deterministic padding */ 3207 i = 0; 3208 while (sshbuf_len(decrypted)) { 3209 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3210 goto out; 3211 if (pad != (++i & 0xff)) { 3212 r = SSH_ERR_INVALID_FORMAT; 3213 goto out; 3214 } 3215 } 3216 3217 /* XXX decode pubkey and check against private */ 3218 3219 /* success */ 3220 r = 0; 3221 if (keyp != NULL) { 3222 *keyp = k; 3223 k = NULL; 3224 } 3225 if (commentp != NULL) { 3226 *commentp = comment; 3227 comment = NULL; 3228 } 3229 out: 3230 pad = 0; 3231 cipher_free(ciphercontext); 3232 free(ciphername); 3233 free(kdfname); 3234 free(comment); 3235 if (salt != NULL) { 3236 explicit_bzero(salt, slen); 3237 free(salt); 3238 } 3239 if (key != NULL) { 3240 explicit_bzero(key, keylen + ivlen); 3241 free(key); 3242 } 3243 sshbuf_free(encoded); 3244 sshbuf_free(decoded); 3245 sshbuf_free(kdf); 3246 sshbuf_free(decrypted); 3247 sshkey_free(k); 3248 return r; 3249 } 3250 3251 3252 #ifdef WITH_OPENSSL 3253 /* convert SSH v2 key in OpenSSL PEM format */ 3254 static int 3255 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3256 const char *_passphrase, const char *comment) 3257 { 3258 int success, r; 3259 int blen, len = strlen(_passphrase); 3260 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3261 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3262 const u_char *bptr; 3263 BIO *bio = NULL; 3264 3265 if (len > 0 && len <= 4) 3266 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3267 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3268 return SSH_ERR_ALLOC_FAIL; 3269 3270 switch (key->type) { 3271 case KEY_DSA: 3272 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3273 cipher, passphrase, len, NULL, NULL); 3274 break; 3275 case KEY_ECDSA: 3276 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3277 cipher, passphrase, len, NULL, NULL); 3278 break; 3279 case KEY_RSA: 3280 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3281 cipher, passphrase, len, NULL, NULL); 3282 break; 3283 default: 3284 success = 0; 3285 break; 3286 } 3287 if (success == 0) { 3288 r = SSH_ERR_LIBCRYPTO_ERROR; 3289 goto out; 3290 } 3291 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3292 r = SSH_ERR_INTERNAL_ERROR; 3293 goto out; 3294 } 3295 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3296 goto out; 3297 r = 0; 3298 out: 3299 BIO_free(bio); 3300 return r; 3301 } 3302 #endif /* WITH_OPENSSL */ 3303 3304 /* Serialise "key" to buffer "blob" */ 3305 int 3306 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3307 const char *passphrase, const char *comment, 3308 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3309 { 3310 switch (key->type) { 3311 #ifdef WITH_OPENSSL 3312 case KEY_DSA: 3313 case KEY_ECDSA: 3314 case KEY_RSA: 3315 if (force_new_format) { 3316 return sshkey_private_to_blob2(key, blob, passphrase, 3317 comment, new_format_cipher, new_format_rounds); 3318 } 3319 return sshkey_private_pem_to_blob(key, blob, 3320 passphrase, comment); 3321 #endif /* WITH_OPENSSL */ 3322 case KEY_ED25519: 3323 return sshkey_private_to_blob2(key, blob, passphrase, 3324 comment, new_format_cipher, new_format_rounds); 3325 default: 3326 return SSH_ERR_KEY_TYPE_UNKNOWN; 3327 } 3328 } 3329 3330 3331 #ifdef WITH_OPENSSL 3332 static int 3333 translate_libcrypto_error(unsigned long pem_err) 3334 { 3335 int pem_reason = ERR_GET_REASON(pem_err); 3336 3337 switch (ERR_GET_LIB(pem_err)) { 3338 case ERR_LIB_PEM: 3339 switch (pem_reason) { 3340 case PEM_R_BAD_PASSWORD_READ: 3341 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3342 case PEM_R_BAD_DECRYPT: 3343 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3344 default: 3345 return SSH_ERR_INVALID_FORMAT; 3346 } 3347 case ERR_LIB_EVP: 3348 switch (pem_reason) { 3349 case EVP_R_BAD_DECRYPT: 3350 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3351 case EVP_R_BN_DECODE_ERROR: 3352 case EVP_R_DECODE_ERROR: 3353 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3354 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3355 #endif 3356 return SSH_ERR_INVALID_FORMAT; 3357 default: 3358 return SSH_ERR_LIBCRYPTO_ERROR; 3359 } 3360 case ERR_LIB_ASN1: 3361 return SSH_ERR_INVALID_FORMAT; 3362 } 3363 return SSH_ERR_LIBCRYPTO_ERROR; 3364 } 3365 3366 static void 3367 clear_libcrypto_errors(void) 3368 { 3369 while (ERR_get_error() != 0) 3370 ; 3371 } 3372 3373 /* 3374 * Translate OpenSSL error codes to determine whether 3375 * passphrase is required/incorrect. 3376 */ 3377 static int 3378 convert_libcrypto_error(void) 3379 { 3380 /* 3381 * Some password errors are reported at the beginning 3382 * of the error queue. 3383 */ 3384 if (translate_libcrypto_error(ERR_peek_error()) == 3385 SSH_ERR_KEY_WRONG_PASSPHRASE) 3386 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3387 return translate_libcrypto_error(ERR_peek_last_error()); 3388 } 3389 3390 static int 3391 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3392 const char *passphrase, struct sshkey **keyp) 3393 { 3394 EVP_PKEY *pk = NULL; 3395 struct sshkey *prv = NULL; 3396 BIO *bio = NULL; 3397 int r; 3398 3399 if (keyp != NULL) 3400 *keyp = NULL; 3401 3402 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3403 return SSH_ERR_ALLOC_FAIL; 3404 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3405 (int)sshbuf_len(blob)) { 3406 r = SSH_ERR_ALLOC_FAIL; 3407 goto out; 3408 } 3409 3410 clear_libcrypto_errors(); 3411 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3412 (char *)passphrase)) == NULL) { 3413 r = convert_libcrypto_error(); 3414 goto out; 3415 } 3416 if (pk->type == EVP_PKEY_RSA && 3417 (type == KEY_UNSPEC || type == KEY_RSA)) { 3418 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3419 r = SSH_ERR_ALLOC_FAIL; 3420 goto out; 3421 } 3422 prv->rsa = EVP_PKEY_get1_RSA(pk); 3423 prv->type = KEY_RSA; 3424 #ifdef DEBUG_PK 3425 RSA_print_fp(stderr, prv->rsa, 8); 3426 #endif 3427 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3428 r = SSH_ERR_LIBCRYPTO_ERROR; 3429 goto out; 3430 } 3431 if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 3432 r = SSH_ERR_KEY_LENGTH; 3433 goto out; 3434 } 3435 } else if (pk->type == EVP_PKEY_DSA && 3436 (type == KEY_UNSPEC || type == KEY_DSA)) { 3437 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3438 r = SSH_ERR_ALLOC_FAIL; 3439 goto out; 3440 } 3441 prv->dsa = EVP_PKEY_get1_DSA(pk); 3442 prv->type = KEY_DSA; 3443 #ifdef DEBUG_PK 3444 DSA_print_fp(stderr, prv->dsa, 8); 3445 #endif 3446 } else if (pk->type == EVP_PKEY_EC && 3447 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3448 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3449 r = SSH_ERR_ALLOC_FAIL; 3450 goto out; 3451 } 3452 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3453 prv->type = KEY_ECDSA; 3454 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3455 if (prv->ecdsa_nid == -1 || 3456 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3457 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3458 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3459 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3460 r = SSH_ERR_INVALID_FORMAT; 3461 goto out; 3462 } 3463 #ifdef DEBUG_PK 3464 if (prv != NULL && prv->ecdsa != NULL) 3465 sshkey_dump_ec_key(prv->ecdsa); 3466 #endif 3467 } else { 3468 r = SSH_ERR_INVALID_FORMAT; 3469 goto out; 3470 } 3471 r = 0; 3472 if (keyp != NULL) { 3473 *keyp = prv; 3474 prv = NULL; 3475 } 3476 out: 3477 BIO_free(bio); 3478 if (pk != NULL) 3479 EVP_PKEY_free(pk); 3480 sshkey_free(prv); 3481 return r; 3482 } 3483 #endif /* WITH_OPENSSL */ 3484 3485 int 3486 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3487 const char *passphrase, struct sshkey **keyp, char **commentp) 3488 { 3489 int r = SSH_ERR_INTERNAL_ERROR; 3490 3491 if (keyp != NULL) 3492 *keyp = NULL; 3493 if (commentp != NULL) 3494 *commentp = NULL; 3495 3496 switch (type) { 3497 #ifdef WITH_OPENSSL 3498 case KEY_DSA: 3499 case KEY_ECDSA: 3500 case KEY_RSA: 3501 return sshkey_parse_private_pem_fileblob(blob, type, 3502 passphrase, keyp); 3503 #endif /* WITH_OPENSSL */ 3504 case KEY_ED25519: 3505 return sshkey_parse_private2(blob, type, passphrase, 3506 keyp, commentp); 3507 case KEY_UNSPEC: 3508 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3509 commentp); 3510 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3511 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3512 return r; 3513 #ifdef WITH_OPENSSL 3514 return sshkey_parse_private_pem_fileblob(blob, type, 3515 passphrase, keyp); 3516 #else 3517 return SSH_ERR_INVALID_FORMAT; 3518 #endif /* WITH_OPENSSL */ 3519 default: 3520 return SSH_ERR_KEY_TYPE_UNKNOWN; 3521 } 3522 } 3523 3524 int 3525 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3526 struct sshkey **keyp, char **commentp) 3527 { 3528 if (keyp != NULL) 3529 *keyp = NULL; 3530 if (commentp != NULL) 3531 *commentp = NULL; 3532 3533 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3534 passphrase, keyp, commentp); 3535 } 3536