1 /* $NetBSD: sshkey.c,v 1.29 2022/10/05 22:39:36 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.122 2022/09/17 10:30:45 djm Exp $ */ 3 4 /* 5 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 6 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 7 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 #include "includes.h" 30 __RCSID("$NetBSD: sshkey.c,v 1.29 2022/10/05 22:39:36 christos Exp $"); 31 32 #include <sys/types.h> 33 #include <netinet/in.h> 34 35 #ifdef WITH_OPENSSL 36 #include <openssl/evp.h> 37 #include <openssl/err.h> 38 #include <openssl/pem.h> 39 #endif 40 41 #include "crypto_api.h" 42 43 #include <errno.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <util.h> 47 #include <limits.h> 48 #include <resolv.h> 49 50 #include "ssh2.h" 51 #include "ssherr.h" 52 #include "misc.h" 53 #include "sshbuf.h" 54 #include "cipher.h" 55 #include "digest.h" 56 #define SSHKEY_INTERNAL 57 #include "sshkey.h" 58 #include "match.h" 59 #include "ssh-sk.h" 60 61 #ifdef WITH_XMSS 62 #include "sshkey-xmss.h" 63 #include "xmss_fast.h" 64 #endif 65 66 /* openssh private key file format */ 67 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 68 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 69 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 70 #define MARK_END_LEN (sizeof(MARK_END) - 1) 71 #define KDFNAME "bcrypt" 72 #define AUTH_MAGIC "openssh-key-v1" 73 #define SALT_LEN 16 74 #define DEFAULT_CIPHERNAME "aes256-ctr" 75 #define DEFAULT_ROUNDS 16 76 77 /* Version identification string for SSH v1 identity files. */ 78 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 79 80 /* 81 * Constants relating to "shielding" support; protection of keys expected 82 * to remain in memory for long durations 83 */ 84 #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) 85 #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ 86 #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 87 88 int sshkey_private_serialize_opt(struct sshkey *key, 89 struct sshbuf *buf, enum sshkey_serialize_rep); 90 static int sshkey_from_blob_internal(struct sshbuf *buf, 91 struct sshkey **keyp, int allow_cert); 92 93 /* Supported key types */ 94 struct keytype { 95 const char *name; 96 const char *shortname; 97 const char *sigalg; 98 int type; 99 int nid; 100 int cert; 101 int sigonly; 102 }; 103 static const struct keytype keytypes[] = { 104 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 105 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 106 KEY_ED25519_CERT, 0, 1, 0 }, 107 { "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL, 108 KEY_ED25519_SK, 0, 0, 0 }, 109 { "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL, 110 KEY_ED25519_SK_CERT, 0, 1, 0 }, 111 #ifdef WITH_XMSS 112 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 113 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 114 KEY_XMSS_CERT, 0, 1, 0 }, 115 #endif /* WITH_XMSS */ 116 #ifdef WITH_OPENSSL 117 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 118 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 119 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 120 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 121 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 122 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 123 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 124 KEY_ECDSA, NID_secp384r1, 0, 0 }, 125 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 126 KEY_ECDSA, NID_secp521r1, 0, 0 }, 127 { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, 128 KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, 129 { "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, 130 KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 1 }, 131 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 132 KEY_RSA_CERT, 0, 1, 0 }, 133 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 134 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 135 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 136 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 137 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 138 KEY_DSA_CERT, 0, 1, 0 }, 139 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 140 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 141 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 142 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 143 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 144 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 145 { "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL, 146 KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, 147 #endif /* WITH_OPENSSL */ 148 { NULL, NULL, NULL, -1, -1, 0, 0 } 149 }; 150 151 const char * 152 sshkey_type(const struct sshkey *k) 153 { 154 const struct keytype *kt; 155 156 for (kt = keytypes; kt->type != -1; kt++) { 157 if (kt->type == k->type) 158 return kt->shortname; 159 } 160 return "unknown"; 161 } 162 163 static const char * 164 sshkey_ssh_name_from_type_nid(int type, int nid) 165 { 166 const struct keytype *kt; 167 168 for (kt = keytypes; kt->type != -1; kt++) { 169 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 170 return kt->name; 171 } 172 return "ssh-unknown"; 173 } 174 175 int 176 sshkey_type_is_cert(int type) 177 { 178 const struct keytype *kt; 179 180 for (kt = keytypes; kt->type != -1; kt++) { 181 if (kt->type == type) 182 return kt->cert; 183 } 184 return 0; 185 } 186 187 const char * 188 sshkey_ssh_name(const struct sshkey *k) 189 { 190 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 191 } 192 193 const char * 194 sshkey_ssh_name_plain(const struct sshkey *k) 195 { 196 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 197 k->ecdsa_nid); 198 } 199 200 int 201 sshkey_type_from_name(const char *name) 202 { 203 const struct keytype *kt; 204 205 for (kt = keytypes; kt->type != -1; kt++) { 206 /* Only allow shortname matches for plain key types */ 207 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 208 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 209 return kt->type; 210 } 211 return KEY_UNSPEC; 212 } 213 214 static int 215 key_type_is_ecdsa_variant(int type) 216 { 217 switch (type) { 218 case KEY_ECDSA: 219 case KEY_ECDSA_CERT: 220 case KEY_ECDSA_SK: 221 case KEY_ECDSA_SK_CERT: 222 return 1; 223 } 224 return 0; 225 } 226 227 int 228 sshkey_ecdsa_nid_from_name(const char *name) 229 { 230 const struct keytype *kt; 231 232 for (kt = keytypes; kt->type != -1; kt++) { 233 if (!key_type_is_ecdsa_variant(kt->type)) 234 continue; 235 if (kt->name != NULL && strcmp(name, kt->name) == 0) 236 return kt->nid; 237 } 238 return -1; 239 } 240 241 int 242 sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) 243 { 244 int ktype; 245 246 if (sigalgs == NULL || *sigalgs == '\0' || 247 (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) 248 return 0; 249 else if (ktype == KEY_RSA) { 250 return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || 251 match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || 252 match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; 253 } else if (ktype == KEY_RSA_CERT) { 254 return match_pattern_list("ssh-rsa-cert-v01@openssh.com", 255 sigalgs, 0) == 1 || 256 match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", 257 sigalgs, 0) == 1 || 258 match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", 259 sigalgs, 0) == 1; 260 } else 261 return match_pattern_list(keyname, sigalgs, 0) == 1; 262 } 263 264 char * 265 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 266 { 267 char *tmp, *ret = NULL; 268 size_t nlen, rlen = 0; 269 const struct keytype *kt; 270 271 for (kt = keytypes; kt->type != -1; kt++) { 272 if (kt->name == NULL) 273 continue; 274 if (!include_sigonly && kt->sigonly) 275 continue; 276 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 277 continue; 278 if (ret != NULL) 279 ret[rlen++] = sep; 280 nlen = strlen(kt->name); 281 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 282 free(ret); 283 return NULL; 284 } 285 ret = tmp; 286 memcpy(ret + rlen, kt->name, nlen + 1); 287 rlen += nlen; 288 } 289 return ret; 290 } 291 292 int 293 sshkey_names_valid2(const char *names, int allow_wildcard) 294 { 295 char *s, *cp, *p; 296 const struct keytype *kt; 297 int type; 298 299 if (names == NULL || strcmp(names, "") == 0) 300 return 0; 301 if ((s = cp = strdup(names)) == NULL) 302 return 0; 303 for ((p = strsep(&cp, ",")); p && *p != '\0'; 304 (p = strsep(&cp, ","))) { 305 type = sshkey_type_from_name(p); 306 if (type == KEY_UNSPEC) { 307 if (allow_wildcard) { 308 /* 309 * Try matching key types against the string. 310 * If any has a positive or negative match then 311 * the component is accepted. 312 */ 313 for (kt = keytypes; kt->type != -1; kt++) { 314 if (match_pattern_list(kt->name, 315 p, 0) != 0) 316 break; 317 } 318 if (kt->type != -1) 319 continue; 320 } 321 free(s); 322 return 0; 323 } 324 } 325 free(s); 326 return 1; 327 } 328 329 u_int 330 sshkey_size(const struct sshkey *k) 331 { 332 #ifdef WITH_OPENSSL 333 const BIGNUM *rsa_n, *dsa_p; 334 #endif /* WITH_OPENSSL */ 335 336 switch (k->type) { 337 #ifdef WITH_OPENSSL 338 case KEY_RSA: 339 case KEY_RSA_CERT: 340 if (k->rsa == NULL) 341 return 0; 342 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 343 return BN_num_bits(rsa_n); 344 case KEY_DSA: 345 case KEY_DSA_CERT: 346 if (k->dsa == NULL) 347 return 0; 348 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 349 return BN_num_bits(dsa_p); 350 case KEY_ECDSA: 351 case KEY_ECDSA_CERT: 352 case KEY_ECDSA_SK: 353 case KEY_ECDSA_SK_CERT: 354 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 355 #endif /* WITH_OPENSSL */ 356 case KEY_ED25519: 357 case KEY_ED25519_CERT: 358 case KEY_ED25519_SK: 359 case KEY_ED25519_SK_CERT: 360 case KEY_XMSS: 361 case KEY_XMSS_CERT: 362 return 256; /* XXX */ 363 } 364 return 0; 365 } 366 367 static int 368 sshkey_type_is_valid_ca(int type) 369 { 370 switch (type) { 371 case KEY_RSA: 372 case KEY_DSA: 373 case KEY_ECDSA: 374 case KEY_ECDSA_SK: 375 case KEY_ED25519: 376 case KEY_ED25519_SK: 377 case KEY_XMSS: 378 return 1; 379 default: 380 return 0; 381 } 382 } 383 384 int 385 sshkey_is_cert(const struct sshkey *k) 386 { 387 if (k == NULL) 388 return 0; 389 return sshkey_type_is_cert(k->type); 390 } 391 392 int 393 sshkey_is_sk(const struct sshkey *k) 394 { 395 if (k == NULL) 396 return 0; 397 switch (sshkey_type_plain(k->type)) { 398 case KEY_ECDSA_SK: 399 case KEY_ED25519_SK: 400 return 1; 401 default: 402 return 0; 403 } 404 } 405 406 /* Return the cert-less equivalent to a certified key type */ 407 int 408 sshkey_type_plain(int type) 409 { 410 switch (type) { 411 case KEY_RSA_CERT: 412 return KEY_RSA; 413 case KEY_DSA_CERT: 414 return KEY_DSA; 415 case KEY_ECDSA_CERT: 416 return KEY_ECDSA; 417 case KEY_ECDSA_SK_CERT: 418 return KEY_ECDSA_SK; 419 case KEY_ED25519_CERT: 420 return KEY_ED25519; 421 case KEY_ED25519_SK_CERT: 422 return KEY_ED25519_SK; 423 case KEY_XMSS_CERT: 424 return KEY_XMSS; 425 default: 426 return type; 427 } 428 } 429 430 #ifdef WITH_OPENSSL 431 /* XXX: these are really begging for a table-driven approach */ 432 int 433 sshkey_curve_name_to_nid(const char *name) 434 { 435 if (strcmp(name, "nistp256") == 0) 436 return NID_X9_62_prime256v1; 437 else if (strcmp(name, "nistp384") == 0) 438 return NID_secp384r1; 439 else if (strcmp(name, "nistp521") == 0) 440 return NID_secp521r1; 441 else 442 return -1; 443 } 444 445 u_int 446 sshkey_curve_nid_to_bits(int nid) 447 { 448 switch (nid) { 449 case NID_X9_62_prime256v1: 450 return 256; 451 case NID_secp384r1: 452 return 384; 453 case NID_secp521r1: 454 return 521; 455 default: 456 return 0; 457 } 458 } 459 460 int 461 sshkey_ecdsa_bits_to_nid(int bits) 462 { 463 switch (bits) { 464 case 256: 465 return NID_X9_62_prime256v1; 466 case 384: 467 return NID_secp384r1; 468 case 521: 469 return NID_secp521r1; 470 default: 471 return -1; 472 } 473 } 474 475 const char * 476 sshkey_curve_nid_to_name(int nid) 477 { 478 switch (nid) { 479 case NID_X9_62_prime256v1: 480 return "nistp256"; 481 case NID_secp384r1: 482 return "nistp384"; 483 case NID_secp521r1: 484 return "nistp521"; 485 default: 486 return NULL; 487 } 488 } 489 490 int 491 sshkey_ec_nid_to_hash_alg(int nid) 492 { 493 int kbits = sshkey_curve_nid_to_bits(nid); 494 495 if (kbits <= 0) 496 return -1; 497 498 /* RFC5656 section 6.2.1 */ 499 if (kbits <= 256) 500 return SSH_DIGEST_SHA256; 501 else if (kbits <= 384) 502 return SSH_DIGEST_SHA384; 503 else 504 return SSH_DIGEST_SHA512; 505 } 506 #endif /* WITH_OPENSSL */ 507 508 static void 509 cert_free(struct sshkey_cert *cert) 510 { 511 u_int i; 512 513 if (cert == NULL) 514 return; 515 sshbuf_free(cert->certblob); 516 sshbuf_free(cert->critical); 517 sshbuf_free(cert->extensions); 518 free(cert->key_id); 519 for (i = 0; i < cert->nprincipals; i++) 520 free(cert->principals[i]); 521 free(cert->principals); 522 sshkey_free(cert->signature_key); 523 free(cert->signature_type); 524 freezero(cert, sizeof(*cert)); 525 } 526 527 static struct sshkey_cert * 528 cert_new(void) 529 { 530 struct sshkey_cert *cert; 531 532 if ((cert = calloc(1, sizeof(*cert))) == NULL) 533 return NULL; 534 if ((cert->certblob = sshbuf_new()) == NULL || 535 (cert->critical = sshbuf_new()) == NULL || 536 (cert->extensions = sshbuf_new()) == NULL) { 537 cert_free(cert); 538 return NULL; 539 } 540 cert->key_id = NULL; 541 cert->principals = NULL; 542 cert->signature_key = NULL; 543 cert->signature_type = NULL; 544 return cert; 545 } 546 547 struct sshkey * 548 sshkey_new(int type) 549 { 550 struct sshkey *k; 551 #ifdef WITH_OPENSSL 552 RSA *rsa; 553 DSA *dsa; 554 #endif /* WITH_OPENSSL */ 555 556 if ((k = calloc(1, sizeof(*k))) == NULL) 557 return NULL; 558 k->type = type; 559 k->ecdsa = NULL; 560 k->ecdsa_nid = -1; 561 k->dsa = NULL; 562 k->rsa = NULL; 563 k->cert = NULL; 564 k->ed25519_sk = NULL; 565 k->ed25519_pk = NULL; 566 k->xmss_sk = NULL; 567 k->xmss_pk = NULL; 568 switch (k->type) { 569 #ifdef WITH_OPENSSL 570 case KEY_RSA: 571 case KEY_RSA_CERT: 572 if ((rsa = RSA_new()) == NULL) { 573 free(k); 574 return NULL; 575 } 576 k->rsa = rsa; 577 break; 578 case KEY_DSA: 579 case KEY_DSA_CERT: 580 if ((dsa = DSA_new()) == NULL) { 581 free(k); 582 return NULL; 583 } 584 k->dsa = dsa; 585 break; 586 case KEY_ECDSA: 587 case KEY_ECDSA_CERT: 588 case KEY_ECDSA_SK: 589 case KEY_ECDSA_SK_CERT: 590 /* Cannot do anything until we know the group */ 591 break; 592 #endif /* WITH_OPENSSL */ 593 case KEY_ED25519: 594 case KEY_ED25519_CERT: 595 case KEY_ED25519_SK: 596 case KEY_ED25519_SK_CERT: 597 case KEY_XMSS: 598 case KEY_XMSS_CERT: 599 /* no need to prealloc */ 600 break; 601 case KEY_UNSPEC: 602 break; 603 default: 604 free(k); 605 return NULL; 606 } 607 608 if (sshkey_is_cert(k)) { 609 if ((k->cert = cert_new()) == NULL) { 610 sshkey_free(k); 611 return NULL; 612 } 613 } 614 615 return k; 616 } 617 618 void 619 sshkey_free(struct sshkey *k) 620 { 621 if (k == NULL) 622 return; 623 switch (k->type) { 624 #ifdef WITH_OPENSSL 625 case KEY_RSA: 626 case KEY_RSA_CERT: 627 RSA_free(k->rsa); 628 k->rsa = NULL; 629 break; 630 case KEY_DSA: 631 case KEY_DSA_CERT: 632 DSA_free(k->dsa); 633 k->dsa = NULL; 634 break; 635 case KEY_ECDSA_SK: 636 case KEY_ECDSA_SK_CERT: 637 free(k->sk_application); 638 sshbuf_free(k->sk_key_handle); 639 sshbuf_free(k->sk_reserved); 640 /* FALLTHROUGH */ 641 case KEY_ECDSA: 642 case KEY_ECDSA_CERT: 643 EC_KEY_free(k->ecdsa); 644 k->ecdsa = NULL; 645 break; 646 #endif /* WITH_OPENSSL */ 647 case KEY_ED25519_SK: 648 case KEY_ED25519_SK_CERT: 649 free(k->sk_application); 650 sshbuf_free(k->sk_key_handle); 651 sshbuf_free(k->sk_reserved); 652 /* FALLTHROUGH */ 653 case KEY_ED25519: 654 case KEY_ED25519_CERT: 655 freezero(k->ed25519_pk, ED25519_PK_SZ); 656 k->ed25519_pk = NULL; 657 freezero(k->ed25519_sk, ED25519_SK_SZ); 658 k->ed25519_sk = NULL; 659 break; 660 #ifdef WITH_XMSS 661 case KEY_XMSS: 662 case KEY_XMSS_CERT: 663 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 664 k->xmss_pk = NULL; 665 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 666 k->xmss_sk = NULL; 667 sshkey_xmss_free_state(k); 668 free(k->xmss_name); 669 k->xmss_name = NULL; 670 free(k->xmss_filename); 671 k->xmss_filename = NULL; 672 break; 673 #endif /* WITH_XMSS */ 674 case KEY_UNSPEC: 675 break; 676 default: 677 break; 678 } 679 if (sshkey_is_cert(k)) 680 cert_free(k->cert); 681 freezero(k->shielded_private, k->shielded_len); 682 freezero(k->shield_prekey, k->shield_prekey_len); 683 freezero(k, sizeof(*k)); 684 } 685 686 static int 687 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 688 { 689 if (a == NULL && b == NULL) 690 return 1; 691 if (a == NULL || b == NULL) 692 return 0; 693 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 694 return 0; 695 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 696 sshbuf_len(a->certblob)) != 0) 697 return 0; 698 return 1; 699 } 700 701 /* 702 * Compare public portions of key only, allowing comparisons between 703 * certificates and plain keys too. 704 */ 705 int 706 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 707 { 708 #ifdef WITH_OPENSSL 709 const BIGNUM *rsa_e_a, *rsa_n_a; 710 const BIGNUM *rsa_e_b, *rsa_n_b; 711 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 712 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 713 #endif /* WITH_OPENSSL */ 714 715 if (a == NULL || b == NULL || 716 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 717 return 0; 718 719 switch (a->type) { 720 #ifdef WITH_OPENSSL 721 case KEY_RSA_CERT: 722 case KEY_RSA: 723 if (a->rsa == NULL || b->rsa == NULL) 724 return 0; 725 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 726 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 727 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 728 BN_cmp(rsa_n_a, rsa_n_b) == 0; 729 case KEY_DSA_CERT: 730 case KEY_DSA: 731 if (a->dsa == NULL || b->dsa == NULL) 732 return 0; 733 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 734 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 735 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 736 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 737 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 738 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 739 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 740 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 741 case KEY_ECDSA_SK: 742 case KEY_ECDSA_SK_CERT: 743 if (a->sk_application == NULL || b->sk_application == NULL) 744 return 0; 745 if (strcmp(a->sk_application, b->sk_application) != 0) 746 return 0; 747 /* FALLTHROUGH */ 748 case KEY_ECDSA_CERT: 749 case KEY_ECDSA: 750 if (a->ecdsa == NULL || b->ecdsa == NULL || 751 EC_KEY_get0_public_key(a->ecdsa) == NULL || 752 EC_KEY_get0_public_key(b->ecdsa) == NULL) 753 return 0; 754 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 755 EC_KEY_get0_group(b->ecdsa), NULL) != 0 || 756 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 757 EC_KEY_get0_public_key(a->ecdsa), 758 EC_KEY_get0_public_key(b->ecdsa), NULL) != 0) 759 return 0; 760 return 1; 761 #endif /* WITH_OPENSSL */ 762 case KEY_ED25519_SK: 763 case KEY_ED25519_SK_CERT: 764 if (a->sk_application == NULL || b->sk_application == NULL) 765 return 0; 766 if (strcmp(a->sk_application, b->sk_application) != 0) 767 return 0; 768 /* FALLTHROUGH */ 769 case KEY_ED25519: 770 case KEY_ED25519_CERT: 771 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 772 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 773 #ifdef WITH_XMSS 774 case KEY_XMSS: 775 case KEY_XMSS_CERT: 776 return a->xmss_pk != NULL && b->xmss_pk != NULL && 777 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 778 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 779 #endif /* WITH_XMSS */ 780 default: 781 return 0; 782 } 783 /* NOTREACHED */ 784 } 785 786 int 787 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 788 { 789 if (a == NULL || b == NULL || a->type != b->type) 790 return 0; 791 if (sshkey_is_cert(a)) { 792 if (!cert_compare(a->cert, b->cert)) 793 return 0; 794 } 795 return sshkey_equal_public(a, b); 796 } 797 798 static int 799 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 800 enum sshkey_serialize_rep opts) 801 { 802 int type, ret = SSH_ERR_INTERNAL_ERROR; 803 const char *typename; 804 #ifdef WITH_OPENSSL 805 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 806 #endif /* WITH_OPENSSL */ 807 808 if (key == NULL) 809 return SSH_ERR_INVALID_ARGUMENT; 810 811 if (sshkey_is_cert(key)) { 812 if (key->cert == NULL) 813 return SSH_ERR_EXPECTED_CERT; 814 if (sshbuf_len(key->cert->certblob) == 0) 815 return SSH_ERR_KEY_LACKS_CERTBLOB; 816 } 817 type = force_plain ? sshkey_type_plain(key->type) : key->type; 818 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 819 820 switch (type) { 821 #ifdef WITH_OPENSSL 822 case KEY_DSA_CERT: 823 case KEY_ECDSA_CERT: 824 case KEY_ECDSA_SK_CERT: 825 case KEY_RSA_CERT: 826 #endif /* WITH_OPENSSL */ 827 case KEY_ED25519_CERT: 828 case KEY_ED25519_SK_CERT: 829 #ifdef WITH_XMSS 830 case KEY_XMSS_CERT: 831 #endif /* WITH_XMSS */ 832 /* Use the existing blob */ 833 /* XXX modified flag? */ 834 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 835 return ret; 836 break; 837 #ifdef WITH_OPENSSL 838 case KEY_DSA: 839 if (key->dsa == NULL) 840 return SSH_ERR_INVALID_ARGUMENT; 841 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 842 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 843 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 844 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 845 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 846 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 847 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 848 return ret; 849 break; 850 case KEY_ECDSA: 851 case KEY_ECDSA_SK: 852 if (key->ecdsa == NULL) 853 return SSH_ERR_INVALID_ARGUMENT; 854 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 855 (ret = sshbuf_put_cstring(b, 856 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 857 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 858 return ret; 859 if (type == KEY_ECDSA_SK) { 860 if ((ret = sshbuf_put_cstring(b, 861 key->sk_application)) != 0) 862 return ret; 863 } 864 break; 865 case KEY_RSA: 866 if (key->rsa == NULL) 867 return SSH_ERR_INVALID_ARGUMENT; 868 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 869 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 870 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 871 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 872 return ret; 873 break; 874 #endif /* WITH_OPENSSL */ 875 case KEY_ED25519: 876 case KEY_ED25519_SK: 877 if (key->ed25519_pk == NULL) 878 return SSH_ERR_INVALID_ARGUMENT; 879 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 880 (ret = sshbuf_put_string(b, 881 key->ed25519_pk, ED25519_PK_SZ)) != 0) 882 return ret; 883 if (type == KEY_ED25519_SK) { 884 if ((ret = sshbuf_put_cstring(b, 885 key->sk_application)) != 0) 886 return ret; 887 } 888 break; 889 #ifdef WITH_XMSS 890 case KEY_XMSS: 891 if (key->xmss_name == NULL || key->xmss_pk == NULL || 892 sshkey_xmss_pklen(key) == 0) 893 return SSH_ERR_INVALID_ARGUMENT; 894 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 895 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 896 (ret = sshbuf_put_string(b, 897 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 898 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 899 return ret; 900 break; 901 #endif /* WITH_XMSS */ 902 default: 903 return SSH_ERR_KEY_TYPE_UNKNOWN; 904 } 905 return 0; 906 } 907 908 int 909 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 910 { 911 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 912 } 913 914 int 915 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 916 enum sshkey_serialize_rep opts) 917 { 918 struct sshbuf *tmp; 919 int r; 920 921 if ((tmp = sshbuf_new()) == NULL) 922 return SSH_ERR_ALLOC_FAIL; 923 r = to_blob_buf(key, tmp, 0, opts); 924 if (r == 0) 925 r = sshbuf_put_stringb(b, tmp); 926 sshbuf_free(tmp); 927 return r; 928 } 929 930 int 931 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 932 { 933 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 934 } 935 936 int 937 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 938 { 939 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 940 } 941 942 static int 943 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 944 enum sshkey_serialize_rep opts) 945 { 946 int ret = SSH_ERR_INTERNAL_ERROR; 947 size_t len; 948 struct sshbuf *b = NULL; 949 950 if (lenp != NULL) 951 *lenp = 0; 952 if (blobp != NULL) 953 *blobp = NULL; 954 if ((b = sshbuf_new()) == NULL) 955 return SSH_ERR_ALLOC_FAIL; 956 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 957 goto out; 958 len = sshbuf_len(b); 959 if (lenp != NULL) 960 *lenp = len; 961 if (blobp != NULL) { 962 if ((*blobp = malloc(len)) == NULL) { 963 ret = SSH_ERR_ALLOC_FAIL; 964 goto out; 965 } 966 memcpy(*blobp, sshbuf_ptr(b), len); 967 } 968 ret = 0; 969 out: 970 sshbuf_free(b); 971 return ret; 972 } 973 974 int 975 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 976 { 977 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 978 } 979 980 int 981 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 982 { 983 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 984 } 985 986 int 987 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 988 u_char **retp, size_t *lenp) 989 { 990 u_char *blob = NULL, *ret = NULL; 991 size_t blob_len = 0; 992 int r = SSH_ERR_INTERNAL_ERROR; 993 994 if (retp != NULL) 995 *retp = NULL; 996 if (lenp != NULL) 997 *lenp = 0; 998 if (ssh_digest_bytes(dgst_alg) == 0) { 999 r = SSH_ERR_INVALID_ARGUMENT; 1000 goto out; 1001 } 1002 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 1003 != 0) 1004 goto out; 1005 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 1006 r = SSH_ERR_ALLOC_FAIL; 1007 goto out; 1008 } 1009 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 1010 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 1011 goto out; 1012 /* success */ 1013 if (retp != NULL) { 1014 *retp = ret; 1015 ret = NULL; 1016 } 1017 if (lenp != NULL) 1018 *lenp = ssh_digest_bytes(dgst_alg); 1019 r = 0; 1020 out: 1021 free(ret); 1022 if (blob != NULL) 1023 freezero(blob, blob_len); 1024 return r; 1025 } 1026 1027 static char * 1028 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1029 { 1030 char *ret; 1031 size_t plen = strlen(alg) + 1; 1032 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 1033 1034 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 1035 return NULL; 1036 strlcpy(ret, alg, rlen); 1037 strlcat(ret, ":", rlen); 1038 if (dgst_raw_len == 0) 1039 return ret; 1040 if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { 1041 freezero(ret, rlen); 1042 return NULL; 1043 } 1044 /* Trim padding characters from end */ 1045 ret[strcspn(ret, "=")] = '\0'; 1046 return ret; 1047 } 1048 1049 static char * 1050 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1051 { 1052 char *retval, hex[5]; 1053 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 1054 1055 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 1056 return NULL; 1057 strlcpy(retval, alg, rlen); 1058 strlcat(retval, ":", rlen); 1059 for (i = 0; i < dgst_raw_len; i++) { 1060 snprintf(hex, sizeof(hex), "%s%02x", 1061 i > 0 ? ":" : "", dgst_raw[i]); 1062 strlcat(retval, hex, rlen); 1063 } 1064 return retval; 1065 } 1066 1067 static char * 1068 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 1069 { 1070 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 1071 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 1072 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 1073 u_int i, j = 0, rounds, seed = 1; 1074 char *retval; 1075 1076 rounds = (dgst_raw_len / 2) + 1; 1077 if ((retval = calloc(rounds, 6)) == NULL) 1078 return NULL; 1079 retval[j++] = 'x'; 1080 for (i = 0; i < rounds; i++) { 1081 u_int idx0, idx1, idx2, idx3, idx4; 1082 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 1083 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 1084 seed) % 6; 1085 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 1086 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 1087 (seed / 6)) % 6; 1088 retval[j++] = vowels[idx0]; 1089 retval[j++] = consonants[idx1]; 1090 retval[j++] = vowels[idx2]; 1091 if ((i + 1) < rounds) { 1092 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 1093 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1094 retval[j++] = consonants[idx3]; 1095 retval[j++] = '-'; 1096 retval[j++] = consonants[idx4]; 1097 seed = ((seed * 5) + 1098 ((((u_int)(dgst_raw[2 * i])) * 7) + 1099 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1100 } 1101 } else { 1102 idx0 = seed % 6; 1103 idx1 = 16; 1104 idx2 = seed / 6; 1105 retval[j++] = vowels[idx0]; 1106 retval[j++] = consonants[idx1]; 1107 retval[j++] = vowels[idx2]; 1108 } 1109 } 1110 retval[j++] = 'x'; 1111 retval[j++] = '\0'; 1112 return retval; 1113 } 1114 1115 /* 1116 * Draw an ASCII-Art representing the fingerprint so human brain can 1117 * profit from its built-in pattern recognition ability. 1118 * This technique is called "random art" and can be found in some 1119 * scientific publications like this original paper: 1120 * 1121 * "Hash Visualization: a New Technique to improve Real-World Security", 1122 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1123 * Techniques and E-Commerce (CrypTEC '99) 1124 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1125 * 1126 * The subject came up in a talk by Dan Kaminsky, too. 1127 * 1128 * If you see the picture is different, the key is different. 1129 * If the picture looks the same, you still know nothing. 1130 * 1131 * The algorithm used here is a worm crawling over a discrete plane, 1132 * leaving a trace (augmenting the field) everywhere it goes. 1133 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1134 * makes the respective movement vector be ignored for this turn. 1135 * Graphs are not unambiguous, because circles in graphs can be 1136 * walked in either direction. 1137 */ 1138 1139 /* 1140 * Field sizes for the random art. Have to be odd, so the starting point 1141 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1142 * Else pictures would be too dense, and drawing the frame would 1143 * fail, too, because the key type would not fit in anymore. 1144 */ 1145 #define FLDBASE 8 1146 #define FLDSIZE_Y (FLDBASE + 1) 1147 #define FLDSIZE_X (FLDBASE * 2 + 1) 1148 static char * 1149 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1150 const struct sshkey *k) 1151 { 1152 /* 1153 * Chars to be used after each other every time the worm 1154 * intersects with itself. Matter of taste. 1155 */ 1156 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1157 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1158 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1159 size_t i, tlen, hlen; 1160 u_int b; 1161 int x, y, r; 1162 size_t len = strlen(augmentation_string) - 1; 1163 1164 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1165 return NULL; 1166 1167 /* initialize field */ 1168 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1169 x = FLDSIZE_X / 2; 1170 y = FLDSIZE_Y / 2; 1171 1172 /* process raw key */ 1173 for (i = 0; i < dgst_raw_len; i++) { 1174 int input; 1175 /* each byte conveys four 2-bit move commands */ 1176 input = dgst_raw[i]; 1177 for (b = 0; b < 4; b++) { 1178 /* evaluate 2 bit, rest is shifted later */ 1179 x += (input & 0x1) ? 1 : -1; 1180 y += (input & 0x2) ? 1 : -1; 1181 1182 /* assure we are still in bounds */ 1183 x = MAXIMUM(x, 0); 1184 y = MAXIMUM(y, 0); 1185 x = MINIMUM(x, FLDSIZE_X - 1); 1186 y = MINIMUM(y, FLDSIZE_Y - 1); 1187 1188 /* augment the field */ 1189 if (field[x][y] < len - 2) 1190 field[x][y]++; 1191 input = input >> 2; 1192 } 1193 } 1194 1195 /* mark starting point and end point*/ 1196 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1197 field[x][y] = len; 1198 1199 /* assemble title */ 1200 r = snprintf(title, sizeof(title), "[%s %u]", 1201 sshkey_type(k), sshkey_size(k)); 1202 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1203 if (r < 0 || r > (int)sizeof(title)) 1204 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1205 tlen = (r <= 0) ? 0 : strlen(title); 1206 1207 /* assemble hash ID. */ 1208 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1209 hlen = (r <= 0) ? 0 : strlen(hash); 1210 1211 /* output upper border */ 1212 p = retval; 1213 *p++ = '+'; 1214 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1215 *p++ = '-'; 1216 memcpy(p, title, tlen); 1217 p += tlen; 1218 for (i += tlen; i < FLDSIZE_X; i++) 1219 *p++ = '-'; 1220 *p++ = '+'; 1221 *p++ = '\n'; 1222 1223 /* output content */ 1224 for (y = 0; y < FLDSIZE_Y; y++) { 1225 *p++ = '|'; 1226 for (x = 0; x < FLDSIZE_X; x++) 1227 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1228 *p++ = '|'; 1229 *p++ = '\n'; 1230 } 1231 1232 /* output lower border */ 1233 *p++ = '+'; 1234 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1235 *p++ = '-'; 1236 memcpy(p, hash, hlen); 1237 p += hlen; 1238 for (i += hlen; i < FLDSIZE_X; i++) 1239 *p++ = '-'; 1240 *p++ = '+'; 1241 1242 return retval; 1243 } 1244 1245 char * 1246 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1247 enum sshkey_fp_rep dgst_rep) 1248 { 1249 char *retval = NULL; 1250 u_char *dgst_raw; 1251 size_t dgst_raw_len; 1252 1253 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1254 return NULL; 1255 switch (dgst_rep) { 1256 case SSH_FP_DEFAULT: 1257 if (dgst_alg == SSH_DIGEST_MD5) { 1258 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1259 dgst_raw, dgst_raw_len); 1260 } else { 1261 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1262 dgst_raw, dgst_raw_len); 1263 } 1264 break; 1265 case SSH_FP_HEX: 1266 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1267 dgst_raw, dgst_raw_len); 1268 break; 1269 case SSH_FP_BASE64: 1270 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1271 dgst_raw, dgst_raw_len); 1272 break; 1273 case SSH_FP_BUBBLEBABBLE: 1274 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1275 break; 1276 case SSH_FP_RANDOMART: 1277 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1278 dgst_raw, dgst_raw_len, k); 1279 break; 1280 default: 1281 freezero(dgst_raw, dgst_raw_len); 1282 return NULL; 1283 } 1284 freezero(dgst_raw, dgst_raw_len); 1285 return retval; 1286 } 1287 1288 static int 1289 peek_type_nid(const char *s, size_t l, int *nid) 1290 { 1291 const struct keytype *kt; 1292 1293 for (kt = keytypes; kt->type != -1; kt++) { 1294 if (kt->name == NULL || strlen(kt->name) != l) 1295 continue; 1296 if (memcmp(s, kt->name, l) == 0) { 1297 *nid = -1; 1298 if (key_type_is_ecdsa_variant(kt->type)) 1299 *nid = kt->nid; 1300 return kt->type; 1301 } 1302 } 1303 return KEY_UNSPEC; 1304 } 1305 1306 /* XXX this can now be made const char * */ 1307 int 1308 sshkey_read(struct sshkey *ret, char **cpp) 1309 { 1310 struct sshkey *k; 1311 char *cp, *blobcopy; 1312 size_t space; 1313 int r, type, curve_nid = -1; 1314 struct sshbuf *blob; 1315 1316 if (ret == NULL) 1317 return SSH_ERR_INVALID_ARGUMENT; 1318 1319 switch (ret->type) { 1320 case KEY_UNSPEC: 1321 case KEY_RSA: 1322 case KEY_DSA: 1323 case KEY_ECDSA: 1324 case KEY_ECDSA_SK: 1325 case KEY_ED25519: 1326 case KEY_ED25519_SK: 1327 case KEY_DSA_CERT: 1328 case KEY_ECDSA_CERT: 1329 case KEY_ECDSA_SK_CERT: 1330 case KEY_RSA_CERT: 1331 case KEY_ED25519_CERT: 1332 case KEY_ED25519_SK_CERT: 1333 #ifdef WITH_XMSS 1334 case KEY_XMSS: 1335 case KEY_XMSS_CERT: 1336 #endif /* WITH_XMSS */ 1337 break; /* ok */ 1338 default: 1339 return SSH_ERR_INVALID_ARGUMENT; 1340 } 1341 1342 /* Decode type */ 1343 cp = *cpp; 1344 space = strcspn(cp, " \t"); 1345 if (space == strlen(cp)) 1346 return SSH_ERR_INVALID_FORMAT; 1347 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1348 return SSH_ERR_INVALID_FORMAT; 1349 1350 /* skip whitespace */ 1351 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1352 ; 1353 if (*cp == '\0') 1354 return SSH_ERR_INVALID_FORMAT; 1355 if (ret->type != KEY_UNSPEC && ret->type != type) 1356 return SSH_ERR_KEY_TYPE_MISMATCH; 1357 if ((blob = sshbuf_new()) == NULL) 1358 return SSH_ERR_ALLOC_FAIL; 1359 1360 /* find end of keyblob and decode */ 1361 space = strcspn(cp, " \t"); 1362 if ((blobcopy = strndup(cp, space)) == NULL) { 1363 sshbuf_free(blob); 1364 return SSH_ERR_ALLOC_FAIL; 1365 } 1366 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1367 free(blobcopy); 1368 sshbuf_free(blob); 1369 return r; 1370 } 1371 free(blobcopy); 1372 if ((r = sshkey_fromb(blob, &k)) != 0) { 1373 sshbuf_free(blob); 1374 return r; 1375 } 1376 sshbuf_free(blob); 1377 1378 /* skip whitespace and leave cp at start of comment */ 1379 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1380 ; 1381 1382 /* ensure type of blob matches type at start of line */ 1383 if (k->type != type) { 1384 sshkey_free(k); 1385 return SSH_ERR_KEY_TYPE_MISMATCH; 1386 } 1387 if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { 1388 sshkey_free(k); 1389 return SSH_ERR_EC_CURVE_MISMATCH; 1390 } 1391 1392 /* Fill in ret from parsed key */ 1393 ret->type = type; 1394 if (sshkey_is_cert(ret)) { 1395 if (!sshkey_is_cert(k)) { 1396 sshkey_free(k); 1397 return SSH_ERR_EXPECTED_CERT; 1398 } 1399 if (ret->cert != NULL) 1400 cert_free(ret->cert); 1401 ret->cert = k->cert; 1402 k->cert = NULL; 1403 } 1404 switch (sshkey_type_plain(ret->type)) { 1405 #ifdef WITH_OPENSSL 1406 case KEY_RSA: 1407 RSA_free(ret->rsa); 1408 ret->rsa = k->rsa; 1409 k->rsa = NULL; 1410 #ifdef DEBUG_PK 1411 RSA_print_fp(stderr, ret->rsa, 8); 1412 #endif 1413 break; 1414 case KEY_DSA: 1415 DSA_free(ret->dsa); 1416 ret->dsa = k->dsa; 1417 k->dsa = NULL; 1418 #ifdef DEBUG_PK 1419 DSA_print_fp(stderr, ret->dsa, 8); 1420 #endif 1421 break; 1422 case KEY_ECDSA: 1423 EC_KEY_free(ret->ecdsa); 1424 ret->ecdsa = k->ecdsa; 1425 ret->ecdsa_nid = k->ecdsa_nid; 1426 k->ecdsa = NULL; 1427 k->ecdsa_nid = -1; 1428 #ifdef DEBUG_PK 1429 sshkey_dump_ec_key(ret->ecdsa); 1430 #endif 1431 break; 1432 case KEY_ECDSA_SK: 1433 EC_KEY_free(ret->ecdsa); 1434 ret->ecdsa = k->ecdsa; 1435 ret->ecdsa_nid = k->ecdsa_nid; 1436 ret->sk_application = k->sk_application; 1437 k->ecdsa = NULL; 1438 k->ecdsa_nid = -1; 1439 k->sk_application = NULL; 1440 #ifdef DEBUG_PK 1441 sshkey_dump_ec_key(ret->ecdsa); 1442 fprintf(stderr, "App: %s\n", ret->sk_application); 1443 #endif 1444 break; 1445 #endif /* WITH_OPENSSL */ 1446 case KEY_ED25519: 1447 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1448 ret->ed25519_pk = k->ed25519_pk; 1449 k->ed25519_pk = NULL; 1450 #ifdef DEBUG_PK 1451 /* XXX */ 1452 #endif 1453 break; 1454 case KEY_ED25519_SK: 1455 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1456 ret->ed25519_pk = k->ed25519_pk; 1457 ret->sk_application = k->sk_application; 1458 k->ed25519_pk = NULL; 1459 k->sk_application = NULL; 1460 break; 1461 #ifdef WITH_XMSS 1462 case KEY_XMSS: 1463 free(ret->xmss_pk); 1464 ret->xmss_pk = k->xmss_pk; 1465 k->xmss_pk = NULL; 1466 free(ret->xmss_state); 1467 ret->xmss_state = k->xmss_state; 1468 k->xmss_state = NULL; 1469 free(ret->xmss_name); 1470 ret->xmss_name = k->xmss_name; 1471 k->xmss_name = NULL; 1472 free(ret->xmss_filename); 1473 ret->xmss_filename = k->xmss_filename; 1474 k->xmss_filename = NULL; 1475 #ifdef DEBUG_PK 1476 /* XXX */ 1477 #endif 1478 break; 1479 #endif /* WITH_XMSS */ 1480 default: 1481 sshkey_free(k); 1482 return SSH_ERR_INTERNAL_ERROR; 1483 } 1484 sshkey_free(k); 1485 1486 /* success */ 1487 *cpp = cp; 1488 return 0; 1489 } 1490 1491 int 1492 sshkey_to_base64(const struct sshkey *key, char **b64p) 1493 { 1494 int r = SSH_ERR_INTERNAL_ERROR; 1495 struct sshbuf *b = NULL; 1496 char *uu = NULL; 1497 1498 if (b64p != NULL) 1499 *b64p = NULL; 1500 if ((b = sshbuf_new()) == NULL) 1501 return SSH_ERR_ALLOC_FAIL; 1502 if ((r = sshkey_putb(key, b)) != 0) 1503 goto out; 1504 if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) { 1505 r = SSH_ERR_ALLOC_FAIL; 1506 goto out; 1507 } 1508 /* Success */ 1509 if (b64p != NULL) { 1510 *b64p = uu; 1511 uu = NULL; 1512 } 1513 r = 0; 1514 out: 1515 sshbuf_free(b); 1516 free(uu); 1517 return r; 1518 } 1519 1520 int 1521 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1522 { 1523 int r = SSH_ERR_INTERNAL_ERROR; 1524 char *uu = NULL; 1525 1526 if ((r = sshkey_to_base64(key, &uu)) != 0) 1527 goto out; 1528 if ((r = sshbuf_putf(b, "%s %s", 1529 sshkey_ssh_name(key), uu)) != 0) 1530 goto out; 1531 r = 0; 1532 out: 1533 free(uu); 1534 return r; 1535 } 1536 1537 int 1538 sshkey_write(const struct sshkey *key, FILE *f) 1539 { 1540 struct sshbuf *b = NULL; 1541 int r = SSH_ERR_INTERNAL_ERROR; 1542 1543 if ((b = sshbuf_new()) == NULL) 1544 return SSH_ERR_ALLOC_FAIL; 1545 if ((r = sshkey_format_text(key, b)) != 0) 1546 goto out; 1547 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1548 if (feof(f)) 1549 errno = EPIPE; 1550 r = SSH_ERR_SYSTEM_ERROR; 1551 goto out; 1552 } 1553 /* Success */ 1554 r = 0; 1555 out: 1556 sshbuf_free(b); 1557 return r; 1558 } 1559 1560 const char * 1561 sshkey_cert_type(const struct sshkey *k) 1562 { 1563 switch (k->cert->type) { 1564 case SSH2_CERT_TYPE_USER: 1565 return "user"; 1566 case SSH2_CERT_TYPE_HOST: 1567 return "host"; 1568 default: 1569 return "unknown"; 1570 } 1571 } 1572 1573 #ifdef WITH_OPENSSL 1574 static int 1575 rsa_generate_private_key(u_int bits, RSA **rsap) 1576 { 1577 RSA *private = NULL; 1578 BIGNUM *f4 = NULL; 1579 int ret = SSH_ERR_INTERNAL_ERROR; 1580 1581 if (rsap == NULL) 1582 return SSH_ERR_INVALID_ARGUMENT; 1583 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1584 bits > SSHBUF_MAX_BIGNUM * 8) 1585 return SSH_ERR_KEY_LENGTH; 1586 *rsap = NULL; 1587 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1588 ret = SSH_ERR_ALLOC_FAIL; 1589 goto out; 1590 } 1591 if (!BN_set_word(f4, RSA_F4) || 1592 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1593 ret = SSH_ERR_LIBCRYPTO_ERROR; 1594 goto out; 1595 } 1596 *rsap = private; 1597 private = NULL; 1598 ret = 0; 1599 out: 1600 RSA_free(private); 1601 BN_free(f4); 1602 return ret; 1603 } 1604 1605 static int 1606 dsa_generate_private_key(u_int bits, DSA **dsap) 1607 { 1608 DSA *private; 1609 int ret = SSH_ERR_INTERNAL_ERROR; 1610 1611 if (dsap == NULL) 1612 return SSH_ERR_INVALID_ARGUMENT; 1613 if (bits != 1024) 1614 return SSH_ERR_KEY_LENGTH; 1615 if ((private = DSA_new()) == NULL) { 1616 ret = SSH_ERR_ALLOC_FAIL; 1617 goto out; 1618 } 1619 *dsap = NULL; 1620 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1621 NULL, NULL) || !DSA_generate_key(private)) { 1622 ret = SSH_ERR_LIBCRYPTO_ERROR; 1623 goto out; 1624 } 1625 *dsap = private; 1626 private = NULL; 1627 ret = 0; 1628 out: 1629 DSA_free(private); 1630 return ret; 1631 } 1632 1633 int 1634 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1635 { 1636 EC_GROUP *eg = NULL; /* XXXGCC: unneeded init */ 1637 int nids[] = { 1638 NID_X9_62_prime256v1, 1639 NID_secp384r1, 1640 NID_secp521r1, 1641 -1 1642 }; 1643 int nid; 1644 u_int i; 1645 const EC_GROUP *g = EC_KEY_get0_group(k); 1646 1647 /* 1648 * The group may be stored in a ASN.1 encoded private key in one of two 1649 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1650 * or explicit group parameters encoded into the key blob. Only the 1651 * "named group" case sets the group NID for us, but we can figure 1652 * it out for the other case by comparing against all the groups that 1653 * are supported. 1654 */ 1655 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1656 return nid; 1657 for (i = 0; nids[i] != -1; i++) { 1658 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) 1659 return -1; 1660 if (EC_GROUP_cmp(g, eg, NULL) == 0) 1661 break; 1662 EC_GROUP_free(eg); 1663 } 1664 if (nids[i] != -1) { 1665 /* Use the group with the NID attached */ 1666 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1667 if (EC_KEY_set_group(k, eg) != 1) { 1668 EC_GROUP_free(eg); 1669 return -1; 1670 } 1671 } 1672 return nids[i]; 1673 } 1674 1675 static int 1676 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1677 { 1678 EC_KEY *private; 1679 int ret = SSH_ERR_INTERNAL_ERROR; 1680 1681 if (nid == NULL || ecdsap == NULL) 1682 return SSH_ERR_INVALID_ARGUMENT; 1683 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1684 return SSH_ERR_KEY_LENGTH; 1685 *ecdsap = NULL; 1686 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1687 ret = SSH_ERR_ALLOC_FAIL; 1688 goto out; 1689 } 1690 if (EC_KEY_generate_key(private) != 1) { 1691 ret = SSH_ERR_LIBCRYPTO_ERROR; 1692 goto out; 1693 } 1694 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1695 *ecdsap = private; 1696 private = NULL; 1697 ret = 0; 1698 out: 1699 EC_KEY_free(private); 1700 return ret; 1701 } 1702 #endif /* WITH_OPENSSL */ 1703 1704 int 1705 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1706 { 1707 struct sshkey *k; 1708 int ret = SSH_ERR_INTERNAL_ERROR; 1709 1710 if (keyp == NULL) 1711 return SSH_ERR_INVALID_ARGUMENT; 1712 *keyp = NULL; 1713 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1714 return SSH_ERR_ALLOC_FAIL; 1715 switch (type) { 1716 case KEY_ED25519: 1717 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1718 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1719 ret = SSH_ERR_ALLOC_FAIL; 1720 break; 1721 } 1722 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1723 ret = 0; 1724 break; 1725 #ifdef WITH_XMSS 1726 case KEY_XMSS: 1727 ret = sshkey_xmss_generate_private_key(k, bits); 1728 break; 1729 #endif /* WITH_XMSS */ 1730 #ifdef WITH_OPENSSL 1731 case KEY_DSA: 1732 ret = dsa_generate_private_key(bits, &k->dsa); 1733 break; 1734 case KEY_ECDSA: 1735 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1736 &k->ecdsa); 1737 break; 1738 case KEY_RSA: 1739 ret = rsa_generate_private_key(bits, &k->rsa); 1740 break; 1741 #endif /* WITH_OPENSSL */ 1742 default: 1743 ret = SSH_ERR_INVALID_ARGUMENT; 1744 } 1745 if (ret == 0) { 1746 k->type = type; 1747 *keyp = k; 1748 } else 1749 sshkey_free(k); 1750 return ret; 1751 } 1752 1753 int 1754 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1755 { 1756 u_int i; 1757 const struct sshkey_cert *from; 1758 struct sshkey_cert *to; 1759 int r = SSH_ERR_INTERNAL_ERROR; 1760 1761 if (to_key == NULL || (from = from_key->cert) == NULL) 1762 return SSH_ERR_INVALID_ARGUMENT; 1763 1764 if ((to = cert_new()) == NULL) 1765 return SSH_ERR_ALLOC_FAIL; 1766 1767 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1768 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1769 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1770 goto out; 1771 1772 to->serial = from->serial; 1773 to->type = from->type; 1774 if (from->key_id == NULL) 1775 to->key_id = NULL; 1776 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1777 r = SSH_ERR_ALLOC_FAIL; 1778 goto out; 1779 } 1780 to->valid_after = from->valid_after; 1781 to->valid_before = from->valid_before; 1782 if (from->signature_key == NULL) 1783 to->signature_key = NULL; 1784 else if ((r = sshkey_from_private(from->signature_key, 1785 &to->signature_key)) != 0) 1786 goto out; 1787 if (from->signature_type != NULL && 1788 (to->signature_type = strdup(from->signature_type)) == NULL) { 1789 r = SSH_ERR_ALLOC_FAIL; 1790 goto out; 1791 } 1792 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1793 r = SSH_ERR_INVALID_ARGUMENT; 1794 goto out; 1795 } 1796 if (from->nprincipals > 0) { 1797 if ((to->principals = calloc(from->nprincipals, 1798 sizeof(*to->principals))) == NULL) { 1799 r = SSH_ERR_ALLOC_FAIL; 1800 goto out; 1801 } 1802 for (i = 0; i < from->nprincipals; i++) { 1803 to->principals[i] = strdup(from->principals[i]); 1804 if (to->principals[i] == NULL) { 1805 to->nprincipals = i; 1806 r = SSH_ERR_ALLOC_FAIL; 1807 goto out; 1808 } 1809 } 1810 } 1811 to->nprincipals = from->nprincipals; 1812 1813 /* success */ 1814 cert_free(to_key->cert); 1815 to_key->cert = to; 1816 to = NULL; 1817 r = 0; 1818 out: 1819 cert_free(to); 1820 return r; 1821 } 1822 1823 int 1824 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1825 { 1826 struct sshkey *n = NULL; 1827 int r = SSH_ERR_INTERNAL_ERROR; 1828 #ifdef WITH_OPENSSL 1829 const BIGNUM *rsa_n, *rsa_e; 1830 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1831 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1832 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1833 BIGNUM *dsa_pub_key_dup = NULL; 1834 #endif /* WITH_OPENSSL */ 1835 1836 *pkp = NULL; 1837 if ((n = sshkey_new(k->type)) == NULL) { 1838 r = SSH_ERR_ALLOC_FAIL; 1839 goto out; 1840 } 1841 switch (k->type) { 1842 #ifdef WITH_OPENSSL 1843 case KEY_DSA: 1844 case KEY_DSA_CERT: 1845 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1846 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1847 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1848 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1849 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1850 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1851 r = SSH_ERR_ALLOC_FAIL; 1852 goto out; 1853 } 1854 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1855 r = SSH_ERR_LIBCRYPTO_ERROR; 1856 goto out; 1857 } 1858 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1859 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1860 r = SSH_ERR_LIBCRYPTO_ERROR; 1861 goto out; 1862 } 1863 dsa_pub_key_dup = NULL; /* transferred */ 1864 1865 break; 1866 case KEY_ECDSA: 1867 case KEY_ECDSA_CERT: 1868 case KEY_ECDSA_SK: 1869 case KEY_ECDSA_SK_CERT: 1870 n->ecdsa_nid = k->ecdsa_nid; 1871 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1872 if (n->ecdsa == NULL) { 1873 r = SSH_ERR_ALLOC_FAIL; 1874 goto out; 1875 } 1876 if (EC_KEY_set_public_key(n->ecdsa, 1877 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1878 r = SSH_ERR_LIBCRYPTO_ERROR; 1879 goto out; 1880 } 1881 if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT) 1882 break; 1883 /* Append security-key application string */ 1884 if ((n->sk_application = strdup(k->sk_application)) == NULL) 1885 goto out; 1886 break; 1887 case KEY_RSA: 1888 case KEY_RSA_CERT: 1889 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1890 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1891 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1892 r = SSH_ERR_ALLOC_FAIL; 1893 goto out; 1894 } 1895 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1896 r = SSH_ERR_LIBCRYPTO_ERROR; 1897 goto out; 1898 } 1899 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1900 break; 1901 #endif /* WITH_OPENSSL */ 1902 case KEY_ED25519: 1903 case KEY_ED25519_CERT: 1904 case KEY_ED25519_SK: 1905 case KEY_ED25519_SK_CERT: 1906 if (k->ed25519_pk != NULL) { 1907 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1908 r = SSH_ERR_ALLOC_FAIL; 1909 goto out; 1910 } 1911 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1912 } 1913 if (k->type != KEY_ED25519_SK && 1914 k->type != KEY_ED25519_SK_CERT) 1915 break; 1916 /* Append security-key application string */ 1917 if ((n->sk_application = strdup(k->sk_application)) == NULL) 1918 goto out; 1919 break; 1920 #ifdef WITH_XMSS 1921 case KEY_XMSS: 1922 case KEY_XMSS_CERT: 1923 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1924 goto out; 1925 if (k->xmss_pk != NULL) { 1926 u_int32_t left; 1927 size_t pklen = sshkey_xmss_pklen(k); 1928 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1929 r = SSH_ERR_INTERNAL_ERROR; 1930 goto out; 1931 } 1932 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1933 r = SSH_ERR_ALLOC_FAIL; 1934 goto out; 1935 } 1936 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1937 /* simulate number of signatures left on pubkey */ 1938 left = sshkey_xmss_signatures_left(k); 1939 if (left) 1940 sshkey_xmss_enable_maxsign(n, left); 1941 } 1942 break; 1943 #endif /* WITH_XMSS */ 1944 default: 1945 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1946 goto out; 1947 } 1948 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1949 goto out; 1950 /* success */ 1951 *pkp = n; 1952 n = NULL; 1953 r = 0; 1954 out: 1955 sshkey_free(n); 1956 #ifdef WITH_OPENSSL 1957 BN_clear_free(rsa_n_dup); 1958 BN_clear_free(rsa_e_dup); 1959 BN_clear_free(dsa_p_dup); 1960 BN_clear_free(dsa_q_dup); 1961 BN_clear_free(dsa_g_dup); 1962 BN_clear_free(dsa_pub_key_dup); 1963 #endif /* WITH_OPENSSL */ 1964 1965 return r; 1966 } 1967 1968 int 1969 sshkey_is_shielded(struct sshkey *k) 1970 { 1971 return k != NULL && k->shielded_private != NULL; 1972 } 1973 1974 int 1975 sshkey_shield_private(struct sshkey *k) 1976 { 1977 struct sshbuf *prvbuf = NULL; 1978 u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; 1979 struct sshcipher_ctx *cctx = NULL; 1980 const struct sshcipher *cipher; 1981 size_t i, enclen = 0; 1982 struct sshkey *kswap = NULL, tmp; 1983 int r = SSH_ERR_INTERNAL_ERROR; 1984 1985 #ifdef DEBUG_PK 1986 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1987 #endif 1988 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1989 r = SSH_ERR_INVALID_ARGUMENT; 1990 goto out; 1991 } 1992 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1993 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1994 r = SSH_ERR_INTERNAL_ERROR; 1995 goto out; 1996 } 1997 1998 /* Prepare a random pre-key, and from it an ephemeral key */ 1999 if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) { 2000 r = SSH_ERR_ALLOC_FAIL; 2001 goto out; 2002 } 2003 arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); 2004 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 2005 prekey, SSHKEY_SHIELD_PREKEY_LEN, 2006 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 2007 goto out; 2008 #ifdef DEBUG_PK 2009 fprintf(stderr, "%s: key+iv\n", __func__); 2010 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 2011 stderr); 2012 #endif 2013 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 2014 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) 2015 goto out; 2016 2017 /* Serialise and encrypt the private key using the ephemeral key */ 2018 if ((prvbuf = sshbuf_new()) == NULL) { 2019 r = SSH_ERR_ALLOC_FAIL; 2020 goto out; 2021 } 2022 if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) 2023 goto out; 2024 if ((r = sshkey_private_serialize_opt(k, prvbuf, 2025 SSHKEY_SERIALIZE_SHIELD)) != 0) 2026 goto out; 2027 /* pad to cipher blocksize */ 2028 i = 0; 2029 while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { 2030 if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) 2031 goto out; 2032 } 2033 #ifdef DEBUG_PK 2034 fprintf(stderr, "%s: serialised\n", __func__); 2035 sshbuf_dump(prvbuf, stderr); 2036 #endif 2037 /* encrypt */ 2038 enclen = sshbuf_len(prvbuf); 2039 if ((enc = malloc(enclen)) == NULL) { 2040 r = SSH_ERR_ALLOC_FAIL; 2041 goto out; 2042 } 2043 if ((r = cipher_crypt(cctx, 0, enc, 2044 sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) 2045 goto out; 2046 #ifdef DEBUG_PK 2047 fprintf(stderr, "%s: encrypted\n", __func__); 2048 sshbuf_dump_data(enc, enclen, stderr); 2049 #endif 2050 2051 /* Make a scrubbed, public-only copy of our private key argument */ 2052 if ((r = sshkey_from_private(k, &kswap)) != 0) 2053 goto out; 2054 2055 /* Swap the private key out (it will be destroyed below) */ 2056 tmp = *kswap; 2057 *kswap = *k; 2058 *k = tmp; 2059 2060 /* Insert the shielded key into our argument */ 2061 k->shielded_private = enc; 2062 k->shielded_len = enclen; 2063 k->shield_prekey = prekey; 2064 k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; 2065 enc = prekey = NULL; /* transferred */ 2066 enclen = 0; 2067 2068 /* preserve key fields that are required for correct operation */ 2069 k->sk_flags = kswap->sk_flags; 2070 2071 /* success */ 2072 r = 0; 2073 2074 out: 2075 /* XXX behaviour on error - invalidate original private key? */ 2076 cipher_free(cctx); 2077 explicit_bzero(keyiv, sizeof(keyiv)); 2078 explicit_bzero(&tmp, sizeof(tmp)); 2079 freezero(enc, enclen); 2080 freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN); 2081 sshkey_free(kswap); 2082 sshbuf_free(prvbuf); 2083 return r; 2084 } 2085 2086 /* Check deterministic padding after private key */ 2087 static int 2088 private2_check_padding(struct sshbuf *decrypted) 2089 { 2090 u_char pad; 2091 size_t i; 2092 int r; 2093 2094 i = 0; 2095 while (sshbuf_len(decrypted)) { 2096 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 2097 goto out; 2098 if (pad != (++i & 0xff)) { 2099 r = SSH_ERR_INVALID_FORMAT; 2100 goto out; 2101 } 2102 } 2103 /* success */ 2104 r = 0; 2105 out: 2106 explicit_bzero(&pad, sizeof(pad)); 2107 explicit_bzero(&i, sizeof(i)); 2108 return r; 2109 } 2110 2111 int 2112 sshkey_unshield_private(struct sshkey *k) 2113 { 2114 struct sshbuf *prvbuf = NULL; 2115 u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; 2116 struct sshcipher_ctx *cctx = NULL; 2117 const struct sshcipher *cipher; 2118 struct sshkey *kswap = NULL, tmp; 2119 int r = SSH_ERR_INTERNAL_ERROR; 2120 2121 #ifdef DEBUG_PK 2122 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 2123 #endif 2124 if (!sshkey_is_shielded(k)) 2125 return 0; /* nothing to do */ 2126 2127 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 2128 r = SSH_ERR_INVALID_ARGUMENT; 2129 goto out; 2130 } 2131 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 2132 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 2133 r = SSH_ERR_INTERNAL_ERROR; 2134 goto out; 2135 } 2136 /* check size of shielded key blob */ 2137 if (k->shielded_len < cipher_blocksize(cipher) || 2138 (k->shielded_len % cipher_blocksize(cipher)) != 0) { 2139 r = SSH_ERR_INVALID_FORMAT; 2140 goto out; 2141 } 2142 2143 /* Calculate the ephemeral key from the prekey */ 2144 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 2145 k->shield_prekey, k->shield_prekey_len, 2146 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 2147 goto out; 2148 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 2149 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) 2150 goto out; 2151 #ifdef DEBUG_PK 2152 fprintf(stderr, "%s: key+iv\n", __func__); 2153 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 2154 stderr); 2155 #endif 2156 2157 /* Decrypt and parse the shielded private key using the ephemeral key */ 2158 if ((prvbuf = sshbuf_new()) == NULL) { 2159 r = SSH_ERR_ALLOC_FAIL; 2160 goto out; 2161 } 2162 if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) 2163 goto out; 2164 /* decrypt */ 2165 #ifdef DEBUG_PK 2166 fprintf(stderr, "%s: encrypted\n", __func__); 2167 sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); 2168 #endif 2169 if ((r = cipher_crypt(cctx, 0, cp, 2170 k->shielded_private, k->shielded_len, 0, 0)) != 0) 2171 goto out; 2172 #ifdef DEBUG_PK 2173 fprintf(stderr, "%s: serialised\n", __func__); 2174 sshbuf_dump(prvbuf, stderr); 2175 #endif 2176 /* Parse private key */ 2177 if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) 2178 goto out; 2179 2180 if ((r = private2_check_padding(prvbuf)) != 0) 2181 goto out; 2182 2183 /* Swap the parsed key back into place */ 2184 tmp = *kswap; 2185 *kswap = *k; 2186 *k = tmp; 2187 2188 /* success */ 2189 r = 0; 2190 2191 out: 2192 cipher_free(cctx); 2193 explicit_bzero(keyiv, sizeof(keyiv)); 2194 explicit_bzero(&tmp, sizeof(tmp)); 2195 sshkey_free(kswap); 2196 sshbuf_free(prvbuf); 2197 return r; 2198 } 2199 2200 static int 2201 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 2202 { 2203 struct sshbuf *principals = NULL, *crit = NULL; 2204 struct sshbuf *exts = NULL, *ca = NULL; 2205 u_char *sig = NULL; 2206 size_t signed_len = 0, slen = 0, kidlen = 0; 2207 int ret = SSH_ERR_INTERNAL_ERROR; 2208 2209 /* Copy the entire key blob for verification and later serialisation */ 2210 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 2211 return ret; 2212 2213 /* Parse body of certificate up to signature */ 2214 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 2215 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 2216 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 2217 (ret = sshbuf_froms(b, &principals)) != 0 || 2218 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 2219 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 2220 (ret = sshbuf_froms(b, &crit)) != 0 || 2221 (ret = sshbuf_froms(b, &exts)) != 0 || 2222 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 2223 (ret = sshbuf_froms(b, &ca)) != 0) { 2224 /* XXX debug print error for ret */ 2225 ret = SSH_ERR_INVALID_FORMAT; 2226 goto out; 2227 } 2228 2229 /* Signature is left in the buffer so we can calculate this length */ 2230 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 2231 2232 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 2233 ret = SSH_ERR_INVALID_FORMAT; 2234 goto out; 2235 } 2236 2237 if (key->cert->type != SSH2_CERT_TYPE_USER && 2238 key->cert->type != SSH2_CERT_TYPE_HOST) { 2239 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 2240 goto out; 2241 } 2242 2243 /* Parse principals section */ 2244 while (sshbuf_len(principals) > 0) { 2245 char *principal = NULL; 2246 char **oprincipals = NULL; 2247 2248 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 2249 ret = SSH_ERR_INVALID_FORMAT; 2250 goto out; 2251 } 2252 if ((ret = sshbuf_get_cstring(principals, &principal, 2253 NULL)) != 0) { 2254 ret = SSH_ERR_INVALID_FORMAT; 2255 goto out; 2256 } 2257 oprincipals = key->cert->principals; 2258 key->cert->principals = recallocarray(key->cert->principals, 2259 key->cert->nprincipals, key->cert->nprincipals + 1, 2260 sizeof(*key->cert->principals)); 2261 if (key->cert->principals == NULL) { 2262 free(principal); 2263 key->cert->principals = oprincipals; 2264 ret = SSH_ERR_ALLOC_FAIL; 2265 goto out; 2266 } 2267 key->cert->principals[key->cert->nprincipals++] = principal; 2268 } 2269 2270 /* 2271 * Stash a copies of the critical options and extensions sections 2272 * for later use. 2273 */ 2274 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 2275 (exts != NULL && 2276 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 2277 goto out; 2278 2279 /* 2280 * Validate critical options and extensions sections format. 2281 */ 2282 while (sshbuf_len(crit) != 0) { 2283 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 2284 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 2285 sshbuf_reset(key->cert->critical); 2286 ret = SSH_ERR_INVALID_FORMAT; 2287 goto out; 2288 } 2289 } 2290 while (exts != NULL && sshbuf_len(exts) != 0) { 2291 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 2292 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 2293 sshbuf_reset(key->cert->extensions); 2294 ret = SSH_ERR_INVALID_FORMAT; 2295 goto out; 2296 } 2297 } 2298 2299 /* Parse CA key and check signature */ 2300 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 2301 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2302 goto out; 2303 } 2304 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 2305 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2306 goto out; 2307 } 2308 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 2309 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) 2310 goto out; 2311 if ((ret = sshkey_get_sigtype(sig, slen, 2312 &key->cert->signature_type)) != 0) 2313 goto out; 2314 2315 /* Success */ 2316 ret = 0; 2317 out: 2318 sshbuf_free(ca); 2319 sshbuf_free(crit); 2320 sshbuf_free(exts); 2321 sshbuf_free(principals); 2322 free(sig); 2323 return ret; 2324 } 2325 2326 int 2327 sshkey_check_rsa_length(const struct sshkey *k, int min_size) 2328 { 2329 #ifdef WITH_OPENSSL 2330 const BIGNUM *rsa_n; 2331 int nbits; 2332 2333 if (k == NULL || k->rsa == NULL || 2334 (k->type != KEY_RSA && k->type != KEY_RSA_CERT)) 2335 return 0; 2336 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 2337 nbits = BN_num_bits(rsa_n); 2338 if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE || 2339 (min_size > 0 && nbits < min_size)) 2340 return SSH_ERR_KEY_LENGTH; 2341 #endif /* WITH_OPENSSL */ 2342 return 0; 2343 } 2344 2345 static int 2346 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 2347 int allow_cert) 2348 { 2349 int type, ret = SSH_ERR_INTERNAL_ERROR; 2350 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 2351 struct sshkey *key = NULL; 2352 size_t len; 2353 u_char *pk = NULL; 2354 struct sshbuf *copy; 2355 #ifdef WITH_OPENSSL 2356 EC_POINT *q = NULL, *qq = NULL; 2357 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 2358 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 2359 #endif /* WITH_OPENSSL */ 2360 2361 #ifdef DEBUG_PK /* XXX */ 2362 sshbuf_dump(b, stderr); 2363 #endif 2364 if (keyp != NULL) 2365 *keyp = NULL; 2366 if ((copy = sshbuf_fromb(b)) == NULL) { 2367 ret = SSH_ERR_ALLOC_FAIL; 2368 goto out; 2369 } 2370 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 2371 ret = SSH_ERR_INVALID_FORMAT; 2372 goto out; 2373 } 2374 2375 type = sshkey_type_from_name(ktype); 2376 if (!allow_cert && sshkey_type_is_cert(type)) { 2377 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2378 goto out; 2379 } 2380 switch (type) { 2381 #ifdef WITH_OPENSSL 2382 case KEY_RSA_CERT: 2383 /* Skip nonce */ 2384 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2385 ret = SSH_ERR_INVALID_FORMAT; 2386 goto out; 2387 } 2388 /* FALLTHROUGH */ 2389 case KEY_RSA: 2390 if ((key = sshkey_new(type)) == NULL) { 2391 ret = SSH_ERR_ALLOC_FAIL; 2392 goto out; 2393 } 2394 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2395 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2396 ret = SSH_ERR_INVALID_FORMAT; 2397 goto out; 2398 } 2399 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2400 ret = SSH_ERR_LIBCRYPTO_ERROR; 2401 goto out; 2402 } 2403 rsa_n = rsa_e = NULL; /* transferred */ 2404 if ((ret = sshkey_check_rsa_length(key, 0)) != 0) 2405 goto out; 2406 #ifdef DEBUG_PK 2407 RSA_print_fp(stderr, key->rsa, 8); 2408 #endif 2409 break; 2410 case KEY_DSA_CERT: 2411 /* Skip nonce */ 2412 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2413 ret = SSH_ERR_INVALID_FORMAT; 2414 goto out; 2415 } 2416 /* FALLTHROUGH */ 2417 case KEY_DSA: 2418 if ((key = sshkey_new(type)) == NULL) { 2419 ret = SSH_ERR_ALLOC_FAIL; 2420 goto out; 2421 } 2422 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2423 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2424 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2425 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2426 ret = SSH_ERR_INVALID_FORMAT; 2427 goto out; 2428 } 2429 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2430 ret = SSH_ERR_LIBCRYPTO_ERROR; 2431 goto out; 2432 } 2433 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2434 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2435 ret = SSH_ERR_LIBCRYPTO_ERROR; 2436 goto out; 2437 } 2438 dsa_pub_key = NULL; /* transferred */ 2439 #ifdef DEBUG_PK 2440 DSA_print_fp(stderr, key->dsa, 8); 2441 #endif 2442 break; 2443 case KEY_ECDSA_CERT: 2444 case KEY_ECDSA_SK_CERT: 2445 /* Skip nonce */ 2446 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2447 ret = SSH_ERR_INVALID_FORMAT; 2448 goto out; 2449 } 2450 /* FALLTHROUGH */ 2451 case KEY_ECDSA: 2452 case KEY_ECDSA_SK: 2453 if ((key = sshkey_new(type)) == NULL) { 2454 ret = SSH_ERR_ALLOC_FAIL; 2455 goto out; 2456 } 2457 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2458 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2459 ret = SSH_ERR_INVALID_FORMAT; 2460 goto out; 2461 } 2462 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2463 ret = SSH_ERR_EC_CURVE_MISMATCH; 2464 goto out; 2465 } 2466 EC_KEY_free(key->ecdsa); 2467 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2468 == NULL) { 2469 ret = SSH_ERR_EC_CURVE_INVALID; 2470 goto out; 2471 } 2472 if ((qq = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2473 ret = SSH_ERR_ALLOC_FAIL; 2474 goto out; 2475 } 2476 if (sshbuf_get_ec(b, qq, EC_KEY_get0_group(key->ecdsa)) != 0) { 2477 ret = SSH_ERR_INVALID_FORMAT; 2478 goto out; 2479 } 2480 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2481 qq) != 0) { 2482 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2483 goto out; 2484 } 2485 if (EC_KEY_set_public_key(key->ecdsa, qq) != 1) { 2486 /* XXX assume it is a allocation error */ 2487 ret = SSH_ERR_ALLOC_FAIL; 2488 goto out; 2489 } 2490 #ifdef DEBUG_PK 2491 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), qq); 2492 #endif 2493 if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) { 2494 /* Parse additional security-key application string */ 2495 if (sshbuf_get_cstring(b, &key->sk_application, 2496 NULL) != 0) { 2497 ret = SSH_ERR_INVALID_FORMAT; 2498 goto out; 2499 } 2500 #ifdef DEBUG_PK 2501 fprintf(stderr, "App: %s\n", key->sk_application); 2502 #endif 2503 } 2504 break; 2505 #endif /* WITH_OPENSSL */ 2506 case KEY_ED25519_CERT: 2507 case KEY_ED25519_SK_CERT: 2508 /* Skip nonce */ 2509 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2510 ret = SSH_ERR_INVALID_FORMAT; 2511 goto out; 2512 } 2513 /* FALLTHROUGH */ 2514 case KEY_ED25519: 2515 case KEY_ED25519_SK: 2516 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2517 goto out; 2518 if (len != ED25519_PK_SZ) { 2519 ret = SSH_ERR_INVALID_FORMAT; 2520 goto out; 2521 } 2522 if ((key = sshkey_new(type)) == NULL) { 2523 ret = SSH_ERR_ALLOC_FAIL; 2524 goto out; 2525 } 2526 if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) { 2527 /* Parse additional security-key application string */ 2528 if (sshbuf_get_cstring(b, &key->sk_application, 2529 NULL) != 0) { 2530 ret = SSH_ERR_INVALID_FORMAT; 2531 goto out; 2532 } 2533 #ifdef DEBUG_PK 2534 fprintf(stderr, "App: %s\n", key->sk_application); 2535 #endif 2536 } 2537 key->ed25519_pk = pk; 2538 pk = NULL; 2539 break; 2540 #ifdef WITH_XMSS 2541 case KEY_XMSS_CERT: 2542 /* Skip nonce */ 2543 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2544 ret = SSH_ERR_INVALID_FORMAT; 2545 goto out; 2546 } 2547 /* FALLTHROUGH */ 2548 case KEY_XMSS: 2549 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2550 goto out; 2551 if ((key = sshkey_new(type)) == NULL) { 2552 ret = SSH_ERR_ALLOC_FAIL; 2553 goto out; 2554 } 2555 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2556 goto out; 2557 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2558 goto out; 2559 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2560 ret = SSH_ERR_INVALID_FORMAT; 2561 goto out; 2562 } 2563 key->xmss_pk = pk; 2564 pk = NULL; 2565 if (type != KEY_XMSS_CERT && 2566 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2567 goto out; 2568 break; 2569 #endif /* WITH_XMSS */ 2570 case KEY_UNSPEC: 2571 default: 2572 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2573 goto out; 2574 } 2575 2576 /* Parse certificate potion */ 2577 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2578 goto out; 2579 2580 if (key != NULL && sshbuf_len(b) != 0) { 2581 ret = SSH_ERR_INVALID_FORMAT; 2582 goto out; 2583 } 2584 ret = 0; 2585 if (keyp != NULL) { 2586 *keyp = key; 2587 key = NULL; 2588 } 2589 out: 2590 sshbuf_free(copy); 2591 sshkey_free(key); 2592 free(xmss_name); 2593 free(ktype); 2594 free(curve); 2595 free(pk); 2596 #ifdef WITH_OPENSSL 2597 EC_POINT_free(q); 2598 BN_clear_free(rsa_n); 2599 BN_clear_free(rsa_e); 2600 BN_clear_free(dsa_p); 2601 BN_clear_free(dsa_q); 2602 BN_clear_free(dsa_g); 2603 BN_clear_free(dsa_pub_key); 2604 #endif /* WITH_OPENSSL */ 2605 return ret; 2606 } 2607 2608 int 2609 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2610 { 2611 struct sshbuf *b; 2612 int r; 2613 2614 if ((b = sshbuf_from(blob, blen)) == NULL) 2615 return SSH_ERR_ALLOC_FAIL; 2616 r = sshkey_from_blob_internal(b, keyp, 1); 2617 sshbuf_free(b); 2618 return r; 2619 } 2620 2621 int 2622 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2623 { 2624 return sshkey_from_blob_internal(b, keyp, 1); 2625 } 2626 2627 int 2628 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2629 { 2630 struct sshbuf *b; 2631 int r; 2632 2633 if ((r = sshbuf_froms(buf, &b)) != 0) 2634 return r; 2635 r = sshkey_from_blob_internal(b, keyp, 1); 2636 sshbuf_free(b); 2637 return r; 2638 } 2639 2640 int 2641 sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2642 { 2643 int r; 2644 struct sshbuf *b = NULL; 2645 char *sigtype = NULL; 2646 2647 if (sigtypep != NULL) 2648 *sigtypep = NULL; 2649 if ((b = sshbuf_from(sig, siglen)) == NULL) 2650 return SSH_ERR_ALLOC_FAIL; 2651 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2652 goto out; 2653 /* success */ 2654 if (sigtypep != NULL) { 2655 *sigtypep = sigtype; 2656 sigtype = NULL; 2657 } 2658 r = 0; 2659 out: 2660 free(sigtype); 2661 sshbuf_free(b); 2662 return r; 2663 } 2664 2665 /* 2666 * 2667 * Checks whether a certificate's signature type is allowed. 2668 * Returns 0 (success) if the certificate signature type appears in the 2669 * "allowed" pattern-list, or the key is not a certificate to begin with. 2670 * Otherwise returns a ssherr.h code. 2671 */ 2672 int 2673 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2674 { 2675 if (key == NULL || allowed == NULL) 2676 return SSH_ERR_INVALID_ARGUMENT; 2677 if (!sshkey_type_is_cert(key->type)) 2678 return 0; 2679 if (key->cert == NULL || key->cert->signature_type == NULL) 2680 return SSH_ERR_INVALID_ARGUMENT; 2681 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2682 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2683 return 0; 2684 } 2685 2686 /* 2687 * Returns the expected signature algorithm for a given public key algorithm. 2688 */ 2689 const char * 2690 sshkey_sigalg_by_name(const char *name) 2691 { 2692 const struct keytype *kt; 2693 2694 for (kt = keytypes; kt->type != -1; kt++) { 2695 if (strcmp(kt->name, name) != 0) 2696 continue; 2697 if (kt->sigalg != NULL) 2698 return kt->sigalg; 2699 if (!kt->cert) 2700 return kt->name; 2701 return sshkey_ssh_name_from_type_nid( 2702 sshkey_type_plain(kt->type), kt->nid); 2703 } 2704 return NULL; 2705 } 2706 2707 /* 2708 * Verifies that the signature algorithm appearing inside the signature blob 2709 * matches that which was requested. 2710 */ 2711 int 2712 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2713 const char *requested_alg) 2714 { 2715 const char *expected_alg; 2716 char *sigtype = NULL; 2717 int r; 2718 2719 if (requested_alg == NULL) 2720 return 0; 2721 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2722 return SSH_ERR_INVALID_ARGUMENT; 2723 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) 2724 return r; 2725 r = strcmp(expected_alg, sigtype) == 0; 2726 free(sigtype); 2727 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2728 } 2729 2730 int 2731 sshkey_sign(struct sshkey *key, 2732 u_char **sigp, size_t *lenp, 2733 const u_char *data, size_t datalen, 2734 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 2735 { 2736 int was_shielded = sshkey_is_shielded(key); 2737 int r2, r = SSH_ERR_INTERNAL_ERROR; 2738 2739 if (sigp != NULL) 2740 *sigp = NULL; 2741 if (lenp != NULL) 2742 *lenp = 0; 2743 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2744 return SSH_ERR_INVALID_ARGUMENT; 2745 if ((r = sshkey_unshield_private(key)) != 0) 2746 return r; 2747 switch (key->type) { 2748 #ifdef WITH_OPENSSL 2749 case KEY_DSA_CERT: 2750 case KEY_DSA: 2751 r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2752 break; 2753 case KEY_ECDSA_CERT: 2754 case KEY_ECDSA: 2755 r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2756 break; 2757 case KEY_RSA_CERT: 2758 case KEY_RSA: 2759 r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2760 break; 2761 #endif /* WITH_OPENSSL */ 2762 case KEY_ED25519: 2763 case KEY_ED25519_CERT: 2764 r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2765 break; 2766 case KEY_ED25519_SK: 2767 case KEY_ED25519_SK_CERT: 2768 case KEY_ECDSA_SK_CERT: 2769 case KEY_ECDSA_SK: 2770 r = sshsk_sign(sk_provider, key, sigp, lenp, data, 2771 datalen, compat, sk_pin); 2772 break; 2773 #ifdef WITH_XMSS 2774 case KEY_XMSS: 2775 case KEY_XMSS_CERT: 2776 r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2777 break; 2778 #endif /* WITH_XMSS */ 2779 default: 2780 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2781 break; 2782 } 2783 if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) 2784 return r2; 2785 return r; 2786 } 2787 2788 /* 2789 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2790 * If "alg" specified, then the signature must use that algorithm. 2791 */ 2792 int 2793 sshkey_verify(const struct sshkey *key, 2794 const u_char *sig, size_t siglen, 2795 const u_char *data, size_t dlen, const char *alg, u_int compat, 2796 struct sshkey_sig_details **detailsp) 2797 { 2798 if (detailsp != NULL) 2799 *detailsp = NULL; 2800 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2801 return SSH_ERR_INVALID_ARGUMENT; 2802 switch (key->type) { 2803 #ifdef WITH_OPENSSL 2804 case KEY_DSA_CERT: 2805 case KEY_DSA: 2806 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2807 case KEY_ECDSA_CERT: 2808 case KEY_ECDSA: 2809 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2810 case KEY_ECDSA_SK_CERT: 2811 case KEY_ECDSA_SK: 2812 return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen, 2813 compat, detailsp); 2814 case KEY_RSA_CERT: 2815 case KEY_RSA: 2816 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2817 #endif /* WITH_OPENSSL */ 2818 case KEY_ED25519: 2819 case KEY_ED25519_CERT: 2820 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2821 case KEY_ED25519_SK: 2822 case KEY_ED25519_SK_CERT: 2823 return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen, 2824 compat, detailsp); 2825 #ifdef WITH_XMSS 2826 case KEY_XMSS: 2827 case KEY_XMSS_CERT: 2828 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2829 #endif /* WITH_XMSS */ 2830 default: 2831 return SSH_ERR_KEY_TYPE_UNKNOWN; 2832 } 2833 } 2834 2835 /* Convert a plain key to their _CERT equivalent */ 2836 int 2837 sshkey_to_certified(struct sshkey *k) 2838 { 2839 int newtype; 2840 2841 switch (k->type) { 2842 #ifdef WITH_OPENSSL 2843 case KEY_RSA: 2844 newtype = KEY_RSA_CERT; 2845 break; 2846 case KEY_DSA: 2847 newtype = KEY_DSA_CERT; 2848 break; 2849 case KEY_ECDSA: 2850 newtype = KEY_ECDSA_CERT; 2851 break; 2852 case KEY_ECDSA_SK: 2853 newtype = KEY_ECDSA_SK_CERT; 2854 break; 2855 #endif /* WITH_OPENSSL */ 2856 case KEY_ED25519_SK: 2857 newtype = KEY_ED25519_SK_CERT; 2858 break; 2859 case KEY_ED25519: 2860 newtype = KEY_ED25519_CERT; 2861 break; 2862 #ifdef WITH_XMSS 2863 case KEY_XMSS: 2864 newtype = KEY_XMSS_CERT; 2865 break; 2866 #endif /* WITH_XMSS */ 2867 default: 2868 return SSH_ERR_INVALID_ARGUMENT; 2869 } 2870 if ((k->cert = cert_new()) == NULL) 2871 return SSH_ERR_ALLOC_FAIL; 2872 k->type = newtype; 2873 return 0; 2874 } 2875 2876 /* Convert a certificate to its raw key equivalent */ 2877 int 2878 sshkey_drop_cert(struct sshkey *k) 2879 { 2880 if (!sshkey_type_is_cert(k->type)) 2881 return SSH_ERR_KEY_TYPE_UNKNOWN; 2882 cert_free(k->cert); 2883 k->cert = NULL; 2884 k->type = sshkey_type_plain(k->type); 2885 return 0; 2886 } 2887 2888 /* Sign a certified key, (re-)generating the signed certblob. */ 2889 int 2890 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2891 const char *sk_provider, const char *sk_pin, 2892 sshkey_certify_signer *signer, void *signer_ctx) 2893 { 2894 struct sshbuf *principals = NULL; 2895 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2896 size_t i, ca_len, sig_len; 2897 int ret = SSH_ERR_INTERNAL_ERROR; 2898 struct sshbuf *cert = NULL; 2899 char *sigtype = NULL; 2900 #ifdef WITH_OPENSSL 2901 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2902 #endif /* WITH_OPENSSL */ 2903 2904 if (k == NULL || k->cert == NULL || 2905 k->cert->certblob == NULL || ca == NULL) 2906 return SSH_ERR_INVALID_ARGUMENT; 2907 if (!sshkey_is_cert(k)) 2908 return SSH_ERR_KEY_TYPE_UNKNOWN; 2909 if (!sshkey_type_is_valid_ca(ca->type)) 2910 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2911 2912 /* 2913 * If no alg specified as argument but a signature_type was set, 2914 * then prefer that. If both were specified, then they must match. 2915 */ 2916 if (alg == NULL) 2917 alg = k->cert->signature_type; 2918 else if (k->cert->signature_type != NULL && 2919 strcmp(alg, k->cert->signature_type) != 0) 2920 return SSH_ERR_INVALID_ARGUMENT; 2921 2922 /* 2923 * If no signing algorithm or signature_type was specified and we're 2924 * using a RSA key, then default to a good signature algorithm. 2925 */ 2926 if (alg == NULL && ca->type == KEY_RSA) 2927 alg = "rsa-sha2-512"; 2928 2929 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2930 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2931 2932 cert = k->cert->certblob; /* for readability */ 2933 sshbuf_reset(cert); 2934 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2935 goto out; 2936 2937 /* -v01 certs put nonce first */ 2938 arc4random_buf(&nonce, sizeof(nonce)); 2939 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2940 goto out; 2941 2942 /* XXX this substantially duplicates to_blob(); refactor */ 2943 switch (k->type) { 2944 #ifdef WITH_OPENSSL 2945 case KEY_DSA_CERT: 2946 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2947 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2948 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2949 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2950 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2951 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2952 goto out; 2953 break; 2954 case KEY_ECDSA_CERT: 2955 case KEY_ECDSA_SK_CERT: 2956 if ((ret = sshbuf_put_cstring(cert, 2957 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2958 (ret = sshbuf_put_ec(cert, 2959 EC_KEY_get0_public_key(k->ecdsa), 2960 EC_KEY_get0_group(k->ecdsa))) != 0) 2961 goto out; 2962 if (k->type == KEY_ECDSA_SK_CERT) { 2963 if ((ret = sshbuf_put_cstring(cert, 2964 k->sk_application)) != 0) 2965 goto out; 2966 } 2967 break; 2968 case KEY_RSA_CERT: 2969 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2970 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2971 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2972 goto out; 2973 break; 2974 #endif /* WITH_OPENSSL */ 2975 case KEY_ED25519_CERT: 2976 case KEY_ED25519_SK_CERT: 2977 if ((ret = sshbuf_put_string(cert, 2978 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2979 goto out; 2980 if (k->type == KEY_ED25519_SK_CERT) { 2981 if ((ret = sshbuf_put_cstring(cert, 2982 k->sk_application)) != 0) 2983 goto out; 2984 } 2985 break; 2986 #ifdef WITH_XMSS 2987 case KEY_XMSS_CERT: 2988 if (k->xmss_name == NULL) { 2989 ret = SSH_ERR_INVALID_ARGUMENT; 2990 goto out; 2991 } 2992 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2993 (ret = sshbuf_put_string(cert, 2994 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2995 goto out; 2996 break; 2997 #endif /* WITH_XMSS */ 2998 default: 2999 ret = SSH_ERR_INVALID_ARGUMENT; 3000 goto out; 3001 } 3002 3003 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 3004 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 3005 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 3006 goto out; 3007 3008 if ((principals = sshbuf_new()) == NULL) { 3009 ret = SSH_ERR_ALLOC_FAIL; 3010 goto out; 3011 } 3012 for (i = 0; i < k->cert->nprincipals; i++) { 3013 if ((ret = sshbuf_put_cstring(principals, 3014 k->cert->principals[i])) != 0) 3015 goto out; 3016 } 3017 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 3018 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 3019 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 3020 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 3021 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 3022 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 3023 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 3024 goto out; 3025 3026 /* Sign the whole mess */ 3027 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 3028 sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) 3029 goto out; 3030 /* Check and update signature_type against what was actually used */ 3031 if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 3032 goto out; 3033 if (alg != NULL && strcmp(alg, sigtype) != 0) { 3034 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 3035 goto out; 3036 } 3037 if (k->cert->signature_type == NULL) { 3038 k->cert->signature_type = sigtype; 3039 sigtype = NULL; 3040 } 3041 /* Append signature and we are done */ 3042 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 3043 goto out; 3044 ret = 0; 3045 out: 3046 if (ret != 0) 3047 sshbuf_reset(cert); 3048 free(sig_blob); 3049 free(ca_blob); 3050 free(sigtype); 3051 sshbuf_free(principals); 3052 return ret; 3053 } 3054 3055 static int 3056 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, 3057 const u_char *data, size_t datalen, 3058 const char *alg, const char *sk_provider, const char *sk_pin, 3059 u_int compat, void *ctx) 3060 { 3061 if (ctx != NULL) 3062 return SSH_ERR_INVALID_ARGUMENT; 3063 return sshkey_sign(key, sigp, lenp, data, datalen, alg, 3064 sk_provider, sk_pin, compat); 3065 } 3066 3067 int 3068 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, 3069 const char *sk_provider, const char *sk_pin) 3070 { 3071 return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, 3072 default_key_sign, NULL); 3073 } 3074 3075 int 3076 sshkey_cert_check_authority(const struct sshkey *k, 3077 int want_host, int require_principal, int wildcard_pattern, 3078 uint64_t verify_time, const char *name, const char **reason) 3079 { 3080 u_int i, principal_matches; 3081 3082 if (reason == NULL) 3083 return SSH_ERR_INVALID_ARGUMENT; 3084 if (!sshkey_is_cert(k)) { 3085 *reason = "Key is not a certificate"; 3086 return SSH_ERR_KEY_CERT_INVALID; 3087 } 3088 if (want_host) { 3089 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 3090 *reason = "Certificate invalid: not a host certificate"; 3091 return SSH_ERR_KEY_CERT_INVALID; 3092 } 3093 } else { 3094 if (k->cert->type != SSH2_CERT_TYPE_USER) { 3095 *reason = "Certificate invalid: not a user certificate"; 3096 return SSH_ERR_KEY_CERT_INVALID; 3097 } 3098 } 3099 if (verify_time < k->cert->valid_after) { 3100 *reason = "Certificate invalid: not yet valid"; 3101 return SSH_ERR_KEY_CERT_INVALID; 3102 } 3103 if (verify_time >= k->cert->valid_before) { 3104 *reason = "Certificate invalid: expired"; 3105 return SSH_ERR_KEY_CERT_INVALID; 3106 } 3107 if (k->cert->nprincipals == 0) { 3108 if (require_principal) { 3109 *reason = "Certificate lacks principal list"; 3110 return SSH_ERR_KEY_CERT_INVALID; 3111 } 3112 } else if (name != NULL) { 3113 principal_matches = 0; 3114 for (i = 0; i < k->cert->nprincipals; i++) { 3115 if (wildcard_pattern) { 3116 if (match_pattern(k->cert->principals[i], 3117 name)) { 3118 principal_matches = 1; 3119 break; 3120 } 3121 } else if (strcmp(name, k->cert->principals[i]) == 0) { 3122 principal_matches = 1; 3123 break; 3124 } 3125 } 3126 if (!principal_matches) { 3127 *reason = "Certificate invalid: name is not a listed " 3128 "principal"; 3129 return SSH_ERR_KEY_CERT_INVALID; 3130 } 3131 } 3132 return 0; 3133 } 3134 3135 int 3136 sshkey_cert_check_authority_now(const struct sshkey *k, 3137 int want_host, int require_principal, int wildcard_pattern, 3138 const char *name, const char **reason) 3139 { 3140 time_t now; 3141 3142 if ((now = time(NULL)) < 0) { 3143 /* yikes - system clock before epoch! */ 3144 *reason = "Certificate invalid: not yet valid"; 3145 return SSH_ERR_KEY_CERT_INVALID; 3146 } 3147 return sshkey_cert_check_authority(k, want_host, require_principal, 3148 wildcard_pattern, (uint64_t)now, name, reason); 3149 } 3150 3151 int 3152 sshkey_cert_check_host(const struct sshkey *key, const char *host, 3153 int wildcard_principals, const char *ca_sign_algorithms, 3154 const char **reason) 3155 { 3156 int r; 3157 3158 if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, 3159 host, reason)) != 0) 3160 return r; 3161 if (sshbuf_len(key->cert->critical) != 0) { 3162 *reason = "Certificate contains unsupported critical options"; 3163 return SSH_ERR_KEY_CERT_INVALID; 3164 } 3165 if (ca_sign_algorithms != NULL && 3166 (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { 3167 *reason = "Certificate signed with disallowed algorithm"; 3168 return SSH_ERR_KEY_CERT_INVALID; 3169 } 3170 return 0; 3171 } 3172 3173 size_t 3174 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 3175 { 3176 char from[32], to[32], ret[128]; 3177 3178 *from = *to = '\0'; 3179 if (cert->valid_after == 0 && 3180 cert->valid_before == 0xffffffffffffffffULL) 3181 return strlcpy(s, "forever", l); 3182 3183 if (cert->valid_after != 0) 3184 format_absolute_time(cert->valid_after, from, sizeof(from)); 3185 if (cert->valid_before != 0xffffffffffffffffULL) 3186 format_absolute_time(cert->valid_before, to, sizeof(to)); 3187 3188 if (cert->valid_after == 0) 3189 snprintf(ret, sizeof(ret), "before %s", to); 3190 else if (cert->valid_before == 0xffffffffffffffffULL) 3191 snprintf(ret, sizeof(ret), "after %s", from); 3192 else 3193 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 3194 3195 return strlcpy(s, ret, l); 3196 } 3197 3198 int 3199 sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, 3200 enum sshkey_serialize_rep opts) 3201 { 3202 int r = SSH_ERR_INTERNAL_ERROR; 3203 int was_shielded = sshkey_is_shielded(key); 3204 struct sshbuf *b = NULL; 3205 #ifdef WITH_OPENSSL 3206 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 3207 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 3208 #endif /* WITH_OPENSSL */ 3209 3210 if ((r = sshkey_unshield_private(key)) != 0) 3211 return r; 3212 if ((b = sshbuf_new()) == NULL) 3213 return SSH_ERR_ALLOC_FAIL; 3214 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 3215 goto out; 3216 switch (key->type) { 3217 #ifdef WITH_OPENSSL 3218 case KEY_RSA: 3219 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 3220 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 3221 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 3222 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 3223 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 3224 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 3225 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 3226 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 3227 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 3228 goto out; 3229 break; 3230 case KEY_RSA_CERT: 3231 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3232 r = SSH_ERR_INVALID_ARGUMENT; 3233 goto out; 3234 } 3235 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 3236 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 3237 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 3238 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3239 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 3240 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 3241 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 3242 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 3243 goto out; 3244 break; 3245 case KEY_DSA: 3246 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 3247 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 3248 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 3249 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 3250 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 3251 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 3252 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3253 goto out; 3254 break; 3255 case KEY_DSA_CERT: 3256 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3257 r = SSH_ERR_INVALID_ARGUMENT; 3258 goto out; 3259 } 3260 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 3261 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3262 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3263 goto out; 3264 break; 3265 case KEY_ECDSA: 3266 if ((r = sshbuf_put_cstring(b, 3267 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3268 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3269 (r = sshbuf_put_bignum2(b, 3270 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3271 goto out; 3272 break; 3273 case KEY_ECDSA_CERT: 3274 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3275 r = SSH_ERR_INVALID_ARGUMENT; 3276 goto out; 3277 } 3278 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3279 (r = sshbuf_put_bignum2(b, 3280 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3281 goto out; 3282 break; 3283 case KEY_ECDSA_SK: 3284 if ((r = sshbuf_put_cstring(b, 3285 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3286 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3287 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3288 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3289 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3290 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3291 goto out; 3292 break; 3293 case KEY_ECDSA_SK_CERT: 3294 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3295 r = SSH_ERR_INVALID_ARGUMENT; 3296 goto out; 3297 } 3298 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3299 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3300 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3301 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3302 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3303 goto out; 3304 break; 3305 #endif /* WITH_OPENSSL */ 3306 case KEY_ED25519: 3307 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3308 ED25519_PK_SZ)) != 0 || 3309 (r = sshbuf_put_string(b, key->ed25519_sk, 3310 ED25519_SK_SZ)) != 0) 3311 goto out; 3312 break; 3313 case KEY_ED25519_CERT: 3314 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3315 r = SSH_ERR_INVALID_ARGUMENT; 3316 goto out; 3317 } 3318 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3319 (r = sshbuf_put_string(b, key->ed25519_pk, 3320 ED25519_PK_SZ)) != 0 || 3321 (r = sshbuf_put_string(b, key->ed25519_sk, 3322 ED25519_SK_SZ)) != 0) 3323 goto out; 3324 break; 3325 case KEY_ED25519_SK: 3326 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3327 ED25519_PK_SZ)) != 0 || 3328 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3329 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3330 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3331 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3332 goto out; 3333 break; 3334 case KEY_ED25519_SK_CERT: 3335 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3336 r = SSH_ERR_INVALID_ARGUMENT; 3337 goto out; 3338 } 3339 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3340 (r = sshbuf_put_string(b, key->ed25519_pk, 3341 ED25519_PK_SZ)) != 0 || 3342 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3343 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3344 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3345 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3346 goto out; 3347 break; 3348 #ifdef WITH_XMSS 3349 case KEY_XMSS: 3350 if (key->xmss_name == NULL) { 3351 r = SSH_ERR_INVALID_ARGUMENT; 3352 goto out; 3353 } 3354 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3355 (r = sshbuf_put_string(b, key->xmss_pk, 3356 sshkey_xmss_pklen(key))) != 0 || 3357 (r = sshbuf_put_string(b, key->xmss_sk, 3358 sshkey_xmss_sklen(key))) != 0 || 3359 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3360 goto out; 3361 break; 3362 case KEY_XMSS_CERT: 3363 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 3364 key->xmss_name == NULL) { 3365 r = SSH_ERR_INVALID_ARGUMENT; 3366 goto out; 3367 } 3368 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3369 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3370 (r = sshbuf_put_string(b, key->xmss_pk, 3371 sshkey_xmss_pklen(key))) != 0 || 3372 (r = sshbuf_put_string(b, key->xmss_sk, 3373 sshkey_xmss_sklen(key))) != 0 || 3374 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3375 goto out; 3376 break; 3377 #endif /* WITH_XMSS */ 3378 default: 3379 r = SSH_ERR_INVALID_ARGUMENT; 3380 goto out; 3381 } 3382 /* 3383 * success (but we still need to append the output to buf after 3384 * possibly re-shielding the private key) 3385 */ 3386 r = 0; 3387 out: 3388 if (was_shielded) 3389 r = sshkey_shield_private(key); 3390 if (r == 0) 3391 r = sshbuf_putb(buf, b); 3392 sshbuf_free(b); 3393 3394 return r; 3395 } 3396 3397 int 3398 sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) 3399 { 3400 return sshkey_private_serialize_opt(key, b, 3401 SSHKEY_SERIALIZE_DEFAULT); 3402 } 3403 3404 int 3405 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 3406 { 3407 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 3408 char *expect_sk_application = NULL; 3409 struct sshkey *k = NULL; 3410 size_t pklen = 0, sklen = 0; 3411 int type, r = SSH_ERR_INTERNAL_ERROR; 3412 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 3413 u_char *expect_ed25519_pk = NULL; 3414 u_char *xmss_pk = NULL, *xmss_sk = NULL; 3415 #ifdef WITH_OPENSSL 3416 BIGNUM *exponent = NULL; 3417 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 3418 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 3419 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 3420 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 3421 #endif /* WITH_OPENSSL */ 3422 3423 if (kp != NULL) 3424 *kp = NULL; 3425 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 3426 goto out; 3427 type = sshkey_type_from_name(tname); 3428 if (sshkey_type_is_cert(type)) { 3429 /* 3430 * Certificate key private keys begin with the certificate 3431 * itself. Make sure this matches the type of the enclosing 3432 * private key. 3433 */ 3434 if ((r = sshkey_froms(buf, &k)) != 0) 3435 goto out; 3436 if (k->type != type) { 3437 r = SSH_ERR_KEY_CERT_MISMATCH; 3438 goto out; 3439 } 3440 /* For ECDSA keys, the group must match too */ 3441 if (k->type == KEY_ECDSA && 3442 k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { 3443 r = SSH_ERR_KEY_CERT_MISMATCH; 3444 goto out; 3445 } 3446 /* 3447 * Several fields are redundant between certificate and 3448 * private key body, we require these to match. 3449 */ 3450 expect_sk_application = k->sk_application; 3451 expect_ed25519_pk = k->ed25519_pk; 3452 k->sk_application = NULL; 3453 k->ed25519_pk = NULL; 3454 } else { 3455 if ((k = sshkey_new(type)) == NULL) { 3456 r = SSH_ERR_ALLOC_FAIL; 3457 goto out; 3458 } 3459 } 3460 switch (type) { 3461 #ifdef WITH_OPENSSL 3462 case KEY_DSA: 3463 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 3464 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 3465 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 3466 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0) 3467 goto out; 3468 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 3469 r = SSH_ERR_LIBCRYPTO_ERROR; 3470 goto out; 3471 } 3472 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 3473 if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL)) { 3474 r = SSH_ERR_LIBCRYPTO_ERROR; 3475 goto out; 3476 } 3477 dsa_pub_key = NULL; /* transferred */ 3478 /* FALLTHROUGH */ 3479 case KEY_DSA_CERT: 3480 if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 3481 goto out; 3482 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 3483 r = SSH_ERR_LIBCRYPTO_ERROR; 3484 goto out; 3485 } 3486 dsa_priv_key = NULL; /* transferred */ 3487 break; 3488 case KEY_ECDSA: 3489 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3490 r = SSH_ERR_INVALID_ARGUMENT; 3491 goto out; 3492 } 3493 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3494 goto out; 3495 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3496 r = SSH_ERR_EC_CURVE_MISMATCH; 3497 goto out; 3498 } 3499 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3500 if (k->ecdsa == NULL) { 3501 r = SSH_ERR_LIBCRYPTO_ERROR; 3502 goto out; 3503 } 3504 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0) 3505 goto out; 3506 /* FALLTHROUGH */ 3507 case KEY_ECDSA_CERT: 3508 if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0) 3509 goto out; 3510 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 3511 r = SSH_ERR_LIBCRYPTO_ERROR; 3512 goto out; 3513 } 3514 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3515 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 3516 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 3517 goto out; 3518 break; 3519 case KEY_ECDSA_SK: 3520 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3521 r = SSH_ERR_INVALID_ARGUMENT; 3522 goto out; 3523 } 3524 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3525 goto out; 3526 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3527 r = SSH_ERR_EC_CURVE_MISMATCH; 3528 goto out; 3529 } 3530 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3531 (k->sk_reserved = sshbuf_new()) == NULL) { 3532 r = SSH_ERR_ALLOC_FAIL; 3533 goto out; 3534 } 3535 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3536 if (k->ecdsa == NULL) { 3537 r = SSH_ERR_LIBCRYPTO_ERROR; 3538 goto out; 3539 } 3540 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 3541 (r = sshbuf_get_cstring(buf, &k->sk_application, 3542 NULL)) != 0 || 3543 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3544 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3545 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3546 goto out; 3547 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3548 EC_KEY_get0_public_key(k->ecdsa))) != 0) 3549 goto out; 3550 break; 3551 case KEY_ECDSA_SK_CERT: 3552 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3553 (k->sk_reserved = sshbuf_new()) == NULL) { 3554 r = SSH_ERR_ALLOC_FAIL; 3555 goto out; 3556 } 3557 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3558 NULL)) != 0 || 3559 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3560 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3561 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3562 goto out; 3563 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3564 EC_KEY_get0_public_key(k->ecdsa))) != 0) 3565 goto out; 3566 break; 3567 case KEY_RSA: 3568 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 3569 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0) 3570 goto out; 3571 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL)) { 3572 r = SSH_ERR_LIBCRYPTO_ERROR; 3573 goto out; 3574 } 3575 rsa_n = rsa_e = NULL; /* transferred */ 3576 /* FALLTHROUGH */ 3577 case KEY_RSA_CERT: 3578 if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 3579 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 3580 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 3581 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 3582 goto out; 3583 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 3584 r = SSH_ERR_LIBCRYPTO_ERROR; 3585 goto out; 3586 } 3587 rsa_d = NULL; /* transferred */ 3588 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 3589 r = SSH_ERR_LIBCRYPTO_ERROR; 3590 goto out; 3591 } 3592 rsa_p = rsa_q = NULL; /* transferred */ 3593 if ((r = sshkey_check_rsa_length(k, 0)) != 0) 3594 goto out; 3595 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3596 goto out; 3597 break; 3598 #endif /* WITH_OPENSSL */ 3599 case KEY_ED25519: 3600 case KEY_ED25519_CERT: 3601 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3602 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3603 goto out; 3604 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3605 r = SSH_ERR_INVALID_FORMAT; 3606 goto out; 3607 } 3608 k->ed25519_pk = ed25519_pk; 3609 k->ed25519_sk = ed25519_sk; 3610 ed25519_pk = ed25519_sk = NULL; /* transferred */ 3611 break; 3612 case KEY_ED25519_SK: 3613 case KEY_ED25519_SK_CERT: 3614 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0) 3615 goto out; 3616 if (pklen != ED25519_PK_SZ) { 3617 r = SSH_ERR_INVALID_FORMAT; 3618 goto out; 3619 } 3620 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3621 (k->sk_reserved = sshbuf_new()) == NULL) { 3622 r = SSH_ERR_ALLOC_FAIL; 3623 goto out; 3624 } 3625 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3626 NULL)) != 0 || 3627 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3628 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3629 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3630 goto out; 3631 k->ed25519_pk = ed25519_pk; 3632 ed25519_pk = NULL; /* transferred */ 3633 break; 3634 #ifdef WITH_XMSS 3635 case KEY_XMSS: 3636 case KEY_XMSS_CERT: 3637 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3638 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3639 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3640 goto out; 3641 if (type == KEY_XMSS && 3642 (r = sshkey_xmss_init(k, xmss_name)) != 0) 3643 goto out; 3644 if (pklen != sshkey_xmss_pklen(k) || 3645 sklen != sshkey_xmss_sklen(k)) { 3646 r = SSH_ERR_INVALID_FORMAT; 3647 goto out; 3648 } 3649 k->xmss_pk = xmss_pk; 3650 k->xmss_sk = xmss_sk; 3651 xmss_pk = xmss_sk = NULL; 3652 /* optional internal state */ 3653 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3654 goto out; 3655 break; 3656 #endif /* WITH_XMSS */ 3657 default: 3658 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3659 goto out; 3660 } 3661 #ifdef WITH_OPENSSL 3662 /* enable blinding */ 3663 switch (k->type) { 3664 case KEY_RSA: 3665 case KEY_RSA_CERT: 3666 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3667 r = SSH_ERR_LIBCRYPTO_ERROR; 3668 goto out; 3669 } 3670 break; 3671 } 3672 #endif /* WITH_OPENSSL */ 3673 if ((expect_sk_application != NULL && (k->sk_application == NULL || 3674 strcmp(expect_sk_application, k->sk_application) != 0)) || 3675 (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL || 3676 memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) { 3677 r = SSH_ERR_KEY_CERT_MISMATCH; 3678 goto out; 3679 } 3680 /* success */ 3681 r = 0; 3682 if (kp != NULL) { 3683 *kp = k; 3684 k = NULL; 3685 } 3686 out: 3687 free(tname); 3688 free(curve); 3689 #ifdef WITH_OPENSSL 3690 BN_clear_free(exponent); 3691 BN_clear_free(dsa_p); 3692 BN_clear_free(dsa_q); 3693 BN_clear_free(dsa_g); 3694 BN_clear_free(dsa_pub_key); 3695 BN_clear_free(dsa_priv_key); 3696 BN_clear_free(rsa_n); 3697 BN_clear_free(rsa_e); 3698 BN_clear_free(rsa_d); 3699 BN_clear_free(rsa_p); 3700 BN_clear_free(rsa_q); 3701 BN_clear_free(rsa_iqmp); 3702 #endif /* WITH_OPENSSL */ 3703 sshkey_free(k); 3704 freezero(ed25519_pk, pklen); 3705 freezero(ed25519_sk, sklen); 3706 free(xmss_name); 3707 freezero(xmss_pk, pklen); 3708 freezero(xmss_sk, sklen); 3709 free(expect_sk_application); 3710 free(expect_ed25519_pk); 3711 return r; 3712 } 3713 3714 #ifdef WITH_OPENSSL 3715 int 3716 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3717 { 3718 EC_POINT *nq = NULL; 3719 BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL; 3720 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3721 3722 /* 3723 * NB. This assumes OpenSSL has already verified that the public 3724 * point lies on the curve. This is done by EC_POINT_oct2point() 3725 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3726 * reachable with public points not unmarshalled using 3727 * EC_POINT_oct2point then the caller will need to explicitly check. 3728 */ 3729 3730 /* 3731 * We shouldn't ever hit this case because bignum_get_ecpoint() 3732 * refuses to load GF2m points. 3733 */ 3734 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3735 NID_X9_62_prime_field) 3736 goto out; 3737 3738 /* Q != infinity */ 3739 if (EC_POINT_is_at_infinity(group, public)) 3740 goto out; 3741 3742 if ((x = BN_new()) == NULL || 3743 (y = BN_new()) == NULL || 3744 (order = BN_new()) == NULL || 3745 (tmp = BN_new()) == NULL) { 3746 ret = SSH_ERR_ALLOC_FAIL; 3747 goto out; 3748 } 3749 3750 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3751 if (EC_GROUP_get_order(group, order, NULL) != 1 || 3752 EC_POINT_get_affine_coordinates_GFp(group, public, 3753 x, y, NULL) != 1) { 3754 ret = SSH_ERR_LIBCRYPTO_ERROR; 3755 goto out; 3756 } 3757 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3758 BN_num_bits(y) <= BN_num_bits(order) / 2) 3759 goto out; 3760 3761 /* nQ == infinity (n == order of subgroup) */ 3762 if ((nq = EC_POINT_new(group)) == NULL) { 3763 ret = SSH_ERR_ALLOC_FAIL; 3764 goto out; 3765 } 3766 if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) { 3767 ret = SSH_ERR_LIBCRYPTO_ERROR; 3768 goto out; 3769 } 3770 if (EC_POINT_is_at_infinity(group, nq) != 1) 3771 goto out; 3772 3773 /* x < order - 1, y < order - 1 */ 3774 if (!BN_sub(tmp, order, BN_value_one())) { 3775 ret = SSH_ERR_LIBCRYPTO_ERROR; 3776 goto out; 3777 } 3778 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3779 goto out; 3780 ret = 0; 3781 out: 3782 BN_clear_free(x); 3783 BN_clear_free(y); 3784 BN_clear_free(order); 3785 BN_clear_free(tmp); 3786 EC_POINT_free(nq); 3787 return ret; 3788 } 3789 3790 int 3791 sshkey_ec_validate_private(const EC_KEY *key) 3792 { 3793 BIGNUM *order = NULL, *tmp = NULL; 3794 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3795 3796 if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) { 3797 ret = SSH_ERR_ALLOC_FAIL; 3798 goto out; 3799 } 3800 3801 /* log2(private) > log2(order)/2 */ 3802 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) { 3803 ret = SSH_ERR_LIBCRYPTO_ERROR; 3804 goto out; 3805 } 3806 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3807 BN_num_bits(order) / 2) 3808 goto out; 3809 3810 /* private < order - 1 */ 3811 if (!BN_sub(tmp, order, BN_value_one())) { 3812 ret = SSH_ERR_LIBCRYPTO_ERROR; 3813 goto out; 3814 } 3815 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3816 goto out; 3817 ret = 0; 3818 out: 3819 BN_clear_free(order); 3820 BN_clear_free(tmp); 3821 return ret; 3822 } 3823 3824 void 3825 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3826 { 3827 BIGNUM *x = NULL, *y = NULL; 3828 3829 if (point == NULL) { 3830 fputs("point=(NULL)\n", stderr); 3831 return; 3832 } 3833 if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) { 3834 fprintf(stderr, "%s: BN_new failed\n", __func__); 3835 goto out; 3836 } 3837 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3838 NID_X9_62_prime_field) { 3839 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3840 goto out; 3841 } 3842 if (EC_POINT_get_affine_coordinates_GFp(group, point, 3843 x, y, NULL) != 1) { 3844 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3845 __func__); 3846 goto out; 3847 } 3848 fputs("x=", stderr); 3849 BN_print_fp(stderr, x); 3850 fputs("\ny=", stderr); 3851 BN_print_fp(stderr, y); 3852 fputs("\n", stderr); 3853 out: 3854 BN_clear_free(x); 3855 BN_clear_free(y); 3856 } 3857 3858 void 3859 sshkey_dump_ec_key(const EC_KEY *key) 3860 { 3861 const BIGNUM *exponent; 3862 3863 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3864 EC_KEY_get0_public_key(key)); 3865 fputs("exponent=", stderr); 3866 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3867 fputs("(NULL)", stderr); 3868 else 3869 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3870 fputs("\n", stderr); 3871 } 3872 #endif /* WITH_OPENSSL */ 3873 3874 static int 3875 sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, 3876 const char *passphrase, const char *comment, const char *ciphername, 3877 int rounds) 3878 { 3879 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3880 u_char salt[SALT_LEN]; 3881 char *b64 = NULL; 3882 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3883 u_int check; 3884 int r = SSH_ERR_INTERNAL_ERROR; 3885 struct sshcipher_ctx *ciphercontext = NULL; 3886 const struct sshcipher *cipher; 3887 const char *kdfname = KDFNAME; 3888 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3889 3890 if (rounds <= 0) 3891 rounds = DEFAULT_ROUNDS; 3892 if (passphrase == NULL || !strlen(passphrase)) { 3893 ciphername = "none"; 3894 kdfname = "none"; 3895 } else if (ciphername == NULL) 3896 ciphername = DEFAULT_CIPHERNAME; 3897 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3898 r = SSH_ERR_INVALID_ARGUMENT; 3899 goto out; 3900 } 3901 3902 if ((kdf = sshbuf_new()) == NULL || 3903 (encoded = sshbuf_new()) == NULL || 3904 (encrypted = sshbuf_new()) == NULL) { 3905 r = SSH_ERR_ALLOC_FAIL; 3906 goto out; 3907 } 3908 blocksize = cipher_blocksize(cipher); 3909 keylen = cipher_keylen(cipher); 3910 ivlen = cipher_ivlen(cipher); 3911 authlen = cipher_authlen(cipher); 3912 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3913 r = SSH_ERR_ALLOC_FAIL; 3914 goto out; 3915 } 3916 if (strcmp(kdfname, "bcrypt") == 0) { 3917 arc4random_buf(salt, SALT_LEN); 3918 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3919 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3920 r = SSH_ERR_INVALID_ARGUMENT; 3921 goto out; 3922 } 3923 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3924 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3925 goto out; 3926 } else if (strcmp(kdfname, "none") != 0) { 3927 /* Unsupported KDF type */ 3928 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3929 goto out; 3930 } 3931 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3932 key + keylen, ivlen, 1)) != 0) 3933 goto out; 3934 3935 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3936 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3937 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3938 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3939 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3940 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3941 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3942 goto out; 3943 3944 /* set up the buffer that will be encrypted */ 3945 3946 /* Random check bytes */ 3947 check = arc4random(); 3948 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3949 (r = sshbuf_put_u32(encrypted, check)) != 0) 3950 goto out; 3951 3952 /* append private key and comment*/ 3953 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3954 SSHKEY_SERIALIZE_FULL)) != 0 || 3955 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3956 goto out; 3957 3958 /* padding */ 3959 i = 0; 3960 while (sshbuf_len(encrypted) % blocksize) { 3961 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3962 goto out; 3963 } 3964 3965 /* length in destination buffer */ 3966 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3967 goto out; 3968 3969 /* encrypt */ 3970 if ((r = sshbuf_reserve(encoded, 3971 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3972 goto out; 3973 if ((r = cipher_crypt(ciphercontext, 0, cp, 3974 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3975 goto out; 3976 3977 sshbuf_reset(blob); 3978 3979 /* assemble uuencoded key */ 3980 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 || 3981 (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || 3982 (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3983 goto out; 3984 3985 /* success */ 3986 r = 0; 3987 3988 out: 3989 sshbuf_free(kdf); 3990 sshbuf_free(encoded); 3991 sshbuf_free(encrypted); 3992 cipher_free(ciphercontext); 3993 explicit_bzero(salt, sizeof(salt)); 3994 if (key != NULL) 3995 freezero(key, keylen + ivlen); 3996 if (pubkeyblob != NULL) 3997 freezero(pubkeyblob, pubkeylen); 3998 if (b64 != NULL) 3999 freezero(b64, strlen(b64)); 4000 return r; 4001 } 4002 4003 static int 4004 private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) 4005 { 4006 const u_char *cp; 4007 size_t encoded_len; 4008 int r; 4009 u_char last; 4010 struct sshbuf *encoded = NULL, *decoded = NULL; 4011 4012 if (blob == NULL || decodedp == NULL) 4013 return SSH_ERR_INVALID_ARGUMENT; 4014 4015 *decodedp = NULL; 4016 4017 if ((encoded = sshbuf_new()) == NULL || 4018 (decoded = sshbuf_new()) == NULL) { 4019 r = SSH_ERR_ALLOC_FAIL; 4020 goto out; 4021 } 4022 4023 /* check preamble */ 4024 cp = sshbuf_ptr(blob); 4025 encoded_len = sshbuf_len(blob); 4026 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 4027 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 4028 r = SSH_ERR_INVALID_FORMAT; 4029 goto out; 4030 } 4031 cp += MARK_BEGIN_LEN; 4032 encoded_len -= MARK_BEGIN_LEN; 4033 4034 /* Look for end marker, removing whitespace as we go */ 4035 while (encoded_len > 0) { 4036 if (*cp != '\n' && *cp != '\r') { 4037 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 4038 goto out; 4039 } 4040 last = *cp; 4041 encoded_len--; 4042 cp++; 4043 if (last == '\n') { 4044 if (encoded_len >= MARK_END_LEN && 4045 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 4046 /* \0 terminate */ 4047 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 4048 goto out; 4049 break; 4050 } 4051 } 4052 } 4053 if (encoded_len == 0) { 4054 r = SSH_ERR_INVALID_FORMAT; 4055 goto out; 4056 } 4057 4058 /* decode base64 */ 4059 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 4060 goto out; 4061 4062 /* check magic */ 4063 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 4064 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 4065 r = SSH_ERR_INVALID_FORMAT; 4066 goto out; 4067 } 4068 /* success */ 4069 *decodedp = decoded; 4070 decoded = NULL; 4071 r = 0; 4072 out: 4073 sshbuf_free(encoded); 4074 sshbuf_free(decoded); 4075 return r; 4076 } 4077 4078 static int 4079 private2_decrypt(struct sshbuf *decoded, const char *passphrase, 4080 struct sshbuf **decryptedp, struct sshkey **pubkeyp) 4081 { 4082 char *ciphername = NULL, *kdfname = NULL; 4083 const struct sshcipher *cipher = NULL; 4084 int r = SSH_ERR_INTERNAL_ERROR; 4085 size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; 4086 struct sshbuf *kdf = NULL, *decrypted = NULL; 4087 struct sshcipher_ctx *ciphercontext = NULL; 4088 struct sshkey *pubkey = NULL; 4089 u_char *key = NULL, *salt = NULL, *dp; 4090 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 4091 4092 if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL) 4093 return SSH_ERR_INVALID_ARGUMENT; 4094 4095 *decryptedp = NULL; 4096 *pubkeyp = NULL; 4097 4098 if ((decrypted = sshbuf_new()) == NULL) { 4099 r = SSH_ERR_ALLOC_FAIL; 4100 goto out; 4101 } 4102 4103 /* parse public portion of key */ 4104 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 4105 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 4106 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 4107 (r = sshbuf_froms(decoded, &kdf)) != 0 || 4108 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 4109 goto out; 4110 4111 if (nkeys != 1) { 4112 /* XXX only one key supported at present */ 4113 r = SSH_ERR_INVALID_FORMAT; 4114 goto out; 4115 } 4116 4117 if ((r = sshkey_froms(decoded, &pubkey)) != 0 || 4118 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 4119 goto out; 4120 4121 if ((cipher = cipher_by_name(ciphername)) == NULL) { 4122 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 4123 goto out; 4124 } 4125 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 4126 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 4127 goto out; 4128 } 4129 if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { 4130 r = SSH_ERR_INVALID_FORMAT; 4131 goto out; 4132 } 4133 if ((passphrase == NULL || strlen(passphrase) == 0) && 4134 strcmp(kdfname, "none") != 0) { 4135 /* passphrase required */ 4136 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4137 goto out; 4138 } 4139 4140 /* check size of encrypted key blob */ 4141 blocksize = cipher_blocksize(cipher); 4142 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 4143 r = SSH_ERR_INVALID_FORMAT; 4144 goto out; 4145 } 4146 4147 /* setup key */ 4148 keylen = cipher_keylen(cipher); 4149 ivlen = cipher_ivlen(cipher); 4150 authlen = cipher_authlen(cipher); 4151 if ((key = calloc(1, keylen + ivlen)) == NULL) { 4152 r = SSH_ERR_ALLOC_FAIL; 4153 goto out; 4154 } 4155 if (strcmp(kdfname, "bcrypt") == 0) { 4156 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 4157 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 4158 goto out; 4159 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 4160 key, keylen + ivlen, rounds) < 0) { 4161 r = SSH_ERR_INVALID_FORMAT; 4162 goto out; 4163 } 4164 } 4165 4166 /* check that an appropriate amount of auth data is present */ 4167 if (sshbuf_len(decoded) < authlen || 4168 sshbuf_len(decoded) - authlen < encrypted_len) { 4169 r = SSH_ERR_INVALID_FORMAT; 4170 goto out; 4171 } 4172 4173 /* decrypt private portion of key */ 4174 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 4175 (r = cipher_init(&ciphercontext, cipher, key, keylen, 4176 key + keylen, ivlen, 0)) != 0) 4177 goto out; 4178 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 4179 encrypted_len, 0, authlen)) != 0) { 4180 /* an integrity error here indicates an incorrect passphrase */ 4181 if (r == SSH_ERR_MAC_INVALID) 4182 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4183 goto out; 4184 } 4185 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 4186 goto out; 4187 /* there should be no trailing data */ 4188 if (sshbuf_len(decoded) != 0) { 4189 r = SSH_ERR_INVALID_FORMAT; 4190 goto out; 4191 } 4192 4193 /* check check bytes */ 4194 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 4195 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 4196 goto out; 4197 if (check1 != check2) { 4198 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4199 goto out; 4200 } 4201 /* success */ 4202 *decryptedp = decrypted; 4203 decrypted = NULL; 4204 *pubkeyp = pubkey; 4205 pubkey = NULL; 4206 r = 0; 4207 out: 4208 cipher_free(ciphercontext); 4209 free(ciphername); 4210 free(kdfname); 4211 sshkey_free(pubkey); 4212 if (salt != NULL) { 4213 explicit_bzero(salt, slen); 4214 free(salt); 4215 } 4216 if (key != NULL) { 4217 explicit_bzero(key, keylen + ivlen); 4218 free(key); 4219 } 4220 sshbuf_free(kdf); 4221 sshbuf_free(decrypted); 4222 return r; 4223 } 4224 4225 static int 4226 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 4227 struct sshkey **keyp, char **commentp) 4228 { 4229 char *comment = NULL; 4230 int r = SSH_ERR_INTERNAL_ERROR; 4231 struct sshbuf *decoded = NULL, *decrypted = NULL; 4232 struct sshkey *k = NULL, *pubkey = NULL; 4233 4234 if (keyp != NULL) 4235 *keyp = NULL; 4236 if (commentp != NULL) 4237 *commentp = NULL; 4238 4239 /* Undo base64 encoding and decrypt the private section */ 4240 if ((r = private2_uudecode(blob, &decoded)) != 0 || 4241 (r = private2_decrypt(decoded, passphrase, 4242 &decrypted, &pubkey)) != 0) 4243 goto out; 4244 4245 if (type != KEY_UNSPEC && 4246 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 4247 r = SSH_ERR_KEY_TYPE_MISMATCH; 4248 goto out; 4249 } 4250 4251 /* Load the private key and comment */ 4252 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 4253 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 4254 goto out; 4255 4256 /* Check deterministic padding after private section */ 4257 if ((r = private2_check_padding(decrypted)) != 0) 4258 goto out; 4259 4260 /* Check that the public key in the envelope matches the private key */ 4261 if (!sshkey_equal(pubkey, k)) { 4262 r = SSH_ERR_INVALID_FORMAT; 4263 goto out; 4264 } 4265 4266 /* success */ 4267 r = 0; 4268 if (keyp != NULL) { 4269 *keyp = k; 4270 k = NULL; 4271 } 4272 if (commentp != NULL) { 4273 *commentp = comment; 4274 comment = NULL; 4275 } 4276 out: 4277 free(comment); 4278 sshbuf_free(decoded); 4279 sshbuf_free(decrypted); 4280 sshkey_free(k); 4281 sshkey_free(pubkey); 4282 return r; 4283 } 4284 4285 static int 4286 sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, 4287 struct sshkey **keyp) 4288 { 4289 int r = SSH_ERR_INTERNAL_ERROR; 4290 struct sshbuf *decoded = NULL; 4291 struct sshkey *pubkey = NULL; 4292 u_int nkeys = 0; 4293 4294 if (keyp != NULL) 4295 *keyp = NULL; 4296 4297 if ((r = private2_uudecode(blob, &decoded)) != 0) 4298 goto out; 4299 /* parse public key from unencrypted envelope */ 4300 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 4301 (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */ 4302 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */ 4303 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */ 4304 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 4305 goto out; 4306 4307 if (nkeys != 1) { 4308 /* XXX only one key supported at present */ 4309 r = SSH_ERR_INVALID_FORMAT; 4310 goto out; 4311 } 4312 4313 /* Parse the public key */ 4314 if ((r = sshkey_froms(decoded, &pubkey)) != 0) 4315 goto out; 4316 4317 if (type != KEY_UNSPEC && 4318 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 4319 r = SSH_ERR_KEY_TYPE_MISMATCH; 4320 goto out; 4321 } 4322 4323 /* success */ 4324 r = 0; 4325 if (keyp != NULL) { 4326 *keyp = pubkey; 4327 pubkey = NULL; 4328 } 4329 out: 4330 sshbuf_free(decoded); 4331 sshkey_free(pubkey); 4332 return r; 4333 } 4334 4335 #ifdef WITH_OPENSSL 4336 /* convert SSH v2 key to PEM or PKCS#8 format */ 4337 static int 4338 sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, 4339 int format, const char *_passphrase, const char *comment) 4340 { 4341 int was_shielded = sshkey_is_shielded(key); 4342 int success, r; 4343 int blen, len = strlen(_passphrase); 4344 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 4345 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 4346 char *bptr; 4347 BIO *bio = NULL; 4348 struct sshbuf *blob; 4349 EVP_PKEY *pkey = NULL; 4350 4351 if (len > 0 && len <= 4) 4352 return SSH_ERR_PASSPHRASE_TOO_SHORT; 4353 if ((blob = sshbuf_new()) == NULL) 4354 return SSH_ERR_ALLOC_FAIL; 4355 if ((bio = BIO_new(BIO_s_mem())) == NULL) { 4356 r = SSH_ERR_ALLOC_FAIL; 4357 goto out; 4358 } 4359 if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) { 4360 r = SSH_ERR_ALLOC_FAIL; 4361 goto out; 4362 } 4363 if ((r = sshkey_unshield_private(key)) != 0) 4364 goto out; 4365 4366 switch (key->type) { 4367 case KEY_DSA: 4368 if (format == SSHKEY_PRIVATE_PEM) { 4369 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 4370 cipher, passphrase, len, NULL, NULL); 4371 } else { 4372 success = EVP_PKEY_set1_DSA(pkey, key->dsa); 4373 } 4374 break; 4375 case KEY_ECDSA: 4376 if (format == SSHKEY_PRIVATE_PEM) { 4377 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 4378 cipher, passphrase, len, NULL, NULL); 4379 } else { 4380 success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa); 4381 } 4382 break; 4383 case KEY_RSA: 4384 if (format == SSHKEY_PRIVATE_PEM) { 4385 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 4386 cipher, passphrase, len, NULL, NULL); 4387 } else { 4388 success = EVP_PKEY_set1_RSA(pkey, key->rsa); 4389 } 4390 break; 4391 default: 4392 success = 0; 4393 break; 4394 } 4395 if (success == 0) { 4396 r = SSH_ERR_LIBCRYPTO_ERROR; 4397 goto out; 4398 } 4399 if (format == SSHKEY_PRIVATE_PKCS8) { 4400 if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, 4401 passphrase, len, NULL, NULL)) == 0) { 4402 r = SSH_ERR_LIBCRYPTO_ERROR; 4403 goto out; 4404 } 4405 } 4406 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 4407 r = SSH_ERR_INTERNAL_ERROR; 4408 goto out; 4409 } 4410 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 4411 goto out; 4412 r = 0; 4413 out: 4414 if (was_shielded) 4415 r = sshkey_shield_private(key); 4416 if (r == 0) 4417 r = sshbuf_putb(buf, blob); 4418 4419 EVP_PKEY_free(pkey); 4420 sshbuf_free(blob); 4421 BIO_free(bio); 4422 return r; 4423 } 4424 #endif /* WITH_OPENSSL */ 4425 4426 /* Serialise "key" to buffer "blob" */ 4427 int 4428 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 4429 const char *passphrase, const char *comment, 4430 int format, const char *openssh_format_cipher, int openssh_format_rounds) 4431 { 4432 switch (key->type) { 4433 #ifdef WITH_OPENSSL 4434 case KEY_DSA: 4435 case KEY_ECDSA: 4436 case KEY_RSA: 4437 break; /* see below */ 4438 #endif /* WITH_OPENSSL */ 4439 case KEY_ED25519: 4440 case KEY_ED25519_SK: 4441 #ifdef WITH_XMSS 4442 case KEY_XMSS: 4443 #endif /* WITH_XMSS */ 4444 #ifdef WITH_OPENSSL 4445 case KEY_ECDSA_SK: 4446 #endif /* WITH_OPENSSL */ 4447 return sshkey_private_to_blob2(key, blob, passphrase, 4448 comment, openssh_format_cipher, openssh_format_rounds); 4449 default: 4450 return SSH_ERR_KEY_TYPE_UNKNOWN; 4451 } 4452 4453 #ifdef WITH_OPENSSL 4454 switch (format) { 4455 case SSHKEY_PRIVATE_OPENSSH: 4456 return sshkey_private_to_blob2(key, blob, passphrase, 4457 comment, openssh_format_cipher, openssh_format_rounds); 4458 case SSHKEY_PRIVATE_PEM: 4459 case SSHKEY_PRIVATE_PKCS8: 4460 return sshkey_private_to_blob_pem_pkcs8(key, blob, 4461 format, passphrase, comment); 4462 default: 4463 return SSH_ERR_INVALID_ARGUMENT; 4464 } 4465 #endif /* WITH_OPENSSL */ 4466 } 4467 4468 #ifdef WITH_OPENSSL 4469 static int 4470 translate_libcrypto_error(unsigned long pem_err) 4471 { 4472 int pem_reason = ERR_GET_REASON(pem_err); 4473 4474 switch (ERR_GET_LIB(pem_err)) { 4475 case ERR_LIB_PEM: 4476 switch (pem_reason) { 4477 case PEM_R_BAD_PASSWORD_READ: 4478 case PEM_R_PROBLEMS_GETTING_PASSWORD: 4479 case PEM_R_BAD_DECRYPT: 4480 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4481 default: 4482 return SSH_ERR_INVALID_FORMAT; 4483 } 4484 case ERR_LIB_EVP: 4485 switch (pem_reason) { 4486 case EVP_R_BAD_DECRYPT: 4487 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4488 #ifdef EVP_R_BN_DECODE_ERROR 4489 case EVP_R_BN_DECODE_ERROR: 4490 #endif 4491 case EVP_R_DECODE_ERROR: 4492 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 4493 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 4494 #endif 4495 return SSH_ERR_INVALID_FORMAT; 4496 default: 4497 return SSH_ERR_LIBCRYPTO_ERROR; 4498 } 4499 case ERR_LIB_ASN1: 4500 return SSH_ERR_INVALID_FORMAT; 4501 } 4502 return SSH_ERR_LIBCRYPTO_ERROR; 4503 } 4504 4505 static void 4506 clear_libcrypto_errors(void) 4507 { 4508 while (ERR_get_error() != 0) 4509 ; 4510 } 4511 4512 /* 4513 * Translate OpenSSL error codes to determine whether 4514 * passphrase is required/incorrect. 4515 */ 4516 static int 4517 convert_libcrypto_error(void) 4518 { 4519 /* 4520 * Some password errors are reported at the beginning 4521 * of the error queue. 4522 */ 4523 if (translate_libcrypto_error(ERR_peek_error()) == 4524 SSH_ERR_KEY_WRONG_PASSPHRASE) 4525 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4526 return translate_libcrypto_error(ERR_peek_last_error()); 4527 } 4528 4529 #if 0 4530 static int 4531 pem_passphrase_cb(char *buf, int size, int rwflag, void *u) 4532 { 4533 char *p = (char *)u; 4534 size_t len; 4535 4536 if (p == NULL || (len = strlen(p)) == 0) 4537 return -1; 4538 if (size < 0 || len > (size_t)size) 4539 return -1; 4540 memcpy(buf, p, len); 4541 return (int)len; 4542 } 4543 #endif 4544 4545 static int 4546 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 4547 const char *passphrase, struct sshkey **keyp) 4548 { 4549 EVP_PKEY *pk = NULL; 4550 struct sshkey *prv = NULL; 4551 BIO *bio = NULL; 4552 int r; 4553 4554 if (keyp != NULL) 4555 *keyp = NULL; 4556 4557 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 4558 return SSH_ERR_ALLOC_FAIL; 4559 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 4560 (int)sshbuf_len(blob)) { 4561 r = SSH_ERR_ALLOC_FAIL; 4562 goto out; 4563 } 4564 4565 clear_libcrypto_errors(); 4566 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 4567 __UNCONST(passphrase))) == NULL) { 4568 /* 4569 * libcrypto may return various ASN.1 errors when attempting 4570 * to parse a key with an incorrect passphrase. 4571 * Treat all format errors as "incorrect passphrase" if a 4572 * passphrase was supplied. 4573 */ 4574 if (passphrase != NULL && *passphrase != '\0') 4575 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4576 else 4577 r = convert_libcrypto_error(); 4578 goto out; 4579 } 4580 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 4581 (type == KEY_UNSPEC || type == KEY_RSA)) { 4582 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4583 r = SSH_ERR_ALLOC_FAIL; 4584 goto out; 4585 } 4586 prv->rsa = EVP_PKEY_get1_RSA(pk); 4587 prv->type = KEY_RSA; 4588 #ifdef DEBUG_PK 4589 RSA_print_fp(stderr, prv->rsa, 8); 4590 #endif 4591 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 4592 r = SSH_ERR_LIBCRYPTO_ERROR; 4593 goto out; 4594 } 4595 if ((r = sshkey_check_rsa_length(prv, 0)) != 0) 4596 goto out; 4597 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 4598 (type == KEY_UNSPEC || type == KEY_DSA)) { 4599 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4600 r = SSH_ERR_ALLOC_FAIL; 4601 goto out; 4602 } 4603 prv->dsa = EVP_PKEY_get1_DSA(pk); 4604 prv->type = KEY_DSA; 4605 #ifdef DEBUG_PK 4606 DSA_print_fp(stderr, prv->dsa, 8); 4607 #endif 4608 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 4609 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 4610 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4611 r = SSH_ERR_ALLOC_FAIL; 4612 goto out; 4613 } 4614 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 4615 prv->type = KEY_ECDSA; 4616 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 4617 if (prv->ecdsa_nid == -1 || 4618 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 4619 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 4620 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 4621 sshkey_ec_validate_private(prv->ecdsa) != 0) { 4622 r = SSH_ERR_INVALID_FORMAT; 4623 goto out; 4624 } 4625 #ifdef DEBUG_PK 4626 if (prv != NULL && prv->ecdsa != NULL) 4627 sshkey_dump_ec_key(prv->ecdsa); 4628 #endif 4629 } else { 4630 r = SSH_ERR_INVALID_FORMAT; 4631 goto out; 4632 } 4633 r = 0; 4634 if (keyp != NULL) { 4635 *keyp = prv; 4636 prv = NULL; 4637 } 4638 out: 4639 BIO_free(bio); 4640 EVP_PKEY_free(pk); 4641 sshkey_free(prv); 4642 return r; 4643 } 4644 #endif /* WITH_OPENSSL */ 4645 4646 int 4647 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 4648 const char *passphrase, struct sshkey **keyp, char **commentp) 4649 { 4650 int r = SSH_ERR_INTERNAL_ERROR; 4651 4652 if (keyp != NULL) 4653 *keyp = NULL; 4654 if (commentp != NULL) 4655 *commentp = NULL; 4656 4657 switch (type) { 4658 case KEY_ED25519: 4659 case KEY_XMSS: 4660 /* No fallback for new-format-only keys */ 4661 return sshkey_parse_private2(blob, type, passphrase, 4662 keyp, commentp); 4663 default: 4664 r = sshkey_parse_private2(blob, type, passphrase, keyp, 4665 commentp); 4666 /* Only fallback to PEM parser if a format error occurred. */ 4667 if (r != SSH_ERR_INVALID_FORMAT) 4668 return r; 4669 #ifdef WITH_OPENSSL 4670 return sshkey_parse_private_pem_fileblob(blob, type, 4671 passphrase, keyp); 4672 #else 4673 return SSH_ERR_INVALID_FORMAT; 4674 #endif /* WITH_OPENSSL */ 4675 } 4676 } 4677 4678 int 4679 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 4680 struct sshkey **keyp, char **commentp) 4681 { 4682 if (keyp != NULL) 4683 *keyp = NULL; 4684 if (commentp != NULL) 4685 *commentp = NULL; 4686 4687 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 4688 passphrase, keyp, commentp); 4689 } 4690 4691 void 4692 sshkey_sig_details_free(struct sshkey_sig_details *details) 4693 { 4694 freezero(details, sizeof(*details)); 4695 } 4696 4697 int 4698 sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, 4699 struct sshkey **pubkeyp) 4700 { 4701 int r = SSH_ERR_INTERNAL_ERROR; 4702 4703 if (pubkeyp != NULL) 4704 *pubkeyp = NULL; 4705 /* only new-format private keys bundle a public key inside */ 4706 if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) 4707 return r; 4708 return 0; 4709 } 4710 4711 #ifdef WITH_XMSS 4712 /* 4713 * serialize the key with the current state and forward the state 4714 * maxsign times. 4715 */ 4716 int 4717 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4718 u_int32_t maxsign, int printerror) 4719 { 4720 int r, rupdate; 4721 4722 if (maxsign == 0 || 4723 sshkey_type_plain(k->type) != KEY_XMSS) 4724 return sshkey_private_serialize_opt(k, b, 4725 SSHKEY_SERIALIZE_DEFAULT); 4726 if ((r = sshkey_xmss_get_state(k, printerror)) != 0 || 4727 (r = sshkey_private_serialize_opt(k, b, 4728 SSHKEY_SERIALIZE_STATE)) != 0 || 4729 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 4730 goto out; 4731 r = 0; 4732 out: 4733 if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) { 4734 if (r == 0) 4735 r = rupdate; 4736 } 4737 return r; 4738 } 4739 4740 u_int32_t 4741 sshkey_signatures_left(const struct sshkey *k) 4742 { 4743 if (sshkey_type_plain(k->type) == KEY_XMSS) 4744 return sshkey_xmss_signatures_left(k); 4745 return 0; 4746 } 4747 4748 int 4749 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4750 { 4751 if (sshkey_type_plain(k->type) != KEY_XMSS) 4752 return SSH_ERR_INVALID_ARGUMENT; 4753 return sshkey_xmss_enable_maxsign(k, maxsign); 4754 } 4755 4756 int 4757 sshkey_set_filename(struct sshkey *k, const char *filename) 4758 { 4759 if (k == NULL) 4760 return SSH_ERR_INVALID_ARGUMENT; 4761 if (sshkey_type_plain(k->type) != KEY_XMSS) 4762 return 0; 4763 if (filename == NULL) 4764 return SSH_ERR_INVALID_ARGUMENT; 4765 if ((k->xmss_filename = strdup(filename)) == NULL) 4766 return SSH_ERR_ALLOC_FAIL; 4767 return 0; 4768 } 4769 #else 4770 int 4771 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4772 u_int32_t maxsign, int printerror) 4773 { 4774 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4775 } 4776 4777 u_int32_t 4778 sshkey_signatures_left(const struct sshkey *k) 4779 { 4780 return 0; 4781 } 4782 4783 int 4784 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4785 { 4786 return SSH_ERR_INVALID_ARGUMENT; 4787 } 4788 4789 int 4790 sshkey_set_filename(struct sshkey *k, const char *filename) 4791 { 4792 if (k == NULL) 4793 return SSH_ERR_INVALID_ARGUMENT; 4794 return 0; 4795 } 4796 #endif /* WITH_XMSS */ 4797