1 /* $NetBSD: sshkey.c,v 1.26 2021/04/19 14:40:15 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.116 2021/04/03 06:18:41 djm Exp $ */ 3 4 /* 5 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 6 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 7 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 #include "includes.h" 30 __RCSID("$NetBSD: sshkey.c,v 1.26 2021/04/19 14:40:15 christos Exp $"); 31 32 #include <sys/types.h> 33 #include <netinet/in.h> 34 35 #ifdef WITH_OPENSSL 36 #include <openssl/evp.h> 37 #include <openssl/err.h> 38 #include <openssl/pem.h> 39 #endif 40 41 #include "crypto_api.h" 42 43 #include <errno.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <util.h> 47 #include <limits.h> 48 #include <resolv.h> 49 50 #include "ssh2.h" 51 #include "ssherr.h" 52 #include "misc.h" 53 #include "sshbuf.h" 54 #include "cipher.h" 55 #include "digest.h" 56 #define SSHKEY_INTERNAL 57 #include "sshkey.h" 58 #include "match.h" 59 #include "ssh-sk.h" 60 61 #ifdef WITH_XMSS 62 #include "sshkey-xmss.h" 63 #include "xmss_fast.h" 64 #endif 65 66 /* openssh private key file format */ 67 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 68 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 69 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 70 #define MARK_END_LEN (sizeof(MARK_END) - 1) 71 #define KDFNAME "bcrypt" 72 #define AUTH_MAGIC "openssh-key-v1" 73 #define SALT_LEN 16 74 #define DEFAULT_CIPHERNAME "aes256-ctr" 75 #define DEFAULT_ROUNDS 16 76 77 /* Version identification string for SSH v1 identity files. */ 78 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 79 80 /* 81 * Constants relating to "shielding" support; protection of keys expected 82 * to remain in memory for long durations 83 */ 84 #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) 85 #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ 86 #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 87 88 int sshkey_private_serialize_opt(struct sshkey *key, 89 struct sshbuf *buf, enum sshkey_serialize_rep); 90 static int sshkey_from_blob_internal(struct sshbuf *buf, 91 struct sshkey **keyp, int allow_cert); 92 93 /* Supported key types */ 94 struct keytype { 95 const char *name; 96 const char *shortname; 97 const char *sigalg; 98 int type; 99 int nid; 100 int cert; 101 int sigonly; 102 }; 103 static const struct keytype keytypes[] = { 104 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 105 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 106 KEY_ED25519_CERT, 0, 1, 0 }, 107 { "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL, 108 KEY_ED25519_SK, 0, 0, 0 }, 109 { "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL, 110 KEY_ED25519_SK_CERT, 0, 1, 0 }, 111 #ifdef WITH_XMSS 112 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 113 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 114 KEY_XMSS_CERT, 0, 1, 0 }, 115 #endif /* WITH_XMSS */ 116 #ifdef WITH_OPENSSL 117 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 118 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 119 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 120 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 121 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 122 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 123 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 124 KEY_ECDSA, NID_secp384r1, 0, 0 }, 125 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 126 KEY_ECDSA, NID_secp521r1, 0, 0 }, 127 { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, 128 KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, 129 { "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, 130 KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 1 }, 131 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 132 KEY_RSA_CERT, 0, 1, 0 }, 133 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 134 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 135 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 136 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 137 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 138 KEY_DSA_CERT, 0, 1, 0 }, 139 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 140 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 141 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 142 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 143 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 144 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 145 { "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL, 146 KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, 147 #endif /* WITH_OPENSSL */ 148 { NULL, NULL, NULL, -1, -1, 0, 0 } 149 }; 150 151 const char * 152 sshkey_type(const struct sshkey *k) 153 { 154 const struct keytype *kt; 155 156 for (kt = keytypes; kt->type != -1; kt++) { 157 if (kt->type == k->type) 158 return kt->shortname; 159 } 160 return "unknown"; 161 } 162 163 static const char * 164 sshkey_ssh_name_from_type_nid(int type, int nid) 165 { 166 const struct keytype *kt; 167 168 for (kt = keytypes; kt->type != -1; kt++) { 169 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 170 return kt->name; 171 } 172 return "ssh-unknown"; 173 } 174 175 int 176 sshkey_type_is_cert(int type) 177 { 178 const struct keytype *kt; 179 180 for (kt = keytypes; kt->type != -1; kt++) { 181 if (kt->type == type) 182 return kt->cert; 183 } 184 return 0; 185 } 186 187 const char * 188 sshkey_ssh_name(const struct sshkey *k) 189 { 190 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 191 } 192 193 const char * 194 sshkey_ssh_name_plain(const struct sshkey *k) 195 { 196 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 197 k->ecdsa_nid); 198 } 199 200 int 201 sshkey_type_from_name(const char *name) 202 { 203 const struct keytype *kt; 204 205 for (kt = keytypes; kt->type != -1; kt++) { 206 /* Only allow shortname matches for plain key types */ 207 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 208 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 209 return kt->type; 210 } 211 return KEY_UNSPEC; 212 } 213 214 static int 215 key_type_is_ecdsa_variant(int type) 216 { 217 switch (type) { 218 case KEY_ECDSA: 219 case KEY_ECDSA_CERT: 220 case KEY_ECDSA_SK: 221 case KEY_ECDSA_SK_CERT: 222 return 1; 223 } 224 return 0; 225 } 226 227 int 228 sshkey_ecdsa_nid_from_name(const char *name) 229 { 230 const struct keytype *kt; 231 232 for (kt = keytypes; kt->type != -1; kt++) { 233 if (!key_type_is_ecdsa_variant(kt->type)) 234 continue; 235 if (kt->name != NULL && strcmp(name, kt->name) == 0) 236 return kt->nid; 237 } 238 return -1; 239 } 240 241 char * 242 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 243 { 244 char *tmp, *ret = NULL; 245 size_t nlen, rlen = 0; 246 const struct keytype *kt; 247 248 for (kt = keytypes; kt->type != -1; kt++) { 249 if (kt->name == NULL) 250 continue; 251 if (!include_sigonly && kt->sigonly) 252 continue; 253 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 254 continue; 255 if (ret != NULL) 256 ret[rlen++] = sep; 257 nlen = strlen(kt->name); 258 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 259 free(ret); 260 return NULL; 261 } 262 ret = tmp; 263 memcpy(ret + rlen, kt->name, nlen + 1); 264 rlen += nlen; 265 } 266 return ret; 267 } 268 269 int 270 sshkey_names_valid2(const char *names, int allow_wildcard) 271 { 272 char *s, *cp, *p; 273 const struct keytype *kt; 274 int type; 275 276 if (names == NULL || strcmp(names, "") == 0) 277 return 0; 278 if ((s = cp = strdup(names)) == NULL) 279 return 0; 280 for ((p = strsep(&cp, ",")); p && *p != '\0'; 281 (p = strsep(&cp, ","))) { 282 type = sshkey_type_from_name(p); 283 if (type == KEY_UNSPEC) { 284 if (allow_wildcard) { 285 /* 286 * Try matching key types against the string. 287 * If any has a positive or negative match then 288 * the component is accepted. 289 */ 290 for (kt = keytypes; kt->type != -1; kt++) { 291 if (match_pattern_list(kt->name, 292 p, 0) != 0) 293 break; 294 } 295 if (kt->type != -1) 296 continue; 297 } 298 free(s); 299 return 0; 300 } 301 } 302 free(s); 303 return 1; 304 } 305 306 u_int 307 sshkey_size(const struct sshkey *k) 308 { 309 #ifdef WITH_OPENSSL 310 const BIGNUM *rsa_n, *dsa_p; 311 #endif /* WITH_OPENSSL */ 312 313 switch (k->type) { 314 #ifdef WITH_OPENSSL 315 case KEY_RSA: 316 case KEY_RSA_CERT: 317 if (k->rsa == NULL) 318 return 0; 319 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 320 return BN_num_bits(rsa_n); 321 case KEY_DSA: 322 case KEY_DSA_CERT: 323 if (k->dsa == NULL) 324 return 0; 325 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 326 return BN_num_bits(dsa_p); 327 case KEY_ECDSA: 328 case KEY_ECDSA_CERT: 329 case KEY_ECDSA_SK: 330 case KEY_ECDSA_SK_CERT: 331 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 332 #endif /* WITH_OPENSSL */ 333 case KEY_ED25519: 334 case KEY_ED25519_CERT: 335 case KEY_ED25519_SK: 336 case KEY_ED25519_SK_CERT: 337 case KEY_XMSS: 338 case KEY_XMSS_CERT: 339 return 256; /* XXX */ 340 } 341 return 0; 342 } 343 344 static int 345 sshkey_type_is_valid_ca(int type) 346 { 347 switch (type) { 348 case KEY_RSA: 349 case KEY_DSA: 350 case KEY_ECDSA: 351 case KEY_ECDSA_SK: 352 case KEY_ED25519: 353 case KEY_ED25519_SK: 354 case KEY_XMSS: 355 return 1; 356 default: 357 return 0; 358 } 359 } 360 361 int 362 sshkey_is_cert(const struct sshkey *k) 363 { 364 if (k == NULL) 365 return 0; 366 return sshkey_type_is_cert(k->type); 367 } 368 369 int 370 sshkey_is_sk(const struct sshkey *k) 371 { 372 if (k == NULL) 373 return 0; 374 switch (sshkey_type_plain(k->type)) { 375 case KEY_ECDSA_SK: 376 case KEY_ED25519_SK: 377 return 1; 378 default: 379 return 0; 380 } 381 } 382 383 /* Return the cert-less equivalent to a certified key type */ 384 int 385 sshkey_type_plain(int type) 386 { 387 switch (type) { 388 case KEY_RSA_CERT: 389 return KEY_RSA; 390 case KEY_DSA_CERT: 391 return KEY_DSA; 392 case KEY_ECDSA_CERT: 393 return KEY_ECDSA; 394 case KEY_ECDSA_SK_CERT: 395 return KEY_ECDSA_SK; 396 case KEY_ED25519_CERT: 397 return KEY_ED25519; 398 case KEY_ED25519_SK_CERT: 399 return KEY_ED25519_SK; 400 case KEY_XMSS_CERT: 401 return KEY_XMSS; 402 default: 403 return type; 404 } 405 } 406 407 #ifdef WITH_OPENSSL 408 /* XXX: these are really begging for a table-driven approach */ 409 int 410 sshkey_curve_name_to_nid(const char *name) 411 { 412 if (strcmp(name, "nistp256") == 0) 413 return NID_X9_62_prime256v1; 414 else if (strcmp(name, "nistp384") == 0) 415 return NID_secp384r1; 416 else if (strcmp(name, "nistp521") == 0) 417 return NID_secp521r1; 418 else 419 return -1; 420 } 421 422 u_int 423 sshkey_curve_nid_to_bits(int nid) 424 { 425 switch (nid) { 426 case NID_X9_62_prime256v1: 427 return 256; 428 case NID_secp384r1: 429 return 384; 430 case NID_secp521r1: 431 return 521; 432 default: 433 return 0; 434 } 435 } 436 437 int 438 sshkey_ecdsa_bits_to_nid(int bits) 439 { 440 switch (bits) { 441 case 256: 442 return NID_X9_62_prime256v1; 443 case 384: 444 return NID_secp384r1; 445 case 521: 446 return NID_secp521r1; 447 default: 448 return -1; 449 } 450 } 451 452 const char * 453 sshkey_curve_nid_to_name(int nid) 454 { 455 switch (nid) { 456 case NID_X9_62_prime256v1: 457 return "nistp256"; 458 case NID_secp384r1: 459 return "nistp384"; 460 case NID_secp521r1: 461 return "nistp521"; 462 default: 463 return NULL; 464 } 465 } 466 467 int 468 sshkey_ec_nid_to_hash_alg(int nid) 469 { 470 int kbits = sshkey_curve_nid_to_bits(nid); 471 472 if (kbits <= 0) 473 return -1; 474 475 /* RFC5656 section 6.2.1 */ 476 if (kbits <= 256) 477 return SSH_DIGEST_SHA256; 478 else if (kbits <= 384) 479 return SSH_DIGEST_SHA384; 480 else 481 return SSH_DIGEST_SHA512; 482 } 483 #endif /* WITH_OPENSSL */ 484 485 static void 486 cert_free(struct sshkey_cert *cert) 487 { 488 u_int i; 489 490 if (cert == NULL) 491 return; 492 sshbuf_free(cert->certblob); 493 sshbuf_free(cert->critical); 494 sshbuf_free(cert->extensions); 495 free(cert->key_id); 496 for (i = 0; i < cert->nprincipals; i++) 497 free(cert->principals[i]); 498 free(cert->principals); 499 sshkey_free(cert->signature_key); 500 free(cert->signature_type); 501 freezero(cert, sizeof(*cert)); 502 } 503 504 static struct sshkey_cert * 505 cert_new(void) 506 { 507 struct sshkey_cert *cert; 508 509 if ((cert = calloc(1, sizeof(*cert))) == NULL) 510 return NULL; 511 if ((cert->certblob = sshbuf_new()) == NULL || 512 (cert->critical = sshbuf_new()) == NULL || 513 (cert->extensions = sshbuf_new()) == NULL) { 514 cert_free(cert); 515 return NULL; 516 } 517 cert->key_id = NULL; 518 cert->principals = NULL; 519 cert->signature_key = NULL; 520 cert->signature_type = NULL; 521 return cert; 522 } 523 524 struct sshkey * 525 sshkey_new(int type) 526 { 527 struct sshkey *k; 528 #ifdef WITH_OPENSSL 529 RSA *rsa; 530 DSA *dsa; 531 #endif /* WITH_OPENSSL */ 532 533 if ((k = calloc(1, sizeof(*k))) == NULL) 534 return NULL; 535 k->type = type; 536 k->ecdsa = NULL; 537 k->ecdsa_nid = -1; 538 k->dsa = NULL; 539 k->rsa = NULL; 540 k->cert = NULL; 541 k->ed25519_sk = NULL; 542 k->ed25519_pk = NULL; 543 k->xmss_sk = NULL; 544 k->xmss_pk = NULL; 545 switch (k->type) { 546 #ifdef WITH_OPENSSL 547 case KEY_RSA: 548 case KEY_RSA_CERT: 549 if ((rsa = RSA_new()) == NULL) { 550 free(k); 551 return NULL; 552 } 553 k->rsa = rsa; 554 break; 555 case KEY_DSA: 556 case KEY_DSA_CERT: 557 if ((dsa = DSA_new()) == NULL) { 558 free(k); 559 return NULL; 560 } 561 k->dsa = dsa; 562 break; 563 case KEY_ECDSA: 564 case KEY_ECDSA_CERT: 565 case KEY_ECDSA_SK: 566 case KEY_ECDSA_SK_CERT: 567 /* Cannot do anything until we know the group */ 568 break; 569 #endif /* WITH_OPENSSL */ 570 case KEY_ED25519: 571 case KEY_ED25519_CERT: 572 case KEY_ED25519_SK: 573 case KEY_ED25519_SK_CERT: 574 case KEY_XMSS: 575 case KEY_XMSS_CERT: 576 /* no need to prealloc */ 577 break; 578 case KEY_UNSPEC: 579 break; 580 default: 581 free(k); 582 return NULL; 583 } 584 585 if (sshkey_is_cert(k)) { 586 if ((k->cert = cert_new()) == NULL) { 587 sshkey_free(k); 588 return NULL; 589 } 590 } 591 592 return k; 593 } 594 595 void 596 sshkey_free(struct sshkey *k) 597 { 598 if (k == NULL) 599 return; 600 switch (k->type) { 601 #ifdef WITH_OPENSSL 602 case KEY_RSA: 603 case KEY_RSA_CERT: 604 RSA_free(k->rsa); 605 k->rsa = NULL; 606 break; 607 case KEY_DSA: 608 case KEY_DSA_CERT: 609 DSA_free(k->dsa); 610 k->dsa = NULL; 611 break; 612 case KEY_ECDSA_SK: 613 case KEY_ECDSA_SK_CERT: 614 free(k->sk_application); 615 sshbuf_free(k->sk_key_handle); 616 sshbuf_free(k->sk_reserved); 617 /* FALLTHROUGH */ 618 case KEY_ECDSA: 619 case KEY_ECDSA_CERT: 620 EC_KEY_free(k->ecdsa); 621 k->ecdsa = NULL; 622 break; 623 #endif /* WITH_OPENSSL */ 624 case KEY_ED25519_SK: 625 case KEY_ED25519_SK_CERT: 626 free(k->sk_application); 627 sshbuf_free(k->sk_key_handle); 628 sshbuf_free(k->sk_reserved); 629 /* FALLTHROUGH */ 630 case KEY_ED25519: 631 case KEY_ED25519_CERT: 632 freezero(k->ed25519_pk, ED25519_PK_SZ); 633 k->ed25519_pk = NULL; 634 freezero(k->ed25519_sk, ED25519_SK_SZ); 635 k->ed25519_sk = NULL; 636 break; 637 #ifdef WITH_XMSS 638 case KEY_XMSS: 639 case KEY_XMSS_CERT: 640 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 641 k->xmss_pk = NULL; 642 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 643 k->xmss_sk = NULL; 644 sshkey_xmss_free_state(k); 645 free(k->xmss_name); 646 k->xmss_name = NULL; 647 free(k->xmss_filename); 648 k->xmss_filename = NULL; 649 break; 650 #endif /* WITH_XMSS */ 651 case KEY_UNSPEC: 652 break; 653 default: 654 break; 655 } 656 if (sshkey_is_cert(k)) 657 cert_free(k->cert); 658 freezero(k->shielded_private, k->shielded_len); 659 freezero(k->shield_prekey, k->shield_prekey_len); 660 freezero(k, sizeof(*k)); 661 } 662 663 static int 664 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 665 { 666 if (a == NULL && b == NULL) 667 return 1; 668 if (a == NULL || b == NULL) 669 return 0; 670 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 671 return 0; 672 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 673 sshbuf_len(a->certblob)) != 0) 674 return 0; 675 return 1; 676 } 677 678 /* 679 * Compare public portions of key only, allowing comparisons between 680 * certificates and plain keys too. 681 */ 682 int 683 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 684 { 685 #ifdef WITH_OPENSSL 686 const BIGNUM *rsa_e_a, *rsa_n_a; 687 const BIGNUM *rsa_e_b, *rsa_n_b; 688 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 689 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 690 #endif /* WITH_OPENSSL */ 691 692 if (a == NULL || b == NULL || 693 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 694 return 0; 695 696 switch (a->type) { 697 #ifdef WITH_OPENSSL 698 case KEY_RSA_CERT: 699 case KEY_RSA: 700 if (a->rsa == NULL || b->rsa == NULL) 701 return 0; 702 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 703 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 704 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 705 BN_cmp(rsa_n_a, rsa_n_b) == 0; 706 case KEY_DSA_CERT: 707 case KEY_DSA: 708 if (a->dsa == NULL || b->dsa == NULL) 709 return 0; 710 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 711 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 712 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 713 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 714 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 715 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 716 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 717 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 718 case KEY_ECDSA_SK: 719 case KEY_ECDSA_SK_CERT: 720 if (a->sk_application == NULL || b->sk_application == NULL) 721 return 0; 722 if (strcmp(a->sk_application, b->sk_application) != 0) 723 return 0; 724 /* FALLTHROUGH */ 725 case KEY_ECDSA_CERT: 726 case KEY_ECDSA: 727 if (a->ecdsa == NULL || b->ecdsa == NULL || 728 EC_KEY_get0_public_key(a->ecdsa) == NULL || 729 EC_KEY_get0_public_key(b->ecdsa) == NULL) 730 return 0; 731 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 732 EC_KEY_get0_group(b->ecdsa), NULL) != 0 || 733 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 734 EC_KEY_get0_public_key(a->ecdsa), 735 EC_KEY_get0_public_key(b->ecdsa), NULL) != 0) 736 return 0; 737 return 1; 738 #endif /* WITH_OPENSSL */ 739 case KEY_ED25519_SK: 740 case KEY_ED25519_SK_CERT: 741 if (a->sk_application == NULL || b->sk_application == NULL) 742 return 0; 743 if (strcmp(a->sk_application, b->sk_application) != 0) 744 return 0; 745 /* FALLTHROUGH */ 746 case KEY_ED25519: 747 case KEY_ED25519_CERT: 748 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 749 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 750 #ifdef WITH_XMSS 751 case KEY_XMSS: 752 case KEY_XMSS_CERT: 753 return a->xmss_pk != NULL && b->xmss_pk != NULL && 754 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 755 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 756 #endif /* WITH_XMSS */ 757 default: 758 return 0; 759 } 760 /* NOTREACHED */ 761 } 762 763 int 764 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 765 { 766 if (a == NULL || b == NULL || a->type != b->type) 767 return 0; 768 if (sshkey_is_cert(a)) { 769 if (!cert_compare(a->cert, b->cert)) 770 return 0; 771 } 772 return sshkey_equal_public(a, b); 773 } 774 775 static int 776 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 777 enum sshkey_serialize_rep opts) 778 { 779 int type, ret = SSH_ERR_INTERNAL_ERROR; 780 const char *typename; 781 #ifdef WITH_OPENSSL 782 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 783 #endif /* WITH_OPENSSL */ 784 785 if (key == NULL) 786 return SSH_ERR_INVALID_ARGUMENT; 787 788 if (sshkey_is_cert(key)) { 789 if (key->cert == NULL) 790 return SSH_ERR_EXPECTED_CERT; 791 if (sshbuf_len(key->cert->certblob) == 0) 792 return SSH_ERR_KEY_LACKS_CERTBLOB; 793 } 794 type = force_plain ? sshkey_type_plain(key->type) : key->type; 795 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 796 797 switch (type) { 798 #ifdef WITH_OPENSSL 799 case KEY_DSA_CERT: 800 case KEY_ECDSA_CERT: 801 case KEY_ECDSA_SK_CERT: 802 case KEY_RSA_CERT: 803 #endif /* WITH_OPENSSL */ 804 case KEY_ED25519_CERT: 805 case KEY_ED25519_SK_CERT: 806 #ifdef WITH_XMSS 807 case KEY_XMSS_CERT: 808 #endif /* WITH_XMSS */ 809 /* Use the existing blob */ 810 /* XXX modified flag? */ 811 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 812 return ret; 813 break; 814 #ifdef WITH_OPENSSL 815 case KEY_DSA: 816 if (key->dsa == NULL) 817 return SSH_ERR_INVALID_ARGUMENT; 818 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 819 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 820 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 821 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 822 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 823 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 824 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 825 return ret; 826 break; 827 case KEY_ECDSA: 828 case KEY_ECDSA_SK: 829 if (key->ecdsa == NULL) 830 return SSH_ERR_INVALID_ARGUMENT; 831 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 832 (ret = sshbuf_put_cstring(b, 833 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 834 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 835 return ret; 836 if (type == KEY_ECDSA_SK) { 837 if ((ret = sshbuf_put_cstring(b, 838 key->sk_application)) != 0) 839 return ret; 840 } 841 break; 842 case KEY_RSA: 843 if (key->rsa == NULL) 844 return SSH_ERR_INVALID_ARGUMENT; 845 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 846 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 847 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 848 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 849 return ret; 850 break; 851 #endif /* WITH_OPENSSL */ 852 case KEY_ED25519: 853 case KEY_ED25519_SK: 854 if (key->ed25519_pk == NULL) 855 return SSH_ERR_INVALID_ARGUMENT; 856 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 857 (ret = sshbuf_put_string(b, 858 key->ed25519_pk, ED25519_PK_SZ)) != 0) 859 return ret; 860 if (type == KEY_ED25519_SK) { 861 if ((ret = sshbuf_put_cstring(b, 862 key->sk_application)) != 0) 863 return ret; 864 } 865 break; 866 #ifdef WITH_XMSS 867 case KEY_XMSS: 868 if (key->xmss_name == NULL || key->xmss_pk == NULL || 869 sshkey_xmss_pklen(key) == 0) 870 return SSH_ERR_INVALID_ARGUMENT; 871 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 872 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 873 (ret = sshbuf_put_string(b, 874 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 875 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 876 return ret; 877 break; 878 #endif /* WITH_XMSS */ 879 default: 880 return SSH_ERR_KEY_TYPE_UNKNOWN; 881 } 882 return 0; 883 } 884 885 int 886 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 887 { 888 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 889 } 890 891 int 892 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 893 enum sshkey_serialize_rep opts) 894 { 895 struct sshbuf *tmp; 896 int r; 897 898 if ((tmp = sshbuf_new()) == NULL) 899 return SSH_ERR_ALLOC_FAIL; 900 r = to_blob_buf(key, tmp, 0, opts); 901 if (r == 0) 902 r = sshbuf_put_stringb(b, tmp); 903 sshbuf_free(tmp); 904 return r; 905 } 906 907 int 908 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 909 { 910 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 911 } 912 913 int 914 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 915 { 916 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 917 } 918 919 static int 920 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 921 enum sshkey_serialize_rep opts) 922 { 923 int ret = SSH_ERR_INTERNAL_ERROR; 924 size_t len; 925 struct sshbuf *b = NULL; 926 927 if (lenp != NULL) 928 *lenp = 0; 929 if (blobp != NULL) 930 *blobp = NULL; 931 if ((b = sshbuf_new()) == NULL) 932 return SSH_ERR_ALLOC_FAIL; 933 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 934 goto out; 935 len = sshbuf_len(b); 936 if (lenp != NULL) 937 *lenp = len; 938 if (blobp != NULL) { 939 if ((*blobp = malloc(len)) == NULL) { 940 ret = SSH_ERR_ALLOC_FAIL; 941 goto out; 942 } 943 memcpy(*blobp, sshbuf_ptr(b), len); 944 } 945 ret = 0; 946 out: 947 sshbuf_free(b); 948 return ret; 949 } 950 951 int 952 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 953 { 954 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 955 } 956 957 int 958 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 959 { 960 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 961 } 962 963 int 964 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 965 u_char **retp, size_t *lenp) 966 { 967 u_char *blob = NULL, *ret = NULL; 968 size_t blob_len = 0; 969 int r = SSH_ERR_INTERNAL_ERROR; 970 971 if (retp != NULL) 972 *retp = NULL; 973 if (lenp != NULL) 974 *lenp = 0; 975 if (ssh_digest_bytes(dgst_alg) == 0) { 976 r = SSH_ERR_INVALID_ARGUMENT; 977 goto out; 978 } 979 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 980 != 0) 981 goto out; 982 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 983 r = SSH_ERR_ALLOC_FAIL; 984 goto out; 985 } 986 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 987 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 988 goto out; 989 /* success */ 990 if (retp != NULL) { 991 *retp = ret; 992 ret = NULL; 993 } 994 if (lenp != NULL) 995 *lenp = ssh_digest_bytes(dgst_alg); 996 r = 0; 997 out: 998 free(ret); 999 if (blob != NULL) 1000 freezero(blob, blob_len); 1001 return r; 1002 } 1003 1004 static char * 1005 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1006 { 1007 char *ret; 1008 size_t plen = strlen(alg) + 1; 1009 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 1010 1011 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 1012 return NULL; 1013 strlcpy(ret, alg, rlen); 1014 strlcat(ret, ":", rlen); 1015 if (dgst_raw_len == 0) 1016 return ret; 1017 if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { 1018 freezero(ret, rlen); 1019 return NULL; 1020 } 1021 /* Trim padding characters from end */ 1022 ret[strcspn(ret, "=")] = '\0'; 1023 return ret; 1024 } 1025 1026 static char * 1027 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1028 { 1029 char *retval, hex[5]; 1030 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 1031 1032 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 1033 return NULL; 1034 strlcpy(retval, alg, rlen); 1035 strlcat(retval, ":", rlen); 1036 for (i = 0; i < dgst_raw_len; i++) { 1037 snprintf(hex, sizeof(hex), "%s%02x", 1038 i > 0 ? ":" : "", dgst_raw[i]); 1039 strlcat(retval, hex, rlen); 1040 } 1041 return retval; 1042 } 1043 1044 static char * 1045 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 1046 { 1047 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 1048 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 1049 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 1050 u_int i, j = 0, rounds, seed = 1; 1051 char *retval; 1052 1053 rounds = (dgst_raw_len / 2) + 1; 1054 if ((retval = calloc(rounds, 6)) == NULL) 1055 return NULL; 1056 retval[j++] = 'x'; 1057 for (i = 0; i < rounds; i++) { 1058 u_int idx0, idx1, idx2, idx3, idx4; 1059 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 1060 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 1061 seed) % 6; 1062 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 1063 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 1064 (seed / 6)) % 6; 1065 retval[j++] = vowels[idx0]; 1066 retval[j++] = consonants[idx1]; 1067 retval[j++] = vowels[idx2]; 1068 if ((i + 1) < rounds) { 1069 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 1070 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1071 retval[j++] = consonants[idx3]; 1072 retval[j++] = '-'; 1073 retval[j++] = consonants[idx4]; 1074 seed = ((seed * 5) + 1075 ((((u_int)(dgst_raw[2 * i])) * 7) + 1076 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1077 } 1078 } else { 1079 idx0 = seed % 6; 1080 idx1 = 16; 1081 idx2 = seed / 6; 1082 retval[j++] = vowels[idx0]; 1083 retval[j++] = consonants[idx1]; 1084 retval[j++] = vowels[idx2]; 1085 } 1086 } 1087 retval[j++] = 'x'; 1088 retval[j++] = '\0'; 1089 return retval; 1090 } 1091 1092 /* 1093 * Draw an ASCII-Art representing the fingerprint so human brain can 1094 * profit from its built-in pattern recognition ability. 1095 * This technique is called "random art" and can be found in some 1096 * scientific publications like this original paper: 1097 * 1098 * "Hash Visualization: a New Technique to improve Real-World Security", 1099 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1100 * Techniques and E-Commerce (CrypTEC '99) 1101 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1102 * 1103 * The subject came up in a talk by Dan Kaminsky, too. 1104 * 1105 * If you see the picture is different, the key is different. 1106 * If the picture looks the same, you still know nothing. 1107 * 1108 * The algorithm used here is a worm crawling over a discrete plane, 1109 * leaving a trace (augmenting the field) everywhere it goes. 1110 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1111 * makes the respective movement vector be ignored for this turn. 1112 * Graphs are not unambiguous, because circles in graphs can be 1113 * walked in either direction. 1114 */ 1115 1116 /* 1117 * Field sizes for the random art. Have to be odd, so the starting point 1118 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1119 * Else pictures would be too dense, and drawing the frame would 1120 * fail, too, because the key type would not fit in anymore. 1121 */ 1122 #define FLDBASE 8 1123 #define FLDSIZE_Y (FLDBASE + 1) 1124 #define FLDSIZE_X (FLDBASE * 2 + 1) 1125 static char * 1126 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1127 const struct sshkey *k) 1128 { 1129 /* 1130 * Chars to be used after each other every time the worm 1131 * intersects with itself. Matter of taste. 1132 */ 1133 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1134 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1135 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1136 size_t i, tlen, hlen; 1137 u_int b; 1138 int x, y, r; 1139 size_t len = strlen(augmentation_string) - 1; 1140 1141 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1142 return NULL; 1143 1144 /* initialize field */ 1145 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1146 x = FLDSIZE_X / 2; 1147 y = FLDSIZE_Y / 2; 1148 1149 /* process raw key */ 1150 for (i = 0; i < dgst_raw_len; i++) { 1151 int input; 1152 /* each byte conveys four 2-bit move commands */ 1153 input = dgst_raw[i]; 1154 for (b = 0; b < 4; b++) { 1155 /* evaluate 2 bit, rest is shifted later */ 1156 x += (input & 0x1) ? 1 : -1; 1157 y += (input & 0x2) ? 1 : -1; 1158 1159 /* assure we are still in bounds */ 1160 x = MAXIMUM(x, 0); 1161 y = MAXIMUM(y, 0); 1162 x = MINIMUM(x, FLDSIZE_X - 1); 1163 y = MINIMUM(y, FLDSIZE_Y - 1); 1164 1165 /* augment the field */ 1166 if (field[x][y] < len - 2) 1167 field[x][y]++; 1168 input = input >> 2; 1169 } 1170 } 1171 1172 /* mark starting point and end point*/ 1173 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1174 field[x][y] = len; 1175 1176 /* assemble title */ 1177 r = snprintf(title, sizeof(title), "[%s %u]", 1178 sshkey_type(k), sshkey_size(k)); 1179 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1180 if (r < 0 || r > (int)sizeof(title)) 1181 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1182 tlen = (r <= 0) ? 0 : strlen(title); 1183 1184 /* assemble hash ID. */ 1185 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1186 hlen = (r <= 0) ? 0 : strlen(hash); 1187 1188 /* output upper border */ 1189 p = retval; 1190 *p++ = '+'; 1191 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1192 *p++ = '-'; 1193 memcpy(p, title, tlen); 1194 p += tlen; 1195 for (i += tlen; i < FLDSIZE_X; i++) 1196 *p++ = '-'; 1197 *p++ = '+'; 1198 *p++ = '\n'; 1199 1200 /* output content */ 1201 for (y = 0; y < FLDSIZE_Y; y++) { 1202 *p++ = '|'; 1203 for (x = 0; x < FLDSIZE_X; x++) 1204 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1205 *p++ = '|'; 1206 *p++ = '\n'; 1207 } 1208 1209 /* output lower border */ 1210 *p++ = '+'; 1211 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1212 *p++ = '-'; 1213 memcpy(p, hash, hlen); 1214 p += hlen; 1215 for (i += hlen; i < FLDSIZE_X; i++) 1216 *p++ = '-'; 1217 *p++ = '+'; 1218 1219 return retval; 1220 } 1221 1222 char * 1223 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1224 enum sshkey_fp_rep dgst_rep) 1225 { 1226 char *retval = NULL; 1227 u_char *dgst_raw; 1228 size_t dgst_raw_len; 1229 1230 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1231 return NULL; 1232 switch (dgst_rep) { 1233 case SSH_FP_DEFAULT: 1234 if (dgst_alg == SSH_DIGEST_MD5) { 1235 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1236 dgst_raw, dgst_raw_len); 1237 } else { 1238 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1239 dgst_raw, dgst_raw_len); 1240 } 1241 break; 1242 case SSH_FP_HEX: 1243 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1244 dgst_raw, dgst_raw_len); 1245 break; 1246 case SSH_FP_BASE64: 1247 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1248 dgst_raw, dgst_raw_len); 1249 break; 1250 case SSH_FP_BUBBLEBABBLE: 1251 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1252 break; 1253 case SSH_FP_RANDOMART: 1254 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1255 dgst_raw, dgst_raw_len, k); 1256 break; 1257 default: 1258 freezero(dgst_raw, dgst_raw_len); 1259 return NULL; 1260 } 1261 freezero(dgst_raw, dgst_raw_len); 1262 return retval; 1263 } 1264 1265 static int 1266 peek_type_nid(const char *s, size_t l, int *nid) 1267 { 1268 const struct keytype *kt; 1269 1270 for (kt = keytypes; kt->type != -1; kt++) { 1271 if (kt->name == NULL || strlen(kt->name) != l) 1272 continue; 1273 if (memcmp(s, kt->name, l) == 0) { 1274 *nid = -1; 1275 if (key_type_is_ecdsa_variant(kt->type)) 1276 *nid = kt->nid; 1277 return kt->type; 1278 } 1279 } 1280 return KEY_UNSPEC; 1281 } 1282 1283 1284 /* XXX this can now be made const char * */ 1285 int 1286 sshkey_read(struct sshkey *ret, char **cpp) 1287 { 1288 struct sshkey *k; 1289 char *cp, *blobcopy; 1290 size_t space; 1291 int r, type, curve_nid = -1; 1292 struct sshbuf *blob; 1293 1294 if (ret == NULL) 1295 return SSH_ERR_INVALID_ARGUMENT; 1296 1297 switch (ret->type) { 1298 case KEY_UNSPEC: 1299 case KEY_RSA: 1300 case KEY_DSA: 1301 case KEY_ECDSA: 1302 case KEY_ECDSA_SK: 1303 case KEY_ED25519: 1304 case KEY_ED25519_SK: 1305 case KEY_DSA_CERT: 1306 case KEY_ECDSA_CERT: 1307 case KEY_ECDSA_SK_CERT: 1308 case KEY_RSA_CERT: 1309 case KEY_ED25519_CERT: 1310 case KEY_ED25519_SK_CERT: 1311 #ifdef WITH_XMSS 1312 case KEY_XMSS: 1313 case KEY_XMSS_CERT: 1314 #endif /* WITH_XMSS */ 1315 break; /* ok */ 1316 default: 1317 return SSH_ERR_INVALID_ARGUMENT; 1318 } 1319 1320 /* Decode type */ 1321 cp = *cpp; 1322 space = strcspn(cp, " \t"); 1323 if (space == strlen(cp)) 1324 return SSH_ERR_INVALID_FORMAT; 1325 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1326 return SSH_ERR_INVALID_FORMAT; 1327 1328 /* skip whitespace */ 1329 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1330 ; 1331 if (*cp == '\0') 1332 return SSH_ERR_INVALID_FORMAT; 1333 if (ret->type != KEY_UNSPEC && ret->type != type) 1334 return SSH_ERR_KEY_TYPE_MISMATCH; 1335 if ((blob = sshbuf_new()) == NULL) 1336 return SSH_ERR_ALLOC_FAIL; 1337 1338 /* find end of keyblob and decode */ 1339 space = strcspn(cp, " \t"); 1340 if ((blobcopy = strndup(cp, space)) == NULL) { 1341 sshbuf_free(blob); 1342 return SSH_ERR_ALLOC_FAIL; 1343 } 1344 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1345 free(blobcopy); 1346 sshbuf_free(blob); 1347 return r; 1348 } 1349 free(blobcopy); 1350 if ((r = sshkey_fromb(blob, &k)) != 0) { 1351 sshbuf_free(blob); 1352 return r; 1353 } 1354 sshbuf_free(blob); 1355 1356 /* skip whitespace and leave cp at start of comment */ 1357 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1358 ; 1359 1360 /* ensure type of blob matches type at start of line */ 1361 if (k->type != type) { 1362 sshkey_free(k); 1363 return SSH_ERR_KEY_TYPE_MISMATCH; 1364 } 1365 if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { 1366 sshkey_free(k); 1367 return SSH_ERR_EC_CURVE_MISMATCH; 1368 } 1369 1370 /* Fill in ret from parsed key */ 1371 ret->type = type; 1372 if (sshkey_is_cert(ret)) { 1373 if (!sshkey_is_cert(k)) { 1374 sshkey_free(k); 1375 return SSH_ERR_EXPECTED_CERT; 1376 } 1377 if (ret->cert != NULL) 1378 cert_free(ret->cert); 1379 ret->cert = k->cert; 1380 k->cert = NULL; 1381 } 1382 switch (sshkey_type_plain(ret->type)) { 1383 #ifdef WITH_OPENSSL 1384 case KEY_RSA: 1385 RSA_free(ret->rsa); 1386 ret->rsa = k->rsa; 1387 k->rsa = NULL; 1388 #ifdef DEBUG_PK 1389 RSA_print_fp(stderr, ret->rsa, 8); 1390 #endif 1391 break; 1392 case KEY_DSA: 1393 DSA_free(ret->dsa); 1394 ret->dsa = k->dsa; 1395 k->dsa = NULL; 1396 #ifdef DEBUG_PK 1397 DSA_print_fp(stderr, ret->dsa, 8); 1398 #endif 1399 break; 1400 case KEY_ECDSA: 1401 EC_KEY_free(ret->ecdsa); 1402 ret->ecdsa = k->ecdsa; 1403 ret->ecdsa_nid = k->ecdsa_nid; 1404 k->ecdsa = NULL; 1405 k->ecdsa_nid = -1; 1406 #ifdef DEBUG_PK 1407 sshkey_dump_ec_key(ret->ecdsa); 1408 #endif 1409 break; 1410 case KEY_ECDSA_SK: 1411 EC_KEY_free(ret->ecdsa); 1412 ret->ecdsa = k->ecdsa; 1413 ret->ecdsa_nid = k->ecdsa_nid; 1414 ret->sk_application = k->sk_application; 1415 k->ecdsa = NULL; 1416 k->ecdsa_nid = -1; 1417 k->sk_application = NULL; 1418 #ifdef DEBUG_PK 1419 sshkey_dump_ec_key(ret->ecdsa); 1420 fprintf(stderr, "App: %s\n", ret->sk_application); 1421 #endif 1422 break; 1423 #endif /* WITH_OPENSSL */ 1424 case KEY_ED25519: 1425 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1426 ret->ed25519_pk = k->ed25519_pk; 1427 k->ed25519_pk = NULL; 1428 #ifdef DEBUG_PK 1429 /* XXX */ 1430 #endif 1431 break; 1432 case KEY_ED25519_SK: 1433 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1434 ret->ed25519_pk = k->ed25519_pk; 1435 ret->sk_application = k->sk_application; 1436 k->ed25519_pk = NULL; 1437 k->sk_application = NULL; 1438 break; 1439 #ifdef WITH_XMSS 1440 case KEY_XMSS: 1441 free(ret->xmss_pk); 1442 ret->xmss_pk = k->xmss_pk; 1443 k->xmss_pk = NULL; 1444 free(ret->xmss_state); 1445 ret->xmss_state = k->xmss_state; 1446 k->xmss_state = NULL; 1447 free(ret->xmss_name); 1448 ret->xmss_name = k->xmss_name; 1449 k->xmss_name = NULL; 1450 free(ret->xmss_filename); 1451 ret->xmss_filename = k->xmss_filename; 1452 k->xmss_filename = NULL; 1453 #ifdef DEBUG_PK 1454 /* XXX */ 1455 #endif 1456 break; 1457 #endif /* WITH_XMSS */ 1458 default: 1459 sshkey_free(k); 1460 return SSH_ERR_INTERNAL_ERROR; 1461 } 1462 sshkey_free(k); 1463 1464 /* success */ 1465 *cpp = cp; 1466 return 0; 1467 } 1468 1469 int 1470 sshkey_to_base64(const struct sshkey *key, char **b64p) 1471 { 1472 int r = SSH_ERR_INTERNAL_ERROR; 1473 struct sshbuf *b = NULL; 1474 char *uu = NULL; 1475 1476 if (b64p != NULL) 1477 *b64p = NULL; 1478 if ((b = sshbuf_new()) == NULL) 1479 return SSH_ERR_ALLOC_FAIL; 1480 if ((r = sshkey_putb(key, b)) != 0) 1481 goto out; 1482 if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) { 1483 r = SSH_ERR_ALLOC_FAIL; 1484 goto out; 1485 } 1486 /* Success */ 1487 if (b64p != NULL) { 1488 *b64p = uu; 1489 uu = NULL; 1490 } 1491 r = 0; 1492 out: 1493 sshbuf_free(b); 1494 free(uu); 1495 return r; 1496 } 1497 1498 int 1499 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1500 { 1501 int r = SSH_ERR_INTERNAL_ERROR; 1502 char *uu = NULL; 1503 1504 if ((r = sshkey_to_base64(key, &uu)) != 0) 1505 goto out; 1506 if ((r = sshbuf_putf(b, "%s %s", 1507 sshkey_ssh_name(key), uu)) != 0) 1508 goto out; 1509 r = 0; 1510 out: 1511 free(uu); 1512 return r; 1513 } 1514 1515 int 1516 sshkey_write(const struct sshkey *key, FILE *f) 1517 { 1518 struct sshbuf *b = NULL; 1519 int r = SSH_ERR_INTERNAL_ERROR; 1520 1521 if ((b = sshbuf_new()) == NULL) 1522 return SSH_ERR_ALLOC_FAIL; 1523 if ((r = sshkey_format_text(key, b)) != 0) 1524 goto out; 1525 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1526 if (feof(f)) 1527 errno = EPIPE; 1528 r = SSH_ERR_SYSTEM_ERROR; 1529 goto out; 1530 } 1531 /* Success */ 1532 r = 0; 1533 out: 1534 sshbuf_free(b); 1535 return r; 1536 } 1537 1538 const char * 1539 sshkey_cert_type(const struct sshkey *k) 1540 { 1541 switch (k->cert->type) { 1542 case SSH2_CERT_TYPE_USER: 1543 return "user"; 1544 case SSH2_CERT_TYPE_HOST: 1545 return "host"; 1546 default: 1547 return "unknown"; 1548 } 1549 } 1550 1551 #ifdef WITH_OPENSSL 1552 static int 1553 rsa_generate_private_key(u_int bits, RSA **rsap) 1554 { 1555 RSA *private = NULL; 1556 BIGNUM *f4 = NULL; 1557 int ret = SSH_ERR_INTERNAL_ERROR; 1558 1559 if (rsap == NULL) 1560 return SSH_ERR_INVALID_ARGUMENT; 1561 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1562 bits > SSHBUF_MAX_BIGNUM * 8) 1563 return SSH_ERR_KEY_LENGTH; 1564 *rsap = NULL; 1565 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1566 ret = SSH_ERR_ALLOC_FAIL; 1567 goto out; 1568 } 1569 if (!BN_set_word(f4, RSA_F4) || 1570 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1571 ret = SSH_ERR_LIBCRYPTO_ERROR; 1572 goto out; 1573 } 1574 *rsap = private; 1575 private = NULL; 1576 ret = 0; 1577 out: 1578 RSA_free(private); 1579 BN_free(f4); 1580 return ret; 1581 } 1582 1583 static int 1584 dsa_generate_private_key(u_int bits, DSA **dsap) 1585 { 1586 DSA *private; 1587 int ret = SSH_ERR_INTERNAL_ERROR; 1588 1589 if (dsap == NULL) 1590 return SSH_ERR_INVALID_ARGUMENT; 1591 if (bits != 1024) 1592 return SSH_ERR_KEY_LENGTH; 1593 if ((private = DSA_new()) == NULL) { 1594 ret = SSH_ERR_ALLOC_FAIL; 1595 goto out; 1596 } 1597 *dsap = NULL; 1598 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1599 NULL, NULL) || !DSA_generate_key(private)) { 1600 ret = SSH_ERR_LIBCRYPTO_ERROR; 1601 goto out; 1602 } 1603 *dsap = private; 1604 private = NULL; 1605 ret = 0; 1606 out: 1607 DSA_free(private); 1608 return ret; 1609 } 1610 1611 int 1612 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1613 { 1614 EC_GROUP *eg = NULL; /* XXXGCC: unneeded init */ 1615 int nids[] = { 1616 NID_X9_62_prime256v1, 1617 NID_secp384r1, 1618 NID_secp521r1, 1619 -1 1620 }; 1621 int nid; 1622 u_int i; 1623 const EC_GROUP *g = EC_KEY_get0_group(k); 1624 1625 /* 1626 * The group may be stored in a ASN.1 encoded private key in one of two 1627 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1628 * or explicit group parameters encoded into the key blob. Only the 1629 * "named group" case sets the group NID for us, but we can figure 1630 * it out for the other case by comparing against all the groups that 1631 * are supported. 1632 */ 1633 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1634 return nid; 1635 for (i = 0; nids[i] != -1; i++) { 1636 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) 1637 return -1; 1638 if (EC_GROUP_cmp(g, eg, NULL) == 0) 1639 break; 1640 EC_GROUP_free(eg); 1641 } 1642 if (nids[i] != -1) { 1643 /* Use the group with the NID attached */ 1644 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1645 if (EC_KEY_set_group(k, eg) != 1) { 1646 EC_GROUP_free(eg); 1647 return -1; 1648 } 1649 } 1650 return nids[i]; 1651 } 1652 1653 static int 1654 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1655 { 1656 EC_KEY *private; 1657 int ret = SSH_ERR_INTERNAL_ERROR; 1658 1659 if (nid == NULL || ecdsap == NULL) 1660 return SSH_ERR_INVALID_ARGUMENT; 1661 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1662 return SSH_ERR_KEY_LENGTH; 1663 *ecdsap = NULL; 1664 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1665 ret = SSH_ERR_ALLOC_FAIL; 1666 goto out; 1667 } 1668 if (EC_KEY_generate_key(private) != 1) { 1669 ret = SSH_ERR_LIBCRYPTO_ERROR; 1670 goto out; 1671 } 1672 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1673 *ecdsap = private; 1674 private = NULL; 1675 ret = 0; 1676 out: 1677 EC_KEY_free(private); 1678 return ret; 1679 } 1680 #endif /* WITH_OPENSSL */ 1681 1682 int 1683 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1684 { 1685 struct sshkey *k; 1686 int ret = SSH_ERR_INTERNAL_ERROR; 1687 1688 if (keyp == NULL) 1689 return SSH_ERR_INVALID_ARGUMENT; 1690 *keyp = NULL; 1691 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1692 return SSH_ERR_ALLOC_FAIL; 1693 switch (type) { 1694 case KEY_ED25519: 1695 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1696 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1697 ret = SSH_ERR_ALLOC_FAIL; 1698 break; 1699 } 1700 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1701 ret = 0; 1702 break; 1703 #ifdef WITH_XMSS 1704 case KEY_XMSS: 1705 ret = sshkey_xmss_generate_private_key(k, bits); 1706 break; 1707 #endif /* WITH_XMSS */ 1708 #ifdef WITH_OPENSSL 1709 case KEY_DSA: 1710 ret = dsa_generate_private_key(bits, &k->dsa); 1711 break; 1712 case KEY_ECDSA: 1713 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1714 &k->ecdsa); 1715 break; 1716 case KEY_RSA: 1717 ret = rsa_generate_private_key(bits, &k->rsa); 1718 break; 1719 #endif /* WITH_OPENSSL */ 1720 default: 1721 ret = SSH_ERR_INVALID_ARGUMENT; 1722 } 1723 if (ret == 0) { 1724 k->type = type; 1725 *keyp = k; 1726 } else 1727 sshkey_free(k); 1728 return ret; 1729 } 1730 1731 int 1732 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1733 { 1734 u_int i; 1735 const struct sshkey_cert *from; 1736 struct sshkey_cert *to; 1737 int r = SSH_ERR_INTERNAL_ERROR; 1738 1739 if (to_key == NULL || (from = from_key->cert) == NULL) 1740 return SSH_ERR_INVALID_ARGUMENT; 1741 1742 if ((to = cert_new()) == NULL) 1743 return SSH_ERR_ALLOC_FAIL; 1744 1745 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1746 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1747 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1748 goto out; 1749 1750 to->serial = from->serial; 1751 to->type = from->type; 1752 if (from->key_id == NULL) 1753 to->key_id = NULL; 1754 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1755 r = SSH_ERR_ALLOC_FAIL; 1756 goto out; 1757 } 1758 to->valid_after = from->valid_after; 1759 to->valid_before = from->valid_before; 1760 if (from->signature_key == NULL) 1761 to->signature_key = NULL; 1762 else if ((r = sshkey_from_private(from->signature_key, 1763 &to->signature_key)) != 0) 1764 goto out; 1765 if (from->signature_type != NULL && 1766 (to->signature_type = strdup(from->signature_type)) == NULL) { 1767 r = SSH_ERR_ALLOC_FAIL; 1768 goto out; 1769 } 1770 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1771 r = SSH_ERR_INVALID_ARGUMENT; 1772 goto out; 1773 } 1774 if (from->nprincipals > 0) { 1775 if ((to->principals = calloc(from->nprincipals, 1776 sizeof(*to->principals))) == NULL) { 1777 r = SSH_ERR_ALLOC_FAIL; 1778 goto out; 1779 } 1780 for (i = 0; i < from->nprincipals; i++) { 1781 to->principals[i] = strdup(from->principals[i]); 1782 if (to->principals[i] == NULL) { 1783 to->nprincipals = i; 1784 r = SSH_ERR_ALLOC_FAIL; 1785 goto out; 1786 } 1787 } 1788 } 1789 to->nprincipals = from->nprincipals; 1790 1791 /* success */ 1792 cert_free(to_key->cert); 1793 to_key->cert = to; 1794 to = NULL; 1795 r = 0; 1796 out: 1797 cert_free(to); 1798 return r; 1799 } 1800 1801 int 1802 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1803 { 1804 struct sshkey *n = NULL; 1805 int r = SSH_ERR_INTERNAL_ERROR; 1806 #ifdef WITH_OPENSSL 1807 const BIGNUM *rsa_n, *rsa_e; 1808 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1809 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1810 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1811 BIGNUM *dsa_pub_key_dup = NULL; 1812 #endif /* WITH_OPENSSL */ 1813 1814 *pkp = NULL; 1815 if ((n = sshkey_new(k->type)) == NULL) { 1816 r = SSH_ERR_ALLOC_FAIL; 1817 goto out; 1818 } 1819 switch (k->type) { 1820 #ifdef WITH_OPENSSL 1821 case KEY_DSA: 1822 case KEY_DSA_CERT: 1823 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1824 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1825 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1826 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1827 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1828 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1829 r = SSH_ERR_ALLOC_FAIL; 1830 goto out; 1831 } 1832 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1833 r = SSH_ERR_LIBCRYPTO_ERROR; 1834 goto out; 1835 } 1836 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1837 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1838 r = SSH_ERR_LIBCRYPTO_ERROR; 1839 goto out; 1840 } 1841 dsa_pub_key_dup = NULL; /* transferred */ 1842 1843 break; 1844 case KEY_ECDSA: 1845 case KEY_ECDSA_CERT: 1846 case KEY_ECDSA_SK: 1847 case KEY_ECDSA_SK_CERT: 1848 n->ecdsa_nid = k->ecdsa_nid; 1849 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1850 if (n->ecdsa == NULL) { 1851 r = SSH_ERR_ALLOC_FAIL; 1852 goto out; 1853 } 1854 if (EC_KEY_set_public_key(n->ecdsa, 1855 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1856 r = SSH_ERR_LIBCRYPTO_ERROR; 1857 goto out; 1858 } 1859 if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT) 1860 break; 1861 /* Append security-key application string */ 1862 if ((n->sk_application = strdup(k->sk_application)) == NULL) 1863 goto out; 1864 break; 1865 case KEY_RSA: 1866 case KEY_RSA_CERT: 1867 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1868 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1869 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1870 r = SSH_ERR_ALLOC_FAIL; 1871 goto out; 1872 } 1873 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1874 r = SSH_ERR_LIBCRYPTO_ERROR; 1875 goto out; 1876 } 1877 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1878 break; 1879 #endif /* WITH_OPENSSL */ 1880 case KEY_ED25519: 1881 case KEY_ED25519_CERT: 1882 case KEY_ED25519_SK: 1883 case KEY_ED25519_SK_CERT: 1884 if (k->ed25519_pk != NULL) { 1885 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1886 r = SSH_ERR_ALLOC_FAIL; 1887 goto out; 1888 } 1889 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1890 } 1891 if (k->type != KEY_ED25519_SK && 1892 k->type != KEY_ED25519_SK_CERT) 1893 break; 1894 /* Append security-key application string */ 1895 if ((n->sk_application = strdup(k->sk_application)) == NULL) 1896 goto out; 1897 break; 1898 #ifdef WITH_XMSS 1899 case KEY_XMSS: 1900 case KEY_XMSS_CERT: 1901 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1902 goto out; 1903 if (k->xmss_pk != NULL) { 1904 u_int32_t left; 1905 size_t pklen = sshkey_xmss_pklen(k); 1906 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1907 r = SSH_ERR_INTERNAL_ERROR; 1908 goto out; 1909 } 1910 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1911 r = SSH_ERR_ALLOC_FAIL; 1912 goto out; 1913 } 1914 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1915 /* simulate number of signatures left on pubkey */ 1916 left = sshkey_xmss_signatures_left(k); 1917 if (left) 1918 sshkey_xmss_enable_maxsign(n, left); 1919 } 1920 break; 1921 #endif /* WITH_XMSS */ 1922 default: 1923 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1924 goto out; 1925 } 1926 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1927 goto out; 1928 /* success */ 1929 *pkp = n; 1930 n = NULL; 1931 r = 0; 1932 out: 1933 sshkey_free(n); 1934 #ifdef WITH_OPENSSL 1935 BN_clear_free(rsa_n_dup); 1936 BN_clear_free(rsa_e_dup); 1937 BN_clear_free(dsa_p_dup); 1938 BN_clear_free(dsa_q_dup); 1939 BN_clear_free(dsa_g_dup); 1940 BN_clear_free(dsa_pub_key_dup); 1941 #endif /* WITH_OPENSSL */ 1942 1943 return r; 1944 } 1945 1946 int 1947 sshkey_is_shielded(struct sshkey *k) 1948 { 1949 return k != NULL && k->shielded_private != NULL; 1950 } 1951 1952 int 1953 sshkey_shield_private(struct sshkey *k) 1954 { 1955 struct sshbuf *prvbuf = NULL; 1956 u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; 1957 struct sshcipher_ctx *cctx = NULL; 1958 const struct sshcipher *cipher; 1959 size_t i, enclen = 0; 1960 struct sshkey *kswap = NULL, tmp; 1961 int r = SSH_ERR_INTERNAL_ERROR; 1962 1963 #ifdef DEBUG_PK 1964 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1965 #endif 1966 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1967 r = SSH_ERR_INVALID_ARGUMENT; 1968 goto out; 1969 } 1970 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1971 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1972 r = SSH_ERR_INTERNAL_ERROR; 1973 goto out; 1974 } 1975 1976 /* Prepare a random pre-key, and from it an ephemeral key */ 1977 if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) { 1978 r = SSH_ERR_ALLOC_FAIL; 1979 goto out; 1980 } 1981 arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1982 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1983 prekey, SSHKEY_SHIELD_PREKEY_LEN, 1984 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1985 goto out; 1986 #ifdef DEBUG_PK 1987 fprintf(stderr, "%s: key+iv\n", __func__); 1988 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1989 stderr); 1990 #endif 1991 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1992 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) 1993 goto out; 1994 1995 /* Serialise and encrypt the private key using the ephemeral key */ 1996 if ((prvbuf = sshbuf_new()) == NULL) { 1997 r = SSH_ERR_ALLOC_FAIL; 1998 goto out; 1999 } 2000 if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) 2001 goto out; 2002 if ((r = sshkey_private_serialize_opt(k, prvbuf, 2003 SSHKEY_SERIALIZE_SHIELD)) != 0) 2004 goto out; 2005 /* pad to cipher blocksize */ 2006 i = 0; 2007 while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { 2008 if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) 2009 goto out; 2010 } 2011 #ifdef DEBUG_PK 2012 fprintf(stderr, "%s: serialised\n", __func__); 2013 sshbuf_dump(prvbuf, stderr); 2014 #endif 2015 /* encrypt */ 2016 enclen = sshbuf_len(prvbuf); 2017 if ((enc = malloc(enclen)) == NULL) { 2018 r = SSH_ERR_ALLOC_FAIL; 2019 goto out; 2020 } 2021 if ((r = cipher_crypt(cctx, 0, enc, 2022 sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) 2023 goto out; 2024 #ifdef DEBUG_PK 2025 fprintf(stderr, "%s: encrypted\n", __func__); 2026 sshbuf_dump_data(enc, enclen, stderr); 2027 #endif 2028 2029 /* Make a scrubbed, public-only copy of our private key argument */ 2030 if ((r = sshkey_from_private(k, &kswap)) != 0) 2031 goto out; 2032 2033 /* Swap the private key out (it will be destroyed below) */ 2034 tmp = *kswap; 2035 *kswap = *k; 2036 *k = tmp; 2037 2038 /* Insert the shielded key into our argument */ 2039 k->shielded_private = enc; 2040 k->shielded_len = enclen; 2041 k->shield_prekey = prekey; 2042 k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; 2043 enc = prekey = NULL; /* transferred */ 2044 enclen = 0; 2045 2046 /* preserve key fields that are required for correct operation */ 2047 k->sk_flags = kswap->sk_flags; 2048 2049 /* success */ 2050 r = 0; 2051 2052 out: 2053 /* XXX behaviour on error - invalidate original private key? */ 2054 cipher_free(cctx); 2055 explicit_bzero(keyiv, sizeof(keyiv)); 2056 explicit_bzero(&tmp, sizeof(tmp)); 2057 freezero(enc, enclen); 2058 freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN); 2059 sshkey_free(kswap); 2060 sshbuf_free(prvbuf); 2061 return r; 2062 } 2063 2064 int 2065 sshkey_unshield_private(struct sshkey *k) 2066 { 2067 struct sshbuf *prvbuf = NULL; 2068 u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; 2069 struct sshcipher_ctx *cctx = NULL; 2070 const struct sshcipher *cipher; 2071 size_t i; 2072 struct sshkey *kswap = NULL, tmp; 2073 int r = SSH_ERR_INTERNAL_ERROR; 2074 2075 #ifdef DEBUG_PK 2076 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 2077 #endif 2078 if (!sshkey_is_shielded(k)) 2079 return 0; /* nothing to do */ 2080 2081 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 2082 r = SSH_ERR_INVALID_ARGUMENT; 2083 goto out; 2084 } 2085 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 2086 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 2087 r = SSH_ERR_INTERNAL_ERROR; 2088 goto out; 2089 } 2090 /* check size of shielded key blob */ 2091 if (k->shielded_len < cipher_blocksize(cipher) || 2092 (k->shielded_len % cipher_blocksize(cipher)) != 0) { 2093 r = SSH_ERR_INVALID_FORMAT; 2094 goto out; 2095 } 2096 2097 /* Calculate the ephemeral key from the prekey */ 2098 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 2099 k->shield_prekey, k->shield_prekey_len, 2100 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 2101 goto out; 2102 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 2103 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) 2104 goto out; 2105 #ifdef DEBUG_PK 2106 fprintf(stderr, "%s: key+iv\n", __func__); 2107 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 2108 stderr); 2109 #endif 2110 2111 /* Decrypt and parse the shielded private key using the ephemeral key */ 2112 if ((prvbuf = sshbuf_new()) == NULL) { 2113 r = SSH_ERR_ALLOC_FAIL; 2114 goto out; 2115 } 2116 if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) 2117 goto out; 2118 /* decrypt */ 2119 #ifdef DEBUG_PK 2120 fprintf(stderr, "%s: encrypted\n", __func__); 2121 sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); 2122 #endif 2123 if ((r = cipher_crypt(cctx, 0, cp, 2124 k->shielded_private, k->shielded_len, 0, 0)) != 0) 2125 goto out; 2126 #ifdef DEBUG_PK 2127 fprintf(stderr, "%s: serialised\n", __func__); 2128 sshbuf_dump(prvbuf, stderr); 2129 #endif 2130 /* Parse private key */ 2131 if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) 2132 goto out; 2133 /* Check deterministic padding */ 2134 i = 0; 2135 while (sshbuf_len(prvbuf)) { 2136 if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0) 2137 goto out; 2138 if (pad != (++i & 0xff)) { 2139 r = SSH_ERR_INVALID_FORMAT; 2140 goto out; 2141 } 2142 } 2143 2144 /* Swap the parsed key back into place */ 2145 tmp = *kswap; 2146 *kswap = *k; 2147 *k = tmp; 2148 2149 /* success */ 2150 r = 0; 2151 2152 out: 2153 cipher_free(cctx); 2154 explicit_bzero(keyiv, sizeof(keyiv)); 2155 explicit_bzero(&tmp, sizeof(tmp)); 2156 sshkey_free(kswap); 2157 sshbuf_free(prvbuf); 2158 return r; 2159 } 2160 2161 static int 2162 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 2163 { 2164 struct sshbuf *principals = NULL, *crit = NULL; 2165 struct sshbuf *exts = NULL, *ca = NULL; 2166 u_char *sig = NULL; 2167 size_t signed_len = 0, slen = 0, kidlen = 0; 2168 int ret = SSH_ERR_INTERNAL_ERROR; 2169 2170 /* Copy the entire key blob for verification and later serialisation */ 2171 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 2172 return ret; 2173 2174 /* Parse body of certificate up to signature */ 2175 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 2176 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 2177 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 2178 (ret = sshbuf_froms(b, &principals)) != 0 || 2179 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 2180 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 2181 (ret = sshbuf_froms(b, &crit)) != 0 || 2182 (ret = sshbuf_froms(b, &exts)) != 0 || 2183 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 2184 (ret = sshbuf_froms(b, &ca)) != 0) { 2185 /* XXX debug print error for ret */ 2186 ret = SSH_ERR_INVALID_FORMAT; 2187 goto out; 2188 } 2189 2190 /* Signature is left in the buffer so we can calculate this length */ 2191 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 2192 2193 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 2194 ret = SSH_ERR_INVALID_FORMAT; 2195 goto out; 2196 } 2197 2198 if (key->cert->type != SSH2_CERT_TYPE_USER && 2199 key->cert->type != SSH2_CERT_TYPE_HOST) { 2200 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 2201 goto out; 2202 } 2203 2204 /* Parse principals section */ 2205 while (sshbuf_len(principals) > 0) { 2206 char *principal = NULL; 2207 char **oprincipals = NULL; 2208 2209 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 2210 ret = SSH_ERR_INVALID_FORMAT; 2211 goto out; 2212 } 2213 if ((ret = sshbuf_get_cstring(principals, &principal, 2214 NULL)) != 0) { 2215 ret = SSH_ERR_INVALID_FORMAT; 2216 goto out; 2217 } 2218 oprincipals = key->cert->principals; 2219 key->cert->principals = recallocarray(key->cert->principals, 2220 key->cert->nprincipals, key->cert->nprincipals + 1, 2221 sizeof(*key->cert->principals)); 2222 if (key->cert->principals == NULL) { 2223 free(principal); 2224 key->cert->principals = oprincipals; 2225 ret = SSH_ERR_ALLOC_FAIL; 2226 goto out; 2227 } 2228 key->cert->principals[key->cert->nprincipals++] = principal; 2229 } 2230 2231 /* 2232 * Stash a copies of the critical options and extensions sections 2233 * for later use. 2234 */ 2235 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 2236 (exts != NULL && 2237 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 2238 goto out; 2239 2240 /* 2241 * Validate critical options and extensions sections format. 2242 */ 2243 while (sshbuf_len(crit) != 0) { 2244 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 2245 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 2246 sshbuf_reset(key->cert->critical); 2247 ret = SSH_ERR_INVALID_FORMAT; 2248 goto out; 2249 } 2250 } 2251 while (exts != NULL && sshbuf_len(exts) != 0) { 2252 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 2253 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 2254 sshbuf_reset(key->cert->extensions); 2255 ret = SSH_ERR_INVALID_FORMAT; 2256 goto out; 2257 } 2258 } 2259 2260 /* Parse CA key and check signature */ 2261 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 2262 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2263 goto out; 2264 } 2265 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 2266 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2267 goto out; 2268 } 2269 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 2270 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) 2271 goto out; 2272 if ((ret = sshkey_get_sigtype(sig, slen, 2273 &key->cert->signature_type)) != 0) 2274 goto out; 2275 2276 /* Success */ 2277 ret = 0; 2278 out: 2279 sshbuf_free(ca); 2280 sshbuf_free(crit); 2281 sshbuf_free(exts); 2282 sshbuf_free(principals); 2283 free(sig); 2284 return ret; 2285 } 2286 2287 #ifdef WITH_OPENSSL 2288 static int 2289 check_rsa_length(const RSA *rsa) 2290 { 2291 const BIGNUM *rsa_n; 2292 2293 RSA_get0_key(rsa, &rsa_n, NULL, NULL); 2294 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 2295 return SSH_ERR_KEY_LENGTH; 2296 return 0; 2297 } 2298 #endif /* WITH_OPENSSL */ 2299 2300 static int 2301 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 2302 int allow_cert) 2303 { 2304 int type, ret = SSH_ERR_INTERNAL_ERROR; 2305 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 2306 struct sshkey *key = NULL; 2307 size_t len; 2308 u_char *pk = NULL; 2309 struct sshbuf *copy; 2310 #ifdef WITH_OPENSSL 2311 EC_POINT *q = NULL, *qq = NULL; 2312 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 2313 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 2314 #endif /* WITH_OPENSSL */ 2315 2316 #ifdef DEBUG_PK /* XXX */ 2317 sshbuf_dump(b, stderr); 2318 #endif 2319 if (keyp != NULL) 2320 *keyp = NULL; 2321 if ((copy = sshbuf_fromb(b)) == NULL) { 2322 ret = SSH_ERR_ALLOC_FAIL; 2323 goto out; 2324 } 2325 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 2326 ret = SSH_ERR_INVALID_FORMAT; 2327 goto out; 2328 } 2329 2330 type = sshkey_type_from_name(ktype); 2331 if (!allow_cert && sshkey_type_is_cert(type)) { 2332 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2333 goto out; 2334 } 2335 switch (type) { 2336 #ifdef WITH_OPENSSL 2337 case KEY_RSA_CERT: 2338 /* Skip nonce */ 2339 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2340 ret = SSH_ERR_INVALID_FORMAT; 2341 goto out; 2342 } 2343 /* FALLTHROUGH */ 2344 case KEY_RSA: 2345 if ((key = sshkey_new(type)) == NULL) { 2346 ret = SSH_ERR_ALLOC_FAIL; 2347 goto out; 2348 } 2349 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2350 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2351 ret = SSH_ERR_INVALID_FORMAT; 2352 goto out; 2353 } 2354 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2355 ret = SSH_ERR_LIBCRYPTO_ERROR; 2356 goto out; 2357 } 2358 rsa_n = rsa_e = NULL; /* transferred */ 2359 if ((ret = check_rsa_length(key->rsa)) != 0) 2360 goto out; 2361 #ifdef DEBUG_PK 2362 RSA_print_fp(stderr, key->rsa, 8); 2363 #endif 2364 break; 2365 case KEY_DSA_CERT: 2366 /* Skip nonce */ 2367 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2368 ret = SSH_ERR_INVALID_FORMAT; 2369 goto out; 2370 } 2371 /* FALLTHROUGH */ 2372 case KEY_DSA: 2373 if ((key = sshkey_new(type)) == NULL) { 2374 ret = SSH_ERR_ALLOC_FAIL; 2375 goto out; 2376 } 2377 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2378 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2379 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2380 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2381 ret = SSH_ERR_INVALID_FORMAT; 2382 goto out; 2383 } 2384 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2385 ret = SSH_ERR_LIBCRYPTO_ERROR; 2386 goto out; 2387 } 2388 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2389 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2390 ret = SSH_ERR_LIBCRYPTO_ERROR; 2391 goto out; 2392 } 2393 dsa_pub_key = NULL; /* transferred */ 2394 #ifdef DEBUG_PK 2395 DSA_print_fp(stderr, key->dsa, 8); 2396 #endif 2397 break; 2398 case KEY_ECDSA_CERT: 2399 case KEY_ECDSA_SK_CERT: 2400 /* Skip nonce */ 2401 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2402 ret = SSH_ERR_INVALID_FORMAT; 2403 goto out; 2404 } 2405 /* FALLTHROUGH */ 2406 case KEY_ECDSA: 2407 case KEY_ECDSA_SK: 2408 if ((key = sshkey_new(type)) == NULL) { 2409 ret = SSH_ERR_ALLOC_FAIL; 2410 goto out; 2411 } 2412 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2413 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2414 ret = SSH_ERR_INVALID_FORMAT; 2415 goto out; 2416 } 2417 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2418 ret = SSH_ERR_EC_CURVE_MISMATCH; 2419 goto out; 2420 } 2421 EC_KEY_free(key->ecdsa); 2422 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2423 == NULL) { 2424 ret = SSH_ERR_EC_CURVE_INVALID; 2425 goto out; 2426 } 2427 if ((qq = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2428 ret = SSH_ERR_ALLOC_FAIL; 2429 goto out; 2430 } 2431 if (sshbuf_get_ec(b, qq, EC_KEY_get0_group(key->ecdsa)) != 0) { 2432 ret = SSH_ERR_INVALID_FORMAT; 2433 goto out; 2434 } 2435 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2436 qq) != 0) { 2437 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2438 goto out; 2439 } 2440 if (EC_KEY_set_public_key(key->ecdsa, qq) != 1) { 2441 /* XXX assume it is a allocation error */ 2442 ret = SSH_ERR_ALLOC_FAIL; 2443 goto out; 2444 } 2445 #ifdef DEBUG_PK 2446 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), qq); 2447 #endif 2448 if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) { 2449 /* Parse additional security-key application string */ 2450 if (sshbuf_get_cstring(b, &key->sk_application, 2451 NULL) != 0) { 2452 ret = SSH_ERR_INVALID_FORMAT; 2453 goto out; 2454 } 2455 #ifdef DEBUG_PK 2456 fprintf(stderr, "App: %s\n", key->sk_application); 2457 #endif 2458 } 2459 break; 2460 #endif /* WITH_OPENSSL */ 2461 case KEY_ED25519_CERT: 2462 case KEY_ED25519_SK_CERT: 2463 /* Skip nonce */ 2464 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2465 ret = SSH_ERR_INVALID_FORMAT; 2466 goto out; 2467 } 2468 /* FALLTHROUGH */ 2469 case KEY_ED25519: 2470 case KEY_ED25519_SK: 2471 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2472 goto out; 2473 if (len != ED25519_PK_SZ) { 2474 ret = SSH_ERR_INVALID_FORMAT; 2475 goto out; 2476 } 2477 if ((key = sshkey_new(type)) == NULL) { 2478 ret = SSH_ERR_ALLOC_FAIL; 2479 goto out; 2480 } 2481 if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) { 2482 /* Parse additional security-key application string */ 2483 if (sshbuf_get_cstring(b, &key->sk_application, 2484 NULL) != 0) { 2485 ret = SSH_ERR_INVALID_FORMAT; 2486 goto out; 2487 } 2488 #ifdef DEBUG_PK 2489 fprintf(stderr, "App: %s\n", key->sk_application); 2490 #endif 2491 } 2492 key->ed25519_pk = pk; 2493 pk = NULL; 2494 break; 2495 #ifdef WITH_XMSS 2496 case KEY_XMSS_CERT: 2497 /* Skip nonce */ 2498 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2499 ret = SSH_ERR_INVALID_FORMAT; 2500 goto out; 2501 } 2502 /* FALLTHROUGH */ 2503 case KEY_XMSS: 2504 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2505 goto out; 2506 if ((key = sshkey_new(type)) == NULL) { 2507 ret = SSH_ERR_ALLOC_FAIL; 2508 goto out; 2509 } 2510 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2511 goto out; 2512 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2513 goto out; 2514 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2515 ret = SSH_ERR_INVALID_FORMAT; 2516 goto out; 2517 } 2518 key->xmss_pk = pk; 2519 pk = NULL; 2520 if (type != KEY_XMSS_CERT && 2521 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2522 goto out; 2523 break; 2524 #endif /* WITH_XMSS */ 2525 case KEY_UNSPEC: 2526 default: 2527 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2528 goto out; 2529 } 2530 2531 /* Parse certificate potion */ 2532 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2533 goto out; 2534 2535 if (key != NULL && sshbuf_len(b) != 0) { 2536 ret = SSH_ERR_INVALID_FORMAT; 2537 goto out; 2538 } 2539 ret = 0; 2540 if (keyp != NULL) { 2541 *keyp = key; 2542 key = NULL; 2543 } 2544 out: 2545 sshbuf_free(copy); 2546 sshkey_free(key); 2547 free(xmss_name); 2548 free(ktype); 2549 free(curve); 2550 free(pk); 2551 #ifdef WITH_OPENSSL 2552 EC_POINT_free(q); 2553 BN_clear_free(rsa_n); 2554 BN_clear_free(rsa_e); 2555 BN_clear_free(dsa_p); 2556 BN_clear_free(dsa_q); 2557 BN_clear_free(dsa_g); 2558 BN_clear_free(dsa_pub_key); 2559 #endif /* WITH_OPENSSL */ 2560 return ret; 2561 } 2562 2563 int 2564 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2565 { 2566 struct sshbuf *b; 2567 int r; 2568 2569 if ((b = sshbuf_from(blob, blen)) == NULL) 2570 return SSH_ERR_ALLOC_FAIL; 2571 r = sshkey_from_blob_internal(b, keyp, 1); 2572 sshbuf_free(b); 2573 return r; 2574 } 2575 2576 int 2577 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2578 { 2579 return sshkey_from_blob_internal(b, keyp, 1); 2580 } 2581 2582 int 2583 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2584 { 2585 struct sshbuf *b; 2586 int r; 2587 2588 if ((r = sshbuf_froms(buf, &b)) != 0) 2589 return r; 2590 r = sshkey_from_blob_internal(b, keyp, 1); 2591 sshbuf_free(b); 2592 return r; 2593 } 2594 2595 int 2596 sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2597 { 2598 int r; 2599 struct sshbuf *b = NULL; 2600 char *sigtype = NULL; 2601 2602 if (sigtypep != NULL) 2603 *sigtypep = NULL; 2604 if ((b = sshbuf_from(sig, siglen)) == NULL) 2605 return SSH_ERR_ALLOC_FAIL; 2606 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2607 goto out; 2608 /* success */ 2609 if (sigtypep != NULL) { 2610 *sigtypep = sigtype; 2611 sigtype = NULL; 2612 } 2613 r = 0; 2614 out: 2615 free(sigtype); 2616 sshbuf_free(b); 2617 return r; 2618 } 2619 2620 /* 2621 * 2622 * Checks whether a certificate's signature type is allowed. 2623 * Returns 0 (success) if the certificate signature type appears in the 2624 * "allowed" pattern-list, or the key is not a certificate to begin with. 2625 * Otherwise returns a ssherr.h code. 2626 */ 2627 int 2628 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2629 { 2630 if (key == NULL || allowed == NULL) 2631 return SSH_ERR_INVALID_ARGUMENT; 2632 if (!sshkey_type_is_cert(key->type)) 2633 return 0; 2634 if (key->cert == NULL || key->cert->signature_type == NULL) 2635 return SSH_ERR_INVALID_ARGUMENT; 2636 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2637 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2638 return 0; 2639 } 2640 2641 /* 2642 * Returns the expected signature algorithm for a given public key algorithm. 2643 */ 2644 const char * 2645 sshkey_sigalg_by_name(const char *name) 2646 { 2647 const struct keytype *kt; 2648 2649 for (kt = keytypes; kt->type != -1; kt++) { 2650 if (strcmp(kt->name, name) != 0) 2651 continue; 2652 if (kt->sigalg != NULL) 2653 return kt->sigalg; 2654 if (!kt->cert) 2655 return kt->name; 2656 return sshkey_ssh_name_from_type_nid( 2657 sshkey_type_plain(kt->type), kt->nid); 2658 } 2659 return NULL; 2660 } 2661 2662 /* 2663 * Verifies that the signature algorithm appearing inside the signature blob 2664 * matches that which was requested. 2665 */ 2666 int 2667 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2668 const char *requested_alg) 2669 { 2670 const char *expected_alg; 2671 char *sigtype = NULL; 2672 int r; 2673 2674 if (requested_alg == NULL) 2675 return 0; 2676 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2677 return SSH_ERR_INVALID_ARGUMENT; 2678 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) 2679 return r; 2680 r = strcmp(expected_alg, sigtype) == 0; 2681 free(sigtype); 2682 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2683 } 2684 2685 int 2686 sshkey_sign(struct sshkey *key, 2687 u_char **sigp, size_t *lenp, 2688 const u_char *data, size_t datalen, 2689 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 2690 { 2691 int was_shielded = sshkey_is_shielded(key); 2692 int r2, r = SSH_ERR_INTERNAL_ERROR; 2693 2694 if (sigp != NULL) 2695 *sigp = NULL; 2696 if (lenp != NULL) 2697 *lenp = 0; 2698 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2699 return SSH_ERR_INVALID_ARGUMENT; 2700 if ((r = sshkey_unshield_private(key)) != 0) 2701 return r; 2702 switch (key->type) { 2703 #ifdef WITH_OPENSSL 2704 case KEY_DSA_CERT: 2705 case KEY_DSA: 2706 r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2707 break; 2708 case KEY_ECDSA_CERT: 2709 case KEY_ECDSA: 2710 r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2711 break; 2712 case KEY_RSA_CERT: 2713 case KEY_RSA: 2714 r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2715 break; 2716 #endif /* WITH_OPENSSL */ 2717 case KEY_ED25519: 2718 case KEY_ED25519_CERT: 2719 r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2720 break; 2721 case KEY_ED25519_SK: 2722 case KEY_ED25519_SK_CERT: 2723 case KEY_ECDSA_SK_CERT: 2724 case KEY_ECDSA_SK: 2725 r = sshsk_sign(sk_provider, key, sigp, lenp, data, 2726 datalen, compat, sk_pin); 2727 break; 2728 #ifdef WITH_XMSS 2729 case KEY_XMSS: 2730 case KEY_XMSS_CERT: 2731 r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2732 break; 2733 #endif /* WITH_XMSS */ 2734 default: 2735 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2736 break; 2737 } 2738 if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) 2739 return r2; 2740 return r; 2741 } 2742 2743 /* 2744 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2745 * If "alg" specified, then the signature must use that algorithm. 2746 */ 2747 int 2748 sshkey_verify(const struct sshkey *key, 2749 const u_char *sig, size_t siglen, 2750 const u_char *data, size_t dlen, const char *alg, u_int compat, 2751 struct sshkey_sig_details **detailsp) 2752 { 2753 if (detailsp != NULL) 2754 *detailsp = NULL; 2755 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2756 return SSH_ERR_INVALID_ARGUMENT; 2757 switch (key->type) { 2758 #ifdef WITH_OPENSSL 2759 case KEY_DSA_CERT: 2760 case KEY_DSA: 2761 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2762 case KEY_ECDSA_CERT: 2763 case KEY_ECDSA: 2764 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2765 case KEY_ECDSA_SK_CERT: 2766 case KEY_ECDSA_SK: 2767 return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen, 2768 compat, detailsp); 2769 case KEY_RSA_CERT: 2770 case KEY_RSA: 2771 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2772 #endif /* WITH_OPENSSL */ 2773 case KEY_ED25519: 2774 case KEY_ED25519_CERT: 2775 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2776 case KEY_ED25519_SK: 2777 case KEY_ED25519_SK_CERT: 2778 return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen, 2779 compat, detailsp); 2780 #ifdef WITH_XMSS 2781 case KEY_XMSS: 2782 case KEY_XMSS_CERT: 2783 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2784 #endif /* WITH_XMSS */ 2785 default: 2786 return SSH_ERR_KEY_TYPE_UNKNOWN; 2787 } 2788 } 2789 2790 /* Convert a plain key to their _CERT equivalent */ 2791 int 2792 sshkey_to_certified(struct sshkey *k) 2793 { 2794 int newtype; 2795 2796 switch (k->type) { 2797 #ifdef WITH_OPENSSL 2798 case KEY_RSA: 2799 newtype = KEY_RSA_CERT; 2800 break; 2801 case KEY_DSA: 2802 newtype = KEY_DSA_CERT; 2803 break; 2804 case KEY_ECDSA: 2805 newtype = KEY_ECDSA_CERT; 2806 break; 2807 case KEY_ECDSA_SK: 2808 newtype = KEY_ECDSA_SK_CERT; 2809 break; 2810 #endif /* WITH_OPENSSL */ 2811 case KEY_ED25519_SK: 2812 newtype = KEY_ED25519_SK_CERT; 2813 break; 2814 case KEY_ED25519: 2815 newtype = KEY_ED25519_CERT; 2816 break; 2817 #ifdef WITH_XMSS 2818 case KEY_XMSS: 2819 newtype = KEY_XMSS_CERT; 2820 break; 2821 #endif /* WITH_XMSS */ 2822 default: 2823 return SSH_ERR_INVALID_ARGUMENT; 2824 } 2825 if ((k->cert = cert_new()) == NULL) 2826 return SSH_ERR_ALLOC_FAIL; 2827 k->type = newtype; 2828 return 0; 2829 } 2830 2831 /* Convert a certificate to its raw key equivalent */ 2832 int 2833 sshkey_drop_cert(struct sshkey *k) 2834 { 2835 if (!sshkey_type_is_cert(k->type)) 2836 return SSH_ERR_KEY_TYPE_UNKNOWN; 2837 cert_free(k->cert); 2838 k->cert = NULL; 2839 k->type = sshkey_type_plain(k->type); 2840 return 0; 2841 } 2842 2843 /* Sign a certified key, (re-)generating the signed certblob. */ 2844 int 2845 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2846 const char *sk_provider, const char *sk_pin, 2847 sshkey_certify_signer *signer, void *signer_ctx) 2848 { 2849 struct sshbuf *principals = NULL; 2850 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2851 size_t i, ca_len, sig_len; 2852 int ret = SSH_ERR_INTERNAL_ERROR; 2853 struct sshbuf *cert = NULL; 2854 char *sigtype = NULL; 2855 #ifdef WITH_OPENSSL 2856 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2857 #endif /* WITH_OPENSSL */ 2858 2859 if (k == NULL || k->cert == NULL || 2860 k->cert->certblob == NULL || ca == NULL) 2861 return SSH_ERR_INVALID_ARGUMENT; 2862 if (!sshkey_is_cert(k)) 2863 return SSH_ERR_KEY_TYPE_UNKNOWN; 2864 if (!sshkey_type_is_valid_ca(ca->type)) 2865 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2866 2867 /* 2868 * If no alg specified as argument but a signature_type was set, 2869 * then prefer that. If both were specified, then they must match. 2870 */ 2871 if (alg == NULL) 2872 alg = k->cert->signature_type; 2873 else if (k->cert->signature_type != NULL && 2874 strcmp(alg, k->cert->signature_type) != 0) 2875 return SSH_ERR_INVALID_ARGUMENT; 2876 2877 /* 2878 * If no signing algorithm or signature_type was specified and we're 2879 * using a RSA key, then default to a good signature algorithm. 2880 */ 2881 if (alg == NULL && ca->type == KEY_RSA) 2882 alg = "rsa-sha2-512"; 2883 2884 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2885 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2886 2887 cert = k->cert->certblob; /* for readability */ 2888 sshbuf_reset(cert); 2889 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2890 goto out; 2891 2892 /* -v01 certs put nonce first */ 2893 arc4random_buf(&nonce, sizeof(nonce)); 2894 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2895 goto out; 2896 2897 /* XXX this substantially duplicates to_blob(); refactor */ 2898 switch (k->type) { 2899 #ifdef WITH_OPENSSL 2900 case KEY_DSA_CERT: 2901 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2902 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2903 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2904 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2905 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2906 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2907 goto out; 2908 break; 2909 case KEY_ECDSA_CERT: 2910 case KEY_ECDSA_SK_CERT: 2911 if ((ret = sshbuf_put_cstring(cert, 2912 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2913 (ret = sshbuf_put_ec(cert, 2914 EC_KEY_get0_public_key(k->ecdsa), 2915 EC_KEY_get0_group(k->ecdsa))) != 0) 2916 goto out; 2917 if (k->type == KEY_ECDSA_SK_CERT) { 2918 if ((ret = sshbuf_put_cstring(cert, 2919 k->sk_application)) != 0) 2920 goto out; 2921 } 2922 break; 2923 case KEY_RSA_CERT: 2924 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2925 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2926 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2927 goto out; 2928 break; 2929 #endif /* WITH_OPENSSL */ 2930 case KEY_ED25519_CERT: 2931 case KEY_ED25519_SK_CERT: 2932 if ((ret = sshbuf_put_string(cert, 2933 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2934 goto out; 2935 if (k->type == KEY_ED25519_SK_CERT) { 2936 if ((ret = sshbuf_put_cstring(cert, 2937 k->sk_application)) != 0) 2938 goto out; 2939 } 2940 break; 2941 #ifdef WITH_XMSS 2942 case KEY_XMSS_CERT: 2943 if (k->xmss_name == NULL) { 2944 ret = SSH_ERR_INVALID_ARGUMENT; 2945 goto out; 2946 } 2947 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2948 (ret = sshbuf_put_string(cert, 2949 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2950 goto out; 2951 break; 2952 #endif /* WITH_XMSS */ 2953 default: 2954 ret = SSH_ERR_INVALID_ARGUMENT; 2955 goto out; 2956 } 2957 2958 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2959 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2960 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2961 goto out; 2962 2963 if ((principals = sshbuf_new()) == NULL) { 2964 ret = SSH_ERR_ALLOC_FAIL; 2965 goto out; 2966 } 2967 for (i = 0; i < k->cert->nprincipals; i++) { 2968 if ((ret = sshbuf_put_cstring(principals, 2969 k->cert->principals[i])) != 0) 2970 goto out; 2971 } 2972 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2973 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2974 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2975 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2976 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2977 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2978 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2979 goto out; 2980 2981 /* Sign the whole mess */ 2982 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2983 sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) 2984 goto out; 2985 /* Check and update signature_type against what was actually used */ 2986 if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2987 goto out; 2988 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2989 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2990 goto out; 2991 } 2992 if (k->cert->signature_type == NULL) { 2993 k->cert->signature_type = sigtype; 2994 sigtype = NULL; 2995 } 2996 /* Append signature and we are done */ 2997 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2998 goto out; 2999 ret = 0; 3000 out: 3001 if (ret != 0) 3002 sshbuf_reset(cert); 3003 free(sig_blob); 3004 free(ca_blob); 3005 free(sigtype); 3006 sshbuf_free(principals); 3007 return ret; 3008 } 3009 3010 static int 3011 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, 3012 const u_char *data, size_t datalen, 3013 const char *alg, const char *sk_provider, const char *sk_pin, 3014 u_int compat, void *ctx) 3015 { 3016 if (ctx != NULL) 3017 return SSH_ERR_INVALID_ARGUMENT; 3018 return sshkey_sign(key, sigp, lenp, data, datalen, alg, 3019 sk_provider, sk_pin, compat); 3020 } 3021 3022 int 3023 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, 3024 const char *sk_provider, const char *sk_pin) 3025 { 3026 return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, 3027 default_key_sign, NULL); 3028 } 3029 3030 int 3031 sshkey_cert_check_authority(const struct sshkey *k, 3032 int want_host, int require_principal, int wildcard_pattern, 3033 const char *name, const char **reason) 3034 { 3035 u_int i, principal_matches; 3036 time_t now = time(NULL); 3037 3038 if (reason == NULL) 3039 return SSH_ERR_INVALID_ARGUMENT; 3040 if (!sshkey_is_cert(k)) { 3041 *reason = "Key is not a certificate"; 3042 return SSH_ERR_KEY_CERT_INVALID; 3043 } 3044 if (want_host) { 3045 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 3046 *reason = "Certificate invalid: not a host certificate"; 3047 return SSH_ERR_KEY_CERT_INVALID; 3048 } 3049 } else { 3050 if (k->cert->type != SSH2_CERT_TYPE_USER) { 3051 *reason = "Certificate invalid: not a user certificate"; 3052 return SSH_ERR_KEY_CERT_INVALID; 3053 } 3054 } 3055 if (now < 0) { 3056 /* yikes - system clock before epoch! */ 3057 *reason = "Certificate invalid: not yet valid"; 3058 return SSH_ERR_KEY_CERT_INVALID; 3059 } 3060 if ((u_int64_t)now < k->cert->valid_after) { 3061 *reason = "Certificate invalid: not yet valid"; 3062 return SSH_ERR_KEY_CERT_INVALID; 3063 } 3064 if ((u_int64_t)now >= k->cert->valid_before) { 3065 *reason = "Certificate invalid: expired"; 3066 return SSH_ERR_KEY_CERT_INVALID; 3067 } 3068 if (k->cert->nprincipals == 0) { 3069 if (require_principal) { 3070 *reason = "Certificate lacks principal list"; 3071 return SSH_ERR_KEY_CERT_INVALID; 3072 } 3073 } else if (name != NULL) { 3074 principal_matches = 0; 3075 for (i = 0; i < k->cert->nprincipals; i++) { 3076 if (wildcard_pattern) { 3077 if (match_pattern(k->cert->principals[i], 3078 name)) { 3079 principal_matches = 1; 3080 break; 3081 } 3082 } else if (strcmp(name, k->cert->principals[i]) == 0) { 3083 principal_matches = 1; 3084 break; 3085 } 3086 } 3087 if (!principal_matches) { 3088 *reason = "Certificate invalid: name is not a listed " 3089 "principal"; 3090 return SSH_ERR_KEY_CERT_INVALID; 3091 } 3092 } 3093 return 0; 3094 } 3095 3096 int 3097 sshkey_cert_check_host(const struct sshkey *key, const char *host, 3098 int wildcard_principals, const char *ca_sign_algorithms, 3099 const char **reason) 3100 { 3101 int r; 3102 3103 if ((r = sshkey_cert_check_authority(key, 1, 0, wildcard_principals, 3104 host, reason)) != 0) 3105 return r; 3106 if (sshbuf_len(key->cert->critical) != 0) { 3107 *reason = "Certificate contains unsupported critical options"; 3108 return SSH_ERR_KEY_CERT_INVALID; 3109 } 3110 if (ca_sign_algorithms != NULL && 3111 (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { 3112 *reason = "Certificate signed with disallowed algorithm"; 3113 return SSH_ERR_KEY_CERT_INVALID; 3114 } 3115 return 0; 3116 } 3117 3118 size_t 3119 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 3120 { 3121 char from[32], to[32], ret[128]; 3122 time_t tt; 3123 struct tm *tm; 3124 3125 *from = *to = '\0'; 3126 if (cert->valid_after == 0 && 3127 cert->valid_before == 0xffffffffffffffffULL) 3128 return strlcpy(s, "forever", l); 3129 3130 if (cert->valid_after != 0) { 3131 /* XXX revisit INT_MAX in 2038 :) */ 3132 tt = cert->valid_after > INT_MAX ? 3133 INT_MAX : cert->valid_after; 3134 tm = localtime(&tt); 3135 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 3136 } 3137 if (cert->valid_before != 0xffffffffffffffffULL) { 3138 /* XXX revisit INT_MAX in 2038 :) */ 3139 tt = cert->valid_before > INT_MAX ? 3140 INT_MAX : cert->valid_before; 3141 tm = localtime(&tt); 3142 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 3143 } 3144 3145 if (cert->valid_after == 0) 3146 snprintf(ret, sizeof(ret), "before %s", to); 3147 else if (cert->valid_before == 0xffffffffffffffffULL) 3148 snprintf(ret, sizeof(ret), "after %s", from); 3149 else 3150 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 3151 3152 return strlcpy(s, ret, l); 3153 } 3154 3155 int 3156 sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, 3157 enum sshkey_serialize_rep opts) 3158 { 3159 int r = SSH_ERR_INTERNAL_ERROR; 3160 int was_shielded = sshkey_is_shielded(key); 3161 struct sshbuf *b = NULL; 3162 #ifdef WITH_OPENSSL 3163 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 3164 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 3165 #endif /* WITH_OPENSSL */ 3166 3167 if ((r = sshkey_unshield_private(key)) != 0) 3168 return r; 3169 if ((b = sshbuf_new()) == NULL) 3170 return SSH_ERR_ALLOC_FAIL; 3171 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 3172 goto out; 3173 switch (key->type) { 3174 #ifdef WITH_OPENSSL 3175 case KEY_RSA: 3176 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 3177 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 3178 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 3179 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 3180 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 3181 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 3182 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 3183 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 3184 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 3185 goto out; 3186 break; 3187 case KEY_RSA_CERT: 3188 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3189 r = SSH_ERR_INVALID_ARGUMENT; 3190 goto out; 3191 } 3192 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 3193 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 3194 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 3195 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3196 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 3197 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 3198 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 3199 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 3200 goto out; 3201 break; 3202 case KEY_DSA: 3203 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 3204 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 3205 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 3206 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 3207 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 3208 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 3209 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3210 goto out; 3211 break; 3212 case KEY_DSA_CERT: 3213 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3214 r = SSH_ERR_INVALID_ARGUMENT; 3215 goto out; 3216 } 3217 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 3218 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3219 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3220 goto out; 3221 break; 3222 case KEY_ECDSA: 3223 if ((r = sshbuf_put_cstring(b, 3224 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3225 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3226 (r = sshbuf_put_bignum2(b, 3227 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3228 goto out; 3229 break; 3230 case KEY_ECDSA_CERT: 3231 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3232 r = SSH_ERR_INVALID_ARGUMENT; 3233 goto out; 3234 } 3235 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3236 (r = sshbuf_put_bignum2(b, 3237 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3238 goto out; 3239 break; 3240 case KEY_ECDSA_SK: 3241 if ((r = sshbuf_put_cstring(b, 3242 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3243 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3244 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3245 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3246 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3247 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3248 goto out; 3249 break; 3250 case KEY_ECDSA_SK_CERT: 3251 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3252 r = SSH_ERR_INVALID_ARGUMENT; 3253 goto out; 3254 } 3255 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3256 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3257 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3258 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3259 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3260 goto out; 3261 break; 3262 #endif /* WITH_OPENSSL */ 3263 case KEY_ED25519: 3264 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3265 ED25519_PK_SZ)) != 0 || 3266 (r = sshbuf_put_string(b, key->ed25519_sk, 3267 ED25519_SK_SZ)) != 0) 3268 goto out; 3269 break; 3270 case KEY_ED25519_CERT: 3271 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3272 r = SSH_ERR_INVALID_ARGUMENT; 3273 goto out; 3274 } 3275 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3276 (r = sshbuf_put_string(b, key->ed25519_pk, 3277 ED25519_PK_SZ)) != 0 || 3278 (r = sshbuf_put_string(b, key->ed25519_sk, 3279 ED25519_SK_SZ)) != 0) 3280 goto out; 3281 break; 3282 case KEY_ED25519_SK: 3283 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3284 ED25519_PK_SZ)) != 0 || 3285 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3286 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3287 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3288 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3289 goto out; 3290 break; 3291 case KEY_ED25519_SK_CERT: 3292 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3293 r = SSH_ERR_INVALID_ARGUMENT; 3294 goto out; 3295 } 3296 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3297 (r = sshbuf_put_string(b, key->ed25519_pk, 3298 ED25519_PK_SZ)) != 0 || 3299 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3300 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3301 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3302 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3303 goto out; 3304 break; 3305 #ifdef WITH_XMSS 3306 case KEY_XMSS: 3307 if (key->xmss_name == NULL) { 3308 r = SSH_ERR_INVALID_ARGUMENT; 3309 goto out; 3310 } 3311 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3312 (r = sshbuf_put_string(b, key->xmss_pk, 3313 sshkey_xmss_pklen(key))) != 0 || 3314 (r = sshbuf_put_string(b, key->xmss_sk, 3315 sshkey_xmss_sklen(key))) != 0 || 3316 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3317 goto out; 3318 break; 3319 case KEY_XMSS_CERT: 3320 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 3321 key->xmss_name == NULL) { 3322 r = SSH_ERR_INVALID_ARGUMENT; 3323 goto out; 3324 } 3325 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3326 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3327 (r = sshbuf_put_string(b, key->xmss_pk, 3328 sshkey_xmss_pklen(key))) != 0 || 3329 (r = sshbuf_put_string(b, key->xmss_sk, 3330 sshkey_xmss_sklen(key))) != 0 || 3331 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3332 goto out; 3333 break; 3334 #endif /* WITH_XMSS */ 3335 default: 3336 r = SSH_ERR_INVALID_ARGUMENT; 3337 goto out; 3338 } 3339 /* 3340 * success (but we still need to append the output to buf after 3341 * possibly re-shielding the private key) 3342 */ 3343 r = 0; 3344 out: 3345 if (was_shielded) 3346 r = sshkey_shield_private(key); 3347 if (r == 0) 3348 r = sshbuf_putb(buf, b); 3349 sshbuf_free(b); 3350 3351 return r; 3352 } 3353 3354 int 3355 sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) 3356 { 3357 return sshkey_private_serialize_opt(key, b, 3358 SSHKEY_SERIALIZE_DEFAULT); 3359 } 3360 3361 int 3362 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 3363 { 3364 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 3365 char *expect_sk_application = NULL; 3366 struct sshkey *k = NULL; 3367 size_t pklen = 0, sklen = 0; 3368 int type, r = SSH_ERR_INTERNAL_ERROR; 3369 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 3370 u_char *expect_ed25519_pk = NULL; 3371 u_char *xmss_pk = NULL, *xmss_sk = NULL; 3372 #ifdef WITH_OPENSSL 3373 BIGNUM *exponent = NULL; 3374 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 3375 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 3376 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 3377 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 3378 #endif /* WITH_OPENSSL */ 3379 3380 if (kp != NULL) 3381 *kp = NULL; 3382 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 3383 goto out; 3384 type = sshkey_type_from_name(tname); 3385 if (sshkey_type_is_cert(type)) { 3386 /* 3387 * Certificate key private keys begin with the certificate 3388 * itself. Make sure this matches the type of the enclosing 3389 * private key. 3390 */ 3391 if ((r = sshkey_froms(buf, &k)) != 0) 3392 goto out; 3393 if (k->type != type) { 3394 r = SSH_ERR_KEY_CERT_MISMATCH; 3395 goto out; 3396 } 3397 /* For ECDSA keys, the group must match too */ 3398 if (k->type == KEY_ECDSA && 3399 k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { 3400 r = SSH_ERR_KEY_CERT_MISMATCH; 3401 goto out; 3402 } 3403 /* 3404 * Several fields are redundant between certificate and 3405 * private key body, we require these to match. 3406 */ 3407 expect_sk_application = k->sk_application; 3408 expect_ed25519_pk = k->ed25519_pk; 3409 k->sk_application = NULL; 3410 k->ed25519_pk = NULL; 3411 } else { 3412 if ((k = sshkey_new(type)) == NULL) { 3413 r = SSH_ERR_ALLOC_FAIL; 3414 goto out; 3415 } 3416 } 3417 switch (type) { 3418 #ifdef WITH_OPENSSL 3419 case KEY_DSA: 3420 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 3421 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 3422 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 3423 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0) 3424 goto out; 3425 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 3426 r = SSH_ERR_LIBCRYPTO_ERROR; 3427 goto out; 3428 } 3429 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 3430 if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL)) { 3431 r = SSH_ERR_LIBCRYPTO_ERROR; 3432 goto out; 3433 } 3434 dsa_pub_key = NULL; /* transferred */ 3435 /* FALLTHROUGH */ 3436 case KEY_DSA_CERT: 3437 if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 3438 goto out; 3439 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 3440 r = SSH_ERR_LIBCRYPTO_ERROR; 3441 goto out; 3442 } 3443 dsa_priv_key = NULL; /* transferred */ 3444 break; 3445 case KEY_ECDSA: 3446 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3447 r = SSH_ERR_INVALID_ARGUMENT; 3448 goto out; 3449 } 3450 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3451 goto out; 3452 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3453 r = SSH_ERR_EC_CURVE_MISMATCH; 3454 goto out; 3455 } 3456 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3457 if (k->ecdsa == NULL) { 3458 r = SSH_ERR_LIBCRYPTO_ERROR; 3459 goto out; 3460 } 3461 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0) 3462 goto out; 3463 /* FALLTHROUGH */ 3464 case KEY_ECDSA_CERT: 3465 if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0) 3466 goto out; 3467 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 3468 r = SSH_ERR_LIBCRYPTO_ERROR; 3469 goto out; 3470 } 3471 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3472 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 3473 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 3474 goto out; 3475 break; 3476 case KEY_ECDSA_SK: 3477 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3478 r = SSH_ERR_INVALID_ARGUMENT; 3479 goto out; 3480 } 3481 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3482 goto out; 3483 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3484 r = SSH_ERR_EC_CURVE_MISMATCH; 3485 goto out; 3486 } 3487 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3488 (k->sk_reserved = sshbuf_new()) == NULL) { 3489 r = SSH_ERR_ALLOC_FAIL; 3490 goto out; 3491 } 3492 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3493 if (k->ecdsa == NULL) { 3494 r = SSH_ERR_LIBCRYPTO_ERROR; 3495 goto out; 3496 } 3497 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 3498 (r = sshbuf_get_cstring(buf, &k->sk_application, 3499 NULL)) != 0 || 3500 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3501 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3502 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3503 goto out; 3504 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3505 EC_KEY_get0_public_key(k->ecdsa))) != 0) 3506 goto out; 3507 break; 3508 case KEY_ECDSA_SK_CERT: 3509 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3510 (k->sk_reserved = sshbuf_new()) == NULL) { 3511 r = SSH_ERR_ALLOC_FAIL; 3512 goto out; 3513 } 3514 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3515 NULL)) != 0 || 3516 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3517 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3518 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3519 goto out; 3520 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3521 EC_KEY_get0_public_key(k->ecdsa))) != 0) 3522 goto out; 3523 break; 3524 case KEY_RSA: 3525 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 3526 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0) 3527 goto out; 3528 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL)) { 3529 r = SSH_ERR_LIBCRYPTO_ERROR; 3530 goto out; 3531 } 3532 rsa_n = rsa_e = NULL; /* transferred */ 3533 /* FALLTHROUGH */ 3534 case KEY_RSA_CERT: 3535 if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 3536 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 3537 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 3538 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 3539 goto out; 3540 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 3541 r = SSH_ERR_LIBCRYPTO_ERROR; 3542 goto out; 3543 } 3544 rsa_d = NULL; /* transferred */ 3545 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 3546 r = SSH_ERR_LIBCRYPTO_ERROR; 3547 goto out; 3548 } 3549 rsa_p = rsa_q = NULL; /* transferred */ 3550 if ((r = check_rsa_length(k->rsa)) != 0) 3551 goto out; 3552 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3553 goto out; 3554 break; 3555 #endif /* WITH_OPENSSL */ 3556 case KEY_ED25519: 3557 case KEY_ED25519_CERT: 3558 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3559 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3560 goto out; 3561 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3562 r = SSH_ERR_INVALID_FORMAT; 3563 goto out; 3564 } 3565 k->ed25519_pk = ed25519_pk; 3566 k->ed25519_sk = ed25519_sk; 3567 ed25519_pk = ed25519_sk = NULL; /* transferred */ 3568 break; 3569 case KEY_ED25519_SK: 3570 case KEY_ED25519_SK_CERT: 3571 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0) 3572 goto out; 3573 if (pklen != ED25519_PK_SZ) { 3574 r = SSH_ERR_INVALID_FORMAT; 3575 goto out; 3576 } 3577 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3578 (k->sk_reserved = sshbuf_new()) == NULL) { 3579 r = SSH_ERR_ALLOC_FAIL; 3580 goto out; 3581 } 3582 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3583 NULL)) != 0 || 3584 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3585 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3586 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3587 goto out; 3588 k->ed25519_pk = ed25519_pk; 3589 ed25519_pk = NULL; /* transferred */ 3590 break; 3591 #ifdef WITH_XMSS 3592 case KEY_XMSS: 3593 case KEY_XMSS_CERT: 3594 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3595 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3596 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3597 goto out; 3598 if (type == KEY_XMSS && 3599 (r = sshkey_xmss_init(k, xmss_name)) != 0) 3600 goto out; 3601 if (pklen != sshkey_xmss_pklen(k) || 3602 sklen != sshkey_xmss_sklen(k)) { 3603 r = SSH_ERR_INVALID_FORMAT; 3604 goto out; 3605 } 3606 k->xmss_pk = xmss_pk; 3607 k->xmss_sk = xmss_sk; 3608 xmss_pk = xmss_sk = NULL; 3609 /* optional internal state */ 3610 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3611 goto out; 3612 break; 3613 #endif /* WITH_XMSS */ 3614 default: 3615 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3616 goto out; 3617 } 3618 #ifdef WITH_OPENSSL 3619 /* enable blinding */ 3620 switch (k->type) { 3621 case KEY_RSA: 3622 case KEY_RSA_CERT: 3623 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3624 r = SSH_ERR_LIBCRYPTO_ERROR; 3625 goto out; 3626 } 3627 break; 3628 } 3629 #endif /* WITH_OPENSSL */ 3630 if ((expect_sk_application != NULL && (k->sk_application == NULL || 3631 strcmp(expect_sk_application, k->sk_application) != 0)) || 3632 (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL || 3633 memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) { 3634 r = SSH_ERR_KEY_CERT_MISMATCH; 3635 goto out; 3636 } 3637 /* success */ 3638 r = 0; 3639 if (kp != NULL) { 3640 *kp = k; 3641 k = NULL; 3642 } 3643 out: 3644 free(tname); 3645 free(curve); 3646 #ifdef WITH_OPENSSL 3647 BN_clear_free(exponent); 3648 BN_clear_free(dsa_p); 3649 BN_clear_free(dsa_q); 3650 BN_clear_free(dsa_g); 3651 BN_clear_free(dsa_pub_key); 3652 BN_clear_free(dsa_priv_key); 3653 BN_clear_free(rsa_n); 3654 BN_clear_free(rsa_e); 3655 BN_clear_free(rsa_d); 3656 BN_clear_free(rsa_p); 3657 BN_clear_free(rsa_q); 3658 BN_clear_free(rsa_iqmp); 3659 #endif /* WITH_OPENSSL */ 3660 sshkey_free(k); 3661 freezero(ed25519_pk, pklen); 3662 freezero(ed25519_sk, sklen); 3663 free(xmss_name); 3664 freezero(xmss_pk, pklen); 3665 freezero(xmss_sk, sklen); 3666 free(expect_sk_application); 3667 free(expect_ed25519_pk); 3668 return r; 3669 } 3670 3671 #ifdef WITH_OPENSSL 3672 int 3673 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3674 { 3675 EC_POINT *nq = NULL; 3676 BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL; 3677 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3678 3679 /* 3680 * NB. This assumes OpenSSL has already verified that the public 3681 * point lies on the curve. This is done by EC_POINT_oct2point() 3682 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3683 * reachable with public points not unmarshalled using 3684 * EC_POINT_oct2point then the caller will need to explicitly check. 3685 */ 3686 3687 /* 3688 * We shouldn't ever hit this case because bignum_get_ecpoint() 3689 * refuses to load GF2m points. 3690 */ 3691 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3692 NID_X9_62_prime_field) 3693 goto out; 3694 3695 /* Q != infinity */ 3696 if (EC_POINT_is_at_infinity(group, public)) 3697 goto out; 3698 3699 if ((x = BN_new()) == NULL || 3700 (y = BN_new()) == NULL || 3701 (order = BN_new()) == NULL || 3702 (tmp = BN_new()) == NULL) { 3703 ret = SSH_ERR_ALLOC_FAIL; 3704 goto out; 3705 } 3706 3707 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3708 if (EC_GROUP_get_order(group, order, NULL) != 1 || 3709 EC_POINT_get_affine_coordinates_GFp(group, public, 3710 x, y, NULL) != 1) { 3711 ret = SSH_ERR_LIBCRYPTO_ERROR; 3712 goto out; 3713 } 3714 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3715 BN_num_bits(y) <= BN_num_bits(order) / 2) 3716 goto out; 3717 3718 /* nQ == infinity (n == order of subgroup) */ 3719 if ((nq = EC_POINT_new(group)) == NULL) { 3720 ret = SSH_ERR_ALLOC_FAIL; 3721 goto out; 3722 } 3723 if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) { 3724 ret = SSH_ERR_LIBCRYPTO_ERROR; 3725 goto out; 3726 } 3727 if (EC_POINT_is_at_infinity(group, nq) != 1) 3728 goto out; 3729 3730 /* x < order - 1, y < order - 1 */ 3731 if (!BN_sub(tmp, order, BN_value_one())) { 3732 ret = SSH_ERR_LIBCRYPTO_ERROR; 3733 goto out; 3734 } 3735 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3736 goto out; 3737 ret = 0; 3738 out: 3739 BN_clear_free(x); 3740 BN_clear_free(y); 3741 BN_clear_free(order); 3742 BN_clear_free(tmp); 3743 EC_POINT_free(nq); 3744 return ret; 3745 } 3746 3747 int 3748 sshkey_ec_validate_private(const EC_KEY *key) 3749 { 3750 BIGNUM *order = NULL, *tmp = NULL; 3751 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3752 3753 if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) { 3754 ret = SSH_ERR_ALLOC_FAIL; 3755 goto out; 3756 } 3757 3758 /* log2(private) > log2(order)/2 */ 3759 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) { 3760 ret = SSH_ERR_LIBCRYPTO_ERROR; 3761 goto out; 3762 } 3763 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3764 BN_num_bits(order) / 2) 3765 goto out; 3766 3767 /* private < order - 1 */ 3768 if (!BN_sub(tmp, order, BN_value_one())) { 3769 ret = SSH_ERR_LIBCRYPTO_ERROR; 3770 goto out; 3771 } 3772 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3773 goto out; 3774 ret = 0; 3775 out: 3776 BN_clear_free(order); 3777 BN_clear_free(tmp); 3778 return ret; 3779 } 3780 3781 void 3782 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3783 { 3784 BIGNUM *x = NULL, *y = NULL; 3785 3786 if (point == NULL) { 3787 fputs("point=(NULL)\n", stderr); 3788 return; 3789 } 3790 if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) { 3791 fprintf(stderr, "%s: BN_new failed\n", __func__); 3792 goto out; 3793 } 3794 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3795 NID_X9_62_prime_field) { 3796 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3797 goto out; 3798 } 3799 if (EC_POINT_get_affine_coordinates_GFp(group, point, 3800 x, y, NULL) != 1) { 3801 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3802 __func__); 3803 goto out; 3804 } 3805 fputs("x=", stderr); 3806 BN_print_fp(stderr, x); 3807 fputs("\ny=", stderr); 3808 BN_print_fp(stderr, y); 3809 fputs("\n", stderr); 3810 out: 3811 BN_clear_free(x); 3812 BN_clear_free(y); 3813 } 3814 3815 void 3816 sshkey_dump_ec_key(const EC_KEY *key) 3817 { 3818 const BIGNUM *exponent; 3819 3820 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3821 EC_KEY_get0_public_key(key)); 3822 fputs("exponent=", stderr); 3823 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3824 fputs("(NULL)", stderr); 3825 else 3826 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3827 fputs("\n", stderr); 3828 } 3829 #endif /* WITH_OPENSSL */ 3830 3831 static int 3832 sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, 3833 const char *passphrase, const char *comment, const char *ciphername, 3834 int rounds) 3835 { 3836 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3837 u_char salt[SALT_LEN]; 3838 char *b64 = NULL; 3839 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3840 u_int check; 3841 int r = SSH_ERR_INTERNAL_ERROR; 3842 struct sshcipher_ctx *ciphercontext = NULL; 3843 const struct sshcipher *cipher; 3844 const char *kdfname = KDFNAME; 3845 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3846 3847 if (rounds <= 0) 3848 rounds = DEFAULT_ROUNDS; 3849 if (passphrase == NULL || !strlen(passphrase)) { 3850 ciphername = "none"; 3851 kdfname = "none"; 3852 } else if (ciphername == NULL) 3853 ciphername = DEFAULT_CIPHERNAME; 3854 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3855 r = SSH_ERR_INVALID_ARGUMENT; 3856 goto out; 3857 } 3858 3859 if ((kdf = sshbuf_new()) == NULL || 3860 (encoded = sshbuf_new()) == NULL || 3861 (encrypted = sshbuf_new()) == NULL) { 3862 r = SSH_ERR_ALLOC_FAIL; 3863 goto out; 3864 } 3865 blocksize = cipher_blocksize(cipher); 3866 keylen = cipher_keylen(cipher); 3867 ivlen = cipher_ivlen(cipher); 3868 authlen = cipher_authlen(cipher); 3869 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3870 r = SSH_ERR_ALLOC_FAIL; 3871 goto out; 3872 } 3873 if (strcmp(kdfname, "bcrypt") == 0) { 3874 arc4random_buf(salt, SALT_LEN); 3875 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3876 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3877 r = SSH_ERR_INVALID_ARGUMENT; 3878 goto out; 3879 } 3880 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3881 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3882 goto out; 3883 } else if (strcmp(kdfname, "none") != 0) { 3884 /* Unsupported KDF type */ 3885 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3886 goto out; 3887 } 3888 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3889 key + keylen, ivlen, 1)) != 0) 3890 goto out; 3891 3892 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3893 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3894 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3895 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3896 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3897 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3898 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3899 goto out; 3900 3901 /* set up the buffer that will be encrypted */ 3902 3903 /* Random check bytes */ 3904 check = arc4random(); 3905 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3906 (r = sshbuf_put_u32(encrypted, check)) != 0) 3907 goto out; 3908 3909 /* append private key and comment*/ 3910 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3911 SSHKEY_SERIALIZE_FULL)) != 0 || 3912 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3913 goto out; 3914 3915 /* padding */ 3916 i = 0; 3917 while (sshbuf_len(encrypted) % blocksize) { 3918 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3919 goto out; 3920 } 3921 3922 /* length in destination buffer */ 3923 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3924 goto out; 3925 3926 /* encrypt */ 3927 if ((r = sshbuf_reserve(encoded, 3928 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3929 goto out; 3930 if ((r = cipher_crypt(ciphercontext, 0, cp, 3931 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3932 goto out; 3933 3934 sshbuf_reset(blob); 3935 3936 /* assemble uuencoded key */ 3937 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 || 3938 (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || 3939 (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3940 goto out; 3941 3942 /* success */ 3943 r = 0; 3944 3945 out: 3946 sshbuf_free(kdf); 3947 sshbuf_free(encoded); 3948 sshbuf_free(encrypted); 3949 cipher_free(ciphercontext); 3950 explicit_bzero(salt, sizeof(salt)); 3951 if (key != NULL) 3952 freezero(key, keylen + ivlen); 3953 if (pubkeyblob != NULL) 3954 freezero(pubkeyblob, pubkeylen); 3955 if (b64 != NULL) 3956 freezero(b64, strlen(b64)); 3957 return r; 3958 } 3959 3960 static int 3961 private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) 3962 { 3963 const u_char *cp; 3964 size_t encoded_len; 3965 int r; 3966 u_char last; 3967 struct sshbuf *encoded = NULL, *decoded = NULL; 3968 3969 if (blob == NULL || decodedp == NULL) 3970 return SSH_ERR_INVALID_ARGUMENT; 3971 3972 *decodedp = NULL; 3973 3974 if ((encoded = sshbuf_new()) == NULL || 3975 (decoded = sshbuf_new()) == NULL) { 3976 r = SSH_ERR_ALLOC_FAIL; 3977 goto out; 3978 } 3979 3980 /* check preamble */ 3981 cp = sshbuf_ptr(blob); 3982 encoded_len = sshbuf_len(blob); 3983 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3984 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3985 r = SSH_ERR_INVALID_FORMAT; 3986 goto out; 3987 } 3988 cp += MARK_BEGIN_LEN; 3989 encoded_len -= MARK_BEGIN_LEN; 3990 3991 /* Look for end marker, removing whitespace as we go */ 3992 while (encoded_len > 0) { 3993 if (*cp != '\n' && *cp != '\r') { 3994 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3995 goto out; 3996 } 3997 last = *cp; 3998 encoded_len--; 3999 cp++; 4000 if (last == '\n') { 4001 if (encoded_len >= MARK_END_LEN && 4002 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 4003 /* \0 terminate */ 4004 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 4005 goto out; 4006 break; 4007 } 4008 } 4009 } 4010 if (encoded_len == 0) { 4011 r = SSH_ERR_INVALID_FORMAT; 4012 goto out; 4013 } 4014 4015 /* decode base64 */ 4016 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 4017 goto out; 4018 4019 /* check magic */ 4020 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 4021 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 4022 r = SSH_ERR_INVALID_FORMAT; 4023 goto out; 4024 } 4025 /* success */ 4026 *decodedp = decoded; 4027 decoded = NULL; 4028 r = 0; 4029 out: 4030 sshbuf_free(encoded); 4031 sshbuf_free(decoded); 4032 return r; 4033 } 4034 4035 static int 4036 private2_decrypt(struct sshbuf *decoded, const char *passphrase, 4037 struct sshbuf **decryptedp, struct sshkey **pubkeyp) 4038 { 4039 char *ciphername = NULL, *kdfname = NULL; 4040 const struct sshcipher *cipher = NULL; 4041 int r = SSH_ERR_INTERNAL_ERROR; 4042 size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; 4043 struct sshbuf *kdf = NULL, *decrypted = NULL; 4044 struct sshcipher_ctx *ciphercontext = NULL; 4045 struct sshkey *pubkey = NULL; 4046 u_char *key = NULL, *salt = NULL, *dp; 4047 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 4048 4049 if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL) 4050 return SSH_ERR_INVALID_ARGUMENT; 4051 4052 *decryptedp = NULL; 4053 *pubkeyp = NULL; 4054 4055 if ((decrypted = sshbuf_new()) == NULL) { 4056 r = SSH_ERR_ALLOC_FAIL; 4057 goto out; 4058 } 4059 4060 /* parse public portion of key */ 4061 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 4062 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 4063 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 4064 (r = sshbuf_froms(decoded, &kdf)) != 0 || 4065 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 4066 goto out; 4067 4068 if (nkeys != 1) { 4069 /* XXX only one key supported at present */ 4070 r = SSH_ERR_INVALID_FORMAT; 4071 goto out; 4072 } 4073 4074 if ((r = sshkey_froms(decoded, &pubkey)) != 0 || 4075 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 4076 goto out; 4077 4078 if ((cipher = cipher_by_name(ciphername)) == NULL) { 4079 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 4080 goto out; 4081 } 4082 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 4083 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 4084 goto out; 4085 } 4086 if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { 4087 r = SSH_ERR_INVALID_FORMAT; 4088 goto out; 4089 } 4090 if ((passphrase == NULL || strlen(passphrase) == 0) && 4091 strcmp(kdfname, "none") != 0) { 4092 /* passphrase required */ 4093 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4094 goto out; 4095 } 4096 4097 /* check size of encrypted key blob */ 4098 blocksize = cipher_blocksize(cipher); 4099 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 4100 r = SSH_ERR_INVALID_FORMAT; 4101 goto out; 4102 } 4103 4104 /* setup key */ 4105 keylen = cipher_keylen(cipher); 4106 ivlen = cipher_ivlen(cipher); 4107 authlen = cipher_authlen(cipher); 4108 if ((key = calloc(1, keylen + ivlen)) == NULL) { 4109 r = SSH_ERR_ALLOC_FAIL; 4110 goto out; 4111 } 4112 if (strcmp(kdfname, "bcrypt") == 0) { 4113 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 4114 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 4115 goto out; 4116 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 4117 key, keylen + ivlen, rounds) < 0) { 4118 r = SSH_ERR_INVALID_FORMAT; 4119 goto out; 4120 } 4121 } 4122 4123 /* check that an appropriate amount of auth data is present */ 4124 if (sshbuf_len(decoded) < authlen || 4125 sshbuf_len(decoded) - authlen < encrypted_len) { 4126 r = SSH_ERR_INVALID_FORMAT; 4127 goto out; 4128 } 4129 4130 /* decrypt private portion of key */ 4131 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 4132 (r = cipher_init(&ciphercontext, cipher, key, keylen, 4133 key + keylen, ivlen, 0)) != 0) 4134 goto out; 4135 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 4136 encrypted_len, 0, authlen)) != 0) { 4137 /* an integrity error here indicates an incorrect passphrase */ 4138 if (r == SSH_ERR_MAC_INVALID) 4139 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4140 goto out; 4141 } 4142 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 4143 goto out; 4144 /* there should be no trailing data */ 4145 if (sshbuf_len(decoded) != 0) { 4146 r = SSH_ERR_INVALID_FORMAT; 4147 goto out; 4148 } 4149 4150 /* check check bytes */ 4151 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 4152 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 4153 goto out; 4154 if (check1 != check2) { 4155 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4156 goto out; 4157 } 4158 /* success */ 4159 *decryptedp = decrypted; 4160 decrypted = NULL; 4161 *pubkeyp = pubkey; 4162 pubkey = NULL; 4163 r = 0; 4164 out: 4165 cipher_free(ciphercontext); 4166 free(ciphername); 4167 free(kdfname); 4168 sshkey_free(pubkey); 4169 if (salt != NULL) { 4170 explicit_bzero(salt, slen); 4171 free(salt); 4172 } 4173 if (key != NULL) { 4174 explicit_bzero(key, keylen + ivlen); 4175 free(key); 4176 } 4177 sshbuf_free(kdf); 4178 sshbuf_free(decrypted); 4179 return r; 4180 } 4181 4182 /* Check deterministic padding after private key */ 4183 static int 4184 private2_check_padding(struct sshbuf *decrypted) 4185 { 4186 u_char pad; 4187 size_t i; 4188 int r = SSH_ERR_INTERNAL_ERROR; 4189 4190 i = 0; 4191 while (sshbuf_len(decrypted)) { 4192 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 4193 goto out; 4194 if (pad != (++i & 0xff)) { 4195 r = SSH_ERR_INVALID_FORMAT; 4196 goto out; 4197 } 4198 } 4199 /* success */ 4200 r = 0; 4201 out: 4202 explicit_bzero(&pad, sizeof(pad)); 4203 explicit_bzero(&i, sizeof(i)); 4204 return r; 4205 } 4206 4207 static int 4208 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 4209 struct sshkey **keyp, char **commentp) 4210 { 4211 char *comment = NULL; 4212 int r = SSH_ERR_INTERNAL_ERROR; 4213 struct sshbuf *decoded = NULL, *decrypted = NULL; 4214 struct sshkey *k = NULL, *pubkey = NULL; 4215 4216 if (keyp != NULL) 4217 *keyp = NULL; 4218 if (commentp != NULL) 4219 *commentp = NULL; 4220 4221 /* Undo base64 encoding and decrypt the private section */ 4222 if ((r = private2_uudecode(blob, &decoded)) != 0 || 4223 (r = private2_decrypt(decoded, passphrase, 4224 &decrypted, &pubkey)) != 0) 4225 goto out; 4226 4227 if (type != KEY_UNSPEC && 4228 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 4229 r = SSH_ERR_KEY_TYPE_MISMATCH; 4230 goto out; 4231 } 4232 4233 /* Load the private key and comment */ 4234 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 4235 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 4236 goto out; 4237 4238 /* Check deterministic padding after private section */ 4239 if ((r = private2_check_padding(decrypted)) != 0) 4240 goto out; 4241 4242 /* Check that the public key in the envelope matches the private key */ 4243 if (!sshkey_equal(pubkey, k)) { 4244 r = SSH_ERR_INVALID_FORMAT; 4245 goto out; 4246 } 4247 4248 /* success */ 4249 r = 0; 4250 if (keyp != NULL) { 4251 *keyp = k; 4252 k = NULL; 4253 } 4254 if (commentp != NULL) { 4255 *commentp = comment; 4256 comment = NULL; 4257 } 4258 out: 4259 free(comment); 4260 sshbuf_free(decoded); 4261 sshbuf_free(decrypted); 4262 sshkey_free(k); 4263 sshkey_free(pubkey); 4264 return r; 4265 } 4266 4267 static int 4268 sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, 4269 struct sshkey **keyp) 4270 { 4271 int r = SSH_ERR_INTERNAL_ERROR; 4272 struct sshbuf *decoded = NULL; 4273 struct sshkey *pubkey = NULL; 4274 u_int nkeys = 0; 4275 4276 if (keyp != NULL) 4277 *keyp = NULL; 4278 4279 if ((r = private2_uudecode(blob, &decoded)) != 0) 4280 goto out; 4281 /* parse public key from unencrypted envelope */ 4282 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 4283 (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */ 4284 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */ 4285 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */ 4286 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 4287 goto out; 4288 4289 if (nkeys != 1) { 4290 /* XXX only one key supported at present */ 4291 r = SSH_ERR_INVALID_FORMAT; 4292 goto out; 4293 } 4294 4295 /* Parse the public key */ 4296 if ((r = sshkey_froms(decoded, &pubkey)) != 0) 4297 goto out; 4298 4299 if (type != KEY_UNSPEC && 4300 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 4301 r = SSH_ERR_KEY_TYPE_MISMATCH; 4302 goto out; 4303 } 4304 4305 /* success */ 4306 r = 0; 4307 if (keyp != NULL) { 4308 *keyp = pubkey; 4309 pubkey = NULL; 4310 } 4311 out: 4312 sshbuf_free(decoded); 4313 sshkey_free(pubkey); 4314 return r; 4315 } 4316 4317 #ifdef WITH_OPENSSL 4318 /* convert SSH v2 key to PEM or PKCS#8 format */ 4319 static int 4320 sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, 4321 int format, const char *_passphrase, const char *comment) 4322 { 4323 int was_shielded = sshkey_is_shielded(key); 4324 int success, r; 4325 int blen, len = strlen(_passphrase); 4326 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 4327 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 4328 char *bptr; 4329 BIO *bio = NULL; 4330 struct sshbuf *blob; 4331 EVP_PKEY *pkey = NULL; 4332 4333 if (len > 0 && len <= 4) 4334 return SSH_ERR_PASSPHRASE_TOO_SHORT; 4335 if ((blob = sshbuf_new()) == NULL) 4336 return SSH_ERR_ALLOC_FAIL; 4337 if ((bio = BIO_new(BIO_s_mem())) == NULL) { 4338 r = SSH_ERR_ALLOC_FAIL; 4339 goto out; 4340 } 4341 if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) { 4342 r = SSH_ERR_ALLOC_FAIL; 4343 goto out; 4344 } 4345 if ((r = sshkey_unshield_private(key)) != 0) 4346 goto out; 4347 4348 switch (key->type) { 4349 case KEY_DSA: 4350 if (format == SSHKEY_PRIVATE_PEM) { 4351 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 4352 cipher, passphrase, len, NULL, NULL); 4353 } else { 4354 success = EVP_PKEY_set1_DSA(pkey, key->dsa); 4355 } 4356 break; 4357 case KEY_ECDSA: 4358 if (format == SSHKEY_PRIVATE_PEM) { 4359 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 4360 cipher, passphrase, len, NULL, NULL); 4361 } else { 4362 success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa); 4363 } 4364 break; 4365 case KEY_RSA: 4366 if (format == SSHKEY_PRIVATE_PEM) { 4367 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 4368 cipher, passphrase, len, NULL, NULL); 4369 } else { 4370 success = EVP_PKEY_set1_RSA(pkey, key->rsa); 4371 } 4372 break; 4373 default: 4374 success = 0; 4375 break; 4376 } 4377 if (success == 0) { 4378 r = SSH_ERR_LIBCRYPTO_ERROR; 4379 goto out; 4380 } 4381 if (format == SSHKEY_PRIVATE_PKCS8) { 4382 if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, 4383 passphrase, len, NULL, NULL)) == 0) { 4384 r = SSH_ERR_LIBCRYPTO_ERROR; 4385 goto out; 4386 } 4387 } 4388 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 4389 r = SSH_ERR_INTERNAL_ERROR; 4390 goto out; 4391 } 4392 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 4393 goto out; 4394 r = 0; 4395 out: 4396 if (was_shielded) 4397 r = sshkey_shield_private(key); 4398 if (r == 0) 4399 r = sshbuf_putb(buf, blob); 4400 4401 EVP_PKEY_free(pkey); 4402 sshbuf_free(blob); 4403 BIO_free(bio); 4404 return r; 4405 } 4406 #endif /* WITH_OPENSSL */ 4407 4408 /* Serialise "key" to buffer "blob" */ 4409 int 4410 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 4411 const char *passphrase, const char *comment, 4412 int format, const char *openssh_format_cipher, int openssh_format_rounds) 4413 { 4414 switch (key->type) { 4415 #ifdef WITH_OPENSSL 4416 case KEY_DSA: 4417 case KEY_ECDSA: 4418 case KEY_RSA: 4419 break; /* see below */ 4420 #endif /* WITH_OPENSSL */ 4421 case KEY_ED25519: 4422 case KEY_ED25519_SK: 4423 #ifdef WITH_XMSS 4424 case KEY_XMSS: 4425 #endif /* WITH_XMSS */ 4426 #ifdef WITH_OPENSSL 4427 case KEY_ECDSA_SK: 4428 #endif /* WITH_OPENSSL */ 4429 return sshkey_private_to_blob2(key, blob, passphrase, 4430 comment, openssh_format_cipher, openssh_format_rounds); 4431 default: 4432 return SSH_ERR_KEY_TYPE_UNKNOWN; 4433 } 4434 4435 #ifdef WITH_OPENSSL 4436 switch (format) { 4437 case SSHKEY_PRIVATE_OPENSSH: 4438 return sshkey_private_to_blob2(key, blob, passphrase, 4439 comment, openssh_format_cipher, openssh_format_rounds); 4440 case SSHKEY_PRIVATE_PEM: 4441 case SSHKEY_PRIVATE_PKCS8: 4442 return sshkey_private_to_blob_pem_pkcs8(key, blob, 4443 format, passphrase, comment); 4444 default: 4445 return SSH_ERR_INVALID_ARGUMENT; 4446 } 4447 #endif /* WITH_OPENSSL */ 4448 } 4449 4450 #ifdef WITH_OPENSSL 4451 static int 4452 translate_libcrypto_error(unsigned long pem_err) 4453 { 4454 int pem_reason = ERR_GET_REASON(pem_err); 4455 4456 switch (ERR_GET_LIB(pem_err)) { 4457 case ERR_LIB_PEM: 4458 switch (pem_reason) { 4459 case PEM_R_BAD_PASSWORD_READ: 4460 case PEM_R_PROBLEMS_GETTING_PASSWORD: 4461 case PEM_R_BAD_DECRYPT: 4462 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4463 default: 4464 return SSH_ERR_INVALID_FORMAT; 4465 } 4466 case ERR_LIB_EVP: 4467 switch (pem_reason) { 4468 case EVP_R_BAD_DECRYPT: 4469 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4470 #ifdef EVP_R_BN_DECODE_ERROR 4471 case EVP_R_BN_DECODE_ERROR: 4472 #endif 4473 case EVP_R_DECODE_ERROR: 4474 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 4475 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 4476 #endif 4477 return SSH_ERR_INVALID_FORMAT; 4478 default: 4479 return SSH_ERR_LIBCRYPTO_ERROR; 4480 } 4481 case ERR_LIB_ASN1: 4482 return SSH_ERR_INVALID_FORMAT; 4483 } 4484 return SSH_ERR_LIBCRYPTO_ERROR; 4485 } 4486 4487 static void 4488 clear_libcrypto_errors(void) 4489 { 4490 while (ERR_get_error() != 0) 4491 ; 4492 } 4493 4494 /* 4495 * Translate OpenSSL error codes to determine whether 4496 * passphrase is required/incorrect. 4497 */ 4498 static int 4499 convert_libcrypto_error(void) 4500 { 4501 /* 4502 * Some password errors are reported at the beginning 4503 * of the error queue. 4504 */ 4505 if (translate_libcrypto_error(ERR_peek_error()) == 4506 SSH_ERR_KEY_WRONG_PASSPHRASE) 4507 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4508 return translate_libcrypto_error(ERR_peek_last_error()); 4509 } 4510 4511 #if 0 4512 static int 4513 pem_passphrase_cb(char *buf, int size, int rwflag, void *u) 4514 { 4515 char *p = (char *)u; 4516 size_t len; 4517 4518 if (p == NULL || (len = strlen(p)) == 0) 4519 return -1; 4520 if (size < 0 || len > (size_t)size) 4521 return -1; 4522 memcpy(buf, p, len); 4523 return (int)len; 4524 } 4525 #endif 4526 4527 static int 4528 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 4529 const char *passphrase, struct sshkey **keyp) 4530 { 4531 EVP_PKEY *pk = NULL; 4532 struct sshkey *prv = NULL; 4533 BIO *bio = NULL; 4534 int r; 4535 4536 if (keyp != NULL) 4537 *keyp = NULL; 4538 4539 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 4540 return SSH_ERR_ALLOC_FAIL; 4541 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 4542 (int)sshbuf_len(blob)) { 4543 r = SSH_ERR_ALLOC_FAIL; 4544 goto out; 4545 } 4546 4547 clear_libcrypto_errors(); 4548 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 4549 __UNCONST(passphrase))) == NULL) { 4550 /* 4551 * libcrypto may return various ASN.1 errors when attempting 4552 * to parse a key with an incorrect passphrase. 4553 * Treat all format errors as "incorrect passphrase" if a 4554 * passphrase was supplied. 4555 */ 4556 if (passphrase != NULL && *passphrase != '\0') 4557 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4558 else 4559 r = convert_libcrypto_error(); 4560 goto out; 4561 } 4562 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 4563 (type == KEY_UNSPEC || type == KEY_RSA)) { 4564 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4565 r = SSH_ERR_ALLOC_FAIL; 4566 goto out; 4567 } 4568 prv->rsa = EVP_PKEY_get1_RSA(pk); 4569 prv->type = KEY_RSA; 4570 #ifdef DEBUG_PK 4571 RSA_print_fp(stderr, prv->rsa, 8); 4572 #endif 4573 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 4574 r = SSH_ERR_LIBCRYPTO_ERROR; 4575 goto out; 4576 } 4577 if ((r = check_rsa_length(prv->rsa)) != 0) 4578 goto out; 4579 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 4580 (type == KEY_UNSPEC || type == KEY_DSA)) { 4581 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4582 r = SSH_ERR_ALLOC_FAIL; 4583 goto out; 4584 } 4585 prv->dsa = EVP_PKEY_get1_DSA(pk); 4586 prv->type = KEY_DSA; 4587 #ifdef DEBUG_PK 4588 DSA_print_fp(stderr, prv->dsa, 8); 4589 #endif 4590 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 4591 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 4592 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4593 r = SSH_ERR_ALLOC_FAIL; 4594 goto out; 4595 } 4596 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 4597 prv->type = KEY_ECDSA; 4598 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 4599 if (prv->ecdsa_nid == -1 || 4600 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 4601 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 4602 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 4603 sshkey_ec_validate_private(prv->ecdsa) != 0) { 4604 r = SSH_ERR_INVALID_FORMAT; 4605 goto out; 4606 } 4607 #ifdef DEBUG_PK 4608 if (prv != NULL && prv->ecdsa != NULL) 4609 sshkey_dump_ec_key(prv->ecdsa); 4610 #endif 4611 } else { 4612 r = SSH_ERR_INVALID_FORMAT; 4613 goto out; 4614 } 4615 r = 0; 4616 if (keyp != NULL) { 4617 *keyp = prv; 4618 prv = NULL; 4619 } 4620 out: 4621 BIO_free(bio); 4622 EVP_PKEY_free(pk); 4623 sshkey_free(prv); 4624 return r; 4625 } 4626 #endif /* WITH_OPENSSL */ 4627 4628 int 4629 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 4630 const char *passphrase, struct sshkey **keyp, char **commentp) 4631 { 4632 int r = SSH_ERR_INTERNAL_ERROR; 4633 4634 if (keyp != NULL) 4635 *keyp = NULL; 4636 if (commentp != NULL) 4637 *commentp = NULL; 4638 4639 switch (type) { 4640 case KEY_ED25519: 4641 case KEY_XMSS: 4642 /* No fallback for new-format-only keys */ 4643 return sshkey_parse_private2(blob, type, passphrase, 4644 keyp, commentp); 4645 default: 4646 r = sshkey_parse_private2(blob, type, passphrase, keyp, 4647 commentp); 4648 /* Only fallback to PEM parser if a format error occurred. */ 4649 if (r != SSH_ERR_INVALID_FORMAT) 4650 return r; 4651 #ifdef WITH_OPENSSL 4652 return sshkey_parse_private_pem_fileblob(blob, type, 4653 passphrase, keyp); 4654 #else 4655 return SSH_ERR_INVALID_FORMAT; 4656 #endif /* WITH_OPENSSL */ 4657 } 4658 } 4659 4660 int 4661 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 4662 struct sshkey **keyp, char **commentp) 4663 { 4664 if (keyp != NULL) 4665 *keyp = NULL; 4666 if (commentp != NULL) 4667 *commentp = NULL; 4668 4669 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 4670 passphrase, keyp, commentp); 4671 } 4672 4673 void 4674 sshkey_sig_details_free(struct sshkey_sig_details *details) 4675 { 4676 freezero(details, sizeof(*details)); 4677 } 4678 4679 int 4680 sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, 4681 struct sshkey **pubkeyp) 4682 { 4683 int r = SSH_ERR_INTERNAL_ERROR; 4684 4685 if (pubkeyp != NULL) 4686 *pubkeyp = NULL; 4687 /* only new-format private keys bundle a public key inside */ 4688 if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) 4689 return r; 4690 return 0; 4691 } 4692 4693 #ifdef WITH_XMSS 4694 /* 4695 * serialize the key with the current state and forward the state 4696 * maxsign times. 4697 */ 4698 int 4699 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4700 u_int32_t maxsign, int printerror) 4701 { 4702 int r, rupdate; 4703 4704 if (maxsign == 0 || 4705 sshkey_type_plain(k->type) != KEY_XMSS) 4706 return sshkey_private_serialize_opt(k, b, 4707 SSHKEY_SERIALIZE_DEFAULT); 4708 if ((r = sshkey_xmss_get_state(k, printerror)) != 0 || 4709 (r = sshkey_private_serialize_opt(k, b, 4710 SSHKEY_SERIALIZE_STATE)) != 0 || 4711 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 4712 goto out; 4713 r = 0; 4714 out: 4715 if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) { 4716 if (r == 0) 4717 r = rupdate; 4718 } 4719 return r; 4720 } 4721 4722 u_int32_t 4723 sshkey_signatures_left(const struct sshkey *k) 4724 { 4725 if (sshkey_type_plain(k->type) == KEY_XMSS) 4726 return sshkey_xmss_signatures_left(k); 4727 return 0; 4728 } 4729 4730 int 4731 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4732 { 4733 if (sshkey_type_plain(k->type) != KEY_XMSS) 4734 return SSH_ERR_INVALID_ARGUMENT; 4735 return sshkey_xmss_enable_maxsign(k, maxsign); 4736 } 4737 4738 int 4739 sshkey_set_filename(struct sshkey *k, const char *filename) 4740 { 4741 if (k == NULL) 4742 return SSH_ERR_INVALID_ARGUMENT; 4743 if (sshkey_type_plain(k->type) != KEY_XMSS) 4744 return 0; 4745 if (filename == NULL) 4746 return SSH_ERR_INVALID_ARGUMENT; 4747 if ((k->xmss_filename = strdup(filename)) == NULL) 4748 return SSH_ERR_ALLOC_FAIL; 4749 return 0; 4750 } 4751 #else 4752 int 4753 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4754 u_int32_t maxsign, int printerror) 4755 { 4756 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4757 } 4758 4759 u_int32_t 4760 sshkey_signatures_left(const struct sshkey *k) 4761 { 4762 return 0; 4763 } 4764 4765 int 4766 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4767 { 4768 return SSH_ERR_INVALID_ARGUMENT; 4769 } 4770 4771 int 4772 sshkey_set_filename(struct sshkey *k, const char *filename) 4773 { 4774 if (k == NULL) 4775 return SSH_ERR_INVALID_ARGUMENT; 4776 return 0; 4777 } 4778 #endif /* WITH_XMSS */ 4779