1 /* $NetBSD: sshkey.c,v 1.11 2017/10/07 19:39:19 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.56 2017/08/12 06:42:52 djm Exp $ */ 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 6 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 #include "includes.h" 29 __RCSID("$NetBSD: sshkey.c,v 1.11 2017/10/07 19:39:19 christos Exp $"); 30 31 #include <sys/types.h> 32 #include <netinet/in.h> 33 34 #ifdef WITH_OPENSSL 35 #include <openssl/evp.h> 36 #include <openssl/err.h> 37 #include <openssl/pem.h> 38 #endif 39 40 #include "crypto_api.h" 41 42 #include <errno.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <util.h> 46 #include <limits.h> 47 #include <resolv.h> 48 49 #include "ssh2.h" 50 #include "ssherr.h" 51 #include "misc.h" 52 #include "sshbuf.h" 53 #include "cipher.h" 54 #include "digest.h" 55 #define SSHKEY_INTERNAL 56 #include "sshkey.h" 57 #include "match.h" 58 59 /* openssh private key file format */ 60 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 61 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 62 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 63 #define MARK_END_LEN (sizeof(MARK_END) - 1) 64 #define KDFNAME "bcrypt" 65 #define AUTH_MAGIC "openssh-key-v1" 66 #define SALT_LEN 16 67 #define DEFAULT_CIPHERNAME "aes256-ctr" 68 #define DEFAULT_ROUNDS 16 69 70 /* Version identification string for SSH v1 identity files. */ 71 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 72 73 static int sshkey_from_blob_internal(struct sshbuf *buf, 74 struct sshkey **keyp, int allow_cert); 75 76 /* Supported key types */ 77 struct keytype { 78 const char *name; 79 const char *shortname; 80 int type; 81 int nid; 82 int cert; 83 int sigonly; 84 }; 85 static const struct keytype keytypes[] = { 86 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, 87 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 88 KEY_ED25519_CERT, 0, 1, 0 }, 89 #ifdef WITH_OPENSSL 90 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, 91 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, 92 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, 93 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, 94 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 95 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, 96 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, 97 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, 98 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, 99 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 100 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 101 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 102 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 103 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 104 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 105 #endif /* WITH_OPENSSL */ 106 { NULL, NULL, -1, -1, 0, 0 } 107 }; 108 109 const char * 110 sshkey_type(const struct sshkey *k) 111 { 112 const struct keytype *kt; 113 114 for (kt = keytypes; kt->type != -1; kt++) { 115 if (kt->type == k->type) 116 return kt->shortname; 117 } 118 return "unknown"; 119 } 120 121 static const char * 122 sshkey_ssh_name_from_type_nid(int type, int nid) 123 { 124 const struct keytype *kt; 125 126 for (kt = keytypes; kt->type != -1; kt++) { 127 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 128 return kt->name; 129 } 130 return "ssh-unknown"; 131 } 132 133 int 134 sshkey_type_is_cert(int type) 135 { 136 const struct keytype *kt; 137 138 for (kt = keytypes; kt->type != -1; kt++) { 139 if (kt->type == type) 140 return kt->cert; 141 } 142 return 0; 143 } 144 145 const char * 146 sshkey_ssh_name(const struct sshkey *k) 147 { 148 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 149 } 150 151 const char * 152 sshkey_ssh_name_plain(const struct sshkey *k) 153 { 154 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 155 k->ecdsa_nid); 156 } 157 158 int 159 sshkey_type_from_name(const char *name) 160 { 161 const struct keytype *kt; 162 163 for (kt = keytypes; kt->type != -1; kt++) { 164 /* Only allow shortname matches for plain key types */ 165 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 166 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 167 return kt->type; 168 } 169 return KEY_UNSPEC; 170 } 171 172 int 173 sshkey_ecdsa_nid_from_name(const char *name) 174 { 175 const struct keytype *kt; 176 177 for (kt = keytypes; kt->type != -1; kt++) { 178 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 179 continue; 180 if (kt->name != NULL && strcmp(name, kt->name) == 0) 181 return kt->nid; 182 } 183 return -1; 184 } 185 186 char * 187 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 188 { 189 char *tmp, *ret = NULL; 190 size_t nlen, rlen = 0; 191 const struct keytype *kt; 192 193 for (kt = keytypes; kt->type != -1; kt++) { 194 if (kt->name == NULL) 195 continue; 196 if (!include_sigonly && kt->sigonly) 197 continue; 198 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 199 continue; 200 if (ret != NULL) 201 ret[rlen++] = sep; 202 nlen = strlen(kt->name); 203 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 204 free(ret); 205 return NULL; 206 } 207 ret = tmp; 208 memcpy(ret + rlen, kt->name, nlen + 1); 209 rlen += nlen; 210 } 211 return ret; 212 } 213 214 int 215 sshkey_names_valid2(const char *names, int allow_wildcard) 216 { 217 char *s, *cp, *p; 218 const struct keytype *kt; 219 int type; 220 221 if (names == NULL || strcmp(names, "") == 0) 222 return 0; 223 if ((s = cp = strdup(names)) == NULL) 224 return 0; 225 for ((p = strsep(&cp, ",")); p && *p != '\0'; 226 (p = strsep(&cp, ","))) { 227 type = sshkey_type_from_name(p); 228 if (type == KEY_UNSPEC) { 229 if (allow_wildcard) { 230 /* 231 * Try matching key types against the string. 232 * If any has a positive or negative match then 233 * the component is accepted. 234 */ 235 for (kt = keytypes; kt->type != -1; kt++) { 236 if (match_pattern_list(kt->name, 237 p, 0) != 0) 238 break; 239 } 240 if (kt->type != -1) 241 continue; 242 } 243 free(s); 244 return 0; 245 } 246 } 247 free(s); 248 return 1; 249 } 250 251 u_int 252 sshkey_size(const struct sshkey *k) 253 { 254 switch (k->type) { 255 #ifdef WITH_OPENSSL 256 case KEY_RSA: 257 case KEY_RSA_CERT: 258 return BN_num_bits(k->rsa->n); 259 case KEY_DSA: 260 case KEY_DSA_CERT: 261 return BN_num_bits(k->dsa->p); 262 case KEY_ECDSA: 263 case KEY_ECDSA_CERT: 264 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 265 #endif /* WITH_OPENSSL */ 266 case KEY_ED25519: 267 case KEY_ED25519_CERT: 268 return 256; /* XXX */ 269 } 270 return 0; 271 } 272 273 static int 274 sshkey_type_is_valid_ca(int type) 275 { 276 switch (type) { 277 case KEY_RSA: 278 case KEY_DSA: 279 case KEY_ECDSA: 280 case KEY_ED25519: 281 return 1; 282 default: 283 return 0; 284 } 285 } 286 287 int 288 sshkey_is_cert(const struct sshkey *k) 289 { 290 if (k == NULL) 291 return 0; 292 return sshkey_type_is_cert(k->type); 293 } 294 295 /* Return the cert-less equivalent to a certified key type */ 296 int 297 sshkey_type_plain(int type) 298 { 299 switch (type) { 300 case KEY_RSA_CERT: 301 return KEY_RSA; 302 case KEY_DSA_CERT: 303 return KEY_DSA; 304 case KEY_ECDSA_CERT: 305 return KEY_ECDSA; 306 case KEY_ED25519_CERT: 307 return KEY_ED25519; 308 default: 309 return type; 310 } 311 } 312 313 #ifdef WITH_OPENSSL 314 /* XXX: these are really begging for a table-driven approach */ 315 int 316 sshkey_curve_name_to_nid(const char *name) 317 { 318 if (strcmp(name, "nistp256") == 0) 319 return NID_X9_62_prime256v1; 320 else if (strcmp(name, "nistp384") == 0) 321 return NID_secp384r1; 322 else if (strcmp(name, "nistp521") == 0) 323 return NID_secp521r1; 324 else 325 return -1; 326 } 327 328 u_int 329 sshkey_curve_nid_to_bits(int nid) 330 { 331 switch (nid) { 332 case NID_X9_62_prime256v1: 333 return 256; 334 case NID_secp384r1: 335 return 384; 336 case NID_secp521r1: 337 return 521; 338 default: 339 return 0; 340 } 341 } 342 343 int 344 sshkey_ecdsa_bits_to_nid(int bits) 345 { 346 switch (bits) { 347 case 256: 348 return NID_X9_62_prime256v1; 349 case 384: 350 return NID_secp384r1; 351 case 521: 352 return NID_secp521r1; 353 default: 354 return -1; 355 } 356 } 357 358 const char * 359 sshkey_curve_nid_to_name(int nid) 360 { 361 switch (nid) { 362 case NID_X9_62_prime256v1: 363 return "nistp256"; 364 case NID_secp384r1: 365 return "nistp384"; 366 case NID_secp521r1: 367 return "nistp521"; 368 default: 369 return NULL; 370 } 371 } 372 373 int 374 sshkey_ec_nid_to_hash_alg(int nid) 375 { 376 int kbits = sshkey_curve_nid_to_bits(nid); 377 378 if (kbits <= 0) 379 return -1; 380 381 /* RFC5656 section 6.2.1 */ 382 if (kbits <= 256) 383 return SSH_DIGEST_SHA256; 384 else if (kbits <= 384) 385 return SSH_DIGEST_SHA384; 386 else 387 return SSH_DIGEST_SHA512; 388 } 389 #endif /* WITH_OPENSSL */ 390 391 static void 392 cert_free(struct sshkey_cert *cert) 393 { 394 u_int i; 395 396 if (cert == NULL) 397 return; 398 sshbuf_free(cert->certblob); 399 sshbuf_free(cert->critical); 400 sshbuf_free(cert->extensions); 401 free(cert->key_id); 402 for (i = 0; i < cert->nprincipals; i++) 403 free(cert->principals[i]); 404 free(cert->principals); 405 sshkey_free(cert->signature_key); 406 explicit_bzero(cert, sizeof(*cert)); 407 free(cert); 408 } 409 410 static struct sshkey_cert * 411 cert_new(void) 412 { 413 struct sshkey_cert *cert; 414 415 if ((cert = calloc(1, sizeof(*cert))) == NULL) 416 return NULL; 417 if ((cert->certblob = sshbuf_new()) == NULL || 418 (cert->critical = sshbuf_new()) == NULL || 419 (cert->extensions = sshbuf_new()) == NULL) { 420 cert_free(cert); 421 return NULL; 422 } 423 cert->key_id = NULL; 424 cert->principals = NULL; 425 cert->signature_key = NULL; 426 return cert; 427 } 428 429 struct sshkey * 430 sshkey_new(int type) 431 { 432 struct sshkey *k; 433 #ifdef WITH_OPENSSL 434 RSA *rsa; 435 DSA *dsa; 436 #endif /* WITH_OPENSSL */ 437 438 if ((k = calloc(1, sizeof(*k))) == NULL) 439 return NULL; 440 k->type = type; 441 k->ecdsa = NULL; 442 k->ecdsa_nid = -1; 443 k->dsa = NULL; 444 k->rsa = NULL; 445 k->cert = NULL; 446 k->ed25519_sk = NULL; 447 k->ed25519_pk = NULL; 448 switch (k->type) { 449 #ifdef WITH_OPENSSL 450 case KEY_RSA: 451 case KEY_RSA_CERT: 452 if ((rsa = RSA_new()) == NULL || 453 (rsa->n = BN_new()) == NULL || 454 (rsa->e = BN_new()) == NULL) { 455 if (rsa != NULL) 456 RSA_free(rsa); 457 free(k); 458 return NULL; 459 } 460 k->rsa = rsa; 461 break; 462 case KEY_DSA: 463 case KEY_DSA_CERT: 464 if ((dsa = DSA_new()) == NULL || 465 (dsa->p = BN_new()) == NULL || 466 (dsa->q = BN_new()) == NULL || 467 (dsa->g = BN_new()) == NULL || 468 (dsa->pub_key = BN_new()) == NULL) { 469 if (dsa != NULL) 470 DSA_free(dsa); 471 free(k); 472 return NULL; 473 } 474 k->dsa = dsa; 475 break; 476 case KEY_ECDSA: 477 case KEY_ECDSA_CERT: 478 /* Cannot do anything until we know the group */ 479 break; 480 #endif /* WITH_OPENSSL */ 481 case KEY_ED25519: 482 case KEY_ED25519_CERT: 483 /* no need to prealloc */ 484 break; 485 case KEY_UNSPEC: 486 break; 487 default: 488 free(k); 489 return NULL; 490 } 491 492 if (sshkey_is_cert(k)) { 493 if ((k->cert = cert_new()) == NULL) { 494 sshkey_free(k); 495 return NULL; 496 } 497 } 498 499 return k; 500 } 501 502 int 503 sshkey_add_private(struct sshkey *k) 504 { 505 switch (k->type) { 506 #ifdef WITH_OPENSSL 507 case KEY_RSA: 508 case KEY_RSA_CERT: 509 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 510 if (bn_maybe_alloc_failed(k->rsa->d) || 511 bn_maybe_alloc_failed(k->rsa->iqmp) || 512 bn_maybe_alloc_failed(k->rsa->q) || 513 bn_maybe_alloc_failed(k->rsa->p) || 514 bn_maybe_alloc_failed(k->rsa->dmq1) || 515 bn_maybe_alloc_failed(k->rsa->dmp1)) 516 return SSH_ERR_ALLOC_FAIL; 517 break; 518 case KEY_DSA: 519 case KEY_DSA_CERT: 520 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 521 return SSH_ERR_ALLOC_FAIL; 522 break; 523 #undef bn_maybe_alloc_failed 524 case KEY_ECDSA: 525 case KEY_ECDSA_CERT: 526 /* Cannot do anything until we know the group */ 527 break; 528 #endif /* WITH_OPENSSL */ 529 case KEY_ED25519: 530 case KEY_ED25519_CERT: 531 /* no need to prealloc */ 532 break; 533 case KEY_UNSPEC: 534 break; 535 default: 536 return SSH_ERR_INVALID_ARGUMENT; 537 } 538 return 0; 539 } 540 541 struct sshkey * 542 sshkey_new_private(int type) 543 { 544 struct sshkey *k = sshkey_new(type); 545 546 if (k == NULL) 547 return NULL; 548 if (sshkey_add_private(k) != 0) { 549 sshkey_free(k); 550 return NULL; 551 } 552 return k; 553 } 554 555 void 556 sshkey_free(struct sshkey *k) 557 { 558 if (k == NULL) 559 return; 560 switch (k->type) { 561 #ifdef WITH_OPENSSL 562 case KEY_RSA: 563 case KEY_RSA_CERT: 564 if (k->rsa != NULL) 565 RSA_free(k->rsa); 566 k->rsa = NULL; 567 break; 568 case KEY_DSA: 569 case KEY_DSA_CERT: 570 if (k->dsa != NULL) 571 DSA_free(k->dsa); 572 k->dsa = NULL; 573 break; 574 case KEY_ECDSA: 575 case KEY_ECDSA_CERT: 576 if (k->ecdsa != NULL) 577 EC_KEY_free(k->ecdsa); 578 k->ecdsa = NULL; 579 break; 580 #endif /* WITH_OPENSSL */ 581 case KEY_ED25519: 582 case KEY_ED25519_CERT: 583 if (k->ed25519_pk) { 584 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 585 free(k->ed25519_pk); 586 k->ed25519_pk = NULL; 587 } 588 if (k->ed25519_sk) { 589 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 590 free(k->ed25519_sk); 591 k->ed25519_sk = NULL; 592 } 593 break; 594 case KEY_UNSPEC: 595 break; 596 default: 597 break; 598 } 599 if (sshkey_is_cert(k)) 600 cert_free(k->cert); 601 explicit_bzero(k, sizeof(*k)); 602 free(k); 603 } 604 605 static int 606 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 607 { 608 if (a == NULL && b == NULL) 609 return 1; 610 if (a == NULL || b == NULL) 611 return 0; 612 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 613 return 0; 614 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 615 sshbuf_len(a->certblob)) != 0) 616 return 0; 617 return 1; 618 } 619 620 /* 621 * Compare public portions of key only, allowing comparisons between 622 * certificates and plain keys too. 623 */ 624 int 625 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 626 { 627 #ifdef WITH_OPENSSL 628 BN_CTX *bnctx; 629 #endif /* WITH_OPENSSL */ 630 631 if (a == NULL || b == NULL || 632 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 633 return 0; 634 635 switch (a->type) { 636 #ifdef WITH_OPENSSL 637 case KEY_RSA_CERT: 638 case KEY_RSA: 639 return a->rsa != NULL && b->rsa != NULL && 640 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 641 BN_cmp(a->rsa->n, b->rsa->n) == 0; 642 case KEY_DSA_CERT: 643 case KEY_DSA: 644 return a->dsa != NULL && b->dsa != NULL && 645 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 646 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 647 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 648 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 649 case KEY_ECDSA_CERT: 650 case KEY_ECDSA: 651 if (a->ecdsa == NULL || b->ecdsa == NULL || 652 EC_KEY_get0_public_key(a->ecdsa) == NULL || 653 EC_KEY_get0_public_key(b->ecdsa) == NULL) 654 return 0; 655 if ((bnctx = BN_CTX_new()) == NULL) 656 return 0; 657 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 658 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 659 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 660 EC_KEY_get0_public_key(a->ecdsa), 661 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 662 BN_CTX_free(bnctx); 663 return 0; 664 } 665 BN_CTX_free(bnctx); 666 return 1; 667 #endif /* WITH_OPENSSL */ 668 case KEY_ED25519: 669 case KEY_ED25519_CERT: 670 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 671 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 672 default: 673 return 0; 674 } 675 /* NOTREACHED */ 676 } 677 678 int 679 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 680 { 681 if (a == NULL || b == NULL || a->type != b->type) 682 return 0; 683 if (sshkey_is_cert(a)) { 684 if (!cert_compare(a->cert, b->cert)) 685 return 0; 686 } 687 return sshkey_equal_public(a, b); 688 } 689 690 static int 691 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 692 { 693 int type, ret = SSH_ERR_INTERNAL_ERROR; 694 const char *typename; 695 696 if (key == NULL) 697 return SSH_ERR_INVALID_ARGUMENT; 698 699 if (sshkey_is_cert(key)) { 700 if (key->cert == NULL) 701 return SSH_ERR_EXPECTED_CERT; 702 if (sshbuf_len(key->cert->certblob) == 0) 703 return SSH_ERR_KEY_LACKS_CERTBLOB; 704 } 705 type = force_plain ? sshkey_type_plain(key->type) : key->type; 706 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 707 708 switch (type) { 709 #ifdef WITH_OPENSSL 710 case KEY_DSA_CERT: 711 case KEY_ECDSA_CERT: 712 case KEY_RSA_CERT: 713 #endif /* WITH_OPENSSL */ 714 case KEY_ED25519_CERT: 715 /* Use the existing blob */ 716 /* XXX modified flag? */ 717 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 718 return ret; 719 break; 720 #ifdef WITH_OPENSSL 721 case KEY_DSA: 722 if (key->dsa == NULL) 723 return SSH_ERR_INVALID_ARGUMENT; 724 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 725 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 726 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 727 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 728 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 729 return ret; 730 break; 731 case KEY_ECDSA: 732 if (key->ecdsa == NULL) 733 return SSH_ERR_INVALID_ARGUMENT; 734 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 735 (ret = sshbuf_put_cstring(b, 736 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 737 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 738 return ret; 739 break; 740 case KEY_RSA: 741 if (key->rsa == NULL) 742 return SSH_ERR_INVALID_ARGUMENT; 743 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 744 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 745 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 746 return ret; 747 break; 748 #endif /* WITH_OPENSSL */ 749 case KEY_ED25519: 750 if (key->ed25519_pk == NULL) 751 return SSH_ERR_INVALID_ARGUMENT; 752 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 753 (ret = sshbuf_put_string(b, 754 key->ed25519_pk, ED25519_PK_SZ)) != 0) 755 return ret; 756 break; 757 default: 758 return SSH_ERR_KEY_TYPE_UNKNOWN; 759 } 760 return 0; 761 } 762 763 int 764 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 765 { 766 return to_blob_buf(key, b, 0); 767 } 768 769 int 770 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 771 { 772 struct sshbuf *tmp; 773 int r; 774 775 if ((tmp = sshbuf_new()) == NULL) 776 return SSH_ERR_ALLOC_FAIL; 777 r = to_blob_buf(key, tmp, 0); 778 if (r == 0) 779 r = sshbuf_put_stringb(b, tmp); 780 sshbuf_free(tmp); 781 return r; 782 } 783 784 int 785 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 786 { 787 return to_blob_buf(key, b, 1); 788 } 789 790 static int 791 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 792 { 793 int ret = SSH_ERR_INTERNAL_ERROR; 794 size_t len; 795 struct sshbuf *b = NULL; 796 797 if (lenp != NULL) 798 *lenp = 0; 799 if (blobp != NULL) 800 *blobp = NULL; 801 if ((b = sshbuf_new()) == NULL) 802 return SSH_ERR_ALLOC_FAIL; 803 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 804 goto out; 805 len = sshbuf_len(b); 806 if (lenp != NULL) 807 *lenp = len; 808 if (blobp != NULL) { 809 if ((*blobp = malloc(len)) == NULL) { 810 ret = SSH_ERR_ALLOC_FAIL; 811 goto out; 812 } 813 memcpy(*blobp, sshbuf_ptr(b), len); 814 } 815 ret = 0; 816 out: 817 sshbuf_free(b); 818 return ret; 819 } 820 821 int 822 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 823 { 824 return to_blob(key, blobp, lenp, 0); 825 } 826 827 int 828 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 829 { 830 return to_blob(key, blobp, lenp, 1); 831 } 832 833 int 834 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 835 u_char **retp, size_t *lenp) 836 { 837 u_char *blob = NULL, *ret = NULL; 838 size_t blob_len = 0; 839 int r = SSH_ERR_INTERNAL_ERROR; 840 841 if (retp != NULL) 842 *retp = NULL; 843 if (lenp != NULL) 844 *lenp = 0; 845 if (ssh_digest_bytes(dgst_alg) == 0) { 846 r = SSH_ERR_INVALID_ARGUMENT; 847 goto out; 848 } 849 if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 850 goto out; 851 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 852 r = SSH_ERR_ALLOC_FAIL; 853 goto out; 854 } 855 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 856 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 857 goto out; 858 /* success */ 859 if (retp != NULL) { 860 *retp = ret; 861 ret = NULL; 862 } 863 if (lenp != NULL) 864 *lenp = ssh_digest_bytes(dgst_alg); 865 r = 0; 866 out: 867 free(ret); 868 if (blob != NULL) { 869 explicit_bzero(blob, blob_len); 870 free(blob); 871 } 872 return r; 873 } 874 875 static char * 876 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 877 { 878 char *ret; 879 size_t plen = strlen(alg) + 1; 880 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 881 int r; 882 883 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 884 return NULL; 885 strlcpy(ret, alg, rlen); 886 strlcat(ret, ":", rlen); 887 if (dgst_raw_len == 0) 888 return ret; 889 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 890 ret + plen, rlen - plen)) == -1) { 891 explicit_bzero(ret, rlen); 892 free(ret); 893 return NULL; 894 } 895 /* Trim padding characters from end */ 896 ret[strcspn(ret, "=")] = '\0'; 897 return ret; 898 } 899 900 static char * 901 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 902 { 903 char *retval, hex[5]; 904 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 905 906 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 907 return NULL; 908 strlcpy(retval, alg, rlen); 909 strlcat(retval, ":", rlen); 910 for (i = 0; i < dgst_raw_len; i++) { 911 snprintf(hex, sizeof(hex), "%s%02x", 912 i > 0 ? ":" : "", dgst_raw[i]); 913 strlcat(retval, hex, rlen); 914 } 915 return retval; 916 } 917 918 static char * 919 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 920 { 921 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 922 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 923 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 924 u_int i, j = 0, rounds, seed = 1; 925 char *retval; 926 927 rounds = (dgst_raw_len / 2) + 1; 928 if ((retval = calloc(rounds, 6)) == NULL) 929 return NULL; 930 retval[j++] = 'x'; 931 for (i = 0; i < rounds; i++) { 932 u_int idx0, idx1, idx2, idx3, idx4; 933 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 934 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 935 seed) % 6; 936 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 937 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 938 (seed / 6)) % 6; 939 retval[j++] = vowels[idx0]; 940 retval[j++] = consonants[idx1]; 941 retval[j++] = vowels[idx2]; 942 if ((i + 1) < rounds) { 943 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 944 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 945 retval[j++] = consonants[idx3]; 946 retval[j++] = '-'; 947 retval[j++] = consonants[idx4]; 948 seed = ((seed * 5) + 949 ((((u_int)(dgst_raw[2 * i])) * 7) + 950 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 951 } 952 } else { 953 idx0 = seed % 6; 954 idx1 = 16; 955 idx2 = seed / 6; 956 retval[j++] = vowels[idx0]; 957 retval[j++] = consonants[idx1]; 958 retval[j++] = vowels[idx2]; 959 } 960 } 961 retval[j++] = 'x'; 962 retval[j++] = '\0'; 963 return retval; 964 } 965 966 /* 967 * Draw an ASCII-Art representing the fingerprint so human brain can 968 * profit from its built-in pattern recognition ability. 969 * This technique is called "random art" and can be found in some 970 * scientific publications like this original paper: 971 * 972 * "Hash Visualization: a New Technique to improve Real-World Security", 973 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 974 * Techniques and E-Commerce (CrypTEC '99) 975 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 976 * 977 * The subject came up in a talk by Dan Kaminsky, too. 978 * 979 * If you see the picture is different, the key is different. 980 * If the picture looks the same, you still know nothing. 981 * 982 * The algorithm used here is a worm crawling over a discrete plane, 983 * leaving a trace (augmenting the field) everywhere it goes. 984 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 985 * makes the respective movement vector be ignored for this turn. 986 * Graphs are not unambiguous, because circles in graphs can be 987 * walked in either direction. 988 */ 989 990 /* 991 * Field sizes for the random art. Have to be odd, so the starting point 992 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 993 * Else pictures would be too dense, and drawing the frame would 994 * fail, too, because the key type would not fit in anymore. 995 */ 996 #define FLDBASE 8 997 #define FLDSIZE_Y (FLDBASE + 1) 998 #define FLDSIZE_X (FLDBASE * 2 + 1) 999 static char * 1000 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1001 const struct sshkey *k) 1002 { 1003 /* 1004 * Chars to be used after each other every time the worm 1005 * intersects with itself. Matter of taste. 1006 */ 1007 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1008 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1009 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1010 size_t i, tlen, hlen; 1011 u_int b; 1012 int x, y, r; 1013 size_t len = strlen(augmentation_string) - 1; 1014 1015 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1016 return NULL; 1017 1018 /* initialize field */ 1019 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1020 x = FLDSIZE_X / 2; 1021 y = FLDSIZE_Y / 2; 1022 1023 /* process raw key */ 1024 for (i = 0; i < dgst_raw_len; i++) { 1025 int input; 1026 /* each byte conveys four 2-bit move commands */ 1027 input = dgst_raw[i]; 1028 for (b = 0; b < 4; b++) { 1029 /* evaluate 2 bit, rest is shifted later */ 1030 x += (input & 0x1) ? 1 : -1; 1031 y += (input & 0x2) ? 1 : -1; 1032 1033 /* assure we are still in bounds */ 1034 x = MAXIMUM(x, 0); 1035 y = MAXIMUM(y, 0); 1036 x = MINIMUM(x, FLDSIZE_X - 1); 1037 y = MINIMUM(y, FLDSIZE_Y - 1); 1038 1039 /* augment the field */ 1040 if (field[x][y] < len - 2) 1041 field[x][y]++; 1042 input = input >> 2; 1043 } 1044 } 1045 1046 /* mark starting point and end point*/ 1047 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1048 field[x][y] = len; 1049 1050 /* assemble title */ 1051 r = snprintf(title, sizeof(title), "[%s %u]", 1052 sshkey_type(k), sshkey_size(k)); 1053 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1054 if (r < 0 || r > (int)sizeof(title)) 1055 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1056 tlen = (r <= 0) ? 0 : strlen(title); 1057 1058 /* assemble hash ID. */ 1059 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1060 hlen = (r <= 0) ? 0 : strlen(hash); 1061 1062 /* output upper border */ 1063 p = retval; 1064 *p++ = '+'; 1065 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1066 *p++ = '-'; 1067 memcpy(p, title, tlen); 1068 p += tlen; 1069 for (i += tlen; i < FLDSIZE_X; i++) 1070 *p++ = '-'; 1071 *p++ = '+'; 1072 *p++ = '\n'; 1073 1074 /* output content */ 1075 for (y = 0; y < FLDSIZE_Y; y++) { 1076 *p++ = '|'; 1077 for (x = 0; x < FLDSIZE_X; x++) 1078 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1079 *p++ = '|'; 1080 *p++ = '\n'; 1081 } 1082 1083 /* output lower border */ 1084 *p++ = '+'; 1085 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1086 *p++ = '-'; 1087 memcpy(p, hash, hlen); 1088 p += hlen; 1089 for (i += hlen; i < FLDSIZE_X; i++) 1090 *p++ = '-'; 1091 *p++ = '+'; 1092 1093 return retval; 1094 } 1095 1096 char * 1097 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1098 enum sshkey_fp_rep dgst_rep) 1099 { 1100 char *retval = NULL; 1101 u_char *dgst_raw; 1102 size_t dgst_raw_len; 1103 1104 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1105 return NULL; 1106 switch (dgst_rep) { 1107 case SSH_FP_DEFAULT: 1108 if (dgst_alg == SSH_DIGEST_MD5) { 1109 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1110 dgst_raw, dgst_raw_len); 1111 } else { 1112 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1113 dgst_raw, dgst_raw_len); 1114 } 1115 break; 1116 case SSH_FP_HEX: 1117 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1118 dgst_raw, dgst_raw_len); 1119 break; 1120 case SSH_FP_BASE64: 1121 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1122 dgst_raw, dgst_raw_len); 1123 break; 1124 case SSH_FP_BUBBLEBABBLE: 1125 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1126 break; 1127 case SSH_FP_RANDOMART: 1128 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1129 dgst_raw, dgst_raw_len, k); 1130 break; 1131 default: 1132 explicit_bzero(dgst_raw, dgst_raw_len); 1133 free(dgst_raw); 1134 return NULL; 1135 } 1136 explicit_bzero(dgst_raw, dgst_raw_len); 1137 free(dgst_raw); 1138 return retval; 1139 } 1140 1141 1142 /* returns 0 ok, and < 0 error */ 1143 int 1144 sshkey_read(struct sshkey *ret, char **cpp) 1145 { 1146 struct sshkey *k; 1147 int retval = SSH_ERR_INVALID_FORMAT; 1148 char *ep, *cp, *space; 1149 int r, type, curve_nid = -1; 1150 struct sshbuf *blob; 1151 1152 if (ret == NULL) 1153 return SSH_ERR_INVALID_ARGUMENT; 1154 1155 cp = *cpp; 1156 1157 switch (ret->type) { 1158 case KEY_UNSPEC: 1159 case KEY_RSA: 1160 case KEY_DSA: 1161 case KEY_ECDSA: 1162 case KEY_ED25519: 1163 case KEY_DSA_CERT: 1164 case KEY_ECDSA_CERT: 1165 case KEY_RSA_CERT: 1166 case KEY_ED25519_CERT: 1167 space = strchr(cp, ' '); 1168 if (space == NULL) 1169 return SSH_ERR_INVALID_FORMAT; 1170 *space = '\0'; 1171 type = sshkey_type_from_name(cp); 1172 if (sshkey_type_plain(type) == KEY_ECDSA && 1173 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1174 return SSH_ERR_EC_CURVE_INVALID; 1175 *space = ' '; 1176 if (type == KEY_UNSPEC) 1177 return SSH_ERR_INVALID_FORMAT; 1178 cp = space+1; 1179 if (*cp == '\0') 1180 return SSH_ERR_INVALID_FORMAT; 1181 if (ret->type != KEY_UNSPEC && ret->type != type) 1182 return SSH_ERR_KEY_TYPE_MISMATCH; 1183 if ((blob = sshbuf_new()) == NULL) 1184 return SSH_ERR_ALLOC_FAIL; 1185 /* trim comment */ 1186 space = strchr(cp, ' '); 1187 if (space) { 1188 /* advance 'space': skip whitespace */ 1189 *space++ = '\0'; 1190 while (*space == ' ' || *space == '\t') 1191 space++; 1192 ep = space; 1193 } else 1194 ep = cp + strlen(cp); 1195 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1196 sshbuf_free(blob); 1197 return r; 1198 } 1199 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1200 sshbuf_len(blob), &k)) != 0) { 1201 sshbuf_free(blob); 1202 return r; 1203 } 1204 sshbuf_free(blob); 1205 if (k->type != type) { 1206 sshkey_free(k); 1207 return SSH_ERR_KEY_TYPE_MISMATCH; 1208 } 1209 if (sshkey_type_plain(type) == KEY_ECDSA && 1210 curve_nid != k->ecdsa_nid) { 1211 sshkey_free(k); 1212 return SSH_ERR_EC_CURVE_MISMATCH; 1213 } 1214 ret->type = type; 1215 if (sshkey_is_cert(ret)) { 1216 if (!sshkey_is_cert(k)) { 1217 sshkey_free(k); 1218 return SSH_ERR_EXPECTED_CERT; 1219 } 1220 if (ret->cert != NULL) 1221 cert_free(ret->cert); 1222 ret->cert = k->cert; 1223 k->cert = NULL; 1224 } 1225 switch (sshkey_type_plain(ret->type)) { 1226 #ifdef WITH_OPENSSL 1227 case KEY_RSA: 1228 if (ret->rsa != NULL) 1229 RSA_free(ret->rsa); 1230 ret->rsa = k->rsa; 1231 k->rsa = NULL; 1232 #ifdef DEBUG_PK 1233 RSA_print_fp(stderr, ret->rsa, 8); 1234 #endif 1235 break; 1236 case KEY_DSA: 1237 if (ret->dsa != NULL) 1238 DSA_free(ret->dsa); 1239 ret->dsa = k->dsa; 1240 k->dsa = NULL; 1241 #ifdef DEBUG_PK 1242 DSA_print_fp(stderr, ret->dsa, 8); 1243 #endif 1244 break; 1245 case KEY_ECDSA: 1246 if (ret->ecdsa != NULL) 1247 EC_KEY_free(ret->ecdsa); 1248 ret->ecdsa = k->ecdsa; 1249 ret->ecdsa_nid = k->ecdsa_nid; 1250 k->ecdsa = NULL; 1251 k->ecdsa_nid = -1; 1252 #ifdef DEBUG_PK 1253 sshkey_dump_ec_key(ret->ecdsa); 1254 #endif 1255 break; 1256 #endif /* WITH_OPENSSL */ 1257 case KEY_ED25519: 1258 free(ret->ed25519_pk); 1259 ret->ed25519_pk = k->ed25519_pk; 1260 k->ed25519_pk = NULL; 1261 #ifdef DEBUG_PK 1262 /* XXX */ 1263 #endif 1264 break; 1265 } 1266 *cpp = ep; 1267 retval = 0; 1268 /*XXXX*/ 1269 sshkey_free(k); 1270 if (retval != 0) 1271 break; 1272 break; 1273 default: 1274 return SSH_ERR_INVALID_ARGUMENT; 1275 } 1276 return retval; 1277 } 1278 1279 int 1280 sshkey_to_base64(const struct sshkey *key, char **b64p) 1281 { 1282 int r = SSH_ERR_INTERNAL_ERROR; 1283 struct sshbuf *b = NULL; 1284 char *uu = NULL; 1285 1286 if (b64p != NULL) 1287 *b64p = NULL; 1288 if ((b = sshbuf_new()) == NULL) 1289 return SSH_ERR_ALLOC_FAIL; 1290 if ((r = sshkey_putb(key, b)) != 0) 1291 goto out; 1292 if ((uu = sshbuf_dtob64(b)) == NULL) { 1293 r = SSH_ERR_ALLOC_FAIL; 1294 goto out; 1295 } 1296 /* Success */ 1297 if (b64p != NULL) { 1298 *b64p = uu; 1299 uu = NULL; 1300 } 1301 r = 0; 1302 out: 1303 sshbuf_free(b); 1304 free(uu); 1305 return r; 1306 } 1307 1308 int 1309 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1310 { 1311 int r = SSH_ERR_INTERNAL_ERROR; 1312 char *uu = NULL; 1313 1314 if ((r = sshkey_to_base64(key, &uu)) != 0) 1315 goto out; 1316 if ((r = sshbuf_putf(b, "%s %s", 1317 sshkey_ssh_name(key), uu)) != 0) 1318 goto out; 1319 r = 0; 1320 out: 1321 free(uu); 1322 return r; 1323 } 1324 1325 int 1326 sshkey_write(const struct sshkey *key, FILE *f) 1327 { 1328 struct sshbuf *b = NULL; 1329 int r = SSH_ERR_INTERNAL_ERROR; 1330 1331 if ((b = sshbuf_new()) == NULL) 1332 return SSH_ERR_ALLOC_FAIL; 1333 if ((r = sshkey_format_text(key, b)) != 0) 1334 goto out; 1335 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1336 if (feof(f)) 1337 errno = EPIPE; 1338 r = SSH_ERR_SYSTEM_ERROR; 1339 goto out; 1340 } 1341 /* Success */ 1342 r = 0; 1343 out: 1344 sshbuf_free(b); 1345 return r; 1346 } 1347 1348 const char * 1349 sshkey_cert_type(const struct sshkey *k) 1350 { 1351 switch (k->cert->type) { 1352 case SSH2_CERT_TYPE_USER: 1353 return "user"; 1354 case SSH2_CERT_TYPE_HOST: 1355 return "host"; 1356 default: 1357 return "unknown"; 1358 } 1359 } 1360 1361 #ifdef WITH_OPENSSL 1362 static int 1363 rsa_generate_private_key(u_int bits, RSA **rsap) 1364 { 1365 RSA *private = NULL; 1366 BIGNUM *f4 = NULL; 1367 int ret = SSH_ERR_INTERNAL_ERROR; 1368 1369 if (rsap == NULL) 1370 return SSH_ERR_INVALID_ARGUMENT; 1371 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1372 bits > SSHBUF_MAX_BIGNUM * 8) 1373 return SSH_ERR_KEY_LENGTH; 1374 *rsap = NULL; 1375 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1376 ret = SSH_ERR_ALLOC_FAIL; 1377 goto out; 1378 } 1379 if (!BN_set_word(f4, RSA_F4) || 1380 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1381 ret = SSH_ERR_LIBCRYPTO_ERROR; 1382 goto out; 1383 } 1384 *rsap = private; 1385 private = NULL; 1386 ret = 0; 1387 out: 1388 if (private != NULL) 1389 RSA_free(private); 1390 if (f4 != NULL) 1391 BN_free(f4); 1392 return ret; 1393 } 1394 1395 static int 1396 dsa_generate_private_key(u_int bits, DSA **dsap) 1397 { 1398 DSA *private; 1399 int ret = SSH_ERR_INTERNAL_ERROR; 1400 1401 if (dsap == NULL) 1402 return SSH_ERR_INVALID_ARGUMENT; 1403 if (bits != 1024) 1404 return SSH_ERR_KEY_LENGTH; 1405 if ((private = DSA_new()) == NULL) { 1406 ret = SSH_ERR_ALLOC_FAIL; 1407 goto out; 1408 } 1409 *dsap = NULL; 1410 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1411 NULL, NULL) || !DSA_generate_key(private)) { 1412 ret = SSH_ERR_LIBCRYPTO_ERROR; 1413 goto out; 1414 } 1415 *dsap = private; 1416 private = NULL; 1417 ret = 0; 1418 out: 1419 if (private != NULL) 1420 DSA_free(private); 1421 return ret; 1422 } 1423 1424 int 1425 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1426 { 1427 EC_GROUP *eg; 1428 int nids[] = { 1429 NID_X9_62_prime256v1, 1430 NID_secp384r1, 1431 NID_secp521r1, 1432 -1 1433 }; 1434 int nid; 1435 u_int i; 1436 BN_CTX *bnctx; 1437 const EC_GROUP *g = EC_KEY_get0_group(k); 1438 1439 /* 1440 * The group may be stored in a ASN.1 encoded private key in one of two 1441 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1442 * or explicit group parameters encoded into the key blob. Only the 1443 * "named group" case sets the group NID for us, but we can figure 1444 * it out for the other case by comparing against all the groups that 1445 * are supported. 1446 */ 1447 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1448 return nid; 1449 if ((bnctx = BN_CTX_new()) == NULL) 1450 return -1; 1451 for (i = 0; nids[i] != -1; i++) { 1452 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1453 BN_CTX_free(bnctx); 1454 return -1; 1455 } 1456 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1457 break; 1458 EC_GROUP_free(eg); 1459 } 1460 BN_CTX_free(bnctx); 1461 if (nids[i] != -1) { 1462 /* Use the group with the NID attached */ 1463 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1464 if (EC_KEY_set_group(k, eg) != 1) { 1465 EC_GROUP_free(eg); 1466 return -1; 1467 } 1468 } 1469 return nids[i]; 1470 } 1471 1472 static int 1473 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1474 { 1475 EC_KEY *private; 1476 int ret = SSH_ERR_INTERNAL_ERROR; 1477 1478 if (nid == NULL || ecdsap == NULL) 1479 return SSH_ERR_INVALID_ARGUMENT; 1480 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1481 return SSH_ERR_KEY_LENGTH; 1482 *ecdsap = NULL; 1483 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1484 ret = SSH_ERR_ALLOC_FAIL; 1485 goto out; 1486 } 1487 if (EC_KEY_generate_key(private) != 1) { 1488 ret = SSH_ERR_LIBCRYPTO_ERROR; 1489 goto out; 1490 } 1491 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1492 *ecdsap = private; 1493 private = NULL; 1494 ret = 0; 1495 out: 1496 if (private != NULL) 1497 EC_KEY_free(private); 1498 return ret; 1499 } 1500 #endif /* WITH_OPENSSL */ 1501 1502 int 1503 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1504 { 1505 struct sshkey *k; 1506 int ret = SSH_ERR_INTERNAL_ERROR; 1507 1508 if (keyp == NULL) 1509 return SSH_ERR_INVALID_ARGUMENT; 1510 *keyp = NULL; 1511 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1512 return SSH_ERR_ALLOC_FAIL; 1513 switch (type) { 1514 case KEY_ED25519: 1515 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1516 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1517 ret = SSH_ERR_ALLOC_FAIL; 1518 break; 1519 } 1520 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1521 ret = 0; 1522 break; 1523 #ifdef WITH_OPENSSL 1524 case KEY_DSA: 1525 ret = dsa_generate_private_key(bits, &k->dsa); 1526 break; 1527 case KEY_ECDSA: 1528 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1529 &k->ecdsa); 1530 break; 1531 case KEY_RSA: 1532 ret = rsa_generate_private_key(bits, &k->rsa); 1533 break; 1534 #endif /* WITH_OPENSSL */ 1535 default: 1536 ret = SSH_ERR_INVALID_ARGUMENT; 1537 } 1538 if (ret == 0) { 1539 k->type = type; 1540 *keyp = k; 1541 } else 1542 sshkey_free(k); 1543 return ret; 1544 } 1545 1546 int 1547 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1548 { 1549 u_int i; 1550 const struct sshkey_cert *from; 1551 struct sshkey_cert *to; 1552 int ret = SSH_ERR_INTERNAL_ERROR; 1553 1554 if (to_key->cert != NULL) { 1555 cert_free(to_key->cert); 1556 to_key->cert = NULL; 1557 } 1558 1559 if ((from = from_key->cert) == NULL) 1560 return SSH_ERR_INVALID_ARGUMENT; 1561 1562 if ((to = to_key->cert = cert_new()) == NULL) 1563 return SSH_ERR_ALLOC_FAIL; 1564 1565 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1566 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1567 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) 1568 return ret; 1569 1570 to->serial = from->serial; 1571 to->type = from->type; 1572 if (from->key_id == NULL) 1573 to->key_id = NULL; 1574 else if ((to->key_id = strdup(from->key_id)) == NULL) 1575 return SSH_ERR_ALLOC_FAIL; 1576 to->valid_after = from->valid_after; 1577 to->valid_before = from->valid_before; 1578 if (from->signature_key == NULL) 1579 to->signature_key = NULL; 1580 else if ((ret = sshkey_from_private(from->signature_key, 1581 &to->signature_key)) != 0) 1582 return ret; 1583 1584 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1585 return SSH_ERR_INVALID_ARGUMENT; 1586 if (from->nprincipals > 0) { 1587 if ((to->principals = calloc(from->nprincipals, 1588 sizeof(*to->principals))) == NULL) 1589 return SSH_ERR_ALLOC_FAIL; 1590 for (i = 0; i < from->nprincipals; i++) { 1591 to->principals[i] = strdup(from->principals[i]); 1592 if (to->principals[i] == NULL) { 1593 to->nprincipals = i; 1594 return SSH_ERR_ALLOC_FAIL; 1595 } 1596 } 1597 } 1598 to->nprincipals = from->nprincipals; 1599 return 0; 1600 } 1601 1602 int 1603 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1604 { 1605 struct sshkey *n = NULL; 1606 int ret = SSH_ERR_INTERNAL_ERROR; 1607 1608 *pkp = NULL; 1609 switch (k->type) { 1610 #ifdef WITH_OPENSSL 1611 case KEY_DSA: 1612 case KEY_DSA_CERT: 1613 if ((n = sshkey_new(k->type)) == NULL) 1614 return SSH_ERR_ALLOC_FAIL; 1615 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1616 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1617 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1618 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1619 sshkey_free(n); 1620 return SSH_ERR_ALLOC_FAIL; 1621 } 1622 break; 1623 case KEY_ECDSA: 1624 case KEY_ECDSA_CERT: 1625 if ((n = sshkey_new(k->type)) == NULL) 1626 return SSH_ERR_ALLOC_FAIL; 1627 n->ecdsa_nid = k->ecdsa_nid; 1628 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1629 if (n->ecdsa == NULL) { 1630 sshkey_free(n); 1631 return SSH_ERR_ALLOC_FAIL; 1632 } 1633 if (EC_KEY_set_public_key(n->ecdsa, 1634 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1635 sshkey_free(n); 1636 return SSH_ERR_LIBCRYPTO_ERROR; 1637 } 1638 break; 1639 case KEY_RSA: 1640 case KEY_RSA_CERT: 1641 if ((n = sshkey_new(k->type)) == NULL) 1642 return SSH_ERR_ALLOC_FAIL; 1643 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1644 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1645 sshkey_free(n); 1646 return SSH_ERR_ALLOC_FAIL; 1647 } 1648 break; 1649 #endif /* WITH_OPENSSL */ 1650 case KEY_ED25519: 1651 case KEY_ED25519_CERT: 1652 if ((n = sshkey_new(k->type)) == NULL) 1653 return SSH_ERR_ALLOC_FAIL; 1654 if (k->ed25519_pk != NULL) { 1655 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1656 sshkey_free(n); 1657 return SSH_ERR_ALLOC_FAIL; 1658 } 1659 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1660 } 1661 break; 1662 default: 1663 return SSH_ERR_KEY_TYPE_UNKNOWN; 1664 } 1665 if (sshkey_is_cert(k)) { 1666 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1667 sshkey_free(n); 1668 return ret; 1669 } 1670 } 1671 *pkp = n; 1672 return 0; 1673 } 1674 1675 static int 1676 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1677 { 1678 struct sshbuf *principals = NULL, *crit = NULL; 1679 struct sshbuf *exts = NULL, *ca = NULL; 1680 u_char *sig = NULL; 1681 size_t signed_len = 0, slen = 0, kidlen = 0; 1682 int ret = SSH_ERR_INTERNAL_ERROR; 1683 1684 /* Copy the entire key blob for verification and later serialisation */ 1685 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1686 return ret; 1687 1688 /* Parse body of certificate up to signature */ 1689 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1690 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1691 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1692 (ret = sshbuf_froms(b, &principals)) != 0 || 1693 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1694 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1695 (ret = sshbuf_froms(b, &crit)) != 0 || 1696 (ret = sshbuf_froms(b, &exts)) != 0 || 1697 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1698 (ret = sshbuf_froms(b, &ca)) != 0) { 1699 /* XXX debug print error for ret */ 1700 ret = SSH_ERR_INVALID_FORMAT; 1701 goto out; 1702 } 1703 1704 /* Signature is left in the buffer so we can calculate this length */ 1705 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1706 1707 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1708 ret = SSH_ERR_INVALID_FORMAT; 1709 goto out; 1710 } 1711 1712 if (key->cert->type != SSH2_CERT_TYPE_USER && 1713 key->cert->type != SSH2_CERT_TYPE_HOST) { 1714 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1715 goto out; 1716 } 1717 1718 /* Parse principals section */ 1719 while (sshbuf_len(principals) > 0) { 1720 char *principal = NULL; 1721 char **oprincipals = NULL; 1722 1723 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1724 ret = SSH_ERR_INVALID_FORMAT; 1725 goto out; 1726 } 1727 if ((ret = sshbuf_get_cstring(principals, &principal, 1728 NULL)) != 0) { 1729 ret = SSH_ERR_INVALID_FORMAT; 1730 goto out; 1731 } 1732 oprincipals = key->cert->principals; 1733 key->cert->principals = recallocarray(key->cert->principals, 1734 key->cert->nprincipals, key->cert->nprincipals + 1, 1735 sizeof(*key->cert->principals)); 1736 if (key->cert->principals == NULL) { 1737 free(principal); 1738 key->cert->principals = oprincipals; 1739 ret = SSH_ERR_ALLOC_FAIL; 1740 goto out; 1741 } 1742 key->cert->principals[key->cert->nprincipals++] = principal; 1743 } 1744 1745 /* 1746 * Stash a copies of the critical options and extensions sections 1747 * for later use. 1748 */ 1749 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1750 (exts != NULL && 1751 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1752 goto out; 1753 1754 /* 1755 * Validate critical options and extensions sections format. 1756 */ 1757 while (sshbuf_len(crit) != 0) { 1758 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1759 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1760 sshbuf_reset(key->cert->critical); 1761 ret = SSH_ERR_INVALID_FORMAT; 1762 goto out; 1763 } 1764 } 1765 while (exts != NULL && sshbuf_len(exts) != 0) { 1766 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1767 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1768 sshbuf_reset(key->cert->extensions); 1769 ret = SSH_ERR_INVALID_FORMAT; 1770 goto out; 1771 } 1772 } 1773 1774 /* Parse CA key and check signature */ 1775 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1776 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1777 goto out; 1778 } 1779 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1780 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1781 goto out; 1782 } 1783 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1784 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1785 goto out; 1786 1787 /* Success */ 1788 ret = 0; 1789 out: 1790 sshbuf_free(ca); 1791 sshbuf_free(crit); 1792 sshbuf_free(exts); 1793 sshbuf_free(principals); 1794 free(sig); 1795 return ret; 1796 } 1797 1798 static int 1799 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1800 int allow_cert) 1801 { 1802 int type, ret = SSH_ERR_INTERNAL_ERROR; 1803 char *ktype = NULL, *curve = NULL; 1804 struct sshkey *key = NULL; 1805 size_t len; 1806 u_char *pk = NULL; 1807 struct sshbuf *copy; 1808 #ifdef WITH_OPENSSL 1809 EC_POINT *q = NULL; 1810 #endif /* WITH_OPENSSL */ 1811 1812 #ifdef DEBUG_PK /* XXX */ 1813 sshbuf_dump(b, stderr); 1814 #endif 1815 if (keyp != NULL) 1816 *keyp = NULL; 1817 if ((copy = sshbuf_fromb(b)) == NULL) { 1818 ret = SSH_ERR_ALLOC_FAIL; 1819 goto out; 1820 } 1821 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1822 ret = SSH_ERR_INVALID_FORMAT; 1823 goto out; 1824 } 1825 1826 type = sshkey_type_from_name(ktype); 1827 if (!allow_cert && sshkey_type_is_cert(type)) { 1828 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1829 goto out; 1830 } 1831 switch (type) { 1832 #ifdef WITH_OPENSSL 1833 case KEY_RSA_CERT: 1834 /* Skip nonce */ 1835 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1836 ret = SSH_ERR_INVALID_FORMAT; 1837 goto out; 1838 } 1839 /* FALLTHROUGH */ 1840 case KEY_RSA: 1841 if ((key = sshkey_new(type)) == NULL) { 1842 ret = SSH_ERR_ALLOC_FAIL; 1843 goto out; 1844 } 1845 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 1846 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 1847 ret = SSH_ERR_INVALID_FORMAT; 1848 goto out; 1849 } 1850 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 1851 ret = SSH_ERR_KEY_LENGTH; 1852 goto out; 1853 } 1854 #ifdef DEBUG_PK 1855 RSA_print_fp(stderr, key->rsa, 8); 1856 #endif 1857 break; 1858 case KEY_DSA_CERT: 1859 /* Skip nonce */ 1860 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1861 ret = SSH_ERR_INVALID_FORMAT; 1862 goto out; 1863 } 1864 /* FALLTHROUGH */ 1865 case KEY_DSA: 1866 if ((key = sshkey_new(type)) == NULL) { 1867 ret = SSH_ERR_ALLOC_FAIL; 1868 goto out; 1869 } 1870 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 1871 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 1872 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 1873 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 1874 ret = SSH_ERR_INVALID_FORMAT; 1875 goto out; 1876 } 1877 #ifdef DEBUG_PK 1878 DSA_print_fp(stderr, key->dsa, 8); 1879 #endif 1880 break; 1881 case KEY_ECDSA_CERT: 1882 /* Skip nonce */ 1883 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1884 ret = SSH_ERR_INVALID_FORMAT; 1885 goto out; 1886 } 1887 /* FALLTHROUGH */ 1888 case KEY_ECDSA: 1889 if ((key = sshkey_new(type)) == NULL) { 1890 ret = SSH_ERR_ALLOC_FAIL; 1891 goto out; 1892 } 1893 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 1894 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 1895 ret = SSH_ERR_INVALID_FORMAT; 1896 goto out; 1897 } 1898 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 1899 ret = SSH_ERR_EC_CURVE_MISMATCH; 1900 goto out; 1901 } 1902 if (key->ecdsa != NULL) 1903 EC_KEY_free(key->ecdsa); 1904 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1905 == NULL) { 1906 ret = SSH_ERR_EC_CURVE_INVALID; 1907 goto out; 1908 } 1909 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 1910 ret = SSH_ERR_ALLOC_FAIL; 1911 goto out; 1912 } 1913 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 1914 ret = SSH_ERR_INVALID_FORMAT; 1915 goto out; 1916 } 1917 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1918 q) != 0) { 1919 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 1920 goto out; 1921 } 1922 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 1923 /* XXX assume it is a allocation error */ 1924 ret = SSH_ERR_ALLOC_FAIL; 1925 goto out; 1926 } 1927 #ifdef DEBUG_PK 1928 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1929 #endif 1930 break; 1931 #endif /* WITH_OPENSSL */ 1932 case KEY_ED25519_CERT: 1933 /* Skip nonce */ 1934 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1935 ret = SSH_ERR_INVALID_FORMAT; 1936 goto out; 1937 } 1938 /* FALLTHROUGH */ 1939 case KEY_ED25519: 1940 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 1941 goto out; 1942 if (len != ED25519_PK_SZ) { 1943 ret = SSH_ERR_INVALID_FORMAT; 1944 goto out; 1945 } 1946 if ((key = sshkey_new(type)) == NULL) { 1947 ret = SSH_ERR_ALLOC_FAIL; 1948 goto out; 1949 } 1950 key->ed25519_pk = pk; 1951 pk = NULL; 1952 break; 1953 case KEY_UNSPEC: 1954 default: 1955 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1956 goto out; 1957 } 1958 1959 /* Parse certificate potion */ 1960 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 1961 goto out; 1962 1963 if (key != NULL && sshbuf_len(b) != 0) { 1964 ret = SSH_ERR_INVALID_FORMAT; 1965 goto out; 1966 } 1967 ret = 0; 1968 if (keyp != NULL) { 1969 *keyp = key; 1970 key = NULL; 1971 } 1972 out: 1973 sshbuf_free(copy); 1974 sshkey_free(key); 1975 free(ktype); 1976 free(curve); 1977 free(pk); 1978 #ifdef WITH_OPENSSL 1979 if (q != NULL) 1980 EC_POINT_free(q); 1981 #endif /* WITH_OPENSSL */ 1982 return ret; 1983 } 1984 1985 int 1986 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 1987 { 1988 struct sshbuf *b; 1989 int r; 1990 1991 if ((b = sshbuf_from(blob, blen)) == NULL) 1992 return SSH_ERR_ALLOC_FAIL; 1993 r = sshkey_from_blob_internal(b, keyp, 1); 1994 sshbuf_free(b); 1995 return r; 1996 } 1997 1998 int 1999 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2000 { 2001 return sshkey_from_blob_internal(b, keyp, 1); 2002 } 2003 2004 int 2005 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2006 { 2007 struct sshbuf *b; 2008 int r; 2009 2010 if ((r = sshbuf_froms(buf, &b)) != 0) 2011 return r; 2012 r = sshkey_from_blob_internal(b, keyp, 1); 2013 sshbuf_free(b); 2014 return r; 2015 } 2016 2017 int 2018 sshkey_sign(const struct sshkey *key, 2019 u_char **sigp, size_t *lenp, 2020 const u_char *data, size_t datalen, const char *alg, u_int compat) 2021 { 2022 if (sigp != NULL) 2023 *sigp = NULL; 2024 if (lenp != NULL) 2025 *lenp = 0; 2026 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2027 return SSH_ERR_INVALID_ARGUMENT; 2028 switch (key->type) { 2029 #ifdef WITH_OPENSSL 2030 case KEY_DSA_CERT: 2031 case KEY_DSA: 2032 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2033 case KEY_ECDSA_CERT: 2034 case KEY_ECDSA: 2035 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2036 case KEY_RSA_CERT: 2037 case KEY_RSA: 2038 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2039 #endif /* WITH_OPENSSL */ 2040 case KEY_ED25519: 2041 case KEY_ED25519_CERT: 2042 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2043 default: 2044 return SSH_ERR_KEY_TYPE_UNKNOWN; 2045 } 2046 } 2047 2048 /* 2049 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2050 */ 2051 int 2052 sshkey_verify(const struct sshkey *key, 2053 const u_char *sig, size_t siglen, 2054 const u_char *data, size_t dlen, u_int compat) 2055 { 2056 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2057 return SSH_ERR_INVALID_ARGUMENT; 2058 switch (key->type) { 2059 #ifdef WITH_OPENSSL 2060 case KEY_DSA_CERT: 2061 case KEY_DSA: 2062 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2063 case KEY_ECDSA_CERT: 2064 case KEY_ECDSA: 2065 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2066 case KEY_RSA_CERT: 2067 case KEY_RSA: 2068 return ssh_rsa_verify(key, sig, siglen, data, dlen); 2069 #endif /* WITH_OPENSSL */ 2070 case KEY_ED25519: 2071 case KEY_ED25519_CERT: 2072 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2073 default: 2074 return SSH_ERR_KEY_TYPE_UNKNOWN; 2075 } 2076 } 2077 2078 /* Converts a private to a public key */ 2079 int 2080 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2081 { 2082 struct sshkey *pk; 2083 int ret = SSH_ERR_INTERNAL_ERROR; 2084 2085 *dkp = NULL; 2086 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2087 return SSH_ERR_ALLOC_FAIL; 2088 pk->type = k->type; 2089 pk->flags = k->flags; 2090 pk->ecdsa_nid = k->ecdsa_nid; 2091 pk->dsa = NULL; 2092 pk->ecdsa = NULL; 2093 pk->rsa = NULL; 2094 pk->ed25519_pk = NULL; 2095 pk->ed25519_sk = NULL; 2096 2097 switch (k->type) { 2098 #ifdef WITH_OPENSSL 2099 case KEY_RSA_CERT: 2100 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2101 goto fail; 2102 /* FALLTHROUGH */ 2103 case KEY_RSA: 2104 if ((pk->rsa = RSA_new()) == NULL || 2105 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2106 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2107 ret = SSH_ERR_ALLOC_FAIL; 2108 goto fail; 2109 } 2110 break; 2111 case KEY_DSA_CERT: 2112 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2113 goto fail; 2114 /* FALLTHROUGH */ 2115 case KEY_DSA: 2116 if ((pk->dsa = DSA_new()) == NULL || 2117 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2118 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2119 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2120 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2121 ret = SSH_ERR_ALLOC_FAIL; 2122 goto fail; 2123 } 2124 break; 2125 case KEY_ECDSA_CERT: 2126 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2127 goto fail; 2128 /* FALLTHROUGH */ 2129 case KEY_ECDSA: 2130 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2131 if (pk->ecdsa == NULL) { 2132 ret = SSH_ERR_ALLOC_FAIL; 2133 goto fail; 2134 } 2135 if (EC_KEY_set_public_key(pk->ecdsa, 2136 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2137 ret = SSH_ERR_LIBCRYPTO_ERROR; 2138 goto fail; 2139 } 2140 break; 2141 #endif /* WITH_OPENSSL */ 2142 case KEY_ED25519_CERT: 2143 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2144 goto fail; 2145 /* FALLTHROUGH */ 2146 case KEY_ED25519: 2147 if (k->ed25519_pk != NULL) { 2148 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2149 ret = SSH_ERR_ALLOC_FAIL; 2150 goto fail; 2151 } 2152 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2153 } 2154 break; 2155 default: 2156 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2157 fail: 2158 sshkey_free(pk); 2159 return ret; 2160 } 2161 *dkp = pk; 2162 return 0; 2163 } 2164 2165 /* Convert a plain key to their _CERT equivalent */ 2166 int 2167 sshkey_to_certified(struct sshkey *k) 2168 { 2169 int newtype; 2170 2171 switch (k->type) { 2172 #ifdef WITH_OPENSSL 2173 case KEY_RSA: 2174 newtype = KEY_RSA_CERT; 2175 break; 2176 case KEY_DSA: 2177 newtype = KEY_DSA_CERT; 2178 break; 2179 case KEY_ECDSA: 2180 newtype = KEY_ECDSA_CERT; 2181 break; 2182 #endif /* WITH_OPENSSL */ 2183 case KEY_ED25519: 2184 newtype = KEY_ED25519_CERT; 2185 break; 2186 default: 2187 return SSH_ERR_INVALID_ARGUMENT; 2188 } 2189 if ((k->cert = cert_new()) == NULL) 2190 return SSH_ERR_ALLOC_FAIL; 2191 k->type = newtype; 2192 return 0; 2193 } 2194 2195 /* Convert a certificate to its raw key equivalent */ 2196 int 2197 sshkey_drop_cert(struct sshkey *k) 2198 { 2199 if (!sshkey_type_is_cert(k->type)) 2200 return SSH_ERR_KEY_TYPE_UNKNOWN; 2201 cert_free(k->cert); 2202 k->cert = NULL; 2203 k->type = sshkey_type_plain(k->type); 2204 return 0; 2205 } 2206 2207 /* Sign a certified key, (re-)generating the signed certblob. */ 2208 int 2209 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2210 sshkey_certify_signer *signer, void *signer_ctx) 2211 { 2212 struct sshbuf *principals = NULL; 2213 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2214 size_t i, ca_len, sig_len; 2215 int ret = SSH_ERR_INTERNAL_ERROR; 2216 struct sshbuf *cert; 2217 2218 if (k == NULL || k->cert == NULL || 2219 k->cert->certblob == NULL || ca == NULL) 2220 return SSH_ERR_INVALID_ARGUMENT; 2221 if (!sshkey_is_cert(k)) 2222 return SSH_ERR_KEY_TYPE_UNKNOWN; 2223 if (!sshkey_type_is_valid_ca(ca->type)) 2224 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2225 2226 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2227 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2228 2229 cert = k->cert->certblob; /* for readability */ 2230 sshbuf_reset(cert); 2231 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2232 goto out; 2233 2234 /* -v01 certs put nonce first */ 2235 arc4random_buf(&nonce, sizeof(nonce)); 2236 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2237 goto out; 2238 2239 /* XXX this substantially duplicates to_blob(); refactor */ 2240 switch (k->type) { 2241 #ifdef WITH_OPENSSL 2242 case KEY_DSA_CERT: 2243 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2244 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2245 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2246 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2247 goto out; 2248 break; 2249 case KEY_ECDSA_CERT: 2250 if ((ret = sshbuf_put_cstring(cert, 2251 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2252 (ret = sshbuf_put_ec(cert, 2253 EC_KEY_get0_public_key(k->ecdsa), 2254 EC_KEY_get0_group(k->ecdsa))) != 0) 2255 goto out; 2256 break; 2257 case KEY_RSA_CERT: 2258 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2259 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2260 goto out; 2261 break; 2262 #endif /* WITH_OPENSSL */ 2263 case KEY_ED25519_CERT: 2264 if ((ret = sshbuf_put_string(cert, 2265 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2266 goto out; 2267 break; 2268 default: 2269 ret = SSH_ERR_INVALID_ARGUMENT; 2270 goto out; 2271 } 2272 2273 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2274 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2275 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2276 goto out; 2277 2278 if ((principals = sshbuf_new()) == NULL) { 2279 ret = SSH_ERR_ALLOC_FAIL; 2280 goto out; 2281 } 2282 for (i = 0; i < k->cert->nprincipals; i++) { 2283 if ((ret = sshbuf_put_cstring(principals, 2284 k->cert->principals[i])) != 0) 2285 goto out; 2286 } 2287 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2288 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2289 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2290 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2291 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2292 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2293 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2294 goto out; 2295 2296 /* Sign the whole mess */ 2297 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2298 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2299 goto out; 2300 2301 /* Append signature and we are done */ 2302 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2303 goto out; 2304 ret = 0; 2305 out: 2306 if (ret != 0) 2307 sshbuf_reset(cert); 2308 free(sig_blob); 2309 free(ca_blob); 2310 sshbuf_free(principals); 2311 return ret; 2312 } 2313 2314 static int 2315 default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 2316 const u_char *data, size_t datalen, 2317 const char *alg, u_int compat, void *ctx) 2318 { 2319 if (ctx != NULL) 2320 return SSH_ERR_INVALID_ARGUMENT; 2321 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2322 } 2323 2324 int 2325 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2326 { 2327 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2328 } 2329 2330 int 2331 sshkey_cert_check_authority(const struct sshkey *k, 2332 int want_host, int require_principal, 2333 const char *name, const char **reason) 2334 { 2335 u_int i, principal_matches; 2336 time_t now = time(NULL); 2337 2338 if (reason != NULL) 2339 *reason = NULL; 2340 2341 if (want_host) { 2342 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2343 *reason = "Certificate invalid: not a host certificate"; 2344 return SSH_ERR_KEY_CERT_INVALID; 2345 } 2346 } else { 2347 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2348 *reason = "Certificate invalid: not a user certificate"; 2349 return SSH_ERR_KEY_CERT_INVALID; 2350 } 2351 } 2352 if (now < 0) { 2353 /* yikes - system clock before epoch! */ 2354 *reason = "Certificate invalid: not yet valid"; 2355 return SSH_ERR_KEY_CERT_INVALID; 2356 } 2357 if ((u_int64_t)now < k->cert->valid_after) { 2358 *reason = "Certificate invalid: not yet valid"; 2359 return SSH_ERR_KEY_CERT_INVALID; 2360 } 2361 if ((u_int64_t)now >= k->cert->valid_before) { 2362 *reason = "Certificate invalid: expired"; 2363 return SSH_ERR_KEY_CERT_INVALID; 2364 } 2365 if (k->cert->nprincipals == 0) { 2366 if (require_principal) { 2367 *reason = "Certificate lacks principal list"; 2368 return SSH_ERR_KEY_CERT_INVALID; 2369 } 2370 } else if (name != NULL) { 2371 principal_matches = 0; 2372 for (i = 0; i < k->cert->nprincipals; i++) { 2373 if (strcmp(name, k->cert->principals[i]) == 0) { 2374 principal_matches = 1; 2375 break; 2376 } 2377 } 2378 if (!principal_matches) { 2379 *reason = "Certificate invalid: name is not a listed " 2380 "principal"; 2381 return SSH_ERR_KEY_CERT_INVALID; 2382 } 2383 } 2384 return 0; 2385 } 2386 2387 size_t 2388 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2389 { 2390 char from[32], to[32], ret[64]; 2391 time_t tt; 2392 struct tm *tm; 2393 2394 *from = *to = '\0'; 2395 if (cert->valid_after == 0 && 2396 cert->valid_before == 0xffffffffffffffffULL) 2397 return strlcpy(s, "forever", l); 2398 2399 if (cert->valid_after != 0) { 2400 /* XXX revisit INT_MAX in 2038 :) */ 2401 tt = cert->valid_after > INT_MAX ? 2402 INT_MAX : cert->valid_after; 2403 tm = localtime(&tt); 2404 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2405 } 2406 if (cert->valid_before != 0xffffffffffffffffULL) { 2407 /* XXX revisit INT_MAX in 2038 :) */ 2408 tt = cert->valid_before > INT_MAX ? 2409 INT_MAX : cert->valid_before; 2410 tm = localtime(&tt); 2411 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2412 } 2413 2414 if (cert->valid_after == 0) 2415 snprintf(ret, sizeof(ret), "before %s", to); 2416 else if (cert->valid_before == 0xffffffffffffffffULL) 2417 snprintf(ret, sizeof(ret), "after %s", from); 2418 else 2419 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2420 2421 return strlcpy(s, ret, l); 2422 } 2423 2424 int 2425 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2426 { 2427 int r = SSH_ERR_INTERNAL_ERROR; 2428 2429 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2430 goto out; 2431 switch (key->type) { 2432 #ifdef WITH_OPENSSL 2433 case KEY_RSA: 2434 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2435 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2436 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2437 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2438 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2439 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2440 goto out; 2441 break; 2442 case KEY_RSA_CERT: 2443 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2444 r = SSH_ERR_INVALID_ARGUMENT; 2445 goto out; 2446 } 2447 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2448 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2449 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2450 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2451 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2452 goto out; 2453 break; 2454 case KEY_DSA: 2455 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2456 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2457 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2458 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2459 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2460 goto out; 2461 break; 2462 case KEY_DSA_CERT: 2463 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2464 r = SSH_ERR_INVALID_ARGUMENT; 2465 goto out; 2466 } 2467 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2468 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2469 goto out; 2470 break; 2471 case KEY_ECDSA: 2472 if ((r = sshbuf_put_cstring(b, 2473 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2474 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2475 (r = sshbuf_put_bignum2(b, 2476 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2477 goto out; 2478 break; 2479 case KEY_ECDSA_CERT: 2480 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2481 r = SSH_ERR_INVALID_ARGUMENT; 2482 goto out; 2483 } 2484 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2485 (r = sshbuf_put_bignum2(b, 2486 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2487 goto out; 2488 break; 2489 #endif /* WITH_OPENSSL */ 2490 case KEY_ED25519: 2491 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2492 ED25519_PK_SZ)) != 0 || 2493 (r = sshbuf_put_string(b, key->ed25519_sk, 2494 ED25519_SK_SZ)) != 0) 2495 goto out; 2496 break; 2497 case KEY_ED25519_CERT: 2498 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2499 r = SSH_ERR_INVALID_ARGUMENT; 2500 goto out; 2501 } 2502 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2503 (r = sshbuf_put_string(b, key->ed25519_pk, 2504 ED25519_PK_SZ)) != 0 || 2505 (r = sshbuf_put_string(b, key->ed25519_sk, 2506 ED25519_SK_SZ)) != 0) 2507 goto out; 2508 break; 2509 default: 2510 r = SSH_ERR_INVALID_ARGUMENT; 2511 goto out; 2512 } 2513 /* success */ 2514 r = 0; 2515 out: 2516 return r; 2517 } 2518 2519 int 2520 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2521 { 2522 char *tname = NULL, *curve = NULL; 2523 struct sshkey *k = NULL; 2524 size_t pklen = 0, sklen = 0; 2525 int type, r = SSH_ERR_INTERNAL_ERROR; 2526 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2527 #ifdef WITH_OPENSSL 2528 BIGNUM *exponent = NULL; 2529 #endif /* WITH_OPENSSL */ 2530 2531 if (kp != NULL) 2532 *kp = NULL; 2533 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2534 goto out; 2535 type = sshkey_type_from_name(tname); 2536 switch (type) { 2537 #ifdef WITH_OPENSSL 2538 case KEY_DSA: 2539 if ((k = sshkey_new_private(type)) == NULL) { 2540 r = SSH_ERR_ALLOC_FAIL; 2541 goto out; 2542 } 2543 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2544 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2545 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2546 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2547 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2548 goto out; 2549 break; 2550 case KEY_DSA_CERT: 2551 if ((r = sshkey_froms(buf, &k)) != 0 || 2552 (r = sshkey_add_private(k)) != 0 || 2553 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2554 goto out; 2555 break; 2556 case KEY_ECDSA: 2557 if ((k = sshkey_new_private(type)) == NULL) { 2558 r = SSH_ERR_ALLOC_FAIL; 2559 goto out; 2560 } 2561 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2562 r = SSH_ERR_INVALID_ARGUMENT; 2563 goto out; 2564 } 2565 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2566 goto out; 2567 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2568 r = SSH_ERR_EC_CURVE_MISMATCH; 2569 goto out; 2570 } 2571 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2572 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2573 r = SSH_ERR_LIBCRYPTO_ERROR; 2574 goto out; 2575 } 2576 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2577 (r = sshbuf_get_bignum2(buf, exponent))) 2578 goto out; 2579 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2580 r = SSH_ERR_LIBCRYPTO_ERROR; 2581 goto out; 2582 } 2583 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2584 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2585 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2586 goto out; 2587 break; 2588 case KEY_ECDSA_CERT: 2589 if ((exponent = BN_new()) == NULL) { 2590 r = SSH_ERR_LIBCRYPTO_ERROR; 2591 goto out; 2592 } 2593 if ((r = sshkey_froms(buf, &k)) != 0 || 2594 (r = sshkey_add_private(k)) != 0 || 2595 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2596 goto out; 2597 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2598 r = SSH_ERR_LIBCRYPTO_ERROR; 2599 goto out; 2600 } 2601 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2602 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2603 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2604 goto out; 2605 break; 2606 case KEY_RSA: 2607 if ((k = sshkey_new_private(type)) == NULL) { 2608 r = SSH_ERR_ALLOC_FAIL; 2609 goto out; 2610 } 2611 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2612 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2613 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2614 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2615 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2616 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2617 (r = ssh_rsa_generate_additional_parameters(k)) != 0) 2618 goto out; 2619 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 2620 r = SSH_ERR_KEY_LENGTH; 2621 goto out; 2622 } 2623 break; 2624 case KEY_RSA_CERT: 2625 if ((r = sshkey_froms(buf, &k)) != 0 || 2626 (r = sshkey_add_private(k)) != 0 || 2627 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2628 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2629 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2630 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2631 (r = ssh_rsa_generate_additional_parameters(k)) != 0) 2632 goto out; 2633 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 2634 r = SSH_ERR_KEY_LENGTH; 2635 goto out; 2636 } 2637 break; 2638 #endif /* WITH_OPENSSL */ 2639 case KEY_ED25519: 2640 if ((k = sshkey_new_private(type)) == NULL) { 2641 r = SSH_ERR_ALLOC_FAIL; 2642 goto out; 2643 } 2644 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2645 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2646 goto out; 2647 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2648 r = SSH_ERR_INVALID_FORMAT; 2649 goto out; 2650 } 2651 k->ed25519_pk = ed25519_pk; 2652 k->ed25519_sk = ed25519_sk; 2653 ed25519_pk = ed25519_sk = NULL; 2654 break; 2655 case KEY_ED25519_CERT: 2656 if ((r = sshkey_froms(buf, &k)) != 0 || 2657 (r = sshkey_add_private(k)) != 0 || 2658 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2659 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2660 goto out; 2661 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2662 r = SSH_ERR_INVALID_FORMAT; 2663 goto out; 2664 } 2665 k->ed25519_pk = ed25519_pk; 2666 k->ed25519_sk = ed25519_sk; 2667 ed25519_pk = ed25519_sk = NULL; 2668 break; 2669 default: 2670 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2671 goto out; 2672 } 2673 #ifdef WITH_OPENSSL 2674 /* enable blinding */ 2675 switch (k->type) { 2676 case KEY_RSA: 2677 case KEY_RSA_CERT: 2678 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2679 r = SSH_ERR_LIBCRYPTO_ERROR; 2680 goto out; 2681 } 2682 break; 2683 } 2684 #endif /* WITH_OPENSSL */ 2685 /* success */ 2686 r = 0; 2687 if (kp != NULL) { 2688 *kp = k; 2689 k = NULL; 2690 } 2691 out: 2692 free(tname); 2693 free(curve); 2694 #ifdef WITH_OPENSSL 2695 if (exponent != NULL) 2696 BN_clear_free(exponent); 2697 #endif /* WITH_OPENSSL */ 2698 sshkey_free(k); 2699 if (ed25519_pk != NULL) { 2700 explicit_bzero(ed25519_pk, pklen); 2701 free(ed25519_pk); 2702 } 2703 if (ed25519_sk != NULL) { 2704 explicit_bzero(ed25519_sk, sklen); 2705 free(ed25519_sk); 2706 } 2707 return r; 2708 } 2709 2710 #ifdef WITH_OPENSSL 2711 int 2712 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2713 { 2714 BN_CTX *bnctx; 2715 EC_POINT *nq = NULL; 2716 BIGNUM *order, *x, *y, *tmp; 2717 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2718 2719 /* 2720 * NB. This assumes OpenSSL has already verified that the public 2721 * point lies on the curve. This is done by EC_POINT_oct2point() 2722 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 2723 * reachable with public points not unmarshalled using 2724 * EC_POINT_oct2point then the caller will need to explicitly check. 2725 */ 2726 2727 if ((bnctx = BN_CTX_new()) == NULL) 2728 return SSH_ERR_ALLOC_FAIL; 2729 BN_CTX_start(bnctx); 2730 2731 /* 2732 * We shouldn't ever hit this case because bignum_get_ecpoint() 2733 * refuses to load GF2m points. 2734 */ 2735 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2736 NID_X9_62_prime_field) 2737 goto out; 2738 2739 /* Q != infinity */ 2740 if (EC_POINT_is_at_infinity(group, public)) 2741 goto out; 2742 2743 if ((x = BN_CTX_get(bnctx)) == NULL || 2744 (y = BN_CTX_get(bnctx)) == NULL || 2745 (order = BN_CTX_get(bnctx)) == NULL || 2746 (tmp = BN_CTX_get(bnctx)) == NULL) { 2747 ret = SSH_ERR_ALLOC_FAIL; 2748 goto out; 2749 } 2750 2751 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2752 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2753 EC_POINT_get_affine_coordinates_GFp(group, public, 2754 x, y, bnctx) != 1) { 2755 ret = SSH_ERR_LIBCRYPTO_ERROR; 2756 goto out; 2757 } 2758 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2759 BN_num_bits(y) <= BN_num_bits(order) / 2) 2760 goto out; 2761 2762 /* nQ == infinity (n == order of subgroup) */ 2763 if ((nq = EC_POINT_new(group)) == NULL) { 2764 ret = SSH_ERR_ALLOC_FAIL; 2765 goto out; 2766 } 2767 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2768 ret = SSH_ERR_LIBCRYPTO_ERROR; 2769 goto out; 2770 } 2771 if (EC_POINT_is_at_infinity(group, nq) != 1) 2772 goto out; 2773 2774 /* x < order - 1, y < order - 1 */ 2775 if (!BN_sub(tmp, order, BN_value_one())) { 2776 ret = SSH_ERR_LIBCRYPTO_ERROR; 2777 goto out; 2778 } 2779 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2780 goto out; 2781 ret = 0; 2782 out: 2783 BN_CTX_free(bnctx); 2784 if (nq != NULL) 2785 EC_POINT_free(nq); 2786 return ret; 2787 } 2788 2789 int 2790 sshkey_ec_validate_private(const EC_KEY *key) 2791 { 2792 BN_CTX *bnctx; 2793 BIGNUM *order, *tmp; 2794 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2795 2796 if ((bnctx = BN_CTX_new()) == NULL) 2797 return SSH_ERR_ALLOC_FAIL; 2798 BN_CTX_start(bnctx); 2799 2800 if ((order = BN_CTX_get(bnctx)) == NULL || 2801 (tmp = BN_CTX_get(bnctx)) == NULL) { 2802 ret = SSH_ERR_ALLOC_FAIL; 2803 goto out; 2804 } 2805 2806 /* log2(private) > log2(order)/2 */ 2807 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2808 ret = SSH_ERR_LIBCRYPTO_ERROR; 2809 goto out; 2810 } 2811 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2812 BN_num_bits(order) / 2) 2813 goto out; 2814 2815 /* private < order - 1 */ 2816 if (!BN_sub(tmp, order, BN_value_one())) { 2817 ret = SSH_ERR_LIBCRYPTO_ERROR; 2818 goto out; 2819 } 2820 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2821 goto out; 2822 ret = 0; 2823 out: 2824 BN_CTX_free(bnctx); 2825 return ret; 2826 } 2827 2828 void 2829 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2830 { 2831 BIGNUM *x, *y; 2832 BN_CTX *bnctx; 2833 2834 if (point == NULL) { 2835 fputs("point=(NULL)\n", stderr); 2836 return; 2837 } 2838 if ((bnctx = BN_CTX_new()) == NULL) { 2839 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2840 return; 2841 } 2842 BN_CTX_start(bnctx); 2843 if ((x = BN_CTX_get(bnctx)) == NULL || 2844 (y = BN_CTX_get(bnctx)) == NULL) { 2845 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2846 return; 2847 } 2848 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2849 NID_X9_62_prime_field) { 2850 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2851 return; 2852 } 2853 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2854 bnctx) != 1) { 2855 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2856 __func__); 2857 return; 2858 } 2859 fputs("x=", stderr); 2860 BN_print_fp(stderr, x); 2861 fputs("\ny=", stderr); 2862 BN_print_fp(stderr, y); 2863 fputs("\n", stderr); 2864 BN_CTX_free(bnctx); 2865 } 2866 2867 void 2868 sshkey_dump_ec_key(const EC_KEY *key) 2869 { 2870 const BIGNUM *exponent; 2871 2872 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2873 EC_KEY_get0_public_key(key)); 2874 fputs("exponent=", stderr); 2875 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2876 fputs("(NULL)", stderr); 2877 else 2878 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2879 fputs("\n", stderr); 2880 } 2881 #endif /* WITH_OPENSSL */ 2882 2883 static int 2884 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2885 const char *passphrase, const char *comment, const char *ciphername, 2886 int rounds) 2887 { 2888 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2889 u_char salt[SALT_LEN]; 2890 char *b64 = NULL; 2891 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2892 u_int check; 2893 int r = SSH_ERR_INTERNAL_ERROR; 2894 struct sshcipher_ctx *ciphercontext = NULL; 2895 const struct sshcipher *cipher; 2896 const char *kdfname = KDFNAME; 2897 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2898 2899 if (rounds <= 0) 2900 rounds = DEFAULT_ROUNDS; 2901 if (passphrase == NULL || !strlen(passphrase)) { 2902 ciphername = "none"; 2903 kdfname = "none"; 2904 } else if (ciphername == NULL) 2905 ciphername = DEFAULT_CIPHERNAME; 2906 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2907 r = SSH_ERR_INVALID_ARGUMENT; 2908 goto out; 2909 } 2910 2911 if ((kdf = sshbuf_new()) == NULL || 2912 (encoded = sshbuf_new()) == NULL || 2913 (encrypted = sshbuf_new()) == NULL) { 2914 r = SSH_ERR_ALLOC_FAIL; 2915 goto out; 2916 } 2917 blocksize = cipher_blocksize(cipher); 2918 keylen = cipher_keylen(cipher); 2919 ivlen = cipher_ivlen(cipher); 2920 authlen = cipher_authlen(cipher); 2921 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2922 r = SSH_ERR_ALLOC_FAIL; 2923 goto out; 2924 } 2925 if (strcmp(kdfname, "bcrypt") == 0) { 2926 arc4random_buf(salt, SALT_LEN); 2927 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2928 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2929 r = SSH_ERR_INVALID_ARGUMENT; 2930 goto out; 2931 } 2932 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2933 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2934 goto out; 2935 } else if (strcmp(kdfname, "none") != 0) { 2936 /* Unsupported KDF type */ 2937 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2938 goto out; 2939 } 2940 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2941 key + keylen, ivlen, 1)) != 0) 2942 goto out; 2943 2944 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2945 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2946 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2947 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2948 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2949 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2950 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2951 goto out; 2952 2953 /* set up the buffer that will be encrypted */ 2954 2955 /* Random check bytes */ 2956 check = arc4random(); 2957 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2958 (r = sshbuf_put_u32(encrypted, check)) != 0) 2959 goto out; 2960 2961 /* append private key and comment*/ 2962 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 2963 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2964 goto out; 2965 2966 /* padding */ 2967 i = 0; 2968 while (sshbuf_len(encrypted) % blocksize) { 2969 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2970 goto out; 2971 } 2972 2973 /* length in destination buffer */ 2974 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2975 goto out; 2976 2977 /* encrypt */ 2978 if ((r = sshbuf_reserve(encoded, 2979 sshbuf_len(encrypted) + authlen, &cp)) != 0) 2980 goto out; 2981 if ((r = cipher_crypt(ciphercontext, 0, cp, 2982 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 2983 goto out; 2984 2985 /* uuencode */ 2986 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 2987 r = SSH_ERR_ALLOC_FAIL; 2988 goto out; 2989 } 2990 2991 sshbuf_reset(blob); 2992 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 2993 goto out; 2994 for (i = 0; i < strlen(b64); i++) { 2995 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 2996 goto out; 2997 /* insert line breaks */ 2998 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 2999 goto out; 3000 } 3001 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3002 goto out; 3003 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3004 goto out; 3005 3006 /* success */ 3007 r = 0; 3008 3009 out: 3010 sshbuf_free(kdf); 3011 sshbuf_free(encoded); 3012 sshbuf_free(encrypted); 3013 cipher_free(ciphercontext); 3014 explicit_bzero(salt, sizeof(salt)); 3015 if (key != NULL) { 3016 explicit_bzero(key, keylen + ivlen); 3017 free(key); 3018 } 3019 if (pubkeyblob != NULL) { 3020 explicit_bzero(pubkeyblob, pubkeylen); 3021 free(pubkeyblob); 3022 } 3023 if (b64 != NULL) { 3024 explicit_bzero(b64, strlen(b64)); 3025 free(b64); 3026 } 3027 return r; 3028 } 3029 3030 static int 3031 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3032 struct sshkey **keyp, char **commentp) 3033 { 3034 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3035 const struct sshcipher *cipher = NULL; 3036 const u_char *cp; 3037 int r = SSH_ERR_INTERNAL_ERROR; 3038 size_t encoded_len; 3039 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3040 struct sshbuf *encoded = NULL, *decoded = NULL; 3041 struct sshbuf *kdf = NULL, *decrypted = NULL; 3042 struct sshcipher_ctx *ciphercontext = NULL; 3043 struct sshkey *k = NULL; 3044 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3045 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3046 3047 if (keyp != NULL) 3048 *keyp = NULL; 3049 if (commentp != NULL) 3050 *commentp = NULL; 3051 3052 if ((encoded = sshbuf_new()) == NULL || 3053 (decoded = sshbuf_new()) == NULL || 3054 (decrypted = sshbuf_new()) == NULL) { 3055 r = SSH_ERR_ALLOC_FAIL; 3056 goto out; 3057 } 3058 3059 /* check preamble */ 3060 cp = sshbuf_ptr(blob); 3061 encoded_len = sshbuf_len(blob); 3062 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3063 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3064 r = SSH_ERR_INVALID_FORMAT; 3065 goto out; 3066 } 3067 cp += MARK_BEGIN_LEN; 3068 encoded_len -= MARK_BEGIN_LEN; 3069 3070 /* Look for end marker, removing whitespace as we go */ 3071 while (encoded_len > 0) { 3072 if (*cp != '\n' && *cp != '\r') { 3073 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3074 goto out; 3075 } 3076 last = *cp; 3077 encoded_len--; 3078 cp++; 3079 if (last == '\n') { 3080 if (encoded_len >= MARK_END_LEN && 3081 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3082 /* \0 terminate */ 3083 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3084 goto out; 3085 break; 3086 } 3087 } 3088 } 3089 if (encoded_len == 0) { 3090 r = SSH_ERR_INVALID_FORMAT; 3091 goto out; 3092 } 3093 3094 /* decode base64 */ 3095 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 3096 goto out; 3097 3098 /* check magic */ 3099 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3100 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3101 r = SSH_ERR_INVALID_FORMAT; 3102 goto out; 3103 } 3104 /* parse public portion of key */ 3105 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3106 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3107 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3108 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3109 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3110 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3111 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3112 goto out; 3113 3114 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3115 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3116 goto out; 3117 } 3118 if ((passphrase == NULL || strlen(passphrase) == 0) && 3119 strcmp(ciphername, "none") != 0) { 3120 /* passphrase required */ 3121 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3122 goto out; 3123 } 3124 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3125 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3126 goto out; 3127 } 3128 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3129 r = SSH_ERR_INVALID_FORMAT; 3130 goto out; 3131 } 3132 if (nkeys != 1) { 3133 /* XXX only one key supported */ 3134 r = SSH_ERR_INVALID_FORMAT; 3135 goto out; 3136 } 3137 3138 /* check size of encrypted key blob */ 3139 blocksize = cipher_blocksize(cipher); 3140 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3141 r = SSH_ERR_INVALID_FORMAT; 3142 goto out; 3143 } 3144 3145 /* setup key */ 3146 keylen = cipher_keylen(cipher); 3147 ivlen = cipher_ivlen(cipher); 3148 authlen = cipher_authlen(cipher); 3149 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3150 r = SSH_ERR_ALLOC_FAIL; 3151 goto out; 3152 } 3153 if (strcmp(kdfname, "bcrypt") == 0) { 3154 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3155 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3156 goto out; 3157 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3158 key, keylen + ivlen, rounds) < 0) { 3159 r = SSH_ERR_INVALID_FORMAT; 3160 goto out; 3161 } 3162 } 3163 3164 /* check that an appropriate amount of auth data is present */ 3165 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3166 r = SSH_ERR_INVALID_FORMAT; 3167 goto out; 3168 } 3169 3170 /* decrypt private portion of key */ 3171 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3172 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3173 key + keylen, ivlen, 0)) != 0) 3174 goto out; 3175 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3176 encrypted_len, 0, authlen)) != 0) { 3177 /* an integrity error here indicates an incorrect passphrase */ 3178 if (r == SSH_ERR_MAC_INVALID) 3179 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3180 goto out; 3181 } 3182 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3183 goto out; 3184 /* there should be no trailing data */ 3185 if (sshbuf_len(decoded) != 0) { 3186 r = SSH_ERR_INVALID_FORMAT; 3187 goto out; 3188 } 3189 3190 /* check check bytes */ 3191 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3192 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3193 goto out; 3194 if (check1 != check2) { 3195 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3196 goto out; 3197 } 3198 3199 /* Load the private key and comment */ 3200 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3201 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3202 goto out; 3203 3204 /* Check deterministic padding */ 3205 i = 0; 3206 while (sshbuf_len(decrypted)) { 3207 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3208 goto out; 3209 if (pad != (++i & 0xff)) { 3210 r = SSH_ERR_INVALID_FORMAT; 3211 goto out; 3212 } 3213 } 3214 3215 /* XXX decode pubkey and check against private */ 3216 3217 /* success */ 3218 r = 0; 3219 if (keyp != NULL) { 3220 *keyp = k; 3221 k = NULL; 3222 } 3223 if (commentp != NULL) { 3224 *commentp = comment; 3225 comment = NULL; 3226 } 3227 out: 3228 pad = 0; 3229 cipher_free(ciphercontext); 3230 free(ciphername); 3231 free(kdfname); 3232 free(comment); 3233 if (salt != NULL) { 3234 explicit_bzero(salt, slen); 3235 free(salt); 3236 } 3237 if (key != NULL) { 3238 explicit_bzero(key, keylen + ivlen); 3239 free(key); 3240 } 3241 sshbuf_free(encoded); 3242 sshbuf_free(decoded); 3243 sshbuf_free(kdf); 3244 sshbuf_free(decrypted); 3245 sshkey_free(k); 3246 return r; 3247 } 3248 3249 3250 #ifdef WITH_OPENSSL 3251 /* convert SSH v2 key in OpenSSL PEM format */ 3252 static int 3253 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3254 const char *_passphrase, const char *comment) 3255 { 3256 int success, r; 3257 int blen, len = strlen(_passphrase); 3258 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 3259 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3260 const u_char *bptr; 3261 BIO *bio = NULL; 3262 3263 if (len > 0 && len <= 4) 3264 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3265 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3266 return SSH_ERR_ALLOC_FAIL; 3267 3268 switch (key->type) { 3269 case KEY_DSA: 3270 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3271 cipher, passphrase, len, NULL, NULL); 3272 break; 3273 case KEY_ECDSA: 3274 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3275 cipher, passphrase, len, NULL, NULL); 3276 break; 3277 case KEY_RSA: 3278 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3279 cipher, passphrase, len, NULL, NULL); 3280 break; 3281 default: 3282 success = 0; 3283 break; 3284 } 3285 if (success == 0) { 3286 r = SSH_ERR_LIBCRYPTO_ERROR; 3287 goto out; 3288 } 3289 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3290 r = SSH_ERR_INTERNAL_ERROR; 3291 goto out; 3292 } 3293 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3294 goto out; 3295 r = 0; 3296 out: 3297 BIO_free(bio); 3298 return r; 3299 } 3300 #endif /* WITH_OPENSSL */ 3301 3302 /* Serialise "key" to buffer "blob" */ 3303 int 3304 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3305 const char *passphrase, const char *comment, 3306 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3307 { 3308 switch (key->type) { 3309 #ifdef WITH_OPENSSL 3310 case KEY_DSA: 3311 case KEY_ECDSA: 3312 case KEY_RSA: 3313 if (force_new_format) { 3314 return sshkey_private_to_blob2(key, blob, passphrase, 3315 comment, new_format_cipher, new_format_rounds); 3316 } 3317 return sshkey_private_pem_to_blob(key, blob, 3318 passphrase, comment); 3319 #endif /* WITH_OPENSSL */ 3320 case KEY_ED25519: 3321 return sshkey_private_to_blob2(key, blob, passphrase, 3322 comment, new_format_cipher, new_format_rounds); 3323 default: 3324 return SSH_ERR_KEY_TYPE_UNKNOWN; 3325 } 3326 } 3327 3328 3329 #ifdef WITH_OPENSSL 3330 static int 3331 translate_libcrypto_error(unsigned long pem_err) 3332 { 3333 int pem_reason = ERR_GET_REASON(pem_err); 3334 3335 switch (ERR_GET_LIB(pem_err)) { 3336 case ERR_LIB_PEM: 3337 switch (pem_reason) { 3338 case PEM_R_BAD_PASSWORD_READ: 3339 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3340 case PEM_R_BAD_DECRYPT: 3341 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3342 default: 3343 return SSH_ERR_INVALID_FORMAT; 3344 } 3345 case ERR_LIB_EVP: 3346 switch (pem_reason) { 3347 case EVP_R_BAD_DECRYPT: 3348 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3349 case EVP_R_BN_DECODE_ERROR: 3350 case EVP_R_DECODE_ERROR: 3351 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3352 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3353 #endif 3354 return SSH_ERR_INVALID_FORMAT; 3355 default: 3356 return SSH_ERR_LIBCRYPTO_ERROR; 3357 } 3358 case ERR_LIB_ASN1: 3359 return SSH_ERR_INVALID_FORMAT; 3360 } 3361 return SSH_ERR_LIBCRYPTO_ERROR; 3362 } 3363 3364 static void 3365 clear_libcrypto_errors(void) 3366 { 3367 while (ERR_get_error() != 0) 3368 ; 3369 } 3370 3371 /* 3372 * Translate OpenSSL error codes to determine whether 3373 * passphrase is required/incorrect. 3374 */ 3375 static int 3376 convert_libcrypto_error(void) 3377 { 3378 /* 3379 * Some password errors are reported at the beginning 3380 * of the error queue. 3381 */ 3382 if (translate_libcrypto_error(ERR_peek_error()) == 3383 SSH_ERR_KEY_WRONG_PASSPHRASE) 3384 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3385 return translate_libcrypto_error(ERR_peek_last_error()); 3386 } 3387 3388 static int 3389 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3390 const char *passphrase, struct sshkey **keyp) 3391 { 3392 EVP_PKEY *pk = NULL; 3393 struct sshkey *prv = NULL; 3394 BIO *bio = NULL; 3395 int r; 3396 3397 if (keyp != NULL) 3398 *keyp = NULL; 3399 3400 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3401 return SSH_ERR_ALLOC_FAIL; 3402 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3403 (int)sshbuf_len(blob)) { 3404 r = SSH_ERR_ALLOC_FAIL; 3405 goto out; 3406 } 3407 3408 clear_libcrypto_errors(); 3409 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3410 __UNCONST(passphrase))) == NULL) { 3411 r = convert_libcrypto_error(); 3412 goto out; 3413 } 3414 if (pk->type == EVP_PKEY_RSA && 3415 (type == KEY_UNSPEC || type == KEY_RSA)) { 3416 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3417 r = SSH_ERR_ALLOC_FAIL; 3418 goto out; 3419 } 3420 prv->rsa = EVP_PKEY_get1_RSA(pk); 3421 prv->type = KEY_RSA; 3422 #ifdef DEBUG_PK 3423 RSA_print_fp(stderr, prv->rsa, 8); 3424 #endif 3425 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3426 r = SSH_ERR_LIBCRYPTO_ERROR; 3427 goto out; 3428 } 3429 if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 3430 r = SSH_ERR_KEY_LENGTH; 3431 goto out; 3432 } 3433 } else if (pk->type == EVP_PKEY_DSA && 3434 (type == KEY_UNSPEC || type == KEY_DSA)) { 3435 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3436 r = SSH_ERR_ALLOC_FAIL; 3437 goto out; 3438 } 3439 prv->dsa = EVP_PKEY_get1_DSA(pk); 3440 prv->type = KEY_DSA; 3441 #ifdef DEBUG_PK 3442 DSA_print_fp(stderr, prv->dsa, 8); 3443 #endif 3444 } else if (pk->type == EVP_PKEY_EC && 3445 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3446 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3447 r = SSH_ERR_ALLOC_FAIL; 3448 goto out; 3449 } 3450 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3451 prv->type = KEY_ECDSA; 3452 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3453 if (prv->ecdsa_nid == -1 || 3454 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3455 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3456 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3457 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3458 r = SSH_ERR_INVALID_FORMAT; 3459 goto out; 3460 } 3461 #ifdef DEBUG_PK 3462 if (prv != NULL && prv->ecdsa != NULL) 3463 sshkey_dump_ec_key(prv->ecdsa); 3464 #endif 3465 } else { 3466 r = SSH_ERR_INVALID_FORMAT; 3467 goto out; 3468 } 3469 r = 0; 3470 if (keyp != NULL) { 3471 *keyp = prv; 3472 prv = NULL; 3473 } 3474 out: 3475 BIO_free(bio); 3476 if (pk != NULL) 3477 EVP_PKEY_free(pk); 3478 sshkey_free(prv); 3479 return r; 3480 } 3481 #endif /* WITH_OPENSSL */ 3482 3483 int 3484 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3485 const char *passphrase, struct sshkey **keyp, char **commentp) 3486 { 3487 int r = SSH_ERR_INTERNAL_ERROR; 3488 3489 if (keyp != NULL) 3490 *keyp = NULL; 3491 if (commentp != NULL) 3492 *commentp = NULL; 3493 3494 switch (type) { 3495 #ifdef WITH_OPENSSL 3496 case KEY_DSA: 3497 case KEY_ECDSA: 3498 case KEY_RSA: 3499 return sshkey_parse_private_pem_fileblob(blob, type, 3500 passphrase, keyp); 3501 #endif /* WITH_OPENSSL */ 3502 case KEY_ED25519: 3503 return sshkey_parse_private2(blob, type, passphrase, 3504 keyp, commentp); 3505 case KEY_UNSPEC: 3506 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3507 commentp); 3508 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3509 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3510 return r; 3511 #ifdef WITH_OPENSSL 3512 return sshkey_parse_private_pem_fileblob(blob, type, 3513 passphrase, keyp); 3514 #else 3515 return SSH_ERR_INVALID_FORMAT; 3516 #endif /* WITH_OPENSSL */ 3517 default: 3518 return SSH_ERR_KEY_TYPE_UNKNOWN; 3519 } 3520 } 3521 3522 int 3523 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3524 struct sshkey **keyp, char **commentp) 3525 { 3526 if (keyp != NULL) 3527 *keyp = NULL; 3528 if (commentp != NULL) 3529 *commentp = NULL; 3530 3531 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3532 passphrase, keyp, commentp); 3533 } 3534