1 /* $NetBSD: sshkey.c,v 1.8 2016/08/02 13:45:12 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.35 2016/06/19 07:48:02 djm Exp $ */ 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 6 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 #include "includes.h" 29 __RCSID("$NetBSD: sshkey.c,v 1.8 2016/08/02 13:45:12 christos Exp $"); 30 31 #include <sys/param.h> /* MIN MAX */ 32 #include <sys/types.h> 33 #include <netinet/in.h> 34 35 #ifdef WITH_OPENSSL 36 #include <openssl/evp.h> 37 #include <openssl/err.h> 38 #include <openssl/pem.h> 39 #endif 40 41 #include "crypto_api.h" 42 43 #include <errno.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <util.h> 47 #include <limits.h> 48 #include <resolv.h> 49 50 #include "ssh2.h" 51 #include "ssherr.h" 52 #include "misc.h" 53 #include "sshbuf.h" 54 #include "rsa.h" 55 #include "cipher.h" 56 #include "digest.h" 57 #define SSHKEY_INTERNAL 58 #include "sshkey.h" 59 #include "match.h" 60 61 /* openssh private key file format */ 62 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 63 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 64 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 65 #define MARK_END_LEN (sizeof(MARK_END) - 1) 66 #define KDFNAME "bcrypt" 67 #define AUTH_MAGIC "openssh-key-v1" 68 #define SALT_LEN 16 69 #define DEFAULT_CIPHERNAME "aes256-cbc" 70 #define DEFAULT_ROUNDS 16 71 72 /* Version identification string for SSH v1 identity files. */ 73 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 74 75 static int sshkey_from_blob_internal(struct sshbuf *buf, 76 struct sshkey **keyp, int allow_cert); 77 78 /* Supported key types */ 79 struct keytype { 80 const char *name; 81 const char *shortname; 82 int type; 83 int nid; 84 int cert; 85 int sigonly; 86 }; 87 static const struct keytype keytypes[] = { 88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, 89 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 90 KEY_ED25519_CERT, 0, 1, 0 }, 91 #ifdef WITH_OPENSSL 92 { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, 93 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, 94 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, 95 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, 96 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, 97 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 98 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, 99 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, 100 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, 101 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, 102 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 103 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 104 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 105 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 106 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 107 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 108 #endif /* WITH_OPENSSL */ 109 { NULL, NULL, -1, -1, 0, 0 } 110 }; 111 112 const char * 113 sshkey_type(const struct sshkey *k) 114 { 115 const struct keytype *kt; 116 117 for (kt = keytypes; kt->type != -1; kt++) { 118 if (kt->type == k->type) 119 return kt->shortname; 120 } 121 return "unknown"; 122 } 123 124 static const char * 125 sshkey_ssh_name_from_type_nid(int type, int nid) 126 { 127 const struct keytype *kt; 128 129 for (kt = keytypes; kt->type != -1; kt++) { 130 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 131 return kt->name; 132 } 133 return "ssh-unknown"; 134 } 135 136 int 137 sshkey_type_is_cert(int type) 138 { 139 const struct keytype *kt; 140 141 for (kt = keytypes; kt->type != -1; kt++) { 142 if (kt->type == type) 143 return kt->cert; 144 } 145 return 0; 146 } 147 148 const char * 149 sshkey_ssh_name(const struct sshkey *k) 150 { 151 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 152 } 153 154 const char * 155 sshkey_ssh_name_plain(const struct sshkey *k) 156 { 157 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 158 k->ecdsa_nid); 159 } 160 161 int 162 sshkey_type_from_name(const char *name) 163 { 164 const struct keytype *kt; 165 166 for (kt = keytypes; kt->type != -1; kt++) { 167 /* Only allow shortname matches for plain key types */ 168 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 169 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 170 return kt->type; 171 } 172 return KEY_UNSPEC; 173 } 174 175 int 176 sshkey_ecdsa_nid_from_name(const char *name) 177 { 178 const struct keytype *kt; 179 180 for (kt = keytypes; kt->type != -1; kt++) { 181 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 182 continue; 183 if (kt->name != NULL && strcmp(name, kt->name) == 0) 184 return kt->nid; 185 } 186 return -1; 187 } 188 189 char * 190 key_alg_list(int certs_only, int plain_only) 191 { 192 char *tmp, *ret = NULL; 193 size_t nlen, rlen = 0; 194 const struct keytype *kt; 195 196 for (kt = keytypes; kt->type != -1; kt++) { 197 if (kt->name == NULL || kt->sigonly) 198 continue; 199 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 200 continue; 201 if (ret != NULL) 202 ret[rlen++] = '\n'; 203 nlen = strlen(kt->name); 204 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 205 free(ret); 206 return NULL; 207 } 208 ret = tmp; 209 memcpy(ret + rlen, kt->name, nlen + 1); 210 rlen += nlen; 211 } 212 return ret; 213 } 214 215 int 216 sshkey_names_valid2(const char *names, int allow_wildcard) 217 { 218 char *s, *cp, *p; 219 const struct keytype *kt; 220 int type; 221 222 if (names == NULL || strcmp(names, "") == 0) 223 return 0; 224 if ((s = cp = strdup(names)) == NULL) 225 return 0; 226 for ((p = strsep(&cp, ",")); p && *p != '\0'; 227 (p = strsep(&cp, ","))) { 228 type = sshkey_type_from_name(p); 229 if (type == KEY_RSA1) { 230 free(s); 231 return 0; 232 } 233 if (type == KEY_UNSPEC) { 234 if (allow_wildcard) { 235 /* 236 * Try matching key types against the string. 237 * If any has a positive or negative match then 238 * the component is accepted. 239 */ 240 for (kt = keytypes; kt->type != -1; kt++) { 241 if (kt->type == KEY_RSA1) 242 continue; 243 if (match_pattern_list(kt->name, 244 p, 0) != 0) 245 break; 246 } 247 if (kt->type != -1) 248 continue; 249 } 250 free(s); 251 return 0; 252 } 253 } 254 free(s); 255 return 1; 256 } 257 258 u_int 259 sshkey_size(const struct sshkey *k) 260 { 261 switch (k->type) { 262 #ifdef WITH_OPENSSL 263 case KEY_RSA1: 264 case KEY_RSA: 265 case KEY_RSA_CERT: 266 return BN_num_bits(k->rsa->n); 267 case KEY_DSA: 268 case KEY_DSA_CERT: 269 return BN_num_bits(k->dsa->p); 270 case KEY_ECDSA: 271 case KEY_ECDSA_CERT: 272 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 273 #endif /* WITH_OPENSSL */ 274 case KEY_ED25519: 275 case KEY_ED25519_CERT: 276 return 256; /* XXX */ 277 } 278 return 0; 279 } 280 281 static int 282 sshkey_type_is_valid_ca(int type) 283 { 284 switch (type) { 285 case KEY_RSA: 286 case KEY_DSA: 287 case KEY_ECDSA: 288 case KEY_ED25519: 289 return 1; 290 default: 291 return 0; 292 } 293 } 294 295 int 296 sshkey_is_cert(const struct sshkey *k) 297 { 298 if (k == NULL) 299 return 0; 300 return sshkey_type_is_cert(k->type); 301 } 302 303 /* Return the cert-less equivalent to a certified key type */ 304 int 305 sshkey_type_plain(int type) 306 { 307 switch (type) { 308 case KEY_RSA_CERT: 309 return KEY_RSA; 310 case KEY_DSA_CERT: 311 return KEY_DSA; 312 case KEY_ECDSA_CERT: 313 return KEY_ECDSA; 314 case KEY_ED25519_CERT: 315 return KEY_ED25519; 316 default: 317 return type; 318 } 319 } 320 321 #ifdef WITH_OPENSSL 322 /* XXX: these are really begging for a table-driven approach */ 323 int 324 sshkey_curve_name_to_nid(const char *name) 325 { 326 if (strcmp(name, "nistp256") == 0) 327 return NID_X9_62_prime256v1; 328 else if (strcmp(name, "nistp384") == 0) 329 return NID_secp384r1; 330 else if (strcmp(name, "nistp521") == 0) 331 return NID_secp521r1; 332 else 333 return -1; 334 } 335 336 u_int 337 sshkey_curve_nid_to_bits(int nid) 338 { 339 switch (nid) { 340 case NID_X9_62_prime256v1: 341 return 256; 342 case NID_secp384r1: 343 return 384; 344 case NID_secp521r1: 345 return 521; 346 default: 347 return 0; 348 } 349 } 350 351 int 352 sshkey_ecdsa_bits_to_nid(int bits) 353 { 354 switch (bits) { 355 case 256: 356 return NID_X9_62_prime256v1; 357 case 384: 358 return NID_secp384r1; 359 case 521: 360 return NID_secp521r1; 361 default: 362 return -1; 363 } 364 } 365 366 const char * 367 sshkey_curve_nid_to_name(int nid) 368 { 369 switch (nid) { 370 case NID_X9_62_prime256v1: 371 return "nistp256"; 372 case NID_secp384r1: 373 return "nistp384"; 374 case NID_secp521r1: 375 return "nistp521"; 376 default: 377 return NULL; 378 } 379 } 380 381 int 382 sshkey_ec_nid_to_hash_alg(int nid) 383 { 384 int kbits = sshkey_curve_nid_to_bits(nid); 385 386 if (kbits <= 0) 387 return -1; 388 389 /* RFC5656 section 6.2.1 */ 390 if (kbits <= 256) 391 return SSH_DIGEST_SHA256; 392 else if (kbits <= 384) 393 return SSH_DIGEST_SHA384; 394 else 395 return SSH_DIGEST_SHA512; 396 } 397 #endif /* WITH_OPENSSL */ 398 399 static void 400 cert_free(struct sshkey_cert *cert) 401 { 402 u_int i; 403 404 if (cert == NULL) 405 return; 406 sshbuf_free(cert->certblob); 407 sshbuf_free(cert->critical); 408 sshbuf_free(cert->extensions); 409 free(cert->key_id); 410 for (i = 0; i < cert->nprincipals; i++) 411 free(cert->principals[i]); 412 free(cert->principals); 413 sshkey_free(cert->signature_key); 414 explicit_bzero(cert, sizeof(*cert)); 415 free(cert); 416 } 417 418 static struct sshkey_cert * 419 cert_new(void) 420 { 421 struct sshkey_cert *cert; 422 423 if ((cert = calloc(1, sizeof(*cert))) == NULL) 424 return NULL; 425 if ((cert->certblob = sshbuf_new()) == NULL || 426 (cert->critical = sshbuf_new()) == NULL || 427 (cert->extensions = sshbuf_new()) == NULL) { 428 cert_free(cert); 429 return NULL; 430 } 431 cert->key_id = NULL; 432 cert->principals = NULL; 433 cert->signature_key = NULL; 434 return cert; 435 } 436 437 struct sshkey * 438 sshkey_new(int type) 439 { 440 struct sshkey *k; 441 #ifdef WITH_OPENSSL 442 RSA *rsa; 443 DSA *dsa; 444 #endif /* WITH_OPENSSL */ 445 446 if ((k = calloc(1, sizeof(*k))) == NULL) 447 return NULL; 448 k->type = type; 449 k->ecdsa = NULL; 450 k->ecdsa_nid = -1; 451 k->dsa = NULL; 452 k->rsa = NULL; 453 k->cert = NULL; 454 k->ed25519_sk = NULL; 455 k->ed25519_pk = NULL; 456 switch (k->type) { 457 #ifdef WITH_OPENSSL 458 case KEY_RSA1: 459 case KEY_RSA: 460 case KEY_RSA_CERT: 461 if ((rsa = RSA_new()) == NULL || 462 (rsa->n = BN_new()) == NULL || 463 (rsa->e = BN_new()) == NULL) { 464 if (rsa != NULL) 465 RSA_free(rsa); 466 free(k); 467 return NULL; 468 } 469 k->rsa = rsa; 470 break; 471 case KEY_DSA: 472 case KEY_DSA_CERT: 473 if ((dsa = DSA_new()) == NULL || 474 (dsa->p = BN_new()) == NULL || 475 (dsa->q = BN_new()) == NULL || 476 (dsa->g = BN_new()) == NULL || 477 (dsa->pub_key = BN_new()) == NULL) { 478 if (dsa != NULL) 479 DSA_free(dsa); 480 free(k); 481 return NULL; 482 } 483 k->dsa = dsa; 484 break; 485 case KEY_ECDSA: 486 case KEY_ECDSA_CERT: 487 /* Cannot do anything until we know the group */ 488 break; 489 #endif /* WITH_OPENSSL */ 490 case KEY_ED25519: 491 case KEY_ED25519_CERT: 492 /* no need to prealloc */ 493 break; 494 case KEY_UNSPEC: 495 break; 496 default: 497 free(k); 498 return NULL; 499 break; 500 } 501 502 if (sshkey_is_cert(k)) { 503 if ((k->cert = cert_new()) == NULL) { 504 sshkey_free(k); 505 return NULL; 506 } 507 } 508 509 return k; 510 } 511 512 int 513 sshkey_add_private(struct sshkey *k) 514 { 515 switch (k->type) { 516 #ifdef WITH_OPENSSL 517 case KEY_RSA1: 518 case KEY_RSA: 519 case KEY_RSA_CERT: 520 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 521 if (bn_maybe_alloc_failed(k->rsa->d) || 522 bn_maybe_alloc_failed(k->rsa->iqmp) || 523 bn_maybe_alloc_failed(k->rsa->q) || 524 bn_maybe_alloc_failed(k->rsa->p) || 525 bn_maybe_alloc_failed(k->rsa->dmq1) || 526 bn_maybe_alloc_failed(k->rsa->dmp1)) 527 return SSH_ERR_ALLOC_FAIL; 528 break; 529 case KEY_DSA: 530 case KEY_DSA_CERT: 531 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 532 return SSH_ERR_ALLOC_FAIL; 533 break; 534 #undef bn_maybe_alloc_failed 535 case KEY_ECDSA: 536 case KEY_ECDSA_CERT: 537 /* Cannot do anything until we know the group */ 538 break; 539 #endif /* WITH_OPENSSL */ 540 case KEY_ED25519: 541 case KEY_ED25519_CERT: 542 /* no need to prealloc */ 543 break; 544 case KEY_UNSPEC: 545 break; 546 default: 547 return SSH_ERR_INVALID_ARGUMENT; 548 } 549 return 0; 550 } 551 552 struct sshkey * 553 sshkey_new_private(int type) 554 { 555 struct sshkey *k = sshkey_new(type); 556 557 if (k == NULL) 558 return NULL; 559 if (sshkey_add_private(k) != 0) { 560 sshkey_free(k); 561 return NULL; 562 } 563 return k; 564 } 565 566 void 567 sshkey_free(struct sshkey *k) 568 { 569 if (k == NULL) 570 return; 571 switch (k->type) { 572 #ifdef WITH_OPENSSL 573 case KEY_RSA1: 574 case KEY_RSA: 575 case KEY_RSA_CERT: 576 if (k->rsa != NULL) 577 RSA_free(k->rsa); 578 k->rsa = NULL; 579 break; 580 case KEY_DSA: 581 case KEY_DSA_CERT: 582 if (k->dsa != NULL) 583 DSA_free(k->dsa); 584 k->dsa = NULL; 585 break; 586 case KEY_ECDSA: 587 case KEY_ECDSA_CERT: 588 if (k->ecdsa != NULL) 589 EC_KEY_free(k->ecdsa); 590 k->ecdsa = NULL; 591 break; 592 #endif /* WITH_OPENSSL */ 593 case KEY_ED25519: 594 case KEY_ED25519_CERT: 595 if (k->ed25519_pk) { 596 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 597 free(k->ed25519_pk); 598 k->ed25519_pk = NULL; 599 } 600 if (k->ed25519_sk) { 601 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 602 free(k->ed25519_sk); 603 k->ed25519_sk = NULL; 604 } 605 break; 606 case KEY_UNSPEC: 607 break; 608 default: 609 break; 610 } 611 if (sshkey_is_cert(k)) 612 cert_free(k->cert); 613 explicit_bzero(k, sizeof(*k)); 614 free(k); 615 } 616 617 static int 618 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 619 { 620 if (a == NULL && b == NULL) 621 return 1; 622 if (a == NULL || b == NULL) 623 return 0; 624 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 625 return 0; 626 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 627 sshbuf_len(a->certblob)) != 0) 628 return 0; 629 return 1; 630 } 631 632 /* 633 * Compare public portions of key only, allowing comparisons between 634 * certificates and plain keys too. 635 */ 636 int 637 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 638 { 639 #ifdef WITH_OPENSSL 640 BN_CTX *bnctx; 641 #endif /* WITH_OPENSSL */ 642 643 if (a == NULL || b == NULL || 644 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 645 return 0; 646 647 switch (a->type) { 648 #ifdef WITH_OPENSSL 649 case KEY_RSA1: 650 case KEY_RSA_CERT: 651 case KEY_RSA: 652 return a->rsa != NULL && b->rsa != NULL && 653 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 654 BN_cmp(a->rsa->n, b->rsa->n) == 0; 655 case KEY_DSA_CERT: 656 case KEY_DSA: 657 return a->dsa != NULL && b->dsa != NULL && 658 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 659 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 660 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 661 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 662 case KEY_ECDSA_CERT: 663 case KEY_ECDSA: 664 if (a->ecdsa == NULL || b->ecdsa == NULL || 665 EC_KEY_get0_public_key(a->ecdsa) == NULL || 666 EC_KEY_get0_public_key(b->ecdsa) == NULL) 667 return 0; 668 if ((bnctx = BN_CTX_new()) == NULL) 669 return 0; 670 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 671 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 672 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 673 EC_KEY_get0_public_key(a->ecdsa), 674 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 675 BN_CTX_free(bnctx); 676 return 0; 677 } 678 BN_CTX_free(bnctx); 679 return 1; 680 #endif /* WITH_OPENSSL */ 681 case KEY_ED25519: 682 case KEY_ED25519_CERT: 683 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 684 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 685 default: 686 return 0; 687 } 688 /* NOTREACHED */ 689 } 690 691 int 692 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 693 { 694 if (a == NULL || b == NULL || a->type != b->type) 695 return 0; 696 if (sshkey_is_cert(a)) { 697 if (!cert_compare(a->cert, b->cert)) 698 return 0; 699 } 700 return sshkey_equal_public(a, b); 701 } 702 703 static int 704 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 705 { 706 int type, ret = SSH_ERR_INTERNAL_ERROR; 707 const char *typename; 708 709 if (key == NULL) 710 return SSH_ERR_INVALID_ARGUMENT; 711 712 if (sshkey_is_cert(key)) { 713 if (key->cert == NULL) 714 return SSH_ERR_EXPECTED_CERT; 715 if (sshbuf_len(key->cert->certblob) == 0) 716 return SSH_ERR_KEY_LACKS_CERTBLOB; 717 } 718 type = force_plain ? sshkey_type_plain(key->type) : key->type; 719 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 720 721 switch (type) { 722 #ifdef WITH_OPENSSL 723 case KEY_DSA_CERT: 724 case KEY_ECDSA_CERT: 725 case KEY_RSA_CERT: 726 #endif /* WITH_OPENSSL */ 727 case KEY_ED25519_CERT: 728 /* Use the existing blob */ 729 /* XXX modified flag? */ 730 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 731 return ret; 732 break; 733 #ifdef WITH_OPENSSL 734 case KEY_DSA: 735 if (key->dsa == NULL) 736 return SSH_ERR_INVALID_ARGUMENT; 737 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 738 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 739 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 740 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 741 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 742 return ret; 743 break; 744 case KEY_ECDSA: 745 if (key->ecdsa == NULL) 746 return SSH_ERR_INVALID_ARGUMENT; 747 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 748 (ret = sshbuf_put_cstring(b, 749 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 750 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 751 return ret; 752 break; 753 case KEY_RSA: 754 if (key->rsa == NULL) 755 return SSH_ERR_INVALID_ARGUMENT; 756 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 757 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 758 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 759 return ret; 760 break; 761 #endif /* WITH_OPENSSL */ 762 case KEY_ED25519: 763 if (key->ed25519_pk == NULL) 764 return SSH_ERR_INVALID_ARGUMENT; 765 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 766 (ret = sshbuf_put_string(b, 767 key->ed25519_pk, ED25519_PK_SZ)) != 0) 768 return ret; 769 break; 770 default: 771 return SSH_ERR_KEY_TYPE_UNKNOWN; 772 } 773 return 0; 774 } 775 776 int 777 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 778 { 779 return to_blob_buf(key, b, 0); 780 } 781 782 int 783 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 784 { 785 struct sshbuf *tmp; 786 int r; 787 788 if ((tmp = sshbuf_new()) == NULL) 789 return SSH_ERR_ALLOC_FAIL; 790 r = to_blob_buf(key, tmp, 0); 791 if (r == 0) 792 r = sshbuf_put_stringb(b, tmp); 793 sshbuf_free(tmp); 794 return r; 795 } 796 797 int 798 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 799 { 800 return to_blob_buf(key, b, 1); 801 } 802 803 static int 804 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 805 { 806 int ret = SSH_ERR_INTERNAL_ERROR; 807 size_t len; 808 struct sshbuf *b = NULL; 809 810 if (lenp != NULL) 811 *lenp = 0; 812 if (blobp != NULL) 813 *blobp = NULL; 814 if ((b = sshbuf_new()) == NULL) 815 return SSH_ERR_ALLOC_FAIL; 816 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 817 goto out; 818 len = sshbuf_len(b); 819 if (lenp != NULL) 820 *lenp = len; 821 if (blobp != NULL) { 822 if ((*blobp = malloc(len)) == NULL) { 823 ret = SSH_ERR_ALLOC_FAIL; 824 goto out; 825 } 826 memcpy(*blobp, sshbuf_ptr(b), len); 827 } 828 ret = 0; 829 out: 830 sshbuf_free(b); 831 return ret; 832 } 833 834 int 835 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 836 { 837 return to_blob(key, blobp, lenp, 0); 838 } 839 840 int 841 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 842 { 843 return to_blob(key, blobp, lenp, 1); 844 } 845 846 int 847 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 848 u_char **retp, size_t *lenp) 849 { 850 u_char *blob = NULL, *ret = NULL; 851 size_t blob_len = 0; 852 int r = SSH_ERR_INTERNAL_ERROR; 853 854 if (retp != NULL) 855 *retp = NULL; 856 if (lenp != NULL) 857 *lenp = 0; 858 if (ssh_digest_bytes(dgst_alg) == 0) { 859 r = SSH_ERR_INVALID_ARGUMENT; 860 goto out; 861 } 862 863 if (k->type == KEY_RSA1) { 864 #ifdef WITH_OPENSSL 865 int nlen = BN_num_bytes(k->rsa->n); 866 int elen = BN_num_bytes(k->rsa->e); 867 868 blob_len = nlen + elen; 869 if (nlen >= INT_MAX - elen || 870 (blob = malloc(blob_len)) == NULL) { 871 r = SSH_ERR_ALLOC_FAIL; 872 goto out; 873 } 874 BN_bn2bin(k->rsa->n, blob); 875 BN_bn2bin(k->rsa->e, blob + nlen); 876 #endif /* WITH_OPENSSL */ 877 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 878 goto out; 879 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 880 r = SSH_ERR_ALLOC_FAIL; 881 goto out; 882 } 883 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 884 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 885 goto out; 886 /* success */ 887 if (retp != NULL) { 888 *retp = ret; 889 ret = NULL; 890 } 891 if (lenp != NULL) 892 *lenp = ssh_digest_bytes(dgst_alg); 893 r = 0; 894 out: 895 free(ret); 896 if (blob != NULL) { 897 explicit_bzero(blob, blob_len); 898 free(blob); 899 } 900 return r; 901 } 902 903 static char * 904 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 905 { 906 char *ret; 907 size_t plen = strlen(alg) + 1; 908 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 909 int r; 910 911 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 912 return NULL; 913 strlcpy(ret, alg, rlen); 914 strlcat(ret, ":", rlen); 915 if (dgst_raw_len == 0) 916 return ret; 917 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 918 ret + plen, rlen - plen)) == -1) { 919 explicit_bzero(ret, rlen); 920 free(ret); 921 return NULL; 922 } 923 /* Trim padding characters from end */ 924 ret[strcspn(ret, "=")] = '\0'; 925 return ret; 926 } 927 928 static char * 929 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 930 { 931 char *retval, hex[5]; 932 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 933 934 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 935 return NULL; 936 strlcpy(retval, alg, rlen); 937 strlcat(retval, ":", rlen); 938 for (i = 0; i < dgst_raw_len; i++) { 939 snprintf(hex, sizeof(hex), "%s%02x", 940 i > 0 ? ":" : "", dgst_raw[i]); 941 strlcat(retval, hex, rlen); 942 } 943 return retval; 944 } 945 946 static char * 947 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 948 { 949 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 950 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 951 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 952 u_int i, j = 0, rounds, seed = 1; 953 char *retval; 954 955 rounds = (dgst_raw_len / 2) + 1; 956 if ((retval = calloc(rounds, 6)) == NULL) 957 return NULL; 958 retval[j++] = 'x'; 959 for (i = 0; i < rounds; i++) { 960 u_int idx0, idx1, idx2, idx3, idx4; 961 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 962 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 963 seed) % 6; 964 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 965 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 966 (seed / 6)) % 6; 967 retval[j++] = vowels[idx0]; 968 retval[j++] = consonants[idx1]; 969 retval[j++] = vowels[idx2]; 970 if ((i + 1) < rounds) { 971 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 972 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 973 retval[j++] = consonants[idx3]; 974 retval[j++] = '-'; 975 retval[j++] = consonants[idx4]; 976 seed = ((seed * 5) + 977 ((((u_int)(dgst_raw[2 * i])) * 7) + 978 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 979 } 980 } else { 981 idx0 = seed % 6; 982 idx1 = 16; 983 idx2 = seed / 6; 984 retval[j++] = vowels[idx0]; 985 retval[j++] = consonants[idx1]; 986 retval[j++] = vowels[idx2]; 987 } 988 } 989 retval[j++] = 'x'; 990 retval[j++] = '\0'; 991 return retval; 992 } 993 994 /* 995 * Draw an ASCII-Art representing the fingerprint so human brain can 996 * profit from its built-in pattern recognition ability. 997 * This technique is called "random art" and can be found in some 998 * scientific publications like this original paper: 999 * 1000 * "Hash Visualization: a New Technique to improve Real-World Security", 1001 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1002 * Techniques and E-Commerce (CrypTEC '99) 1003 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1004 * 1005 * The subject came up in a talk by Dan Kaminsky, too. 1006 * 1007 * If you see the picture is different, the key is different. 1008 * If the picture looks the same, you still know nothing. 1009 * 1010 * The algorithm used here is a worm crawling over a discrete plane, 1011 * leaving a trace (augmenting the field) everywhere it goes. 1012 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1013 * makes the respective movement vector be ignored for this turn. 1014 * Graphs are not unambiguous, because circles in graphs can be 1015 * walked in either direction. 1016 */ 1017 1018 /* 1019 * Field sizes for the random art. Have to be odd, so the starting point 1020 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1021 * Else pictures would be too dense, and drawing the frame would 1022 * fail, too, because the key type would not fit in anymore. 1023 */ 1024 #define FLDBASE 8 1025 #define FLDSIZE_Y (FLDBASE + 1) 1026 #define FLDSIZE_X (FLDBASE * 2 + 1) 1027 static char * 1028 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1029 const struct sshkey *k) 1030 { 1031 /* 1032 * Chars to be used after each other every time the worm 1033 * intersects with itself. Matter of taste. 1034 */ 1035 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1036 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1037 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1038 size_t i, tlen, hlen; 1039 u_int b; 1040 int x, y, r; 1041 size_t len = strlen(augmentation_string) - 1; 1042 1043 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1044 return NULL; 1045 1046 /* initialize field */ 1047 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1048 x = FLDSIZE_X / 2; 1049 y = FLDSIZE_Y / 2; 1050 1051 /* process raw key */ 1052 for (i = 0; i < dgst_raw_len; i++) { 1053 int input; 1054 /* each byte conveys four 2-bit move commands */ 1055 input = dgst_raw[i]; 1056 for (b = 0; b < 4; b++) { 1057 /* evaluate 2 bit, rest is shifted later */ 1058 x += (input & 0x1) ? 1 : -1; 1059 y += (input & 0x2) ? 1 : -1; 1060 1061 /* assure we are still in bounds */ 1062 x = MAX(x, 0); 1063 y = MAX(y, 0); 1064 x = MIN(x, FLDSIZE_X - 1); 1065 y = MIN(y, FLDSIZE_Y - 1); 1066 1067 /* augment the field */ 1068 if (field[x][y] < len - 2) 1069 field[x][y]++; 1070 input = input >> 2; 1071 } 1072 } 1073 1074 /* mark starting point and end point*/ 1075 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1076 field[x][y] = len; 1077 1078 /* assemble title */ 1079 r = snprintf(title, sizeof(title), "[%s %u]", 1080 sshkey_type(k), sshkey_size(k)); 1081 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1082 if (r < 0 || r > (int)sizeof(title)) 1083 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1084 tlen = (r <= 0) ? 0 : strlen(title); 1085 1086 /* assemble hash ID. */ 1087 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1088 hlen = (r <= 0) ? 0 : strlen(hash); 1089 1090 /* output upper border */ 1091 p = retval; 1092 *p++ = '+'; 1093 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1094 *p++ = '-'; 1095 memcpy(p, title, tlen); 1096 p += tlen; 1097 for (i += tlen; i < FLDSIZE_X; i++) 1098 *p++ = '-'; 1099 *p++ = '+'; 1100 *p++ = '\n'; 1101 1102 /* output content */ 1103 for (y = 0; y < FLDSIZE_Y; y++) { 1104 *p++ = '|'; 1105 for (x = 0; x < FLDSIZE_X; x++) 1106 *p++ = augmentation_string[MIN(field[x][y], len)]; 1107 *p++ = '|'; 1108 *p++ = '\n'; 1109 } 1110 1111 /* output lower border */ 1112 *p++ = '+'; 1113 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1114 *p++ = '-'; 1115 memcpy(p, hash, hlen); 1116 p += hlen; 1117 for (i += hlen; i < FLDSIZE_X; i++) 1118 *p++ = '-'; 1119 *p++ = '+'; 1120 1121 return retval; 1122 } 1123 1124 char * 1125 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1126 enum sshkey_fp_rep dgst_rep) 1127 { 1128 char *retval = NULL; 1129 u_char *dgst_raw; 1130 size_t dgst_raw_len; 1131 1132 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1133 return NULL; 1134 switch (dgst_rep) { 1135 case SSH_FP_DEFAULT: 1136 if (dgst_alg == SSH_DIGEST_MD5) { 1137 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1138 dgst_raw, dgst_raw_len); 1139 } else { 1140 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1141 dgst_raw, dgst_raw_len); 1142 } 1143 break; 1144 case SSH_FP_HEX: 1145 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1146 dgst_raw, dgst_raw_len); 1147 break; 1148 case SSH_FP_BASE64: 1149 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1150 dgst_raw, dgst_raw_len); 1151 break; 1152 case SSH_FP_BUBBLEBABBLE: 1153 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1154 break; 1155 case SSH_FP_RANDOMART: 1156 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1157 dgst_raw, dgst_raw_len, k); 1158 break; 1159 default: 1160 explicit_bzero(dgst_raw, dgst_raw_len); 1161 free(dgst_raw); 1162 return NULL; 1163 } 1164 explicit_bzero(dgst_raw, dgst_raw_len); 1165 free(dgst_raw); 1166 return retval; 1167 } 1168 1169 #ifdef WITH_SSH1 1170 /* 1171 * Reads a multiple-precision integer in decimal from the buffer, and advances 1172 * the pointer. The integer must already be initialized. This function is 1173 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1174 * last processed character. 1175 */ 1176 static int 1177 read_decimal_bignum(char **cpp, BIGNUM *v) 1178 { 1179 char *cp; 1180 size_t e; 1181 int skip = 1; /* skip white space */ 1182 1183 cp = *cpp; 1184 while (*cp == ' ' || *cp == '\t') 1185 cp++; 1186 e = strspn(cp, "0123456789"); 1187 if (e == 0) 1188 return SSH_ERR_INVALID_FORMAT; 1189 if (e > SSHBUF_MAX_BIGNUM * 3) 1190 return SSH_ERR_BIGNUM_TOO_LARGE; 1191 if (cp[e] == '\0') 1192 skip = 0; 1193 else if (strchr(" \t\r\n", cp[e]) == NULL) 1194 return SSH_ERR_INVALID_FORMAT; 1195 cp[e] = '\0'; 1196 if (BN_dec2bn(&v, cp) <= 0) 1197 return SSH_ERR_INVALID_FORMAT; 1198 *cpp = cp + e + skip; 1199 return 0; 1200 } 1201 #endif /* WITH_SSH1 */ 1202 1203 /* returns 0 ok, and < 0 error */ 1204 int 1205 sshkey_read(struct sshkey *ret, char **cpp) 1206 { 1207 struct sshkey *k; 1208 int retval = SSH_ERR_INVALID_FORMAT; 1209 char *ep, *cp, *space; 1210 int r, type, curve_nid = -1; 1211 struct sshbuf *blob; 1212 #ifdef WITH_SSH1 1213 u_long bits; 1214 #endif /* WITH_SSH1 */ 1215 1216 cp = *cpp; 1217 1218 switch (ret->type) { 1219 case KEY_RSA1: 1220 #ifdef WITH_SSH1 1221 /* Get number of bits. */ 1222 bits = strtoul(cp, &ep, 10); 1223 if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL || 1224 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1225 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1226 /* Get public exponent, public modulus. */ 1227 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1228 return r; 1229 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1230 return r; 1231 /* validate the claimed number of bits */ 1232 if (BN_num_bits(ret->rsa->n) != (int)bits) 1233 return SSH_ERR_KEY_BITS_MISMATCH; 1234 *cpp = ep; 1235 retval = 0; 1236 #endif /* WITH_SSH1 */ 1237 break; 1238 case KEY_UNSPEC: 1239 case KEY_RSA: 1240 case KEY_DSA: 1241 case KEY_ECDSA: 1242 case KEY_ED25519: 1243 case KEY_DSA_CERT: 1244 case KEY_ECDSA_CERT: 1245 case KEY_RSA_CERT: 1246 case KEY_ED25519_CERT: 1247 space = strchr(cp, ' '); 1248 if (space == NULL) 1249 return SSH_ERR_INVALID_FORMAT; 1250 *space = '\0'; 1251 type = sshkey_type_from_name(cp); 1252 if (sshkey_type_plain(type) == KEY_ECDSA && 1253 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1254 return SSH_ERR_EC_CURVE_INVALID; 1255 *space = ' '; 1256 if (type == KEY_UNSPEC) 1257 return SSH_ERR_INVALID_FORMAT; 1258 cp = space+1; 1259 if (*cp == '\0') 1260 return SSH_ERR_INVALID_FORMAT; 1261 if (ret->type != KEY_UNSPEC && ret->type != type) 1262 return SSH_ERR_KEY_TYPE_MISMATCH; 1263 if ((blob = sshbuf_new()) == NULL) 1264 return SSH_ERR_ALLOC_FAIL; 1265 /* trim comment */ 1266 space = strchr(cp, ' '); 1267 if (space) { 1268 /* advance 'space': skip whitespace */ 1269 *space++ = '\0'; 1270 while (*space == ' ' || *space == '\t') 1271 space++; 1272 ep = space; 1273 } else 1274 ep = cp + strlen(cp); 1275 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1276 sshbuf_free(blob); 1277 return r; 1278 } 1279 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1280 sshbuf_len(blob), &k)) != 0) { 1281 sshbuf_free(blob); 1282 return r; 1283 } 1284 sshbuf_free(blob); 1285 if (k->type != type) { 1286 sshkey_free(k); 1287 return SSH_ERR_KEY_TYPE_MISMATCH; 1288 } 1289 if (sshkey_type_plain(type) == KEY_ECDSA && 1290 curve_nid != k->ecdsa_nid) { 1291 sshkey_free(k); 1292 return SSH_ERR_EC_CURVE_MISMATCH; 1293 } 1294 ret->type = type; 1295 if (sshkey_is_cert(ret)) { 1296 if (!sshkey_is_cert(k)) { 1297 sshkey_free(k); 1298 return SSH_ERR_EXPECTED_CERT; 1299 } 1300 if (ret->cert != NULL) 1301 cert_free(ret->cert); 1302 ret->cert = k->cert; 1303 k->cert = NULL; 1304 } 1305 switch (sshkey_type_plain(ret->type)) { 1306 #ifdef WITH_OPENSSL 1307 case KEY_RSA: 1308 if (ret->rsa != NULL) 1309 RSA_free(ret->rsa); 1310 ret->rsa = k->rsa; 1311 k->rsa = NULL; 1312 #ifdef DEBUG_PK 1313 RSA_print_fp(stderr, ret->rsa, 8); 1314 #endif 1315 break; 1316 case KEY_DSA: 1317 if (ret->dsa != NULL) 1318 DSA_free(ret->dsa); 1319 ret->dsa = k->dsa; 1320 k->dsa = NULL; 1321 #ifdef DEBUG_PK 1322 DSA_print_fp(stderr, ret->dsa, 8); 1323 #endif 1324 break; 1325 case KEY_ECDSA: 1326 if (ret->ecdsa != NULL) 1327 EC_KEY_free(ret->ecdsa); 1328 ret->ecdsa = k->ecdsa; 1329 ret->ecdsa_nid = k->ecdsa_nid; 1330 k->ecdsa = NULL; 1331 k->ecdsa_nid = -1; 1332 #ifdef DEBUG_PK 1333 sshkey_dump_ec_key(ret->ecdsa); 1334 #endif 1335 break; 1336 #endif /* WITH_OPENSSL */ 1337 case KEY_ED25519: 1338 free(ret->ed25519_pk); 1339 ret->ed25519_pk = k->ed25519_pk; 1340 k->ed25519_pk = NULL; 1341 #ifdef DEBUG_PK 1342 /* XXX */ 1343 #endif 1344 break; 1345 } 1346 *cpp = ep; 1347 retval = 0; 1348 /*XXXX*/ 1349 sshkey_free(k); 1350 if (retval != 0) 1351 break; 1352 break; 1353 default: 1354 return SSH_ERR_INVALID_ARGUMENT; 1355 } 1356 return retval; 1357 } 1358 1359 int 1360 sshkey_to_base64(const struct sshkey *key, char **b64p) 1361 { 1362 int r = SSH_ERR_INTERNAL_ERROR; 1363 struct sshbuf *b = NULL; 1364 char *uu = NULL; 1365 1366 if (b64p != NULL) 1367 *b64p = NULL; 1368 if ((b = sshbuf_new()) == NULL) 1369 return SSH_ERR_ALLOC_FAIL; 1370 if ((r = sshkey_putb(key, b)) != 0) 1371 goto out; 1372 if ((uu = sshbuf_dtob64(b)) == NULL) { 1373 r = SSH_ERR_ALLOC_FAIL; 1374 goto out; 1375 } 1376 /* Success */ 1377 if (b64p != NULL) { 1378 *b64p = uu; 1379 uu = NULL; 1380 } 1381 r = 0; 1382 out: 1383 sshbuf_free(b); 1384 free(uu); 1385 return r; 1386 } 1387 1388 static int 1389 sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b) 1390 { 1391 int r = SSH_ERR_INTERNAL_ERROR; 1392 #ifdef WITH_SSH1 1393 u_int bits = 0; 1394 char *dec_e = NULL, *dec_n = NULL; 1395 1396 if (key->rsa == NULL || key->rsa->e == NULL || 1397 key->rsa->n == NULL) { 1398 r = SSH_ERR_INVALID_ARGUMENT; 1399 goto out; 1400 } 1401 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1402 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1403 r = SSH_ERR_ALLOC_FAIL; 1404 goto out; 1405 } 1406 /* size of modulus 'n' */ 1407 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1408 r = SSH_ERR_INVALID_ARGUMENT; 1409 goto out; 1410 } 1411 if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1412 goto out; 1413 1414 /* Success */ 1415 r = 0; 1416 out: 1417 if (dec_e != NULL) 1418 OPENSSL_free(dec_e); 1419 if (dec_n != NULL) 1420 OPENSSL_free(dec_n); 1421 #endif /* WITH_SSH1 */ 1422 1423 return r; 1424 } 1425 1426 static int 1427 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1428 { 1429 int r = SSH_ERR_INTERNAL_ERROR; 1430 char *uu = NULL; 1431 1432 if (key->type == KEY_RSA1) { 1433 if ((r = sshkey_format_rsa1(key, b)) != 0) 1434 goto out; 1435 } else { 1436 /* Unsupported key types handled in sshkey_to_base64() */ 1437 if ((r = sshkey_to_base64(key, &uu)) != 0) 1438 goto out; 1439 if ((r = sshbuf_putf(b, "%s %s", 1440 sshkey_ssh_name(key), uu)) != 0) 1441 goto out; 1442 } 1443 r = 0; 1444 out: 1445 free(uu); 1446 return r; 1447 } 1448 1449 int 1450 sshkey_write(const struct sshkey *key, FILE *f) 1451 { 1452 struct sshbuf *b = NULL; 1453 int r = SSH_ERR_INTERNAL_ERROR; 1454 1455 if ((b = sshbuf_new()) == NULL) 1456 return SSH_ERR_ALLOC_FAIL; 1457 if ((r = sshkey_format_text(key, b)) != 0) 1458 goto out; 1459 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1460 if (feof(f)) 1461 errno = EPIPE; 1462 r = SSH_ERR_SYSTEM_ERROR; 1463 goto out; 1464 } 1465 /* Success */ 1466 r = 0; 1467 out: 1468 sshbuf_free(b); 1469 return r; 1470 } 1471 1472 const char * 1473 sshkey_cert_type(const struct sshkey *k) 1474 { 1475 switch (k->cert->type) { 1476 case SSH2_CERT_TYPE_USER: 1477 return "user"; 1478 case SSH2_CERT_TYPE_HOST: 1479 return "host"; 1480 default: 1481 return "unknown"; 1482 } 1483 } 1484 1485 #ifdef WITH_OPENSSL 1486 static int 1487 rsa_generate_private_key(u_int bits, RSA **rsap) 1488 { 1489 RSA *private = NULL; 1490 BIGNUM *f4 = NULL; 1491 int ret = SSH_ERR_INTERNAL_ERROR; 1492 1493 if (rsap == NULL || 1494 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1495 bits > SSHBUF_MAX_BIGNUM * 8) 1496 return SSH_ERR_INVALID_ARGUMENT; 1497 *rsap = NULL; 1498 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1499 ret = SSH_ERR_ALLOC_FAIL; 1500 goto out; 1501 } 1502 if (!BN_set_word(f4, RSA_F4) || 1503 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1504 ret = SSH_ERR_LIBCRYPTO_ERROR; 1505 goto out; 1506 } 1507 *rsap = private; 1508 private = NULL; 1509 ret = 0; 1510 out: 1511 if (private != NULL) 1512 RSA_free(private); 1513 if (f4 != NULL) 1514 BN_free(f4); 1515 return ret; 1516 } 1517 1518 static int 1519 dsa_generate_private_key(u_int bits, DSA **dsap) 1520 { 1521 DSA *private; 1522 int ret = SSH_ERR_INTERNAL_ERROR; 1523 1524 if (dsap == NULL || bits != 1024) 1525 return SSH_ERR_INVALID_ARGUMENT; 1526 if ((private = DSA_new()) == NULL) { 1527 ret = SSH_ERR_ALLOC_FAIL; 1528 goto out; 1529 } 1530 *dsap = NULL; 1531 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1532 NULL, NULL) || !DSA_generate_key(private)) { 1533 ret = SSH_ERR_LIBCRYPTO_ERROR; 1534 goto out; 1535 } 1536 *dsap = private; 1537 private = NULL; 1538 ret = 0; 1539 out: 1540 if (private != NULL) 1541 DSA_free(private); 1542 return ret; 1543 } 1544 1545 int 1546 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1547 { 1548 EC_GROUP *eg; 1549 int nids[] = { 1550 NID_X9_62_prime256v1, 1551 NID_secp384r1, 1552 NID_secp521r1, 1553 -1 1554 }; 1555 int nid; 1556 u_int i; 1557 BN_CTX *bnctx; 1558 const EC_GROUP *g = EC_KEY_get0_group(k); 1559 1560 /* 1561 * The group may be stored in a ASN.1 encoded private key in one of two 1562 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1563 * or explicit group parameters encoded into the key blob. Only the 1564 * "named group" case sets the group NID for us, but we can figure 1565 * it out for the other case by comparing against all the groups that 1566 * are supported. 1567 */ 1568 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1569 return nid; 1570 if ((bnctx = BN_CTX_new()) == NULL) 1571 return -1; 1572 for (i = 0; nids[i] != -1; i++) { 1573 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1574 BN_CTX_free(bnctx); 1575 return -1; 1576 } 1577 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1578 break; 1579 EC_GROUP_free(eg); 1580 } 1581 BN_CTX_free(bnctx); 1582 if (nids[i] != -1) { 1583 /* Use the group with the NID attached */ 1584 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1585 if (EC_KEY_set_group(k, eg) != 1) { 1586 EC_GROUP_free(eg); 1587 return -1; 1588 } 1589 } 1590 return nids[i]; 1591 } 1592 1593 static int 1594 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1595 { 1596 EC_KEY *private; 1597 int ret = SSH_ERR_INTERNAL_ERROR; 1598 1599 if (nid == NULL || ecdsap == NULL || 1600 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1601 return SSH_ERR_INVALID_ARGUMENT; 1602 *ecdsap = NULL; 1603 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1604 ret = SSH_ERR_ALLOC_FAIL; 1605 goto out; 1606 } 1607 if (EC_KEY_generate_key(private) != 1) { 1608 ret = SSH_ERR_LIBCRYPTO_ERROR; 1609 goto out; 1610 } 1611 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1612 *ecdsap = private; 1613 private = NULL; 1614 ret = 0; 1615 out: 1616 if (private != NULL) 1617 EC_KEY_free(private); 1618 return ret; 1619 } 1620 #endif /* WITH_OPENSSL */ 1621 1622 int 1623 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1624 { 1625 struct sshkey *k; 1626 int ret = SSH_ERR_INTERNAL_ERROR; 1627 1628 if (keyp == NULL) 1629 return SSH_ERR_INVALID_ARGUMENT; 1630 *keyp = NULL; 1631 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1632 return SSH_ERR_ALLOC_FAIL; 1633 switch (type) { 1634 case KEY_ED25519: 1635 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1636 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1637 ret = SSH_ERR_ALLOC_FAIL; 1638 break; 1639 } 1640 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1641 ret = 0; 1642 break; 1643 #ifdef WITH_OPENSSL 1644 case KEY_DSA: 1645 ret = dsa_generate_private_key(bits, &k->dsa); 1646 break; 1647 case KEY_ECDSA: 1648 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1649 &k->ecdsa); 1650 break; 1651 case KEY_RSA: 1652 case KEY_RSA1: 1653 ret = rsa_generate_private_key(bits, &k->rsa); 1654 break; 1655 #endif /* WITH_OPENSSL */ 1656 default: 1657 ret = SSH_ERR_INVALID_ARGUMENT; 1658 } 1659 if (ret == 0) { 1660 k->type = type; 1661 *keyp = k; 1662 } else 1663 sshkey_free(k); 1664 return ret; 1665 } 1666 1667 int 1668 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1669 { 1670 u_int i; 1671 const struct sshkey_cert *from; 1672 struct sshkey_cert *to; 1673 int ret = SSH_ERR_INTERNAL_ERROR; 1674 1675 if (to_key->cert != NULL) { 1676 cert_free(to_key->cert); 1677 to_key->cert = NULL; 1678 } 1679 1680 if ((from = from_key->cert) == NULL) 1681 return SSH_ERR_INVALID_ARGUMENT; 1682 1683 if ((to = to_key->cert = cert_new()) == NULL) 1684 return SSH_ERR_ALLOC_FAIL; 1685 1686 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1687 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1688 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) 1689 return ret; 1690 1691 to->serial = from->serial; 1692 to->type = from->type; 1693 if (from->key_id == NULL) 1694 to->key_id = NULL; 1695 else if ((to->key_id = strdup(from->key_id)) == NULL) 1696 return SSH_ERR_ALLOC_FAIL; 1697 to->valid_after = from->valid_after; 1698 to->valid_before = from->valid_before; 1699 if (from->signature_key == NULL) 1700 to->signature_key = NULL; 1701 else if ((ret = sshkey_from_private(from->signature_key, 1702 &to->signature_key)) != 0) 1703 return ret; 1704 1705 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1706 return SSH_ERR_INVALID_ARGUMENT; 1707 if (from->nprincipals > 0) { 1708 if ((to->principals = calloc(from->nprincipals, 1709 sizeof(*to->principals))) == NULL) 1710 return SSH_ERR_ALLOC_FAIL; 1711 for (i = 0; i < from->nprincipals; i++) { 1712 to->principals[i] = strdup(from->principals[i]); 1713 if (to->principals[i] == NULL) { 1714 to->nprincipals = i; 1715 return SSH_ERR_ALLOC_FAIL; 1716 } 1717 } 1718 } 1719 to->nprincipals = from->nprincipals; 1720 return 0; 1721 } 1722 1723 int 1724 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1725 { 1726 struct sshkey *n = NULL; 1727 int ret = SSH_ERR_INTERNAL_ERROR; 1728 1729 *pkp = NULL; 1730 switch (k->type) { 1731 #ifdef WITH_OPENSSL 1732 case KEY_DSA: 1733 case KEY_DSA_CERT: 1734 if ((n = sshkey_new(k->type)) == NULL) 1735 return SSH_ERR_ALLOC_FAIL; 1736 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1737 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1738 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1739 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1740 sshkey_free(n); 1741 return SSH_ERR_ALLOC_FAIL; 1742 } 1743 break; 1744 case KEY_ECDSA: 1745 case KEY_ECDSA_CERT: 1746 if ((n = sshkey_new(k->type)) == NULL) 1747 return SSH_ERR_ALLOC_FAIL; 1748 n->ecdsa_nid = k->ecdsa_nid; 1749 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1750 if (n->ecdsa == NULL) { 1751 sshkey_free(n); 1752 return SSH_ERR_ALLOC_FAIL; 1753 } 1754 if (EC_KEY_set_public_key(n->ecdsa, 1755 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1756 sshkey_free(n); 1757 return SSH_ERR_LIBCRYPTO_ERROR; 1758 } 1759 break; 1760 case KEY_RSA: 1761 case KEY_RSA1: 1762 case KEY_RSA_CERT: 1763 if ((n = sshkey_new(k->type)) == NULL) 1764 return SSH_ERR_ALLOC_FAIL; 1765 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1766 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1767 sshkey_free(n); 1768 return SSH_ERR_ALLOC_FAIL; 1769 } 1770 break; 1771 #endif /* WITH_OPENSSL */ 1772 case KEY_ED25519: 1773 case KEY_ED25519_CERT: 1774 if ((n = sshkey_new(k->type)) == NULL) 1775 return SSH_ERR_ALLOC_FAIL; 1776 if (k->ed25519_pk != NULL) { 1777 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1778 sshkey_free(n); 1779 return SSH_ERR_ALLOC_FAIL; 1780 } 1781 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1782 } 1783 break; 1784 default: 1785 return SSH_ERR_KEY_TYPE_UNKNOWN; 1786 } 1787 if (sshkey_is_cert(k)) { 1788 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1789 sshkey_free(n); 1790 return ret; 1791 } 1792 } 1793 *pkp = n; 1794 return 0; 1795 } 1796 1797 static int 1798 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1799 { 1800 struct sshbuf *principals = NULL, *crit = NULL; 1801 struct sshbuf *exts = NULL, *ca = NULL; 1802 u_char *sig = NULL; 1803 size_t signed_len = 0, slen = 0, kidlen = 0; 1804 int ret = SSH_ERR_INTERNAL_ERROR; 1805 1806 /* Copy the entire key blob for verification and later serialisation */ 1807 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1808 return ret; 1809 1810 /* Parse body of certificate up to signature */ 1811 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1812 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1813 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1814 (ret = sshbuf_froms(b, &principals)) != 0 || 1815 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1816 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1817 (ret = sshbuf_froms(b, &crit)) != 0 || 1818 (ret = sshbuf_froms(b, &exts)) != 0 || 1819 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1820 (ret = sshbuf_froms(b, &ca)) != 0) { 1821 /* XXX debug print error for ret */ 1822 ret = SSH_ERR_INVALID_FORMAT; 1823 goto out; 1824 } 1825 1826 /* Signature is left in the buffer so we can calculate this length */ 1827 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1828 1829 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1830 ret = SSH_ERR_INVALID_FORMAT; 1831 goto out; 1832 } 1833 1834 if (key->cert->type != SSH2_CERT_TYPE_USER && 1835 key->cert->type != SSH2_CERT_TYPE_HOST) { 1836 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1837 goto out; 1838 } 1839 1840 /* Parse principals section */ 1841 while (sshbuf_len(principals) > 0) { 1842 char *principal = NULL; 1843 char **oprincipals = NULL; 1844 1845 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1846 ret = SSH_ERR_INVALID_FORMAT; 1847 goto out; 1848 } 1849 if ((ret = sshbuf_get_cstring(principals, &principal, 1850 NULL)) != 0) { 1851 ret = SSH_ERR_INVALID_FORMAT; 1852 goto out; 1853 } 1854 oprincipals = key->cert->principals; 1855 key->cert->principals = reallocarray(key->cert->principals, 1856 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1857 if (key->cert->principals == NULL) { 1858 free(principal); 1859 key->cert->principals = oprincipals; 1860 ret = SSH_ERR_ALLOC_FAIL; 1861 goto out; 1862 } 1863 key->cert->principals[key->cert->nprincipals++] = principal; 1864 } 1865 1866 /* 1867 * Stash a copies of the critical options and extensions sections 1868 * for later use. 1869 */ 1870 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1871 (exts != NULL && 1872 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1873 goto out; 1874 1875 /* 1876 * Validate critical options and extensions sections format. 1877 */ 1878 while (sshbuf_len(crit) != 0) { 1879 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1880 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1881 sshbuf_reset(key->cert->critical); 1882 ret = SSH_ERR_INVALID_FORMAT; 1883 goto out; 1884 } 1885 } 1886 while (exts != NULL && sshbuf_len(exts) != 0) { 1887 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1888 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1889 sshbuf_reset(key->cert->extensions); 1890 ret = SSH_ERR_INVALID_FORMAT; 1891 goto out; 1892 } 1893 } 1894 1895 /* Parse CA key and check signature */ 1896 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1897 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1898 goto out; 1899 } 1900 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1901 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1902 goto out; 1903 } 1904 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1905 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1906 goto out; 1907 1908 /* Success */ 1909 ret = 0; 1910 out: 1911 sshbuf_free(ca); 1912 sshbuf_free(crit); 1913 sshbuf_free(exts); 1914 sshbuf_free(principals); 1915 free(sig); 1916 return ret; 1917 } 1918 1919 static int 1920 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1921 int allow_cert) 1922 { 1923 int type, ret = SSH_ERR_INTERNAL_ERROR; 1924 char *ktype = NULL, *curve = NULL; 1925 struct sshkey *key = NULL; 1926 size_t len; 1927 u_char *pk = NULL; 1928 struct sshbuf *copy; 1929 #ifdef WITH_OPENSSL 1930 EC_POINT *q = NULL; 1931 #endif /* WITH_OPENSSL */ 1932 1933 #ifdef DEBUG_PK /* XXX */ 1934 sshbuf_dump(b, stderr); 1935 #endif 1936 if (keyp != NULL) 1937 *keyp = NULL; 1938 if ((copy = sshbuf_fromb(b)) == NULL) { 1939 ret = SSH_ERR_ALLOC_FAIL; 1940 goto out; 1941 } 1942 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1943 ret = SSH_ERR_INVALID_FORMAT; 1944 goto out; 1945 } 1946 1947 type = sshkey_type_from_name(ktype); 1948 if (!allow_cert && sshkey_type_is_cert(type)) { 1949 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1950 goto out; 1951 } 1952 switch (type) { 1953 #ifdef WITH_OPENSSL 1954 case KEY_RSA_CERT: 1955 /* Skip nonce */ 1956 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1957 ret = SSH_ERR_INVALID_FORMAT; 1958 goto out; 1959 } 1960 /* FALLTHROUGH */ 1961 case KEY_RSA: 1962 if ((key = sshkey_new(type)) == NULL) { 1963 ret = SSH_ERR_ALLOC_FAIL; 1964 goto out; 1965 } 1966 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 1967 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 1968 ret = SSH_ERR_INVALID_FORMAT; 1969 goto out; 1970 } 1971 #ifdef DEBUG_PK 1972 RSA_print_fp(stderr, key->rsa, 8); 1973 #endif 1974 break; 1975 case KEY_DSA_CERT: 1976 /* Skip nonce */ 1977 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1978 ret = SSH_ERR_INVALID_FORMAT; 1979 goto out; 1980 } 1981 /* FALLTHROUGH */ 1982 case KEY_DSA: 1983 if ((key = sshkey_new(type)) == NULL) { 1984 ret = SSH_ERR_ALLOC_FAIL; 1985 goto out; 1986 } 1987 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 1988 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 1989 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 1990 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 1991 ret = SSH_ERR_INVALID_FORMAT; 1992 goto out; 1993 } 1994 #ifdef DEBUG_PK 1995 DSA_print_fp(stderr, key->dsa, 8); 1996 #endif 1997 break; 1998 case KEY_ECDSA_CERT: 1999 /* Skip nonce */ 2000 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2001 ret = SSH_ERR_INVALID_FORMAT; 2002 goto out; 2003 } 2004 /* FALLTHROUGH */ 2005 case KEY_ECDSA: 2006 if ((key = sshkey_new(type)) == NULL) { 2007 ret = SSH_ERR_ALLOC_FAIL; 2008 goto out; 2009 } 2010 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2011 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2012 ret = SSH_ERR_INVALID_FORMAT; 2013 goto out; 2014 } 2015 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2016 ret = SSH_ERR_EC_CURVE_MISMATCH; 2017 goto out; 2018 } 2019 if (key->ecdsa != NULL) 2020 EC_KEY_free(key->ecdsa); 2021 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2022 == NULL) { 2023 ret = SSH_ERR_EC_CURVE_INVALID; 2024 goto out; 2025 } 2026 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2027 ret = SSH_ERR_ALLOC_FAIL; 2028 goto out; 2029 } 2030 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2031 ret = SSH_ERR_INVALID_FORMAT; 2032 goto out; 2033 } 2034 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2035 q) != 0) { 2036 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2037 goto out; 2038 } 2039 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2040 /* XXX assume it is a allocation error */ 2041 ret = SSH_ERR_ALLOC_FAIL; 2042 goto out; 2043 } 2044 #ifdef DEBUG_PK 2045 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2046 #endif 2047 break; 2048 #endif /* WITH_OPENSSL */ 2049 case KEY_ED25519_CERT: 2050 /* Skip nonce */ 2051 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2052 ret = SSH_ERR_INVALID_FORMAT; 2053 goto out; 2054 } 2055 /* FALLTHROUGH */ 2056 case KEY_ED25519: 2057 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2058 goto out; 2059 if (len != ED25519_PK_SZ) { 2060 ret = SSH_ERR_INVALID_FORMAT; 2061 goto out; 2062 } 2063 if ((key = sshkey_new(type)) == NULL) { 2064 ret = SSH_ERR_ALLOC_FAIL; 2065 goto out; 2066 } 2067 key->ed25519_pk = pk; 2068 pk = NULL; 2069 break; 2070 case KEY_UNSPEC: 2071 if ((key = sshkey_new(type)) == NULL) { 2072 ret = SSH_ERR_ALLOC_FAIL; 2073 goto out; 2074 } 2075 break; 2076 default: 2077 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2078 goto out; 2079 } 2080 2081 /* Parse certificate potion */ 2082 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2083 goto out; 2084 2085 if (key != NULL && sshbuf_len(b) != 0) { 2086 ret = SSH_ERR_INVALID_FORMAT; 2087 goto out; 2088 } 2089 ret = 0; 2090 if (keyp != NULL) { 2091 *keyp = key; 2092 key = NULL; 2093 } 2094 out: 2095 sshbuf_free(copy); 2096 sshkey_free(key); 2097 free(ktype); 2098 free(curve); 2099 free(pk); 2100 #ifdef WITH_OPENSSL 2101 if (q != NULL) 2102 EC_POINT_free(q); 2103 #endif /* WITH_OPENSSL */ 2104 return ret; 2105 } 2106 2107 int 2108 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2109 { 2110 struct sshbuf *b; 2111 int r; 2112 2113 if ((b = sshbuf_from(blob, blen)) == NULL) 2114 return SSH_ERR_ALLOC_FAIL; 2115 r = sshkey_from_blob_internal(b, keyp, 1); 2116 sshbuf_free(b); 2117 return r; 2118 } 2119 2120 int 2121 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2122 { 2123 return sshkey_from_blob_internal(b, keyp, 1); 2124 } 2125 2126 int 2127 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2128 { 2129 struct sshbuf *b; 2130 int r; 2131 2132 if ((r = sshbuf_froms(buf, &b)) != 0) 2133 return r; 2134 r = sshkey_from_blob_internal(b, keyp, 1); 2135 sshbuf_free(b); 2136 return r; 2137 } 2138 2139 int 2140 sshkey_sign(const struct sshkey *key, 2141 u_char **sigp, size_t *lenp, 2142 const u_char *data, size_t datalen, const char *alg, u_int compat) 2143 { 2144 if (sigp != NULL) 2145 *sigp = NULL; 2146 if (lenp != NULL) 2147 *lenp = 0; 2148 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2149 return SSH_ERR_INVALID_ARGUMENT; 2150 switch (key->type) { 2151 #ifdef WITH_OPENSSL 2152 case KEY_DSA_CERT: 2153 case KEY_DSA: 2154 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2155 case KEY_ECDSA_CERT: 2156 case KEY_ECDSA: 2157 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2158 case KEY_RSA_CERT: 2159 case KEY_RSA: 2160 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2161 #endif /* WITH_OPENSSL */ 2162 case KEY_ED25519: 2163 case KEY_ED25519_CERT: 2164 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2165 default: 2166 return SSH_ERR_KEY_TYPE_UNKNOWN; 2167 } 2168 } 2169 2170 /* 2171 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2172 */ 2173 int 2174 sshkey_verify(const struct sshkey *key, 2175 const u_char *sig, size_t siglen, 2176 const u_char *data, size_t dlen, u_int compat) 2177 { 2178 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2179 return SSH_ERR_INVALID_ARGUMENT; 2180 switch (key->type) { 2181 #ifdef WITH_OPENSSL 2182 case KEY_DSA_CERT: 2183 case KEY_DSA: 2184 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2185 case KEY_ECDSA_CERT: 2186 case KEY_ECDSA: 2187 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2188 case KEY_RSA_CERT: 2189 case KEY_RSA: 2190 return ssh_rsa_verify(key, sig, siglen, data, dlen); 2191 #endif /* WITH_OPENSSL */ 2192 case KEY_ED25519: 2193 case KEY_ED25519_CERT: 2194 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2195 default: 2196 return SSH_ERR_KEY_TYPE_UNKNOWN; 2197 } 2198 } 2199 2200 /* Converts a private to a public key */ 2201 int 2202 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2203 { 2204 struct sshkey *pk; 2205 int ret = SSH_ERR_INTERNAL_ERROR; 2206 2207 *dkp = NULL; 2208 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2209 return SSH_ERR_ALLOC_FAIL; 2210 pk->type = k->type; 2211 pk->flags = k->flags; 2212 pk->ecdsa_nid = k->ecdsa_nid; 2213 pk->dsa = NULL; 2214 pk->ecdsa = NULL; 2215 pk->rsa = NULL; 2216 pk->ed25519_pk = NULL; 2217 pk->ed25519_sk = NULL; 2218 2219 switch (k->type) { 2220 #ifdef WITH_OPENSSL 2221 case KEY_RSA_CERT: 2222 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2223 goto fail; 2224 /* FALLTHROUGH */ 2225 case KEY_RSA1: 2226 case KEY_RSA: 2227 if ((pk->rsa = RSA_new()) == NULL || 2228 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2229 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2230 ret = SSH_ERR_ALLOC_FAIL; 2231 goto fail; 2232 } 2233 break; 2234 case KEY_DSA_CERT: 2235 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2236 goto fail; 2237 /* FALLTHROUGH */ 2238 case KEY_DSA: 2239 if ((pk->dsa = DSA_new()) == NULL || 2240 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2241 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2242 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2243 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2244 ret = SSH_ERR_ALLOC_FAIL; 2245 goto fail; 2246 } 2247 break; 2248 case KEY_ECDSA_CERT: 2249 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2250 goto fail; 2251 /* FALLTHROUGH */ 2252 case KEY_ECDSA: 2253 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2254 if (pk->ecdsa == NULL) { 2255 ret = SSH_ERR_ALLOC_FAIL; 2256 goto fail; 2257 } 2258 if (EC_KEY_set_public_key(pk->ecdsa, 2259 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2260 ret = SSH_ERR_LIBCRYPTO_ERROR; 2261 goto fail; 2262 } 2263 break; 2264 #endif /* WITH_OPENSSL */ 2265 case KEY_ED25519_CERT: 2266 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2267 goto fail; 2268 /* FALLTHROUGH */ 2269 case KEY_ED25519: 2270 if (k->ed25519_pk != NULL) { 2271 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2272 ret = SSH_ERR_ALLOC_FAIL; 2273 goto fail; 2274 } 2275 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2276 } 2277 break; 2278 default: 2279 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2280 fail: 2281 sshkey_free(pk); 2282 return ret; 2283 } 2284 *dkp = pk; 2285 return 0; 2286 } 2287 2288 /* Convert a plain key to their _CERT equivalent */ 2289 int 2290 sshkey_to_certified(struct sshkey *k) 2291 { 2292 int newtype; 2293 2294 switch (k->type) { 2295 #ifdef WITH_OPENSSL 2296 case KEY_RSA: 2297 newtype = KEY_RSA_CERT; 2298 break; 2299 case KEY_DSA: 2300 newtype = KEY_DSA_CERT; 2301 break; 2302 case KEY_ECDSA: 2303 newtype = KEY_ECDSA_CERT; 2304 break; 2305 #endif /* WITH_OPENSSL */ 2306 case KEY_ED25519: 2307 newtype = KEY_ED25519_CERT; 2308 break; 2309 default: 2310 return SSH_ERR_INVALID_ARGUMENT; 2311 } 2312 if ((k->cert = cert_new()) == NULL) 2313 return SSH_ERR_ALLOC_FAIL; 2314 k->type = newtype; 2315 return 0; 2316 } 2317 2318 /* Convert a certificate to its raw key equivalent */ 2319 int 2320 sshkey_drop_cert(struct sshkey *k) 2321 { 2322 if (!sshkey_type_is_cert(k->type)) 2323 return SSH_ERR_KEY_TYPE_UNKNOWN; 2324 cert_free(k->cert); 2325 k->cert = NULL; 2326 k->type = sshkey_type_plain(k->type); 2327 return 0; 2328 } 2329 2330 /* Sign a certified key, (re-)generating the signed certblob. */ 2331 int 2332 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2333 { 2334 struct sshbuf *principals = NULL; 2335 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2336 size_t i, ca_len, sig_len; 2337 int ret = SSH_ERR_INTERNAL_ERROR; 2338 struct sshbuf *cert; 2339 2340 if (k == NULL || k->cert == NULL || 2341 k->cert->certblob == NULL || ca == NULL) 2342 return SSH_ERR_INVALID_ARGUMENT; 2343 if (!sshkey_is_cert(k)) 2344 return SSH_ERR_KEY_TYPE_UNKNOWN; 2345 if (!sshkey_type_is_valid_ca(ca->type)) 2346 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2347 2348 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2349 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2350 2351 cert = k->cert->certblob; /* for readability */ 2352 sshbuf_reset(cert); 2353 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2354 goto out; 2355 2356 /* -v01 certs put nonce first */ 2357 arc4random_buf(&nonce, sizeof(nonce)); 2358 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2359 goto out; 2360 2361 /* XXX this substantially duplicates to_blob(); refactor */ 2362 switch (k->type) { 2363 #ifdef WITH_OPENSSL 2364 case KEY_DSA_CERT: 2365 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2366 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2367 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2368 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2369 goto out; 2370 break; 2371 case KEY_ECDSA_CERT: 2372 if ((ret = sshbuf_put_cstring(cert, 2373 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2374 (ret = sshbuf_put_ec(cert, 2375 EC_KEY_get0_public_key(k->ecdsa), 2376 EC_KEY_get0_group(k->ecdsa))) != 0) 2377 goto out; 2378 break; 2379 case KEY_RSA_CERT: 2380 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2381 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2382 goto out; 2383 break; 2384 #endif /* WITH_OPENSSL */ 2385 case KEY_ED25519_CERT: 2386 if ((ret = sshbuf_put_string(cert, 2387 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2388 goto out; 2389 break; 2390 default: 2391 ret = SSH_ERR_INVALID_ARGUMENT; 2392 goto out; 2393 } 2394 2395 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2396 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2397 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2398 goto out; 2399 2400 if ((principals = sshbuf_new()) == NULL) { 2401 ret = SSH_ERR_ALLOC_FAIL; 2402 goto out; 2403 } 2404 for (i = 0; i < k->cert->nprincipals; i++) { 2405 if ((ret = sshbuf_put_cstring(principals, 2406 k->cert->principals[i])) != 0) 2407 goto out; 2408 } 2409 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2410 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2411 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2412 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2413 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2414 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2415 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2416 goto out; 2417 2418 /* Sign the whole mess */ 2419 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2420 sshbuf_len(cert), alg, 0)) != 0) 2421 goto out; 2422 2423 /* Append signature and we are done */ 2424 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2425 goto out; 2426 ret = 0; 2427 out: 2428 if (ret != 0) 2429 sshbuf_reset(cert); 2430 free(sig_blob); 2431 free(ca_blob); 2432 sshbuf_free(principals); 2433 return ret; 2434 } 2435 2436 int 2437 sshkey_cert_check_authority(const struct sshkey *k, 2438 int want_host, int require_principal, 2439 const char *name, const char **reason) 2440 { 2441 u_int i, principal_matches; 2442 time_t now = time(NULL); 2443 2444 if (reason != NULL) 2445 *reason = NULL; 2446 2447 if (want_host) { 2448 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2449 *reason = "Certificate invalid: not a host certificate"; 2450 return SSH_ERR_KEY_CERT_INVALID; 2451 } 2452 } else { 2453 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2454 *reason = "Certificate invalid: not a user certificate"; 2455 return SSH_ERR_KEY_CERT_INVALID; 2456 } 2457 } 2458 if (now < 0) { 2459 /* yikes - system clock before epoch! */ 2460 *reason = "Certificate invalid: not yet valid"; 2461 return SSH_ERR_KEY_CERT_INVALID; 2462 } 2463 if ((u_int64_t)now < k->cert->valid_after) { 2464 *reason = "Certificate invalid: not yet valid"; 2465 return SSH_ERR_KEY_CERT_INVALID; 2466 } 2467 if ((u_int64_t)now >= k->cert->valid_before) { 2468 *reason = "Certificate invalid: expired"; 2469 return SSH_ERR_KEY_CERT_INVALID; 2470 } 2471 if (k->cert->nprincipals == 0) { 2472 if (require_principal) { 2473 *reason = "Certificate lacks principal list"; 2474 return SSH_ERR_KEY_CERT_INVALID; 2475 } 2476 } else if (name != NULL) { 2477 principal_matches = 0; 2478 for (i = 0; i < k->cert->nprincipals; i++) { 2479 if (strcmp(name, k->cert->principals[i]) == 0) { 2480 principal_matches = 1; 2481 break; 2482 } 2483 } 2484 if (!principal_matches) { 2485 *reason = "Certificate invalid: name is not a listed " 2486 "principal"; 2487 return SSH_ERR_KEY_CERT_INVALID; 2488 } 2489 } 2490 return 0; 2491 } 2492 2493 size_t 2494 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2495 { 2496 char from[32], to[32], ret[64]; 2497 time_t tt; 2498 struct tm *tm; 2499 2500 *from = *to = '\0'; 2501 if (cert->valid_after == 0 && 2502 cert->valid_before == 0xffffffffffffffffULL) 2503 return strlcpy(s, "forever", l); 2504 2505 if (cert->valid_after != 0) { 2506 /* XXX revisit INT_MAX in 2038 :) */ 2507 tt = cert->valid_after > INT_MAX ? 2508 INT_MAX : cert->valid_after; 2509 tm = localtime(&tt); 2510 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2511 } 2512 if (cert->valid_before != 0xffffffffffffffffULL) { 2513 /* XXX revisit INT_MAX in 2038 :) */ 2514 tt = cert->valid_before > INT_MAX ? 2515 INT_MAX : cert->valid_before; 2516 tm = localtime(&tt); 2517 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2518 } 2519 2520 if (cert->valid_after == 0) 2521 snprintf(ret, sizeof(ret), "before %s", to); 2522 else if (cert->valid_before == 0xffffffffffffffffULL) 2523 snprintf(ret, sizeof(ret), "after %s", from); 2524 else 2525 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2526 2527 return strlcpy(s, ret, l); 2528 } 2529 2530 int 2531 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2532 { 2533 int r = SSH_ERR_INTERNAL_ERROR; 2534 2535 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2536 goto out; 2537 switch (key->type) { 2538 #ifdef WITH_OPENSSL 2539 case KEY_RSA: 2540 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2541 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2542 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2543 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2544 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2545 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2546 goto out; 2547 break; 2548 case KEY_RSA_CERT: 2549 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2550 r = SSH_ERR_INVALID_ARGUMENT; 2551 goto out; 2552 } 2553 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2554 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2555 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2556 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2557 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2558 goto out; 2559 break; 2560 case KEY_DSA: 2561 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2562 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2563 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2564 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2565 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2566 goto out; 2567 break; 2568 case KEY_DSA_CERT: 2569 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2570 r = SSH_ERR_INVALID_ARGUMENT; 2571 goto out; 2572 } 2573 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2574 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2575 goto out; 2576 break; 2577 case KEY_ECDSA: 2578 if ((r = sshbuf_put_cstring(b, 2579 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2580 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2581 (r = sshbuf_put_bignum2(b, 2582 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2583 goto out; 2584 break; 2585 case KEY_ECDSA_CERT: 2586 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2587 r = SSH_ERR_INVALID_ARGUMENT; 2588 goto out; 2589 } 2590 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2591 (r = sshbuf_put_bignum2(b, 2592 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2593 goto out; 2594 break; 2595 #endif /* WITH_OPENSSL */ 2596 case KEY_ED25519: 2597 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2598 ED25519_PK_SZ)) != 0 || 2599 (r = sshbuf_put_string(b, key->ed25519_sk, 2600 ED25519_SK_SZ)) != 0) 2601 goto out; 2602 break; 2603 case KEY_ED25519_CERT: 2604 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2605 r = SSH_ERR_INVALID_ARGUMENT; 2606 goto out; 2607 } 2608 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2609 (r = sshbuf_put_string(b, key->ed25519_pk, 2610 ED25519_PK_SZ)) != 0 || 2611 (r = sshbuf_put_string(b, key->ed25519_sk, 2612 ED25519_SK_SZ)) != 0) 2613 goto out; 2614 break; 2615 default: 2616 r = SSH_ERR_INVALID_ARGUMENT; 2617 goto out; 2618 } 2619 /* success */ 2620 r = 0; 2621 out: 2622 return r; 2623 } 2624 2625 int 2626 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2627 { 2628 char *tname = NULL, *curve = NULL; 2629 struct sshkey *k = NULL; 2630 size_t pklen = 0, sklen = 0; 2631 int type, r = SSH_ERR_INTERNAL_ERROR; 2632 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2633 #ifdef WITH_OPENSSL 2634 BIGNUM *exponent = NULL; 2635 #endif /* WITH_OPENSSL */ 2636 2637 if (kp != NULL) 2638 *kp = NULL; 2639 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2640 goto out; 2641 type = sshkey_type_from_name(tname); 2642 switch (type) { 2643 #ifdef WITH_OPENSSL 2644 case KEY_DSA: 2645 if ((k = sshkey_new_private(type)) == NULL) { 2646 r = SSH_ERR_ALLOC_FAIL; 2647 goto out; 2648 } 2649 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2650 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2651 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2652 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2653 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2654 goto out; 2655 break; 2656 case KEY_DSA_CERT: 2657 if ((r = sshkey_froms(buf, &k)) != 0 || 2658 (r = sshkey_add_private(k)) != 0 || 2659 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2660 goto out; 2661 break; 2662 case KEY_ECDSA: 2663 if ((k = sshkey_new_private(type)) == NULL) { 2664 r = SSH_ERR_ALLOC_FAIL; 2665 goto out; 2666 } 2667 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2668 r = SSH_ERR_INVALID_ARGUMENT; 2669 goto out; 2670 } 2671 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2672 goto out; 2673 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2674 r = SSH_ERR_EC_CURVE_MISMATCH; 2675 goto out; 2676 } 2677 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2678 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2679 r = SSH_ERR_LIBCRYPTO_ERROR; 2680 goto out; 2681 } 2682 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2683 (r = sshbuf_get_bignum2(buf, exponent))) 2684 goto out; 2685 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2686 r = SSH_ERR_LIBCRYPTO_ERROR; 2687 goto out; 2688 } 2689 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2690 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2691 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2692 goto out; 2693 break; 2694 case KEY_ECDSA_CERT: 2695 if ((exponent = BN_new()) == NULL) { 2696 r = SSH_ERR_LIBCRYPTO_ERROR; 2697 goto out; 2698 } 2699 if ((r = sshkey_froms(buf, &k)) != 0 || 2700 (r = sshkey_add_private(k)) != 0 || 2701 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2702 goto out; 2703 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2704 r = SSH_ERR_LIBCRYPTO_ERROR; 2705 goto out; 2706 } 2707 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2708 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2709 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2710 goto out; 2711 break; 2712 case KEY_RSA: 2713 if ((k = sshkey_new_private(type)) == NULL) { 2714 r = SSH_ERR_ALLOC_FAIL; 2715 goto out; 2716 } 2717 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2718 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2719 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2720 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2721 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2722 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2723 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2724 goto out; 2725 break; 2726 case KEY_RSA_CERT: 2727 if ((r = sshkey_froms(buf, &k)) != 0 || 2728 (r = sshkey_add_private(k)) != 0 || 2729 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2730 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2731 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2732 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2733 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2734 goto out; 2735 break; 2736 #endif /* WITH_OPENSSL */ 2737 case KEY_ED25519: 2738 if ((k = sshkey_new_private(type)) == NULL) { 2739 r = SSH_ERR_ALLOC_FAIL; 2740 goto out; 2741 } 2742 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2743 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2744 goto out; 2745 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2746 r = SSH_ERR_INVALID_FORMAT; 2747 goto out; 2748 } 2749 k->ed25519_pk = ed25519_pk; 2750 k->ed25519_sk = ed25519_sk; 2751 ed25519_pk = ed25519_sk = NULL; 2752 break; 2753 case KEY_ED25519_CERT: 2754 if ((r = sshkey_froms(buf, &k)) != 0 || 2755 (r = sshkey_add_private(k)) != 0 || 2756 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2757 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2758 goto out; 2759 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2760 r = SSH_ERR_INVALID_FORMAT; 2761 goto out; 2762 } 2763 k->ed25519_pk = ed25519_pk; 2764 k->ed25519_sk = ed25519_sk; 2765 ed25519_pk = ed25519_sk = NULL; 2766 break; 2767 default: 2768 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2769 goto out; 2770 } 2771 #ifdef WITH_OPENSSL 2772 /* enable blinding */ 2773 switch (k->type) { 2774 case KEY_RSA: 2775 case KEY_RSA_CERT: 2776 case KEY_RSA1: 2777 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2778 r = SSH_ERR_LIBCRYPTO_ERROR; 2779 goto out; 2780 } 2781 break; 2782 } 2783 #endif /* WITH_OPENSSL */ 2784 /* success */ 2785 r = 0; 2786 if (kp != NULL) { 2787 *kp = k; 2788 k = NULL; 2789 } 2790 out: 2791 free(tname); 2792 free(curve); 2793 #ifdef WITH_OPENSSL 2794 if (exponent != NULL) 2795 BN_clear_free(exponent); 2796 #endif /* WITH_OPENSSL */ 2797 sshkey_free(k); 2798 if (ed25519_pk != NULL) { 2799 explicit_bzero(ed25519_pk, pklen); 2800 free(ed25519_pk); 2801 } 2802 if (ed25519_sk != NULL) { 2803 explicit_bzero(ed25519_sk, sklen); 2804 free(ed25519_sk); 2805 } 2806 return r; 2807 } 2808 2809 #ifdef WITH_OPENSSL 2810 int 2811 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2812 { 2813 BN_CTX *bnctx; 2814 EC_POINT *nq = NULL; 2815 BIGNUM *order, *x, *y, *tmp; 2816 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2817 2818 if ((bnctx = BN_CTX_new()) == NULL) 2819 return SSH_ERR_ALLOC_FAIL; 2820 BN_CTX_start(bnctx); 2821 2822 /* 2823 * We shouldn't ever hit this case because bignum_get_ecpoint() 2824 * refuses to load GF2m points. 2825 */ 2826 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2827 NID_X9_62_prime_field) 2828 goto out; 2829 2830 /* Q != infinity */ 2831 if (EC_POINT_is_at_infinity(group, public)) 2832 goto out; 2833 2834 if ((x = BN_CTX_get(bnctx)) == NULL || 2835 (y = BN_CTX_get(bnctx)) == NULL || 2836 (order = BN_CTX_get(bnctx)) == NULL || 2837 (tmp = BN_CTX_get(bnctx)) == NULL) { 2838 ret = SSH_ERR_ALLOC_FAIL; 2839 goto out; 2840 } 2841 2842 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2843 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2844 EC_POINT_get_affine_coordinates_GFp(group, public, 2845 x, y, bnctx) != 1) { 2846 ret = SSH_ERR_LIBCRYPTO_ERROR; 2847 goto out; 2848 } 2849 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2850 BN_num_bits(y) <= BN_num_bits(order) / 2) 2851 goto out; 2852 2853 /* nQ == infinity (n == order of subgroup) */ 2854 if ((nq = EC_POINT_new(group)) == NULL) { 2855 ret = SSH_ERR_ALLOC_FAIL; 2856 goto out; 2857 } 2858 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2859 ret = SSH_ERR_LIBCRYPTO_ERROR; 2860 goto out; 2861 } 2862 if (EC_POINT_is_at_infinity(group, nq) != 1) 2863 goto out; 2864 2865 /* x < order - 1, y < order - 1 */ 2866 if (!BN_sub(tmp, order, BN_value_one())) { 2867 ret = SSH_ERR_LIBCRYPTO_ERROR; 2868 goto out; 2869 } 2870 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2871 goto out; 2872 ret = 0; 2873 out: 2874 BN_CTX_free(bnctx); 2875 if (nq != NULL) 2876 EC_POINT_free(nq); 2877 return ret; 2878 } 2879 2880 int 2881 sshkey_ec_validate_private(const EC_KEY *key) 2882 { 2883 BN_CTX *bnctx; 2884 BIGNUM *order, *tmp; 2885 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2886 2887 if ((bnctx = BN_CTX_new()) == NULL) 2888 return SSH_ERR_ALLOC_FAIL; 2889 BN_CTX_start(bnctx); 2890 2891 if ((order = BN_CTX_get(bnctx)) == NULL || 2892 (tmp = BN_CTX_get(bnctx)) == NULL) { 2893 ret = SSH_ERR_ALLOC_FAIL; 2894 goto out; 2895 } 2896 2897 /* log2(private) > log2(order)/2 */ 2898 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2899 ret = SSH_ERR_LIBCRYPTO_ERROR; 2900 goto out; 2901 } 2902 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2903 BN_num_bits(order) / 2) 2904 goto out; 2905 2906 /* private < order - 1 */ 2907 if (!BN_sub(tmp, order, BN_value_one())) { 2908 ret = SSH_ERR_LIBCRYPTO_ERROR; 2909 goto out; 2910 } 2911 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2912 goto out; 2913 ret = 0; 2914 out: 2915 BN_CTX_free(bnctx); 2916 return ret; 2917 } 2918 2919 void 2920 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2921 { 2922 BIGNUM *x, *y; 2923 BN_CTX *bnctx; 2924 2925 if (point == NULL) { 2926 fputs("point=(NULL)\n", stderr); 2927 return; 2928 } 2929 if ((bnctx = BN_CTX_new()) == NULL) { 2930 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2931 return; 2932 } 2933 BN_CTX_start(bnctx); 2934 if ((x = BN_CTX_get(bnctx)) == NULL || 2935 (y = BN_CTX_get(bnctx)) == NULL) { 2936 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2937 return; 2938 } 2939 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2940 NID_X9_62_prime_field) { 2941 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2942 return; 2943 } 2944 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2945 bnctx) != 1) { 2946 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2947 __func__); 2948 return; 2949 } 2950 fputs("x=", stderr); 2951 BN_print_fp(stderr, x); 2952 fputs("\ny=", stderr); 2953 BN_print_fp(stderr, y); 2954 fputs("\n", stderr); 2955 BN_CTX_free(bnctx); 2956 } 2957 2958 void 2959 sshkey_dump_ec_key(const EC_KEY *key) 2960 { 2961 const BIGNUM *exponent; 2962 2963 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2964 EC_KEY_get0_public_key(key)); 2965 fputs("exponent=", stderr); 2966 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2967 fputs("(NULL)", stderr); 2968 else 2969 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2970 fputs("\n", stderr); 2971 } 2972 #endif /* WITH_OPENSSL */ 2973 2974 static int 2975 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2976 const char *passphrase, const char *comment, const char *ciphername, 2977 int rounds) 2978 { 2979 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2980 u_char salt[SALT_LEN]; 2981 char *b64 = NULL; 2982 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2983 u_int check; 2984 int r = SSH_ERR_INTERNAL_ERROR; 2985 struct sshcipher_ctx ciphercontext; 2986 const struct sshcipher *cipher; 2987 const char *kdfname = KDFNAME; 2988 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2989 2990 memset(&ciphercontext, 0, sizeof(ciphercontext)); 2991 2992 if (rounds <= 0) 2993 rounds = DEFAULT_ROUNDS; 2994 if (passphrase == NULL || !strlen(passphrase)) { 2995 ciphername = "none"; 2996 kdfname = "none"; 2997 } else if (ciphername == NULL) 2998 ciphername = DEFAULT_CIPHERNAME; 2999 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 3000 r = SSH_ERR_INVALID_ARGUMENT; 3001 goto out; 3002 } 3003 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3004 r = SSH_ERR_INTERNAL_ERROR; 3005 goto out; 3006 } 3007 3008 if ((kdf = sshbuf_new()) == NULL || 3009 (encoded = sshbuf_new()) == NULL || 3010 (encrypted = sshbuf_new()) == NULL) { 3011 r = SSH_ERR_ALLOC_FAIL; 3012 goto out; 3013 } 3014 blocksize = cipher_blocksize(cipher); 3015 keylen = cipher_keylen(cipher); 3016 ivlen = cipher_ivlen(cipher); 3017 authlen = cipher_authlen(cipher); 3018 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3019 r = SSH_ERR_ALLOC_FAIL; 3020 goto out; 3021 } 3022 if (strcmp(kdfname, "bcrypt") == 0) { 3023 arc4random_buf(salt, SALT_LEN); 3024 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3025 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3026 r = SSH_ERR_INVALID_ARGUMENT; 3027 goto out; 3028 } 3029 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3030 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3031 goto out; 3032 } else if (strcmp(kdfname, "none") != 0) { 3033 /* Unsupported KDF type */ 3034 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3035 goto out; 3036 } 3037 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3038 key + keylen, ivlen, 1)) != 0) 3039 goto out; 3040 3041 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3042 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3043 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3044 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3045 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3046 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3047 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3048 goto out; 3049 3050 /* set up the buffer that will be encrypted */ 3051 3052 /* Random check bytes */ 3053 check = arc4random(); 3054 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3055 (r = sshbuf_put_u32(encrypted, check)) != 0) 3056 goto out; 3057 3058 /* append private key and comment*/ 3059 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 3060 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3061 goto out; 3062 3063 /* padding */ 3064 i = 0; 3065 while (sshbuf_len(encrypted) % blocksize) { 3066 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3067 goto out; 3068 } 3069 3070 /* length in destination buffer */ 3071 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3072 goto out; 3073 3074 /* encrypt */ 3075 if ((r = sshbuf_reserve(encoded, 3076 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3077 goto out; 3078 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3079 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3080 goto out; 3081 3082 /* uuencode */ 3083 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3084 r = SSH_ERR_ALLOC_FAIL; 3085 goto out; 3086 } 3087 3088 sshbuf_reset(blob); 3089 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3090 goto out; 3091 for (i = 0; i < strlen(b64); i++) { 3092 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3093 goto out; 3094 /* insert line breaks */ 3095 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3096 goto out; 3097 } 3098 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3099 goto out; 3100 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3101 goto out; 3102 3103 /* success */ 3104 r = 0; 3105 3106 out: 3107 sshbuf_free(kdf); 3108 sshbuf_free(encoded); 3109 sshbuf_free(encrypted); 3110 cipher_cleanup(&ciphercontext); 3111 explicit_bzero(salt, sizeof(salt)); 3112 if (key != NULL) { 3113 explicit_bzero(key, keylen + ivlen); 3114 free(key); 3115 } 3116 if (pubkeyblob != NULL) { 3117 explicit_bzero(pubkeyblob, pubkeylen); 3118 free(pubkeyblob); 3119 } 3120 if (b64 != NULL) { 3121 explicit_bzero(b64, strlen(b64)); 3122 free(b64); 3123 } 3124 return r; 3125 } 3126 3127 static int 3128 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3129 struct sshkey **keyp, char **commentp) 3130 { 3131 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3132 const struct sshcipher *cipher = NULL; 3133 const u_char *cp; 3134 int r = SSH_ERR_INTERNAL_ERROR; 3135 size_t encoded_len; 3136 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3137 struct sshbuf *encoded = NULL, *decoded = NULL; 3138 struct sshbuf *kdf = NULL, *decrypted = NULL; 3139 struct sshcipher_ctx ciphercontext; 3140 struct sshkey *k = NULL; 3141 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3142 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3143 3144 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3145 if (keyp != NULL) 3146 *keyp = NULL; 3147 if (commentp != NULL) 3148 *commentp = NULL; 3149 3150 if ((encoded = sshbuf_new()) == NULL || 3151 (decoded = sshbuf_new()) == NULL || 3152 (decrypted = sshbuf_new()) == NULL) { 3153 r = SSH_ERR_ALLOC_FAIL; 3154 goto out; 3155 } 3156 3157 /* check preamble */ 3158 cp = sshbuf_ptr(blob); 3159 encoded_len = sshbuf_len(blob); 3160 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3161 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3162 r = SSH_ERR_INVALID_FORMAT; 3163 goto out; 3164 } 3165 cp += MARK_BEGIN_LEN; 3166 encoded_len -= MARK_BEGIN_LEN; 3167 3168 /* Look for end marker, removing whitespace as we go */ 3169 while (encoded_len > 0) { 3170 if (*cp != '\n' && *cp != '\r') { 3171 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3172 goto out; 3173 } 3174 last = *cp; 3175 encoded_len--; 3176 cp++; 3177 if (last == '\n') { 3178 if (encoded_len >= MARK_END_LEN && 3179 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3180 /* \0 terminate */ 3181 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3182 goto out; 3183 break; 3184 } 3185 } 3186 } 3187 if (encoded_len == 0) { 3188 r = SSH_ERR_INVALID_FORMAT; 3189 goto out; 3190 } 3191 3192 /* decode base64 */ 3193 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 3194 goto out; 3195 3196 /* check magic */ 3197 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3198 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3199 r = SSH_ERR_INVALID_FORMAT; 3200 goto out; 3201 } 3202 /* parse public portion of key */ 3203 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3204 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3205 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3206 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3207 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3208 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3209 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3210 goto out; 3211 3212 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3213 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3214 goto out; 3215 } 3216 if ((passphrase == NULL || strlen(passphrase) == 0) && 3217 strcmp(ciphername, "none") != 0) { 3218 /* passphrase required */ 3219 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3220 goto out; 3221 } 3222 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3223 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3224 goto out; 3225 } 3226 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3227 r = SSH_ERR_INVALID_FORMAT; 3228 goto out; 3229 } 3230 if (nkeys != 1) { 3231 /* XXX only one key supported */ 3232 r = SSH_ERR_INVALID_FORMAT; 3233 goto out; 3234 } 3235 3236 /* check size of encrypted key blob */ 3237 blocksize = cipher_blocksize(cipher); 3238 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3239 r = SSH_ERR_INVALID_FORMAT; 3240 goto out; 3241 } 3242 3243 /* setup key */ 3244 keylen = cipher_keylen(cipher); 3245 ivlen = cipher_ivlen(cipher); 3246 authlen = cipher_authlen(cipher); 3247 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3248 r = SSH_ERR_ALLOC_FAIL; 3249 goto out; 3250 } 3251 if (strcmp(kdfname, "bcrypt") == 0) { 3252 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3253 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3254 goto out; 3255 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3256 key, keylen + ivlen, rounds) < 0) { 3257 r = SSH_ERR_INVALID_FORMAT; 3258 goto out; 3259 } 3260 } 3261 3262 /* check that an appropriate amount of auth data is present */ 3263 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3264 r = SSH_ERR_INVALID_FORMAT; 3265 goto out; 3266 } 3267 3268 /* decrypt private portion of key */ 3269 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3270 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3271 key + keylen, ivlen, 0)) != 0) 3272 goto out; 3273 if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), 3274 encrypted_len, 0, authlen)) != 0) { 3275 /* an integrity error here indicates an incorrect passphrase */ 3276 if (r == SSH_ERR_MAC_INVALID) 3277 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3278 goto out; 3279 } 3280 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3281 goto out; 3282 /* there should be no trailing data */ 3283 if (sshbuf_len(decoded) != 0) { 3284 r = SSH_ERR_INVALID_FORMAT; 3285 goto out; 3286 } 3287 3288 /* check check bytes */ 3289 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3290 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3291 goto out; 3292 if (check1 != check2) { 3293 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3294 goto out; 3295 } 3296 3297 /* Load the private key and comment */ 3298 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3299 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3300 goto out; 3301 3302 /* Check deterministic padding */ 3303 i = 0; 3304 while (sshbuf_len(decrypted)) { 3305 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3306 goto out; 3307 if (pad != (++i & 0xff)) { 3308 r = SSH_ERR_INVALID_FORMAT; 3309 goto out; 3310 } 3311 } 3312 3313 /* XXX decode pubkey and check against private */ 3314 3315 /* success */ 3316 r = 0; 3317 if (keyp != NULL) { 3318 *keyp = k; 3319 k = NULL; 3320 } 3321 if (commentp != NULL) { 3322 *commentp = comment; 3323 comment = NULL; 3324 } 3325 out: 3326 pad = 0; 3327 cipher_cleanup(&ciphercontext); 3328 free(ciphername); 3329 free(kdfname); 3330 free(comment); 3331 if (salt != NULL) { 3332 explicit_bzero(salt, slen); 3333 free(salt); 3334 } 3335 if (key != NULL) { 3336 explicit_bzero(key, keylen + ivlen); 3337 free(key); 3338 } 3339 sshbuf_free(encoded); 3340 sshbuf_free(decoded); 3341 sshbuf_free(kdf); 3342 sshbuf_free(decrypted); 3343 sshkey_free(k); 3344 return r; 3345 } 3346 3347 #if WITH_SSH1 3348 /* 3349 * Serialises the authentication (private) key to a blob, encrypting it with 3350 * passphrase. The identification of the blob (lowest 64 bits of n) will 3351 * precede the key to provide identification of the key without needing a 3352 * passphrase. 3353 */ 3354 static int 3355 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3356 const char *passphrase, const char *comment) 3357 { 3358 struct sshbuf *buffer = NULL, *encrypted = NULL; 3359 u_char buf[8]; 3360 int r, cipher_num; 3361 struct sshcipher_ctx ciphercontext; 3362 const struct sshcipher *cipher; 3363 u_char *cp; 3364 3365 /* 3366 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3367 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3368 */ 3369 cipher_num = (strcmp(passphrase, "") == 0) ? 3370 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3371 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3372 return SSH_ERR_INTERNAL_ERROR; 3373 3374 /* This buffer is used to build the secret part of the private key. */ 3375 if ((buffer = sshbuf_new()) == NULL) 3376 return SSH_ERR_ALLOC_FAIL; 3377 3378 /* Put checkbytes for checking passphrase validity. */ 3379 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3380 goto out; 3381 arc4random_buf(cp, 2); 3382 memcpy(cp + 2, cp, 2); 3383 3384 /* 3385 * Store the private key (n and e will not be stored because they 3386 * will be stored in plain text, and storing them also in encrypted 3387 * format would just give known plaintext). 3388 * Note: q and p are stored in reverse order to SSL. 3389 */ 3390 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3391 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3392 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3393 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3394 goto out; 3395 3396 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3397 explicit_bzero(buf, 8); 3398 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3399 goto out; 3400 3401 /* This buffer will be used to contain the data in the file. */ 3402 if ((encrypted = sshbuf_new()) == NULL) { 3403 r = SSH_ERR_ALLOC_FAIL; 3404 goto out; 3405 } 3406 3407 /* First store keyfile id string. */ 3408 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3409 sizeof(LEGACY_BEGIN))) != 0) 3410 goto out; 3411 3412 /* Store cipher type and "reserved" field. */ 3413 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3414 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3415 goto out; 3416 3417 /* Store public key. This will be in plain text. */ 3418 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3419 (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 || 3420 (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 || 3421 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3422 goto out; 3423 3424 /* Allocate space for the private part of the key in the buffer. */ 3425 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3426 goto out; 3427 3428 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3429 CIPHER_ENCRYPT)) != 0) 3430 goto out; 3431 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3432 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3433 goto out; 3434 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3435 goto out; 3436 3437 r = sshbuf_putb(blob, encrypted); 3438 3439 out: 3440 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3441 explicit_bzero(buf, sizeof(buf)); 3442 sshbuf_free(buffer); 3443 sshbuf_free(encrypted); 3444 3445 return r; 3446 } 3447 #endif /* WITH_SSH1 */ 3448 3449 #ifdef WITH_OPENSSL 3450 /* convert SSH v2 key in OpenSSL PEM format */ 3451 static int 3452 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3453 const char *_passphrase, const char *comment) 3454 { 3455 int success, r; 3456 int blen, len = strlen(_passphrase); 3457 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 3458 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3459 const u_char *bptr; 3460 BIO *bio = NULL; 3461 3462 if (len > 0 && len <= 4) 3463 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3464 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3465 return SSH_ERR_ALLOC_FAIL; 3466 3467 switch (key->type) { 3468 case KEY_DSA: 3469 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3470 cipher, passphrase, len, NULL, NULL); 3471 break; 3472 case KEY_ECDSA: 3473 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3474 cipher, passphrase, len, NULL, NULL); 3475 break; 3476 case KEY_RSA: 3477 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3478 cipher, passphrase, len, NULL, NULL); 3479 break; 3480 default: 3481 success = 0; 3482 break; 3483 } 3484 if (success == 0) { 3485 r = SSH_ERR_LIBCRYPTO_ERROR; 3486 goto out; 3487 } 3488 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3489 r = SSH_ERR_INTERNAL_ERROR; 3490 goto out; 3491 } 3492 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3493 goto out; 3494 r = 0; 3495 out: 3496 BIO_free(bio); 3497 return r; 3498 } 3499 #endif /* WITH_OPENSSL */ 3500 3501 /* Serialise "key" to buffer "blob" */ 3502 int 3503 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3504 const char *passphrase, const char *comment, 3505 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3506 { 3507 switch (key->type) { 3508 #ifdef WITH_SSH1 3509 case KEY_RSA1: 3510 return sshkey_private_rsa1_to_blob(key, blob, 3511 passphrase, comment); 3512 #endif /* WITH_SSH1 */ 3513 #ifdef WITH_OPENSSL 3514 case KEY_DSA: 3515 case KEY_ECDSA: 3516 case KEY_RSA: 3517 if (force_new_format) { 3518 return sshkey_private_to_blob2(key, blob, passphrase, 3519 comment, new_format_cipher, new_format_rounds); 3520 } 3521 return sshkey_private_pem_to_blob(key, blob, 3522 passphrase, comment); 3523 #endif /* WITH_OPENSSL */ 3524 case KEY_ED25519: 3525 return sshkey_private_to_blob2(key, blob, passphrase, 3526 comment, new_format_cipher, new_format_rounds); 3527 default: 3528 return SSH_ERR_KEY_TYPE_UNKNOWN; 3529 } 3530 } 3531 3532 #ifdef WITH_SSH1 3533 /* 3534 * Parse the public, unencrypted portion of a RSA1 key. 3535 */ 3536 int 3537 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3538 struct sshkey **keyp, char **commentp) 3539 { 3540 int r; 3541 struct sshkey *pub = NULL; 3542 struct sshbuf *copy = NULL; 3543 3544 if (keyp != NULL) 3545 *keyp = NULL; 3546 if (commentp != NULL) 3547 *commentp = NULL; 3548 3549 /* Check that it is at least big enough to contain the ID string. */ 3550 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3551 return SSH_ERR_INVALID_FORMAT; 3552 3553 /* 3554 * Make sure it begins with the id string. Consume the id string 3555 * from the buffer. 3556 */ 3557 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3558 return SSH_ERR_INVALID_FORMAT; 3559 /* Make a working copy of the keyblob and skip past the magic */ 3560 if ((copy = sshbuf_fromb(blob)) == NULL) 3561 return SSH_ERR_ALLOC_FAIL; 3562 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3563 goto out; 3564 3565 /* Skip cipher type, reserved data and key bits. */ 3566 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3567 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3568 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3569 goto out; 3570 3571 /* Read the public key from the buffer. */ 3572 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3573 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3574 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3575 goto out; 3576 3577 /* Finally, the comment */ 3578 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3579 goto out; 3580 3581 /* The encrypted private part is not parsed by this function. */ 3582 3583 r = 0; 3584 if (keyp != NULL) { 3585 *keyp = pub; 3586 pub = NULL; 3587 } 3588 out: 3589 sshbuf_free(copy); 3590 sshkey_free(pub); 3591 return r; 3592 } 3593 3594 static int 3595 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3596 struct sshkey **keyp, char **commentp) 3597 { 3598 int r; 3599 u_int16_t check1, check2; 3600 u_int8_t cipher_type; 3601 struct sshbuf *decrypted = NULL, *copy = NULL; 3602 u_char *cp; 3603 char *comment = NULL; 3604 struct sshcipher_ctx ciphercontext; 3605 const struct sshcipher *cipher; 3606 struct sshkey *prv = NULL; 3607 3608 if (keyp != NULL) 3609 *keyp = NULL; 3610 if (commentp != NULL) 3611 *commentp = NULL; 3612 3613 /* Check that it is at least big enough to contain the ID string. */ 3614 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3615 return SSH_ERR_INVALID_FORMAT; 3616 3617 /* 3618 * Make sure it begins with the id string. Consume the id string 3619 * from the buffer. 3620 */ 3621 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3622 return SSH_ERR_INVALID_FORMAT; 3623 3624 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3625 r = SSH_ERR_ALLOC_FAIL; 3626 goto out; 3627 } 3628 if ((copy = sshbuf_fromb(blob)) == NULL || 3629 (decrypted = sshbuf_new()) == NULL) { 3630 r = SSH_ERR_ALLOC_FAIL; 3631 goto out; 3632 } 3633 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3634 goto out; 3635 3636 /* Read cipher type. */ 3637 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3638 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3639 goto out; 3640 3641 /* Read the public key and comment from the buffer. */ 3642 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3643 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3644 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3645 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3646 goto out; 3647 3648 /* Check that it is a supported cipher. */ 3649 cipher = cipher_by_number(cipher_type); 3650 if (cipher == NULL) { 3651 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3652 goto out; 3653 } 3654 /* Initialize space for decrypted data. */ 3655 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3656 goto out; 3657 3658 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3659 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3660 CIPHER_DECRYPT)) != 0) 3661 goto out; 3662 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3663 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { 3664 cipher_cleanup(&ciphercontext); 3665 goto out; 3666 } 3667 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3668 goto out; 3669 3670 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3671 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3672 goto out; 3673 if (check1 != check2) { 3674 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3675 goto out; 3676 } 3677 3678 /* Read the rest of the private key. */ 3679 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3680 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3681 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3682 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3683 goto out; 3684 3685 /* calculate p-1 and q-1 */ 3686 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3687 goto out; 3688 3689 /* enable blinding */ 3690 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3691 r = SSH_ERR_LIBCRYPTO_ERROR; 3692 goto out; 3693 } 3694 r = 0; 3695 if (keyp != NULL) { 3696 *keyp = prv; 3697 prv = NULL; 3698 } 3699 if (commentp != NULL) { 3700 *commentp = comment; 3701 comment = NULL; 3702 } 3703 out: 3704 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3705 free(comment); 3706 sshkey_free(prv); 3707 sshbuf_free(copy); 3708 sshbuf_free(decrypted); 3709 return r; 3710 } 3711 #endif /* WITH_SSH1 */ 3712 3713 #ifdef WITH_OPENSSL 3714 static int 3715 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3716 const char *passphrase, struct sshkey **keyp) 3717 { 3718 EVP_PKEY *pk = NULL; 3719 struct sshkey *prv = NULL; 3720 BIO *bio = NULL; 3721 int r; 3722 3723 if (keyp != NULL) 3724 *keyp = NULL; 3725 3726 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3727 return SSH_ERR_ALLOC_FAIL; 3728 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3729 (int)sshbuf_len(blob)) { 3730 r = SSH_ERR_ALLOC_FAIL; 3731 goto out; 3732 } 3733 3734 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3735 __UNCONST(passphrase))) == NULL) { 3736 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3737 goto out; 3738 } 3739 if (pk->type == EVP_PKEY_RSA && 3740 (type == KEY_UNSPEC || type == KEY_RSA)) { 3741 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3742 r = SSH_ERR_ALLOC_FAIL; 3743 goto out; 3744 } 3745 prv->rsa = EVP_PKEY_get1_RSA(pk); 3746 prv->type = KEY_RSA; 3747 #ifdef DEBUG_PK 3748 RSA_print_fp(stderr, prv->rsa, 8); 3749 #endif 3750 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3751 r = SSH_ERR_LIBCRYPTO_ERROR; 3752 goto out; 3753 } 3754 } else if (pk->type == EVP_PKEY_DSA && 3755 (type == KEY_UNSPEC || type == KEY_DSA)) { 3756 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3757 r = SSH_ERR_ALLOC_FAIL; 3758 goto out; 3759 } 3760 prv->dsa = EVP_PKEY_get1_DSA(pk); 3761 prv->type = KEY_DSA; 3762 #ifdef DEBUG_PK 3763 DSA_print_fp(stderr, prv->dsa, 8); 3764 #endif 3765 } else if (pk->type == EVP_PKEY_EC && 3766 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3767 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3768 r = SSH_ERR_ALLOC_FAIL; 3769 goto out; 3770 } 3771 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3772 prv->type = KEY_ECDSA; 3773 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3774 if (prv->ecdsa_nid == -1 || 3775 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3776 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3777 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3778 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3779 r = SSH_ERR_INVALID_FORMAT; 3780 goto out; 3781 } 3782 #ifdef DEBUG_PK 3783 if (prv != NULL && prv->ecdsa != NULL) 3784 sshkey_dump_ec_key(prv->ecdsa); 3785 #endif 3786 } else { 3787 r = SSH_ERR_INVALID_FORMAT; 3788 goto out; 3789 } 3790 r = 0; 3791 if (keyp != NULL) { 3792 *keyp = prv; 3793 prv = NULL; 3794 } 3795 out: 3796 BIO_free(bio); 3797 if (pk != NULL) 3798 EVP_PKEY_free(pk); 3799 sshkey_free(prv); 3800 return r; 3801 } 3802 #endif /* WITH_OPENSSL */ 3803 3804 int 3805 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3806 const char *passphrase, struct sshkey **keyp, char **commentp) 3807 { 3808 if (keyp != NULL) 3809 *keyp = NULL; 3810 if (commentp != NULL) 3811 *commentp = NULL; 3812 3813 switch (type) { 3814 #ifdef WITH_SSH1 3815 case KEY_RSA1: 3816 return sshkey_parse_private_rsa1(blob, passphrase, 3817 keyp, commentp); 3818 #endif /* WITH_SSH1 */ 3819 #ifdef WITH_OPENSSL 3820 case KEY_DSA: 3821 case KEY_ECDSA: 3822 case KEY_RSA: 3823 return sshkey_parse_private_pem_fileblob(blob, type, 3824 passphrase, keyp); 3825 #endif /* WITH_OPENSSL */ 3826 case KEY_ED25519: 3827 return sshkey_parse_private2(blob, type, passphrase, 3828 keyp, commentp); 3829 case KEY_UNSPEC: 3830 if (sshkey_parse_private2(blob, type, passphrase, keyp, 3831 commentp) == 0) 3832 return 0; 3833 #ifdef WITH_OPENSSL 3834 return sshkey_parse_private_pem_fileblob(blob, type, 3835 passphrase, keyp); 3836 #else 3837 return SSH_ERR_INVALID_FORMAT; 3838 #endif /* WITH_OPENSSL */ 3839 default: 3840 return SSH_ERR_KEY_TYPE_UNKNOWN; 3841 } 3842 } 3843 3844 int 3845 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3846 struct sshkey **keyp, char **commentp) 3847 { 3848 if (keyp != NULL) 3849 *keyp = NULL; 3850 if (commentp != NULL) 3851 *commentp = NULL; 3852 3853 #ifdef WITH_SSH1 3854 /* it's a SSH v1 key if the public key part is readable */ 3855 if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) { 3856 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3857 passphrase, keyp, commentp); 3858 } 3859 #endif /* WITH_SSH1 */ 3860 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3861 passphrase, keyp, commentp); 3862 } 3863