1 /* $NetBSD: sshkey.c,v 1.22 2020/02/27 00:24:40 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.99 2020/01/21 05:56:56 djm Exp $ */ 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 6 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 #include "includes.h" 29 __RCSID("$NetBSD: sshkey.c,v 1.22 2020/02/27 00:24:40 christos Exp $"); 30 31 #include <sys/types.h> 32 #include <netinet/in.h> 33 34 #ifdef WITH_OPENSSL 35 #include <openssl/evp.h> 36 #include <openssl/err.h> 37 #include <openssl/pem.h> 38 #endif 39 40 #include "crypto_api.h" 41 42 #include <errno.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <util.h> 46 #include <limits.h> 47 #include <resolv.h> 48 49 #include "ssh2.h" 50 #include "ssherr.h" 51 #include "misc.h" 52 #include "sshbuf.h" 53 #include "cipher.h" 54 #include "digest.h" 55 #define SSHKEY_INTERNAL 56 #include "sshkey.h" 57 #include "match.h" 58 #include "ssh-sk.h" 59 60 #ifdef WITH_XMSS 61 #include "sshkey-xmss.h" 62 #include "xmss_fast.h" 63 #endif 64 65 /* openssh private key file format */ 66 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 67 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 68 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 69 #define MARK_END_LEN (sizeof(MARK_END) - 1) 70 #define KDFNAME "bcrypt" 71 #define AUTH_MAGIC "openssh-key-v1" 72 #define SALT_LEN 16 73 #define DEFAULT_CIPHERNAME "aes256-ctr" 74 #define DEFAULT_ROUNDS 16 75 76 /* Version identification string for SSH v1 identity files. */ 77 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 78 79 /* 80 * Constants relating to "shielding" support; protection of keys expected 81 * to remain in memory for long durations 82 */ 83 #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) 84 #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ 85 #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 86 87 int sshkey_private_serialize_opt(struct sshkey *key, 88 struct sshbuf *buf, enum sshkey_serialize_rep); 89 static int sshkey_from_blob_internal(struct sshbuf *buf, 90 struct sshkey **keyp, int allow_cert); 91 92 /* Supported key types */ 93 struct keytype { 94 const char *name; 95 const char *shortname; 96 const char *sigalg; 97 int type; 98 int nid; 99 int cert; 100 int sigonly; 101 }; 102 static const struct keytype keytypes[] = { 103 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 104 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 105 KEY_ED25519_CERT, 0, 1, 0 }, 106 { "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL, 107 KEY_ED25519_SK, 0, 0, 0 }, 108 { "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL, 109 KEY_ED25519_SK_CERT, 0, 1, 0 }, 110 #ifdef WITH_XMSS 111 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 112 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 113 KEY_XMSS_CERT, 0, 1, 0 }, 114 #endif /* WITH_XMSS */ 115 #ifdef WITH_OPENSSL 116 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 117 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 118 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 119 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 120 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 121 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 122 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 123 KEY_ECDSA, NID_secp384r1, 0, 0 }, 124 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 125 KEY_ECDSA, NID_secp521r1, 0, 0 }, 126 { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, 127 KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, 128 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 129 KEY_RSA_CERT, 0, 1, 0 }, 130 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 131 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 132 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 133 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 134 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 135 KEY_DSA_CERT, 0, 1, 0 }, 136 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 137 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 138 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 139 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 140 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 141 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 142 { "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL, 143 KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, 144 #endif /* WITH_OPENSSL */ 145 { NULL, NULL, NULL, -1, -1, 0, 0 } 146 }; 147 148 const char * 149 sshkey_type(const struct sshkey *k) 150 { 151 const struct keytype *kt; 152 153 for (kt = keytypes; kt->type != -1; kt++) { 154 if (kt->type == k->type) 155 return kt->shortname; 156 } 157 return "unknown"; 158 } 159 160 static const char * 161 sshkey_ssh_name_from_type_nid(int type, int nid) 162 { 163 const struct keytype *kt; 164 165 for (kt = keytypes; kt->type != -1; kt++) { 166 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 167 return kt->name; 168 } 169 return "ssh-unknown"; 170 } 171 172 int 173 sshkey_type_is_cert(int type) 174 { 175 const struct keytype *kt; 176 177 for (kt = keytypes; kt->type != -1; kt++) { 178 if (kt->type == type) 179 return kt->cert; 180 } 181 return 0; 182 } 183 184 const char * 185 sshkey_ssh_name(const struct sshkey *k) 186 { 187 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 188 } 189 190 const char * 191 sshkey_ssh_name_plain(const struct sshkey *k) 192 { 193 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 194 k->ecdsa_nid); 195 } 196 197 int 198 sshkey_type_from_name(const char *name) 199 { 200 const struct keytype *kt; 201 202 for (kt = keytypes; kt->type != -1; kt++) { 203 /* Only allow shortname matches for plain key types */ 204 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 205 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 206 return kt->type; 207 } 208 return KEY_UNSPEC; 209 } 210 211 static int 212 key_type_is_ecdsa_variant(int type) 213 { 214 switch (type) { 215 case KEY_ECDSA: 216 case KEY_ECDSA_CERT: 217 case KEY_ECDSA_SK: 218 case KEY_ECDSA_SK_CERT: 219 return 1; 220 } 221 return 0; 222 } 223 224 int 225 sshkey_ecdsa_nid_from_name(const char *name) 226 { 227 const struct keytype *kt; 228 229 for (kt = keytypes; kt->type != -1; kt++) { 230 if (!key_type_is_ecdsa_variant(kt->type)) 231 continue; 232 if (kt->name != NULL && strcmp(name, kt->name) == 0) 233 return kt->nid; 234 } 235 return -1; 236 } 237 238 char * 239 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 240 { 241 char *tmp, *ret = NULL; 242 size_t nlen, rlen = 0; 243 const struct keytype *kt; 244 245 for (kt = keytypes; kt->type != -1; kt++) { 246 if (kt->name == NULL) 247 continue; 248 if (!include_sigonly && kt->sigonly) 249 continue; 250 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 251 continue; 252 if (ret != NULL) 253 ret[rlen++] = sep; 254 nlen = strlen(kt->name); 255 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 256 free(ret); 257 return NULL; 258 } 259 ret = tmp; 260 memcpy(ret + rlen, kt->name, nlen + 1); 261 rlen += nlen; 262 } 263 return ret; 264 } 265 266 int 267 sshkey_names_valid2(const char *names, int allow_wildcard) 268 { 269 char *s, *cp, *p; 270 const struct keytype *kt; 271 int type; 272 273 if (names == NULL || strcmp(names, "") == 0) 274 return 0; 275 if ((s = cp = strdup(names)) == NULL) 276 return 0; 277 for ((p = strsep(&cp, ",")); p && *p != '\0'; 278 (p = strsep(&cp, ","))) { 279 type = sshkey_type_from_name(p); 280 if (type == KEY_UNSPEC) { 281 if (allow_wildcard) { 282 /* 283 * Try matching key types against the string. 284 * If any has a positive or negative match then 285 * the component is accepted. 286 */ 287 for (kt = keytypes; kt->type != -1; kt++) { 288 if (match_pattern_list(kt->name, 289 p, 0) != 0) 290 break; 291 } 292 if (kt->type != -1) 293 continue; 294 } 295 free(s); 296 return 0; 297 } 298 } 299 free(s); 300 return 1; 301 } 302 303 u_int 304 sshkey_size(const struct sshkey *k) 305 { 306 #ifdef WITH_OPENSSL 307 const BIGNUM *rsa_n, *dsa_p; 308 #endif /* WITH_OPENSSL */ 309 310 switch (k->type) { 311 #ifdef WITH_OPENSSL 312 case KEY_RSA: 313 case KEY_RSA_CERT: 314 if (k->rsa == NULL) 315 return 0; 316 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 317 return BN_num_bits(rsa_n); 318 case KEY_DSA: 319 case KEY_DSA_CERT: 320 if (k->dsa == NULL) 321 return 0; 322 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 323 return BN_num_bits(dsa_p); 324 case KEY_ECDSA: 325 case KEY_ECDSA_CERT: 326 case KEY_ECDSA_SK: 327 case KEY_ECDSA_SK_CERT: 328 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 329 #endif /* WITH_OPENSSL */ 330 case KEY_ED25519: 331 case KEY_ED25519_CERT: 332 case KEY_ED25519_SK: 333 case KEY_ED25519_SK_CERT: 334 case KEY_XMSS: 335 case KEY_XMSS_CERT: 336 return 256; /* XXX */ 337 } 338 return 0; 339 } 340 341 static int 342 sshkey_type_is_valid_ca(int type) 343 { 344 switch (type) { 345 case KEY_RSA: 346 case KEY_DSA: 347 case KEY_ECDSA: 348 case KEY_ECDSA_SK: 349 case KEY_ED25519: 350 case KEY_ED25519_SK: 351 case KEY_XMSS: 352 return 1; 353 default: 354 return 0; 355 } 356 } 357 358 int 359 sshkey_is_cert(const struct sshkey *k) 360 { 361 if (k == NULL) 362 return 0; 363 return sshkey_type_is_cert(k->type); 364 } 365 366 int 367 sshkey_is_sk(const struct sshkey *k) 368 { 369 if (k == NULL) 370 return 0; 371 switch (sshkey_type_plain(k->type)) { 372 case KEY_ECDSA_SK: 373 case KEY_ED25519_SK: 374 return 1; 375 default: 376 return 0; 377 } 378 } 379 380 /* Return the cert-less equivalent to a certified key type */ 381 int 382 sshkey_type_plain(int type) 383 { 384 switch (type) { 385 case KEY_RSA_CERT: 386 return KEY_RSA; 387 case KEY_DSA_CERT: 388 return KEY_DSA; 389 case KEY_ECDSA_CERT: 390 return KEY_ECDSA; 391 case KEY_ECDSA_SK_CERT: 392 return KEY_ECDSA_SK; 393 case KEY_ED25519_CERT: 394 return KEY_ED25519; 395 case KEY_ED25519_SK_CERT: 396 return KEY_ED25519_SK; 397 case KEY_XMSS_CERT: 398 return KEY_XMSS; 399 default: 400 return type; 401 } 402 } 403 404 #ifdef WITH_OPENSSL 405 /* XXX: these are really begging for a table-driven approach */ 406 int 407 sshkey_curve_name_to_nid(const char *name) 408 { 409 if (strcmp(name, "nistp256") == 0) 410 return NID_X9_62_prime256v1; 411 else if (strcmp(name, "nistp384") == 0) 412 return NID_secp384r1; 413 else if (strcmp(name, "nistp521") == 0) 414 return NID_secp521r1; 415 else 416 return -1; 417 } 418 419 u_int 420 sshkey_curve_nid_to_bits(int nid) 421 { 422 switch (nid) { 423 case NID_X9_62_prime256v1: 424 return 256; 425 case NID_secp384r1: 426 return 384; 427 case NID_secp521r1: 428 return 521; 429 default: 430 return 0; 431 } 432 } 433 434 int 435 sshkey_ecdsa_bits_to_nid(int bits) 436 { 437 switch (bits) { 438 case 256: 439 return NID_X9_62_prime256v1; 440 case 384: 441 return NID_secp384r1; 442 case 521: 443 return NID_secp521r1; 444 default: 445 return -1; 446 } 447 } 448 449 const char * 450 sshkey_curve_nid_to_name(int nid) 451 { 452 switch (nid) { 453 case NID_X9_62_prime256v1: 454 return "nistp256"; 455 case NID_secp384r1: 456 return "nistp384"; 457 case NID_secp521r1: 458 return "nistp521"; 459 default: 460 return NULL; 461 } 462 } 463 464 int 465 sshkey_ec_nid_to_hash_alg(int nid) 466 { 467 int kbits = sshkey_curve_nid_to_bits(nid); 468 469 if (kbits <= 0) 470 return -1; 471 472 /* RFC5656 section 6.2.1 */ 473 if (kbits <= 256) 474 return SSH_DIGEST_SHA256; 475 else if (kbits <= 384) 476 return SSH_DIGEST_SHA384; 477 else 478 return SSH_DIGEST_SHA512; 479 } 480 #endif /* WITH_OPENSSL */ 481 482 static void 483 cert_free(struct sshkey_cert *cert) 484 { 485 u_int i; 486 487 if (cert == NULL) 488 return; 489 sshbuf_free(cert->certblob); 490 sshbuf_free(cert->critical); 491 sshbuf_free(cert->extensions); 492 free(cert->key_id); 493 for (i = 0; i < cert->nprincipals; i++) 494 free(cert->principals[i]); 495 free(cert->principals); 496 sshkey_free(cert->signature_key); 497 free(cert->signature_type); 498 freezero(cert, sizeof(*cert)); 499 } 500 501 static struct sshkey_cert * 502 cert_new(void) 503 { 504 struct sshkey_cert *cert; 505 506 if ((cert = calloc(1, sizeof(*cert))) == NULL) 507 return NULL; 508 if ((cert->certblob = sshbuf_new()) == NULL || 509 (cert->critical = sshbuf_new()) == NULL || 510 (cert->extensions = sshbuf_new()) == NULL) { 511 cert_free(cert); 512 return NULL; 513 } 514 cert->key_id = NULL; 515 cert->principals = NULL; 516 cert->signature_key = NULL; 517 cert->signature_type = NULL; 518 return cert; 519 } 520 521 struct sshkey * 522 sshkey_new(int type) 523 { 524 struct sshkey *k; 525 #ifdef WITH_OPENSSL 526 RSA *rsa; 527 DSA *dsa; 528 #endif /* WITH_OPENSSL */ 529 530 if ((k = calloc(1, sizeof(*k))) == NULL) 531 return NULL; 532 k->type = type; 533 k->ecdsa = NULL; 534 k->ecdsa_nid = -1; 535 k->dsa = NULL; 536 k->rsa = NULL; 537 k->cert = NULL; 538 k->ed25519_sk = NULL; 539 k->ed25519_pk = NULL; 540 k->xmss_sk = NULL; 541 k->xmss_pk = NULL; 542 switch (k->type) { 543 #ifdef WITH_OPENSSL 544 case KEY_RSA: 545 case KEY_RSA_CERT: 546 if ((rsa = RSA_new()) == NULL) { 547 free(k); 548 return NULL; 549 } 550 k->rsa = rsa; 551 break; 552 case KEY_DSA: 553 case KEY_DSA_CERT: 554 if ((dsa = DSA_new()) == NULL) { 555 free(k); 556 return NULL; 557 } 558 k->dsa = dsa; 559 break; 560 case KEY_ECDSA: 561 case KEY_ECDSA_CERT: 562 case KEY_ECDSA_SK: 563 case KEY_ECDSA_SK_CERT: 564 /* Cannot do anything until we know the group */ 565 break; 566 #endif /* WITH_OPENSSL */ 567 case KEY_ED25519: 568 case KEY_ED25519_CERT: 569 case KEY_ED25519_SK: 570 case KEY_ED25519_SK_CERT: 571 case KEY_XMSS: 572 case KEY_XMSS_CERT: 573 /* no need to prealloc */ 574 break; 575 case KEY_UNSPEC: 576 break; 577 default: 578 free(k); 579 return NULL; 580 } 581 582 if (sshkey_is_cert(k)) { 583 if ((k->cert = cert_new()) == NULL) { 584 sshkey_free(k); 585 return NULL; 586 } 587 } 588 589 return k; 590 } 591 592 void 593 sshkey_free(struct sshkey *k) 594 { 595 if (k == NULL) 596 return; 597 switch (k->type) { 598 #ifdef WITH_OPENSSL 599 case KEY_RSA: 600 case KEY_RSA_CERT: 601 RSA_free(k->rsa); 602 k->rsa = NULL; 603 break; 604 case KEY_DSA: 605 case KEY_DSA_CERT: 606 DSA_free(k->dsa); 607 k->dsa = NULL; 608 break; 609 case KEY_ECDSA_SK: 610 case KEY_ECDSA_SK_CERT: 611 free(k->sk_application); 612 sshbuf_free(k->sk_key_handle); 613 sshbuf_free(k->sk_reserved); 614 /* FALLTHROUGH */ 615 case KEY_ECDSA: 616 case KEY_ECDSA_CERT: 617 EC_KEY_free(k->ecdsa); 618 k->ecdsa = NULL; 619 break; 620 #endif /* WITH_OPENSSL */ 621 case KEY_ED25519_SK: 622 case KEY_ED25519_SK_CERT: 623 free(k->sk_application); 624 sshbuf_free(k->sk_key_handle); 625 sshbuf_free(k->sk_reserved); 626 /* FALLTHROUGH */ 627 case KEY_ED25519: 628 case KEY_ED25519_CERT: 629 freezero(k->ed25519_pk, ED25519_PK_SZ); 630 k->ed25519_pk = NULL; 631 freezero(k->ed25519_sk, ED25519_SK_SZ); 632 k->ed25519_sk = NULL; 633 break; 634 #ifdef WITH_XMSS 635 case KEY_XMSS: 636 case KEY_XMSS_CERT: 637 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 638 k->xmss_pk = NULL; 639 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 640 k->xmss_sk = NULL; 641 sshkey_xmss_free_state(k); 642 free(k->xmss_name); 643 k->xmss_name = NULL; 644 free(k->xmss_filename); 645 k->xmss_filename = NULL; 646 break; 647 #endif /* WITH_XMSS */ 648 case KEY_UNSPEC: 649 break; 650 default: 651 break; 652 } 653 if (sshkey_is_cert(k)) 654 cert_free(k->cert); 655 freezero(k->shielded_private, k->shielded_len); 656 freezero(k->shield_prekey, k->shield_prekey_len); 657 freezero(k, sizeof(*k)); 658 } 659 660 static int 661 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 662 { 663 if (a == NULL && b == NULL) 664 return 1; 665 if (a == NULL || b == NULL) 666 return 0; 667 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 668 return 0; 669 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 670 sshbuf_len(a->certblob)) != 0) 671 return 0; 672 return 1; 673 } 674 675 /* 676 * Compare public portions of key only, allowing comparisons between 677 * certificates and plain keys too. 678 */ 679 int 680 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 681 { 682 #ifdef WITH_OPENSSL 683 const BIGNUM *rsa_e_a, *rsa_n_a; 684 const BIGNUM *rsa_e_b, *rsa_n_b; 685 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 686 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 687 #endif /* WITH_OPENSSL */ 688 689 if (a == NULL || b == NULL || 690 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 691 return 0; 692 693 switch (a->type) { 694 #ifdef WITH_OPENSSL 695 case KEY_RSA_CERT: 696 case KEY_RSA: 697 if (a->rsa == NULL || b->rsa == NULL) 698 return 0; 699 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 700 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 701 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 702 BN_cmp(rsa_n_a, rsa_n_b) == 0; 703 case KEY_DSA_CERT: 704 case KEY_DSA: 705 if (a->dsa == NULL || b->dsa == NULL) 706 return 0; 707 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 708 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 709 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 710 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 711 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 712 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 713 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 714 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 715 case KEY_ECDSA_SK: 716 case KEY_ECDSA_SK_CERT: 717 if (a->sk_application == NULL || b->sk_application == NULL) 718 return 0; 719 if (strcmp(a->sk_application, b->sk_application) != 0) 720 return 0; 721 /* FALLTHROUGH */ 722 case KEY_ECDSA_CERT: 723 case KEY_ECDSA: 724 if (a->ecdsa == NULL || b->ecdsa == NULL || 725 EC_KEY_get0_public_key(a->ecdsa) == NULL || 726 EC_KEY_get0_public_key(b->ecdsa) == NULL) 727 return 0; 728 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 729 EC_KEY_get0_group(b->ecdsa), NULL) != 0 || 730 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 731 EC_KEY_get0_public_key(a->ecdsa), 732 EC_KEY_get0_public_key(b->ecdsa), NULL) != 0) 733 return 0; 734 return 1; 735 #endif /* WITH_OPENSSL */ 736 case KEY_ED25519_SK: 737 case KEY_ED25519_SK_CERT: 738 if (a->sk_application == NULL || b->sk_application == NULL) 739 return 0; 740 if (strcmp(a->sk_application, b->sk_application) != 0) 741 return 0; 742 /* FALLTHROUGH */ 743 case KEY_ED25519: 744 case KEY_ED25519_CERT: 745 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 746 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 747 #ifdef WITH_XMSS 748 case KEY_XMSS: 749 case KEY_XMSS_CERT: 750 return a->xmss_pk != NULL && b->xmss_pk != NULL && 751 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 752 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 753 #endif /* WITH_XMSS */ 754 default: 755 return 0; 756 } 757 /* NOTREACHED */ 758 } 759 760 int 761 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 762 { 763 if (a == NULL || b == NULL || a->type != b->type) 764 return 0; 765 if (sshkey_is_cert(a)) { 766 if (!cert_compare(a->cert, b->cert)) 767 return 0; 768 } 769 return sshkey_equal_public(a, b); 770 } 771 772 static int 773 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 774 enum sshkey_serialize_rep opts) 775 { 776 int type, ret = SSH_ERR_INTERNAL_ERROR; 777 const char *typename; 778 #ifdef WITH_OPENSSL 779 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 780 #endif /* WITH_OPENSSL */ 781 782 if (key == NULL) 783 return SSH_ERR_INVALID_ARGUMENT; 784 785 if (sshkey_is_cert(key)) { 786 if (key->cert == NULL) 787 return SSH_ERR_EXPECTED_CERT; 788 if (sshbuf_len(key->cert->certblob) == 0) 789 return SSH_ERR_KEY_LACKS_CERTBLOB; 790 } 791 type = force_plain ? sshkey_type_plain(key->type) : key->type; 792 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 793 794 switch (type) { 795 #ifdef WITH_OPENSSL 796 case KEY_DSA_CERT: 797 case KEY_ECDSA_CERT: 798 case KEY_ECDSA_SK_CERT: 799 case KEY_RSA_CERT: 800 #endif /* WITH_OPENSSL */ 801 case KEY_ED25519_CERT: 802 case KEY_ED25519_SK_CERT: 803 #ifdef WITH_XMSS 804 case KEY_XMSS_CERT: 805 #endif /* WITH_XMSS */ 806 /* Use the existing blob */ 807 /* XXX modified flag? */ 808 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 809 return ret; 810 break; 811 #ifdef WITH_OPENSSL 812 case KEY_DSA: 813 if (key->dsa == NULL) 814 return SSH_ERR_INVALID_ARGUMENT; 815 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 816 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 817 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 818 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 819 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 820 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 821 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 822 return ret; 823 break; 824 case KEY_ECDSA: 825 case KEY_ECDSA_SK: 826 if (key->ecdsa == NULL) 827 return SSH_ERR_INVALID_ARGUMENT; 828 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 829 (ret = sshbuf_put_cstring(b, 830 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 831 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 832 return ret; 833 if (type == KEY_ECDSA_SK) { 834 if ((ret = sshbuf_put_cstring(b, 835 key->sk_application)) != 0) 836 return ret; 837 } 838 break; 839 case KEY_RSA: 840 if (key->rsa == NULL) 841 return SSH_ERR_INVALID_ARGUMENT; 842 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 843 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 844 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 845 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 846 return ret; 847 break; 848 #endif /* WITH_OPENSSL */ 849 case KEY_ED25519: 850 case KEY_ED25519_SK: 851 if (key->ed25519_pk == NULL) 852 return SSH_ERR_INVALID_ARGUMENT; 853 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 854 (ret = sshbuf_put_string(b, 855 key->ed25519_pk, ED25519_PK_SZ)) != 0) 856 return ret; 857 if (type == KEY_ED25519_SK) { 858 if ((ret = sshbuf_put_cstring(b, 859 key->sk_application)) != 0) 860 return ret; 861 } 862 break; 863 #ifdef WITH_XMSS 864 case KEY_XMSS: 865 if (key->xmss_name == NULL || key->xmss_pk == NULL || 866 sshkey_xmss_pklen(key) == 0) 867 return SSH_ERR_INVALID_ARGUMENT; 868 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 869 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 870 (ret = sshbuf_put_string(b, 871 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 872 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 873 return ret; 874 break; 875 #endif /* WITH_XMSS */ 876 default: 877 return SSH_ERR_KEY_TYPE_UNKNOWN; 878 } 879 return 0; 880 } 881 882 int 883 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 884 { 885 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 886 } 887 888 int 889 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 890 enum sshkey_serialize_rep opts) 891 { 892 struct sshbuf *tmp; 893 int r; 894 895 if ((tmp = sshbuf_new()) == NULL) 896 return SSH_ERR_ALLOC_FAIL; 897 r = to_blob_buf(key, tmp, 0, opts); 898 if (r == 0) 899 r = sshbuf_put_stringb(b, tmp); 900 sshbuf_free(tmp); 901 return r; 902 } 903 904 int 905 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 906 { 907 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 908 } 909 910 int 911 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 912 { 913 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 914 } 915 916 static int 917 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 918 enum sshkey_serialize_rep opts) 919 { 920 int ret = SSH_ERR_INTERNAL_ERROR; 921 size_t len; 922 struct sshbuf *b = NULL; 923 924 if (lenp != NULL) 925 *lenp = 0; 926 if (blobp != NULL) 927 *blobp = NULL; 928 if ((b = sshbuf_new()) == NULL) 929 return SSH_ERR_ALLOC_FAIL; 930 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 931 goto out; 932 len = sshbuf_len(b); 933 if (lenp != NULL) 934 *lenp = len; 935 if (blobp != NULL) { 936 if ((*blobp = malloc(len)) == NULL) { 937 ret = SSH_ERR_ALLOC_FAIL; 938 goto out; 939 } 940 memcpy(*blobp, sshbuf_ptr(b), len); 941 } 942 ret = 0; 943 out: 944 sshbuf_free(b); 945 return ret; 946 } 947 948 int 949 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 950 { 951 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 952 } 953 954 int 955 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 956 { 957 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 958 } 959 960 int 961 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 962 u_char **retp, size_t *lenp) 963 { 964 u_char *blob = NULL, *ret = NULL; 965 size_t blob_len = 0; 966 int r = SSH_ERR_INTERNAL_ERROR; 967 968 if (retp != NULL) 969 *retp = NULL; 970 if (lenp != NULL) 971 *lenp = 0; 972 if (ssh_digest_bytes(dgst_alg) == 0) { 973 r = SSH_ERR_INVALID_ARGUMENT; 974 goto out; 975 } 976 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 977 != 0) 978 goto out; 979 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 980 r = SSH_ERR_ALLOC_FAIL; 981 goto out; 982 } 983 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 984 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 985 goto out; 986 /* success */ 987 if (retp != NULL) { 988 *retp = ret; 989 ret = NULL; 990 } 991 if (lenp != NULL) 992 *lenp = ssh_digest_bytes(dgst_alg); 993 r = 0; 994 out: 995 free(ret); 996 if (blob != NULL) { 997 explicit_bzero(blob, blob_len); 998 free(blob); 999 } 1000 return r; 1001 } 1002 1003 static char * 1004 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1005 { 1006 char *ret; 1007 size_t plen = strlen(alg) + 1; 1008 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 1009 1010 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 1011 return NULL; 1012 strlcpy(ret, alg, rlen); 1013 strlcat(ret, ":", rlen); 1014 if (dgst_raw_len == 0) 1015 return ret; 1016 if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { 1017 freezero(ret, rlen); 1018 return NULL; 1019 } 1020 /* Trim padding characters from end */ 1021 ret[strcspn(ret, "=")] = '\0'; 1022 return ret; 1023 } 1024 1025 static char * 1026 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 1027 { 1028 char *retval, hex[5]; 1029 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 1030 1031 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 1032 return NULL; 1033 strlcpy(retval, alg, rlen); 1034 strlcat(retval, ":", rlen); 1035 for (i = 0; i < dgst_raw_len; i++) { 1036 snprintf(hex, sizeof(hex), "%s%02x", 1037 i > 0 ? ":" : "", dgst_raw[i]); 1038 strlcat(retval, hex, rlen); 1039 } 1040 return retval; 1041 } 1042 1043 static char * 1044 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 1045 { 1046 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 1047 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 1048 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 1049 u_int i, j = 0, rounds, seed = 1; 1050 char *retval; 1051 1052 rounds = (dgst_raw_len / 2) + 1; 1053 if ((retval = calloc(rounds, 6)) == NULL) 1054 return NULL; 1055 retval[j++] = 'x'; 1056 for (i = 0; i < rounds; i++) { 1057 u_int idx0, idx1, idx2, idx3, idx4; 1058 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 1059 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 1060 seed) % 6; 1061 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 1062 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 1063 (seed / 6)) % 6; 1064 retval[j++] = vowels[idx0]; 1065 retval[j++] = consonants[idx1]; 1066 retval[j++] = vowels[idx2]; 1067 if ((i + 1) < rounds) { 1068 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 1069 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1070 retval[j++] = consonants[idx3]; 1071 retval[j++] = '-'; 1072 retval[j++] = consonants[idx4]; 1073 seed = ((seed * 5) + 1074 ((((u_int)(dgst_raw[2 * i])) * 7) + 1075 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1076 } 1077 } else { 1078 idx0 = seed % 6; 1079 idx1 = 16; 1080 idx2 = seed / 6; 1081 retval[j++] = vowels[idx0]; 1082 retval[j++] = consonants[idx1]; 1083 retval[j++] = vowels[idx2]; 1084 } 1085 } 1086 retval[j++] = 'x'; 1087 retval[j++] = '\0'; 1088 return retval; 1089 } 1090 1091 /* 1092 * Draw an ASCII-Art representing the fingerprint so human brain can 1093 * profit from its built-in pattern recognition ability. 1094 * This technique is called "random art" and can be found in some 1095 * scientific publications like this original paper: 1096 * 1097 * "Hash Visualization: a New Technique to improve Real-World Security", 1098 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1099 * Techniques and E-Commerce (CrypTEC '99) 1100 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1101 * 1102 * The subject came up in a talk by Dan Kaminsky, too. 1103 * 1104 * If you see the picture is different, the key is different. 1105 * If the picture looks the same, you still know nothing. 1106 * 1107 * The algorithm used here is a worm crawling over a discrete plane, 1108 * leaving a trace (augmenting the field) everywhere it goes. 1109 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1110 * makes the respective movement vector be ignored for this turn. 1111 * Graphs are not unambiguous, because circles in graphs can be 1112 * walked in either direction. 1113 */ 1114 1115 /* 1116 * Field sizes for the random art. Have to be odd, so the starting point 1117 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1118 * Else pictures would be too dense, and drawing the frame would 1119 * fail, too, because the key type would not fit in anymore. 1120 */ 1121 #define FLDBASE 8 1122 #define FLDSIZE_Y (FLDBASE + 1) 1123 #define FLDSIZE_X (FLDBASE * 2 + 1) 1124 static char * 1125 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1126 const struct sshkey *k) 1127 { 1128 /* 1129 * Chars to be used after each other every time the worm 1130 * intersects with itself. Matter of taste. 1131 */ 1132 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1133 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1134 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1135 size_t i, tlen, hlen; 1136 u_int b; 1137 int x, y, r; 1138 size_t len = strlen(augmentation_string) - 1; 1139 1140 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1141 return NULL; 1142 1143 /* initialize field */ 1144 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1145 x = FLDSIZE_X / 2; 1146 y = FLDSIZE_Y / 2; 1147 1148 /* process raw key */ 1149 for (i = 0; i < dgst_raw_len; i++) { 1150 int input; 1151 /* each byte conveys four 2-bit move commands */ 1152 input = dgst_raw[i]; 1153 for (b = 0; b < 4; b++) { 1154 /* evaluate 2 bit, rest is shifted later */ 1155 x += (input & 0x1) ? 1 : -1; 1156 y += (input & 0x2) ? 1 : -1; 1157 1158 /* assure we are still in bounds */ 1159 x = MAXIMUM(x, 0); 1160 y = MAXIMUM(y, 0); 1161 x = MINIMUM(x, FLDSIZE_X - 1); 1162 y = MINIMUM(y, FLDSIZE_Y - 1); 1163 1164 /* augment the field */ 1165 if (field[x][y] < len - 2) 1166 field[x][y]++; 1167 input = input >> 2; 1168 } 1169 } 1170 1171 /* mark starting point and end point*/ 1172 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1173 field[x][y] = len; 1174 1175 /* assemble title */ 1176 r = snprintf(title, sizeof(title), "[%s %u]", 1177 sshkey_type(k), sshkey_size(k)); 1178 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1179 if (r < 0 || r > (int)sizeof(title)) 1180 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1181 tlen = (r <= 0) ? 0 : strlen(title); 1182 1183 /* assemble hash ID. */ 1184 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1185 hlen = (r <= 0) ? 0 : strlen(hash); 1186 1187 /* output upper border */ 1188 p = retval; 1189 *p++ = '+'; 1190 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1191 *p++ = '-'; 1192 memcpy(p, title, tlen); 1193 p += tlen; 1194 for (i += tlen; i < FLDSIZE_X; i++) 1195 *p++ = '-'; 1196 *p++ = '+'; 1197 *p++ = '\n'; 1198 1199 /* output content */ 1200 for (y = 0; y < FLDSIZE_Y; y++) { 1201 *p++ = '|'; 1202 for (x = 0; x < FLDSIZE_X; x++) 1203 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1204 *p++ = '|'; 1205 *p++ = '\n'; 1206 } 1207 1208 /* output lower border */ 1209 *p++ = '+'; 1210 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1211 *p++ = '-'; 1212 memcpy(p, hash, hlen); 1213 p += hlen; 1214 for (i += hlen; i < FLDSIZE_X; i++) 1215 *p++ = '-'; 1216 *p++ = '+'; 1217 1218 return retval; 1219 } 1220 1221 char * 1222 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1223 enum sshkey_fp_rep dgst_rep) 1224 { 1225 char *retval = NULL; 1226 u_char *dgst_raw; 1227 size_t dgst_raw_len; 1228 1229 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1230 return NULL; 1231 switch (dgst_rep) { 1232 case SSH_FP_DEFAULT: 1233 if (dgst_alg == SSH_DIGEST_MD5) { 1234 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1235 dgst_raw, dgst_raw_len); 1236 } else { 1237 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1238 dgst_raw, dgst_raw_len); 1239 } 1240 break; 1241 case SSH_FP_HEX: 1242 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1243 dgst_raw, dgst_raw_len); 1244 break; 1245 case SSH_FP_BASE64: 1246 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1247 dgst_raw, dgst_raw_len); 1248 break; 1249 case SSH_FP_BUBBLEBABBLE: 1250 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1251 break; 1252 case SSH_FP_RANDOMART: 1253 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1254 dgst_raw, dgst_raw_len, k); 1255 break; 1256 default: 1257 explicit_bzero(dgst_raw, dgst_raw_len); 1258 free(dgst_raw); 1259 return NULL; 1260 } 1261 explicit_bzero(dgst_raw, dgst_raw_len); 1262 free(dgst_raw); 1263 return retval; 1264 } 1265 1266 static int 1267 peek_type_nid(const char *s, size_t l, int *nid) 1268 { 1269 const struct keytype *kt; 1270 1271 for (kt = keytypes; kt->type != -1; kt++) { 1272 if (kt->name == NULL || strlen(kt->name) != l) 1273 continue; 1274 if (memcmp(s, kt->name, l) == 0) { 1275 *nid = -1; 1276 if (key_type_is_ecdsa_variant(kt->type)) 1277 *nid = kt->nid; 1278 return kt->type; 1279 } 1280 } 1281 return KEY_UNSPEC; 1282 } 1283 1284 1285 /* XXX this can now be made const char * */ 1286 int 1287 sshkey_read(struct sshkey *ret, char **cpp) 1288 { 1289 struct sshkey *k; 1290 char *cp, *blobcopy; 1291 size_t space; 1292 int r, type, curve_nid = -1; 1293 struct sshbuf *blob; 1294 1295 if (ret == NULL) 1296 return SSH_ERR_INVALID_ARGUMENT; 1297 1298 switch (ret->type) { 1299 case KEY_UNSPEC: 1300 case KEY_RSA: 1301 case KEY_DSA: 1302 case KEY_ECDSA: 1303 case KEY_ECDSA_SK: 1304 case KEY_ED25519: 1305 case KEY_ED25519_SK: 1306 case KEY_DSA_CERT: 1307 case KEY_ECDSA_CERT: 1308 case KEY_ECDSA_SK_CERT: 1309 case KEY_RSA_CERT: 1310 case KEY_ED25519_CERT: 1311 case KEY_ED25519_SK_CERT: 1312 #ifdef WITH_XMSS 1313 case KEY_XMSS: 1314 case KEY_XMSS_CERT: 1315 #endif /* WITH_XMSS */ 1316 break; /* ok */ 1317 default: 1318 return SSH_ERR_INVALID_ARGUMENT; 1319 } 1320 1321 /* Decode type */ 1322 cp = *cpp; 1323 space = strcspn(cp, " \t"); 1324 if (space == strlen(cp)) 1325 return SSH_ERR_INVALID_FORMAT; 1326 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1327 return SSH_ERR_INVALID_FORMAT; 1328 1329 /* skip whitespace */ 1330 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1331 ; 1332 if (*cp == '\0') 1333 return SSH_ERR_INVALID_FORMAT; 1334 if (ret->type != KEY_UNSPEC && ret->type != type) 1335 return SSH_ERR_KEY_TYPE_MISMATCH; 1336 if ((blob = sshbuf_new()) == NULL) 1337 return SSH_ERR_ALLOC_FAIL; 1338 1339 /* find end of keyblob and decode */ 1340 space = strcspn(cp, " \t"); 1341 if ((blobcopy = strndup(cp, space)) == NULL) { 1342 sshbuf_free(blob); 1343 return SSH_ERR_ALLOC_FAIL; 1344 } 1345 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1346 free(blobcopy); 1347 sshbuf_free(blob); 1348 return r; 1349 } 1350 free(blobcopy); 1351 if ((r = sshkey_fromb(blob, &k)) != 0) { 1352 sshbuf_free(blob); 1353 return r; 1354 } 1355 sshbuf_free(blob); 1356 1357 /* skip whitespace and leave cp at start of comment */ 1358 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1359 ; 1360 1361 /* ensure type of blob matches type at start of line */ 1362 if (k->type != type) { 1363 sshkey_free(k); 1364 return SSH_ERR_KEY_TYPE_MISMATCH; 1365 } 1366 if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { 1367 sshkey_free(k); 1368 return SSH_ERR_EC_CURVE_MISMATCH; 1369 } 1370 1371 /* Fill in ret from parsed key */ 1372 ret->type = type; 1373 if (sshkey_is_cert(ret)) { 1374 if (!sshkey_is_cert(k)) { 1375 sshkey_free(k); 1376 return SSH_ERR_EXPECTED_CERT; 1377 } 1378 if (ret->cert != NULL) 1379 cert_free(ret->cert); 1380 ret->cert = k->cert; 1381 k->cert = NULL; 1382 } 1383 switch (sshkey_type_plain(ret->type)) { 1384 #ifdef WITH_OPENSSL 1385 case KEY_RSA: 1386 RSA_free(ret->rsa); 1387 ret->rsa = k->rsa; 1388 k->rsa = NULL; 1389 #ifdef DEBUG_PK 1390 RSA_print_fp(stderr, ret->rsa, 8); 1391 #endif 1392 break; 1393 case KEY_DSA: 1394 DSA_free(ret->dsa); 1395 ret->dsa = k->dsa; 1396 k->dsa = NULL; 1397 #ifdef DEBUG_PK 1398 DSA_print_fp(stderr, ret->dsa, 8); 1399 #endif 1400 break; 1401 case KEY_ECDSA: 1402 EC_KEY_free(ret->ecdsa); 1403 ret->ecdsa = k->ecdsa; 1404 ret->ecdsa_nid = k->ecdsa_nid; 1405 k->ecdsa = NULL; 1406 k->ecdsa_nid = -1; 1407 #ifdef DEBUG_PK 1408 sshkey_dump_ec_key(ret->ecdsa); 1409 #endif 1410 break; 1411 case KEY_ECDSA_SK: 1412 EC_KEY_free(ret->ecdsa); 1413 ret->ecdsa = k->ecdsa; 1414 ret->ecdsa_nid = k->ecdsa_nid; 1415 ret->sk_application = k->sk_application; 1416 k->ecdsa = NULL; 1417 k->ecdsa_nid = -1; 1418 k->sk_application = NULL; 1419 #ifdef DEBUG_PK 1420 sshkey_dump_ec_key(ret->ecdsa); 1421 fprintf(stderr, "App: %s\n", ret->sk_application); 1422 #endif 1423 break; 1424 #endif /* WITH_OPENSSL */ 1425 case KEY_ED25519: 1426 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1427 ret->ed25519_pk = k->ed25519_pk; 1428 k->ed25519_pk = NULL; 1429 #ifdef DEBUG_PK 1430 /* XXX */ 1431 #endif 1432 break; 1433 case KEY_ED25519_SK: 1434 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1435 ret->ed25519_pk = k->ed25519_pk; 1436 ret->sk_application = k->sk_application; 1437 k->ed25519_pk = NULL; 1438 k->sk_application = NULL; 1439 break; 1440 #ifdef WITH_XMSS 1441 case KEY_XMSS: 1442 free(ret->xmss_pk); 1443 ret->xmss_pk = k->xmss_pk; 1444 k->xmss_pk = NULL; 1445 free(ret->xmss_state); 1446 ret->xmss_state = k->xmss_state; 1447 k->xmss_state = NULL; 1448 free(ret->xmss_name); 1449 ret->xmss_name = k->xmss_name; 1450 k->xmss_name = NULL; 1451 free(ret->xmss_filename); 1452 ret->xmss_filename = k->xmss_filename; 1453 k->xmss_filename = NULL; 1454 #ifdef DEBUG_PK 1455 /* XXX */ 1456 #endif 1457 break; 1458 #endif /* WITH_XMSS */ 1459 default: 1460 sshkey_free(k); 1461 return SSH_ERR_INTERNAL_ERROR; 1462 } 1463 sshkey_free(k); 1464 1465 /* success */ 1466 *cpp = cp; 1467 return 0; 1468 } 1469 1470 int 1471 sshkey_to_base64(const struct sshkey *key, char **b64p) 1472 { 1473 int r = SSH_ERR_INTERNAL_ERROR; 1474 struct sshbuf *b = NULL; 1475 char *uu = NULL; 1476 1477 if (b64p != NULL) 1478 *b64p = NULL; 1479 if ((b = sshbuf_new()) == NULL) 1480 return SSH_ERR_ALLOC_FAIL; 1481 if ((r = sshkey_putb(key, b)) != 0) 1482 goto out; 1483 if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) { 1484 r = SSH_ERR_ALLOC_FAIL; 1485 goto out; 1486 } 1487 /* Success */ 1488 if (b64p != NULL) { 1489 *b64p = uu; 1490 uu = NULL; 1491 } 1492 r = 0; 1493 out: 1494 sshbuf_free(b); 1495 free(uu); 1496 return r; 1497 } 1498 1499 int 1500 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1501 { 1502 int r = SSH_ERR_INTERNAL_ERROR; 1503 char *uu = NULL; 1504 1505 if ((r = sshkey_to_base64(key, &uu)) != 0) 1506 goto out; 1507 if ((r = sshbuf_putf(b, "%s %s", 1508 sshkey_ssh_name(key), uu)) != 0) 1509 goto out; 1510 r = 0; 1511 out: 1512 free(uu); 1513 return r; 1514 } 1515 1516 int 1517 sshkey_write(const struct sshkey *key, FILE *f) 1518 { 1519 struct sshbuf *b = NULL; 1520 int r = SSH_ERR_INTERNAL_ERROR; 1521 1522 if ((b = sshbuf_new()) == NULL) 1523 return SSH_ERR_ALLOC_FAIL; 1524 if ((r = sshkey_format_text(key, b)) != 0) 1525 goto out; 1526 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1527 if (feof(f)) 1528 errno = EPIPE; 1529 r = SSH_ERR_SYSTEM_ERROR; 1530 goto out; 1531 } 1532 /* Success */ 1533 r = 0; 1534 out: 1535 sshbuf_free(b); 1536 return r; 1537 } 1538 1539 const char * 1540 sshkey_cert_type(const struct sshkey *k) 1541 { 1542 switch (k->cert->type) { 1543 case SSH2_CERT_TYPE_USER: 1544 return "user"; 1545 case SSH2_CERT_TYPE_HOST: 1546 return "host"; 1547 default: 1548 return "unknown"; 1549 } 1550 } 1551 1552 #ifdef WITH_OPENSSL 1553 static int 1554 rsa_generate_private_key(u_int bits, RSA **rsap) 1555 { 1556 RSA *private = NULL; 1557 BIGNUM *f4 = NULL; 1558 int ret = SSH_ERR_INTERNAL_ERROR; 1559 1560 if (rsap == NULL) 1561 return SSH_ERR_INVALID_ARGUMENT; 1562 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1563 bits > SSHBUF_MAX_BIGNUM * 8) 1564 return SSH_ERR_KEY_LENGTH; 1565 *rsap = NULL; 1566 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1567 ret = SSH_ERR_ALLOC_FAIL; 1568 goto out; 1569 } 1570 if (!BN_set_word(f4, RSA_F4) || 1571 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1572 ret = SSH_ERR_LIBCRYPTO_ERROR; 1573 goto out; 1574 } 1575 *rsap = private; 1576 private = NULL; 1577 ret = 0; 1578 out: 1579 RSA_free(private); 1580 BN_free(f4); 1581 return ret; 1582 } 1583 1584 static int 1585 dsa_generate_private_key(u_int bits, DSA **dsap) 1586 { 1587 DSA *private; 1588 int ret = SSH_ERR_INTERNAL_ERROR; 1589 1590 if (dsap == NULL) 1591 return SSH_ERR_INVALID_ARGUMENT; 1592 if (bits != 1024) 1593 return SSH_ERR_KEY_LENGTH; 1594 if ((private = DSA_new()) == NULL) { 1595 ret = SSH_ERR_ALLOC_FAIL; 1596 goto out; 1597 } 1598 *dsap = NULL; 1599 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1600 NULL, NULL) || !DSA_generate_key(private)) { 1601 ret = SSH_ERR_LIBCRYPTO_ERROR; 1602 goto out; 1603 } 1604 *dsap = private; 1605 private = NULL; 1606 ret = 0; 1607 out: 1608 DSA_free(private); 1609 return ret; 1610 } 1611 1612 int 1613 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1614 { 1615 EC_GROUP *eg = NULL; /* XXXGCC: unneeded init */ 1616 int nids[] = { 1617 NID_X9_62_prime256v1, 1618 NID_secp384r1, 1619 NID_secp521r1, 1620 -1 1621 }; 1622 int nid; 1623 u_int i; 1624 const EC_GROUP *g = EC_KEY_get0_group(k); 1625 1626 /* 1627 * The group may be stored in a ASN.1 encoded private key in one of two 1628 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1629 * or explicit group parameters encoded into the key blob. Only the 1630 * "named group" case sets the group NID for us, but we can figure 1631 * it out for the other case by comparing against all the groups that 1632 * are supported. 1633 */ 1634 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1635 return nid; 1636 for (i = 0; nids[i] != -1; i++) { 1637 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) 1638 return -1; 1639 if (EC_GROUP_cmp(g, eg, NULL) == 0) 1640 break; 1641 EC_GROUP_free(eg); 1642 } 1643 if (nids[i] != -1) { 1644 /* Use the group with the NID attached */ 1645 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1646 if (EC_KEY_set_group(k, eg) != 1) { 1647 EC_GROUP_free(eg); 1648 return -1; 1649 } 1650 } 1651 return nids[i]; 1652 } 1653 1654 static int 1655 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1656 { 1657 EC_KEY *private; 1658 int ret = SSH_ERR_INTERNAL_ERROR; 1659 1660 if (nid == NULL || ecdsap == NULL) 1661 return SSH_ERR_INVALID_ARGUMENT; 1662 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1663 return SSH_ERR_KEY_LENGTH; 1664 *ecdsap = NULL; 1665 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1666 ret = SSH_ERR_ALLOC_FAIL; 1667 goto out; 1668 } 1669 if (EC_KEY_generate_key(private) != 1) { 1670 ret = SSH_ERR_LIBCRYPTO_ERROR; 1671 goto out; 1672 } 1673 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1674 *ecdsap = private; 1675 private = NULL; 1676 ret = 0; 1677 out: 1678 EC_KEY_free(private); 1679 return ret; 1680 } 1681 #endif /* WITH_OPENSSL */ 1682 1683 int 1684 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1685 { 1686 struct sshkey *k; 1687 int ret = SSH_ERR_INTERNAL_ERROR; 1688 1689 if (keyp == NULL) 1690 return SSH_ERR_INVALID_ARGUMENT; 1691 *keyp = NULL; 1692 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1693 return SSH_ERR_ALLOC_FAIL; 1694 switch (type) { 1695 case KEY_ED25519: 1696 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1697 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1698 ret = SSH_ERR_ALLOC_FAIL; 1699 break; 1700 } 1701 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1702 ret = 0; 1703 break; 1704 #ifdef WITH_XMSS 1705 case KEY_XMSS: 1706 ret = sshkey_xmss_generate_private_key(k, bits); 1707 break; 1708 #endif /* WITH_XMSS */ 1709 #ifdef WITH_OPENSSL 1710 case KEY_DSA: 1711 ret = dsa_generate_private_key(bits, &k->dsa); 1712 break; 1713 case KEY_ECDSA: 1714 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1715 &k->ecdsa); 1716 break; 1717 case KEY_RSA: 1718 ret = rsa_generate_private_key(bits, &k->rsa); 1719 break; 1720 #endif /* WITH_OPENSSL */ 1721 default: 1722 ret = SSH_ERR_INVALID_ARGUMENT; 1723 } 1724 if (ret == 0) { 1725 k->type = type; 1726 *keyp = k; 1727 } else 1728 sshkey_free(k); 1729 return ret; 1730 } 1731 1732 int 1733 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1734 { 1735 u_int i; 1736 const struct sshkey_cert *from; 1737 struct sshkey_cert *to; 1738 int r = SSH_ERR_INTERNAL_ERROR; 1739 1740 if (to_key == NULL || (from = from_key->cert) == NULL) 1741 return SSH_ERR_INVALID_ARGUMENT; 1742 1743 if ((to = cert_new()) == NULL) 1744 return SSH_ERR_ALLOC_FAIL; 1745 1746 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1747 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1748 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1749 goto out; 1750 1751 to->serial = from->serial; 1752 to->type = from->type; 1753 if (from->key_id == NULL) 1754 to->key_id = NULL; 1755 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1756 r = SSH_ERR_ALLOC_FAIL; 1757 goto out; 1758 } 1759 to->valid_after = from->valid_after; 1760 to->valid_before = from->valid_before; 1761 if (from->signature_key == NULL) 1762 to->signature_key = NULL; 1763 else if ((r = sshkey_from_private(from->signature_key, 1764 &to->signature_key)) != 0) 1765 goto out; 1766 if (from->signature_type != NULL && 1767 (to->signature_type = strdup(from->signature_type)) == NULL) { 1768 r = SSH_ERR_ALLOC_FAIL; 1769 goto out; 1770 } 1771 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1772 r = SSH_ERR_INVALID_ARGUMENT; 1773 goto out; 1774 } 1775 if (from->nprincipals > 0) { 1776 if ((to->principals = calloc(from->nprincipals, 1777 sizeof(*to->principals))) == NULL) { 1778 r = SSH_ERR_ALLOC_FAIL; 1779 goto out; 1780 } 1781 for (i = 0; i < from->nprincipals; i++) { 1782 to->principals[i] = strdup(from->principals[i]); 1783 if (to->principals[i] == NULL) { 1784 to->nprincipals = i; 1785 r = SSH_ERR_ALLOC_FAIL; 1786 goto out; 1787 } 1788 } 1789 } 1790 to->nprincipals = from->nprincipals; 1791 1792 /* success */ 1793 cert_free(to_key->cert); 1794 to_key->cert = to; 1795 to = NULL; 1796 r = 0; 1797 out: 1798 cert_free(to); 1799 return r; 1800 } 1801 1802 int 1803 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1804 { 1805 struct sshkey *n = NULL; 1806 int r = SSH_ERR_INTERNAL_ERROR; 1807 #ifdef WITH_OPENSSL 1808 const BIGNUM *rsa_n, *rsa_e; 1809 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1810 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1811 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1812 BIGNUM *dsa_pub_key_dup = NULL; 1813 #endif /* WITH_OPENSSL */ 1814 1815 *pkp = NULL; 1816 if ((n = sshkey_new(k->type)) == NULL) { 1817 r = SSH_ERR_ALLOC_FAIL; 1818 goto out; 1819 } 1820 switch (k->type) { 1821 #ifdef WITH_OPENSSL 1822 case KEY_DSA: 1823 case KEY_DSA_CERT: 1824 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1825 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1826 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1827 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1828 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1829 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1830 r = SSH_ERR_ALLOC_FAIL; 1831 goto out; 1832 } 1833 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1834 r = SSH_ERR_LIBCRYPTO_ERROR; 1835 goto out; 1836 } 1837 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1838 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1839 r = SSH_ERR_LIBCRYPTO_ERROR; 1840 goto out; 1841 } 1842 dsa_pub_key_dup = NULL; /* transferred */ 1843 1844 break; 1845 case KEY_ECDSA: 1846 case KEY_ECDSA_CERT: 1847 case KEY_ECDSA_SK: 1848 case KEY_ECDSA_SK_CERT: 1849 n->ecdsa_nid = k->ecdsa_nid; 1850 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1851 if (n->ecdsa == NULL) { 1852 r = SSH_ERR_ALLOC_FAIL; 1853 goto out; 1854 } 1855 if (EC_KEY_set_public_key(n->ecdsa, 1856 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1857 r = SSH_ERR_LIBCRYPTO_ERROR; 1858 goto out; 1859 } 1860 if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT) 1861 break; 1862 /* Append security-key application string */ 1863 if ((n->sk_application = strdup(k->sk_application)) == NULL) 1864 goto out; 1865 break; 1866 case KEY_RSA: 1867 case KEY_RSA_CERT: 1868 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1869 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1870 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1871 r = SSH_ERR_ALLOC_FAIL; 1872 goto out; 1873 } 1874 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1875 r = SSH_ERR_LIBCRYPTO_ERROR; 1876 goto out; 1877 } 1878 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1879 break; 1880 #endif /* WITH_OPENSSL */ 1881 case KEY_ED25519: 1882 case KEY_ED25519_CERT: 1883 case KEY_ED25519_SK: 1884 case KEY_ED25519_SK_CERT: 1885 if (k->ed25519_pk != NULL) { 1886 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1887 r = SSH_ERR_ALLOC_FAIL; 1888 goto out; 1889 } 1890 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1891 } 1892 if (k->type != KEY_ED25519_SK && 1893 k->type != KEY_ED25519_SK_CERT) 1894 break; 1895 /* Append security-key application string */ 1896 if ((n->sk_application = strdup(k->sk_application)) == NULL) 1897 goto out; 1898 break; 1899 #ifdef WITH_XMSS 1900 case KEY_XMSS: 1901 case KEY_XMSS_CERT: 1902 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1903 goto out; 1904 if (k->xmss_pk != NULL) { 1905 u_int32_t left; 1906 size_t pklen = sshkey_xmss_pklen(k); 1907 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1908 r = SSH_ERR_INTERNAL_ERROR; 1909 goto out; 1910 } 1911 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1912 r = SSH_ERR_ALLOC_FAIL; 1913 goto out; 1914 } 1915 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1916 /* simulate number of signatures left on pubkey */ 1917 left = sshkey_xmss_signatures_left(k); 1918 if (left) 1919 sshkey_xmss_enable_maxsign(n, left); 1920 } 1921 break; 1922 #endif /* WITH_XMSS */ 1923 default: 1924 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1925 goto out; 1926 } 1927 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1928 goto out; 1929 /* success */ 1930 *pkp = n; 1931 n = NULL; 1932 r = 0; 1933 out: 1934 sshkey_free(n); 1935 #ifdef WITH_OPENSSL 1936 BN_clear_free(rsa_n_dup); 1937 BN_clear_free(rsa_e_dup); 1938 BN_clear_free(dsa_p_dup); 1939 BN_clear_free(dsa_q_dup); 1940 BN_clear_free(dsa_g_dup); 1941 BN_clear_free(dsa_pub_key_dup); 1942 #endif /* WITH_OPENSSL */ 1943 1944 return r; 1945 } 1946 1947 int 1948 sshkey_is_shielded(struct sshkey *k) 1949 { 1950 return k != NULL && k->shielded_private != NULL; 1951 } 1952 1953 int 1954 sshkey_shield_private(struct sshkey *k) 1955 { 1956 struct sshbuf *prvbuf = NULL; 1957 u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; 1958 struct sshcipher_ctx *cctx = NULL; 1959 const struct sshcipher *cipher; 1960 size_t i, enclen = 0; 1961 struct sshkey *kswap = NULL, tmp; 1962 int r = SSH_ERR_INTERNAL_ERROR; 1963 1964 #ifdef DEBUG_PK 1965 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1966 #endif 1967 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1968 r = SSH_ERR_INVALID_ARGUMENT; 1969 goto out; 1970 } 1971 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1972 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1973 r = SSH_ERR_INTERNAL_ERROR; 1974 goto out; 1975 } 1976 1977 /* Prepare a random pre-key, and from it an ephemeral key */ 1978 if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) { 1979 r = SSH_ERR_ALLOC_FAIL; 1980 goto out; 1981 } 1982 arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1983 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1984 prekey, SSHKEY_SHIELD_PREKEY_LEN, 1985 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1986 goto out; 1987 #ifdef DEBUG_PK 1988 fprintf(stderr, "%s: key+iv\n", __func__); 1989 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1990 stderr); 1991 #endif 1992 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1993 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) 1994 goto out; 1995 1996 /* Serialise and encrypt the private key using the ephemeral key */ 1997 if ((prvbuf = sshbuf_new()) == NULL) { 1998 r = SSH_ERR_ALLOC_FAIL; 1999 goto out; 2000 } 2001 if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) 2002 goto out; 2003 if ((r = sshkey_private_serialize_opt(k, prvbuf, 2004 SSHKEY_SERIALIZE_SHIELD)) != 0) 2005 goto out; 2006 /* pad to cipher blocksize */ 2007 i = 0; 2008 while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { 2009 if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) 2010 goto out; 2011 } 2012 #ifdef DEBUG_PK 2013 fprintf(stderr, "%s: serialised\n", __func__); 2014 sshbuf_dump(prvbuf, stderr); 2015 #endif 2016 /* encrypt */ 2017 enclen = sshbuf_len(prvbuf); 2018 if ((enc = malloc(enclen)) == NULL) { 2019 r = SSH_ERR_ALLOC_FAIL; 2020 goto out; 2021 } 2022 if ((r = cipher_crypt(cctx, 0, enc, 2023 sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) 2024 goto out; 2025 #ifdef DEBUG_PK 2026 fprintf(stderr, "%s: encrypted\n", __func__); 2027 sshbuf_dump_data(enc, enclen, stderr); 2028 #endif 2029 2030 /* Make a scrubbed, public-only copy of our private key argument */ 2031 if ((r = sshkey_from_private(k, &kswap)) != 0) 2032 goto out; 2033 2034 /* Swap the private key out (it will be destroyed below) */ 2035 tmp = *kswap; 2036 *kswap = *k; 2037 *k = tmp; 2038 2039 /* Insert the shielded key into our argument */ 2040 k->shielded_private = enc; 2041 k->shielded_len = enclen; 2042 k->shield_prekey = prekey; 2043 k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; 2044 enc = prekey = NULL; /* transferred */ 2045 enclen = 0; 2046 2047 /* preserve key fields that are required for correct operation */ 2048 k->sk_flags = kswap->sk_flags; 2049 2050 /* success */ 2051 r = 0; 2052 2053 out: 2054 /* XXX behaviour on error - invalidate original private key? */ 2055 cipher_free(cctx); 2056 explicit_bzero(keyiv, sizeof(keyiv)); 2057 explicit_bzero(&tmp, sizeof(tmp)); 2058 freezero(enc, enclen); 2059 freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN); 2060 sshkey_free(kswap); 2061 sshbuf_free(prvbuf); 2062 return r; 2063 } 2064 2065 int 2066 sshkey_unshield_private(struct sshkey *k) 2067 { 2068 struct sshbuf *prvbuf = NULL; 2069 u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; 2070 struct sshcipher_ctx *cctx = NULL; 2071 const struct sshcipher *cipher; 2072 size_t i; 2073 struct sshkey *kswap = NULL, tmp; 2074 int r = SSH_ERR_INTERNAL_ERROR; 2075 2076 #ifdef DEBUG_PK 2077 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 2078 #endif 2079 if (!sshkey_is_shielded(k)) 2080 return 0; /* nothing to do */ 2081 2082 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 2083 r = SSH_ERR_INVALID_ARGUMENT; 2084 goto out; 2085 } 2086 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 2087 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 2088 r = SSH_ERR_INTERNAL_ERROR; 2089 goto out; 2090 } 2091 /* check size of shielded key blob */ 2092 if (k->shielded_len < cipher_blocksize(cipher) || 2093 (k->shielded_len % cipher_blocksize(cipher)) != 0) { 2094 r = SSH_ERR_INVALID_FORMAT; 2095 goto out; 2096 } 2097 2098 /* Calculate the ephemeral key from the prekey */ 2099 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 2100 k->shield_prekey, k->shield_prekey_len, 2101 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 2102 goto out; 2103 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 2104 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) 2105 goto out; 2106 #ifdef DEBUG_PK 2107 fprintf(stderr, "%s: key+iv\n", __func__); 2108 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 2109 stderr); 2110 #endif 2111 2112 /* Decrypt and parse the shielded private key using the ephemeral key */ 2113 if ((prvbuf = sshbuf_new()) == NULL) { 2114 r = SSH_ERR_ALLOC_FAIL; 2115 goto out; 2116 } 2117 if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) 2118 goto out; 2119 /* decrypt */ 2120 #ifdef DEBUG_PK 2121 fprintf(stderr, "%s: encrypted\n", __func__); 2122 sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); 2123 #endif 2124 if ((r = cipher_crypt(cctx, 0, cp, 2125 k->shielded_private, k->shielded_len, 0, 0)) != 0) 2126 goto out; 2127 #ifdef DEBUG_PK 2128 fprintf(stderr, "%s: serialised\n", __func__); 2129 sshbuf_dump(prvbuf, stderr); 2130 #endif 2131 /* Parse private key */ 2132 if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) 2133 goto out; 2134 /* Check deterministic padding */ 2135 i = 0; 2136 while (sshbuf_len(prvbuf)) { 2137 if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0) 2138 goto out; 2139 if (pad != (++i & 0xff)) { 2140 r = SSH_ERR_INVALID_FORMAT; 2141 goto out; 2142 } 2143 } 2144 2145 /* Swap the parsed key back into place */ 2146 tmp = *kswap; 2147 *kswap = *k; 2148 *k = tmp; 2149 2150 /* success */ 2151 r = 0; 2152 2153 out: 2154 cipher_free(cctx); 2155 explicit_bzero(keyiv, sizeof(keyiv)); 2156 explicit_bzero(&tmp, sizeof(tmp)); 2157 sshkey_free(kswap); 2158 sshbuf_free(prvbuf); 2159 return r; 2160 } 2161 2162 static int 2163 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 2164 { 2165 struct sshbuf *principals = NULL, *crit = NULL; 2166 struct sshbuf *exts = NULL, *ca = NULL; 2167 u_char *sig = NULL; 2168 size_t signed_len = 0, slen = 0, kidlen = 0; 2169 int ret = SSH_ERR_INTERNAL_ERROR; 2170 2171 /* Copy the entire key blob for verification and later serialisation */ 2172 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 2173 return ret; 2174 2175 /* Parse body of certificate up to signature */ 2176 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 2177 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 2178 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 2179 (ret = sshbuf_froms(b, &principals)) != 0 || 2180 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 2181 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 2182 (ret = sshbuf_froms(b, &crit)) != 0 || 2183 (ret = sshbuf_froms(b, &exts)) != 0 || 2184 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 2185 (ret = sshbuf_froms(b, &ca)) != 0) { 2186 /* XXX debug print error for ret */ 2187 ret = SSH_ERR_INVALID_FORMAT; 2188 goto out; 2189 } 2190 2191 /* Signature is left in the buffer so we can calculate this length */ 2192 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 2193 2194 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 2195 ret = SSH_ERR_INVALID_FORMAT; 2196 goto out; 2197 } 2198 2199 if (key->cert->type != SSH2_CERT_TYPE_USER && 2200 key->cert->type != SSH2_CERT_TYPE_HOST) { 2201 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 2202 goto out; 2203 } 2204 2205 /* Parse principals section */ 2206 while (sshbuf_len(principals) > 0) { 2207 char *principal = NULL; 2208 char **oprincipals = NULL; 2209 2210 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 2211 ret = SSH_ERR_INVALID_FORMAT; 2212 goto out; 2213 } 2214 if ((ret = sshbuf_get_cstring(principals, &principal, 2215 NULL)) != 0) { 2216 ret = SSH_ERR_INVALID_FORMAT; 2217 goto out; 2218 } 2219 oprincipals = key->cert->principals; 2220 key->cert->principals = recallocarray(key->cert->principals, 2221 key->cert->nprincipals, key->cert->nprincipals + 1, 2222 sizeof(*key->cert->principals)); 2223 if (key->cert->principals == NULL) { 2224 free(principal); 2225 key->cert->principals = oprincipals; 2226 ret = SSH_ERR_ALLOC_FAIL; 2227 goto out; 2228 } 2229 key->cert->principals[key->cert->nprincipals++] = principal; 2230 } 2231 2232 /* 2233 * Stash a copies of the critical options and extensions sections 2234 * for later use. 2235 */ 2236 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 2237 (exts != NULL && 2238 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 2239 goto out; 2240 2241 /* 2242 * Validate critical options and extensions sections format. 2243 */ 2244 while (sshbuf_len(crit) != 0) { 2245 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 2246 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 2247 sshbuf_reset(key->cert->critical); 2248 ret = SSH_ERR_INVALID_FORMAT; 2249 goto out; 2250 } 2251 } 2252 while (exts != NULL && sshbuf_len(exts) != 0) { 2253 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 2254 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 2255 sshbuf_reset(key->cert->extensions); 2256 ret = SSH_ERR_INVALID_FORMAT; 2257 goto out; 2258 } 2259 } 2260 2261 /* Parse CA key and check signature */ 2262 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 2263 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2264 goto out; 2265 } 2266 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 2267 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2268 goto out; 2269 } 2270 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 2271 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) 2272 goto out; 2273 if ((ret = sshkey_get_sigtype(sig, slen, 2274 &key->cert->signature_type)) != 0) 2275 goto out; 2276 2277 /* Success */ 2278 ret = 0; 2279 out: 2280 sshbuf_free(ca); 2281 sshbuf_free(crit); 2282 sshbuf_free(exts); 2283 sshbuf_free(principals); 2284 free(sig); 2285 return ret; 2286 } 2287 2288 #ifdef WITH_OPENSSL 2289 static int 2290 check_rsa_length(const RSA *rsa) 2291 { 2292 const BIGNUM *rsa_n; 2293 2294 RSA_get0_key(rsa, &rsa_n, NULL, NULL); 2295 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 2296 return SSH_ERR_KEY_LENGTH; 2297 return 0; 2298 } 2299 #endif /* WITH_OPENSSL */ 2300 2301 static int 2302 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 2303 int allow_cert) 2304 { 2305 int type, ret = SSH_ERR_INTERNAL_ERROR; 2306 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 2307 struct sshkey *key = NULL; 2308 size_t len; 2309 u_char *pk = NULL; 2310 struct sshbuf *copy; 2311 #ifdef WITH_OPENSSL 2312 EC_POINT *q = NULL, *qq = NULL; 2313 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 2314 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 2315 #endif /* WITH_OPENSSL */ 2316 2317 #ifdef DEBUG_PK /* XXX */ 2318 sshbuf_dump(b, stderr); 2319 #endif 2320 if (keyp != NULL) 2321 *keyp = NULL; 2322 if ((copy = sshbuf_fromb(b)) == NULL) { 2323 ret = SSH_ERR_ALLOC_FAIL; 2324 goto out; 2325 } 2326 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 2327 ret = SSH_ERR_INVALID_FORMAT; 2328 goto out; 2329 } 2330 2331 type = sshkey_type_from_name(ktype); 2332 if (!allow_cert && sshkey_type_is_cert(type)) { 2333 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2334 goto out; 2335 } 2336 switch (type) { 2337 #ifdef WITH_OPENSSL 2338 case KEY_RSA_CERT: 2339 /* Skip nonce */ 2340 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2341 ret = SSH_ERR_INVALID_FORMAT; 2342 goto out; 2343 } 2344 /* FALLTHROUGH */ 2345 case KEY_RSA: 2346 if ((key = sshkey_new(type)) == NULL) { 2347 ret = SSH_ERR_ALLOC_FAIL; 2348 goto out; 2349 } 2350 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2351 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2352 ret = SSH_ERR_INVALID_FORMAT; 2353 goto out; 2354 } 2355 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2356 ret = SSH_ERR_LIBCRYPTO_ERROR; 2357 goto out; 2358 } 2359 rsa_n = rsa_e = NULL; /* transferred */ 2360 if ((ret = check_rsa_length(key->rsa)) != 0) 2361 goto out; 2362 #ifdef DEBUG_PK 2363 RSA_print_fp(stderr, key->rsa, 8); 2364 #endif 2365 break; 2366 case KEY_DSA_CERT: 2367 /* Skip nonce */ 2368 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2369 ret = SSH_ERR_INVALID_FORMAT; 2370 goto out; 2371 } 2372 /* FALLTHROUGH */ 2373 case KEY_DSA: 2374 if ((key = sshkey_new(type)) == NULL) { 2375 ret = SSH_ERR_ALLOC_FAIL; 2376 goto out; 2377 } 2378 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2379 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2380 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2381 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2382 ret = SSH_ERR_INVALID_FORMAT; 2383 goto out; 2384 } 2385 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2386 ret = SSH_ERR_LIBCRYPTO_ERROR; 2387 goto out; 2388 } 2389 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2390 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2391 ret = SSH_ERR_LIBCRYPTO_ERROR; 2392 goto out; 2393 } 2394 dsa_pub_key = NULL; /* transferred */ 2395 #ifdef DEBUG_PK 2396 DSA_print_fp(stderr, key->dsa, 8); 2397 #endif 2398 break; 2399 case KEY_ECDSA_CERT: 2400 case KEY_ECDSA_SK_CERT: 2401 /* Skip nonce */ 2402 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2403 ret = SSH_ERR_INVALID_FORMAT; 2404 goto out; 2405 } 2406 /* FALLTHROUGH */ 2407 case KEY_ECDSA: 2408 case KEY_ECDSA_SK: 2409 if ((key = sshkey_new(type)) == NULL) { 2410 ret = SSH_ERR_ALLOC_FAIL; 2411 goto out; 2412 } 2413 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2414 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2415 ret = SSH_ERR_INVALID_FORMAT; 2416 goto out; 2417 } 2418 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2419 ret = SSH_ERR_EC_CURVE_MISMATCH; 2420 goto out; 2421 } 2422 EC_KEY_free(key->ecdsa); 2423 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2424 == NULL) { 2425 ret = SSH_ERR_EC_CURVE_INVALID; 2426 goto out; 2427 } 2428 if ((qq = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2429 ret = SSH_ERR_ALLOC_FAIL; 2430 goto out; 2431 } 2432 if (sshbuf_get_ec(b, qq, EC_KEY_get0_group(key->ecdsa)) != 0) { 2433 ret = SSH_ERR_INVALID_FORMAT; 2434 goto out; 2435 } 2436 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2437 qq) != 0) { 2438 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2439 goto out; 2440 } 2441 if (EC_KEY_set_public_key(key->ecdsa, qq) != 1) { 2442 /* XXX assume it is a allocation error */ 2443 ret = SSH_ERR_ALLOC_FAIL; 2444 goto out; 2445 } 2446 #ifdef DEBUG_PK 2447 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), qq); 2448 #endif 2449 if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) { 2450 /* Parse additional security-key application string */ 2451 if (sshbuf_get_cstring(b, &key->sk_application, 2452 NULL) != 0) { 2453 ret = SSH_ERR_INVALID_FORMAT; 2454 goto out; 2455 } 2456 #ifdef DEBUG_PK 2457 fprintf(stderr, "App: %s\n", key->sk_application); 2458 #endif 2459 } 2460 break; 2461 #endif /* WITH_OPENSSL */ 2462 case KEY_ED25519_CERT: 2463 case KEY_ED25519_SK_CERT: 2464 /* Skip nonce */ 2465 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2466 ret = SSH_ERR_INVALID_FORMAT; 2467 goto out; 2468 } 2469 /* FALLTHROUGH */ 2470 case KEY_ED25519: 2471 case KEY_ED25519_SK: 2472 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2473 goto out; 2474 if (len != ED25519_PK_SZ) { 2475 ret = SSH_ERR_INVALID_FORMAT; 2476 goto out; 2477 } 2478 if ((key = sshkey_new(type)) == NULL) { 2479 ret = SSH_ERR_ALLOC_FAIL; 2480 goto out; 2481 } 2482 if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) { 2483 /* Parse additional security-key application string */ 2484 if (sshbuf_get_cstring(b, &key->sk_application, 2485 NULL) != 0) { 2486 ret = SSH_ERR_INVALID_FORMAT; 2487 goto out; 2488 } 2489 #ifdef DEBUG_PK 2490 fprintf(stderr, "App: %s\n", key->sk_application); 2491 #endif 2492 } 2493 key->ed25519_pk = pk; 2494 pk = NULL; 2495 break; 2496 #ifdef WITH_XMSS 2497 case KEY_XMSS_CERT: 2498 /* Skip nonce */ 2499 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2500 ret = SSH_ERR_INVALID_FORMAT; 2501 goto out; 2502 } 2503 /* FALLTHROUGH */ 2504 case KEY_XMSS: 2505 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2506 goto out; 2507 if ((key = sshkey_new(type)) == NULL) { 2508 ret = SSH_ERR_ALLOC_FAIL; 2509 goto out; 2510 } 2511 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2512 goto out; 2513 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2514 goto out; 2515 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2516 ret = SSH_ERR_INVALID_FORMAT; 2517 goto out; 2518 } 2519 key->xmss_pk = pk; 2520 pk = NULL; 2521 if (type != KEY_XMSS_CERT && 2522 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2523 goto out; 2524 break; 2525 #endif /* WITH_XMSS */ 2526 case KEY_UNSPEC: 2527 default: 2528 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2529 goto out; 2530 } 2531 2532 /* Parse certificate potion */ 2533 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2534 goto out; 2535 2536 if (key != NULL && sshbuf_len(b) != 0) { 2537 ret = SSH_ERR_INVALID_FORMAT; 2538 goto out; 2539 } 2540 ret = 0; 2541 if (keyp != NULL) { 2542 *keyp = key; 2543 key = NULL; 2544 } 2545 out: 2546 sshbuf_free(copy); 2547 sshkey_free(key); 2548 free(xmss_name); 2549 free(ktype); 2550 free(curve); 2551 free(pk); 2552 #ifdef WITH_OPENSSL 2553 EC_POINT_free(q); 2554 BN_clear_free(rsa_n); 2555 BN_clear_free(rsa_e); 2556 BN_clear_free(dsa_p); 2557 BN_clear_free(dsa_q); 2558 BN_clear_free(dsa_g); 2559 BN_clear_free(dsa_pub_key); 2560 #endif /* WITH_OPENSSL */ 2561 return ret; 2562 } 2563 2564 int 2565 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2566 { 2567 struct sshbuf *b; 2568 int r; 2569 2570 if ((b = sshbuf_from(blob, blen)) == NULL) 2571 return SSH_ERR_ALLOC_FAIL; 2572 r = sshkey_from_blob_internal(b, keyp, 1); 2573 sshbuf_free(b); 2574 return r; 2575 } 2576 2577 int 2578 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2579 { 2580 return sshkey_from_blob_internal(b, keyp, 1); 2581 } 2582 2583 int 2584 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2585 { 2586 struct sshbuf *b; 2587 int r; 2588 2589 if ((r = sshbuf_froms(buf, &b)) != 0) 2590 return r; 2591 r = sshkey_from_blob_internal(b, keyp, 1); 2592 sshbuf_free(b); 2593 return r; 2594 } 2595 2596 int 2597 sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2598 { 2599 int r; 2600 struct sshbuf *b = NULL; 2601 char *sigtype = NULL; 2602 2603 if (sigtypep != NULL) 2604 *sigtypep = NULL; 2605 if ((b = sshbuf_from(sig, siglen)) == NULL) 2606 return SSH_ERR_ALLOC_FAIL; 2607 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2608 goto out; 2609 /* success */ 2610 if (sigtypep != NULL) { 2611 *sigtypep = sigtype; 2612 sigtype = NULL; 2613 } 2614 r = 0; 2615 out: 2616 free(sigtype); 2617 sshbuf_free(b); 2618 return r; 2619 } 2620 2621 /* 2622 * 2623 * Checks whether a certificate's signature type is allowed. 2624 * Returns 0 (success) if the certificate signature type appears in the 2625 * "allowed" pattern-list, or the key is not a certificate to begin with. 2626 * Otherwise returns a ssherr.h code. 2627 */ 2628 int 2629 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2630 { 2631 if (key == NULL || allowed == NULL) 2632 return SSH_ERR_INVALID_ARGUMENT; 2633 if (!sshkey_type_is_cert(key->type)) 2634 return 0; 2635 if (key->cert == NULL || key->cert->signature_type == NULL) 2636 return SSH_ERR_INVALID_ARGUMENT; 2637 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2638 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2639 return 0; 2640 } 2641 2642 /* 2643 * Returns the expected signature algorithm for a given public key algorithm. 2644 */ 2645 const char * 2646 sshkey_sigalg_by_name(const char *name) 2647 { 2648 const struct keytype *kt; 2649 2650 for (kt = keytypes; kt->type != -1; kt++) { 2651 if (strcmp(kt->name, name) != 0) 2652 continue; 2653 if (kt->sigalg != NULL) 2654 return kt->sigalg; 2655 if (!kt->cert) 2656 return kt->name; 2657 return sshkey_ssh_name_from_type_nid( 2658 sshkey_type_plain(kt->type), kt->nid); 2659 } 2660 return NULL; 2661 } 2662 2663 /* 2664 * Verifies that the signature algorithm appearing inside the signature blob 2665 * matches that which was requested. 2666 */ 2667 int 2668 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2669 const char *requested_alg) 2670 { 2671 const char *expected_alg; 2672 char *sigtype = NULL; 2673 int r; 2674 2675 if (requested_alg == NULL) 2676 return 0; 2677 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2678 return SSH_ERR_INVALID_ARGUMENT; 2679 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) 2680 return r; 2681 r = strcmp(expected_alg, sigtype) == 0; 2682 free(sigtype); 2683 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2684 } 2685 2686 int 2687 sshkey_sign(struct sshkey *key, 2688 u_char **sigp, size_t *lenp, 2689 const u_char *data, size_t datalen, 2690 const char *alg, const char *sk_provider, u_int compat) 2691 { 2692 int was_shielded = sshkey_is_shielded(key); 2693 int r2, r = SSH_ERR_INTERNAL_ERROR; 2694 2695 if (sigp != NULL) 2696 *sigp = NULL; 2697 if (lenp != NULL) 2698 *lenp = 0; 2699 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2700 return SSH_ERR_INVALID_ARGUMENT; 2701 if ((r = sshkey_unshield_private(key)) != 0) 2702 return r; 2703 switch (key->type) { 2704 #ifdef WITH_OPENSSL 2705 case KEY_DSA_CERT: 2706 case KEY_DSA: 2707 r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2708 break; 2709 case KEY_ECDSA_CERT: 2710 case KEY_ECDSA: 2711 r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2712 break; 2713 case KEY_RSA_CERT: 2714 case KEY_RSA: 2715 r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2716 break; 2717 #endif /* WITH_OPENSSL */ 2718 case KEY_ED25519: 2719 case KEY_ED25519_CERT: 2720 r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2721 break; 2722 case KEY_ED25519_SK: 2723 case KEY_ED25519_SK_CERT: 2724 case KEY_ECDSA_SK_CERT: 2725 case KEY_ECDSA_SK: 2726 r = sshsk_sign(sk_provider, key, sigp, lenp, data, 2727 datalen, compat, /* XXX PIN */ NULL); 2728 break; 2729 #ifdef WITH_XMSS 2730 case KEY_XMSS: 2731 case KEY_XMSS_CERT: 2732 r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2733 break; 2734 #endif /* WITH_XMSS */ 2735 default: 2736 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2737 break; 2738 } 2739 if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) 2740 return r2; 2741 return r; 2742 } 2743 2744 /* 2745 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2746 * If "alg" specified, then the signature must use that algorithm. 2747 */ 2748 int 2749 sshkey_verify(const struct sshkey *key, 2750 const u_char *sig, size_t siglen, 2751 const u_char *data, size_t dlen, const char *alg, u_int compat, 2752 struct sshkey_sig_details **detailsp) 2753 { 2754 if (detailsp != NULL) 2755 *detailsp = NULL; 2756 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2757 return SSH_ERR_INVALID_ARGUMENT; 2758 switch (key->type) { 2759 #ifdef WITH_OPENSSL 2760 case KEY_DSA_CERT: 2761 case KEY_DSA: 2762 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2763 case KEY_ECDSA_CERT: 2764 case KEY_ECDSA: 2765 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2766 case KEY_ECDSA_SK_CERT: 2767 case KEY_ECDSA_SK: 2768 return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen, 2769 compat, detailsp); 2770 case KEY_RSA_CERT: 2771 case KEY_RSA: 2772 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2773 #endif /* WITH_OPENSSL */ 2774 case KEY_ED25519: 2775 case KEY_ED25519_CERT: 2776 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2777 case KEY_ED25519_SK: 2778 case KEY_ED25519_SK_CERT: 2779 return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen, 2780 compat, detailsp); 2781 #ifdef WITH_XMSS 2782 case KEY_XMSS: 2783 case KEY_XMSS_CERT: 2784 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2785 #endif /* WITH_XMSS */ 2786 default: 2787 return SSH_ERR_KEY_TYPE_UNKNOWN; 2788 } 2789 } 2790 2791 /* Convert a plain key to their _CERT equivalent */ 2792 int 2793 sshkey_to_certified(struct sshkey *k) 2794 { 2795 int newtype; 2796 2797 switch (k->type) { 2798 #ifdef WITH_OPENSSL 2799 case KEY_RSA: 2800 newtype = KEY_RSA_CERT; 2801 break; 2802 case KEY_DSA: 2803 newtype = KEY_DSA_CERT; 2804 break; 2805 case KEY_ECDSA: 2806 newtype = KEY_ECDSA_CERT; 2807 break; 2808 case KEY_ECDSA_SK: 2809 newtype = KEY_ECDSA_SK_CERT; 2810 break; 2811 #endif /* WITH_OPENSSL */ 2812 case KEY_ED25519_SK: 2813 newtype = KEY_ED25519_SK_CERT; 2814 break; 2815 case KEY_ED25519: 2816 newtype = KEY_ED25519_CERT; 2817 break; 2818 #ifdef WITH_XMSS 2819 case KEY_XMSS: 2820 newtype = KEY_XMSS_CERT; 2821 break; 2822 #endif /* WITH_XMSS */ 2823 default: 2824 return SSH_ERR_INVALID_ARGUMENT; 2825 } 2826 if ((k->cert = cert_new()) == NULL) 2827 return SSH_ERR_ALLOC_FAIL; 2828 k->type = newtype; 2829 return 0; 2830 } 2831 2832 /* Convert a certificate to its raw key equivalent */ 2833 int 2834 sshkey_drop_cert(struct sshkey *k) 2835 { 2836 if (!sshkey_type_is_cert(k->type)) 2837 return SSH_ERR_KEY_TYPE_UNKNOWN; 2838 cert_free(k->cert); 2839 k->cert = NULL; 2840 k->type = sshkey_type_plain(k->type); 2841 return 0; 2842 } 2843 2844 /* Sign a certified key, (re-)generating the signed certblob. */ 2845 int 2846 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2847 const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx) 2848 { 2849 struct sshbuf *principals = NULL; 2850 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2851 size_t i, ca_len, sig_len; 2852 int ret = SSH_ERR_INTERNAL_ERROR; 2853 struct sshbuf *cert = NULL; 2854 char *sigtype = NULL; 2855 #ifdef WITH_OPENSSL 2856 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2857 #endif /* WITH_OPENSSL */ 2858 2859 if (k == NULL || k->cert == NULL || 2860 k->cert->certblob == NULL || ca == NULL) 2861 return SSH_ERR_INVALID_ARGUMENT; 2862 if (!sshkey_is_cert(k)) 2863 return SSH_ERR_KEY_TYPE_UNKNOWN; 2864 if (!sshkey_type_is_valid_ca(ca->type)) 2865 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2866 2867 /* 2868 * If no alg specified as argument but a signature_type was set, 2869 * then prefer that. If both were specified, then they must match. 2870 */ 2871 if (alg == NULL) 2872 alg = k->cert->signature_type; 2873 else if (k->cert->signature_type != NULL && 2874 strcmp(alg, k->cert->signature_type) != 0) 2875 return SSH_ERR_INVALID_ARGUMENT; 2876 2877 /* 2878 * If no signing algorithm or signature_type was specified and we're 2879 * using a RSA key, then default to a good signature algorithm. 2880 */ 2881 if (alg == NULL && ca->type == KEY_RSA) 2882 alg = "rsa-sha2-512"; 2883 2884 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2885 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2886 2887 cert = k->cert->certblob; /* for readability */ 2888 sshbuf_reset(cert); 2889 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2890 goto out; 2891 2892 /* -v01 certs put nonce first */ 2893 arc4random_buf(&nonce, sizeof(nonce)); 2894 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2895 goto out; 2896 2897 /* XXX this substantially duplicates to_blob(); refactor */ 2898 switch (k->type) { 2899 #ifdef WITH_OPENSSL 2900 case KEY_DSA_CERT: 2901 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2902 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2903 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2904 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2905 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2906 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2907 goto out; 2908 break; 2909 case KEY_ECDSA_CERT: 2910 case KEY_ECDSA_SK_CERT: 2911 if ((ret = sshbuf_put_cstring(cert, 2912 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2913 (ret = sshbuf_put_ec(cert, 2914 EC_KEY_get0_public_key(k->ecdsa), 2915 EC_KEY_get0_group(k->ecdsa))) != 0) 2916 goto out; 2917 if (k->type == KEY_ECDSA_SK_CERT) { 2918 if ((ret = sshbuf_put_cstring(cert, 2919 k->sk_application)) != 0) 2920 goto out; 2921 } 2922 break; 2923 case KEY_RSA_CERT: 2924 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2925 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2926 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2927 goto out; 2928 break; 2929 #endif /* WITH_OPENSSL */ 2930 case KEY_ED25519_CERT: 2931 case KEY_ED25519_SK_CERT: 2932 if ((ret = sshbuf_put_string(cert, 2933 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2934 goto out; 2935 if (k->type == KEY_ED25519_SK_CERT) { 2936 if ((ret = sshbuf_put_cstring(cert, 2937 k->sk_application)) != 0) 2938 goto out; 2939 } 2940 break; 2941 #ifdef WITH_XMSS 2942 case KEY_XMSS_CERT: 2943 if (k->xmss_name == NULL) { 2944 ret = SSH_ERR_INVALID_ARGUMENT; 2945 goto out; 2946 } 2947 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2948 (ret = sshbuf_put_string(cert, 2949 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2950 goto out; 2951 break; 2952 #endif /* WITH_XMSS */ 2953 default: 2954 ret = SSH_ERR_INVALID_ARGUMENT; 2955 goto out; 2956 } 2957 2958 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2959 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2960 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2961 goto out; 2962 2963 if ((principals = sshbuf_new()) == NULL) { 2964 ret = SSH_ERR_ALLOC_FAIL; 2965 goto out; 2966 } 2967 for (i = 0; i < k->cert->nprincipals; i++) { 2968 if ((ret = sshbuf_put_cstring(principals, 2969 k->cert->principals[i])) != 0) 2970 goto out; 2971 } 2972 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2973 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2974 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2975 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2976 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2977 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2978 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2979 goto out; 2980 2981 /* Sign the whole mess */ 2982 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2983 sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0) 2984 goto out; 2985 /* Check and update signature_type against what was actually used */ 2986 if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2987 goto out; 2988 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2989 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2990 goto out; 2991 } 2992 if (k->cert->signature_type == NULL) { 2993 k->cert->signature_type = sigtype; 2994 sigtype = NULL; 2995 } 2996 /* Append signature and we are done */ 2997 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2998 goto out; 2999 ret = 0; 3000 out: 3001 if (ret != 0) 3002 sshbuf_reset(cert); 3003 free(sig_blob); 3004 free(ca_blob); 3005 free(sigtype); 3006 sshbuf_free(principals); 3007 return ret; 3008 } 3009 3010 static int 3011 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, 3012 const u_char *data, size_t datalen, 3013 const char *alg, const char *sk_provider, u_int compat, void *ctx) 3014 { 3015 if (ctx != NULL) 3016 return SSH_ERR_INVALID_ARGUMENT; 3017 return sshkey_sign(key, sigp, lenp, data, datalen, alg, 3018 sk_provider, compat); 3019 } 3020 3021 int 3022 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, 3023 const char *sk_provider) 3024 { 3025 return sshkey_certify_custom(k, ca, alg, sk_provider, 3026 default_key_sign, NULL); 3027 } 3028 3029 int 3030 sshkey_cert_check_authority(const struct sshkey *k, 3031 int want_host, int require_principal, 3032 const char *name, const char **reason) 3033 { 3034 u_int i, principal_matches; 3035 time_t now = time(NULL); 3036 3037 if (reason != NULL) 3038 *reason = NULL; 3039 3040 if (want_host) { 3041 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 3042 *reason = "Certificate invalid: not a host certificate"; 3043 return SSH_ERR_KEY_CERT_INVALID; 3044 } 3045 } else { 3046 if (k->cert->type != SSH2_CERT_TYPE_USER) { 3047 *reason = "Certificate invalid: not a user certificate"; 3048 return SSH_ERR_KEY_CERT_INVALID; 3049 } 3050 } 3051 if (now < 0) { 3052 /* yikes - system clock before epoch! */ 3053 *reason = "Certificate invalid: not yet valid"; 3054 return SSH_ERR_KEY_CERT_INVALID; 3055 } 3056 if ((u_int64_t)now < k->cert->valid_after) { 3057 *reason = "Certificate invalid: not yet valid"; 3058 return SSH_ERR_KEY_CERT_INVALID; 3059 } 3060 if ((u_int64_t)now >= k->cert->valid_before) { 3061 *reason = "Certificate invalid: expired"; 3062 return SSH_ERR_KEY_CERT_INVALID; 3063 } 3064 if (k->cert->nprincipals == 0) { 3065 if (require_principal) { 3066 *reason = "Certificate lacks principal list"; 3067 return SSH_ERR_KEY_CERT_INVALID; 3068 } 3069 } else if (name != NULL) { 3070 principal_matches = 0; 3071 for (i = 0; i < k->cert->nprincipals; i++) { 3072 if (strcmp(name, k->cert->principals[i]) == 0) { 3073 principal_matches = 1; 3074 break; 3075 } 3076 } 3077 if (!principal_matches) { 3078 *reason = "Certificate invalid: name is not a listed " 3079 "principal"; 3080 return SSH_ERR_KEY_CERT_INVALID; 3081 } 3082 } 3083 return 0; 3084 } 3085 3086 size_t 3087 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 3088 { 3089 char from[32], to[32], ret[128]; 3090 time_t tt; 3091 struct tm *tm; 3092 3093 *from = *to = '\0'; 3094 if (cert->valid_after == 0 && 3095 cert->valid_before == 0xffffffffffffffffULL) 3096 return strlcpy(s, "forever", l); 3097 3098 if (cert->valid_after != 0) { 3099 /* XXX revisit INT_MAX in 2038 :) */ 3100 tt = cert->valid_after > INT_MAX ? 3101 INT_MAX : cert->valid_after; 3102 tm = localtime(&tt); 3103 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 3104 } 3105 if (cert->valid_before != 0xffffffffffffffffULL) { 3106 /* XXX revisit INT_MAX in 2038 :) */ 3107 tt = cert->valid_before > INT_MAX ? 3108 INT_MAX : cert->valid_before; 3109 tm = localtime(&tt); 3110 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 3111 } 3112 3113 if (cert->valid_after == 0) 3114 snprintf(ret, sizeof(ret), "before %s", to); 3115 else if (cert->valid_before == 0xffffffffffffffffULL) 3116 snprintf(ret, sizeof(ret), "after %s", from); 3117 else 3118 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 3119 3120 return strlcpy(s, ret, l); 3121 } 3122 3123 int 3124 sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, 3125 enum sshkey_serialize_rep opts) 3126 { 3127 int r = SSH_ERR_INTERNAL_ERROR; 3128 int was_shielded = sshkey_is_shielded(key); 3129 struct sshbuf *b = NULL; 3130 #ifdef WITH_OPENSSL 3131 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 3132 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 3133 #endif /* WITH_OPENSSL */ 3134 3135 if ((r = sshkey_unshield_private(key)) != 0) 3136 return r; 3137 if ((b = sshbuf_new()) == NULL) 3138 return SSH_ERR_ALLOC_FAIL; 3139 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 3140 goto out; 3141 switch (key->type) { 3142 #ifdef WITH_OPENSSL 3143 case KEY_RSA: 3144 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 3145 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 3146 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 3147 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 3148 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 3149 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 3150 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 3151 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 3152 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 3153 goto out; 3154 break; 3155 case KEY_RSA_CERT: 3156 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3157 r = SSH_ERR_INVALID_ARGUMENT; 3158 goto out; 3159 } 3160 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 3161 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 3162 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 3163 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3164 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 3165 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 3166 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 3167 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 3168 goto out; 3169 break; 3170 case KEY_DSA: 3171 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 3172 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 3173 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 3174 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 3175 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 3176 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 3177 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3178 goto out; 3179 break; 3180 case KEY_DSA_CERT: 3181 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3182 r = SSH_ERR_INVALID_ARGUMENT; 3183 goto out; 3184 } 3185 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 3186 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3187 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3188 goto out; 3189 break; 3190 case KEY_ECDSA: 3191 if ((r = sshbuf_put_cstring(b, 3192 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3193 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3194 (r = sshbuf_put_bignum2(b, 3195 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3196 goto out; 3197 break; 3198 case KEY_ECDSA_CERT: 3199 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3200 r = SSH_ERR_INVALID_ARGUMENT; 3201 goto out; 3202 } 3203 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3204 (r = sshbuf_put_bignum2(b, 3205 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3206 goto out; 3207 break; 3208 case KEY_ECDSA_SK: 3209 if ((r = sshbuf_put_cstring(b, 3210 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3211 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3212 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3213 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3214 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3215 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3216 goto out; 3217 break; 3218 case KEY_ECDSA_SK_CERT: 3219 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3220 r = SSH_ERR_INVALID_ARGUMENT; 3221 goto out; 3222 } 3223 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3224 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3225 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3226 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3227 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3228 goto out; 3229 break; 3230 #endif /* WITH_OPENSSL */ 3231 case KEY_ED25519: 3232 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3233 ED25519_PK_SZ)) != 0 || 3234 (r = sshbuf_put_string(b, key->ed25519_sk, 3235 ED25519_SK_SZ)) != 0) 3236 goto out; 3237 break; 3238 case KEY_ED25519_CERT: 3239 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3240 r = SSH_ERR_INVALID_ARGUMENT; 3241 goto out; 3242 } 3243 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3244 (r = sshbuf_put_string(b, key->ed25519_pk, 3245 ED25519_PK_SZ)) != 0 || 3246 (r = sshbuf_put_string(b, key->ed25519_sk, 3247 ED25519_SK_SZ)) != 0) 3248 goto out; 3249 break; 3250 case KEY_ED25519_SK: 3251 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3252 ED25519_PK_SZ)) != 0 || 3253 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3254 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3255 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3256 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3257 goto out; 3258 break; 3259 case KEY_ED25519_SK_CERT: 3260 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3261 r = SSH_ERR_INVALID_ARGUMENT; 3262 goto out; 3263 } 3264 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3265 (r = sshbuf_put_string(b, key->ed25519_pk, 3266 ED25519_PK_SZ)) != 0 || 3267 (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 3268 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 3269 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 3270 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 3271 goto out; 3272 break; 3273 #ifdef WITH_XMSS 3274 case KEY_XMSS: 3275 if (key->xmss_name == NULL) { 3276 r = SSH_ERR_INVALID_ARGUMENT; 3277 goto out; 3278 } 3279 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3280 (r = sshbuf_put_string(b, key->xmss_pk, 3281 sshkey_xmss_pklen(key))) != 0 || 3282 (r = sshbuf_put_string(b, key->xmss_sk, 3283 sshkey_xmss_sklen(key))) != 0 || 3284 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3285 goto out; 3286 break; 3287 case KEY_XMSS_CERT: 3288 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 3289 key->xmss_name == NULL) { 3290 r = SSH_ERR_INVALID_ARGUMENT; 3291 goto out; 3292 } 3293 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3294 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3295 (r = sshbuf_put_string(b, key->xmss_pk, 3296 sshkey_xmss_pklen(key))) != 0 || 3297 (r = sshbuf_put_string(b, key->xmss_sk, 3298 sshkey_xmss_sklen(key))) != 0 || 3299 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3300 goto out; 3301 break; 3302 #endif /* WITH_XMSS */ 3303 default: 3304 r = SSH_ERR_INVALID_ARGUMENT; 3305 goto out; 3306 } 3307 /* 3308 * success (but we still need to append the output to buf after 3309 * possibly re-shielding the private key) 3310 */ 3311 r = 0; 3312 out: 3313 if (was_shielded) 3314 r = sshkey_shield_private(key); 3315 if (r == 0) 3316 r = sshbuf_putb(buf, b); 3317 sshbuf_free(b); 3318 3319 return r; 3320 } 3321 3322 int 3323 sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) 3324 { 3325 return sshkey_private_serialize_opt(key, b, 3326 SSHKEY_SERIALIZE_DEFAULT); 3327 } 3328 3329 int 3330 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 3331 { 3332 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 3333 struct sshkey *k = NULL; 3334 size_t pklen = 0, sklen = 0; 3335 int type, r = SSH_ERR_INTERNAL_ERROR; 3336 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 3337 u_char *xmss_pk = NULL, *xmss_sk = NULL; 3338 #ifdef WITH_OPENSSL 3339 BIGNUM *exponent = NULL; 3340 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 3341 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 3342 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 3343 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 3344 #endif /* WITH_OPENSSL */ 3345 3346 if (kp != NULL) 3347 *kp = NULL; 3348 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 3349 goto out; 3350 type = sshkey_type_from_name(tname); 3351 switch (type) { 3352 #ifdef WITH_OPENSSL 3353 case KEY_DSA: 3354 if ((k = sshkey_new(type)) == NULL) { 3355 r = SSH_ERR_ALLOC_FAIL; 3356 goto out; 3357 } 3358 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 3359 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 3360 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 3361 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 || 3362 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 3363 goto out; 3364 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 3365 r = SSH_ERR_LIBCRYPTO_ERROR; 3366 goto out; 3367 } 3368 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 3369 if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) { 3370 r = SSH_ERR_LIBCRYPTO_ERROR; 3371 goto out; 3372 } 3373 dsa_pub_key = dsa_priv_key = NULL; /* transferred */ 3374 break; 3375 case KEY_DSA_CERT: 3376 if ((r = sshkey_froms(buf, &k)) != 0 || 3377 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 3378 goto out; 3379 if (k->type != type) { 3380 r = SSH_ERR_INVALID_FORMAT; 3381 goto out; 3382 } 3383 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 3384 r = SSH_ERR_LIBCRYPTO_ERROR; 3385 goto out; 3386 } 3387 dsa_priv_key = NULL; /* transferred */ 3388 break; 3389 case KEY_ECDSA: 3390 if ((k = sshkey_new(type)) == NULL) { 3391 r = SSH_ERR_ALLOC_FAIL; 3392 goto out; 3393 } 3394 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3395 r = SSH_ERR_INVALID_ARGUMENT; 3396 goto out; 3397 } 3398 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3399 goto out; 3400 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3401 r = SSH_ERR_EC_CURVE_MISMATCH; 3402 goto out; 3403 } 3404 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3405 if (k->ecdsa == NULL) { 3406 r = SSH_ERR_LIBCRYPTO_ERROR; 3407 goto out; 3408 } 3409 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 3410 (r = sshbuf_get_bignum2(buf, &exponent))) 3411 goto out; 3412 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 3413 r = SSH_ERR_LIBCRYPTO_ERROR; 3414 goto out; 3415 } 3416 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3417 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 3418 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 3419 goto out; 3420 break; 3421 case KEY_ECDSA_CERT: 3422 if ((r = sshkey_froms(buf, &k)) != 0 || 3423 (r = sshbuf_get_bignum2(buf, &exponent)) != 0) 3424 goto out; 3425 if (k->type != type || 3426 k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { 3427 r = SSH_ERR_INVALID_FORMAT; 3428 goto out; 3429 } 3430 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 3431 r = SSH_ERR_LIBCRYPTO_ERROR; 3432 goto out; 3433 } 3434 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3435 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 3436 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 3437 goto out; 3438 break; 3439 case KEY_ECDSA_SK: 3440 if ((k = sshkey_new(type)) == NULL) { 3441 r = SSH_ERR_ALLOC_FAIL; 3442 goto out; 3443 } 3444 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3445 r = SSH_ERR_INVALID_ARGUMENT; 3446 goto out; 3447 } 3448 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3449 goto out; 3450 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3451 r = SSH_ERR_EC_CURVE_MISMATCH; 3452 goto out; 3453 } 3454 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3455 (k->sk_reserved = sshbuf_new()) == NULL) { 3456 r = SSH_ERR_ALLOC_FAIL; 3457 goto out; 3458 } 3459 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3460 if (k->ecdsa == NULL) { 3461 r = SSH_ERR_LIBCRYPTO_ERROR; 3462 goto out; 3463 } 3464 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 3465 (r = sshbuf_get_cstring(buf, &k->sk_application, 3466 NULL)) != 0 || 3467 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3468 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3469 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3470 goto out; 3471 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3472 EC_KEY_get0_public_key(k->ecdsa))) != 0) 3473 goto out; 3474 break; 3475 case KEY_ECDSA_SK_CERT: 3476 if ((r = sshkey_froms(buf, &k)) != 0) 3477 goto out; 3478 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3479 (k->sk_reserved = sshbuf_new()) == NULL) { 3480 r = SSH_ERR_ALLOC_FAIL; 3481 goto out; 3482 } 3483 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3484 NULL)) != 0 || 3485 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3486 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3487 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3488 goto out; 3489 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3490 EC_KEY_get0_public_key(k->ecdsa))) != 0) 3491 goto out; 3492 break; 3493 case KEY_RSA: 3494 if ((k = sshkey_new(type)) == NULL) { 3495 r = SSH_ERR_ALLOC_FAIL; 3496 goto out; 3497 } 3498 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 3499 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 || 3500 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 3501 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 3502 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 3503 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 3504 goto out; 3505 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) { 3506 r = SSH_ERR_LIBCRYPTO_ERROR; 3507 goto out; 3508 } 3509 rsa_n = rsa_e = rsa_d = NULL; /* transferred */ 3510 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 3511 r = SSH_ERR_LIBCRYPTO_ERROR; 3512 goto out; 3513 } 3514 rsa_p = rsa_q = NULL; /* transferred */ 3515 if ((r = check_rsa_length(k->rsa)) != 0) 3516 goto out; 3517 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3518 goto out; 3519 break; 3520 case KEY_RSA_CERT: 3521 if ((r = sshkey_froms(buf, &k)) != 0 || 3522 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 3523 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 3524 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 3525 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 3526 goto out; 3527 if (k->type != type) { 3528 r = SSH_ERR_INVALID_FORMAT; 3529 goto out; 3530 } 3531 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 3532 r = SSH_ERR_LIBCRYPTO_ERROR; 3533 goto out; 3534 } 3535 rsa_d = NULL; /* transferred */ 3536 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 3537 r = SSH_ERR_LIBCRYPTO_ERROR; 3538 goto out; 3539 } 3540 rsa_p = rsa_q = NULL; /* transferred */ 3541 if ((r = check_rsa_length(k->rsa)) != 0) 3542 goto out; 3543 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3544 goto out; 3545 break; 3546 #endif /* WITH_OPENSSL */ 3547 case KEY_ED25519: 3548 if ((k = sshkey_new(type)) == NULL) { 3549 r = SSH_ERR_ALLOC_FAIL; 3550 goto out; 3551 } 3552 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3553 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3554 goto out; 3555 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3556 r = SSH_ERR_INVALID_FORMAT; 3557 goto out; 3558 } 3559 k->ed25519_pk = ed25519_pk; 3560 k->ed25519_sk = ed25519_sk; 3561 ed25519_pk = ed25519_sk = NULL; 3562 break; 3563 case KEY_ED25519_CERT: 3564 if ((r = sshkey_froms(buf, &k)) != 0 || 3565 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3566 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3567 goto out; 3568 if (k->type != type) { 3569 r = SSH_ERR_INVALID_FORMAT; 3570 goto out; 3571 } 3572 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3573 r = SSH_ERR_INVALID_FORMAT; 3574 goto out; 3575 } 3576 k->ed25519_pk = ed25519_pk; 3577 k->ed25519_sk = ed25519_sk; 3578 ed25519_pk = ed25519_sk = NULL; /* transferred */ 3579 break; 3580 case KEY_ED25519_SK: 3581 if ((k = sshkey_new(type)) == NULL) { 3582 r = SSH_ERR_ALLOC_FAIL; 3583 goto out; 3584 } 3585 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0) 3586 goto out; 3587 if (pklen != ED25519_PK_SZ) { 3588 r = SSH_ERR_INVALID_FORMAT; 3589 goto out; 3590 } 3591 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3592 (k->sk_reserved = sshbuf_new()) == NULL) { 3593 r = SSH_ERR_ALLOC_FAIL; 3594 goto out; 3595 } 3596 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3597 NULL)) != 0 || 3598 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3599 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3600 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3601 goto out; 3602 k->ed25519_pk = ed25519_pk; 3603 ed25519_pk = NULL; 3604 break; 3605 case KEY_ED25519_SK_CERT: 3606 if ((r = sshkey_froms(buf, &k)) != 0 || 3607 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0) 3608 goto out; 3609 if (k->type != type) { 3610 r = SSH_ERR_INVALID_FORMAT; 3611 goto out; 3612 } 3613 if (pklen != ED25519_PK_SZ) { 3614 r = SSH_ERR_INVALID_FORMAT; 3615 goto out; 3616 } 3617 if ((k->sk_key_handle = sshbuf_new()) == NULL || 3618 (k->sk_reserved = sshbuf_new()) == NULL) { 3619 r = SSH_ERR_ALLOC_FAIL; 3620 goto out; 3621 } 3622 if ((r = sshbuf_get_cstring(buf, &k->sk_application, 3623 NULL)) != 0 || 3624 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 3625 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 3626 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 3627 goto out; 3628 k->ed25519_pk = ed25519_pk; 3629 ed25519_pk = NULL; /* transferred */ 3630 break; 3631 #ifdef WITH_XMSS 3632 case KEY_XMSS: 3633 if ((k = sshkey_new(type)) == NULL) { 3634 r = SSH_ERR_ALLOC_FAIL; 3635 goto out; 3636 } 3637 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3638 (r = sshkey_xmss_init(k, xmss_name)) != 0 || 3639 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3640 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3641 goto out; 3642 if (pklen != sshkey_xmss_pklen(k) || 3643 sklen != sshkey_xmss_sklen(k)) { 3644 r = SSH_ERR_INVALID_FORMAT; 3645 goto out; 3646 } 3647 k->xmss_pk = xmss_pk; 3648 k->xmss_sk = xmss_sk; 3649 xmss_pk = xmss_sk = NULL; 3650 /* optional internal state */ 3651 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3652 goto out; 3653 break; 3654 case KEY_XMSS_CERT: 3655 if ((r = sshkey_froms(buf, &k)) != 0 || 3656 (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3657 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3658 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3659 goto out; 3660 if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) { 3661 r = SSH_ERR_INVALID_FORMAT; 3662 goto out; 3663 } 3664 if (pklen != sshkey_xmss_pklen(k) || 3665 sklen != sshkey_xmss_sklen(k)) { 3666 r = SSH_ERR_INVALID_FORMAT; 3667 goto out; 3668 } 3669 k->xmss_pk = xmss_pk; 3670 k->xmss_sk = xmss_sk; 3671 xmss_pk = xmss_sk = NULL; 3672 /* optional internal state */ 3673 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3674 goto out; 3675 break; 3676 #endif /* WITH_XMSS */ 3677 default: 3678 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3679 goto out; 3680 } 3681 #ifdef WITH_OPENSSL 3682 /* enable blinding */ 3683 switch (k->type) { 3684 case KEY_RSA: 3685 case KEY_RSA_CERT: 3686 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3687 r = SSH_ERR_LIBCRYPTO_ERROR; 3688 goto out; 3689 } 3690 break; 3691 } 3692 #endif /* WITH_OPENSSL */ 3693 /* success */ 3694 r = 0; 3695 if (kp != NULL) { 3696 *kp = k; 3697 k = NULL; 3698 } 3699 out: 3700 free(tname); 3701 free(curve); 3702 #ifdef WITH_OPENSSL 3703 BN_clear_free(exponent); 3704 BN_clear_free(dsa_p); 3705 BN_clear_free(dsa_q); 3706 BN_clear_free(dsa_g); 3707 BN_clear_free(dsa_pub_key); 3708 BN_clear_free(dsa_priv_key); 3709 BN_clear_free(rsa_n); 3710 BN_clear_free(rsa_e); 3711 BN_clear_free(rsa_d); 3712 BN_clear_free(rsa_p); 3713 BN_clear_free(rsa_q); 3714 BN_clear_free(rsa_iqmp); 3715 #endif /* WITH_OPENSSL */ 3716 sshkey_free(k); 3717 freezero(ed25519_pk, pklen); 3718 freezero(ed25519_sk, sklen); 3719 free(xmss_name); 3720 freezero(xmss_pk, pklen); 3721 freezero(xmss_sk, sklen); 3722 return r; 3723 } 3724 3725 #ifdef WITH_OPENSSL 3726 int 3727 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3728 { 3729 EC_POINT *nq = NULL; 3730 BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL; 3731 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3732 3733 /* 3734 * NB. This assumes OpenSSL has already verified that the public 3735 * point lies on the curve. This is done by EC_POINT_oct2point() 3736 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3737 * reachable with public points not unmarshalled using 3738 * EC_POINT_oct2point then the caller will need to explicitly check. 3739 */ 3740 3741 /* 3742 * We shouldn't ever hit this case because bignum_get_ecpoint() 3743 * refuses to load GF2m points. 3744 */ 3745 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3746 NID_X9_62_prime_field) 3747 goto out; 3748 3749 /* Q != infinity */ 3750 if (EC_POINT_is_at_infinity(group, public)) 3751 goto out; 3752 3753 if ((x = BN_new()) == NULL || 3754 (y = BN_new()) == NULL || 3755 (order = BN_new()) == NULL || 3756 (tmp = BN_new()) == NULL) { 3757 ret = SSH_ERR_ALLOC_FAIL; 3758 goto out; 3759 } 3760 3761 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3762 if (EC_GROUP_get_order(group, order, NULL) != 1 || 3763 EC_POINT_get_affine_coordinates_GFp(group, public, 3764 x, y, NULL) != 1) { 3765 ret = SSH_ERR_LIBCRYPTO_ERROR; 3766 goto out; 3767 } 3768 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3769 BN_num_bits(y) <= BN_num_bits(order) / 2) 3770 goto out; 3771 3772 /* nQ == infinity (n == order of subgroup) */ 3773 if ((nq = EC_POINT_new(group)) == NULL) { 3774 ret = SSH_ERR_ALLOC_FAIL; 3775 goto out; 3776 } 3777 if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) { 3778 ret = SSH_ERR_LIBCRYPTO_ERROR; 3779 goto out; 3780 } 3781 if (EC_POINT_is_at_infinity(group, nq) != 1) 3782 goto out; 3783 3784 /* x < order - 1, y < order - 1 */ 3785 if (!BN_sub(tmp, order, BN_value_one())) { 3786 ret = SSH_ERR_LIBCRYPTO_ERROR; 3787 goto out; 3788 } 3789 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3790 goto out; 3791 ret = 0; 3792 out: 3793 BN_clear_free(x); 3794 BN_clear_free(y); 3795 BN_clear_free(order); 3796 BN_clear_free(tmp); 3797 EC_POINT_free(nq); 3798 return ret; 3799 } 3800 3801 int 3802 sshkey_ec_validate_private(const EC_KEY *key) 3803 { 3804 BIGNUM *order = NULL, *tmp = NULL; 3805 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3806 3807 if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) { 3808 ret = SSH_ERR_ALLOC_FAIL; 3809 goto out; 3810 } 3811 3812 /* log2(private) > log2(order)/2 */ 3813 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) { 3814 ret = SSH_ERR_LIBCRYPTO_ERROR; 3815 goto out; 3816 } 3817 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3818 BN_num_bits(order) / 2) 3819 goto out; 3820 3821 /* private < order - 1 */ 3822 if (!BN_sub(tmp, order, BN_value_one())) { 3823 ret = SSH_ERR_LIBCRYPTO_ERROR; 3824 goto out; 3825 } 3826 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3827 goto out; 3828 ret = 0; 3829 out: 3830 BN_clear_free(order); 3831 BN_clear_free(tmp); 3832 return ret; 3833 } 3834 3835 void 3836 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3837 { 3838 BIGNUM *x = NULL, *y = NULL; 3839 3840 if (point == NULL) { 3841 fputs("point=(NULL)\n", stderr); 3842 return; 3843 } 3844 if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) { 3845 fprintf(stderr, "%s: BN_new failed\n", __func__); 3846 goto out; 3847 } 3848 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3849 NID_X9_62_prime_field) { 3850 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3851 goto out; 3852 } 3853 if (EC_POINT_get_affine_coordinates_GFp(group, point, 3854 x, y, NULL) != 1) { 3855 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3856 __func__); 3857 goto out; 3858 } 3859 fputs("x=", stderr); 3860 BN_print_fp(stderr, x); 3861 fputs("\ny=", stderr); 3862 BN_print_fp(stderr, y); 3863 fputs("\n", stderr); 3864 out: 3865 BN_clear_free(x); 3866 BN_clear_free(y); 3867 } 3868 3869 void 3870 sshkey_dump_ec_key(const EC_KEY *key) 3871 { 3872 const BIGNUM *exponent; 3873 3874 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3875 EC_KEY_get0_public_key(key)); 3876 fputs("exponent=", stderr); 3877 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3878 fputs("(NULL)", stderr); 3879 else 3880 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3881 fputs("\n", stderr); 3882 } 3883 #endif /* WITH_OPENSSL */ 3884 3885 static int 3886 sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, 3887 const char *passphrase, const char *comment, const char *ciphername, 3888 int rounds) 3889 { 3890 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3891 u_char salt[SALT_LEN]; 3892 char *b64 = NULL; 3893 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3894 u_int check; 3895 int r = SSH_ERR_INTERNAL_ERROR; 3896 struct sshcipher_ctx *ciphercontext = NULL; 3897 const struct sshcipher *cipher; 3898 const char *kdfname = KDFNAME; 3899 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3900 3901 if (rounds <= 0) 3902 rounds = DEFAULT_ROUNDS; 3903 if (passphrase == NULL || !strlen(passphrase)) { 3904 ciphername = "none"; 3905 kdfname = "none"; 3906 } else if (ciphername == NULL) 3907 ciphername = DEFAULT_CIPHERNAME; 3908 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3909 r = SSH_ERR_INVALID_ARGUMENT; 3910 goto out; 3911 } 3912 3913 if ((kdf = sshbuf_new()) == NULL || 3914 (encoded = sshbuf_new()) == NULL || 3915 (encrypted = sshbuf_new()) == NULL) { 3916 r = SSH_ERR_ALLOC_FAIL; 3917 goto out; 3918 } 3919 blocksize = cipher_blocksize(cipher); 3920 keylen = cipher_keylen(cipher); 3921 ivlen = cipher_ivlen(cipher); 3922 authlen = cipher_authlen(cipher); 3923 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3924 r = SSH_ERR_ALLOC_FAIL; 3925 goto out; 3926 } 3927 if (strcmp(kdfname, "bcrypt") == 0) { 3928 arc4random_buf(salt, SALT_LEN); 3929 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3930 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3931 r = SSH_ERR_INVALID_ARGUMENT; 3932 goto out; 3933 } 3934 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3935 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3936 goto out; 3937 } else if (strcmp(kdfname, "none") != 0) { 3938 /* Unsupported KDF type */ 3939 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3940 goto out; 3941 } 3942 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3943 key + keylen, ivlen, 1)) != 0) 3944 goto out; 3945 3946 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3947 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3948 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3949 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3950 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3951 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3952 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3953 goto out; 3954 3955 /* set up the buffer that will be encrypted */ 3956 3957 /* Random check bytes */ 3958 check = arc4random(); 3959 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3960 (r = sshbuf_put_u32(encrypted, check)) != 0) 3961 goto out; 3962 3963 /* append private key and comment*/ 3964 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3965 SSHKEY_SERIALIZE_FULL)) != 0 || 3966 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3967 goto out; 3968 3969 /* padding */ 3970 i = 0; 3971 while (sshbuf_len(encrypted) % blocksize) { 3972 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3973 goto out; 3974 } 3975 3976 /* length in destination buffer */ 3977 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3978 goto out; 3979 3980 /* encrypt */ 3981 if ((r = sshbuf_reserve(encoded, 3982 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3983 goto out; 3984 if ((r = cipher_crypt(ciphercontext, 0, cp, 3985 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3986 goto out; 3987 3988 sshbuf_reset(blob); 3989 3990 /* assemble uuencoded key */ 3991 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 || 3992 (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || 3993 (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3994 goto out; 3995 3996 /* success */ 3997 r = 0; 3998 3999 out: 4000 sshbuf_free(kdf); 4001 sshbuf_free(encoded); 4002 sshbuf_free(encrypted); 4003 cipher_free(ciphercontext); 4004 explicit_bzero(salt, sizeof(salt)); 4005 if (key != NULL) { 4006 explicit_bzero(key, keylen + ivlen); 4007 free(key); 4008 } 4009 if (pubkeyblob != NULL) { 4010 explicit_bzero(pubkeyblob, pubkeylen); 4011 free(pubkeyblob); 4012 } 4013 if (b64 != NULL) { 4014 explicit_bzero(b64, strlen(b64)); 4015 free(b64); 4016 } 4017 return r; 4018 } 4019 4020 static int 4021 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 4022 struct sshkey **keyp, char **commentp) 4023 { 4024 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 4025 const struct sshcipher *cipher = NULL; 4026 const u_char *cp; 4027 int r = SSH_ERR_INTERNAL_ERROR; 4028 size_t encoded_len; 4029 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 4030 struct sshbuf *encoded = NULL, *decoded = NULL; 4031 struct sshbuf *kdf = NULL, *decrypted = NULL; 4032 struct sshcipher_ctx *ciphercontext = NULL; 4033 struct sshkey *k = NULL; 4034 u_char *key = NULL, *salt = NULL, *dp, pad, last; 4035 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 4036 4037 if (keyp != NULL) 4038 *keyp = NULL; 4039 if (commentp != NULL) 4040 *commentp = NULL; 4041 4042 if ((encoded = sshbuf_new()) == NULL || 4043 (decoded = sshbuf_new()) == NULL || 4044 (decrypted = sshbuf_new()) == NULL) { 4045 r = SSH_ERR_ALLOC_FAIL; 4046 goto out; 4047 } 4048 4049 /* check preamble */ 4050 cp = sshbuf_ptr(blob); 4051 encoded_len = sshbuf_len(blob); 4052 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 4053 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 4054 r = SSH_ERR_INVALID_FORMAT; 4055 goto out; 4056 } 4057 cp += MARK_BEGIN_LEN; 4058 encoded_len -= MARK_BEGIN_LEN; 4059 4060 /* Look for end marker, removing whitespace as we go */ 4061 while (encoded_len > 0) { 4062 if (*cp != '\n' && *cp != '\r') { 4063 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 4064 goto out; 4065 } 4066 last = *cp; 4067 encoded_len--; 4068 cp++; 4069 if (last == '\n') { 4070 if (encoded_len >= MARK_END_LEN && 4071 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 4072 /* \0 terminate */ 4073 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 4074 goto out; 4075 break; 4076 } 4077 } 4078 } 4079 if (encoded_len == 0) { 4080 r = SSH_ERR_INVALID_FORMAT; 4081 goto out; 4082 } 4083 4084 /* decode base64 */ 4085 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 4086 goto out; 4087 4088 /* check magic */ 4089 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 4090 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 4091 r = SSH_ERR_INVALID_FORMAT; 4092 goto out; 4093 } 4094 /* parse public portion of key */ 4095 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 4096 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 4097 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 4098 (r = sshbuf_froms(decoded, &kdf)) != 0 || 4099 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 4100 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 4101 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 4102 goto out; 4103 4104 if ((cipher = cipher_by_name(ciphername)) == NULL) { 4105 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 4106 goto out; 4107 } 4108 if ((passphrase == NULL || strlen(passphrase) == 0) && 4109 strcmp(ciphername, "none") != 0) { 4110 /* passphrase required */ 4111 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4112 goto out; 4113 } 4114 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 4115 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 4116 goto out; 4117 } 4118 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 4119 r = SSH_ERR_INVALID_FORMAT; 4120 goto out; 4121 } 4122 if (nkeys != 1) { 4123 /* XXX only one key supported */ 4124 r = SSH_ERR_INVALID_FORMAT; 4125 goto out; 4126 } 4127 4128 /* check size of encrypted key blob */ 4129 blocksize = cipher_blocksize(cipher); 4130 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 4131 r = SSH_ERR_INVALID_FORMAT; 4132 goto out; 4133 } 4134 4135 /* setup key */ 4136 keylen = cipher_keylen(cipher); 4137 ivlen = cipher_ivlen(cipher); 4138 authlen = cipher_authlen(cipher); 4139 if ((key = calloc(1, keylen + ivlen)) == NULL) { 4140 r = SSH_ERR_ALLOC_FAIL; 4141 goto out; 4142 } 4143 if (strcmp(kdfname, "bcrypt") == 0) { 4144 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 4145 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 4146 goto out; 4147 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 4148 key, keylen + ivlen, rounds) < 0) { 4149 r = SSH_ERR_INVALID_FORMAT; 4150 goto out; 4151 } 4152 } 4153 4154 /* check that an appropriate amount of auth data is present */ 4155 if (sshbuf_len(decoded) < authlen || 4156 sshbuf_len(decoded) - authlen < encrypted_len) { 4157 r = SSH_ERR_INVALID_FORMAT; 4158 goto out; 4159 } 4160 4161 /* decrypt private portion of key */ 4162 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 4163 (r = cipher_init(&ciphercontext, cipher, key, keylen, 4164 key + keylen, ivlen, 0)) != 0) 4165 goto out; 4166 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 4167 encrypted_len, 0, authlen)) != 0) { 4168 /* an integrity error here indicates an incorrect passphrase */ 4169 if (r == SSH_ERR_MAC_INVALID) 4170 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4171 goto out; 4172 } 4173 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 4174 goto out; 4175 /* there should be no trailing data */ 4176 if (sshbuf_len(decoded) != 0) { 4177 r = SSH_ERR_INVALID_FORMAT; 4178 goto out; 4179 } 4180 4181 /* check check bytes */ 4182 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 4183 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 4184 goto out; 4185 if (check1 != check2) { 4186 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4187 goto out; 4188 } 4189 4190 /* Load the private key and comment */ 4191 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 4192 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 4193 goto out; 4194 4195 /* Check deterministic padding */ 4196 i = 0; 4197 while (sshbuf_len(decrypted)) { 4198 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 4199 goto out; 4200 if (pad != (++i & 0xff)) { 4201 r = SSH_ERR_INVALID_FORMAT; 4202 goto out; 4203 } 4204 } 4205 4206 /* XXX decode pubkey and check against private */ 4207 4208 /* success */ 4209 r = 0; 4210 if (keyp != NULL) { 4211 *keyp = k; 4212 k = NULL; 4213 } 4214 if (commentp != NULL) { 4215 *commentp = comment; 4216 comment = NULL; 4217 } 4218 out: 4219 pad = 0; 4220 cipher_free(ciphercontext); 4221 free(ciphername); 4222 free(kdfname); 4223 free(comment); 4224 if (salt != NULL) { 4225 explicit_bzero(salt, slen); 4226 free(salt); 4227 } 4228 if (key != NULL) { 4229 explicit_bzero(key, keylen + ivlen); 4230 free(key); 4231 } 4232 sshbuf_free(encoded); 4233 sshbuf_free(decoded); 4234 sshbuf_free(kdf); 4235 sshbuf_free(decrypted); 4236 sshkey_free(k); 4237 return r; 4238 } 4239 4240 4241 #ifdef WITH_OPENSSL 4242 /* convert SSH v2 key to PEM or PKCS#8 format */ 4243 static int 4244 sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, 4245 int format, const char *_passphrase, const char *comment) 4246 { 4247 int was_shielded = sshkey_is_shielded(key); 4248 int success, r; 4249 int blen, len = strlen(_passphrase); 4250 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 4251 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 4252 char *bptr; 4253 BIO *bio = NULL; 4254 struct sshbuf *blob; 4255 EVP_PKEY *pkey = NULL; 4256 4257 if (len > 0 && len <= 4) 4258 return SSH_ERR_PASSPHRASE_TOO_SHORT; 4259 if ((blob = sshbuf_new()) == NULL) 4260 return SSH_ERR_ALLOC_FAIL; 4261 if ((bio = BIO_new(BIO_s_mem())) == NULL) { 4262 r = SSH_ERR_ALLOC_FAIL; 4263 goto out; 4264 } 4265 if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) { 4266 r = SSH_ERR_ALLOC_FAIL; 4267 goto out; 4268 } 4269 if ((r = sshkey_unshield_private(key)) != 0) 4270 goto out; 4271 4272 switch (key->type) { 4273 case KEY_DSA: 4274 if (format == SSHKEY_PRIVATE_PEM) { 4275 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 4276 cipher, passphrase, len, NULL, NULL); 4277 } else { 4278 success = EVP_PKEY_set1_DSA(pkey, key->dsa); 4279 } 4280 break; 4281 case KEY_ECDSA: 4282 if (format == SSHKEY_PRIVATE_PEM) { 4283 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 4284 cipher, passphrase, len, NULL, NULL); 4285 } else { 4286 success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa); 4287 } 4288 break; 4289 case KEY_RSA: 4290 if (format == SSHKEY_PRIVATE_PEM) { 4291 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 4292 cipher, passphrase, len, NULL, NULL); 4293 } else { 4294 success = EVP_PKEY_set1_RSA(pkey, key->rsa); 4295 } 4296 break; 4297 default: 4298 success = 0; 4299 break; 4300 } 4301 if (success == 0) { 4302 r = SSH_ERR_LIBCRYPTO_ERROR; 4303 goto out; 4304 } 4305 if (format == SSHKEY_PRIVATE_PKCS8) { 4306 if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, 4307 passphrase, len, NULL, NULL)) == 0) { 4308 r = SSH_ERR_LIBCRYPTO_ERROR; 4309 goto out; 4310 } 4311 } 4312 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 4313 r = SSH_ERR_INTERNAL_ERROR; 4314 goto out; 4315 } 4316 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 4317 goto out; 4318 r = 0; 4319 out: 4320 if (was_shielded) 4321 r = sshkey_shield_private(key); 4322 if (r == 0) 4323 r = sshbuf_putb(buf, blob); 4324 4325 EVP_PKEY_free(pkey); 4326 sshbuf_free(blob); 4327 BIO_free(bio); 4328 return r; 4329 } 4330 #endif /* WITH_OPENSSL */ 4331 4332 /* Serialise "key" to buffer "blob" */ 4333 int 4334 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 4335 const char *passphrase, const char *comment, 4336 int format, const char *openssh_format_cipher, int openssh_format_rounds) 4337 { 4338 switch (key->type) { 4339 #ifdef WITH_OPENSSL 4340 case KEY_DSA: 4341 case KEY_ECDSA: 4342 case KEY_RSA: 4343 break; /* see below */ 4344 #endif /* WITH_OPENSSL */ 4345 case KEY_ED25519: 4346 case KEY_ED25519_SK: 4347 #ifdef WITH_XMSS 4348 case KEY_XMSS: 4349 #endif /* WITH_XMSS */ 4350 #ifdef WITH_OPENSSL 4351 case KEY_ECDSA_SK: 4352 #endif /* WITH_OPENSSL */ 4353 return sshkey_private_to_blob2(key, blob, passphrase, 4354 comment, openssh_format_cipher, openssh_format_rounds); 4355 default: 4356 return SSH_ERR_KEY_TYPE_UNKNOWN; 4357 } 4358 4359 #ifdef WITH_OPENSSL 4360 switch (format) { 4361 case SSHKEY_PRIVATE_OPENSSH: 4362 return sshkey_private_to_blob2(key, blob, passphrase, 4363 comment, openssh_format_cipher, openssh_format_rounds); 4364 case SSHKEY_PRIVATE_PEM: 4365 case SSHKEY_PRIVATE_PKCS8: 4366 return sshkey_private_to_blob_pem_pkcs8(key, blob, 4367 format, passphrase, comment); 4368 default: 4369 return SSH_ERR_INVALID_ARGUMENT; 4370 } 4371 #endif /* WITH_OPENSSL */ 4372 } 4373 4374 #ifdef WITH_OPENSSL 4375 static int 4376 translate_libcrypto_error(unsigned long pem_err) 4377 { 4378 int pem_reason = ERR_GET_REASON(pem_err); 4379 4380 switch (ERR_GET_LIB(pem_err)) { 4381 case ERR_LIB_PEM: 4382 switch (pem_reason) { 4383 case PEM_R_BAD_PASSWORD_READ: 4384 case PEM_R_PROBLEMS_GETTING_PASSWORD: 4385 case PEM_R_BAD_DECRYPT: 4386 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4387 default: 4388 return SSH_ERR_INVALID_FORMAT; 4389 } 4390 case ERR_LIB_EVP: 4391 switch (pem_reason) { 4392 case EVP_R_BAD_DECRYPT: 4393 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4394 #ifdef EVP_R_BN_DECODE_ERROR 4395 case EVP_R_BN_DECODE_ERROR: 4396 #endif 4397 case EVP_R_DECODE_ERROR: 4398 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 4399 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 4400 #endif 4401 return SSH_ERR_INVALID_FORMAT; 4402 default: 4403 return SSH_ERR_LIBCRYPTO_ERROR; 4404 } 4405 case ERR_LIB_ASN1: 4406 return SSH_ERR_INVALID_FORMAT; 4407 } 4408 return SSH_ERR_LIBCRYPTO_ERROR; 4409 } 4410 4411 static void 4412 clear_libcrypto_errors(void) 4413 { 4414 while (ERR_get_error() != 0) 4415 ; 4416 } 4417 4418 /* 4419 * Translate OpenSSL error codes to determine whether 4420 * passphrase is required/incorrect. 4421 */ 4422 static int 4423 convert_libcrypto_error(void) 4424 { 4425 /* 4426 * Some password errors are reported at the beginning 4427 * of the error queue. 4428 */ 4429 if (translate_libcrypto_error(ERR_peek_error()) == 4430 SSH_ERR_KEY_WRONG_PASSPHRASE) 4431 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4432 return translate_libcrypto_error(ERR_peek_last_error()); 4433 } 4434 4435 static int 4436 pem_passphrase_cb(char *buf, int size, int rwflag, void *u) 4437 { 4438 char *p = (char *)u; 4439 size_t len; 4440 4441 if (p == NULL || (len = strlen(p)) == 0) 4442 return -1; 4443 if (size < 0 || len > (size_t)size) 4444 return -1; 4445 memcpy(buf, p, len); 4446 return (int)len; 4447 } 4448 4449 static int 4450 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 4451 const char *passphrase, struct sshkey **keyp) 4452 { 4453 EVP_PKEY *pk = NULL; 4454 struct sshkey *prv = NULL; 4455 BIO *bio = NULL; 4456 int r; 4457 4458 if (keyp != NULL) 4459 *keyp = NULL; 4460 4461 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 4462 return SSH_ERR_ALLOC_FAIL; 4463 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 4464 (int)sshbuf_len(blob)) { 4465 r = SSH_ERR_ALLOC_FAIL; 4466 goto out; 4467 } 4468 4469 clear_libcrypto_errors(); 4470 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb, 4471 __UNCONST(passphrase))) == NULL) { 4472 /* 4473 * libcrypto may return various ASN.1 errors when attempting 4474 * to parse a key with an incorrect passphrase. 4475 * Treat all format errors as "incorrect passphrase" if a 4476 * passphrase was supplied. 4477 */ 4478 if (passphrase != NULL && *passphrase != '\0') 4479 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4480 else 4481 r = convert_libcrypto_error(); 4482 goto out; 4483 } 4484 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 4485 (type == KEY_UNSPEC || type == KEY_RSA)) { 4486 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4487 r = SSH_ERR_ALLOC_FAIL; 4488 goto out; 4489 } 4490 prv->rsa = EVP_PKEY_get1_RSA(pk); 4491 prv->type = KEY_RSA; 4492 #ifdef DEBUG_PK 4493 RSA_print_fp(stderr, prv->rsa, 8); 4494 #endif 4495 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 4496 r = SSH_ERR_LIBCRYPTO_ERROR; 4497 goto out; 4498 } 4499 if ((r = check_rsa_length(prv->rsa)) != 0) 4500 goto out; 4501 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 4502 (type == KEY_UNSPEC || type == KEY_DSA)) { 4503 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4504 r = SSH_ERR_ALLOC_FAIL; 4505 goto out; 4506 } 4507 prv->dsa = EVP_PKEY_get1_DSA(pk); 4508 prv->type = KEY_DSA; 4509 #ifdef DEBUG_PK 4510 DSA_print_fp(stderr, prv->dsa, 8); 4511 #endif 4512 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 4513 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 4514 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4515 r = SSH_ERR_ALLOC_FAIL; 4516 goto out; 4517 } 4518 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 4519 prv->type = KEY_ECDSA; 4520 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 4521 if (prv->ecdsa_nid == -1 || 4522 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 4523 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 4524 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 4525 sshkey_ec_validate_private(prv->ecdsa) != 0) { 4526 r = SSH_ERR_INVALID_FORMAT; 4527 goto out; 4528 } 4529 #ifdef DEBUG_PK 4530 if (prv != NULL && prv->ecdsa != NULL) 4531 sshkey_dump_ec_key(prv->ecdsa); 4532 #endif 4533 } else { 4534 r = SSH_ERR_INVALID_FORMAT; 4535 goto out; 4536 } 4537 r = 0; 4538 if (keyp != NULL) { 4539 *keyp = prv; 4540 prv = NULL; 4541 } 4542 out: 4543 BIO_free(bio); 4544 EVP_PKEY_free(pk); 4545 sshkey_free(prv); 4546 return r; 4547 } 4548 #endif /* WITH_OPENSSL */ 4549 4550 int 4551 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 4552 const char *passphrase, struct sshkey **keyp, char **commentp) 4553 { 4554 int r = SSH_ERR_INTERNAL_ERROR; 4555 4556 if (keyp != NULL) 4557 *keyp = NULL; 4558 if (commentp != NULL) 4559 *commentp = NULL; 4560 4561 switch (type) { 4562 #ifdef WITH_OPENSSL 4563 case KEY_DSA: 4564 case KEY_ECDSA: 4565 case KEY_RSA: 4566 return sshkey_parse_private_pem_fileblob(blob, type, 4567 passphrase, keyp); 4568 #endif /* WITH_OPENSSL */ 4569 case KEY_ED25519: 4570 #ifdef WITH_XMSS 4571 case KEY_XMSS: 4572 #endif /* WITH_XMSS */ 4573 return sshkey_parse_private2(blob, type, passphrase, 4574 keyp, commentp); 4575 case KEY_UNSPEC: 4576 r = sshkey_parse_private2(blob, type, passphrase, keyp, 4577 commentp); 4578 /* Do not fallback to PEM parser if only passphrase is wrong. */ 4579 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 4580 return r; 4581 #ifdef WITH_OPENSSL 4582 return sshkey_parse_private_pem_fileblob(blob, type, 4583 passphrase, keyp); 4584 #else 4585 return SSH_ERR_INVALID_FORMAT; 4586 #endif /* WITH_OPENSSL */ 4587 default: 4588 return SSH_ERR_KEY_TYPE_UNKNOWN; 4589 } 4590 } 4591 4592 int 4593 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 4594 struct sshkey **keyp, char **commentp) 4595 { 4596 if (keyp != NULL) 4597 *keyp = NULL; 4598 if (commentp != NULL) 4599 *commentp = NULL; 4600 4601 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 4602 passphrase, keyp, commentp); 4603 } 4604 4605 void 4606 sshkey_sig_details_free(struct sshkey_sig_details *details) 4607 { 4608 freezero(details, sizeof(*details)); 4609 } 4610 4611 #ifdef WITH_XMSS 4612 /* 4613 * serialize the key with the current state and forward the state 4614 * maxsign times. 4615 */ 4616 int 4617 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4618 u_int32_t maxsign, sshkey_printfn *pr) 4619 { 4620 int r, rupdate; 4621 4622 if (maxsign == 0 || 4623 sshkey_type_plain(k->type) != KEY_XMSS) 4624 return sshkey_private_serialize_opt(k, b, 4625 SSHKEY_SERIALIZE_DEFAULT); 4626 if ((r = sshkey_xmss_get_state(k, pr)) != 0 || 4627 (r = sshkey_private_serialize_opt(k, b, 4628 SSHKEY_SERIALIZE_STATE)) != 0 || 4629 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 4630 goto out; 4631 r = 0; 4632 out: 4633 if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) { 4634 if (r == 0) 4635 r = rupdate; 4636 } 4637 return r; 4638 } 4639 4640 u_int32_t 4641 sshkey_signatures_left(const struct sshkey *k) 4642 { 4643 if (sshkey_type_plain(k->type) == KEY_XMSS) 4644 return sshkey_xmss_signatures_left(k); 4645 return 0; 4646 } 4647 4648 int 4649 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4650 { 4651 if (sshkey_type_plain(k->type) != KEY_XMSS) 4652 return SSH_ERR_INVALID_ARGUMENT; 4653 return sshkey_xmss_enable_maxsign(k, maxsign); 4654 } 4655 4656 int 4657 sshkey_set_filename(struct sshkey *k, const char *filename) 4658 { 4659 if (k == NULL) 4660 return SSH_ERR_INVALID_ARGUMENT; 4661 if (sshkey_type_plain(k->type) != KEY_XMSS) 4662 return 0; 4663 if (filename == NULL) 4664 return SSH_ERR_INVALID_ARGUMENT; 4665 if ((k->xmss_filename = strdup(filename)) == NULL) 4666 return SSH_ERR_ALLOC_FAIL; 4667 return 0; 4668 } 4669 #else 4670 int 4671 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4672 u_int32_t maxsign, sshkey_printfn *pr) 4673 { 4674 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4675 } 4676 4677 u_int32_t 4678 sshkey_signatures_left(const struct sshkey *k) 4679 { 4680 return 0; 4681 } 4682 4683 int 4684 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4685 { 4686 return SSH_ERR_INVALID_ARGUMENT; 4687 } 4688 4689 int 4690 sshkey_set_filename(struct sshkey *k, const char *filename) 4691 { 4692 if (k == NULL) 4693 return SSH_ERR_INVALID_ARGUMENT; 4694 return 0; 4695 } 4696 #endif /* WITH_XMSS */ 4697