1 /* $NetBSD: sshkey.c,v 1.19 2019/04/20 17:16:40 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.73 2019/01/21 09:54:11 djm Exp $ */ 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 6 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 #include "includes.h" 29 __RCSID("$NetBSD: sshkey.c,v 1.19 2019/04/20 17:16:40 christos Exp $"); 30 31 #include <sys/types.h> 32 #include <netinet/in.h> 33 34 #ifdef WITH_OPENSSL 35 #include <openssl/evp.h> 36 #include <openssl/err.h> 37 #include <openssl/pem.h> 38 #endif 39 40 #include "crypto_api.h" 41 42 #include <errno.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <util.h> 46 #include <limits.h> 47 #include <resolv.h> 48 49 #include "ssh2.h" 50 #include "ssherr.h" 51 #include "misc.h" 52 #include "sshbuf.h" 53 #include "cipher.h" 54 #include "digest.h" 55 #define SSHKEY_INTERNAL 56 #include "sshkey.h" 57 #include "sshkey-xmss.h" 58 #include "match.h" 59 60 #include "xmss_fast.h" 61 62 /* openssh private key file format */ 63 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 64 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 65 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 66 #define MARK_END_LEN (sizeof(MARK_END) - 1) 67 #define KDFNAME "bcrypt" 68 #define AUTH_MAGIC "openssh-key-v1" 69 #define SALT_LEN 16 70 #define DEFAULT_CIPHERNAME "aes256-ctr" 71 #define DEFAULT_ROUNDS 16 72 73 /* Version identification string for SSH v1 identity files. */ 74 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 75 76 int sshkey_private_serialize_opt(const struct sshkey *key, 77 struct sshbuf *buf, enum sshkey_serialize_rep); 78 static int sshkey_from_blob_internal(struct sshbuf *buf, 79 struct sshkey **keyp, int allow_cert); 80 static int get_sigtype(const u_char *sig, size_t siglen, char **sigtypep); 81 82 /* Supported key types */ 83 struct keytype { 84 const char *name; 85 const char *shortname; 86 const char *sigalg; 87 int type; 88 int nid; 89 int cert; 90 int sigonly; 91 }; 92 static const struct keytype keytypes[] = { 93 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 94 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 95 KEY_ED25519_CERT, 0, 1, 0 }, 96 #ifdef WITH_XMSS 97 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 98 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 99 KEY_XMSS_CERT, 0, 1, 0 }, 100 #endif /* WITH_XMSS */ 101 #ifdef WITH_OPENSSL 102 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 103 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 104 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 105 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 106 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 107 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 108 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 109 KEY_ECDSA, NID_secp384r1, 0, 0 }, 110 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 111 KEY_ECDSA, NID_secp521r1, 0, 0 }, 112 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 113 KEY_RSA_CERT, 0, 1, 0 }, 114 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 115 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 116 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 117 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 118 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 119 KEY_DSA_CERT, 0, 1, 0 }, 120 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 121 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 122 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 123 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 124 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 125 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 126 #endif /* WITH_OPENSSL */ 127 { NULL, NULL, NULL, -1, -1, 0, 0 } 128 }; 129 130 const char * 131 sshkey_type(const struct sshkey *k) 132 { 133 const struct keytype *kt; 134 135 for (kt = keytypes; kt->type != -1; kt++) { 136 if (kt->type == k->type) 137 return kt->shortname; 138 } 139 return "unknown"; 140 } 141 142 static const char * 143 sshkey_ssh_name_from_type_nid(int type, int nid) 144 { 145 const struct keytype *kt; 146 147 for (kt = keytypes; kt->type != -1; kt++) { 148 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 149 return kt->name; 150 } 151 return "ssh-unknown"; 152 } 153 154 int 155 sshkey_type_is_cert(int type) 156 { 157 const struct keytype *kt; 158 159 for (kt = keytypes; kt->type != -1; kt++) { 160 if (kt->type == type) 161 return kt->cert; 162 } 163 return 0; 164 } 165 166 const char * 167 sshkey_ssh_name(const struct sshkey *k) 168 { 169 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 170 } 171 172 const char * 173 sshkey_ssh_name_plain(const struct sshkey *k) 174 { 175 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 176 k->ecdsa_nid); 177 } 178 179 int 180 sshkey_type_from_name(const char *name) 181 { 182 const struct keytype *kt; 183 184 for (kt = keytypes; kt->type != -1; kt++) { 185 /* Only allow shortname matches for plain key types */ 186 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 187 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 188 return kt->type; 189 } 190 return KEY_UNSPEC; 191 } 192 193 int 194 sshkey_ecdsa_nid_from_name(const char *name) 195 { 196 const struct keytype *kt; 197 198 for (kt = keytypes; kt->type != -1; kt++) { 199 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 200 continue; 201 if (kt->name != NULL && strcmp(name, kt->name) == 0) 202 return kt->nid; 203 } 204 return -1; 205 } 206 207 char * 208 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 209 { 210 char *tmp, *ret = NULL; 211 size_t nlen, rlen = 0; 212 const struct keytype *kt; 213 214 for (kt = keytypes; kt->type != -1; kt++) { 215 if (kt->name == NULL) 216 continue; 217 if (!include_sigonly && kt->sigonly) 218 continue; 219 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 220 continue; 221 if (ret != NULL) 222 ret[rlen++] = sep; 223 nlen = strlen(kt->name); 224 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 225 free(ret); 226 return NULL; 227 } 228 ret = tmp; 229 memcpy(ret + rlen, kt->name, nlen + 1); 230 rlen += nlen; 231 } 232 return ret; 233 } 234 235 int 236 sshkey_names_valid2(const char *names, int allow_wildcard) 237 { 238 char *s, *cp, *p; 239 const struct keytype *kt; 240 int type; 241 242 if (names == NULL || strcmp(names, "") == 0) 243 return 0; 244 if ((s = cp = strdup(names)) == NULL) 245 return 0; 246 for ((p = strsep(&cp, ",")); p && *p != '\0'; 247 (p = strsep(&cp, ","))) { 248 type = sshkey_type_from_name(p); 249 if (type == KEY_UNSPEC) { 250 if (allow_wildcard) { 251 /* 252 * Try matching key types against the string. 253 * If any has a positive or negative match then 254 * the component is accepted. 255 */ 256 for (kt = keytypes; kt->type != -1; kt++) { 257 if (match_pattern_list(kt->name, 258 p, 0) != 0) 259 break; 260 } 261 if (kt->type != -1) 262 continue; 263 } 264 free(s); 265 return 0; 266 } 267 } 268 free(s); 269 return 1; 270 } 271 272 u_int 273 sshkey_size(const struct sshkey *k) 274 { 275 #ifdef WITH_OPENSSL 276 const BIGNUM *rsa_n, *dsa_p; 277 #endif /* WITH_OPENSSL */ 278 279 switch (k->type) { 280 #ifdef WITH_OPENSSL 281 case KEY_RSA: 282 case KEY_RSA_CERT: 283 if (k->rsa == NULL) 284 return 0; 285 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 286 return BN_num_bits(rsa_n); 287 case KEY_DSA: 288 case KEY_DSA_CERT: 289 if (k->dsa == NULL) 290 return 0; 291 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 292 return BN_num_bits(dsa_p); 293 case KEY_ECDSA: 294 case KEY_ECDSA_CERT: 295 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 296 #endif /* WITH_OPENSSL */ 297 case KEY_ED25519: 298 case KEY_ED25519_CERT: 299 case KEY_XMSS: 300 case KEY_XMSS_CERT: 301 return 256; /* XXX */ 302 } 303 return 0; 304 } 305 306 static int 307 sshkey_type_is_valid_ca(int type) 308 { 309 switch (type) { 310 case KEY_RSA: 311 case KEY_DSA: 312 case KEY_ECDSA: 313 case KEY_ED25519: 314 case KEY_XMSS: 315 return 1; 316 default: 317 return 0; 318 } 319 } 320 321 int 322 sshkey_is_cert(const struct sshkey *k) 323 { 324 if (k == NULL) 325 return 0; 326 return sshkey_type_is_cert(k->type); 327 } 328 329 /* Return the cert-less equivalent to a certified key type */ 330 int 331 sshkey_type_plain(int type) 332 { 333 switch (type) { 334 case KEY_RSA_CERT: 335 return KEY_RSA; 336 case KEY_DSA_CERT: 337 return KEY_DSA; 338 case KEY_ECDSA_CERT: 339 return KEY_ECDSA; 340 case KEY_ED25519_CERT: 341 return KEY_ED25519; 342 case KEY_XMSS_CERT: 343 return KEY_XMSS; 344 default: 345 return type; 346 } 347 } 348 349 #ifdef WITH_OPENSSL 350 /* XXX: these are really begging for a table-driven approach */ 351 int 352 sshkey_curve_name_to_nid(const char *name) 353 { 354 if (strcmp(name, "nistp256") == 0) 355 return NID_X9_62_prime256v1; 356 else if (strcmp(name, "nistp384") == 0) 357 return NID_secp384r1; 358 else if (strcmp(name, "nistp521") == 0) 359 return NID_secp521r1; 360 else 361 return -1; 362 } 363 364 u_int 365 sshkey_curve_nid_to_bits(int nid) 366 { 367 switch (nid) { 368 case NID_X9_62_prime256v1: 369 return 256; 370 case NID_secp384r1: 371 return 384; 372 case NID_secp521r1: 373 return 521; 374 default: 375 return 0; 376 } 377 } 378 379 int 380 sshkey_ecdsa_bits_to_nid(int bits) 381 { 382 switch (bits) { 383 case 256: 384 return NID_X9_62_prime256v1; 385 case 384: 386 return NID_secp384r1; 387 case 521: 388 return NID_secp521r1; 389 default: 390 return -1; 391 } 392 } 393 394 const char * 395 sshkey_curve_nid_to_name(int nid) 396 { 397 switch (nid) { 398 case NID_X9_62_prime256v1: 399 return "nistp256"; 400 case NID_secp384r1: 401 return "nistp384"; 402 case NID_secp521r1: 403 return "nistp521"; 404 default: 405 return NULL; 406 } 407 } 408 409 int 410 sshkey_ec_nid_to_hash_alg(int nid) 411 { 412 int kbits = sshkey_curve_nid_to_bits(nid); 413 414 if (kbits <= 0) 415 return -1; 416 417 /* RFC5656 section 6.2.1 */ 418 if (kbits <= 256) 419 return SSH_DIGEST_SHA256; 420 else if (kbits <= 384) 421 return SSH_DIGEST_SHA384; 422 else 423 return SSH_DIGEST_SHA512; 424 } 425 #endif /* WITH_OPENSSL */ 426 427 static void 428 cert_free(struct sshkey_cert *cert) 429 { 430 u_int i; 431 432 if (cert == NULL) 433 return; 434 sshbuf_free(cert->certblob); 435 sshbuf_free(cert->critical); 436 sshbuf_free(cert->extensions); 437 free(cert->key_id); 438 for (i = 0; i < cert->nprincipals; i++) 439 free(cert->principals[i]); 440 free(cert->principals); 441 sshkey_free(cert->signature_key); 442 free(cert->signature_type); 443 freezero(cert, sizeof(*cert)); 444 } 445 446 static struct sshkey_cert * 447 cert_new(void) 448 { 449 struct sshkey_cert *cert; 450 451 if ((cert = calloc(1, sizeof(*cert))) == NULL) 452 return NULL; 453 if ((cert->certblob = sshbuf_new()) == NULL || 454 (cert->critical = sshbuf_new()) == NULL || 455 (cert->extensions = sshbuf_new()) == NULL) { 456 cert_free(cert); 457 return NULL; 458 } 459 cert->key_id = NULL; 460 cert->principals = NULL; 461 cert->signature_key = NULL; 462 cert->signature_type = NULL; 463 return cert; 464 } 465 466 struct sshkey * 467 sshkey_new(int type) 468 { 469 struct sshkey *k; 470 #ifdef WITH_OPENSSL 471 RSA *rsa; 472 DSA *dsa; 473 #endif /* WITH_OPENSSL */ 474 475 if ((k = calloc(1, sizeof(*k))) == NULL) 476 return NULL; 477 k->type = type; 478 k->ecdsa = NULL; 479 k->ecdsa_nid = -1; 480 k->dsa = NULL; 481 k->rsa = NULL; 482 k->cert = NULL; 483 k->ed25519_sk = NULL; 484 k->ed25519_pk = NULL; 485 k->xmss_sk = NULL; 486 k->xmss_pk = NULL; 487 switch (k->type) { 488 #ifdef WITH_OPENSSL 489 case KEY_RSA: 490 case KEY_RSA_CERT: 491 if ((rsa = RSA_new()) == NULL) { 492 free(k); 493 return NULL; 494 } 495 k->rsa = rsa; 496 break; 497 case KEY_DSA: 498 case KEY_DSA_CERT: 499 if ((dsa = DSA_new()) == NULL) { 500 free(k); 501 return NULL; 502 } 503 k->dsa = dsa; 504 break; 505 case KEY_ECDSA: 506 case KEY_ECDSA_CERT: 507 /* Cannot do anything until we know the group */ 508 break; 509 #endif /* WITH_OPENSSL */ 510 case KEY_ED25519: 511 case KEY_ED25519_CERT: 512 case KEY_XMSS: 513 case KEY_XMSS_CERT: 514 /* no need to prealloc */ 515 break; 516 case KEY_UNSPEC: 517 break; 518 default: 519 free(k); 520 return NULL; 521 } 522 523 if (sshkey_is_cert(k)) { 524 if ((k->cert = cert_new()) == NULL) { 525 sshkey_free(k); 526 return NULL; 527 } 528 } 529 530 return k; 531 } 532 533 void 534 sshkey_free(struct sshkey *k) 535 { 536 if (k == NULL) 537 return; 538 switch (k->type) { 539 #ifdef WITH_OPENSSL 540 case KEY_RSA: 541 case KEY_RSA_CERT: 542 RSA_free(k->rsa); 543 k->rsa = NULL; 544 break; 545 case KEY_DSA: 546 case KEY_DSA_CERT: 547 DSA_free(k->dsa); 548 k->dsa = NULL; 549 break; 550 case KEY_ECDSA: 551 case KEY_ECDSA_CERT: 552 EC_KEY_free(k->ecdsa); 553 k->ecdsa = NULL; 554 break; 555 #endif /* WITH_OPENSSL */ 556 case KEY_ED25519: 557 case KEY_ED25519_CERT: 558 freezero(k->ed25519_pk, ED25519_PK_SZ); 559 k->ed25519_pk = NULL; 560 freezero(k->ed25519_sk, ED25519_SK_SZ); 561 k->ed25519_sk = NULL; 562 break; 563 #ifdef WITH_XMSS 564 case KEY_XMSS: 565 case KEY_XMSS_CERT: 566 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 567 k->xmss_pk = NULL; 568 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 569 k->xmss_sk = NULL; 570 sshkey_xmss_free_state(k); 571 free(k->xmss_name); 572 k->xmss_name = NULL; 573 free(k->xmss_filename); 574 k->xmss_filename = NULL; 575 break; 576 #endif /* WITH_XMSS */ 577 case KEY_UNSPEC: 578 break; 579 default: 580 break; 581 } 582 if (sshkey_is_cert(k)) 583 cert_free(k->cert); 584 freezero(k, sizeof(*k)); 585 } 586 587 static int 588 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 589 { 590 if (a == NULL && b == NULL) 591 return 1; 592 if (a == NULL || b == NULL) 593 return 0; 594 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 595 return 0; 596 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 597 sshbuf_len(a->certblob)) != 0) 598 return 0; 599 return 1; 600 } 601 602 /* 603 * Compare public portions of key only, allowing comparisons between 604 * certificates and plain keys too. 605 */ 606 int 607 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 608 { 609 #ifdef WITH_OPENSSL 610 BN_CTX *bnctx; 611 const BIGNUM *rsa_e_a, *rsa_n_a; 612 const BIGNUM *rsa_e_b, *rsa_n_b; 613 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 614 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 615 #endif /* WITH_OPENSSL */ 616 617 if (a == NULL || b == NULL || 618 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 619 return 0; 620 621 switch (a->type) { 622 #ifdef WITH_OPENSSL 623 case KEY_RSA_CERT: 624 case KEY_RSA: 625 if (a->rsa == NULL || b->rsa == NULL) 626 return 0; 627 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 628 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 629 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 630 BN_cmp(rsa_n_a, rsa_n_b) == 0; 631 case KEY_DSA_CERT: 632 case KEY_DSA: 633 if (a->dsa == NULL || b->dsa == NULL) 634 return 0; 635 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 636 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 637 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 638 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 639 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 640 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 641 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 642 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 643 case KEY_ECDSA_CERT: 644 case KEY_ECDSA: 645 if (a->ecdsa == NULL || b->ecdsa == NULL || 646 EC_KEY_get0_public_key(a->ecdsa) == NULL || 647 EC_KEY_get0_public_key(b->ecdsa) == NULL) 648 return 0; 649 if ((bnctx = BN_CTX_new()) == NULL) 650 return 0; 651 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 652 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 653 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 654 EC_KEY_get0_public_key(a->ecdsa), 655 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 656 BN_CTX_free(bnctx); 657 return 0; 658 } 659 BN_CTX_free(bnctx); 660 return 1; 661 #endif /* WITH_OPENSSL */ 662 case KEY_ED25519: 663 case KEY_ED25519_CERT: 664 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 665 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 666 #ifdef WITH_XMSS 667 case KEY_XMSS: 668 case KEY_XMSS_CERT: 669 return a->xmss_pk != NULL && b->xmss_pk != NULL && 670 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 671 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 672 #endif /* WITH_XMSS */ 673 default: 674 return 0; 675 } 676 /* NOTREACHED */ 677 } 678 679 int 680 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 681 { 682 if (a == NULL || b == NULL || a->type != b->type) 683 return 0; 684 if (sshkey_is_cert(a)) { 685 if (!cert_compare(a->cert, b->cert)) 686 return 0; 687 } 688 return sshkey_equal_public(a, b); 689 } 690 691 static int 692 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 693 enum sshkey_serialize_rep opts) 694 { 695 int type, ret = SSH_ERR_INTERNAL_ERROR; 696 const char *typename; 697 #ifdef WITH_OPENSSL 698 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 699 #endif /* WITH_OPENSSL */ 700 701 if (key == NULL) 702 return SSH_ERR_INVALID_ARGUMENT; 703 704 if (sshkey_is_cert(key)) { 705 if (key->cert == NULL) 706 return SSH_ERR_EXPECTED_CERT; 707 if (sshbuf_len(key->cert->certblob) == 0) 708 return SSH_ERR_KEY_LACKS_CERTBLOB; 709 } 710 type = force_plain ? sshkey_type_plain(key->type) : key->type; 711 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 712 713 switch (type) { 714 #ifdef WITH_OPENSSL 715 case KEY_DSA_CERT: 716 case KEY_ECDSA_CERT: 717 case KEY_RSA_CERT: 718 #endif /* WITH_OPENSSL */ 719 case KEY_ED25519_CERT: 720 #ifdef WITH_XMSS 721 case KEY_XMSS_CERT: 722 #endif /* WITH_XMSS */ 723 /* Use the existing blob */ 724 /* XXX modified flag? */ 725 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 726 return ret; 727 break; 728 #ifdef WITH_OPENSSL 729 case KEY_DSA: 730 if (key->dsa == NULL) 731 return SSH_ERR_INVALID_ARGUMENT; 732 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 733 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 734 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 735 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 736 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 737 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 738 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 739 return ret; 740 break; 741 case KEY_ECDSA: 742 if (key->ecdsa == NULL) 743 return SSH_ERR_INVALID_ARGUMENT; 744 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 745 (ret = sshbuf_put_cstring(b, 746 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 747 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 748 return ret; 749 break; 750 case KEY_RSA: 751 if (key->rsa == NULL) 752 return SSH_ERR_INVALID_ARGUMENT; 753 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 754 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 755 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 756 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 757 return ret; 758 break; 759 #endif /* WITH_OPENSSL */ 760 case KEY_ED25519: 761 if (key->ed25519_pk == NULL) 762 return SSH_ERR_INVALID_ARGUMENT; 763 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 764 (ret = sshbuf_put_string(b, 765 key->ed25519_pk, ED25519_PK_SZ)) != 0) 766 return ret; 767 break; 768 #ifdef WITH_XMSS 769 case KEY_XMSS: 770 if (key->xmss_name == NULL || key->xmss_pk == NULL || 771 sshkey_xmss_pklen(key) == 0) 772 return SSH_ERR_INVALID_ARGUMENT; 773 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 774 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 775 (ret = sshbuf_put_string(b, 776 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 777 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 778 return ret; 779 break; 780 #endif /* WITH_XMSS */ 781 default: 782 return SSH_ERR_KEY_TYPE_UNKNOWN; 783 } 784 return 0; 785 } 786 787 int 788 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 789 { 790 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 791 } 792 793 int 794 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 795 enum sshkey_serialize_rep opts) 796 { 797 struct sshbuf *tmp; 798 int r; 799 800 if ((tmp = sshbuf_new()) == NULL) 801 return SSH_ERR_ALLOC_FAIL; 802 r = to_blob_buf(key, tmp, 0, opts); 803 if (r == 0) 804 r = sshbuf_put_stringb(b, tmp); 805 sshbuf_free(tmp); 806 return r; 807 } 808 809 int 810 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 811 { 812 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 813 } 814 815 int 816 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 817 { 818 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 819 } 820 821 static int 822 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 823 enum sshkey_serialize_rep opts) 824 { 825 int ret = SSH_ERR_INTERNAL_ERROR; 826 size_t len; 827 struct sshbuf *b = NULL; 828 829 if (lenp != NULL) 830 *lenp = 0; 831 if (blobp != NULL) 832 *blobp = NULL; 833 if ((b = sshbuf_new()) == NULL) 834 return SSH_ERR_ALLOC_FAIL; 835 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 836 goto out; 837 len = sshbuf_len(b); 838 if (lenp != NULL) 839 *lenp = len; 840 if (blobp != NULL) { 841 if ((*blobp = malloc(len)) == NULL) { 842 ret = SSH_ERR_ALLOC_FAIL; 843 goto out; 844 } 845 memcpy(*blobp, sshbuf_ptr(b), len); 846 } 847 ret = 0; 848 out: 849 sshbuf_free(b); 850 return ret; 851 } 852 853 int 854 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 855 { 856 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 857 } 858 859 int 860 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 861 { 862 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 863 } 864 865 int 866 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 867 u_char **retp, size_t *lenp) 868 { 869 u_char *blob = NULL, *ret = NULL; 870 size_t blob_len = 0; 871 int r = SSH_ERR_INTERNAL_ERROR; 872 873 if (retp != NULL) 874 *retp = NULL; 875 if (lenp != NULL) 876 *lenp = 0; 877 if (ssh_digest_bytes(dgst_alg) == 0) { 878 r = SSH_ERR_INVALID_ARGUMENT; 879 goto out; 880 } 881 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 882 != 0) 883 goto out; 884 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 885 r = SSH_ERR_ALLOC_FAIL; 886 goto out; 887 } 888 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 889 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 890 goto out; 891 /* success */ 892 if (retp != NULL) { 893 *retp = ret; 894 ret = NULL; 895 } 896 if (lenp != NULL) 897 *lenp = ssh_digest_bytes(dgst_alg); 898 r = 0; 899 out: 900 free(ret); 901 if (blob != NULL) { 902 explicit_bzero(blob, blob_len); 903 free(blob); 904 } 905 return r; 906 } 907 908 static char * 909 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 910 { 911 char *ret; 912 size_t plen = strlen(alg) + 1; 913 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 914 int r; 915 916 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 917 return NULL; 918 strlcpy(ret, alg, rlen); 919 strlcat(ret, ":", rlen); 920 if (dgst_raw_len == 0) 921 return ret; 922 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 923 ret + plen, rlen - plen)) == -1) { 924 freezero(ret, rlen); 925 return NULL; 926 } 927 /* Trim padding characters from end */ 928 ret[strcspn(ret, "=")] = '\0'; 929 return ret; 930 } 931 932 static char * 933 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 934 { 935 char *retval, hex[5]; 936 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 937 938 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 939 return NULL; 940 strlcpy(retval, alg, rlen); 941 strlcat(retval, ":", rlen); 942 for (i = 0; i < dgst_raw_len; i++) { 943 snprintf(hex, sizeof(hex), "%s%02x", 944 i > 0 ? ":" : "", dgst_raw[i]); 945 strlcat(retval, hex, rlen); 946 } 947 return retval; 948 } 949 950 static char * 951 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 952 { 953 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 954 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 955 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 956 u_int i, j = 0, rounds, seed = 1; 957 char *retval; 958 959 rounds = (dgst_raw_len / 2) + 1; 960 if ((retval = calloc(rounds, 6)) == NULL) 961 return NULL; 962 retval[j++] = 'x'; 963 for (i = 0; i < rounds; i++) { 964 u_int idx0, idx1, idx2, idx3, idx4; 965 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 966 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 967 seed) % 6; 968 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 969 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 970 (seed / 6)) % 6; 971 retval[j++] = vowels[idx0]; 972 retval[j++] = consonants[idx1]; 973 retval[j++] = vowels[idx2]; 974 if ((i + 1) < rounds) { 975 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 976 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 977 retval[j++] = consonants[idx3]; 978 retval[j++] = '-'; 979 retval[j++] = consonants[idx4]; 980 seed = ((seed * 5) + 981 ((((u_int)(dgst_raw[2 * i])) * 7) + 982 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 983 } 984 } else { 985 idx0 = seed % 6; 986 idx1 = 16; 987 idx2 = seed / 6; 988 retval[j++] = vowels[idx0]; 989 retval[j++] = consonants[idx1]; 990 retval[j++] = vowels[idx2]; 991 } 992 } 993 retval[j++] = 'x'; 994 retval[j++] = '\0'; 995 return retval; 996 } 997 998 /* 999 * Draw an ASCII-Art representing the fingerprint so human brain can 1000 * profit from its built-in pattern recognition ability. 1001 * This technique is called "random art" and can be found in some 1002 * scientific publications like this original paper: 1003 * 1004 * "Hash Visualization: a New Technique to improve Real-World Security", 1005 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1006 * Techniques and E-Commerce (CrypTEC '99) 1007 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1008 * 1009 * The subject came up in a talk by Dan Kaminsky, too. 1010 * 1011 * If you see the picture is different, the key is different. 1012 * If the picture looks the same, you still know nothing. 1013 * 1014 * The algorithm used here is a worm crawling over a discrete plane, 1015 * leaving a trace (augmenting the field) everywhere it goes. 1016 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1017 * makes the respective movement vector be ignored for this turn. 1018 * Graphs are not unambiguous, because circles in graphs can be 1019 * walked in either direction. 1020 */ 1021 1022 /* 1023 * Field sizes for the random art. Have to be odd, so the starting point 1024 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1025 * Else pictures would be too dense, and drawing the frame would 1026 * fail, too, because the key type would not fit in anymore. 1027 */ 1028 #define FLDBASE 8 1029 #define FLDSIZE_Y (FLDBASE + 1) 1030 #define FLDSIZE_X (FLDBASE * 2 + 1) 1031 static char * 1032 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1033 const struct sshkey *k) 1034 { 1035 /* 1036 * Chars to be used after each other every time the worm 1037 * intersects with itself. Matter of taste. 1038 */ 1039 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1040 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1041 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1042 size_t i, tlen, hlen; 1043 u_int b; 1044 int x, y, r; 1045 size_t len = strlen(augmentation_string) - 1; 1046 1047 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1048 return NULL; 1049 1050 /* initialize field */ 1051 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1052 x = FLDSIZE_X / 2; 1053 y = FLDSIZE_Y / 2; 1054 1055 /* process raw key */ 1056 for (i = 0; i < dgst_raw_len; i++) { 1057 int input; 1058 /* each byte conveys four 2-bit move commands */ 1059 input = dgst_raw[i]; 1060 for (b = 0; b < 4; b++) { 1061 /* evaluate 2 bit, rest is shifted later */ 1062 x += (input & 0x1) ? 1 : -1; 1063 y += (input & 0x2) ? 1 : -1; 1064 1065 /* assure we are still in bounds */ 1066 x = MAXIMUM(x, 0); 1067 y = MAXIMUM(y, 0); 1068 x = MINIMUM(x, FLDSIZE_X - 1); 1069 y = MINIMUM(y, FLDSIZE_Y - 1); 1070 1071 /* augment the field */ 1072 if (field[x][y] < len - 2) 1073 field[x][y]++; 1074 input = input >> 2; 1075 } 1076 } 1077 1078 /* mark starting point and end point*/ 1079 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1080 field[x][y] = len; 1081 1082 /* assemble title */ 1083 r = snprintf(title, sizeof(title), "[%s %u]", 1084 sshkey_type(k), sshkey_size(k)); 1085 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1086 if (r < 0 || r > (int)sizeof(title)) 1087 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1088 tlen = (r <= 0) ? 0 : strlen(title); 1089 1090 /* assemble hash ID. */ 1091 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1092 hlen = (r <= 0) ? 0 : strlen(hash); 1093 1094 /* output upper border */ 1095 p = retval; 1096 *p++ = '+'; 1097 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1098 *p++ = '-'; 1099 memcpy(p, title, tlen); 1100 p += tlen; 1101 for (i += tlen; i < FLDSIZE_X; i++) 1102 *p++ = '-'; 1103 *p++ = '+'; 1104 *p++ = '\n'; 1105 1106 /* output content */ 1107 for (y = 0; y < FLDSIZE_Y; y++) { 1108 *p++ = '|'; 1109 for (x = 0; x < FLDSIZE_X; x++) 1110 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1111 *p++ = '|'; 1112 *p++ = '\n'; 1113 } 1114 1115 /* output lower border */ 1116 *p++ = '+'; 1117 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1118 *p++ = '-'; 1119 memcpy(p, hash, hlen); 1120 p += hlen; 1121 for (i += hlen; i < FLDSIZE_X; i++) 1122 *p++ = '-'; 1123 *p++ = '+'; 1124 1125 return retval; 1126 } 1127 1128 char * 1129 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1130 enum sshkey_fp_rep dgst_rep) 1131 { 1132 char *retval = NULL; 1133 u_char *dgst_raw; 1134 size_t dgst_raw_len; 1135 1136 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1137 return NULL; 1138 switch (dgst_rep) { 1139 case SSH_FP_DEFAULT: 1140 if (dgst_alg == SSH_DIGEST_MD5) { 1141 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1142 dgst_raw, dgst_raw_len); 1143 } else { 1144 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1145 dgst_raw, dgst_raw_len); 1146 } 1147 break; 1148 case SSH_FP_HEX: 1149 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1150 dgst_raw, dgst_raw_len); 1151 break; 1152 case SSH_FP_BASE64: 1153 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1154 dgst_raw, dgst_raw_len); 1155 break; 1156 case SSH_FP_BUBBLEBABBLE: 1157 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1158 break; 1159 case SSH_FP_RANDOMART: 1160 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1161 dgst_raw, dgst_raw_len, k); 1162 break; 1163 default: 1164 explicit_bzero(dgst_raw, dgst_raw_len); 1165 free(dgst_raw); 1166 return NULL; 1167 } 1168 explicit_bzero(dgst_raw, dgst_raw_len); 1169 free(dgst_raw); 1170 return retval; 1171 } 1172 1173 static int 1174 peek_type_nid(const char *s, size_t l, int *nid) 1175 { 1176 const struct keytype *kt; 1177 1178 for (kt = keytypes; kt->type != -1; kt++) { 1179 if (kt->name == NULL || strlen(kt->name) != l) 1180 continue; 1181 if (memcmp(s, kt->name, l) == 0) { 1182 *nid = -1; 1183 if (kt->type == KEY_ECDSA || kt->type == KEY_ECDSA_CERT) 1184 *nid = kt->nid; 1185 return kt->type; 1186 } 1187 } 1188 return KEY_UNSPEC; 1189 } 1190 1191 1192 /* XXX this can now be made const char * */ 1193 int 1194 sshkey_read(struct sshkey *ret, char **cpp) 1195 { 1196 struct sshkey *k; 1197 char *cp, *blobcopy; 1198 size_t space; 1199 int r, type, curve_nid = -1; 1200 struct sshbuf *blob; 1201 1202 if (ret == NULL) 1203 return SSH_ERR_INVALID_ARGUMENT; 1204 1205 switch (ret->type) { 1206 case KEY_UNSPEC: 1207 case KEY_RSA: 1208 case KEY_DSA: 1209 case KEY_ECDSA: 1210 case KEY_ED25519: 1211 case KEY_DSA_CERT: 1212 case KEY_ECDSA_CERT: 1213 case KEY_RSA_CERT: 1214 case KEY_ED25519_CERT: 1215 #ifdef WITH_XMSS 1216 case KEY_XMSS: 1217 case KEY_XMSS_CERT: 1218 #endif /* WITH_XMSS */ 1219 break; /* ok */ 1220 default: 1221 return SSH_ERR_INVALID_ARGUMENT; 1222 } 1223 1224 /* Decode type */ 1225 cp = *cpp; 1226 space = strcspn(cp, " \t"); 1227 if (space == strlen(cp)) 1228 return SSH_ERR_INVALID_FORMAT; 1229 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1230 return SSH_ERR_INVALID_FORMAT; 1231 1232 /* skip whitespace */ 1233 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1234 ; 1235 if (*cp == '\0') 1236 return SSH_ERR_INVALID_FORMAT; 1237 if (ret->type != KEY_UNSPEC && ret->type != type) 1238 return SSH_ERR_KEY_TYPE_MISMATCH; 1239 if ((blob = sshbuf_new()) == NULL) 1240 return SSH_ERR_ALLOC_FAIL; 1241 1242 /* find end of keyblob and decode */ 1243 space = strcspn(cp, " \t"); 1244 if ((blobcopy = strndup(cp, space)) == NULL) { 1245 sshbuf_free(blob); 1246 return SSH_ERR_ALLOC_FAIL; 1247 } 1248 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1249 free(blobcopy); 1250 sshbuf_free(blob); 1251 return r; 1252 } 1253 free(blobcopy); 1254 if ((r = sshkey_fromb(blob, &k)) != 0) { 1255 sshbuf_free(blob); 1256 return r; 1257 } 1258 sshbuf_free(blob); 1259 1260 /* skip whitespace and leave cp at start of comment */ 1261 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1262 ; 1263 1264 /* ensure type of blob matches type at start of line */ 1265 if (k->type != type) { 1266 sshkey_free(k); 1267 return SSH_ERR_KEY_TYPE_MISMATCH; 1268 } 1269 if (sshkey_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) { 1270 sshkey_free(k); 1271 return SSH_ERR_EC_CURVE_MISMATCH; 1272 } 1273 1274 /* Fill in ret from parsed key */ 1275 ret->type = type; 1276 if (sshkey_is_cert(ret)) { 1277 if (!sshkey_is_cert(k)) { 1278 sshkey_free(k); 1279 return SSH_ERR_EXPECTED_CERT; 1280 } 1281 if (ret->cert != NULL) 1282 cert_free(ret->cert); 1283 ret->cert = k->cert; 1284 k->cert = NULL; 1285 } 1286 switch (sshkey_type_plain(ret->type)) { 1287 #ifdef WITH_OPENSSL 1288 case KEY_RSA: 1289 RSA_free(ret->rsa); 1290 ret->rsa = k->rsa; 1291 k->rsa = NULL; 1292 #ifdef DEBUG_PK 1293 RSA_print_fp(stderr, ret->rsa, 8); 1294 #endif 1295 break; 1296 case KEY_DSA: 1297 DSA_free(ret->dsa); 1298 ret->dsa = k->dsa; 1299 k->dsa = NULL; 1300 #ifdef DEBUG_PK 1301 DSA_print_fp(stderr, ret->dsa, 8); 1302 #endif 1303 break; 1304 case KEY_ECDSA: 1305 EC_KEY_free(ret->ecdsa); 1306 ret->ecdsa = k->ecdsa; 1307 ret->ecdsa_nid = k->ecdsa_nid; 1308 k->ecdsa = NULL; 1309 k->ecdsa_nid = -1; 1310 #ifdef DEBUG_PK 1311 sshkey_dump_ec_key(ret->ecdsa); 1312 #endif 1313 break; 1314 #endif /* WITH_OPENSSL */ 1315 case KEY_ED25519: 1316 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1317 ret->ed25519_pk = k->ed25519_pk; 1318 k->ed25519_pk = NULL; 1319 #ifdef DEBUG_PK 1320 /* XXX */ 1321 #endif 1322 break; 1323 #ifdef WITH_XMSS 1324 case KEY_XMSS: 1325 free(ret->xmss_pk); 1326 ret->xmss_pk = k->xmss_pk; 1327 k->xmss_pk = NULL; 1328 free(ret->xmss_state); 1329 ret->xmss_state = k->xmss_state; 1330 k->xmss_state = NULL; 1331 free(ret->xmss_name); 1332 ret->xmss_name = k->xmss_name; 1333 k->xmss_name = NULL; 1334 free(ret->xmss_filename); 1335 ret->xmss_filename = k->xmss_filename; 1336 k->xmss_filename = NULL; 1337 #ifdef DEBUG_PK 1338 /* XXX */ 1339 #endif 1340 break; 1341 #endif /* WITH_XMSS */ 1342 default: 1343 sshkey_free(k); 1344 return SSH_ERR_INTERNAL_ERROR; 1345 } 1346 sshkey_free(k); 1347 1348 /* success */ 1349 *cpp = cp; 1350 return 0; 1351 } 1352 1353 int 1354 sshkey_to_base64(const struct sshkey *key, char **b64p) 1355 { 1356 int r = SSH_ERR_INTERNAL_ERROR; 1357 struct sshbuf *b = NULL; 1358 char *uu = NULL; 1359 1360 if (b64p != NULL) 1361 *b64p = NULL; 1362 if ((b = sshbuf_new()) == NULL) 1363 return SSH_ERR_ALLOC_FAIL; 1364 if ((r = sshkey_putb(key, b)) != 0) 1365 goto out; 1366 if ((uu = sshbuf_dtob64(b)) == NULL) { 1367 r = SSH_ERR_ALLOC_FAIL; 1368 goto out; 1369 } 1370 /* Success */ 1371 if (b64p != NULL) { 1372 *b64p = uu; 1373 uu = NULL; 1374 } 1375 r = 0; 1376 out: 1377 sshbuf_free(b); 1378 free(uu); 1379 return r; 1380 } 1381 1382 int 1383 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1384 { 1385 int r = SSH_ERR_INTERNAL_ERROR; 1386 char *uu = NULL; 1387 1388 if ((r = sshkey_to_base64(key, &uu)) != 0) 1389 goto out; 1390 if ((r = sshbuf_putf(b, "%s %s", 1391 sshkey_ssh_name(key), uu)) != 0) 1392 goto out; 1393 r = 0; 1394 out: 1395 free(uu); 1396 return r; 1397 } 1398 1399 int 1400 sshkey_write(const struct sshkey *key, FILE *f) 1401 { 1402 struct sshbuf *b = NULL; 1403 int r = SSH_ERR_INTERNAL_ERROR; 1404 1405 if ((b = sshbuf_new()) == NULL) 1406 return SSH_ERR_ALLOC_FAIL; 1407 if ((r = sshkey_format_text(key, b)) != 0) 1408 goto out; 1409 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1410 if (feof(f)) 1411 errno = EPIPE; 1412 r = SSH_ERR_SYSTEM_ERROR; 1413 goto out; 1414 } 1415 /* Success */ 1416 r = 0; 1417 out: 1418 sshbuf_free(b); 1419 return r; 1420 } 1421 1422 const char * 1423 sshkey_cert_type(const struct sshkey *k) 1424 { 1425 switch (k->cert->type) { 1426 case SSH2_CERT_TYPE_USER: 1427 return "user"; 1428 case SSH2_CERT_TYPE_HOST: 1429 return "host"; 1430 default: 1431 return "unknown"; 1432 } 1433 } 1434 1435 #ifdef WITH_OPENSSL 1436 static int 1437 rsa_generate_private_key(u_int bits, RSA **rsap) 1438 { 1439 RSA *private = NULL; 1440 BIGNUM *f4 = NULL; 1441 int ret = SSH_ERR_INTERNAL_ERROR; 1442 1443 if (rsap == NULL) 1444 return SSH_ERR_INVALID_ARGUMENT; 1445 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1446 bits > SSHBUF_MAX_BIGNUM * 8) 1447 return SSH_ERR_KEY_LENGTH; 1448 *rsap = NULL; 1449 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1450 ret = SSH_ERR_ALLOC_FAIL; 1451 goto out; 1452 } 1453 if (!BN_set_word(f4, RSA_F4) || 1454 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1455 ret = SSH_ERR_LIBCRYPTO_ERROR; 1456 goto out; 1457 } 1458 *rsap = private; 1459 private = NULL; 1460 ret = 0; 1461 out: 1462 RSA_free(private); 1463 BN_free(f4); 1464 return ret; 1465 } 1466 1467 static int 1468 dsa_generate_private_key(u_int bits, DSA **dsap) 1469 { 1470 DSA *private; 1471 int ret = SSH_ERR_INTERNAL_ERROR; 1472 1473 if (dsap == NULL) 1474 return SSH_ERR_INVALID_ARGUMENT; 1475 if (bits != 1024) 1476 return SSH_ERR_KEY_LENGTH; 1477 if ((private = DSA_new()) == NULL) { 1478 ret = SSH_ERR_ALLOC_FAIL; 1479 goto out; 1480 } 1481 *dsap = NULL; 1482 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1483 NULL, NULL) || !DSA_generate_key(private)) { 1484 ret = SSH_ERR_LIBCRYPTO_ERROR; 1485 goto out; 1486 } 1487 *dsap = private; 1488 private = NULL; 1489 ret = 0; 1490 out: 1491 DSA_free(private); 1492 return ret; 1493 } 1494 1495 int 1496 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1497 { 1498 EC_GROUP *eg = NULL; /* XXXGCC: unneeded init */ 1499 int nids[] = { 1500 NID_X9_62_prime256v1, 1501 NID_secp384r1, 1502 NID_secp521r1, 1503 -1 1504 }; 1505 int nid; 1506 u_int i; 1507 BN_CTX *bnctx; 1508 const EC_GROUP *g = EC_KEY_get0_group(k); 1509 1510 /* 1511 * The group may be stored in a ASN.1 encoded private key in one of two 1512 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1513 * or explicit group parameters encoded into the key blob. Only the 1514 * "named group" case sets the group NID for us, but we can figure 1515 * it out for the other case by comparing against all the groups that 1516 * are supported. 1517 */ 1518 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1519 return nid; 1520 if ((bnctx = BN_CTX_new()) == NULL) 1521 return -1; 1522 for (i = 0; nids[i] != -1; i++) { 1523 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1524 BN_CTX_free(bnctx); 1525 return -1; 1526 } 1527 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1528 break; 1529 EC_GROUP_free(eg); 1530 } 1531 BN_CTX_free(bnctx); 1532 if (nids[i] != -1) { 1533 /* Use the group with the NID attached */ 1534 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1535 if (EC_KEY_set_group(k, eg) != 1) { 1536 EC_GROUP_free(eg); 1537 return -1; 1538 } 1539 } 1540 return nids[i]; 1541 } 1542 1543 static int 1544 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1545 { 1546 EC_KEY *private; 1547 int ret = SSH_ERR_INTERNAL_ERROR; 1548 1549 if (nid == NULL || ecdsap == NULL) 1550 return SSH_ERR_INVALID_ARGUMENT; 1551 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1552 return SSH_ERR_KEY_LENGTH; 1553 *ecdsap = NULL; 1554 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1555 ret = SSH_ERR_ALLOC_FAIL; 1556 goto out; 1557 } 1558 if (EC_KEY_generate_key(private) != 1) { 1559 ret = SSH_ERR_LIBCRYPTO_ERROR; 1560 goto out; 1561 } 1562 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1563 *ecdsap = private; 1564 private = NULL; 1565 ret = 0; 1566 out: 1567 EC_KEY_free(private); 1568 return ret; 1569 } 1570 #endif /* WITH_OPENSSL */ 1571 1572 int 1573 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1574 { 1575 struct sshkey *k; 1576 int ret = SSH_ERR_INTERNAL_ERROR; 1577 1578 if (keyp == NULL) 1579 return SSH_ERR_INVALID_ARGUMENT; 1580 *keyp = NULL; 1581 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1582 return SSH_ERR_ALLOC_FAIL; 1583 switch (type) { 1584 case KEY_ED25519: 1585 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1586 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1587 ret = SSH_ERR_ALLOC_FAIL; 1588 break; 1589 } 1590 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1591 ret = 0; 1592 break; 1593 #ifdef WITH_XMSS 1594 case KEY_XMSS: 1595 ret = sshkey_xmss_generate_private_key(k, bits); 1596 break; 1597 #endif /* WITH_XMSS */ 1598 #ifdef WITH_OPENSSL 1599 case KEY_DSA: 1600 ret = dsa_generate_private_key(bits, &k->dsa); 1601 break; 1602 case KEY_ECDSA: 1603 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1604 &k->ecdsa); 1605 break; 1606 case KEY_RSA: 1607 ret = rsa_generate_private_key(bits, &k->rsa); 1608 break; 1609 #endif /* WITH_OPENSSL */ 1610 default: 1611 ret = SSH_ERR_INVALID_ARGUMENT; 1612 } 1613 if (ret == 0) { 1614 k->type = type; 1615 *keyp = k; 1616 } else 1617 sshkey_free(k); 1618 return ret; 1619 } 1620 1621 int 1622 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1623 { 1624 u_int i; 1625 const struct sshkey_cert *from; 1626 struct sshkey_cert *to; 1627 int r = SSH_ERR_INTERNAL_ERROR; 1628 1629 if (to_key == NULL || (from = from_key->cert) == NULL) 1630 return SSH_ERR_INVALID_ARGUMENT; 1631 1632 if ((to = cert_new()) == NULL) 1633 return SSH_ERR_ALLOC_FAIL; 1634 1635 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1636 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1637 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1638 goto out; 1639 1640 to->serial = from->serial; 1641 to->type = from->type; 1642 if (from->key_id == NULL) 1643 to->key_id = NULL; 1644 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1645 r = SSH_ERR_ALLOC_FAIL; 1646 goto out; 1647 } 1648 to->valid_after = from->valid_after; 1649 to->valid_before = from->valid_before; 1650 if (from->signature_key == NULL) 1651 to->signature_key = NULL; 1652 else if ((r = sshkey_from_private(from->signature_key, 1653 &to->signature_key)) != 0) 1654 goto out; 1655 if (from->signature_type != NULL && 1656 (to->signature_type = strdup(from->signature_type)) == NULL) { 1657 r = SSH_ERR_ALLOC_FAIL; 1658 goto out; 1659 } 1660 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1661 r = SSH_ERR_INVALID_ARGUMENT; 1662 goto out; 1663 } 1664 if (from->nprincipals > 0) { 1665 if ((to->principals = calloc(from->nprincipals, 1666 sizeof(*to->principals))) == NULL) { 1667 r = SSH_ERR_ALLOC_FAIL; 1668 goto out; 1669 } 1670 for (i = 0; i < from->nprincipals; i++) { 1671 to->principals[i] = strdup(from->principals[i]); 1672 if (to->principals[i] == NULL) { 1673 to->nprincipals = i; 1674 r = SSH_ERR_ALLOC_FAIL; 1675 goto out; 1676 } 1677 } 1678 } 1679 to->nprincipals = from->nprincipals; 1680 1681 /* success */ 1682 cert_free(to_key->cert); 1683 to_key->cert = to; 1684 to = NULL; 1685 r = 0; 1686 out: 1687 cert_free(to); 1688 return r; 1689 } 1690 1691 int 1692 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1693 { 1694 struct sshkey *n = NULL; 1695 int r = SSH_ERR_INTERNAL_ERROR; 1696 #ifdef WITH_OPENSSL 1697 const BIGNUM *rsa_n, *rsa_e; 1698 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1699 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1700 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1701 BIGNUM *dsa_pub_key_dup = NULL; 1702 #endif /* WITH_OPENSSL */ 1703 1704 *pkp = NULL; 1705 switch (k->type) { 1706 #ifdef WITH_OPENSSL 1707 case KEY_DSA: 1708 case KEY_DSA_CERT: 1709 if ((n = sshkey_new(k->type)) == NULL) { 1710 r = SSH_ERR_ALLOC_FAIL; 1711 goto out; 1712 } 1713 1714 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1715 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1716 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1717 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1718 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1719 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1720 r = SSH_ERR_ALLOC_FAIL; 1721 goto out; 1722 } 1723 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1724 r = SSH_ERR_LIBCRYPTO_ERROR; 1725 goto out; 1726 } 1727 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1728 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1729 r = SSH_ERR_LIBCRYPTO_ERROR; 1730 goto out; 1731 } 1732 dsa_pub_key_dup = NULL; /* transferred */ 1733 1734 break; 1735 case KEY_ECDSA: 1736 case KEY_ECDSA_CERT: 1737 if ((n = sshkey_new(k->type)) == NULL) { 1738 r = SSH_ERR_ALLOC_FAIL; 1739 goto out; 1740 } 1741 n->ecdsa_nid = k->ecdsa_nid; 1742 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1743 if (n->ecdsa == NULL) { 1744 r = SSH_ERR_ALLOC_FAIL; 1745 goto out; 1746 } 1747 if (EC_KEY_set_public_key(n->ecdsa, 1748 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1749 r = SSH_ERR_LIBCRYPTO_ERROR; 1750 goto out; 1751 } 1752 break; 1753 case KEY_RSA: 1754 case KEY_RSA_CERT: 1755 if ((n = sshkey_new(k->type)) == NULL) { 1756 r = SSH_ERR_ALLOC_FAIL; 1757 goto out; 1758 } 1759 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1760 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1761 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1762 r = SSH_ERR_ALLOC_FAIL; 1763 goto out; 1764 } 1765 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1766 r = SSH_ERR_LIBCRYPTO_ERROR; 1767 goto out; 1768 } 1769 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1770 break; 1771 #endif /* WITH_OPENSSL */ 1772 case KEY_ED25519: 1773 case KEY_ED25519_CERT: 1774 if ((n = sshkey_new(k->type)) == NULL) { 1775 r = SSH_ERR_ALLOC_FAIL; 1776 goto out; 1777 } 1778 if (k->ed25519_pk != NULL) { 1779 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1780 r = SSH_ERR_ALLOC_FAIL; 1781 goto out; 1782 } 1783 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1784 } 1785 break; 1786 #ifdef WITH_XMSS 1787 case KEY_XMSS: 1788 case KEY_XMSS_CERT: 1789 if ((n = sshkey_new(k->type)) == NULL) { 1790 r = SSH_ERR_ALLOC_FAIL; 1791 goto out; 1792 } 1793 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1794 goto out; 1795 if (k->xmss_pk != NULL) { 1796 size_t pklen = sshkey_xmss_pklen(k); 1797 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1798 r = SSH_ERR_INTERNAL_ERROR; 1799 goto out; 1800 } 1801 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1802 r = SSH_ERR_ALLOC_FAIL; 1803 goto out; 1804 } 1805 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1806 } 1807 break; 1808 #endif /* WITH_XMSS */ 1809 default: 1810 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1811 goto out; 1812 } 1813 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1814 goto out; 1815 /* success */ 1816 *pkp = n; 1817 n = NULL; 1818 r = 0; 1819 out: 1820 sshkey_free(n); 1821 BN_clear_free(rsa_n_dup); 1822 BN_clear_free(rsa_e_dup); 1823 BN_clear_free(dsa_p_dup); 1824 BN_clear_free(dsa_q_dup); 1825 BN_clear_free(dsa_g_dup); 1826 BN_clear_free(dsa_pub_key_dup); 1827 1828 return r; 1829 } 1830 1831 static int 1832 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1833 { 1834 struct sshbuf *principals = NULL, *crit = NULL; 1835 struct sshbuf *exts = NULL, *ca = NULL; 1836 u_char *sig = NULL; 1837 size_t signed_len = 0, slen = 0, kidlen = 0; 1838 int ret = SSH_ERR_INTERNAL_ERROR; 1839 1840 /* Copy the entire key blob for verification and later serialisation */ 1841 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1842 return ret; 1843 1844 /* Parse body of certificate up to signature */ 1845 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1846 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1847 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1848 (ret = sshbuf_froms(b, &principals)) != 0 || 1849 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1850 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1851 (ret = sshbuf_froms(b, &crit)) != 0 || 1852 (ret = sshbuf_froms(b, &exts)) != 0 || 1853 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1854 (ret = sshbuf_froms(b, &ca)) != 0) { 1855 /* XXX debug print error for ret */ 1856 ret = SSH_ERR_INVALID_FORMAT; 1857 goto out; 1858 } 1859 1860 /* Signature is left in the buffer so we can calculate this length */ 1861 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1862 1863 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1864 ret = SSH_ERR_INVALID_FORMAT; 1865 goto out; 1866 } 1867 1868 if (key->cert->type != SSH2_CERT_TYPE_USER && 1869 key->cert->type != SSH2_CERT_TYPE_HOST) { 1870 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1871 goto out; 1872 } 1873 1874 /* Parse principals section */ 1875 while (sshbuf_len(principals) > 0) { 1876 char *principal = NULL; 1877 char **oprincipals = NULL; 1878 1879 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1880 ret = SSH_ERR_INVALID_FORMAT; 1881 goto out; 1882 } 1883 if ((ret = sshbuf_get_cstring(principals, &principal, 1884 NULL)) != 0) { 1885 ret = SSH_ERR_INVALID_FORMAT; 1886 goto out; 1887 } 1888 oprincipals = key->cert->principals; 1889 key->cert->principals = recallocarray(key->cert->principals, 1890 key->cert->nprincipals, key->cert->nprincipals + 1, 1891 sizeof(*key->cert->principals)); 1892 if (key->cert->principals == NULL) { 1893 free(principal); 1894 key->cert->principals = oprincipals; 1895 ret = SSH_ERR_ALLOC_FAIL; 1896 goto out; 1897 } 1898 key->cert->principals[key->cert->nprincipals++] = principal; 1899 } 1900 1901 /* 1902 * Stash a copies of the critical options and extensions sections 1903 * for later use. 1904 */ 1905 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1906 (exts != NULL && 1907 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1908 goto out; 1909 1910 /* 1911 * Validate critical options and extensions sections format. 1912 */ 1913 while (sshbuf_len(crit) != 0) { 1914 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1915 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1916 sshbuf_reset(key->cert->critical); 1917 ret = SSH_ERR_INVALID_FORMAT; 1918 goto out; 1919 } 1920 } 1921 while (exts != NULL && sshbuf_len(exts) != 0) { 1922 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1923 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1924 sshbuf_reset(key->cert->extensions); 1925 ret = SSH_ERR_INVALID_FORMAT; 1926 goto out; 1927 } 1928 } 1929 1930 /* Parse CA key and check signature */ 1931 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1932 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1933 goto out; 1934 } 1935 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1936 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1937 goto out; 1938 } 1939 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1940 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0) 1941 goto out; 1942 if ((ret = get_sigtype(sig, slen, &key->cert->signature_type)) != 0) 1943 goto out; 1944 1945 /* Success */ 1946 ret = 0; 1947 out: 1948 sshbuf_free(ca); 1949 sshbuf_free(crit); 1950 sshbuf_free(exts); 1951 sshbuf_free(principals); 1952 free(sig); 1953 return ret; 1954 } 1955 1956 static int 1957 check_rsa_length(const RSA *rsa) 1958 { 1959 const BIGNUM *rsa_n; 1960 1961 RSA_get0_key(rsa, &rsa_n, NULL, NULL); 1962 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 1963 return SSH_ERR_KEY_LENGTH; 1964 return 0; 1965 } 1966 1967 static int 1968 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1969 int allow_cert) 1970 { 1971 int type, ret = SSH_ERR_INTERNAL_ERROR; 1972 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 1973 struct sshkey *key = NULL; 1974 size_t len; 1975 u_char *pk = NULL; 1976 struct sshbuf *copy; 1977 #ifdef WITH_OPENSSL 1978 EC_POINT *q = NULL, *qq = NULL; 1979 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 1980 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 1981 #endif /* WITH_OPENSSL */ 1982 1983 #ifdef DEBUG_PK /* XXX */ 1984 sshbuf_dump(b, stderr); 1985 #endif 1986 if (keyp != NULL) 1987 *keyp = NULL; 1988 if ((copy = sshbuf_fromb(b)) == NULL) { 1989 ret = SSH_ERR_ALLOC_FAIL; 1990 goto out; 1991 } 1992 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1993 ret = SSH_ERR_INVALID_FORMAT; 1994 goto out; 1995 } 1996 1997 type = sshkey_type_from_name(ktype); 1998 if (!allow_cert && sshkey_type_is_cert(type)) { 1999 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2000 goto out; 2001 } 2002 switch (type) { 2003 #ifdef WITH_OPENSSL 2004 case KEY_RSA_CERT: 2005 /* Skip nonce */ 2006 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2007 ret = SSH_ERR_INVALID_FORMAT; 2008 goto out; 2009 } 2010 /* FALLTHROUGH */ 2011 case KEY_RSA: 2012 if ((key = sshkey_new(type)) == NULL) { 2013 ret = SSH_ERR_ALLOC_FAIL; 2014 goto out; 2015 } 2016 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2017 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2018 ret = SSH_ERR_INVALID_FORMAT; 2019 goto out; 2020 } 2021 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2022 ret = SSH_ERR_LIBCRYPTO_ERROR; 2023 goto out; 2024 } 2025 rsa_n = rsa_e = NULL; /* transferred */ 2026 if ((ret = check_rsa_length(key->rsa)) != 0) 2027 goto out; 2028 #ifdef DEBUG_PK 2029 RSA_print_fp(stderr, key->rsa, 8); 2030 #endif 2031 break; 2032 case KEY_DSA_CERT: 2033 /* Skip nonce */ 2034 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2035 ret = SSH_ERR_INVALID_FORMAT; 2036 goto out; 2037 } 2038 /* FALLTHROUGH */ 2039 case KEY_DSA: 2040 if ((key = sshkey_new(type)) == NULL) { 2041 ret = SSH_ERR_ALLOC_FAIL; 2042 goto out; 2043 } 2044 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2045 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2046 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2047 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2048 ret = SSH_ERR_INVALID_FORMAT; 2049 goto out; 2050 } 2051 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2052 ret = SSH_ERR_LIBCRYPTO_ERROR; 2053 goto out; 2054 } 2055 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2056 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2057 ret = SSH_ERR_LIBCRYPTO_ERROR; 2058 goto out; 2059 } 2060 dsa_pub_key = NULL; /* transferred */ 2061 #ifdef DEBUG_PK 2062 DSA_print_fp(stderr, key->dsa, 8); 2063 #endif 2064 break; 2065 case KEY_ECDSA_CERT: 2066 /* Skip nonce */ 2067 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2068 ret = SSH_ERR_INVALID_FORMAT; 2069 goto out; 2070 } 2071 /* FALLTHROUGH */ 2072 case KEY_ECDSA: 2073 if ((key = sshkey_new(type)) == NULL) { 2074 ret = SSH_ERR_ALLOC_FAIL; 2075 goto out; 2076 } 2077 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2078 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2079 ret = SSH_ERR_INVALID_FORMAT; 2080 goto out; 2081 } 2082 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2083 ret = SSH_ERR_EC_CURVE_MISMATCH; 2084 goto out; 2085 } 2086 EC_KEY_free(key->ecdsa); 2087 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2088 == NULL) { 2089 ret = SSH_ERR_EC_CURVE_INVALID; 2090 goto out; 2091 } 2092 if ((qq = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2093 ret = SSH_ERR_ALLOC_FAIL; 2094 goto out; 2095 } 2096 if (sshbuf_get_ec(b, qq, EC_KEY_get0_group(key->ecdsa)) != 0) { 2097 ret = SSH_ERR_INVALID_FORMAT; 2098 goto out; 2099 } 2100 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2101 qq) != 0) { 2102 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2103 goto out; 2104 } 2105 if (EC_KEY_set_public_key(key->ecdsa, qq) != 1) { 2106 /* XXX assume it is a allocation error */ 2107 ret = SSH_ERR_ALLOC_FAIL; 2108 goto out; 2109 } 2110 #ifdef DEBUG_PK 2111 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), qq); 2112 #endif 2113 break; 2114 #endif /* WITH_OPENSSL */ 2115 case KEY_ED25519_CERT: 2116 /* Skip nonce */ 2117 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2118 ret = SSH_ERR_INVALID_FORMAT; 2119 goto out; 2120 } 2121 /* FALLTHROUGH */ 2122 case KEY_ED25519: 2123 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2124 goto out; 2125 if (len != ED25519_PK_SZ) { 2126 ret = SSH_ERR_INVALID_FORMAT; 2127 goto out; 2128 } 2129 if ((key = sshkey_new(type)) == NULL) { 2130 ret = SSH_ERR_ALLOC_FAIL; 2131 goto out; 2132 } 2133 key->ed25519_pk = pk; 2134 pk = NULL; 2135 break; 2136 #ifdef WITH_XMSS 2137 case KEY_XMSS_CERT: 2138 /* Skip nonce */ 2139 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2140 ret = SSH_ERR_INVALID_FORMAT; 2141 goto out; 2142 } 2143 /* FALLTHROUGH */ 2144 case KEY_XMSS: 2145 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2146 goto out; 2147 if ((key = sshkey_new(type)) == NULL) { 2148 ret = SSH_ERR_ALLOC_FAIL; 2149 goto out; 2150 } 2151 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2152 goto out; 2153 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2154 goto out; 2155 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2156 ret = SSH_ERR_INVALID_FORMAT; 2157 goto out; 2158 } 2159 key->xmss_pk = pk; 2160 pk = NULL; 2161 if (type != KEY_XMSS_CERT && 2162 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2163 goto out; 2164 break; 2165 #endif /* WITH_XMSS */ 2166 case KEY_UNSPEC: 2167 default: 2168 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2169 goto out; 2170 } 2171 2172 /* Parse certificate potion */ 2173 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2174 goto out; 2175 2176 if (key != NULL && sshbuf_len(b) != 0) { 2177 ret = SSH_ERR_INVALID_FORMAT; 2178 goto out; 2179 } 2180 ret = 0; 2181 if (keyp != NULL) { 2182 *keyp = key; 2183 key = NULL; 2184 } 2185 out: 2186 sshbuf_free(copy); 2187 sshkey_free(key); 2188 free(xmss_name); 2189 free(ktype); 2190 free(curve); 2191 free(pk); 2192 #ifdef WITH_OPENSSL 2193 EC_POINT_free(q); 2194 BN_clear_free(rsa_n); 2195 BN_clear_free(rsa_e); 2196 BN_clear_free(dsa_p); 2197 BN_clear_free(dsa_q); 2198 BN_clear_free(dsa_g); 2199 BN_clear_free(dsa_pub_key); 2200 #endif /* WITH_OPENSSL */ 2201 return ret; 2202 } 2203 2204 int 2205 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2206 { 2207 struct sshbuf *b; 2208 int r; 2209 2210 if ((b = sshbuf_from(blob, blen)) == NULL) 2211 return SSH_ERR_ALLOC_FAIL; 2212 r = sshkey_from_blob_internal(b, keyp, 1); 2213 sshbuf_free(b); 2214 return r; 2215 } 2216 2217 int 2218 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2219 { 2220 return sshkey_from_blob_internal(b, keyp, 1); 2221 } 2222 2223 int 2224 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2225 { 2226 struct sshbuf *b; 2227 int r; 2228 2229 if ((r = sshbuf_froms(buf, &b)) != 0) 2230 return r; 2231 r = sshkey_from_blob_internal(b, keyp, 1); 2232 sshbuf_free(b); 2233 return r; 2234 } 2235 2236 static int 2237 get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2238 { 2239 int r; 2240 struct sshbuf *b = NULL; 2241 char *sigtype = NULL; 2242 2243 if (sigtypep != NULL) 2244 *sigtypep = NULL; 2245 if ((b = sshbuf_from(sig, siglen)) == NULL) 2246 return SSH_ERR_ALLOC_FAIL; 2247 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2248 goto out; 2249 /* success */ 2250 if (sigtypep != NULL) { 2251 *sigtypep = sigtype; 2252 sigtype = NULL; 2253 } 2254 r = 0; 2255 out: 2256 free(sigtype); 2257 sshbuf_free(b); 2258 return r; 2259 } 2260 2261 /* 2262 * 2263 * Checks whether a certificate's signature type is allowed. 2264 * Returns 0 (success) if the certificate signature type appears in the 2265 * "allowed" pattern-list, or the key is not a certificate to begin with. 2266 * Otherwise returns a ssherr.h code. 2267 */ 2268 int 2269 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2270 { 2271 if (key == NULL || allowed == NULL) 2272 return SSH_ERR_INVALID_ARGUMENT; 2273 if (!sshkey_type_is_cert(key->type)) 2274 return 0; 2275 if (key->cert == NULL || key->cert->signature_type == NULL) 2276 return SSH_ERR_INVALID_ARGUMENT; 2277 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2278 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2279 return 0; 2280 } 2281 2282 /* 2283 * Returns the expected signature algorithm for a given public key algorithm. 2284 */ 2285 const char * 2286 sshkey_sigalg_by_name(const char *name) 2287 { 2288 const struct keytype *kt; 2289 2290 for (kt = keytypes; kt->type != -1; kt++) { 2291 if (strcmp(kt->name, name) != 0) 2292 continue; 2293 if (kt->sigalg != NULL) 2294 return kt->sigalg; 2295 if (!kt->cert) 2296 return kt->name; 2297 return sshkey_ssh_name_from_type_nid( 2298 sshkey_type_plain(kt->type), kt->nid); 2299 } 2300 return NULL; 2301 } 2302 2303 /* 2304 * Verifies that the signature algorithm appearing inside the signature blob 2305 * matches that which was requested. 2306 */ 2307 int 2308 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2309 const char *requested_alg) 2310 { 2311 const char *expected_alg; 2312 char *sigtype = NULL; 2313 int r; 2314 2315 if (requested_alg == NULL) 2316 return 0; 2317 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2318 return SSH_ERR_INVALID_ARGUMENT; 2319 if ((r = get_sigtype(sig, siglen, &sigtype)) != 0) 2320 return r; 2321 r = strcmp(expected_alg, sigtype) == 0; 2322 free(sigtype); 2323 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2324 } 2325 2326 int 2327 sshkey_sign(const struct sshkey *key, 2328 u_char **sigp, size_t *lenp, 2329 const u_char *data, size_t datalen, const char *alg, u_int compat) 2330 { 2331 if (sigp != NULL) 2332 *sigp = NULL; 2333 if (lenp != NULL) 2334 *lenp = 0; 2335 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2336 return SSH_ERR_INVALID_ARGUMENT; 2337 switch (key->type) { 2338 #ifdef WITH_OPENSSL 2339 case KEY_DSA_CERT: 2340 case KEY_DSA: 2341 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2342 case KEY_ECDSA_CERT: 2343 case KEY_ECDSA: 2344 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2345 case KEY_RSA_CERT: 2346 case KEY_RSA: 2347 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2348 #endif /* WITH_OPENSSL */ 2349 case KEY_ED25519: 2350 case KEY_ED25519_CERT: 2351 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2352 #ifdef WITH_XMSS 2353 case KEY_XMSS: 2354 case KEY_XMSS_CERT: 2355 return ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2356 #endif /* WITH_XMSS */ 2357 default: 2358 return SSH_ERR_KEY_TYPE_UNKNOWN; 2359 } 2360 } 2361 2362 /* 2363 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2364 * If "alg" specified, then the signature must use that algorithm. 2365 */ 2366 int 2367 sshkey_verify(const struct sshkey *key, 2368 const u_char *sig, size_t siglen, 2369 const u_char *data, size_t dlen, const char *alg, u_int compat) 2370 { 2371 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2372 return SSH_ERR_INVALID_ARGUMENT; 2373 switch (key->type) { 2374 #ifdef WITH_OPENSSL 2375 case KEY_DSA_CERT: 2376 case KEY_DSA: 2377 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2378 case KEY_ECDSA_CERT: 2379 case KEY_ECDSA: 2380 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2381 case KEY_RSA_CERT: 2382 case KEY_RSA: 2383 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2384 #endif /* WITH_OPENSSL */ 2385 case KEY_ED25519: 2386 case KEY_ED25519_CERT: 2387 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2388 #ifdef WITH_XMSS 2389 case KEY_XMSS: 2390 case KEY_XMSS_CERT: 2391 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2392 #endif /* WITH_XMSS */ 2393 default: 2394 return SSH_ERR_KEY_TYPE_UNKNOWN; 2395 } 2396 } 2397 2398 /* Convert a plain key to their _CERT equivalent */ 2399 int 2400 sshkey_to_certified(struct sshkey *k) 2401 { 2402 int newtype; 2403 2404 switch (k->type) { 2405 #ifdef WITH_OPENSSL 2406 case KEY_RSA: 2407 newtype = KEY_RSA_CERT; 2408 break; 2409 case KEY_DSA: 2410 newtype = KEY_DSA_CERT; 2411 break; 2412 case KEY_ECDSA: 2413 newtype = KEY_ECDSA_CERT; 2414 break; 2415 #endif /* WITH_OPENSSL */ 2416 case KEY_ED25519: 2417 newtype = KEY_ED25519_CERT; 2418 break; 2419 #ifdef WITH_XMSS 2420 case KEY_XMSS: 2421 newtype = KEY_XMSS_CERT; 2422 break; 2423 #endif /* WITH_XMSS */ 2424 default: 2425 return SSH_ERR_INVALID_ARGUMENT; 2426 } 2427 if ((k->cert = cert_new()) == NULL) 2428 return SSH_ERR_ALLOC_FAIL; 2429 k->type = newtype; 2430 return 0; 2431 } 2432 2433 /* Convert a certificate to its raw key equivalent */ 2434 int 2435 sshkey_drop_cert(struct sshkey *k) 2436 { 2437 if (!sshkey_type_is_cert(k->type)) 2438 return SSH_ERR_KEY_TYPE_UNKNOWN; 2439 cert_free(k->cert); 2440 k->cert = NULL; 2441 k->type = sshkey_type_plain(k->type); 2442 return 0; 2443 } 2444 2445 /* Sign a certified key, (re-)generating the signed certblob. */ 2446 int 2447 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2448 sshkey_certify_signer *signer, void *signer_ctx) 2449 { 2450 struct sshbuf *principals = NULL; 2451 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2452 size_t i, ca_len, sig_len; 2453 int ret = SSH_ERR_INTERNAL_ERROR; 2454 struct sshbuf *cert = NULL; 2455 char *sigtype = NULL; 2456 #ifdef WITH_OPENSSL 2457 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2458 #endif /* WITH_OPENSSL */ 2459 2460 if (k == NULL || k->cert == NULL || 2461 k->cert->certblob == NULL || ca == NULL) 2462 return SSH_ERR_INVALID_ARGUMENT; 2463 if (!sshkey_is_cert(k)) 2464 return SSH_ERR_KEY_TYPE_UNKNOWN; 2465 if (!sshkey_type_is_valid_ca(ca->type)) 2466 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2467 2468 /* 2469 * If no alg specified as argument but a signature_type was set, 2470 * then prefer that. If both were specified, then they must match. 2471 */ 2472 if (alg == NULL) 2473 alg = k->cert->signature_type; 2474 else if (k->cert->signature_type != NULL && 2475 strcmp(alg, k->cert->signature_type) != 0) 2476 return SSH_ERR_INVALID_ARGUMENT; 2477 2478 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2479 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2480 2481 cert = k->cert->certblob; /* for readability */ 2482 sshbuf_reset(cert); 2483 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2484 goto out; 2485 2486 /* -v01 certs put nonce first */ 2487 arc4random_buf(&nonce, sizeof(nonce)); 2488 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2489 goto out; 2490 2491 /* XXX this substantially duplicates to_blob(); refactor */ 2492 switch (k->type) { 2493 #ifdef WITH_OPENSSL 2494 case KEY_DSA_CERT: 2495 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2496 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2497 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2498 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2499 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2500 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2501 goto out; 2502 break; 2503 case KEY_ECDSA_CERT: 2504 if ((ret = sshbuf_put_cstring(cert, 2505 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2506 (ret = sshbuf_put_ec(cert, 2507 EC_KEY_get0_public_key(k->ecdsa), 2508 EC_KEY_get0_group(k->ecdsa))) != 0) 2509 goto out; 2510 break; 2511 case KEY_RSA_CERT: 2512 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2513 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2514 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2515 goto out; 2516 break; 2517 #endif /* WITH_OPENSSL */ 2518 case KEY_ED25519_CERT: 2519 if ((ret = sshbuf_put_string(cert, 2520 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2521 goto out; 2522 break; 2523 #ifdef WITH_XMSS 2524 case KEY_XMSS_CERT: 2525 if (k->xmss_name == NULL) { 2526 ret = SSH_ERR_INVALID_ARGUMENT; 2527 goto out; 2528 } 2529 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2530 (ret = sshbuf_put_string(cert, 2531 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2532 goto out; 2533 break; 2534 #endif /* WITH_XMSS */ 2535 default: 2536 ret = SSH_ERR_INVALID_ARGUMENT; 2537 goto out; 2538 } 2539 2540 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2541 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2542 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2543 goto out; 2544 2545 if ((principals = sshbuf_new()) == NULL) { 2546 ret = SSH_ERR_ALLOC_FAIL; 2547 goto out; 2548 } 2549 for (i = 0; i < k->cert->nprincipals; i++) { 2550 if ((ret = sshbuf_put_cstring(principals, 2551 k->cert->principals[i])) != 0) 2552 goto out; 2553 } 2554 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2555 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2556 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2557 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2558 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2559 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2560 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2561 goto out; 2562 2563 /* Sign the whole mess */ 2564 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2565 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2566 goto out; 2567 /* Check and update signature_type against what was actually used */ 2568 if ((ret = get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2569 goto out; 2570 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2571 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2572 goto out; 2573 } 2574 if (k->cert->signature_type == NULL) { 2575 k->cert->signature_type = sigtype; 2576 sigtype = NULL; 2577 } 2578 /* Append signature and we are done */ 2579 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2580 goto out; 2581 ret = 0; 2582 out: 2583 if (ret != 0) 2584 sshbuf_reset(cert); 2585 free(sig_blob); 2586 free(ca_blob); 2587 free(sigtype); 2588 sshbuf_free(principals); 2589 return ret; 2590 } 2591 2592 static int 2593 default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 2594 const u_char *data, size_t datalen, 2595 const char *alg, u_int compat, void *ctx) 2596 { 2597 if (ctx != NULL) 2598 return SSH_ERR_INVALID_ARGUMENT; 2599 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2600 } 2601 2602 int 2603 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2604 { 2605 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2606 } 2607 2608 int 2609 sshkey_cert_check_authority(const struct sshkey *k, 2610 int want_host, int require_principal, 2611 const char *name, const char **reason) 2612 { 2613 u_int i, principal_matches; 2614 time_t now = time(NULL); 2615 2616 if (reason != NULL) 2617 *reason = NULL; 2618 2619 if (want_host) { 2620 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2621 *reason = "Certificate invalid: not a host certificate"; 2622 return SSH_ERR_KEY_CERT_INVALID; 2623 } 2624 } else { 2625 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2626 *reason = "Certificate invalid: not a user certificate"; 2627 return SSH_ERR_KEY_CERT_INVALID; 2628 } 2629 } 2630 if (now < 0) { 2631 /* yikes - system clock before epoch! */ 2632 *reason = "Certificate invalid: not yet valid"; 2633 return SSH_ERR_KEY_CERT_INVALID; 2634 } 2635 if ((u_int64_t)now < k->cert->valid_after) { 2636 *reason = "Certificate invalid: not yet valid"; 2637 return SSH_ERR_KEY_CERT_INVALID; 2638 } 2639 if ((u_int64_t)now >= k->cert->valid_before) { 2640 *reason = "Certificate invalid: expired"; 2641 return SSH_ERR_KEY_CERT_INVALID; 2642 } 2643 if (k->cert->nprincipals == 0) { 2644 if (require_principal) { 2645 *reason = "Certificate lacks principal list"; 2646 return SSH_ERR_KEY_CERT_INVALID; 2647 } 2648 } else if (name != NULL) { 2649 principal_matches = 0; 2650 for (i = 0; i < k->cert->nprincipals; i++) { 2651 if (strcmp(name, k->cert->principals[i]) == 0) { 2652 principal_matches = 1; 2653 break; 2654 } 2655 } 2656 if (!principal_matches) { 2657 *reason = "Certificate invalid: name is not a listed " 2658 "principal"; 2659 return SSH_ERR_KEY_CERT_INVALID; 2660 } 2661 } 2662 return 0; 2663 } 2664 2665 size_t 2666 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2667 { 2668 char from[32], to[32], ret[64]; 2669 time_t tt; 2670 struct tm *tm; 2671 2672 *from = *to = '\0'; 2673 if (cert->valid_after == 0 && 2674 cert->valid_before == 0xffffffffffffffffULL) 2675 return strlcpy(s, "forever", l); 2676 2677 if (cert->valid_after != 0) { 2678 /* XXX revisit INT_MAX in 2038 :) */ 2679 tt = cert->valid_after > INT_MAX ? 2680 INT_MAX : cert->valid_after; 2681 tm = localtime(&tt); 2682 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2683 } 2684 if (cert->valid_before != 0xffffffffffffffffULL) { 2685 /* XXX revisit INT_MAX in 2038 :) */ 2686 tt = cert->valid_before > INT_MAX ? 2687 INT_MAX : cert->valid_before; 2688 tm = localtime(&tt); 2689 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2690 } 2691 2692 if (cert->valid_after == 0) 2693 snprintf(ret, sizeof(ret), "before %s", to); 2694 else if (cert->valid_before == 0xffffffffffffffffULL) 2695 snprintf(ret, sizeof(ret), "after %s", from); 2696 else 2697 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2698 2699 return strlcpy(s, ret, l); 2700 } 2701 2702 int 2703 sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b, 2704 enum sshkey_serialize_rep opts) 2705 { 2706 int r = SSH_ERR_INTERNAL_ERROR; 2707 #ifdef WITH_OPENSSL 2708 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 2709 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 2710 #endif /* WITH_OPENSSL */ 2711 2712 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2713 goto out; 2714 switch (key->type) { 2715 #ifdef WITH_OPENSSL 2716 case KEY_RSA: 2717 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 2718 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2719 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2720 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 2721 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 2722 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2723 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2724 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2725 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2726 goto out; 2727 break; 2728 case KEY_RSA_CERT: 2729 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2730 r = SSH_ERR_INVALID_ARGUMENT; 2731 goto out; 2732 } 2733 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 2734 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2735 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2736 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2737 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2738 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2739 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2740 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2741 goto out; 2742 break; 2743 case KEY_DSA: 2744 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 2745 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 2746 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 2747 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 2748 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 2749 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 2750 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2751 goto out; 2752 break; 2753 case KEY_DSA_CERT: 2754 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2755 r = SSH_ERR_INVALID_ARGUMENT; 2756 goto out; 2757 } 2758 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 2759 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2760 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2761 goto out; 2762 break; 2763 case KEY_ECDSA: 2764 if ((r = sshbuf_put_cstring(b, 2765 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2766 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2767 (r = sshbuf_put_bignum2(b, 2768 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2769 goto out; 2770 break; 2771 case KEY_ECDSA_CERT: 2772 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2773 r = SSH_ERR_INVALID_ARGUMENT; 2774 goto out; 2775 } 2776 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2777 (r = sshbuf_put_bignum2(b, 2778 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2779 goto out; 2780 break; 2781 #endif /* WITH_OPENSSL */ 2782 case KEY_ED25519: 2783 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2784 ED25519_PK_SZ)) != 0 || 2785 (r = sshbuf_put_string(b, key->ed25519_sk, 2786 ED25519_SK_SZ)) != 0) 2787 goto out; 2788 break; 2789 case KEY_ED25519_CERT: 2790 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2791 r = SSH_ERR_INVALID_ARGUMENT; 2792 goto out; 2793 } 2794 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2795 (r = sshbuf_put_string(b, key->ed25519_pk, 2796 ED25519_PK_SZ)) != 0 || 2797 (r = sshbuf_put_string(b, key->ed25519_sk, 2798 ED25519_SK_SZ)) != 0) 2799 goto out; 2800 break; 2801 #ifdef WITH_XMSS 2802 case KEY_XMSS: 2803 if (key->xmss_name == NULL) { 2804 r = SSH_ERR_INVALID_ARGUMENT; 2805 goto out; 2806 } 2807 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 2808 (r = sshbuf_put_string(b, key->xmss_pk, 2809 sshkey_xmss_pklen(key))) != 0 || 2810 (r = sshbuf_put_string(b, key->xmss_sk, 2811 sshkey_xmss_sklen(key))) != 0 || 2812 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 2813 goto out; 2814 break; 2815 case KEY_XMSS_CERT: 2816 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 2817 key->xmss_name == NULL) { 2818 r = SSH_ERR_INVALID_ARGUMENT; 2819 goto out; 2820 } 2821 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2822 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 2823 (r = sshbuf_put_string(b, key->xmss_pk, 2824 sshkey_xmss_pklen(key))) != 0 || 2825 (r = sshbuf_put_string(b, key->xmss_sk, 2826 sshkey_xmss_sklen(key))) != 0 || 2827 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 2828 goto out; 2829 break; 2830 #endif /* WITH_XMSS */ 2831 default: 2832 r = SSH_ERR_INVALID_ARGUMENT; 2833 goto out; 2834 } 2835 /* success */ 2836 r = 0; 2837 out: 2838 return r; 2839 } 2840 2841 int 2842 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2843 { 2844 return sshkey_private_serialize_opt(key, b, 2845 SSHKEY_SERIALIZE_DEFAULT); 2846 } 2847 2848 int 2849 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2850 { 2851 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 2852 struct sshkey *k = NULL; 2853 size_t pklen = 0, sklen = 0; 2854 int type, r = SSH_ERR_INTERNAL_ERROR; 2855 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2856 u_char *xmss_pk = NULL, *xmss_sk = NULL; 2857 #ifdef WITH_OPENSSL 2858 BIGNUM *exponent = NULL; 2859 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 2860 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 2861 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 2862 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 2863 #endif /* WITH_OPENSSL */ 2864 2865 if (kp != NULL) 2866 *kp = NULL; 2867 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2868 goto out; 2869 type = sshkey_type_from_name(tname); 2870 switch (type) { 2871 #ifdef WITH_OPENSSL 2872 case KEY_DSA: 2873 if ((k = sshkey_new(type)) == NULL) { 2874 r = SSH_ERR_ALLOC_FAIL; 2875 goto out; 2876 } 2877 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 2878 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 2879 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 2880 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 || 2881 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 2882 goto out; 2883 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 2884 r = SSH_ERR_LIBCRYPTO_ERROR; 2885 goto out; 2886 } 2887 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2888 if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) { 2889 r = SSH_ERR_LIBCRYPTO_ERROR; 2890 goto out; 2891 } 2892 dsa_pub_key = dsa_priv_key = NULL; /* transferred */ 2893 break; 2894 case KEY_DSA_CERT: 2895 if ((r = sshkey_froms(buf, &k)) != 0 || 2896 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 2897 goto out; 2898 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 2899 r = SSH_ERR_LIBCRYPTO_ERROR; 2900 goto out; 2901 } 2902 dsa_priv_key = NULL; /* transferred */ 2903 break; 2904 case KEY_ECDSA: 2905 if ((k = sshkey_new(type)) == NULL) { 2906 r = SSH_ERR_ALLOC_FAIL; 2907 goto out; 2908 } 2909 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2910 r = SSH_ERR_INVALID_ARGUMENT; 2911 goto out; 2912 } 2913 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2914 goto out; 2915 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2916 r = SSH_ERR_EC_CURVE_MISMATCH; 2917 goto out; 2918 } 2919 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2920 if (k->ecdsa == NULL) { 2921 r = SSH_ERR_LIBCRYPTO_ERROR; 2922 goto out; 2923 } 2924 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2925 (r = sshbuf_get_bignum2(buf, &exponent))) 2926 goto out; 2927 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2928 r = SSH_ERR_LIBCRYPTO_ERROR; 2929 goto out; 2930 } 2931 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2932 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2933 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2934 goto out; 2935 break; 2936 case KEY_ECDSA_CERT: 2937 if ((r = sshkey_froms(buf, &k)) != 0 || 2938 (r = sshbuf_get_bignum2(buf, &exponent)) != 0) 2939 goto out; 2940 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2941 r = SSH_ERR_LIBCRYPTO_ERROR; 2942 goto out; 2943 } 2944 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2945 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2946 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2947 goto out; 2948 break; 2949 case KEY_RSA: 2950 if ((k = sshkey_new(type)) == NULL) { 2951 r = SSH_ERR_ALLOC_FAIL; 2952 goto out; 2953 } 2954 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 2955 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 || 2956 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 2957 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 2958 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 2959 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 2960 goto out; 2961 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) { 2962 r = SSH_ERR_LIBCRYPTO_ERROR; 2963 goto out; 2964 } 2965 rsa_n = rsa_e = rsa_d = NULL; /* transferred */ 2966 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 2967 r = SSH_ERR_LIBCRYPTO_ERROR; 2968 goto out; 2969 } 2970 rsa_p = rsa_q = NULL; /* transferred */ 2971 if ((r = check_rsa_length(k->rsa)) != 0) 2972 goto out; 2973 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 2974 goto out; 2975 break; 2976 case KEY_RSA_CERT: 2977 if ((r = sshkey_froms(buf, &k)) != 0 || 2978 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 2979 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 2980 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 2981 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 2982 goto out; 2983 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 2984 r = SSH_ERR_LIBCRYPTO_ERROR; 2985 goto out; 2986 } 2987 rsa_d = NULL; /* transferred */ 2988 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 2989 r = SSH_ERR_LIBCRYPTO_ERROR; 2990 goto out; 2991 } 2992 rsa_p = rsa_q = NULL; /* transferred */ 2993 if ((r = check_rsa_length(k->rsa)) != 0) 2994 goto out; 2995 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 2996 goto out; 2997 break; 2998 #endif /* WITH_OPENSSL */ 2999 case KEY_ED25519: 3000 if ((k = sshkey_new(type)) == NULL) { 3001 r = SSH_ERR_ALLOC_FAIL; 3002 goto out; 3003 } 3004 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3005 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3006 goto out; 3007 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3008 r = SSH_ERR_INVALID_FORMAT; 3009 goto out; 3010 } 3011 k->ed25519_pk = ed25519_pk; 3012 k->ed25519_sk = ed25519_sk; 3013 ed25519_pk = ed25519_sk = NULL; 3014 break; 3015 case KEY_ED25519_CERT: 3016 if ((r = sshkey_froms(buf, &k)) != 0 || 3017 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3018 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3019 goto out; 3020 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3021 r = SSH_ERR_INVALID_FORMAT; 3022 goto out; 3023 } 3024 k->ed25519_pk = ed25519_pk; 3025 k->ed25519_sk = ed25519_sk; 3026 ed25519_pk = ed25519_sk = NULL; 3027 break; 3028 #ifdef WITH_XMSS 3029 case KEY_XMSS: 3030 if ((k = sshkey_new(type)) == NULL) { 3031 r = SSH_ERR_ALLOC_FAIL; 3032 goto out; 3033 } 3034 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3035 (r = sshkey_xmss_init(k, xmss_name)) != 0 || 3036 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3037 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3038 goto out; 3039 if (pklen != sshkey_xmss_pklen(k) || 3040 sklen != sshkey_xmss_sklen(k)) { 3041 r = SSH_ERR_INVALID_FORMAT; 3042 goto out; 3043 } 3044 k->xmss_pk = xmss_pk; 3045 k->xmss_sk = xmss_sk; 3046 xmss_pk = xmss_sk = NULL; 3047 /* optional internal state */ 3048 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3049 goto out; 3050 break; 3051 case KEY_XMSS_CERT: 3052 if ((r = sshkey_froms(buf, &k)) != 0 || 3053 (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3054 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3055 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3056 goto out; 3057 if (strcmp(xmss_name, k->xmss_name)) { 3058 r = SSH_ERR_INVALID_FORMAT; 3059 goto out; 3060 } 3061 if (pklen != sshkey_xmss_pklen(k) || 3062 sklen != sshkey_xmss_sklen(k)) { 3063 r = SSH_ERR_INVALID_FORMAT; 3064 goto out; 3065 } 3066 k->xmss_pk = xmss_pk; 3067 k->xmss_sk = xmss_sk; 3068 xmss_pk = xmss_sk = NULL; 3069 /* optional internal state */ 3070 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3071 goto out; 3072 break; 3073 #endif /* WITH_XMSS */ 3074 default: 3075 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3076 goto out; 3077 } 3078 #ifdef WITH_OPENSSL 3079 /* enable blinding */ 3080 switch (k->type) { 3081 case KEY_RSA: 3082 case KEY_RSA_CERT: 3083 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3084 r = SSH_ERR_LIBCRYPTO_ERROR; 3085 goto out; 3086 } 3087 break; 3088 } 3089 #endif /* WITH_OPENSSL */ 3090 /* success */ 3091 r = 0; 3092 if (kp != NULL) { 3093 *kp = k; 3094 k = NULL; 3095 } 3096 out: 3097 free(tname); 3098 free(curve); 3099 #ifdef WITH_OPENSSL 3100 BN_clear_free(exponent); 3101 BN_clear_free(dsa_p); 3102 BN_clear_free(dsa_q); 3103 BN_clear_free(dsa_g); 3104 BN_clear_free(dsa_pub_key); 3105 BN_clear_free(dsa_priv_key); 3106 BN_clear_free(rsa_n); 3107 BN_clear_free(rsa_e); 3108 BN_clear_free(rsa_d); 3109 BN_clear_free(rsa_p); 3110 BN_clear_free(rsa_q); 3111 BN_clear_free(rsa_iqmp); 3112 #endif /* WITH_OPENSSL */ 3113 sshkey_free(k); 3114 freezero(ed25519_pk, pklen); 3115 freezero(ed25519_sk, sklen); 3116 free(xmss_name); 3117 freezero(xmss_pk, pklen); 3118 freezero(xmss_sk, sklen); 3119 return r; 3120 } 3121 3122 #ifdef WITH_OPENSSL 3123 int 3124 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3125 { 3126 BN_CTX *bnctx; 3127 EC_POINT *nq = NULL; 3128 BIGNUM *order, *x, *y, *tmp; 3129 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3130 3131 /* 3132 * NB. This assumes OpenSSL has already verified that the public 3133 * point lies on the curve. This is done by EC_POINT_oct2point() 3134 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3135 * reachable with public points not unmarshalled using 3136 * EC_POINT_oct2point then the caller will need to explicitly check. 3137 */ 3138 3139 if ((bnctx = BN_CTX_new()) == NULL) 3140 return SSH_ERR_ALLOC_FAIL; 3141 BN_CTX_start(bnctx); 3142 3143 /* 3144 * We shouldn't ever hit this case because bignum_get_ecpoint() 3145 * refuses to load GF2m points. 3146 */ 3147 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3148 NID_X9_62_prime_field) 3149 goto out; 3150 3151 /* Q != infinity */ 3152 if (EC_POINT_is_at_infinity(group, public)) 3153 goto out; 3154 3155 if ((x = BN_CTX_get(bnctx)) == NULL || 3156 (y = BN_CTX_get(bnctx)) == NULL || 3157 (order = BN_CTX_get(bnctx)) == NULL || 3158 (tmp = BN_CTX_get(bnctx)) == NULL) { 3159 ret = SSH_ERR_ALLOC_FAIL; 3160 goto out; 3161 } 3162 3163 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3164 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 3165 EC_POINT_get_affine_coordinates_GFp(group, public, 3166 x, y, bnctx) != 1) { 3167 ret = SSH_ERR_LIBCRYPTO_ERROR; 3168 goto out; 3169 } 3170 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3171 BN_num_bits(y) <= BN_num_bits(order) / 2) 3172 goto out; 3173 3174 /* nQ == infinity (n == order of subgroup) */ 3175 if ((nq = EC_POINT_new(group)) == NULL) { 3176 ret = SSH_ERR_ALLOC_FAIL; 3177 goto out; 3178 } 3179 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 3180 ret = SSH_ERR_LIBCRYPTO_ERROR; 3181 goto out; 3182 } 3183 if (EC_POINT_is_at_infinity(group, nq) != 1) 3184 goto out; 3185 3186 /* x < order - 1, y < order - 1 */ 3187 if (!BN_sub(tmp, order, BN_value_one())) { 3188 ret = SSH_ERR_LIBCRYPTO_ERROR; 3189 goto out; 3190 } 3191 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3192 goto out; 3193 ret = 0; 3194 out: 3195 BN_CTX_free(bnctx); 3196 EC_POINT_free(nq); 3197 return ret; 3198 } 3199 3200 int 3201 sshkey_ec_validate_private(const EC_KEY *key) 3202 { 3203 BN_CTX *bnctx; 3204 BIGNUM *order, *tmp; 3205 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3206 3207 if ((bnctx = BN_CTX_new()) == NULL) 3208 return SSH_ERR_ALLOC_FAIL; 3209 BN_CTX_start(bnctx); 3210 3211 if ((order = BN_CTX_get(bnctx)) == NULL || 3212 (tmp = BN_CTX_get(bnctx)) == NULL) { 3213 ret = SSH_ERR_ALLOC_FAIL; 3214 goto out; 3215 } 3216 3217 /* log2(private) > log2(order)/2 */ 3218 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 3219 ret = SSH_ERR_LIBCRYPTO_ERROR; 3220 goto out; 3221 } 3222 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3223 BN_num_bits(order) / 2) 3224 goto out; 3225 3226 /* private < order - 1 */ 3227 if (!BN_sub(tmp, order, BN_value_one())) { 3228 ret = SSH_ERR_LIBCRYPTO_ERROR; 3229 goto out; 3230 } 3231 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3232 goto out; 3233 ret = 0; 3234 out: 3235 BN_CTX_free(bnctx); 3236 return ret; 3237 } 3238 3239 void 3240 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3241 { 3242 BIGNUM *x, *y; 3243 BN_CTX *bnctx; 3244 3245 if (point == NULL) { 3246 fputs("point=(NULL)\n", stderr); 3247 return; 3248 } 3249 if ((bnctx = BN_CTX_new()) == NULL) { 3250 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 3251 return; 3252 } 3253 BN_CTX_start(bnctx); 3254 if ((x = BN_CTX_get(bnctx)) == NULL || 3255 (y = BN_CTX_get(bnctx)) == NULL) { 3256 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 3257 return; 3258 } 3259 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3260 NID_X9_62_prime_field) { 3261 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3262 return; 3263 } 3264 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 3265 bnctx) != 1) { 3266 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3267 __func__); 3268 return; 3269 } 3270 fputs("x=", stderr); 3271 BN_print_fp(stderr, x); 3272 fputs("\ny=", stderr); 3273 BN_print_fp(stderr, y); 3274 fputs("\n", stderr); 3275 BN_CTX_free(bnctx); 3276 } 3277 3278 void 3279 sshkey_dump_ec_key(const EC_KEY *key) 3280 { 3281 const BIGNUM *exponent; 3282 3283 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3284 EC_KEY_get0_public_key(key)); 3285 fputs("exponent=", stderr); 3286 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3287 fputs("(NULL)", stderr); 3288 else 3289 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3290 fputs("\n", stderr); 3291 } 3292 #endif /* WITH_OPENSSL */ 3293 3294 static int 3295 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 3296 const char *passphrase, const char *comment, const char *ciphername, 3297 int rounds) 3298 { 3299 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3300 u_char salt[SALT_LEN]; 3301 char *b64 = NULL; 3302 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3303 u_int check; 3304 int r = SSH_ERR_INTERNAL_ERROR; 3305 struct sshcipher_ctx *ciphercontext = NULL; 3306 const struct sshcipher *cipher; 3307 const char *kdfname = KDFNAME; 3308 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3309 3310 if (rounds <= 0) 3311 rounds = DEFAULT_ROUNDS; 3312 if (passphrase == NULL || !strlen(passphrase)) { 3313 ciphername = "none"; 3314 kdfname = "none"; 3315 } else if (ciphername == NULL) 3316 ciphername = DEFAULT_CIPHERNAME; 3317 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3318 r = SSH_ERR_INVALID_ARGUMENT; 3319 goto out; 3320 } 3321 3322 if ((kdf = sshbuf_new()) == NULL || 3323 (encoded = sshbuf_new()) == NULL || 3324 (encrypted = sshbuf_new()) == NULL) { 3325 r = SSH_ERR_ALLOC_FAIL; 3326 goto out; 3327 } 3328 blocksize = cipher_blocksize(cipher); 3329 keylen = cipher_keylen(cipher); 3330 ivlen = cipher_ivlen(cipher); 3331 authlen = cipher_authlen(cipher); 3332 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3333 r = SSH_ERR_ALLOC_FAIL; 3334 goto out; 3335 } 3336 if (strcmp(kdfname, "bcrypt") == 0) { 3337 arc4random_buf(salt, SALT_LEN); 3338 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3339 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3340 r = SSH_ERR_INVALID_ARGUMENT; 3341 goto out; 3342 } 3343 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3344 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3345 goto out; 3346 } else if (strcmp(kdfname, "none") != 0) { 3347 /* Unsupported KDF type */ 3348 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3349 goto out; 3350 } 3351 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3352 key + keylen, ivlen, 1)) != 0) 3353 goto out; 3354 3355 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3356 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3357 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3358 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3359 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3360 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3361 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3362 goto out; 3363 3364 /* set up the buffer that will be encrypted */ 3365 3366 /* Random check bytes */ 3367 check = arc4random(); 3368 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3369 (r = sshbuf_put_u32(encrypted, check)) != 0) 3370 goto out; 3371 3372 /* append private key and comment*/ 3373 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3374 SSHKEY_SERIALIZE_FULL)) != 0 || 3375 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3376 goto out; 3377 3378 /* padding */ 3379 i = 0; 3380 while (sshbuf_len(encrypted) % blocksize) { 3381 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3382 goto out; 3383 } 3384 3385 /* length in destination buffer */ 3386 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3387 goto out; 3388 3389 /* encrypt */ 3390 if ((r = sshbuf_reserve(encoded, 3391 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3392 goto out; 3393 if ((r = cipher_crypt(ciphercontext, 0, cp, 3394 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3395 goto out; 3396 3397 /* uuencode */ 3398 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3399 r = SSH_ERR_ALLOC_FAIL; 3400 goto out; 3401 } 3402 3403 sshbuf_reset(blob); 3404 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3405 goto out; 3406 for (i = 0; i < strlen(b64); i++) { 3407 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3408 goto out; 3409 /* insert line breaks */ 3410 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3411 goto out; 3412 } 3413 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3414 goto out; 3415 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3416 goto out; 3417 3418 /* success */ 3419 r = 0; 3420 3421 out: 3422 sshbuf_free(kdf); 3423 sshbuf_free(encoded); 3424 sshbuf_free(encrypted); 3425 cipher_free(ciphercontext); 3426 explicit_bzero(salt, sizeof(salt)); 3427 if (key != NULL) { 3428 explicit_bzero(key, keylen + ivlen); 3429 free(key); 3430 } 3431 if (pubkeyblob != NULL) { 3432 explicit_bzero(pubkeyblob, pubkeylen); 3433 free(pubkeyblob); 3434 } 3435 if (b64 != NULL) { 3436 explicit_bzero(b64, strlen(b64)); 3437 free(b64); 3438 } 3439 return r; 3440 } 3441 3442 static int 3443 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3444 struct sshkey **keyp, char **commentp) 3445 { 3446 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3447 const struct sshcipher *cipher = NULL; 3448 const u_char *cp; 3449 int r = SSH_ERR_INTERNAL_ERROR; 3450 size_t encoded_len; 3451 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3452 struct sshbuf *encoded = NULL, *decoded = NULL; 3453 struct sshbuf *kdf = NULL, *decrypted = NULL; 3454 struct sshcipher_ctx *ciphercontext = NULL; 3455 struct sshkey *k = NULL; 3456 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3457 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3458 3459 if (keyp != NULL) 3460 *keyp = NULL; 3461 if (commentp != NULL) 3462 *commentp = NULL; 3463 3464 if ((encoded = sshbuf_new()) == NULL || 3465 (decoded = sshbuf_new()) == NULL || 3466 (decrypted = sshbuf_new()) == NULL) { 3467 r = SSH_ERR_ALLOC_FAIL; 3468 goto out; 3469 } 3470 3471 /* check preamble */ 3472 cp = sshbuf_ptr(blob); 3473 encoded_len = sshbuf_len(blob); 3474 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3475 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3476 r = SSH_ERR_INVALID_FORMAT; 3477 goto out; 3478 } 3479 cp += MARK_BEGIN_LEN; 3480 encoded_len -= MARK_BEGIN_LEN; 3481 3482 /* Look for end marker, removing whitespace as we go */ 3483 while (encoded_len > 0) { 3484 if (*cp != '\n' && *cp != '\r') { 3485 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3486 goto out; 3487 } 3488 last = *cp; 3489 encoded_len--; 3490 cp++; 3491 if (last == '\n') { 3492 if (encoded_len >= MARK_END_LEN && 3493 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3494 /* \0 terminate */ 3495 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3496 goto out; 3497 break; 3498 } 3499 } 3500 } 3501 if (encoded_len == 0) { 3502 r = SSH_ERR_INVALID_FORMAT; 3503 goto out; 3504 } 3505 3506 /* decode base64 */ 3507 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 3508 goto out; 3509 3510 /* check magic */ 3511 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3512 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3513 r = SSH_ERR_INVALID_FORMAT; 3514 goto out; 3515 } 3516 /* parse public portion of key */ 3517 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3518 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3519 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3520 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3521 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3522 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3523 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3524 goto out; 3525 3526 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3527 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3528 goto out; 3529 } 3530 if ((passphrase == NULL || strlen(passphrase) == 0) && 3531 strcmp(ciphername, "none") != 0) { 3532 /* passphrase required */ 3533 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3534 goto out; 3535 } 3536 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3537 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3538 goto out; 3539 } 3540 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3541 r = SSH_ERR_INVALID_FORMAT; 3542 goto out; 3543 } 3544 if (nkeys != 1) { 3545 /* XXX only one key supported */ 3546 r = SSH_ERR_INVALID_FORMAT; 3547 goto out; 3548 } 3549 3550 /* check size of encrypted key blob */ 3551 blocksize = cipher_blocksize(cipher); 3552 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3553 r = SSH_ERR_INVALID_FORMAT; 3554 goto out; 3555 } 3556 3557 /* setup key */ 3558 keylen = cipher_keylen(cipher); 3559 ivlen = cipher_ivlen(cipher); 3560 authlen = cipher_authlen(cipher); 3561 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3562 r = SSH_ERR_ALLOC_FAIL; 3563 goto out; 3564 } 3565 if (strcmp(kdfname, "bcrypt") == 0) { 3566 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3567 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3568 goto out; 3569 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3570 key, keylen + ivlen, rounds) < 0) { 3571 r = SSH_ERR_INVALID_FORMAT; 3572 goto out; 3573 } 3574 } 3575 3576 /* check that an appropriate amount of auth data is present */ 3577 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3578 r = SSH_ERR_INVALID_FORMAT; 3579 goto out; 3580 } 3581 3582 /* decrypt private portion of key */ 3583 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3584 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3585 key + keylen, ivlen, 0)) != 0) 3586 goto out; 3587 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3588 encrypted_len, 0, authlen)) != 0) { 3589 /* an integrity error here indicates an incorrect passphrase */ 3590 if (r == SSH_ERR_MAC_INVALID) 3591 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3592 goto out; 3593 } 3594 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3595 goto out; 3596 /* there should be no trailing data */ 3597 if (sshbuf_len(decoded) != 0) { 3598 r = SSH_ERR_INVALID_FORMAT; 3599 goto out; 3600 } 3601 3602 /* check check bytes */ 3603 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3604 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3605 goto out; 3606 if (check1 != check2) { 3607 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3608 goto out; 3609 } 3610 3611 /* Load the private key and comment */ 3612 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3613 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3614 goto out; 3615 3616 /* Check deterministic padding */ 3617 i = 0; 3618 while (sshbuf_len(decrypted)) { 3619 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3620 goto out; 3621 if (pad != (++i & 0xff)) { 3622 r = SSH_ERR_INVALID_FORMAT; 3623 goto out; 3624 } 3625 } 3626 3627 /* XXX decode pubkey and check against private */ 3628 3629 /* success */ 3630 r = 0; 3631 if (keyp != NULL) { 3632 *keyp = k; 3633 k = NULL; 3634 } 3635 if (commentp != NULL) { 3636 *commentp = comment; 3637 comment = NULL; 3638 } 3639 out: 3640 pad = 0; 3641 cipher_free(ciphercontext); 3642 free(ciphername); 3643 free(kdfname); 3644 free(comment); 3645 if (salt != NULL) { 3646 explicit_bzero(salt, slen); 3647 free(salt); 3648 } 3649 if (key != NULL) { 3650 explicit_bzero(key, keylen + ivlen); 3651 free(key); 3652 } 3653 sshbuf_free(encoded); 3654 sshbuf_free(decoded); 3655 sshbuf_free(kdf); 3656 sshbuf_free(decrypted); 3657 sshkey_free(k); 3658 return r; 3659 } 3660 3661 3662 #ifdef WITH_OPENSSL 3663 /* convert SSH v2 key in OpenSSL PEM format */ 3664 static int 3665 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3666 const char *_passphrase, const char *comment) 3667 { 3668 int success, r; 3669 int blen, len = strlen(_passphrase); 3670 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 3671 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3672 char *bptr; 3673 BIO *bio = NULL; 3674 3675 if (len > 0 && len <= 4) 3676 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3677 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3678 return SSH_ERR_ALLOC_FAIL; 3679 3680 switch (key->type) { 3681 case KEY_DSA: 3682 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3683 cipher, passphrase, len, NULL, NULL); 3684 break; 3685 case KEY_ECDSA: 3686 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3687 cipher, passphrase, len, NULL, NULL); 3688 break; 3689 case KEY_RSA: 3690 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3691 cipher, passphrase, len, NULL, NULL); 3692 break; 3693 default: 3694 success = 0; 3695 break; 3696 } 3697 if (success == 0) { 3698 r = SSH_ERR_LIBCRYPTO_ERROR; 3699 goto out; 3700 } 3701 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3702 r = SSH_ERR_INTERNAL_ERROR; 3703 goto out; 3704 } 3705 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3706 goto out; 3707 r = 0; 3708 out: 3709 BIO_free(bio); 3710 return r; 3711 } 3712 #endif /* WITH_OPENSSL */ 3713 3714 /* Serialise "key" to buffer "blob" */ 3715 int 3716 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3717 const char *passphrase, const char *comment, 3718 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3719 { 3720 switch (key->type) { 3721 #ifdef WITH_OPENSSL 3722 case KEY_DSA: 3723 case KEY_ECDSA: 3724 case KEY_RSA: 3725 if (force_new_format) { 3726 return sshkey_private_to_blob2(key, blob, passphrase, 3727 comment, new_format_cipher, new_format_rounds); 3728 } 3729 return sshkey_private_pem_to_blob(key, blob, 3730 passphrase, comment); 3731 #endif /* WITH_OPENSSL */ 3732 case KEY_ED25519: 3733 #ifdef WITH_XMSS 3734 case KEY_XMSS: 3735 #endif /* WITH_XMSS */ 3736 return sshkey_private_to_blob2(key, blob, passphrase, 3737 comment, new_format_cipher, new_format_rounds); 3738 default: 3739 return SSH_ERR_KEY_TYPE_UNKNOWN; 3740 } 3741 } 3742 3743 3744 #ifdef WITH_OPENSSL 3745 static int 3746 translate_libcrypto_error(unsigned long pem_err) 3747 { 3748 int pem_reason = ERR_GET_REASON(pem_err); 3749 3750 switch (ERR_GET_LIB(pem_err)) { 3751 case ERR_LIB_PEM: 3752 switch (pem_reason) { 3753 case PEM_R_BAD_PASSWORD_READ: 3754 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3755 case PEM_R_BAD_DECRYPT: 3756 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3757 default: 3758 return SSH_ERR_INVALID_FORMAT; 3759 } 3760 case ERR_LIB_EVP: 3761 switch (pem_reason) { 3762 case EVP_R_BAD_DECRYPT: 3763 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3764 #ifdef EVP_R_BN_DECODE_ERROR 3765 case EVP_R_BN_DECODE_ERROR: 3766 #endif 3767 case EVP_R_DECODE_ERROR: 3768 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3769 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3770 #endif 3771 return SSH_ERR_INVALID_FORMAT; 3772 default: 3773 return SSH_ERR_LIBCRYPTO_ERROR; 3774 } 3775 case ERR_LIB_ASN1: 3776 return SSH_ERR_INVALID_FORMAT; 3777 } 3778 return SSH_ERR_LIBCRYPTO_ERROR; 3779 } 3780 3781 static void 3782 clear_libcrypto_errors(void) 3783 { 3784 while (ERR_get_error() != 0) 3785 ; 3786 } 3787 3788 /* 3789 * Translate OpenSSL error codes to determine whether 3790 * passphrase is required/incorrect. 3791 */ 3792 static int 3793 convert_libcrypto_error(void) 3794 { 3795 /* 3796 * Some password errors are reported at the beginning 3797 * of the error queue. 3798 */ 3799 if (translate_libcrypto_error(ERR_peek_error()) == 3800 SSH_ERR_KEY_WRONG_PASSPHRASE) 3801 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3802 return translate_libcrypto_error(ERR_peek_last_error()); 3803 } 3804 3805 static int 3806 pem_passphrase_cb(char *buf, int size, int rwflag, void *u) 3807 { 3808 char *p = (char *)u; 3809 size_t len; 3810 3811 if (p == NULL || (len = strlen(p)) == 0) 3812 return -1; 3813 if (size < 0 || len > (size_t)size) 3814 return -1; 3815 memcpy(buf, p, len); 3816 return (int)len; 3817 } 3818 3819 static int 3820 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3821 const char *passphrase, struct sshkey **keyp) 3822 { 3823 EVP_PKEY *pk = NULL; 3824 struct sshkey *prv = NULL; 3825 BIO *bio = NULL; 3826 int r; 3827 3828 if (keyp != NULL) 3829 *keyp = NULL; 3830 3831 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3832 return SSH_ERR_ALLOC_FAIL; 3833 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3834 (int)sshbuf_len(blob)) { 3835 r = SSH_ERR_ALLOC_FAIL; 3836 goto out; 3837 } 3838 3839 clear_libcrypto_errors(); 3840 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb, 3841 __UNCONST(passphrase))) == NULL) { 3842 /* 3843 * libcrypto may return various ASN.1 errors when attempting 3844 * to parse a key with an incorrect passphrase. 3845 * Treat all format errors as "incorrect passphrase" if a 3846 * passphrase was supplied. 3847 */ 3848 if (passphrase != NULL && *passphrase != '\0') 3849 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3850 else 3851 r = convert_libcrypto_error(); 3852 goto out; 3853 } 3854 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 3855 (type == KEY_UNSPEC || type == KEY_RSA)) { 3856 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3857 r = SSH_ERR_ALLOC_FAIL; 3858 goto out; 3859 } 3860 prv->rsa = EVP_PKEY_get1_RSA(pk); 3861 prv->type = KEY_RSA; 3862 #ifdef DEBUG_PK 3863 RSA_print_fp(stderr, prv->rsa, 8); 3864 #endif 3865 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3866 r = SSH_ERR_LIBCRYPTO_ERROR; 3867 goto out; 3868 } 3869 if ((r = check_rsa_length(prv->rsa)) != 0) 3870 goto out; 3871 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 3872 (type == KEY_UNSPEC || type == KEY_DSA)) { 3873 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3874 r = SSH_ERR_ALLOC_FAIL; 3875 goto out; 3876 } 3877 prv->dsa = EVP_PKEY_get1_DSA(pk); 3878 prv->type = KEY_DSA; 3879 #ifdef DEBUG_PK 3880 DSA_print_fp(stderr, prv->dsa, 8); 3881 #endif 3882 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 3883 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3884 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3885 r = SSH_ERR_ALLOC_FAIL; 3886 goto out; 3887 } 3888 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3889 prv->type = KEY_ECDSA; 3890 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3891 if (prv->ecdsa_nid == -1 || 3892 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3893 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3894 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3895 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3896 r = SSH_ERR_INVALID_FORMAT; 3897 goto out; 3898 } 3899 #ifdef DEBUG_PK 3900 if (prv != NULL && prv->ecdsa != NULL) 3901 sshkey_dump_ec_key(prv->ecdsa); 3902 #endif 3903 } else { 3904 r = SSH_ERR_INVALID_FORMAT; 3905 goto out; 3906 } 3907 r = 0; 3908 if (keyp != NULL) { 3909 *keyp = prv; 3910 prv = NULL; 3911 } 3912 out: 3913 BIO_free(bio); 3914 EVP_PKEY_free(pk); 3915 sshkey_free(prv); 3916 return r; 3917 } 3918 #endif /* WITH_OPENSSL */ 3919 3920 int 3921 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3922 const char *passphrase, struct sshkey **keyp, char **commentp) 3923 { 3924 int r = SSH_ERR_INTERNAL_ERROR; 3925 3926 if (keyp != NULL) 3927 *keyp = NULL; 3928 if (commentp != NULL) 3929 *commentp = NULL; 3930 3931 switch (type) { 3932 #ifdef WITH_OPENSSL 3933 case KEY_DSA: 3934 case KEY_ECDSA: 3935 case KEY_RSA: 3936 return sshkey_parse_private_pem_fileblob(blob, type, 3937 passphrase, keyp); 3938 #endif /* WITH_OPENSSL */ 3939 case KEY_ED25519: 3940 #ifdef WITH_XMSS 3941 case KEY_XMSS: 3942 #endif /* WITH_XMSS */ 3943 return sshkey_parse_private2(blob, type, passphrase, 3944 keyp, commentp); 3945 case KEY_UNSPEC: 3946 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3947 commentp); 3948 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3949 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3950 return r; 3951 #ifdef WITH_OPENSSL 3952 return sshkey_parse_private_pem_fileblob(blob, type, 3953 passphrase, keyp); 3954 #else 3955 return SSH_ERR_INVALID_FORMAT; 3956 #endif /* WITH_OPENSSL */ 3957 default: 3958 return SSH_ERR_KEY_TYPE_UNKNOWN; 3959 } 3960 } 3961 3962 int 3963 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3964 struct sshkey **keyp, char **commentp) 3965 { 3966 if (keyp != NULL) 3967 *keyp = NULL; 3968 if (commentp != NULL) 3969 *commentp = NULL; 3970 3971 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3972 passphrase, keyp, commentp); 3973 } 3974 3975 #ifdef WITH_XMSS 3976 /* 3977 * serialize the key with the current state and forward the state 3978 * maxsign times. 3979 */ 3980 int 3981 sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b, 3982 u_int32_t maxsign, sshkey_printfn *pr) 3983 { 3984 int r, rupdate; 3985 3986 if (maxsign == 0 || 3987 sshkey_type_plain(k->type) != KEY_XMSS) 3988 return sshkey_private_serialize_opt(k, b, 3989 SSHKEY_SERIALIZE_DEFAULT); 3990 if ((r = sshkey_xmss_get_state(k, pr)) != 0 || 3991 (r = sshkey_private_serialize_opt(k, b, 3992 SSHKEY_SERIALIZE_STATE)) != 0 || 3993 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 3994 goto out; 3995 r = 0; 3996 out: 3997 if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) { 3998 if (r == 0) 3999 r = rupdate; 4000 } 4001 return r; 4002 } 4003 4004 u_int32_t 4005 sshkey_signatures_left(const struct sshkey *k) 4006 { 4007 if (sshkey_type_plain(k->type) == KEY_XMSS) 4008 return sshkey_xmss_signatures_left(k); 4009 return 0; 4010 } 4011 4012 int 4013 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4014 { 4015 if (sshkey_type_plain(k->type) != KEY_XMSS) 4016 return SSH_ERR_INVALID_ARGUMENT; 4017 return sshkey_xmss_enable_maxsign(k, maxsign); 4018 } 4019 4020 int 4021 sshkey_set_filename(struct sshkey *k, const char *filename) 4022 { 4023 if (k == NULL) 4024 return SSH_ERR_INVALID_ARGUMENT; 4025 if (sshkey_type_plain(k->type) != KEY_XMSS) 4026 return 0; 4027 if (filename == NULL) 4028 return SSH_ERR_INVALID_ARGUMENT; 4029 if ((k->xmss_filename = strdup(filename)) == NULL) 4030 return SSH_ERR_ALLOC_FAIL; 4031 return 0; 4032 } 4033 #else 4034 int 4035 sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b, 4036 u_int32_t maxsign, sshkey_printfn *pr) 4037 { 4038 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4039 } 4040 4041 u_int32_t 4042 sshkey_signatures_left(const struct sshkey *k) 4043 { 4044 return 0; 4045 } 4046 4047 int 4048 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4049 { 4050 return SSH_ERR_INVALID_ARGUMENT; 4051 } 4052 4053 int 4054 sshkey_set_filename(struct sshkey *k, const char *filename) 4055 { 4056 if (k == NULL) 4057 return SSH_ERR_INVALID_ARGUMENT; 4058 return 0; 4059 } 4060 #endif /* WITH_XMSS */ 4061