1 /* $NetBSD: sshkey.c,v 1.3 2015/04/03 23:58:19 christos Exp $ */ 2 /* $OpenBSD: sshkey.c,v 1.15 2015/03/06 01:40:56 djm Exp $ */ 3 /* 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 5 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 6 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 */ 28 #include "includes.h" 29 __RCSID("$NetBSD: sshkey.c,v 1.3 2015/04/03 23:58:19 christos Exp $"); 30 31 #include <sys/param.h> /* MIN MAX */ 32 #include <sys/types.h> 33 #include <netinet/in.h> 34 35 #ifdef WITH_OPENSSL 36 #include <openssl/evp.h> 37 #include <openssl/err.h> 38 #include <openssl/pem.h> 39 #endif 40 41 #include "crypto_api.h" 42 43 #include <errno.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <util.h> 47 #include <limits.h> 48 #include <resolv.h> 49 50 #include "ssh2.h" 51 #include "ssherr.h" 52 #include "misc.h" 53 #include "sshbuf.h" 54 #include "rsa.h" 55 #include "cipher.h" 56 #include "digest.h" 57 #define SSHKEY_INTERNAL 58 #include "sshkey.h" 59 #include "match.h" 60 61 /* openssh private key file format */ 62 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 63 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 64 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 65 #define MARK_END_LEN (sizeof(MARK_END) - 1) 66 #define KDFNAME "bcrypt" 67 #define AUTH_MAGIC "openssh-key-v1" 68 #define SALT_LEN 16 69 #define DEFAULT_CIPHERNAME "aes256-cbc" 70 #define DEFAULT_ROUNDS 16 71 72 /* Version identification string for SSH v1 identity files. */ 73 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 74 75 static int sshkey_from_blob_internal(struct sshbuf *buf, 76 struct sshkey **keyp, int allow_cert); 77 78 /* Supported key types */ 79 struct keytype { 80 const char *name; 81 const char *shortname; 82 int type; 83 int nid; 84 int cert; 85 }; 86 static const struct keytype keytypes[] = { 87 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 88 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 89 KEY_ED25519_CERT, 0, 1 }, 90 #ifdef WITH_OPENSSL 91 { NULL, "RSA1", KEY_RSA1, 0, 0 }, 92 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 93 { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 94 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 95 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 96 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 97 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 98 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 99 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 100 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 101 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 102 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 103 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 104 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 105 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 106 KEY_RSA_CERT_V00, 0, 1 }, 107 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 108 KEY_DSA_CERT_V00, 0, 1 }, 109 #endif /* WITH_OPENSSL */ 110 { NULL, NULL, -1, -1, 0 } 111 }; 112 113 const char * 114 sshkey_type(const struct sshkey *k) 115 { 116 const struct keytype *kt; 117 118 for (kt = keytypes; kt->type != -1; kt++) { 119 if (kt->type == k->type) 120 return kt->shortname; 121 } 122 return "unknown"; 123 } 124 125 static const char * 126 sshkey_ssh_name_from_type_nid(int type, int nid) 127 { 128 const struct keytype *kt; 129 130 for (kt = keytypes; kt->type != -1; kt++) { 131 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 132 return kt->name; 133 } 134 return "ssh-unknown"; 135 } 136 137 int 138 sshkey_type_is_cert(int type) 139 { 140 const struct keytype *kt; 141 142 for (kt = keytypes; kt->type != -1; kt++) { 143 if (kt->type == type) 144 return kt->cert; 145 } 146 return 0; 147 } 148 149 const char * 150 sshkey_ssh_name(const struct sshkey *k) 151 { 152 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 153 } 154 155 const char * 156 sshkey_ssh_name_plain(const struct sshkey *k) 157 { 158 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 159 k->ecdsa_nid); 160 } 161 162 int 163 sshkey_type_from_name(const char *name) 164 { 165 const struct keytype *kt; 166 167 for (kt = keytypes; kt->type != -1; kt++) { 168 /* Only allow shortname matches for plain key types */ 169 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 170 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 171 return kt->type; 172 } 173 return KEY_UNSPEC; 174 } 175 176 int 177 sshkey_ecdsa_nid_from_name(const char *name) 178 { 179 const struct keytype *kt; 180 181 for (kt = keytypes; kt->type != -1; kt++) { 182 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 183 continue; 184 if (kt->name != NULL && strcmp(name, kt->name) == 0) 185 return kt->nid; 186 } 187 return -1; 188 } 189 190 char * 191 key_alg_list(int certs_only, int plain_only) 192 { 193 char *tmp, *ret = NULL; 194 size_t nlen, rlen = 0; 195 const struct keytype *kt; 196 197 for (kt = keytypes; kt->type != -1; kt++) { 198 if (kt->name == NULL) 199 continue; 200 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 201 continue; 202 if (ret != NULL) 203 ret[rlen++] = '\n'; 204 nlen = strlen(kt->name); 205 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 206 free(ret); 207 return NULL; 208 } 209 ret = tmp; 210 memcpy(ret + rlen, kt->name, nlen + 1); 211 rlen += nlen; 212 } 213 return ret; 214 } 215 216 int 217 sshkey_names_valid2(const char *names, int allow_wildcard) 218 { 219 char *s, *cp, *p; 220 const struct keytype *kt; 221 int type; 222 223 if (names == NULL || strcmp(names, "") == 0) 224 return 0; 225 if ((s = cp = strdup(names)) == NULL) 226 return 0; 227 for ((p = strsep(&cp, ",")); p && *p != '\0'; 228 (p = strsep(&cp, ","))) { 229 type = sshkey_type_from_name(p); 230 if (type == KEY_RSA1) { 231 free(s); 232 return 0; 233 } 234 if (type == KEY_UNSPEC) { 235 if (allow_wildcard) { 236 /* 237 * Try matching key types against the string. 238 * If any has a positive or negative match then 239 * the component is accepted. 240 */ 241 for (kt = keytypes; kt->type != -1; kt++) { 242 if (kt->type == KEY_RSA1) 243 continue; 244 if (match_pattern_list(kt->name, 245 p, strlen(p), 0) != 0) 246 break; 247 } 248 if (kt->type != -1) 249 continue; 250 } 251 free(s); 252 return 0; 253 } 254 } 255 free(s); 256 return 1; 257 } 258 259 u_int 260 sshkey_size(const struct sshkey *k) 261 { 262 switch (k->type) { 263 #ifdef WITH_OPENSSL 264 case KEY_RSA1: 265 case KEY_RSA: 266 case KEY_RSA_CERT_V00: 267 case KEY_RSA_CERT: 268 return BN_num_bits(k->rsa->n); 269 case KEY_DSA: 270 case KEY_DSA_CERT_V00: 271 case KEY_DSA_CERT: 272 return BN_num_bits(k->dsa->p); 273 case KEY_ECDSA: 274 case KEY_ECDSA_CERT: 275 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 276 #endif /* WITH_OPENSSL */ 277 case KEY_ED25519: 278 case KEY_ED25519_CERT: 279 return 256; /* XXX */ 280 } 281 return 0; 282 } 283 284 int 285 sshkey_cert_is_legacy(const struct sshkey *k) 286 { 287 switch (k->type) { 288 case KEY_DSA_CERT_V00: 289 case KEY_RSA_CERT_V00: 290 return 1; 291 default: 292 return 0; 293 } 294 } 295 296 static int 297 sshkey_type_is_valid_ca(int type) 298 { 299 switch (type) { 300 case KEY_RSA: 301 case KEY_DSA: 302 case KEY_ECDSA: 303 case KEY_ED25519: 304 return 1; 305 default: 306 return 0; 307 } 308 } 309 310 int 311 sshkey_is_cert(const struct sshkey *k) 312 { 313 if (k == NULL) 314 return 0; 315 return sshkey_type_is_cert(k->type); 316 } 317 318 /* Return the cert-less equivalent to a certified key type */ 319 int 320 sshkey_type_plain(int type) 321 { 322 switch (type) { 323 case KEY_RSA_CERT_V00: 324 case KEY_RSA_CERT: 325 return KEY_RSA; 326 case KEY_DSA_CERT_V00: 327 case KEY_DSA_CERT: 328 return KEY_DSA; 329 case KEY_ECDSA_CERT: 330 return KEY_ECDSA; 331 case KEY_ED25519_CERT: 332 return KEY_ED25519; 333 default: 334 return type; 335 } 336 } 337 338 #ifdef WITH_OPENSSL 339 /* XXX: these are really begging for a table-driven approach */ 340 int 341 sshkey_curve_name_to_nid(const char *name) 342 { 343 if (strcmp(name, "nistp256") == 0) 344 return NID_X9_62_prime256v1; 345 else if (strcmp(name, "nistp384") == 0) 346 return NID_secp384r1; 347 else if (strcmp(name, "nistp521") == 0) 348 return NID_secp521r1; 349 else 350 return -1; 351 } 352 353 u_int 354 sshkey_curve_nid_to_bits(int nid) 355 { 356 switch (nid) { 357 case NID_X9_62_prime256v1: 358 return 256; 359 case NID_secp384r1: 360 return 384; 361 case NID_secp521r1: 362 return 521; 363 default: 364 return 0; 365 } 366 } 367 368 int 369 sshkey_ecdsa_bits_to_nid(int bits) 370 { 371 switch (bits) { 372 case 256: 373 return NID_X9_62_prime256v1; 374 case 384: 375 return NID_secp384r1; 376 case 521: 377 return NID_secp521r1; 378 default: 379 return -1; 380 } 381 } 382 383 const char * 384 sshkey_curve_nid_to_name(int nid) 385 { 386 switch (nid) { 387 case NID_X9_62_prime256v1: 388 return "nistp256"; 389 case NID_secp384r1: 390 return "nistp384"; 391 case NID_secp521r1: 392 return "nistp521"; 393 default: 394 return NULL; 395 } 396 } 397 398 int 399 sshkey_ec_nid_to_hash_alg(int nid) 400 { 401 int kbits = sshkey_curve_nid_to_bits(nid); 402 403 if (kbits <= 0) 404 return -1; 405 406 /* RFC5656 section 6.2.1 */ 407 if (kbits <= 256) 408 return SSH_DIGEST_SHA256; 409 else if (kbits <= 384) 410 return SSH_DIGEST_SHA384; 411 else 412 return SSH_DIGEST_SHA512; 413 } 414 #endif /* WITH_OPENSSL */ 415 416 static void 417 cert_free(struct sshkey_cert *cert) 418 { 419 u_int i; 420 421 if (cert == NULL) 422 return; 423 if (cert->certblob != NULL) 424 sshbuf_free(cert->certblob); 425 if (cert->critical != NULL) 426 sshbuf_free(cert->critical); 427 if (cert->extensions != NULL) 428 sshbuf_free(cert->extensions); 429 if (cert->key_id != NULL) 430 free(cert->key_id); 431 for (i = 0; i < cert->nprincipals; i++) 432 free(cert->principals[i]); 433 if (cert->principals != NULL) 434 free(cert->principals); 435 if (cert->signature_key != NULL) 436 sshkey_free(cert->signature_key); 437 explicit_bzero(cert, sizeof(*cert)); 438 free(cert); 439 } 440 441 static struct sshkey_cert * 442 cert_new(void) 443 { 444 struct sshkey_cert *cert; 445 446 if ((cert = calloc(1, sizeof(*cert))) == NULL) 447 return NULL; 448 if ((cert->certblob = sshbuf_new()) == NULL || 449 (cert->critical = sshbuf_new()) == NULL || 450 (cert->extensions = sshbuf_new()) == NULL) { 451 cert_free(cert); 452 return NULL; 453 } 454 cert->key_id = NULL; 455 cert->principals = NULL; 456 cert->signature_key = NULL; 457 return cert; 458 } 459 460 struct sshkey * 461 sshkey_new(int type) 462 { 463 struct sshkey *k; 464 #ifdef WITH_OPENSSL 465 RSA *rsa; 466 DSA *dsa; 467 #endif /* WITH_OPENSSL */ 468 469 if ((k = calloc(1, sizeof(*k))) == NULL) 470 return NULL; 471 k->type = type; 472 k->ecdsa = NULL; 473 k->ecdsa_nid = -1; 474 k->dsa = NULL; 475 k->rsa = NULL; 476 k->cert = NULL; 477 k->ed25519_sk = NULL; 478 k->ed25519_pk = NULL; 479 switch (k->type) { 480 #ifdef WITH_OPENSSL 481 case KEY_RSA1: 482 case KEY_RSA: 483 case KEY_RSA_CERT_V00: 484 case KEY_RSA_CERT: 485 if ((rsa = RSA_new()) == NULL || 486 (rsa->n = BN_new()) == NULL || 487 (rsa->e = BN_new()) == NULL) { 488 if (rsa != NULL) 489 RSA_free(rsa); 490 free(k); 491 return NULL; 492 } 493 k->rsa = rsa; 494 break; 495 case KEY_DSA: 496 case KEY_DSA_CERT_V00: 497 case KEY_DSA_CERT: 498 if ((dsa = DSA_new()) == NULL || 499 (dsa->p = BN_new()) == NULL || 500 (dsa->q = BN_new()) == NULL || 501 (dsa->g = BN_new()) == NULL || 502 (dsa->pub_key = BN_new()) == NULL) { 503 if (dsa != NULL) 504 DSA_free(dsa); 505 free(k); 506 return NULL; 507 } 508 k->dsa = dsa; 509 break; 510 case KEY_ECDSA: 511 case KEY_ECDSA_CERT: 512 /* Cannot do anything until we know the group */ 513 break; 514 #endif /* WITH_OPENSSL */ 515 case KEY_ED25519: 516 case KEY_ED25519_CERT: 517 /* no need to prealloc */ 518 break; 519 case KEY_UNSPEC: 520 break; 521 default: 522 free(k); 523 return NULL; 524 break; 525 } 526 527 if (sshkey_is_cert(k)) { 528 if ((k->cert = cert_new()) == NULL) { 529 sshkey_free(k); 530 return NULL; 531 } 532 } 533 534 return k; 535 } 536 537 int 538 sshkey_add_private(struct sshkey *k) 539 { 540 switch (k->type) { 541 #ifdef WITH_OPENSSL 542 case KEY_RSA1: 543 case KEY_RSA: 544 case KEY_RSA_CERT_V00: 545 case KEY_RSA_CERT: 546 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 547 if (bn_maybe_alloc_failed(k->rsa->d) || 548 bn_maybe_alloc_failed(k->rsa->iqmp) || 549 bn_maybe_alloc_failed(k->rsa->q) || 550 bn_maybe_alloc_failed(k->rsa->p) || 551 bn_maybe_alloc_failed(k->rsa->dmq1) || 552 bn_maybe_alloc_failed(k->rsa->dmp1)) 553 return SSH_ERR_ALLOC_FAIL; 554 break; 555 case KEY_DSA: 556 case KEY_DSA_CERT_V00: 557 case KEY_DSA_CERT: 558 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 559 return SSH_ERR_ALLOC_FAIL; 560 break; 561 #undef bn_maybe_alloc_failed 562 case KEY_ECDSA: 563 case KEY_ECDSA_CERT: 564 /* Cannot do anything until we know the group */ 565 break; 566 #endif /* WITH_OPENSSL */ 567 case KEY_ED25519: 568 case KEY_ED25519_CERT: 569 /* no need to prealloc */ 570 break; 571 case KEY_UNSPEC: 572 break; 573 default: 574 return SSH_ERR_INVALID_ARGUMENT; 575 } 576 return 0; 577 } 578 579 struct sshkey * 580 sshkey_new_private(int type) 581 { 582 struct sshkey *k = sshkey_new(type); 583 584 if (k == NULL) 585 return NULL; 586 if (sshkey_add_private(k) != 0) { 587 sshkey_free(k); 588 return NULL; 589 } 590 return k; 591 } 592 593 void 594 sshkey_free(struct sshkey *k) 595 { 596 if (k == NULL) 597 return; 598 switch (k->type) { 599 #ifdef WITH_OPENSSL 600 case KEY_RSA1: 601 case KEY_RSA: 602 case KEY_RSA_CERT_V00: 603 case KEY_RSA_CERT: 604 if (k->rsa != NULL) 605 RSA_free(k->rsa); 606 k->rsa = NULL; 607 break; 608 case KEY_DSA: 609 case KEY_DSA_CERT_V00: 610 case KEY_DSA_CERT: 611 if (k->dsa != NULL) 612 DSA_free(k->dsa); 613 k->dsa = NULL; 614 break; 615 case KEY_ECDSA: 616 case KEY_ECDSA_CERT: 617 if (k->ecdsa != NULL) 618 EC_KEY_free(k->ecdsa); 619 k->ecdsa = NULL; 620 break; 621 #endif /* WITH_OPENSSL */ 622 case KEY_ED25519: 623 case KEY_ED25519_CERT: 624 if (k->ed25519_pk) { 625 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 626 free(k->ed25519_pk); 627 k->ed25519_pk = NULL; 628 } 629 if (k->ed25519_sk) { 630 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 631 free(k->ed25519_sk); 632 k->ed25519_sk = NULL; 633 } 634 break; 635 case KEY_UNSPEC: 636 break; 637 default: 638 break; 639 } 640 if (sshkey_is_cert(k)) 641 cert_free(k->cert); 642 explicit_bzero(k, sizeof(*k)); 643 free(k); 644 } 645 646 static int 647 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 648 { 649 if (a == NULL && b == NULL) 650 return 1; 651 if (a == NULL || b == NULL) 652 return 0; 653 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 654 return 0; 655 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 656 sshbuf_len(a->certblob)) != 0) 657 return 0; 658 return 1; 659 } 660 661 /* 662 * Compare public portions of key only, allowing comparisons between 663 * certificates and plain keys too. 664 */ 665 int 666 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 667 { 668 #ifdef WITH_OPENSSL 669 BN_CTX *bnctx; 670 #endif /* WITH_OPENSSL */ 671 672 if (a == NULL || b == NULL || 673 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 674 return 0; 675 676 switch (a->type) { 677 #ifdef WITH_OPENSSL 678 case KEY_RSA1: 679 case KEY_RSA_CERT_V00: 680 case KEY_RSA_CERT: 681 case KEY_RSA: 682 return a->rsa != NULL && b->rsa != NULL && 683 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 684 BN_cmp(a->rsa->n, b->rsa->n) == 0; 685 case KEY_DSA_CERT_V00: 686 case KEY_DSA_CERT: 687 case KEY_DSA: 688 return a->dsa != NULL && b->dsa != NULL && 689 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 690 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 691 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 692 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 693 case KEY_ECDSA_CERT: 694 case KEY_ECDSA: 695 if (a->ecdsa == NULL || b->ecdsa == NULL || 696 EC_KEY_get0_public_key(a->ecdsa) == NULL || 697 EC_KEY_get0_public_key(b->ecdsa) == NULL) 698 return 0; 699 if ((bnctx = BN_CTX_new()) == NULL) 700 return 0; 701 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 702 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 703 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 704 EC_KEY_get0_public_key(a->ecdsa), 705 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 706 BN_CTX_free(bnctx); 707 return 0; 708 } 709 BN_CTX_free(bnctx); 710 return 1; 711 #endif /* WITH_OPENSSL */ 712 case KEY_ED25519: 713 case KEY_ED25519_CERT: 714 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 715 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 716 default: 717 return 0; 718 } 719 /* NOTREACHED */ 720 } 721 722 int 723 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 724 { 725 if (a == NULL || b == NULL || a->type != b->type) 726 return 0; 727 if (sshkey_is_cert(a)) { 728 if (!cert_compare(a->cert, b->cert)) 729 return 0; 730 } 731 return sshkey_equal_public(a, b); 732 } 733 734 static int 735 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 736 { 737 int type, ret = SSH_ERR_INTERNAL_ERROR; 738 const char *typename; 739 740 if (key == NULL) 741 return SSH_ERR_INVALID_ARGUMENT; 742 743 type = force_plain ? sshkey_type_plain(key->type) : key->type; 744 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 745 746 switch (type) { 747 #ifdef WITH_OPENSSL 748 case KEY_DSA_CERT_V00: 749 case KEY_RSA_CERT_V00: 750 case KEY_DSA_CERT: 751 case KEY_ECDSA_CERT: 752 case KEY_RSA_CERT: 753 #endif /* WITH_OPENSSL */ 754 case KEY_ED25519_CERT: 755 /* Use the existing blob */ 756 /* XXX modified flag? */ 757 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 758 return ret; 759 break; 760 #ifdef WITH_OPENSSL 761 case KEY_DSA: 762 if (key->dsa == NULL) 763 return SSH_ERR_INVALID_ARGUMENT; 764 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 765 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 766 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 767 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 768 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 769 return ret; 770 break; 771 case KEY_ECDSA: 772 if (key->ecdsa == NULL) 773 return SSH_ERR_INVALID_ARGUMENT; 774 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 775 (ret = sshbuf_put_cstring(b, 776 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 777 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 778 return ret; 779 break; 780 case KEY_RSA: 781 if (key->rsa == NULL) 782 return SSH_ERR_INVALID_ARGUMENT; 783 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 784 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 785 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 786 return ret; 787 break; 788 #endif /* WITH_OPENSSL */ 789 case KEY_ED25519: 790 if (key->ed25519_pk == NULL) 791 return SSH_ERR_INVALID_ARGUMENT; 792 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 793 (ret = sshbuf_put_string(b, 794 key->ed25519_pk, ED25519_PK_SZ)) != 0) 795 return ret; 796 break; 797 default: 798 return SSH_ERR_KEY_TYPE_UNKNOWN; 799 } 800 return 0; 801 } 802 803 int 804 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 805 { 806 return to_blob_buf(key, b, 0); 807 } 808 809 int 810 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 811 { 812 struct sshbuf *tmp; 813 int r; 814 815 if ((tmp = sshbuf_new()) == NULL) 816 return SSH_ERR_ALLOC_FAIL; 817 r = to_blob_buf(key, tmp, 0); 818 if (r == 0) 819 r = sshbuf_put_stringb(b, tmp); 820 sshbuf_free(tmp); 821 return r; 822 } 823 824 int 825 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 826 { 827 return to_blob_buf(key, b, 1); 828 } 829 830 static int 831 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 832 { 833 int ret = SSH_ERR_INTERNAL_ERROR; 834 size_t len; 835 struct sshbuf *b = NULL; 836 837 if (lenp != NULL) 838 *lenp = 0; 839 if (blobp != NULL) 840 *blobp = NULL; 841 if ((b = sshbuf_new()) == NULL) 842 return SSH_ERR_ALLOC_FAIL; 843 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 844 goto out; 845 len = sshbuf_len(b); 846 if (lenp != NULL) 847 *lenp = len; 848 if (blobp != NULL) { 849 if ((*blobp = malloc(len)) == NULL) { 850 ret = SSH_ERR_ALLOC_FAIL; 851 goto out; 852 } 853 memcpy(*blobp, sshbuf_ptr(b), len); 854 } 855 ret = 0; 856 out: 857 sshbuf_free(b); 858 return ret; 859 } 860 861 int 862 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 863 { 864 return to_blob(key, blobp, lenp, 0); 865 } 866 867 int 868 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 869 { 870 return to_blob(key, blobp, lenp, 1); 871 } 872 873 int 874 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 875 u_char **retp, size_t *lenp) 876 { 877 u_char *blob = NULL, *ret = NULL; 878 size_t blob_len = 0; 879 int r = SSH_ERR_INTERNAL_ERROR; 880 881 if (retp != NULL) 882 *retp = NULL; 883 if (lenp != NULL) 884 *lenp = 0; 885 if (ssh_digest_bytes(dgst_alg) == 0) { 886 r = SSH_ERR_INVALID_ARGUMENT; 887 goto out; 888 } 889 890 if (k->type == KEY_RSA1) { 891 #ifdef WITH_OPENSSL 892 int nlen = BN_num_bytes(k->rsa->n); 893 int elen = BN_num_bytes(k->rsa->e); 894 895 blob_len = nlen + elen; 896 if (nlen >= INT_MAX - elen || 897 (blob = malloc(blob_len)) == NULL) { 898 r = SSH_ERR_ALLOC_FAIL; 899 goto out; 900 } 901 BN_bn2bin(k->rsa->n, blob); 902 BN_bn2bin(k->rsa->e, blob + nlen); 903 #endif /* WITH_OPENSSL */ 904 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 905 goto out; 906 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 907 r = SSH_ERR_ALLOC_FAIL; 908 goto out; 909 } 910 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 911 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 912 goto out; 913 /* success */ 914 if (retp != NULL) { 915 *retp = ret; 916 ret = NULL; 917 } 918 if (lenp != NULL) 919 *lenp = ssh_digest_bytes(dgst_alg); 920 r = 0; 921 out: 922 free(ret); 923 if (blob != NULL) { 924 explicit_bzero(blob, blob_len); 925 free(blob); 926 } 927 return r; 928 } 929 930 static char * 931 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 932 { 933 char *ret; 934 size_t plen = strlen(alg) + 1; 935 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 936 int r; 937 938 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 939 return NULL; 940 strlcpy(ret, alg, rlen); 941 strlcat(ret, ":", rlen); 942 if (dgst_raw_len == 0) 943 return ret; 944 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 945 ret + plen, rlen - plen)) == -1) { 946 explicit_bzero(ret, rlen); 947 free(ret); 948 return NULL; 949 } 950 /* Trim padding characters from end */ 951 ret[strcspn(ret, "=")] = '\0'; 952 return ret; 953 } 954 955 static char * 956 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 957 { 958 char *retval, hex[5]; 959 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 960 961 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 962 return NULL; 963 strlcpy(retval, alg, rlen); 964 strlcat(retval, ":", rlen); 965 for (i = 0; i < dgst_raw_len; i++) { 966 snprintf(hex, sizeof(hex), "%s%02x", 967 i > 0 ? ":" : "", dgst_raw[i]); 968 strlcat(retval, hex, rlen); 969 } 970 return retval; 971 } 972 973 static char * 974 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 975 { 976 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 977 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 978 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 979 u_int i, j = 0, rounds, seed = 1; 980 char *retval; 981 982 rounds = (dgst_raw_len / 2) + 1; 983 if ((retval = calloc(rounds, 6)) == NULL) 984 return NULL; 985 retval[j++] = 'x'; 986 for (i = 0; i < rounds; i++) { 987 u_int idx0, idx1, idx2, idx3, idx4; 988 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 989 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 990 seed) % 6; 991 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 992 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 993 (seed / 6)) % 6; 994 retval[j++] = vowels[idx0]; 995 retval[j++] = consonants[idx1]; 996 retval[j++] = vowels[idx2]; 997 if ((i + 1) < rounds) { 998 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 999 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1000 retval[j++] = consonants[idx3]; 1001 retval[j++] = '-'; 1002 retval[j++] = consonants[idx4]; 1003 seed = ((seed * 5) + 1004 ((((u_int)(dgst_raw[2 * i])) * 7) + 1005 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1006 } 1007 } else { 1008 idx0 = seed % 6; 1009 idx1 = 16; 1010 idx2 = seed / 6; 1011 retval[j++] = vowels[idx0]; 1012 retval[j++] = consonants[idx1]; 1013 retval[j++] = vowels[idx2]; 1014 } 1015 } 1016 retval[j++] = 'x'; 1017 retval[j++] = '\0'; 1018 return retval; 1019 } 1020 1021 /* 1022 * Draw an ASCII-Art representing the fingerprint so human brain can 1023 * profit from its built-in pattern recognition ability. 1024 * This technique is called "random art" and can be found in some 1025 * scientific publications like this original paper: 1026 * 1027 * "Hash Visualization: a New Technique to improve Real-World Security", 1028 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1029 * Techniques and E-Commerce (CrypTEC '99) 1030 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1031 * 1032 * The subject came up in a talk by Dan Kaminsky, too. 1033 * 1034 * If you see the picture is different, the key is different. 1035 * If the picture looks the same, you still know nothing. 1036 * 1037 * The algorithm used here is a worm crawling over a discrete plane, 1038 * leaving a trace (augmenting the field) everywhere it goes. 1039 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1040 * makes the respective movement vector be ignored for this turn. 1041 * Graphs are not unambiguous, because circles in graphs can be 1042 * walked in either direction. 1043 */ 1044 1045 /* 1046 * Field sizes for the random art. Have to be odd, so the starting point 1047 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1048 * Else pictures would be too dense, and drawing the frame would 1049 * fail, too, because the key type would not fit in anymore. 1050 */ 1051 #define FLDBASE 8 1052 #define FLDSIZE_Y (FLDBASE + 1) 1053 #define FLDSIZE_X (FLDBASE * 2 + 1) 1054 static char * 1055 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1056 const struct sshkey *k) 1057 { 1058 /* 1059 * Chars to be used after each other every time the worm 1060 * intersects with itself. Matter of taste. 1061 */ 1062 const char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1063 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1064 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1065 size_t i, tlen, hlen; 1066 u_int b; 1067 int x, y, r; 1068 size_t len = strlen(augmentation_string) - 1; 1069 1070 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1071 return NULL; 1072 1073 /* initialize field */ 1074 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1075 x = FLDSIZE_X / 2; 1076 y = FLDSIZE_Y / 2; 1077 1078 /* process raw key */ 1079 for (i = 0; i < dgst_raw_len; i++) { 1080 int input; 1081 /* each byte conveys four 2-bit move commands */ 1082 input = dgst_raw[i]; 1083 for (b = 0; b < 4; b++) { 1084 /* evaluate 2 bit, rest is shifted later */ 1085 x += (input & 0x1) ? 1 : -1; 1086 y += (input & 0x2) ? 1 : -1; 1087 1088 /* assure we are still in bounds */ 1089 x = MAX(x, 0); 1090 y = MAX(y, 0); 1091 x = MIN(x, FLDSIZE_X - 1); 1092 y = MIN(y, FLDSIZE_Y - 1); 1093 1094 /* augment the field */ 1095 if (field[x][y] < len - 2) 1096 field[x][y]++; 1097 input = input >> 2; 1098 } 1099 } 1100 1101 /* mark starting point and end point*/ 1102 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1103 field[x][y] = len; 1104 1105 /* assemble title */ 1106 r = snprintf(title, sizeof(title), "[%s %u]", 1107 sshkey_type(k), sshkey_size(k)); 1108 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1109 if (r < 0 || r > (int)sizeof(title)) 1110 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1111 tlen = (r <= 0) ? 0 : strlen(title); 1112 1113 /* assemble hash ID. */ 1114 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1115 hlen = (r <= 0) ? 0 : strlen(hash); 1116 1117 /* output upper border */ 1118 p = retval; 1119 *p++ = '+'; 1120 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1121 *p++ = '-'; 1122 memcpy(p, title, tlen); 1123 p += tlen; 1124 for (i += tlen; i < FLDSIZE_X; i++) 1125 *p++ = '-'; 1126 *p++ = '+'; 1127 *p++ = '\n'; 1128 1129 /* output content */ 1130 for (y = 0; y < FLDSIZE_Y; y++) { 1131 *p++ = '|'; 1132 for (x = 0; x < FLDSIZE_X; x++) 1133 *p++ = augmentation_string[MIN(field[x][y], len)]; 1134 *p++ = '|'; 1135 *p++ = '\n'; 1136 } 1137 1138 /* output lower border */ 1139 *p++ = '+'; 1140 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1141 *p++ = '-'; 1142 memcpy(p, hash, hlen); 1143 p += hlen; 1144 for (i += hlen; i < FLDSIZE_X; i++) 1145 *p++ = '-'; 1146 *p++ = '+'; 1147 1148 return retval; 1149 } 1150 1151 char * 1152 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1153 enum sshkey_fp_rep dgst_rep) 1154 { 1155 char *retval = NULL; 1156 u_char *dgst_raw; 1157 size_t dgst_raw_len; 1158 1159 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1160 return NULL; 1161 switch (dgst_rep) { 1162 case SSH_FP_DEFAULT: 1163 if (dgst_alg == SSH_DIGEST_MD5) { 1164 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1165 dgst_raw, dgst_raw_len); 1166 } else { 1167 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1168 dgst_raw, dgst_raw_len); 1169 } 1170 break; 1171 case SSH_FP_HEX: 1172 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1173 dgst_raw, dgst_raw_len); 1174 break; 1175 case SSH_FP_BASE64: 1176 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1177 dgst_raw, dgst_raw_len); 1178 break; 1179 case SSH_FP_BUBBLEBABBLE: 1180 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1181 break; 1182 case SSH_FP_RANDOMART: 1183 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1184 dgst_raw, dgst_raw_len, k); 1185 break; 1186 default: 1187 explicit_bzero(dgst_raw, dgst_raw_len); 1188 free(dgst_raw); 1189 return NULL; 1190 } 1191 explicit_bzero(dgst_raw, dgst_raw_len); 1192 free(dgst_raw); 1193 return retval; 1194 } 1195 1196 #ifdef WITH_SSH1 1197 /* 1198 * Reads a multiple-precision integer in decimal from the buffer, and advances 1199 * the pointer. The integer must already be initialized. This function is 1200 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1201 * last processed character. 1202 */ 1203 static int 1204 read_decimal_bignum(char **cpp, BIGNUM *v) 1205 { 1206 char *cp; 1207 size_t e; 1208 int skip = 1; /* skip white space */ 1209 1210 cp = *cpp; 1211 while (*cp == ' ' || *cp == '\t') 1212 cp++; 1213 e = strspn(cp, "0123456789"); 1214 if (e == 0) 1215 return SSH_ERR_INVALID_FORMAT; 1216 if (e > SSHBUF_MAX_BIGNUM * 3) 1217 return SSH_ERR_BIGNUM_TOO_LARGE; 1218 if (cp[e] == '\0') 1219 skip = 0; 1220 else if (index(" \t\r\n", cp[e]) == NULL) 1221 return SSH_ERR_INVALID_FORMAT; 1222 cp[e] = '\0'; 1223 if (BN_dec2bn(&v, cp) <= 0) 1224 return SSH_ERR_INVALID_FORMAT; 1225 *cpp = cp + e + skip; 1226 return 0; 1227 } 1228 #endif /* WITH_SSH1 */ 1229 1230 /* returns 0 ok, and < 0 error */ 1231 int 1232 sshkey_read(struct sshkey *ret, char **cpp) 1233 { 1234 struct sshkey *k; 1235 int retval = SSH_ERR_INVALID_FORMAT; 1236 char *cp, *space; 1237 int r, type, curve_nid = -1; 1238 struct sshbuf *blob; 1239 #ifdef WITH_SSH1 1240 char *ep; 1241 u_long bits; 1242 #endif /* WITH_SSH1 */ 1243 1244 cp = *cpp; 1245 1246 switch (ret->type) { 1247 case KEY_RSA1: 1248 #ifdef WITH_SSH1 1249 /* Get number of bits. */ 1250 bits = strtoul(cp, &ep, 10); 1251 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || 1252 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1253 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1254 /* Get public exponent, public modulus. */ 1255 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1256 return r; 1257 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1258 return r; 1259 *cpp = ep; 1260 /* validate the claimed number of bits */ 1261 if (BN_num_bits(ret->rsa->n) != (int)bits) 1262 return SSH_ERR_KEY_BITS_MISMATCH; 1263 retval = 0; 1264 #endif /* WITH_SSH1 */ 1265 break; 1266 case KEY_UNSPEC: 1267 case KEY_RSA: 1268 case KEY_DSA: 1269 case KEY_ECDSA: 1270 case KEY_ED25519: 1271 case KEY_DSA_CERT_V00: 1272 case KEY_RSA_CERT_V00: 1273 case KEY_DSA_CERT: 1274 case KEY_ECDSA_CERT: 1275 case KEY_RSA_CERT: 1276 case KEY_ED25519_CERT: 1277 space = strchr(cp, ' '); 1278 if (space == NULL) 1279 return SSH_ERR_INVALID_FORMAT; 1280 *space = '\0'; 1281 type = sshkey_type_from_name(cp); 1282 if (sshkey_type_plain(type) == KEY_ECDSA && 1283 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1284 return SSH_ERR_EC_CURVE_INVALID; 1285 *space = ' '; 1286 if (type == KEY_UNSPEC) 1287 return SSH_ERR_INVALID_FORMAT; 1288 cp = space+1; 1289 if (*cp == '\0') 1290 return SSH_ERR_INVALID_FORMAT; 1291 if (ret->type != KEY_UNSPEC && ret->type != type) 1292 return SSH_ERR_KEY_TYPE_MISMATCH; 1293 if ((blob = sshbuf_new()) == NULL) 1294 return SSH_ERR_ALLOC_FAIL; 1295 /* trim comment */ 1296 space = strchr(cp, ' '); 1297 if (space) { 1298 /* advance 'space': skip whitespace */ 1299 *space++ = '\0'; 1300 while (*space == ' ' || *space == '\t') 1301 space++; 1302 *cpp = space; 1303 } else 1304 *cpp = cp + strlen(cp); 1305 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1306 sshbuf_free(blob); 1307 return r; 1308 } 1309 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1310 sshbuf_len(blob), &k)) != 0) { 1311 sshbuf_free(blob); 1312 return r; 1313 } 1314 sshbuf_free(blob); 1315 if (k->type != type) { 1316 sshkey_free(k); 1317 return SSH_ERR_KEY_TYPE_MISMATCH; 1318 } 1319 if (sshkey_type_plain(type) == KEY_ECDSA && 1320 curve_nid != k->ecdsa_nid) { 1321 sshkey_free(k); 1322 return SSH_ERR_EC_CURVE_MISMATCH; 1323 } 1324 ret->type = type; 1325 if (sshkey_is_cert(ret)) { 1326 if (!sshkey_is_cert(k)) { 1327 sshkey_free(k); 1328 return SSH_ERR_EXPECTED_CERT; 1329 } 1330 if (ret->cert != NULL) 1331 cert_free(ret->cert); 1332 ret->cert = k->cert; 1333 k->cert = NULL; 1334 } 1335 #ifdef WITH_OPENSSL 1336 if (sshkey_type_plain(ret->type) == KEY_RSA) { 1337 if (ret->rsa != NULL) 1338 RSA_free(ret->rsa); 1339 ret->rsa = k->rsa; 1340 k->rsa = NULL; 1341 #ifdef DEBUG_PK 1342 RSA_print_fp(stderr, ret->rsa, 8); 1343 #endif 1344 } 1345 if (sshkey_type_plain(ret->type) == KEY_DSA) { 1346 if (ret->dsa != NULL) 1347 DSA_free(ret->dsa); 1348 ret->dsa = k->dsa; 1349 k->dsa = NULL; 1350 #ifdef DEBUG_PK 1351 DSA_print_fp(stderr, ret->dsa, 8); 1352 #endif 1353 } 1354 if (sshkey_type_plain(ret->type) == KEY_ECDSA) { 1355 if (ret->ecdsa != NULL) 1356 EC_KEY_free(ret->ecdsa); 1357 ret->ecdsa = k->ecdsa; 1358 ret->ecdsa_nid = k->ecdsa_nid; 1359 k->ecdsa = NULL; 1360 k->ecdsa_nid = -1; 1361 #ifdef DEBUG_PK 1362 sshkey_dump_ec_key(ret->ecdsa); 1363 #endif 1364 } 1365 #endif /* WITH_OPENSSL */ 1366 if (sshkey_type_plain(ret->type) == KEY_ED25519) { 1367 free(ret->ed25519_pk); 1368 ret->ed25519_pk = k->ed25519_pk; 1369 k->ed25519_pk = NULL; 1370 #ifdef DEBUG_PK 1371 /* XXX */ 1372 #endif 1373 } 1374 retval = 0; 1375 /*XXXX*/ 1376 sshkey_free(k); 1377 if (retval != 0) 1378 break; 1379 break; 1380 default: 1381 return SSH_ERR_INVALID_ARGUMENT; 1382 } 1383 return retval; 1384 } 1385 1386 int 1387 sshkey_write(const struct sshkey *key, FILE *f) 1388 { 1389 int ret = SSH_ERR_INTERNAL_ERROR; 1390 struct sshbuf *b = NULL, *bb = NULL; 1391 char *uu = NULL; 1392 #ifdef WITH_SSH1 1393 u_int bits = 0; 1394 char *dec_e = NULL, *dec_n = NULL; 1395 #endif /* WITH_SSH1 */ 1396 1397 if (sshkey_is_cert(key)) { 1398 if (key->cert == NULL) 1399 return SSH_ERR_EXPECTED_CERT; 1400 if (sshbuf_len(key->cert->certblob) == 0) 1401 return SSH_ERR_KEY_LACKS_CERTBLOB; 1402 } 1403 if ((b = sshbuf_new()) == NULL) 1404 return SSH_ERR_ALLOC_FAIL; 1405 switch (key->type) { 1406 #ifdef WITH_SSH1 1407 case KEY_RSA1: 1408 if (key->rsa == NULL || key->rsa->e == NULL || 1409 key->rsa->n == NULL) { 1410 ret = SSH_ERR_INVALID_ARGUMENT; 1411 goto out; 1412 } 1413 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1414 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1415 ret = SSH_ERR_ALLOC_FAIL; 1416 goto out; 1417 } 1418 /* size of modulus 'n' */ 1419 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1420 ret = SSH_ERR_INVALID_ARGUMENT; 1421 goto out; 1422 } 1423 if ((ret = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1424 goto out; 1425 #endif /* WITH_SSH1 */ 1426 break; 1427 #ifdef WITH_OPENSSL 1428 case KEY_DSA: 1429 case KEY_DSA_CERT_V00: 1430 case KEY_DSA_CERT: 1431 case KEY_ECDSA: 1432 case KEY_ECDSA_CERT: 1433 case KEY_RSA: 1434 case KEY_RSA_CERT_V00: 1435 case KEY_RSA_CERT: 1436 #endif /* WITH_OPENSSL */ 1437 case KEY_ED25519: 1438 case KEY_ED25519_CERT: 1439 if ((bb = sshbuf_new()) == NULL) { 1440 ret = SSH_ERR_ALLOC_FAIL; 1441 goto out; 1442 } 1443 if ((ret = sshkey_putb(key, bb)) != 0) 1444 goto out; 1445 if ((uu = sshbuf_dtob64(bb)) == NULL) { 1446 ret = SSH_ERR_ALLOC_FAIL; 1447 goto out; 1448 } 1449 if ((ret = sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) != 0) 1450 goto out; 1451 if ((ret = sshbuf_put(b, uu, strlen(uu))) != 0) 1452 goto out; 1453 break; 1454 default: 1455 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1456 goto out; 1457 } 1458 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1459 if (feof(f)) 1460 errno = EPIPE; 1461 ret = SSH_ERR_SYSTEM_ERROR; 1462 goto out; 1463 } 1464 ret = 0; 1465 out: 1466 if (b != NULL) 1467 sshbuf_free(b); 1468 if (bb != NULL) 1469 sshbuf_free(bb); 1470 if (uu != NULL) 1471 free(uu); 1472 #ifdef WITH_SSH1 1473 if (dec_e != NULL) 1474 OPENSSL_free(dec_e); 1475 if (dec_n != NULL) 1476 OPENSSL_free(dec_n); 1477 #endif /* WITH_SSH1 */ 1478 return ret; 1479 } 1480 1481 const char * 1482 sshkey_cert_type(const struct sshkey *k) 1483 { 1484 switch (k->cert->type) { 1485 case SSH2_CERT_TYPE_USER: 1486 return "user"; 1487 case SSH2_CERT_TYPE_HOST: 1488 return "host"; 1489 default: 1490 return "unknown"; 1491 } 1492 } 1493 1494 #ifdef WITH_OPENSSL 1495 static int 1496 rsa_generate_private_key(u_int bits, RSA **rsap) 1497 { 1498 RSA *private = NULL; 1499 BIGNUM *f4 = NULL; 1500 int ret = SSH_ERR_INTERNAL_ERROR; 1501 1502 if (rsap == NULL || 1503 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1504 bits > SSHBUF_MAX_BIGNUM * 8) 1505 return SSH_ERR_INVALID_ARGUMENT; 1506 *rsap = NULL; 1507 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1508 ret = SSH_ERR_ALLOC_FAIL; 1509 goto out; 1510 } 1511 if (!BN_set_word(f4, RSA_F4) || 1512 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1513 ret = SSH_ERR_LIBCRYPTO_ERROR; 1514 goto out; 1515 } 1516 *rsap = private; 1517 private = NULL; 1518 ret = 0; 1519 out: 1520 if (private != NULL) 1521 RSA_free(private); 1522 if (f4 != NULL) 1523 BN_free(f4); 1524 return ret; 1525 } 1526 1527 static int 1528 dsa_generate_private_key(u_int bits, DSA **dsap) 1529 { 1530 DSA *private; 1531 int ret = SSH_ERR_INTERNAL_ERROR; 1532 1533 if (dsap == NULL || bits != 1024) 1534 return SSH_ERR_INVALID_ARGUMENT; 1535 if ((private = DSA_new()) == NULL) { 1536 ret = SSH_ERR_ALLOC_FAIL; 1537 goto out; 1538 } 1539 *dsap = NULL; 1540 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1541 NULL, NULL) || !DSA_generate_key(private)) { 1542 DSA_free(private); 1543 ret = SSH_ERR_LIBCRYPTO_ERROR; 1544 goto out; 1545 } 1546 *dsap = private; 1547 private = NULL; 1548 ret = 0; 1549 out: 1550 if (private != NULL) 1551 DSA_free(private); 1552 return ret; 1553 } 1554 1555 int 1556 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1557 { 1558 EC_GROUP *eg; 1559 int nids[] = { 1560 NID_X9_62_prime256v1, 1561 NID_secp384r1, 1562 NID_secp521r1, 1563 -1 1564 }; 1565 int nid; 1566 u_int i; 1567 BN_CTX *bnctx; 1568 const EC_GROUP *g = EC_KEY_get0_group(k); 1569 1570 /* 1571 * The group may be stored in a ASN.1 encoded private key in one of two 1572 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1573 * or explicit group parameters encoded into the key blob. Only the 1574 * "named group" case sets the group NID for us, but we can figure 1575 * it out for the other case by comparing against all the groups that 1576 * are supported. 1577 */ 1578 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1579 return nid; 1580 if ((bnctx = BN_CTX_new()) == NULL) 1581 return -1; 1582 for (i = 0; nids[i] != -1; i++) { 1583 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1584 BN_CTX_free(bnctx); 1585 return -1; 1586 } 1587 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1588 break; 1589 EC_GROUP_free(eg); 1590 } 1591 BN_CTX_free(bnctx); 1592 if (nids[i] != -1) { 1593 /* Use the group with the NID attached */ 1594 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1595 if (EC_KEY_set_group(k, eg) != 1) { 1596 EC_GROUP_free(eg); 1597 return -1; 1598 } 1599 } 1600 return nids[i]; 1601 } 1602 1603 static int 1604 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1605 { 1606 EC_KEY *private; 1607 int ret = SSH_ERR_INTERNAL_ERROR; 1608 1609 if (nid == NULL || ecdsap == NULL || 1610 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1611 return SSH_ERR_INVALID_ARGUMENT; 1612 *ecdsap = NULL; 1613 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1614 ret = SSH_ERR_ALLOC_FAIL; 1615 goto out; 1616 } 1617 if (EC_KEY_generate_key(private) != 1) { 1618 ret = SSH_ERR_LIBCRYPTO_ERROR; 1619 goto out; 1620 } 1621 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1622 *ecdsap = private; 1623 private = NULL; 1624 ret = 0; 1625 out: 1626 if (private != NULL) 1627 EC_KEY_free(private); 1628 return ret; 1629 } 1630 #endif /* WITH_OPENSSL */ 1631 1632 int 1633 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1634 { 1635 struct sshkey *k; 1636 int ret = SSH_ERR_INTERNAL_ERROR; 1637 1638 if (keyp == NULL) 1639 return SSH_ERR_INVALID_ARGUMENT; 1640 *keyp = NULL; 1641 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1642 return SSH_ERR_ALLOC_FAIL; 1643 switch (type) { 1644 case KEY_ED25519: 1645 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1646 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1647 ret = SSH_ERR_ALLOC_FAIL; 1648 break; 1649 } 1650 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1651 ret = 0; 1652 break; 1653 #ifdef WITH_OPENSSL 1654 case KEY_DSA: 1655 ret = dsa_generate_private_key(bits, &k->dsa); 1656 break; 1657 case KEY_ECDSA: 1658 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1659 &k->ecdsa); 1660 break; 1661 case KEY_RSA: 1662 case KEY_RSA1: 1663 ret = rsa_generate_private_key(bits, &k->rsa); 1664 break; 1665 #endif /* WITH_OPENSSL */ 1666 default: 1667 ret = SSH_ERR_INVALID_ARGUMENT; 1668 } 1669 if (ret == 0) { 1670 k->type = type; 1671 *keyp = k; 1672 } else 1673 sshkey_free(k); 1674 return ret; 1675 } 1676 1677 int 1678 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1679 { 1680 u_int i; 1681 const struct sshkey_cert *from; 1682 struct sshkey_cert *to; 1683 int ret = SSH_ERR_INTERNAL_ERROR; 1684 1685 if (to_key->cert != NULL) { 1686 cert_free(to_key->cert); 1687 to_key->cert = NULL; 1688 } 1689 1690 if ((from = from_key->cert) == NULL) 1691 return SSH_ERR_INVALID_ARGUMENT; 1692 1693 if ((to = to_key->cert = cert_new()) == NULL) 1694 return SSH_ERR_ALLOC_FAIL; 1695 1696 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1697 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1698 (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) 1699 return ret; 1700 1701 to->serial = from->serial; 1702 to->type = from->type; 1703 if (from->key_id == NULL) 1704 to->key_id = NULL; 1705 else if ((to->key_id = strdup(from->key_id)) == NULL) 1706 return SSH_ERR_ALLOC_FAIL; 1707 to->valid_after = from->valid_after; 1708 to->valid_before = from->valid_before; 1709 if (from->signature_key == NULL) 1710 to->signature_key = NULL; 1711 else if ((ret = sshkey_from_private(from->signature_key, 1712 &to->signature_key)) != 0) 1713 return ret; 1714 1715 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1716 return SSH_ERR_INVALID_ARGUMENT; 1717 if (from->nprincipals > 0) { 1718 if ((to->principals = calloc(from->nprincipals, 1719 sizeof(*to->principals))) == NULL) 1720 return SSH_ERR_ALLOC_FAIL; 1721 for (i = 0; i < from->nprincipals; i++) { 1722 to->principals[i] = strdup(from->principals[i]); 1723 if (to->principals[i] == NULL) { 1724 to->nprincipals = i; 1725 return SSH_ERR_ALLOC_FAIL; 1726 } 1727 } 1728 } 1729 to->nprincipals = from->nprincipals; 1730 return 0; 1731 } 1732 1733 int 1734 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1735 { 1736 struct sshkey *n = NULL; 1737 int ret = SSH_ERR_INTERNAL_ERROR; 1738 1739 if (pkp != NULL) 1740 *pkp = NULL; 1741 1742 switch (k->type) { 1743 #ifdef WITH_OPENSSL 1744 case KEY_DSA: 1745 case KEY_DSA_CERT_V00: 1746 case KEY_DSA_CERT: 1747 if ((n = sshkey_new(k->type)) == NULL) 1748 return SSH_ERR_ALLOC_FAIL; 1749 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1750 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1751 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1752 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1753 sshkey_free(n); 1754 return SSH_ERR_ALLOC_FAIL; 1755 } 1756 break; 1757 case KEY_ECDSA: 1758 case KEY_ECDSA_CERT: 1759 if ((n = sshkey_new(k->type)) == NULL) 1760 return SSH_ERR_ALLOC_FAIL; 1761 n->ecdsa_nid = k->ecdsa_nid; 1762 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1763 if (n->ecdsa == NULL) { 1764 sshkey_free(n); 1765 return SSH_ERR_ALLOC_FAIL; 1766 } 1767 if (EC_KEY_set_public_key(n->ecdsa, 1768 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1769 sshkey_free(n); 1770 return SSH_ERR_LIBCRYPTO_ERROR; 1771 } 1772 break; 1773 case KEY_RSA: 1774 case KEY_RSA1: 1775 case KEY_RSA_CERT_V00: 1776 case KEY_RSA_CERT: 1777 if ((n = sshkey_new(k->type)) == NULL) 1778 return SSH_ERR_ALLOC_FAIL; 1779 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1780 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1781 sshkey_free(n); 1782 return SSH_ERR_ALLOC_FAIL; 1783 } 1784 break; 1785 #endif /* WITH_OPENSSL */ 1786 case KEY_ED25519: 1787 case KEY_ED25519_CERT: 1788 if ((n = sshkey_new(k->type)) == NULL) 1789 return SSH_ERR_ALLOC_FAIL; 1790 if (k->ed25519_pk != NULL) { 1791 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1792 sshkey_free(n); 1793 return SSH_ERR_ALLOC_FAIL; 1794 } 1795 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1796 } 1797 break; 1798 default: 1799 return SSH_ERR_KEY_TYPE_UNKNOWN; 1800 } 1801 if (sshkey_is_cert(k)) { 1802 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1803 sshkey_free(n); 1804 return ret; 1805 } 1806 } 1807 *pkp = n; 1808 return 0; 1809 } 1810 1811 static int 1812 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1813 { 1814 struct sshbuf *principals = NULL, *crit = NULL; 1815 struct sshbuf *exts = NULL, *ca = NULL; 1816 u_char *sig = NULL; 1817 size_t signed_len = 0, slen = 0, kidlen = 0; 1818 int ret = SSH_ERR_INTERNAL_ERROR; 1819 int v00 = sshkey_cert_is_legacy(key); 1820 1821 /* Copy the entire key blob for verification and later serialisation */ 1822 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1823 return ret; 1824 1825 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || 1826 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1827 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1828 (ret = sshbuf_froms(b, &principals)) != 0 || 1829 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1830 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1831 (ret = sshbuf_froms(b, &crit)) != 0 || 1832 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1833 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || 1834 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1835 (ret = sshbuf_froms(b, &ca)) != 0) { 1836 /* XXX debug print error for ret */ 1837 ret = SSH_ERR_INVALID_FORMAT; 1838 goto out; 1839 } 1840 1841 /* Signature is left in the buffer so we can calculate this length */ 1842 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1843 1844 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1845 ret = SSH_ERR_INVALID_FORMAT; 1846 goto out; 1847 } 1848 1849 if (key->cert->type != SSH2_CERT_TYPE_USER && 1850 key->cert->type != SSH2_CERT_TYPE_HOST) { 1851 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1852 goto out; 1853 } 1854 1855 /* Parse principals section */ 1856 while (sshbuf_len(principals) > 0) { 1857 char *principal = NULL; 1858 char **oprincipals = NULL; 1859 1860 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1861 ret = SSH_ERR_INVALID_FORMAT; 1862 goto out; 1863 } 1864 if ((ret = sshbuf_get_cstring(principals, &principal, 1865 NULL)) != 0) { 1866 ret = SSH_ERR_INVALID_FORMAT; 1867 goto out; 1868 } 1869 oprincipals = key->cert->principals; 1870 key->cert->principals = realloc(key->cert->principals, 1871 (key->cert->nprincipals + 1) * 1872 sizeof(*key->cert->principals)); 1873 if (key->cert->principals == NULL) { 1874 free(principal); 1875 key->cert->principals = oprincipals; 1876 ret = SSH_ERR_ALLOC_FAIL; 1877 goto out; 1878 } 1879 key->cert->principals[key->cert->nprincipals++] = principal; 1880 } 1881 1882 /* 1883 * Stash a copies of the critical options and extensions sections 1884 * for later use. 1885 */ 1886 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1887 (exts != NULL && 1888 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1889 goto out; 1890 1891 /* 1892 * Validate critical options and extensions sections format. 1893 * NB. extensions are not present in v00 certs. 1894 */ 1895 while (sshbuf_len(crit) != 0) { 1896 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1897 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1898 sshbuf_reset(key->cert->critical); 1899 ret = SSH_ERR_INVALID_FORMAT; 1900 goto out; 1901 } 1902 } 1903 while (exts != NULL && sshbuf_len(exts) != 0) { 1904 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1905 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1906 sshbuf_reset(key->cert->extensions); 1907 ret = SSH_ERR_INVALID_FORMAT; 1908 goto out; 1909 } 1910 } 1911 1912 /* Parse CA key and check signature */ 1913 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1914 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1915 goto out; 1916 } 1917 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1918 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1919 goto out; 1920 } 1921 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1922 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1923 goto out; 1924 1925 /* Success */ 1926 ret = 0; 1927 out: 1928 sshbuf_free(ca); 1929 sshbuf_free(crit); 1930 sshbuf_free(exts); 1931 sshbuf_free(principals); 1932 free(sig); 1933 return ret; 1934 } 1935 1936 static int 1937 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1938 int allow_cert) 1939 { 1940 int type, ret = SSH_ERR_INTERNAL_ERROR; 1941 char *ktype = NULL, *curve = NULL; 1942 struct sshkey *key = NULL; 1943 size_t len; 1944 u_char *pk = NULL; 1945 struct sshbuf *copy; 1946 #ifdef WITH_OPENSSL 1947 EC_POINT *q = NULL; 1948 #endif /* WITH_OPENSSL */ 1949 1950 #ifdef DEBUG_PK /* XXX */ 1951 sshbuf_dump(b, stderr); 1952 #endif 1953 *keyp = NULL; 1954 if ((copy = sshbuf_fromb(b)) == NULL) { 1955 ret = SSH_ERR_ALLOC_FAIL; 1956 goto out; 1957 } 1958 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1959 ret = SSH_ERR_INVALID_FORMAT; 1960 goto out; 1961 } 1962 1963 type = sshkey_type_from_name(ktype); 1964 if (!allow_cert && sshkey_type_is_cert(type)) { 1965 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1966 goto out; 1967 } 1968 switch (type) { 1969 #ifdef WITH_OPENSSL 1970 case KEY_RSA_CERT: 1971 /* Skip nonce */ 1972 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1973 ret = SSH_ERR_INVALID_FORMAT; 1974 goto out; 1975 } 1976 /* FALLTHROUGH */ 1977 case KEY_RSA: 1978 case KEY_RSA_CERT_V00: 1979 if ((key = sshkey_new(type)) == NULL) { 1980 ret = SSH_ERR_ALLOC_FAIL; 1981 goto out; 1982 } 1983 if (sshbuf_get_bignum2(b, key->rsa->e) == -1 || 1984 sshbuf_get_bignum2(b, key->rsa->n) == -1) { 1985 ret = SSH_ERR_INVALID_FORMAT; 1986 goto out; 1987 } 1988 #ifdef DEBUG_PK 1989 RSA_print_fp(stderr, key->rsa, 8); 1990 #endif 1991 break; 1992 case KEY_DSA_CERT: 1993 /* Skip nonce */ 1994 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1995 ret = SSH_ERR_INVALID_FORMAT; 1996 goto out; 1997 } 1998 /* FALLTHROUGH */ 1999 case KEY_DSA: 2000 case KEY_DSA_CERT_V00: 2001 if ((key = sshkey_new(type)) == NULL) { 2002 ret = SSH_ERR_ALLOC_FAIL; 2003 goto out; 2004 } 2005 if (sshbuf_get_bignum2(b, key->dsa->p) == -1 || 2006 sshbuf_get_bignum2(b, key->dsa->q) == -1 || 2007 sshbuf_get_bignum2(b, key->dsa->g) == -1 || 2008 sshbuf_get_bignum2(b, key->dsa->pub_key) == -1) { 2009 ret = SSH_ERR_INVALID_FORMAT; 2010 goto out; 2011 } 2012 #ifdef DEBUG_PK 2013 DSA_print_fp(stderr, key->dsa, 8); 2014 #endif 2015 break; 2016 case KEY_ECDSA_CERT: 2017 /* Skip nonce */ 2018 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2019 ret = SSH_ERR_INVALID_FORMAT; 2020 goto out; 2021 } 2022 /* FALLTHROUGH */ 2023 case KEY_ECDSA: 2024 if ((key = sshkey_new(type)) == NULL) { 2025 ret = SSH_ERR_ALLOC_FAIL; 2026 goto out; 2027 } 2028 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2029 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2030 ret = SSH_ERR_INVALID_FORMAT; 2031 goto out; 2032 } 2033 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2034 ret = SSH_ERR_EC_CURVE_MISMATCH; 2035 goto out; 2036 } 2037 if (key->ecdsa != NULL) 2038 EC_KEY_free(key->ecdsa); 2039 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2040 == NULL) { 2041 ret = SSH_ERR_EC_CURVE_INVALID; 2042 goto out; 2043 } 2044 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2045 ret = SSH_ERR_ALLOC_FAIL; 2046 goto out; 2047 } 2048 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2049 ret = SSH_ERR_INVALID_FORMAT; 2050 goto out; 2051 } 2052 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2053 q) != 0) { 2054 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2055 goto out; 2056 } 2057 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2058 /* XXX assume it is a allocation error */ 2059 ret = SSH_ERR_ALLOC_FAIL; 2060 goto out; 2061 } 2062 #ifdef DEBUG_PK 2063 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2064 #endif 2065 break; 2066 #endif /* WITH_OPENSSL */ 2067 case KEY_ED25519_CERT: 2068 /* Skip nonce */ 2069 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2070 ret = SSH_ERR_INVALID_FORMAT; 2071 goto out; 2072 } 2073 /* FALLTHROUGH */ 2074 case KEY_ED25519: 2075 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2076 goto out; 2077 if (len != ED25519_PK_SZ) { 2078 ret = SSH_ERR_INVALID_FORMAT; 2079 goto out; 2080 } 2081 if ((key = sshkey_new(type)) == NULL) { 2082 ret = SSH_ERR_ALLOC_FAIL; 2083 goto out; 2084 } 2085 key->ed25519_pk = pk; 2086 pk = NULL; 2087 break; 2088 case KEY_UNSPEC: 2089 if ((key = sshkey_new(type)) == NULL) { 2090 ret = SSH_ERR_ALLOC_FAIL; 2091 goto out; 2092 } 2093 break; 2094 default: 2095 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2096 goto out; 2097 } 2098 2099 /* Parse certificate potion */ 2100 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2101 goto out; 2102 2103 if (key != NULL && sshbuf_len(b) != 0) { 2104 ret = SSH_ERR_INVALID_FORMAT; 2105 goto out; 2106 } 2107 ret = 0; 2108 *keyp = key; 2109 key = NULL; 2110 out: 2111 sshbuf_free(copy); 2112 sshkey_free(key); 2113 free(ktype); 2114 free(curve); 2115 free(pk); 2116 #ifdef WITH_OPENSSL 2117 if (q != NULL) 2118 EC_POINT_free(q); 2119 #endif /* WITH_OPENSSL */ 2120 return ret; 2121 } 2122 2123 int 2124 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2125 { 2126 struct sshbuf *b; 2127 int r; 2128 2129 if ((b = sshbuf_from(blob, blen)) == NULL) 2130 return SSH_ERR_ALLOC_FAIL; 2131 r = sshkey_from_blob_internal(b, keyp, 1); 2132 sshbuf_free(b); 2133 return r; 2134 } 2135 2136 int 2137 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2138 { 2139 return sshkey_from_blob_internal(b, keyp, 1); 2140 } 2141 2142 int 2143 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2144 { 2145 struct sshbuf *b; 2146 int r; 2147 2148 if ((r = sshbuf_froms(buf, &b)) != 0) 2149 return r; 2150 r = sshkey_from_blob_internal(b, keyp, 1); 2151 sshbuf_free(b); 2152 return r; 2153 } 2154 2155 int 2156 sshkey_sign(const struct sshkey *key, 2157 u_char **sigp, size_t *lenp, 2158 const u_char *data, size_t datalen, u_int compat) 2159 { 2160 if (sigp != NULL) 2161 *sigp = NULL; 2162 if (lenp != NULL) 2163 *lenp = 0; 2164 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2165 return SSH_ERR_INVALID_ARGUMENT; 2166 switch (key->type) { 2167 #ifdef WITH_OPENSSL 2168 case KEY_DSA_CERT_V00: 2169 case KEY_DSA_CERT: 2170 case KEY_DSA: 2171 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2172 case KEY_ECDSA_CERT: 2173 case KEY_ECDSA: 2174 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2175 case KEY_RSA_CERT_V00: 2176 case KEY_RSA_CERT: 2177 case KEY_RSA: 2178 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2179 #endif /* WITH_OPENSSL */ 2180 case KEY_ED25519: 2181 case KEY_ED25519_CERT: 2182 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2183 default: 2184 return SSH_ERR_KEY_TYPE_UNKNOWN; 2185 } 2186 } 2187 2188 /* 2189 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2190 */ 2191 int 2192 sshkey_verify(const struct sshkey *key, 2193 const u_char *sig, size_t siglen, 2194 const u_char *data, size_t dlen, u_int compat) 2195 { 2196 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2197 return SSH_ERR_INVALID_ARGUMENT; 2198 switch (key->type) { 2199 #ifdef WITH_OPENSSL 2200 case KEY_DSA_CERT_V00: 2201 case KEY_DSA_CERT: 2202 case KEY_DSA: 2203 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2204 case KEY_ECDSA_CERT: 2205 case KEY_ECDSA: 2206 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2207 case KEY_RSA_CERT_V00: 2208 case KEY_RSA_CERT: 2209 case KEY_RSA: 2210 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2211 #endif /* WITH_OPENSSL */ 2212 case KEY_ED25519: 2213 case KEY_ED25519_CERT: 2214 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2215 default: 2216 return SSH_ERR_KEY_TYPE_UNKNOWN; 2217 } 2218 } 2219 2220 /* Converts a private to a public key */ 2221 int 2222 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2223 { 2224 struct sshkey *pk; 2225 int ret = SSH_ERR_INTERNAL_ERROR; 2226 2227 if (dkp != NULL) 2228 *dkp = NULL; 2229 2230 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2231 return SSH_ERR_ALLOC_FAIL; 2232 pk->type = k->type; 2233 pk->flags = k->flags; 2234 pk->ecdsa_nid = k->ecdsa_nid; 2235 pk->dsa = NULL; 2236 pk->ecdsa = NULL; 2237 pk->rsa = NULL; 2238 pk->ed25519_pk = NULL; 2239 pk->ed25519_sk = NULL; 2240 2241 switch (k->type) { 2242 #ifdef WITH_OPENSSL 2243 case KEY_RSA_CERT_V00: 2244 case KEY_RSA_CERT: 2245 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2246 goto fail; 2247 /* FALLTHROUGH */ 2248 case KEY_RSA1: 2249 case KEY_RSA: 2250 if ((pk->rsa = RSA_new()) == NULL || 2251 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2252 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2253 ret = SSH_ERR_ALLOC_FAIL; 2254 goto fail; 2255 } 2256 break; 2257 case KEY_DSA_CERT_V00: 2258 case KEY_DSA_CERT: 2259 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2260 goto fail; 2261 /* FALLTHROUGH */ 2262 case KEY_DSA: 2263 if ((pk->dsa = DSA_new()) == NULL || 2264 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2265 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2266 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2267 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2268 ret = SSH_ERR_ALLOC_FAIL; 2269 goto fail; 2270 } 2271 break; 2272 case KEY_ECDSA_CERT: 2273 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2274 goto fail; 2275 /* FALLTHROUGH */ 2276 case KEY_ECDSA: 2277 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2278 if (pk->ecdsa == NULL) { 2279 ret = SSH_ERR_ALLOC_FAIL; 2280 goto fail; 2281 } 2282 if (EC_KEY_set_public_key(pk->ecdsa, 2283 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2284 ret = SSH_ERR_LIBCRYPTO_ERROR; 2285 goto fail; 2286 } 2287 break; 2288 #endif /* WITH_OPENSSL */ 2289 case KEY_ED25519_CERT: 2290 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2291 goto fail; 2292 /* FALLTHROUGH */ 2293 case KEY_ED25519: 2294 if (k->ed25519_pk != NULL) { 2295 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2296 ret = SSH_ERR_ALLOC_FAIL; 2297 goto fail; 2298 } 2299 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2300 } 2301 break; 2302 default: 2303 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2304 fail: 2305 sshkey_free(pk); 2306 return ret; 2307 } 2308 *dkp = pk; 2309 return 0; 2310 } 2311 2312 /* Convert a plain key to their _CERT equivalent */ 2313 int 2314 sshkey_to_certified(struct sshkey *k, int legacy) 2315 { 2316 int newtype; 2317 2318 switch (k->type) { 2319 #ifdef WITH_OPENSSL 2320 case KEY_RSA: 2321 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 2322 break; 2323 case KEY_DSA: 2324 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 2325 break; 2326 case KEY_ECDSA: 2327 if (legacy) 2328 return SSH_ERR_INVALID_ARGUMENT; 2329 newtype = KEY_ECDSA_CERT; 2330 break; 2331 #endif /* WITH_OPENSSL */ 2332 case KEY_ED25519: 2333 if (legacy) 2334 return SSH_ERR_INVALID_ARGUMENT; 2335 newtype = KEY_ED25519_CERT; 2336 break; 2337 default: 2338 return SSH_ERR_INVALID_ARGUMENT; 2339 } 2340 if ((k->cert = cert_new()) == NULL) 2341 return SSH_ERR_ALLOC_FAIL; 2342 k->type = newtype; 2343 return 0; 2344 } 2345 2346 /* Convert a certificate to its raw key equivalent */ 2347 int 2348 sshkey_drop_cert(struct sshkey *k) 2349 { 2350 if (!sshkey_type_is_cert(k->type)) 2351 return SSH_ERR_KEY_TYPE_UNKNOWN; 2352 cert_free(k->cert); 2353 k->cert = NULL; 2354 k->type = sshkey_type_plain(k->type); 2355 return 0; 2356 } 2357 2358 /* Sign a certified key, (re-)generating the signed certblob. */ 2359 int 2360 sshkey_certify(struct sshkey *k, struct sshkey *ca) 2361 { 2362 struct sshbuf *principals = NULL; 2363 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2364 size_t i, ca_len, sig_len; 2365 int ret = SSH_ERR_INTERNAL_ERROR; 2366 struct sshbuf *cert; 2367 2368 if (k == NULL || k->cert == NULL || 2369 k->cert->certblob == NULL || ca == NULL) 2370 return SSH_ERR_INVALID_ARGUMENT; 2371 if (!sshkey_is_cert(k)) 2372 return SSH_ERR_KEY_TYPE_UNKNOWN; 2373 if (!sshkey_type_is_valid_ca(ca->type)) 2374 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2375 2376 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2377 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2378 2379 cert = k->cert->certblob; /* for readability */ 2380 sshbuf_reset(cert); 2381 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2382 goto out; 2383 2384 /* -v01 certs put nonce first */ 2385 arc4random_buf(&nonce, sizeof(nonce)); 2386 if (!sshkey_cert_is_legacy(k)) { 2387 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2388 goto out; 2389 } 2390 2391 /* XXX this substantially duplicates to_blob(); refactor */ 2392 switch (k->type) { 2393 #ifdef WITH_OPENSSL 2394 case KEY_DSA_CERT_V00: 2395 case KEY_DSA_CERT: 2396 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2397 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2398 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2399 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2400 goto out; 2401 break; 2402 case KEY_ECDSA_CERT: 2403 if ((ret = sshbuf_put_cstring(cert, 2404 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2405 (ret = sshbuf_put_ec(cert, 2406 EC_KEY_get0_public_key(k->ecdsa), 2407 EC_KEY_get0_group(k->ecdsa))) != 0) 2408 goto out; 2409 break; 2410 case KEY_RSA_CERT_V00: 2411 case KEY_RSA_CERT: 2412 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2413 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2414 goto out; 2415 break; 2416 #endif /* WITH_OPENSSL */ 2417 case KEY_ED25519_CERT: 2418 if ((ret = sshbuf_put_string(cert, 2419 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2420 goto out; 2421 break; 2422 default: 2423 ret = SSH_ERR_INVALID_ARGUMENT; 2424 goto out; 2425 } 2426 2427 /* -v01 certs have a serial number next */ 2428 if (!sshkey_cert_is_legacy(k)) { 2429 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) 2430 goto out; 2431 } 2432 2433 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2434 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2435 goto out; 2436 2437 if ((principals = sshbuf_new()) == NULL) { 2438 ret = SSH_ERR_ALLOC_FAIL; 2439 goto out; 2440 } 2441 for (i = 0; i < k->cert->nprincipals; i++) { 2442 if ((ret = sshbuf_put_cstring(principals, 2443 k->cert->principals[i])) != 0) 2444 goto out; 2445 } 2446 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2447 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2448 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2449 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2450 goto out; 2451 2452 /* -v01 certs have non-critical options here */ 2453 if (!sshkey_cert_is_legacy(k)) { 2454 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) 2455 goto out; 2456 } 2457 2458 /* -v00 certs put the nonce at the end */ 2459 if (sshkey_cert_is_legacy(k)) { 2460 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2461 goto out; 2462 } 2463 2464 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2465 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2466 goto out; 2467 2468 /* Sign the whole mess */ 2469 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2470 sshbuf_len(cert), 0)) != 0) 2471 goto out; 2472 2473 /* Append signature and we are done */ 2474 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2475 goto out; 2476 ret = 0; 2477 out: 2478 if (ret != 0) 2479 sshbuf_reset(cert); 2480 if (sig_blob != NULL) 2481 free(sig_blob); 2482 if (ca_blob != NULL) 2483 free(ca_blob); 2484 if (principals != NULL) 2485 sshbuf_free(principals); 2486 return ret; 2487 } 2488 2489 int 2490 sshkey_cert_check_authority(const struct sshkey *k, 2491 int want_host, int require_principal, 2492 const char *name, const char **reason) 2493 { 2494 u_int i, principal_matches; 2495 time_t now = time(NULL); 2496 2497 if (reason != NULL) 2498 *reason = NULL; 2499 2500 if (want_host) { 2501 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2502 *reason = "Certificate invalid: not a host certificate"; 2503 return SSH_ERR_KEY_CERT_INVALID; 2504 } 2505 } else { 2506 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2507 *reason = "Certificate invalid: not a user certificate"; 2508 return SSH_ERR_KEY_CERT_INVALID; 2509 } 2510 } 2511 if (now < 0) { 2512 /* yikes - system clock before epoch! */ 2513 *reason = "Certificate invalid: not yet valid"; 2514 return SSH_ERR_KEY_CERT_INVALID; 2515 } 2516 if ((u_int64_t)now < k->cert->valid_after) { 2517 *reason = "Certificate invalid: not yet valid"; 2518 return SSH_ERR_KEY_CERT_INVALID; 2519 } 2520 if ((u_int64_t)now >= k->cert->valid_before) { 2521 *reason = "Certificate invalid: expired"; 2522 return SSH_ERR_KEY_CERT_INVALID; 2523 } 2524 if (k->cert->nprincipals == 0) { 2525 if (require_principal) { 2526 *reason = "Certificate lacks principal list"; 2527 return SSH_ERR_KEY_CERT_INVALID; 2528 } 2529 } else if (name != NULL) { 2530 principal_matches = 0; 2531 for (i = 0; i < k->cert->nprincipals; i++) { 2532 if (strcmp(name, k->cert->principals[i]) == 0) { 2533 principal_matches = 1; 2534 break; 2535 } 2536 } 2537 if (!principal_matches) { 2538 *reason = "Certificate invalid: name is not a listed " 2539 "principal"; 2540 return SSH_ERR_KEY_CERT_INVALID; 2541 } 2542 } 2543 return 0; 2544 } 2545 2546 int 2547 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2548 { 2549 int r = SSH_ERR_INTERNAL_ERROR; 2550 2551 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2552 goto out; 2553 switch (key->type) { 2554 #ifdef WITH_OPENSSL 2555 case KEY_RSA: 2556 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2557 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2558 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2559 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2560 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2561 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2562 goto out; 2563 break; 2564 case KEY_RSA_CERT_V00: 2565 case KEY_RSA_CERT: 2566 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2567 r = SSH_ERR_INVALID_ARGUMENT; 2568 goto out; 2569 } 2570 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2571 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2572 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2573 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2574 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2575 goto out; 2576 break; 2577 case KEY_DSA: 2578 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2579 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2580 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2581 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2582 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2583 goto out; 2584 break; 2585 case KEY_DSA_CERT_V00: 2586 case KEY_DSA_CERT: 2587 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2588 r = SSH_ERR_INVALID_ARGUMENT; 2589 goto out; 2590 } 2591 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2592 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2593 goto out; 2594 break; 2595 case KEY_ECDSA: 2596 if ((r = sshbuf_put_cstring(b, 2597 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2598 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2599 (r = sshbuf_put_bignum2(b, 2600 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2601 goto out; 2602 break; 2603 case KEY_ECDSA_CERT: 2604 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2605 r = SSH_ERR_INVALID_ARGUMENT; 2606 goto out; 2607 } 2608 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2609 (r = sshbuf_put_bignum2(b, 2610 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2611 goto out; 2612 break; 2613 #endif /* WITH_OPENSSL */ 2614 case KEY_ED25519: 2615 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2616 ED25519_PK_SZ)) != 0 || 2617 (r = sshbuf_put_string(b, key->ed25519_sk, 2618 ED25519_SK_SZ)) != 0) 2619 goto out; 2620 break; 2621 case KEY_ED25519_CERT: 2622 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2623 r = SSH_ERR_INVALID_ARGUMENT; 2624 goto out; 2625 } 2626 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2627 (r = sshbuf_put_string(b, key->ed25519_pk, 2628 ED25519_PK_SZ)) != 0 || 2629 (r = sshbuf_put_string(b, key->ed25519_sk, 2630 ED25519_SK_SZ)) != 0) 2631 goto out; 2632 break; 2633 default: 2634 r = SSH_ERR_INVALID_ARGUMENT; 2635 goto out; 2636 } 2637 /* success */ 2638 r = 0; 2639 out: 2640 return r; 2641 } 2642 2643 int 2644 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2645 { 2646 char *tname = NULL, *curve = NULL; 2647 struct sshkey *k = NULL; 2648 size_t pklen = 0, sklen = 0; 2649 int type, r = SSH_ERR_INTERNAL_ERROR; 2650 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2651 #ifdef WITH_OPENSSL 2652 BIGNUM *exponent = NULL; 2653 #endif /* WITH_OPENSSL */ 2654 2655 if (kp != NULL) 2656 *kp = NULL; 2657 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2658 goto out; 2659 type = sshkey_type_from_name(tname); 2660 switch (type) { 2661 #ifdef WITH_OPENSSL 2662 case KEY_DSA: 2663 if ((k = sshkey_new_private(type)) == NULL) { 2664 r = SSH_ERR_ALLOC_FAIL; 2665 goto out; 2666 } 2667 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2668 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2669 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2670 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2671 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2672 goto out; 2673 break; 2674 case KEY_DSA_CERT_V00: 2675 case KEY_DSA_CERT: 2676 if ((r = sshkey_froms(buf, &k)) != 0 || 2677 (r = sshkey_add_private(k)) != 0 || 2678 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2679 goto out; 2680 break; 2681 case KEY_ECDSA: 2682 if ((k = sshkey_new_private(type)) == NULL) { 2683 r = SSH_ERR_ALLOC_FAIL; 2684 goto out; 2685 } 2686 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2687 r = SSH_ERR_INVALID_ARGUMENT; 2688 goto out; 2689 } 2690 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2691 goto out; 2692 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2693 r = SSH_ERR_EC_CURVE_MISMATCH; 2694 goto out; 2695 } 2696 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2697 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2698 r = SSH_ERR_LIBCRYPTO_ERROR; 2699 goto out; 2700 } 2701 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2702 (r = sshbuf_get_bignum2(buf, exponent))) 2703 goto out; 2704 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2705 r = SSH_ERR_LIBCRYPTO_ERROR; 2706 goto out; 2707 } 2708 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2709 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2710 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2711 goto out; 2712 break; 2713 case KEY_ECDSA_CERT: 2714 if ((exponent = BN_new()) == NULL) { 2715 r = SSH_ERR_LIBCRYPTO_ERROR; 2716 goto out; 2717 } 2718 if ((r = sshkey_froms(buf, &k)) != 0 || 2719 (r = sshkey_add_private(k)) != 0 || 2720 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2721 goto out; 2722 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2723 r = SSH_ERR_LIBCRYPTO_ERROR; 2724 goto out; 2725 } 2726 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2727 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2728 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2729 goto out; 2730 break; 2731 case KEY_RSA: 2732 if ((k = sshkey_new_private(type)) == NULL) { 2733 r = SSH_ERR_ALLOC_FAIL; 2734 goto out; 2735 } 2736 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2737 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2738 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2739 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2740 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2741 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2742 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2743 goto out; 2744 break; 2745 case KEY_RSA_CERT_V00: 2746 case KEY_RSA_CERT: 2747 if ((r = sshkey_froms(buf, &k)) != 0 || 2748 (r = sshkey_add_private(k)) != 0 || 2749 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2750 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2751 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2752 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2753 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2754 goto out; 2755 break; 2756 #endif /* WITH_OPENSSL */ 2757 case KEY_ED25519: 2758 if ((k = sshkey_new_private(type)) == NULL) { 2759 r = SSH_ERR_ALLOC_FAIL; 2760 goto out; 2761 } 2762 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2763 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2764 goto out; 2765 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2766 r = SSH_ERR_INVALID_FORMAT; 2767 goto out; 2768 } 2769 k->ed25519_pk = ed25519_pk; 2770 k->ed25519_sk = ed25519_sk; 2771 ed25519_pk = ed25519_sk = NULL; 2772 break; 2773 case KEY_ED25519_CERT: 2774 if ((r = sshkey_froms(buf, &k)) != 0 || 2775 (r = sshkey_add_private(k)) != 0 || 2776 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2777 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2778 goto out; 2779 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2780 r = SSH_ERR_INVALID_FORMAT; 2781 goto out; 2782 } 2783 k->ed25519_pk = ed25519_pk; 2784 k->ed25519_sk = ed25519_sk; 2785 ed25519_pk = ed25519_sk = NULL; 2786 break; 2787 default: 2788 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2789 goto out; 2790 } 2791 #ifdef WITH_OPENSSL 2792 /* enable blinding */ 2793 switch (k->type) { 2794 case KEY_RSA: 2795 case KEY_RSA_CERT_V00: 2796 case KEY_RSA_CERT: 2797 case KEY_RSA1: 2798 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2799 r = SSH_ERR_LIBCRYPTO_ERROR; 2800 goto out; 2801 } 2802 break; 2803 } 2804 #endif /* WITH_OPENSSL */ 2805 /* success */ 2806 r = 0; 2807 if (kp != NULL) { 2808 *kp = k; 2809 k = NULL; 2810 } 2811 out: 2812 free(tname); 2813 free(curve); 2814 #ifdef WITH_OPENSSL 2815 if (exponent != NULL) 2816 BN_clear_free(exponent); 2817 #endif /* WITH_OPENSSL */ 2818 sshkey_free(k); 2819 if (ed25519_pk != NULL) { 2820 explicit_bzero(ed25519_pk, pklen); 2821 free(ed25519_pk); 2822 } 2823 if (ed25519_sk != NULL) { 2824 explicit_bzero(ed25519_sk, sklen); 2825 free(ed25519_sk); 2826 } 2827 return r; 2828 } 2829 2830 #ifdef WITH_OPENSSL 2831 int 2832 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2833 { 2834 BN_CTX *bnctx; 2835 EC_POINT *nq = NULL; 2836 BIGNUM *order, *x, *y, *tmp; 2837 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2838 2839 if ((bnctx = BN_CTX_new()) == NULL) 2840 return SSH_ERR_ALLOC_FAIL; 2841 BN_CTX_start(bnctx); 2842 2843 /* 2844 * We shouldn't ever hit this case because bignum_get_ecpoint() 2845 * refuses to load GF2m points. 2846 */ 2847 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2848 NID_X9_62_prime_field) 2849 goto out; 2850 2851 /* Q != infinity */ 2852 if (EC_POINT_is_at_infinity(group, public)) 2853 goto out; 2854 2855 if ((x = BN_CTX_get(bnctx)) == NULL || 2856 (y = BN_CTX_get(bnctx)) == NULL || 2857 (order = BN_CTX_get(bnctx)) == NULL || 2858 (tmp = BN_CTX_get(bnctx)) == NULL) { 2859 ret = SSH_ERR_ALLOC_FAIL; 2860 goto out; 2861 } 2862 2863 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2864 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2865 EC_POINT_get_affine_coordinates_GFp(group, public, 2866 x, y, bnctx) != 1) { 2867 ret = SSH_ERR_LIBCRYPTO_ERROR; 2868 goto out; 2869 } 2870 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2871 BN_num_bits(y) <= BN_num_bits(order) / 2) 2872 goto out; 2873 2874 /* nQ == infinity (n == order of subgroup) */ 2875 if ((nq = EC_POINT_new(group)) == NULL) { 2876 ret = SSH_ERR_ALLOC_FAIL; 2877 goto out; 2878 } 2879 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2880 ret = SSH_ERR_LIBCRYPTO_ERROR; 2881 goto out; 2882 } 2883 if (EC_POINT_is_at_infinity(group, nq) != 1) 2884 goto out; 2885 2886 /* x < order - 1, y < order - 1 */ 2887 if (!BN_sub(tmp, order, BN_value_one())) { 2888 ret = SSH_ERR_LIBCRYPTO_ERROR; 2889 goto out; 2890 } 2891 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2892 goto out; 2893 ret = 0; 2894 out: 2895 BN_CTX_free(bnctx); 2896 if (nq != NULL) 2897 EC_POINT_free(nq); 2898 return ret; 2899 } 2900 2901 int 2902 sshkey_ec_validate_private(const EC_KEY *key) 2903 { 2904 BN_CTX *bnctx; 2905 BIGNUM *order, *tmp; 2906 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2907 2908 if ((bnctx = BN_CTX_new()) == NULL) 2909 return SSH_ERR_ALLOC_FAIL; 2910 BN_CTX_start(bnctx); 2911 2912 if ((order = BN_CTX_get(bnctx)) == NULL || 2913 (tmp = BN_CTX_get(bnctx)) == NULL) { 2914 ret = SSH_ERR_ALLOC_FAIL; 2915 goto out; 2916 } 2917 2918 /* log2(private) > log2(order)/2 */ 2919 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2920 ret = SSH_ERR_LIBCRYPTO_ERROR; 2921 goto out; 2922 } 2923 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2924 BN_num_bits(order) / 2) 2925 goto out; 2926 2927 /* private < order - 1 */ 2928 if (!BN_sub(tmp, order, BN_value_one())) { 2929 ret = SSH_ERR_LIBCRYPTO_ERROR; 2930 goto out; 2931 } 2932 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2933 goto out; 2934 ret = 0; 2935 out: 2936 BN_CTX_free(bnctx); 2937 return ret; 2938 } 2939 2940 void 2941 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2942 { 2943 BIGNUM *x, *y; 2944 BN_CTX *bnctx; 2945 2946 if (point == NULL) { 2947 fputs("point=(NULL)\n", stderr); 2948 return; 2949 } 2950 if ((bnctx = BN_CTX_new()) == NULL) { 2951 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2952 return; 2953 } 2954 BN_CTX_start(bnctx); 2955 if ((x = BN_CTX_get(bnctx)) == NULL || 2956 (y = BN_CTX_get(bnctx)) == NULL) { 2957 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2958 return; 2959 } 2960 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2961 NID_X9_62_prime_field) { 2962 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2963 return; 2964 } 2965 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2966 bnctx) != 1) { 2967 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2968 __func__); 2969 return; 2970 } 2971 fputs("x=", stderr); 2972 BN_print_fp(stderr, x); 2973 fputs("\ny=", stderr); 2974 BN_print_fp(stderr, y); 2975 fputs("\n", stderr); 2976 BN_CTX_free(bnctx); 2977 } 2978 2979 void 2980 sshkey_dump_ec_key(const EC_KEY *key) 2981 { 2982 const BIGNUM *exponent; 2983 2984 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2985 EC_KEY_get0_public_key(key)); 2986 fputs("exponent=", stderr); 2987 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2988 fputs("(NULL)", stderr); 2989 else 2990 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2991 fputs("\n", stderr); 2992 } 2993 #endif /* WITH_OPENSSL */ 2994 2995 static int 2996 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2997 const char *passphrase, const char *comment, const char *ciphername, 2998 int rounds) 2999 { 3000 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3001 u_char salt[SALT_LEN]; 3002 char *b64 = NULL; 3003 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3004 u_int check; 3005 int r = SSH_ERR_INTERNAL_ERROR; 3006 struct sshcipher_ctx ciphercontext; 3007 const struct sshcipher *cipher; 3008 const char *kdfname = KDFNAME; 3009 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3010 3011 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3012 3013 if (rounds <= 0) 3014 rounds = DEFAULT_ROUNDS; 3015 if (passphrase == NULL || !strlen(passphrase)) { 3016 ciphername = "none"; 3017 kdfname = "none"; 3018 } else if (ciphername == NULL) 3019 ciphername = DEFAULT_CIPHERNAME; 3020 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 3021 r = SSH_ERR_INVALID_ARGUMENT; 3022 goto out; 3023 } 3024 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3025 r = SSH_ERR_INTERNAL_ERROR; 3026 goto out; 3027 } 3028 3029 if ((kdf = sshbuf_new()) == NULL || 3030 (encoded = sshbuf_new()) == NULL || 3031 (encrypted = sshbuf_new()) == NULL) { 3032 r = SSH_ERR_ALLOC_FAIL; 3033 goto out; 3034 } 3035 blocksize = cipher_blocksize(cipher); 3036 keylen = cipher_keylen(cipher); 3037 ivlen = cipher_ivlen(cipher); 3038 authlen = cipher_authlen(cipher); 3039 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3040 r = SSH_ERR_ALLOC_FAIL; 3041 goto out; 3042 } 3043 if (strcmp(kdfname, "bcrypt") == 0) { 3044 arc4random_buf(salt, SALT_LEN); 3045 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3046 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3047 r = SSH_ERR_INVALID_ARGUMENT; 3048 goto out; 3049 } 3050 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3051 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3052 goto out; 3053 } else if (strcmp(kdfname, "none") != 0) { 3054 /* Unsupported KDF type */ 3055 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3056 goto out; 3057 } 3058 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3059 key + keylen, ivlen, 1)) != 0) 3060 goto out; 3061 3062 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3063 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3064 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3065 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3066 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3067 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3068 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3069 goto out; 3070 3071 /* set up the buffer that will be encrypted */ 3072 3073 /* Random check bytes */ 3074 check = arc4random(); 3075 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3076 (r = sshbuf_put_u32(encrypted, check)) != 0) 3077 goto out; 3078 3079 /* append private key and comment*/ 3080 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 3081 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3082 goto out; 3083 3084 /* padding */ 3085 i = 0; 3086 while (sshbuf_len(encrypted) % blocksize) { 3087 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3088 goto out; 3089 } 3090 3091 /* length in destination buffer */ 3092 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3093 goto out; 3094 3095 /* encrypt */ 3096 if ((r = sshbuf_reserve(encoded, 3097 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3098 goto out; 3099 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3100 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3101 goto out; 3102 3103 /* uuencode */ 3104 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3105 r = SSH_ERR_ALLOC_FAIL; 3106 goto out; 3107 } 3108 3109 sshbuf_reset(blob); 3110 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3111 goto out; 3112 for (i = 0; i < strlen(b64); i++) { 3113 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3114 goto out; 3115 /* insert line breaks */ 3116 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3117 goto out; 3118 } 3119 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3120 goto out; 3121 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3122 goto out; 3123 3124 /* success */ 3125 r = 0; 3126 3127 out: 3128 sshbuf_free(kdf); 3129 sshbuf_free(encoded); 3130 sshbuf_free(encrypted); 3131 cipher_cleanup(&ciphercontext); 3132 explicit_bzero(salt, sizeof(salt)); 3133 if (key != NULL) { 3134 explicit_bzero(key, keylen + ivlen); 3135 free(key); 3136 } 3137 if (pubkeyblob != NULL) { 3138 explicit_bzero(pubkeyblob, pubkeylen); 3139 free(pubkeyblob); 3140 } 3141 if (b64 != NULL) { 3142 explicit_bzero(b64, strlen(b64)); 3143 free(b64); 3144 } 3145 return r; 3146 } 3147 3148 static int 3149 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3150 struct sshkey **keyp, char **commentp) 3151 { 3152 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3153 const struct sshcipher *cipher = NULL; 3154 const u_char *cp; 3155 int r = SSH_ERR_INTERNAL_ERROR; 3156 size_t encoded_len; 3157 size_t i, keylen = 0, ivlen = 0, slen = 0; 3158 struct sshbuf *encoded = NULL, *decoded = NULL; 3159 struct sshbuf *kdf = NULL, *decrypted = NULL; 3160 struct sshcipher_ctx ciphercontext; 3161 struct sshkey *k = NULL; 3162 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3163 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3164 3165 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3166 if (keyp != NULL) 3167 *keyp = NULL; 3168 if (commentp != NULL) 3169 *commentp = NULL; 3170 3171 if ((encoded = sshbuf_new()) == NULL || 3172 (decoded = sshbuf_new()) == NULL || 3173 (decrypted = sshbuf_new()) == NULL) { 3174 r = SSH_ERR_ALLOC_FAIL; 3175 goto out; 3176 } 3177 3178 /* check preamble */ 3179 cp = sshbuf_ptr(blob); 3180 encoded_len = sshbuf_len(blob); 3181 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3182 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3183 r = SSH_ERR_INVALID_FORMAT; 3184 goto out; 3185 } 3186 cp += MARK_BEGIN_LEN; 3187 encoded_len -= MARK_BEGIN_LEN; 3188 3189 /* Look for end marker, removing whitespace as we go */ 3190 while (encoded_len > 0) { 3191 if (*cp != '\n' && *cp != '\r') { 3192 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3193 goto out; 3194 } 3195 last = *cp; 3196 encoded_len--; 3197 cp++; 3198 if (last == '\n') { 3199 if (encoded_len >= MARK_END_LEN && 3200 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3201 /* \0 terminate */ 3202 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3203 goto out; 3204 break; 3205 } 3206 } 3207 } 3208 if (encoded_len == 0) { 3209 r = SSH_ERR_INVALID_FORMAT; 3210 goto out; 3211 } 3212 3213 /* decode base64 */ 3214 if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0) 3215 goto out; 3216 3217 /* check magic */ 3218 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3219 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3220 r = SSH_ERR_INVALID_FORMAT; 3221 goto out; 3222 } 3223 /* parse public portion of key */ 3224 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3225 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3226 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3227 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3228 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3229 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3230 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3231 goto out; 3232 3233 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3234 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3235 goto out; 3236 } 3237 if ((passphrase == NULL || strlen(passphrase) == 0) && 3238 strcmp(ciphername, "none") != 0) { 3239 /* passphrase required */ 3240 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3241 goto out; 3242 } 3243 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3244 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3245 goto out; 3246 } 3247 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3248 r = SSH_ERR_INVALID_FORMAT; 3249 goto out; 3250 } 3251 if (nkeys != 1) { 3252 /* XXX only one key supported */ 3253 r = SSH_ERR_INVALID_FORMAT; 3254 goto out; 3255 } 3256 3257 /* check size of encrypted key blob */ 3258 blocksize = cipher_blocksize(cipher); 3259 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3260 r = SSH_ERR_INVALID_FORMAT; 3261 goto out; 3262 } 3263 3264 /* setup key */ 3265 keylen = cipher_keylen(cipher); 3266 ivlen = cipher_ivlen(cipher); 3267 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3268 r = SSH_ERR_ALLOC_FAIL; 3269 goto out; 3270 } 3271 if (strcmp(kdfname, "bcrypt") == 0) { 3272 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3273 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3274 goto out; 3275 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3276 key, keylen + ivlen, rounds) < 0) { 3277 r = SSH_ERR_INVALID_FORMAT; 3278 goto out; 3279 } 3280 } 3281 3282 /* decrypt private portion of key */ 3283 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3284 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3285 key + keylen, ivlen, 0)) != 0) 3286 goto out; 3287 if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), 3288 sshbuf_len(decoded), 0, cipher_authlen(cipher))) != 0) { 3289 /* an integrity error here indicates an incorrect passphrase */ 3290 if (r == SSH_ERR_MAC_INVALID) 3291 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3292 goto out; 3293 } 3294 if ((r = sshbuf_consume(decoded, encrypted_len)) != 0) 3295 goto out; 3296 /* there should be no trailing data */ 3297 if (sshbuf_len(decoded) != 0) { 3298 r = SSH_ERR_INVALID_FORMAT; 3299 goto out; 3300 } 3301 3302 /* check check bytes */ 3303 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3304 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3305 goto out; 3306 if (check1 != check2) { 3307 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3308 goto out; 3309 } 3310 3311 /* Load the private key and comment */ 3312 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3313 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3314 goto out; 3315 3316 /* Check deterministic padding */ 3317 i = 0; 3318 while (sshbuf_len(decrypted)) { 3319 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3320 goto out; 3321 if (pad != (++i & 0xff)) { 3322 r = SSH_ERR_INVALID_FORMAT; 3323 goto out; 3324 } 3325 } 3326 3327 /* XXX decode pubkey and check against private */ 3328 3329 /* success */ 3330 r = 0; 3331 if (keyp != NULL) { 3332 *keyp = k; 3333 k = NULL; 3334 } 3335 if (commentp != NULL) { 3336 *commentp = comment; 3337 comment = NULL; 3338 } 3339 out: 3340 pad = 0; 3341 cipher_cleanup(&ciphercontext); 3342 free(ciphername); 3343 free(kdfname); 3344 free(comment); 3345 if (salt != NULL) { 3346 explicit_bzero(salt, slen); 3347 free(salt); 3348 } 3349 if (key != NULL) { 3350 explicit_bzero(key, keylen + ivlen); 3351 free(key); 3352 } 3353 sshbuf_free(encoded); 3354 sshbuf_free(decoded); 3355 sshbuf_free(kdf); 3356 sshbuf_free(decrypted); 3357 sshkey_free(k); 3358 return r; 3359 } 3360 3361 #if WITH_SSH1 3362 /* 3363 * Serialises the authentication (private) key to a blob, encrypting it with 3364 * passphrase. The identification of the blob (lowest 64 bits of n) will 3365 * precede the key to provide identification of the key without needing a 3366 * passphrase. 3367 */ 3368 static int 3369 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3370 const char *passphrase, const char *comment) 3371 { 3372 struct sshbuf *buffer = NULL, *encrypted = NULL; 3373 u_char buf[8]; 3374 int r, cipher_num; 3375 struct sshcipher_ctx ciphercontext; 3376 const struct sshcipher *cipher; 3377 u_char *cp; 3378 3379 /* 3380 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3381 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3382 */ 3383 cipher_num = (strcmp(passphrase, "") == 0) ? 3384 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3385 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3386 return SSH_ERR_INTERNAL_ERROR; 3387 3388 /* This buffer is used to build the secret part of the private key. */ 3389 if ((buffer = sshbuf_new()) == NULL) 3390 return SSH_ERR_ALLOC_FAIL; 3391 3392 /* Put checkbytes for checking passphrase validity. */ 3393 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3394 goto out; 3395 arc4random_buf(cp, 2); 3396 memcpy(cp + 2, cp, 2); 3397 3398 /* 3399 * Store the private key (n and e will not be stored because they 3400 * will be stored in plain text, and storing them also in encrypted 3401 * format would just give known plaintext). 3402 * Note: q and p are stored in reverse order to SSL. 3403 */ 3404 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3405 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3406 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3407 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3408 goto out; 3409 3410 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3411 explicit_bzero(buf, 8); 3412 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3413 goto out; 3414 3415 /* This buffer will be used to contain the data in the file. */ 3416 if ((encrypted = sshbuf_new()) == NULL) { 3417 r = SSH_ERR_ALLOC_FAIL; 3418 goto out; 3419 } 3420 3421 /* First store keyfile id string. */ 3422 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3423 sizeof(LEGACY_BEGIN))) != 0) 3424 goto out; 3425 3426 /* Store cipher type and "reserved" field. */ 3427 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3428 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3429 goto out; 3430 3431 /* Store public key. This will be in plain text. */ 3432 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3433 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || 3434 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || 3435 (r = sshbuf_put_cstring(encrypted, comment) != 0)) 3436 goto out; 3437 3438 /* Allocate space for the private part of the key in the buffer. */ 3439 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3440 goto out; 3441 3442 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3443 CIPHER_ENCRYPT)) != 0) 3444 goto out; 3445 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3446 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3447 goto out; 3448 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3449 goto out; 3450 3451 r = sshbuf_putb(blob, encrypted); 3452 3453 out: 3454 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3455 explicit_bzero(buf, sizeof(buf)); 3456 if (buffer != NULL) 3457 sshbuf_free(buffer); 3458 if (encrypted != NULL) 3459 sshbuf_free(encrypted); 3460 3461 return r; 3462 } 3463 #endif /* WITH_SSH1 */ 3464 3465 #ifdef WITH_OPENSSL 3466 /* convert SSH v2 key in OpenSSL PEM format */ 3467 static int 3468 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3469 const char *_passphrase, const char *comment) 3470 { 3471 int success, r; 3472 int blen, len = strlen(_passphrase); 3473 u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL; 3474 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3475 const u_char *bptr; 3476 BIO *bio = NULL; 3477 3478 if (len > 0 && len <= 4) 3479 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3480 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3481 return SSH_ERR_ALLOC_FAIL; 3482 3483 switch (key->type) { 3484 case KEY_DSA: 3485 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3486 cipher, passphrase, len, NULL, NULL); 3487 break; 3488 case KEY_ECDSA: 3489 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3490 cipher, passphrase, len, NULL, NULL); 3491 break; 3492 case KEY_RSA: 3493 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3494 cipher, passphrase, len, NULL, NULL); 3495 break; 3496 default: 3497 success = 0; 3498 break; 3499 } 3500 if (success == 0) { 3501 r = SSH_ERR_LIBCRYPTO_ERROR; 3502 goto out; 3503 } 3504 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3505 r = SSH_ERR_INTERNAL_ERROR; 3506 goto out; 3507 } 3508 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3509 goto out; 3510 r = 0; 3511 out: 3512 BIO_free(bio); 3513 return r; 3514 } 3515 #endif /* WITH_OPENSSL */ 3516 3517 /* Serialise "key" to buffer "blob" */ 3518 int 3519 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3520 const char *passphrase, const char *comment, 3521 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3522 { 3523 switch (key->type) { 3524 #ifdef WITH_SSH1 3525 case KEY_RSA1: 3526 return sshkey_private_rsa1_to_blob(key, blob, 3527 passphrase, comment); 3528 #endif /* WITH_SSH1 */ 3529 #ifdef WITH_OPENSSL 3530 case KEY_DSA: 3531 case KEY_ECDSA: 3532 case KEY_RSA: 3533 if (force_new_format) { 3534 return sshkey_private_to_blob2(key, blob, passphrase, 3535 comment, new_format_cipher, new_format_rounds); 3536 } 3537 return sshkey_private_pem_to_blob(key, blob, 3538 passphrase, comment); 3539 #endif /* WITH_OPENSSL */ 3540 case KEY_ED25519: 3541 return sshkey_private_to_blob2(key, blob, passphrase, 3542 comment, new_format_cipher, new_format_rounds); 3543 default: 3544 return SSH_ERR_KEY_TYPE_UNKNOWN; 3545 } 3546 } 3547 3548 #ifdef WITH_SSH1 3549 /* 3550 * Parse the public, unencrypted portion of a RSA1 key. 3551 */ 3552 int 3553 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3554 struct sshkey **keyp, char **commentp) 3555 { 3556 int r; 3557 struct sshkey *pub = NULL; 3558 struct sshbuf *copy = NULL; 3559 3560 if (keyp != NULL) 3561 *keyp = NULL; 3562 if (commentp != NULL) 3563 *commentp = NULL; 3564 3565 /* Check that it is at least big enough to contain the ID string. */ 3566 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3567 return SSH_ERR_INVALID_FORMAT; 3568 3569 /* 3570 * Make sure it begins with the id string. Consume the id string 3571 * from the buffer. 3572 */ 3573 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3574 return SSH_ERR_INVALID_FORMAT; 3575 /* Make a working copy of the keyblob and skip past the magic */ 3576 if ((copy = sshbuf_fromb(blob)) == NULL) 3577 return SSH_ERR_ALLOC_FAIL; 3578 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3579 goto out; 3580 3581 /* Skip cipher type, reserved data and key bits. */ 3582 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3583 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3584 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3585 goto out; 3586 3587 /* Read the public key from the buffer. */ 3588 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3589 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3590 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3591 goto out; 3592 3593 /* Finally, the comment */ 3594 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3595 goto out; 3596 3597 /* The encrypted private part is not parsed by this function. */ 3598 3599 r = 0; 3600 if (keyp != NULL) 3601 *keyp = pub; 3602 else 3603 sshkey_free(pub); 3604 pub = NULL; 3605 3606 out: 3607 if (copy != NULL) 3608 sshbuf_free(copy); 3609 if (pub != NULL) 3610 sshkey_free(pub); 3611 return r; 3612 } 3613 3614 static int 3615 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3616 struct sshkey **keyp, char **commentp) 3617 { 3618 int r; 3619 u_int16_t check1, check2; 3620 u_int8_t cipher_type; 3621 struct sshbuf *decrypted = NULL, *copy = NULL; 3622 u_char *cp; 3623 char *comment = NULL; 3624 struct sshcipher_ctx ciphercontext; 3625 const struct sshcipher *cipher; 3626 struct sshkey *prv = NULL; 3627 3628 *keyp = NULL; 3629 if (commentp != NULL) 3630 *commentp = NULL; 3631 3632 /* Check that it is at least big enough to contain the ID string. */ 3633 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3634 return SSH_ERR_INVALID_FORMAT; 3635 3636 /* 3637 * Make sure it begins with the id string. Consume the id string 3638 * from the buffer. 3639 */ 3640 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3641 return SSH_ERR_INVALID_FORMAT; 3642 3643 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3644 r = SSH_ERR_ALLOC_FAIL; 3645 goto out; 3646 } 3647 if ((copy = sshbuf_fromb(blob)) == NULL || 3648 (decrypted = sshbuf_new()) == NULL) { 3649 r = SSH_ERR_ALLOC_FAIL; 3650 goto out; 3651 } 3652 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3653 goto out; 3654 3655 /* Read cipher type. */ 3656 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3657 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3658 goto out; 3659 3660 /* Read the public key and comment from the buffer. */ 3661 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3662 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3663 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3664 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3665 goto out; 3666 3667 /* Check that it is a supported cipher. */ 3668 cipher = cipher_by_number(cipher_type); 3669 if (cipher == NULL) { 3670 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3671 goto out; 3672 } 3673 /* Initialize space for decrypted data. */ 3674 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3675 goto out; 3676 3677 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3678 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3679 CIPHER_DECRYPT)) != 0) 3680 goto out; 3681 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3682 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { 3683 cipher_cleanup(&ciphercontext); 3684 goto out; 3685 } 3686 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3687 goto out; 3688 3689 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3690 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3691 goto out; 3692 if (check1 != check2) { 3693 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3694 goto out; 3695 } 3696 3697 /* Read the rest of the private key. */ 3698 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3699 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3700 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3701 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3702 goto out; 3703 3704 /* calculate p-1 and q-1 */ 3705 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3706 goto out; 3707 3708 /* enable blinding */ 3709 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3710 r = SSH_ERR_LIBCRYPTO_ERROR; 3711 goto out; 3712 } 3713 r = 0; 3714 *keyp = prv; 3715 prv = NULL; 3716 if (commentp != NULL) { 3717 *commentp = comment; 3718 comment = NULL; 3719 } 3720 out: 3721 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3722 if (comment != NULL) 3723 free(comment); 3724 if (prv != NULL) 3725 sshkey_free(prv); 3726 if (copy != NULL) 3727 sshbuf_free(copy); 3728 if (decrypted != NULL) 3729 sshbuf_free(decrypted); 3730 return r; 3731 } 3732 #endif /* WITH_SSH1 */ 3733 3734 #ifdef WITH_OPENSSL 3735 static int 3736 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3737 const char *passphrase, struct sshkey **keyp) 3738 { 3739 EVP_PKEY *pk = NULL; 3740 struct sshkey *prv = NULL; 3741 BIO *bio = NULL; 3742 int r; 3743 3744 *keyp = NULL; 3745 3746 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3747 return SSH_ERR_ALLOC_FAIL; 3748 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3749 (int)sshbuf_len(blob)) { 3750 r = SSH_ERR_ALLOC_FAIL; 3751 goto out; 3752 } 3753 3754 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3755 __UNCONST(passphrase))) == NULL) { 3756 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3757 goto out; 3758 } 3759 if (pk->type == EVP_PKEY_RSA && 3760 (type == KEY_UNSPEC || type == KEY_RSA)) { 3761 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3762 r = SSH_ERR_ALLOC_FAIL; 3763 goto out; 3764 } 3765 prv->rsa = EVP_PKEY_get1_RSA(pk); 3766 prv->type = KEY_RSA; 3767 #ifdef DEBUG_PK 3768 RSA_print_fp(stderr, prv->rsa, 8); 3769 #endif 3770 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3771 r = SSH_ERR_LIBCRYPTO_ERROR; 3772 goto out; 3773 } 3774 } else if (pk->type == EVP_PKEY_DSA && 3775 (type == KEY_UNSPEC || type == KEY_DSA)) { 3776 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3777 r = SSH_ERR_ALLOC_FAIL; 3778 goto out; 3779 } 3780 prv->dsa = EVP_PKEY_get1_DSA(pk); 3781 prv->type = KEY_DSA; 3782 #ifdef DEBUG_PK 3783 DSA_print_fp(stderr, prv->dsa, 8); 3784 #endif 3785 } else if (pk->type == EVP_PKEY_EC && 3786 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3787 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3788 r = SSH_ERR_ALLOC_FAIL; 3789 goto out; 3790 } 3791 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3792 prv->type = KEY_ECDSA; 3793 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3794 if (prv->ecdsa_nid == -1 || 3795 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3796 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3797 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3798 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3799 r = SSH_ERR_INVALID_FORMAT; 3800 goto out; 3801 } 3802 #ifdef DEBUG_PK 3803 if (prv != NULL && prv->ecdsa != NULL) 3804 sshkey_dump_ec_key(prv->ecdsa); 3805 #endif 3806 } else { 3807 r = SSH_ERR_INVALID_FORMAT; 3808 goto out; 3809 } 3810 r = 0; 3811 *keyp = prv; 3812 prv = NULL; 3813 out: 3814 BIO_free(bio); 3815 if (pk != NULL) 3816 EVP_PKEY_free(pk); 3817 if (prv != NULL) 3818 sshkey_free(prv); 3819 return r; 3820 } 3821 #endif /* WITH_OPENSSL */ 3822 3823 int 3824 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3825 const char *passphrase, struct sshkey **keyp, char **commentp) 3826 { 3827 int r; 3828 3829 *keyp = NULL; 3830 if (commentp != NULL) 3831 *commentp = NULL; 3832 3833 switch (type) { 3834 #ifdef WITH_SSH1 3835 case KEY_RSA1: 3836 return sshkey_parse_private_rsa1(blob, passphrase, 3837 keyp, commentp); 3838 #endif /* WITH_SSH1 */ 3839 #ifdef WITH_OPENSSL 3840 case KEY_DSA: 3841 case KEY_ECDSA: 3842 case KEY_RSA: 3843 return sshkey_parse_private_pem_fileblob(blob, type, 3844 passphrase, keyp); 3845 #endif /* WITH_OPENSSL */ 3846 case KEY_ED25519: 3847 return sshkey_parse_private2(blob, type, passphrase, 3848 keyp, commentp); 3849 case KEY_UNSPEC: 3850 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, 3851 commentp)) == 0) 3852 return 0; 3853 #ifdef WITH_OPENSSL 3854 return sshkey_parse_private_pem_fileblob(blob, type, 3855 passphrase, keyp); 3856 #else 3857 return SSH_ERR_INVALID_FORMAT; 3858 #endif /* WITH_OPENSSL */ 3859 default: 3860 return SSH_ERR_KEY_TYPE_UNKNOWN; 3861 } 3862 } 3863 3864 int 3865 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3866 const char *filename, struct sshkey **keyp, char **commentp) 3867 { 3868 int r; 3869 3870 if (keyp != NULL) 3871 *keyp = NULL; 3872 if (commentp != NULL) 3873 *commentp = NULL; 3874 3875 #ifdef WITH_SSH1 3876 /* it's a SSH v1 key if the public key part is readable */ 3877 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { 3878 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3879 passphrase, keyp, commentp); 3880 } 3881 #endif /* WITH_SSH1 */ 3882 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3883 passphrase, keyp, commentp)) == 0) 3884 return 0; 3885 return r; 3886 } 3887