1 /* $OpenBSD: sshkey.c,v 1.74 2019/05/03 03:25:18 dtucker Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <netinet/in.h> 30 31 #ifdef WITH_OPENSSL 32 #include <openssl/evp.h> 33 #include <openssl/err.h> 34 #include <openssl/pem.h> 35 #endif 36 37 #include "crypto_api.h" 38 39 #include <errno.h> 40 #include <stdio.h> 41 #include <string.h> 42 #include <util.h> 43 #include <limits.h> 44 #include <resolv.h> 45 46 #include "ssh2.h" 47 #include "ssherr.h" 48 #include "misc.h" 49 #include "sshbuf.h" 50 #include "cipher.h" 51 #include "digest.h" 52 #define SSHKEY_INTERNAL 53 #include "sshkey.h" 54 #include "match.h" 55 56 #ifdef WITH_XMSS 57 #include "sshkey-xmss.h" 58 #include "xmss_fast.h" 59 #endif 60 61 /* openssh private key file format */ 62 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 63 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 64 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 65 #define MARK_END_LEN (sizeof(MARK_END) - 1) 66 #define KDFNAME "bcrypt" 67 #define AUTH_MAGIC "openssh-key-v1" 68 #define SALT_LEN 16 69 #define DEFAULT_CIPHERNAME "aes256-ctr" 70 #define DEFAULT_ROUNDS 16 71 72 /* Version identification string for SSH v1 identity files. */ 73 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 74 75 int sshkey_private_serialize_opt(const struct sshkey *key, 76 struct sshbuf *buf, enum sshkey_serialize_rep); 77 static int sshkey_from_blob_internal(struct sshbuf *buf, 78 struct sshkey **keyp, int allow_cert); 79 static int get_sigtype(const u_char *sig, size_t siglen, char **sigtypep); 80 81 /* Supported key types */ 82 struct keytype { 83 const char *name; 84 const char *shortname; 85 const char *sigalg; 86 int type; 87 int nid; 88 int cert; 89 int sigonly; 90 }; 91 static const struct keytype keytypes[] = { 92 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 93 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 94 KEY_ED25519_CERT, 0, 1, 0 }, 95 #ifdef WITH_XMSS 96 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 97 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 98 KEY_XMSS_CERT, 0, 1, 0 }, 99 #endif /* WITH_XMSS */ 100 #ifdef WITH_OPENSSL 101 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 102 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 103 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 104 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 105 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 106 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 107 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 108 KEY_ECDSA, NID_secp384r1, 0, 0 }, 109 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 110 KEY_ECDSA, NID_secp521r1, 0, 0 }, 111 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 112 KEY_RSA_CERT, 0, 1, 0 }, 113 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 114 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 115 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 116 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 117 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 118 KEY_DSA_CERT, 0, 1, 0 }, 119 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 120 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 121 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 122 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 123 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 124 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 125 #endif /* WITH_OPENSSL */ 126 { NULL, NULL, NULL, -1, -1, 0, 0 } 127 }; 128 129 const char * 130 sshkey_type(const struct sshkey *k) 131 { 132 const struct keytype *kt; 133 134 for (kt = keytypes; kt->type != -1; kt++) { 135 if (kt->type == k->type) 136 return kt->shortname; 137 } 138 return "unknown"; 139 } 140 141 static const char * 142 sshkey_ssh_name_from_type_nid(int type, int nid) 143 { 144 const struct keytype *kt; 145 146 for (kt = keytypes; kt->type != -1; kt++) { 147 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 148 return kt->name; 149 } 150 return "ssh-unknown"; 151 } 152 153 int 154 sshkey_type_is_cert(int type) 155 { 156 const struct keytype *kt; 157 158 for (kt = keytypes; kt->type != -1; kt++) { 159 if (kt->type == type) 160 return kt->cert; 161 } 162 return 0; 163 } 164 165 const char * 166 sshkey_ssh_name(const struct sshkey *k) 167 { 168 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 169 } 170 171 const char * 172 sshkey_ssh_name_plain(const struct sshkey *k) 173 { 174 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 175 k->ecdsa_nid); 176 } 177 178 int 179 sshkey_type_from_name(const char *name) 180 { 181 const struct keytype *kt; 182 183 for (kt = keytypes; kt->type != -1; kt++) { 184 /* Only allow shortname matches for plain key types */ 185 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 186 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 187 return kt->type; 188 } 189 return KEY_UNSPEC; 190 } 191 192 int 193 sshkey_ecdsa_nid_from_name(const char *name) 194 { 195 const struct keytype *kt; 196 197 for (kt = keytypes; kt->type != -1; kt++) { 198 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 199 continue; 200 if (kt->name != NULL && strcmp(name, kt->name) == 0) 201 return kt->nid; 202 } 203 return -1; 204 } 205 206 char * 207 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 208 { 209 char *tmp, *ret = NULL; 210 size_t nlen, rlen = 0; 211 const struct keytype *kt; 212 213 for (kt = keytypes; kt->type != -1; kt++) { 214 if (kt->name == NULL) 215 continue; 216 if (!include_sigonly && kt->sigonly) 217 continue; 218 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 219 continue; 220 if (ret != NULL) 221 ret[rlen++] = sep; 222 nlen = strlen(kt->name); 223 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 224 free(ret); 225 return NULL; 226 } 227 ret = tmp; 228 memcpy(ret + rlen, kt->name, nlen + 1); 229 rlen += nlen; 230 } 231 return ret; 232 } 233 234 int 235 sshkey_names_valid2(const char *names, int allow_wildcard) 236 { 237 char *s, *cp, *p; 238 const struct keytype *kt; 239 int type; 240 241 if (names == NULL || strcmp(names, "") == 0) 242 return 0; 243 if ((s = cp = strdup(names)) == NULL) 244 return 0; 245 for ((p = strsep(&cp, ",")); p && *p != '\0'; 246 (p = strsep(&cp, ","))) { 247 type = sshkey_type_from_name(p); 248 if (type == KEY_UNSPEC) { 249 if (allow_wildcard) { 250 /* 251 * Try matching key types against the string. 252 * If any has a positive or negative match then 253 * the component is accepted. 254 */ 255 for (kt = keytypes; kt->type != -1; kt++) { 256 if (match_pattern_list(kt->name, 257 p, 0) != 0) 258 break; 259 } 260 if (kt->type != -1) 261 continue; 262 } 263 free(s); 264 return 0; 265 } 266 } 267 free(s); 268 return 1; 269 } 270 271 u_int 272 sshkey_size(const struct sshkey *k) 273 { 274 #ifdef WITH_OPENSSL 275 const BIGNUM *rsa_n, *dsa_p; 276 #endif /* WITH_OPENSSL */ 277 278 switch (k->type) { 279 #ifdef WITH_OPENSSL 280 case KEY_RSA: 281 case KEY_RSA_CERT: 282 if (k->rsa == NULL) 283 return 0; 284 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 285 return BN_num_bits(rsa_n); 286 case KEY_DSA: 287 case KEY_DSA_CERT: 288 if (k->dsa == NULL) 289 return 0; 290 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 291 return BN_num_bits(dsa_p); 292 case KEY_ECDSA: 293 case KEY_ECDSA_CERT: 294 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 295 #endif /* WITH_OPENSSL */ 296 case KEY_ED25519: 297 case KEY_ED25519_CERT: 298 case KEY_XMSS: 299 case KEY_XMSS_CERT: 300 return 256; /* XXX */ 301 } 302 return 0; 303 } 304 305 static int 306 sshkey_type_is_valid_ca(int type) 307 { 308 switch (type) { 309 case KEY_RSA: 310 case KEY_DSA: 311 case KEY_ECDSA: 312 case KEY_ED25519: 313 case KEY_XMSS: 314 return 1; 315 default: 316 return 0; 317 } 318 } 319 320 int 321 sshkey_is_cert(const struct sshkey *k) 322 { 323 if (k == NULL) 324 return 0; 325 return sshkey_type_is_cert(k->type); 326 } 327 328 /* Return the cert-less equivalent to a certified key type */ 329 int 330 sshkey_type_plain(int type) 331 { 332 switch (type) { 333 case KEY_RSA_CERT: 334 return KEY_RSA; 335 case KEY_DSA_CERT: 336 return KEY_DSA; 337 case KEY_ECDSA_CERT: 338 return KEY_ECDSA; 339 case KEY_ED25519_CERT: 340 return KEY_ED25519; 341 case KEY_XMSS_CERT: 342 return KEY_XMSS; 343 default: 344 return type; 345 } 346 } 347 348 #ifdef WITH_OPENSSL 349 /* XXX: these are really begging for a table-driven approach */ 350 int 351 sshkey_curve_name_to_nid(const char *name) 352 { 353 if (strcmp(name, "nistp256") == 0) 354 return NID_X9_62_prime256v1; 355 else if (strcmp(name, "nistp384") == 0) 356 return NID_secp384r1; 357 else if (strcmp(name, "nistp521") == 0) 358 return NID_secp521r1; 359 else 360 return -1; 361 } 362 363 u_int 364 sshkey_curve_nid_to_bits(int nid) 365 { 366 switch (nid) { 367 case NID_X9_62_prime256v1: 368 return 256; 369 case NID_secp384r1: 370 return 384; 371 case NID_secp521r1: 372 return 521; 373 default: 374 return 0; 375 } 376 } 377 378 int 379 sshkey_ecdsa_bits_to_nid(int bits) 380 { 381 switch (bits) { 382 case 256: 383 return NID_X9_62_prime256v1; 384 case 384: 385 return NID_secp384r1; 386 case 521: 387 return NID_secp521r1; 388 default: 389 return -1; 390 } 391 } 392 393 const char * 394 sshkey_curve_nid_to_name(int nid) 395 { 396 switch (nid) { 397 case NID_X9_62_prime256v1: 398 return "nistp256"; 399 case NID_secp384r1: 400 return "nistp384"; 401 case NID_secp521r1: 402 return "nistp521"; 403 default: 404 return NULL; 405 } 406 } 407 408 int 409 sshkey_ec_nid_to_hash_alg(int nid) 410 { 411 int kbits = sshkey_curve_nid_to_bits(nid); 412 413 if (kbits <= 0) 414 return -1; 415 416 /* RFC5656 section 6.2.1 */ 417 if (kbits <= 256) 418 return SSH_DIGEST_SHA256; 419 else if (kbits <= 384) 420 return SSH_DIGEST_SHA384; 421 else 422 return SSH_DIGEST_SHA512; 423 } 424 #endif /* WITH_OPENSSL */ 425 426 static void 427 cert_free(struct sshkey_cert *cert) 428 { 429 u_int i; 430 431 if (cert == NULL) 432 return; 433 sshbuf_free(cert->certblob); 434 sshbuf_free(cert->critical); 435 sshbuf_free(cert->extensions); 436 free(cert->key_id); 437 for (i = 0; i < cert->nprincipals; i++) 438 free(cert->principals[i]); 439 free(cert->principals); 440 sshkey_free(cert->signature_key); 441 free(cert->signature_type); 442 freezero(cert, sizeof(*cert)); 443 } 444 445 static struct sshkey_cert * 446 cert_new(void) 447 { 448 struct sshkey_cert *cert; 449 450 if ((cert = calloc(1, sizeof(*cert))) == NULL) 451 return NULL; 452 if ((cert->certblob = sshbuf_new()) == NULL || 453 (cert->critical = sshbuf_new()) == NULL || 454 (cert->extensions = sshbuf_new()) == NULL) { 455 cert_free(cert); 456 return NULL; 457 } 458 cert->key_id = NULL; 459 cert->principals = NULL; 460 cert->signature_key = NULL; 461 cert->signature_type = NULL; 462 return cert; 463 } 464 465 struct sshkey * 466 sshkey_new(int type) 467 { 468 struct sshkey *k; 469 #ifdef WITH_OPENSSL 470 RSA *rsa; 471 DSA *dsa; 472 #endif /* WITH_OPENSSL */ 473 474 if ((k = calloc(1, sizeof(*k))) == NULL) 475 return NULL; 476 k->type = type; 477 k->ecdsa = NULL; 478 k->ecdsa_nid = -1; 479 k->dsa = NULL; 480 k->rsa = NULL; 481 k->cert = NULL; 482 k->ed25519_sk = NULL; 483 k->ed25519_pk = NULL; 484 k->xmss_sk = NULL; 485 k->xmss_pk = NULL; 486 switch (k->type) { 487 #ifdef WITH_OPENSSL 488 case KEY_RSA: 489 case KEY_RSA_CERT: 490 if ((rsa = RSA_new()) == NULL) { 491 free(k); 492 return NULL; 493 } 494 k->rsa = rsa; 495 break; 496 case KEY_DSA: 497 case KEY_DSA_CERT: 498 if ((dsa = DSA_new()) == NULL) { 499 free(k); 500 return NULL; 501 } 502 k->dsa = dsa; 503 break; 504 case KEY_ECDSA: 505 case KEY_ECDSA_CERT: 506 /* Cannot do anything until we know the group */ 507 break; 508 #endif /* WITH_OPENSSL */ 509 case KEY_ED25519: 510 case KEY_ED25519_CERT: 511 case KEY_XMSS: 512 case KEY_XMSS_CERT: 513 /* no need to prealloc */ 514 break; 515 case KEY_UNSPEC: 516 break; 517 default: 518 free(k); 519 return NULL; 520 } 521 522 if (sshkey_is_cert(k)) { 523 if ((k->cert = cert_new()) == NULL) { 524 sshkey_free(k); 525 return NULL; 526 } 527 } 528 529 return k; 530 } 531 532 void 533 sshkey_free(struct sshkey *k) 534 { 535 if (k == NULL) 536 return; 537 switch (k->type) { 538 #ifdef WITH_OPENSSL 539 case KEY_RSA: 540 case KEY_RSA_CERT: 541 RSA_free(k->rsa); 542 k->rsa = NULL; 543 break; 544 case KEY_DSA: 545 case KEY_DSA_CERT: 546 DSA_free(k->dsa); 547 k->dsa = NULL; 548 break; 549 case KEY_ECDSA: 550 case KEY_ECDSA_CERT: 551 EC_KEY_free(k->ecdsa); 552 k->ecdsa = NULL; 553 break; 554 #endif /* WITH_OPENSSL */ 555 case KEY_ED25519: 556 case KEY_ED25519_CERT: 557 freezero(k->ed25519_pk, ED25519_PK_SZ); 558 k->ed25519_pk = NULL; 559 freezero(k->ed25519_sk, ED25519_SK_SZ); 560 k->ed25519_sk = NULL; 561 break; 562 #ifdef WITH_XMSS 563 case KEY_XMSS: 564 case KEY_XMSS_CERT: 565 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 566 k->xmss_pk = NULL; 567 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 568 k->xmss_sk = NULL; 569 sshkey_xmss_free_state(k); 570 free(k->xmss_name); 571 k->xmss_name = NULL; 572 free(k->xmss_filename); 573 k->xmss_filename = NULL; 574 break; 575 #endif /* WITH_XMSS */ 576 case KEY_UNSPEC: 577 break; 578 default: 579 break; 580 } 581 if (sshkey_is_cert(k)) 582 cert_free(k->cert); 583 freezero(k, sizeof(*k)); 584 } 585 586 static int 587 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 588 { 589 if (a == NULL && b == NULL) 590 return 1; 591 if (a == NULL || b == NULL) 592 return 0; 593 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 594 return 0; 595 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 596 sshbuf_len(a->certblob)) != 0) 597 return 0; 598 return 1; 599 } 600 601 /* 602 * Compare public portions of key only, allowing comparisons between 603 * certificates and plain keys too. 604 */ 605 int 606 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 607 { 608 #ifdef WITH_OPENSSL 609 BN_CTX *bnctx; 610 const BIGNUM *rsa_e_a, *rsa_n_a; 611 const BIGNUM *rsa_e_b, *rsa_n_b; 612 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 613 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 614 #endif /* WITH_OPENSSL */ 615 616 if (a == NULL || b == NULL || 617 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 618 return 0; 619 620 switch (a->type) { 621 #ifdef WITH_OPENSSL 622 case KEY_RSA_CERT: 623 case KEY_RSA: 624 if (a->rsa == NULL || b->rsa == NULL) 625 return 0; 626 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 627 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 628 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 629 BN_cmp(rsa_n_a, rsa_n_b) == 0; 630 case KEY_DSA_CERT: 631 case KEY_DSA: 632 if (a->dsa == NULL || b->dsa == NULL) 633 return 0; 634 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 635 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 636 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 637 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 638 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 639 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 640 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 641 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 642 case KEY_ECDSA_CERT: 643 case KEY_ECDSA: 644 if (a->ecdsa == NULL || b->ecdsa == NULL || 645 EC_KEY_get0_public_key(a->ecdsa) == NULL || 646 EC_KEY_get0_public_key(b->ecdsa) == NULL) 647 return 0; 648 if ((bnctx = BN_CTX_new()) == NULL) 649 return 0; 650 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 651 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 652 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 653 EC_KEY_get0_public_key(a->ecdsa), 654 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 655 BN_CTX_free(bnctx); 656 return 0; 657 } 658 BN_CTX_free(bnctx); 659 return 1; 660 #endif /* WITH_OPENSSL */ 661 case KEY_ED25519: 662 case KEY_ED25519_CERT: 663 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 664 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 665 #ifdef WITH_XMSS 666 case KEY_XMSS: 667 case KEY_XMSS_CERT: 668 return a->xmss_pk != NULL && b->xmss_pk != NULL && 669 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 670 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 671 #endif /* WITH_XMSS */ 672 default: 673 return 0; 674 } 675 /* NOTREACHED */ 676 } 677 678 int 679 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 680 { 681 if (a == NULL || b == NULL || a->type != b->type) 682 return 0; 683 if (sshkey_is_cert(a)) { 684 if (!cert_compare(a->cert, b->cert)) 685 return 0; 686 } 687 return sshkey_equal_public(a, b); 688 } 689 690 static int 691 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 692 enum sshkey_serialize_rep opts) 693 { 694 int type, ret = SSH_ERR_INTERNAL_ERROR; 695 const char *typename; 696 #ifdef WITH_OPENSSL 697 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 698 #endif /* WITH_OPENSSL */ 699 700 if (key == NULL) 701 return SSH_ERR_INVALID_ARGUMENT; 702 703 if (sshkey_is_cert(key)) { 704 if (key->cert == NULL) 705 return SSH_ERR_EXPECTED_CERT; 706 if (sshbuf_len(key->cert->certblob) == 0) 707 return SSH_ERR_KEY_LACKS_CERTBLOB; 708 } 709 type = force_plain ? sshkey_type_plain(key->type) : key->type; 710 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 711 712 switch (type) { 713 #ifdef WITH_OPENSSL 714 case KEY_DSA_CERT: 715 case KEY_ECDSA_CERT: 716 case KEY_RSA_CERT: 717 #endif /* WITH_OPENSSL */ 718 case KEY_ED25519_CERT: 719 #ifdef WITH_XMSS 720 case KEY_XMSS_CERT: 721 #endif /* WITH_XMSS */ 722 /* Use the existing blob */ 723 /* XXX modified flag? */ 724 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 725 return ret; 726 break; 727 #ifdef WITH_OPENSSL 728 case KEY_DSA: 729 if (key->dsa == NULL) 730 return SSH_ERR_INVALID_ARGUMENT; 731 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 732 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 733 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 734 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 735 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 736 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 737 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 738 return ret; 739 break; 740 case KEY_ECDSA: 741 if (key->ecdsa == NULL) 742 return SSH_ERR_INVALID_ARGUMENT; 743 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 744 (ret = sshbuf_put_cstring(b, 745 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 746 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 747 return ret; 748 break; 749 case KEY_RSA: 750 if (key->rsa == NULL) 751 return SSH_ERR_INVALID_ARGUMENT; 752 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 753 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 754 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 755 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 756 return ret; 757 break; 758 #endif /* WITH_OPENSSL */ 759 case KEY_ED25519: 760 if (key->ed25519_pk == NULL) 761 return SSH_ERR_INVALID_ARGUMENT; 762 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 763 (ret = sshbuf_put_string(b, 764 key->ed25519_pk, ED25519_PK_SZ)) != 0) 765 return ret; 766 break; 767 #ifdef WITH_XMSS 768 case KEY_XMSS: 769 if (key->xmss_name == NULL || key->xmss_pk == NULL || 770 sshkey_xmss_pklen(key) == 0) 771 return SSH_ERR_INVALID_ARGUMENT; 772 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 773 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 774 (ret = sshbuf_put_string(b, 775 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 776 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 777 return ret; 778 break; 779 #endif /* WITH_XMSS */ 780 default: 781 return SSH_ERR_KEY_TYPE_UNKNOWN; 782 } 783 return 0; 784 } 785 786 int 787 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 788 { 789 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 790 } 791 792 int 793 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 794 enum sshkey_serialize_rep opts) 795 { 796 struct sshbuf *tmp; 797 int r; 798 799 if ((tmp = sshbuf_new()) == NULL) 800 return SSH_ERR_ALLOC_FAIL; 801 r = to_blob_buf(key, tmp, 0, opts); 802 if (r == 0) 803 r = sshbuf_put_stringb(b, tmp); 804 sshbuf_free(tmp); 805 return r; 806 } 807 808 int 809 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 810 { 811 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 812 } 813 814 int 815 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 816 { 817 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 818 } 819 820 static int 821 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 822 enum sshkey_serialize_rep opts) 823 { 824 int ret = SSH_ERR_INTERNAL_ERROR; 825 size_t len; 826 struct sshbuf *b = NULL; 827 828 if (lenp != NULL) 829 *lenp = 0; 830 if (blobp != NULL) 831 *blobp = NULL; 832 if ((b = sshbuf_new()) == NULL) 833 return SSH_ERR_ALLOC_FAIL; 834 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 835 goto out; 836 len = sshbuf_len(b); 837 if (lenp != NULL) 838 *lenp = len; 839 if (blobp != NULL) { 840 if ((*blobp = malloc(len)) == NULL) { 841 ret = SSH_ERR_ALLOC_FAIL; 842 goto out; 843 } 844 memcpy(*blobp, sshbuf_ptr(b), len); 845 } 846 ret = 0; 847 out: 848 sshbuf_free(b); 849 return ret; 850 } 851 852 int 853 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 854 { 855 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 856 } 857 858 int 859 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 860 { 861 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 862 } 863 864 int 865 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 866 u_char **retp, size_t *lenp) 867 { 868 u_char *blob = NULL, *ret = NULL; 869 size_t blob_len = 0; 870 int r = SSH_ERR_INTERNAL_ERROR; 871 872 if (retp != NULL) 873 *retp = NULL; 874 if (lenp != NULL) 875 *lenp = 0; 876 if (ssh_digest_bytes(dgst_alg) == 0) { 877 r = SSH_ERR_INVALID_ARGUMENT; 878 goto out; 879 } 880 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 881 != 0) 882 goto out; 883 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 884 r = SSH_ERR_ALLOC_FAIL; 885 goto out; 886 } 887 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 888 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 889 goto out; 890 /* success */ 891 if (retp != NULL) { 892 *retp = ret; 893 ret = NULL; 894 } 895 if (lenp != NULL) 896 *lenp = ssh_digest_bytes(dgst_alg); 897 r = 0; 898 out: 899 free(ret); 900 if (blob != NULL) { 901 explicit_bzero(blob, blob_len); 902 free(blob); 903 } 904 return r; 905 } 906 907 static char * 908 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 909 { 910 char *ret; 911 size_t plen = strlen(alg) + 1; 912 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 913 int r; 914 915 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 916 return NULL; 917 strlcpy(ret, alg, rlen); 918 strlcat(ret, ":", rlen); 919 if (dgst_raw_len == 0) 920 return ret; 921 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 922 ret + plen, rlen - plen)) == -1) { 923 freezero(ret, rlen); 924 return NULL; 925 } 926 /* Trim padding characters from end */ 927 ret[strcspn(ret, "=")] = '\0'; 928 return ret; 929 } 930 931 static char * 932 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 933 { 934 char *retval, hex[5]; 935 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 936 937 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 938 return NULL; 939 strlcpy(retval, alg, rlen); 940 strlcat(retval, ":", rlen); 941 for (i = 0; i < dgst_raw_len; i++) { 942 snprintf(hex, sizeof(hex), "%s%02x", 943 i > 0 ? ":" : "", dgst_raw[i]); 944 strlcat(retval, hex, rlen); 945 } 946 return retval; 947 } 948 949 static char * 950 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 951 { 952 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 953 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 954 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 955 u_int i, j = 0, rounds, seed = 1; 956 char *retval; 957 958 rounds = (dgst_raw_len / 2) + 1; 959 if ((retval = calloc(rounds, 6)) == NULL) 960 return NULL; 961 retval[j++] = 'x'; 962 for (i = 0; i < rounds; i++) { 963 u_int idx0, idx1, idx2, idx3, idx4; 964 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 965 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 966 seed) % 6; 967 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 968 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 969 (seed / 6)) % 6; 970 retval[j++] = vowels[idx0]; 971 retval[j++] = consonants[idx1]; 972 retval[j++] = vowels[idx2]; 973 if ((i + 1) < rounds) { 974 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 975 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 976 retval[j++] = consonants[idx3]; 977 retval[j++] = '-'; 978 retval[j++] = consonants[idx4]; 979 seed = ((seed * 5) + 980 ((((u_int)(dgst_raw[2 * i])) * 7) + 981 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 982 } 983 } else { 984 idx0 = seed % 6; 985 idx1 = 16; 986 idx2 = seed / 6; 987 retval[j++] = vowels[idx0]; 988 retval[j++] = consonants[idx1]; 989 retval[j++] = vowels[idx2]; 990 } 991 } 992 retval[j++] = 'x'; 993 retval[j++] = '\0'; 994 return retval; 995 } 996 997 /* 998 * Draw an ASCII-Art representing the fingerprint so human brain can 999 * profit from its built-in pattern recognition ability. 1000 * This technique is called "random art" and can be found in some 1001 * scientific publications like this original paper: 1002 * 1003 * "Hash Visualization: a New Technique to improve Real-World Security", 1004 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1005 * Techniques and E-Commerce (CrypTEC '99) 1006 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1007 * 1008 * The subject came up in a talk by Dan Kaminsky, too. 1009 * 1010 * If you see the picture is different, the key is different. 1011 * If the picture looks the same, you still know nothing. 1012 * 1013 * The algorithm used here is a worm crawling over a discrete plane, 1014 * leaving a trace (augmenting the field) everywhere it goes. 1015 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1016 * makes the respective movement vector be ignored for this turn. 1017 * Graphs are not unambiguous, because circles in graphs can be 1018 * walked in either direction. 1019 */ 1020 1021 /* 1022 * Field sizes for the random art. Have to be odd, so the starting point 1023 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1024 * Else pictures would be too dense, and drawing the frame would 1025 * fail, too, because the key type would not fit in anymore. 1026 */ 1027 #define FLDBASE 8 1028 #define FLDSIZE_Y (FLDBASE + 1) 1029 #define FLDSIZE_X (FLDBASE * 2 + 1) 1030 static char * 1031 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1032 const struct sshkey *k) 1033 { 1034 /* 1035 * Chars to be used after each other every time the worm 1036 * intersects with itself. Matter of taste. 1037 */ 1038 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1039 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1040 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1041 size_t i, tlen, hlen; 1042 u_int b; 1043 int x, y, r; 1044 size_t len = strlen(augmentation_string) - 1; 1045 1046 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1047 return NULL; 1048 1049 /* initialize field */ 1050 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1051 x = FLDSIZE_X / 2; 1052 y = FLDSIZE_Y / 2; 1053 1054 /* process raw key */ 1055 for (i = 0; i < dgst_raw_len; i++) { 1056 int input; 1057 /* each byte conveys four 2-bit move commands */ 1058 input = dgst_raw[i]; 1059 for (b = 0; b < 4; b++) { 1060 /* evaluate 2 bit, rest is shifted later */ 1061 x += (input & 0x1) ? 1 : -1; 1062 y += (input & 0x2) ? 1 : -1; 1063 1064 /* assure we are still in bounds */ 1065 x = MAXIMUM(x, 0); 1066 y = MAXIMUM(y, 0); 1067 x = MINIMUM(x, FLDSIZE_X - 1); 1068 y = MINIMUM(y, FLDSIZE_Y - 1); 1069 1070 /* augment the field */ 1071 if (field[x][y] < len - 2) 1072 field[x][y]++; 1073 input = input >> 2; 1074 } 1075 } 1076 1077 /* mark starting point and end point*/ 1078 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1079 field[x][y] = len; 1080 1081 /* assemble title */ 1082 r = snprintf(title, sizeof(title), "[%s %u]", 1083 sshkey_type(k), sshkey_size(k)); 1084 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1085 if (r < 0 || r > (int)sizeof(title)) 1086 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1087 tlen = (r <= 0) ? 0 : strlen(title); 1088 1089 /* assemble hash ID. */ 1090 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1091 hlen = (r <= 0) ? 0 : strlen(hash); 1092 1093 /* output upper border */ 1094 p = retval; 1095 *p++ = '+'; 1096 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1097 *p++ = '-'; 1098 memcpy(p, title, tlen); 1099 p += tlen; 1100 for (i += tlen; i < FLDSIZE_X; i++) 1101 *p++ = '-'; 1102 *p++ = '+'; 1103 *p++ = '\n'; 1104 1105 /* output content */ 1106 for (y = 0; y < FLDSIZE_Y; y++) { 1107 *p++ = '|'; 1108 for (x = 0; x < FLDSIZE_X; x++) 1109 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1110 *p++ = '|'; 1111 *p++ = '\n'; 1112 } 1113 1114 /* output lower border */ 1115 *p++ = '+'; 1116 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1117 *p++ = '-'; 1118 memcpy(p, hash, hlen); 1119 p += hlen; 1120 for (i += hlen; i < FLDSIZE_X; i++) 1121 *p++ = '-'; 1122 *p++ = '+'; 1123 1124 return retval; 1125 } 1126 1127 char * 1128 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1129 enum sshkey_fp_rep dgst_rep) 1130 { 1131 char *retval = NULL; 1132 u_char *dgst_raw; 1133 size_t dgst_raw_len; 1134 1135 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1136 return NULL; 1137 switch (dgst_rep) { 1138 case SSH_FP_DEFAULT: 1139 if (dgst_alg == SSH_DIGEST_MD5) { 1140 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1141 dgst_raw, dgst_raw_len); 1142 } else { 1143 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1144 dgst_raw, dgst_raw_len); 1145 } 1146 break; 1147 case SSH_FP_HEX: 1148 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1149 dgst_raw, dgst_raw_len); 1150 break; 1151 case SSH_FP_BASE64: 1152 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1153 dgst_raw, dgst_raw_len); 1154 break; 1155 case SSH_FP_BUBBLEBABBLE: 1156 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1157 break; 1158 case SSH_FP_RANDOMART: 1159 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1160 dgst_raw, dgst_raw_len, k); 1161 break; 1162 default: 1163 explicit_bzero(dgst_raw, dgst_raw_len); 1164 free(dgst_raw); 1165 return NULL; 1166 } 1167 explicit_bzero(dgst_raw, dgst_raw_len); 1168 free(dgst_raw); 1169 return retval; 1170 } 1171 1172 static int 1173 peek_type_nid(const char *s, size_t l, int *nid) 1174 { 1175 const struct keytype *kt; 1176 1177 for (kt = keytypes; kt->type != -1; kt++) { 1178 if (kt->name == NULL || strlen(kt->name) != l) 1179 continue; 1180 if (memcmp(s, kt->name, l) == 0) { 1181 *nid = -1; 1182 if (kt->type == KEY_ECDSA || kt->type == KEY_ECDSA_CERT) 1183 *nid = kt->nid; 1184 return kt->type; 1185 } 1186 } 1187 return KEY_UNSPEC; 1188 } 1189 1190 1191 /* XXX this can now be made const char * */ 1192 int 1193 sshkey_read(struct sshkey *ret, char **cpp) 1194 { 1195 struct sshkey *k; 1196 char *cp, *blobcopy; 1197 size_t space; 1198 int r, type, curve_nid = -1; 1199 struct sshbuf *blob; 1200 1201 if (ret == NULL) 1202 return SSH_ERR_INVALID_ARGUMENT; 1203 1204 switch (ret->type) { 1205 case KEY_UNSPEC: 1206 case KEY_RSA: 1207 case KEY_DSA: 1208 case KEY_ECDSA: 1209 case KEY_ED25519: 1210 case KEY_DSA_CERT: 1211 case KEY_ECDSA_CERT: 1212 case KEY_RSA_CERT: 1213 case KEY_ED25519_CERT: 1214 #ifdef WITH_XMSS 1215 case KEY_XMSS: 1216 case KEY_XMSS_CERT: 1217 #endif /* WITH_XMSS */ 1218 break; /* ok */ 1219 default: 1220 return SSH_ERR_INVALID_ARGUMENT; 1221 } 1222 1223 /* Decode type */ 1224 cp = *cpp; 1225 space = strcspn(cp, " \t"); 1226 if (space == strlen(cp)) 1227 return SSH_ERR_INVALID_FORMAT; 1228 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1229 return SSH_ERR_INVALID_FORMAT; 1230 1231 /* skip whitespace */ 1232 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1233 ; 1234 if (*cp == '\0') 1235 return SSH_ERR_INVALID_FORMAT; 1236 if (ret->type != KEY_UNSPEC && ret->type != type) 1237 return SSH_ERR_KEY_TYPE_MISMATCH; 1238 if ((blob = sshbuf_new()) == NULL) 1239 return SSH_ERR_ALLOC_FAIL; 1240 1241 /* find end of keyblob and decode */ 1242 space = strcspn(cp, " \t"); 1243 if ((blobcopy = strndup(cp, space)) == NULL) { 1244 sshbuf_free(blob); 1245 return SSH_ERR_ALLOC_FAIL; 1246 } 1247 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1248 free(blobcopy); 1249 sshbuf_free(blob); 1250 return r; 1251 } 1252 free(blobcopy); 1253 if ((r = sshkey_fromb(blob, &k)) != 0) { 1254 sshbuf_free(blob); 1255 return r; 1256 } 1257 sshbuf_free(blob); 1258 1259 /* skip whitespace and leave cp at start of comment */ 1260 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1261 ; 1262 1263 /* ensure type of blob matches type at start of line */ 1264 if (k->type != type) { 1265 sshkey_free(k); 1266 return SSH_ERR_KEY_TYPE_MISMATCH; 1267 } 1268 if (sshkey_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) { 1269 sshkey_free(k); 1270 return SSH_ERR_EC_CURVE_MISMATCH; 1271 } 1272 1273 /* Fill in ret from parsed key */ 1274 ret->type = type; 1275 if (sshkey_is_cert(ret)) { 1276 if (!sshkey_is_cert(k)) { 1277 sshkey_free(k); 1278 return SSH_ERR_EXPECTED_CERT; 1279 } 1280 if (ret->cert != NULL) 1281 cert_free(ret->cert); 1282 ret->cert = k->cert; 1283 k->cert = NULL; 1284 } 1285 switch (sshkey_type_plain(ret->type)) { 1286 #ifdef WITH_OPENSSL 1287 case KEY_RSA: 1288 RSA_free(ret->rsa); 1289 ret->rsa = k->rsa; 1290 k->rsa = NULL; 1291 #ifdef DEBUG_PK 1292 RSA_print_fp(stderr, ret->rsa, 8); 1293 #endif 1294 break; 1295 case KEY_DSA: 1296 DSA_free(ret->dsa); 1297 ret->dsa = k->dsa; 1298 k->dsa = NULL; 1299 #ifdef DEBUG_PK 1300 DSA_print_fp(stderr, ret->dsa, 8); 1301 #endif 1302 break; 1303 case KEY_ECDSA: 1304 EC_KEY_free(ret->ecdsa); 1305 ret->ecdsa = k->ecdsa; 1306 ret->ecdsa_nid = k->ecdsa_nid; 1307 k->ecdsa = NULL; 1308 k->ecdsa_nid = -1; 1309 #ifdef DEBUG_PK 1310 sshkey_dump_ec_key(ret->ecdsa); 1311 #endif 1312 break; 1313 #endif /* WITH_OPENSSL */ 1314 case KEY_ED25519: 1315 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1316 ret->ed25519_pk = k->ed25519_pk; 1317 k->ed25519_pk = NULL; 1318 #ifdef DEBUG_PK 1319 /* XXX */ 1320 #endif 1321 break; 1322 #ifdef WITH_XMSS 1323 case KEY_XMSS: 1324 free(ret->xmss_pk); 1325 ret->xmss_pk = k->xmss_pk; 1326 k->xmss_pk = NULL; 1327 free(ret->xmss_state); 1328 ret->xmss_state = k->xmss_state; 1329 k->xmss_state = NULL; 1330 free(ret->xmss_name); 1331 ret->xmss_name = k->xmss_name; 1332 k->xmss_name = NULL; 1333 free(ret->xmss_filename); 1334 ret->xmss_filename = k->xmss_filename; 1335 k->xmss_filename = NULL; 1336 #ifdef DEBUG_PK 1337 /* XXX */ 1338 #endif 1339 break; 1340 #endif /* WITH_XMSS */ 1341 default: 1342 sshkey_free(k); 1343 return SSH_ERR_INTERNAL_ERROR; 1344 } 1345 sshkey_free(k); 1346 1347 /* success */ 1348 *cpp = cp; 1349 return 0; 1350 } 1351 1352 int 1353 sshkey_to_base64(const struct sshkey *key, char **b64p) 1354 { 1355 int r = SSH_ERR_INTERNAL_ERROR; 1356 struct sshbuf *b = NULL; 1357 char *uu = NULL; 1358 1359 if (b64p != NULL) 1360 *b64p = NULL; 1361 if ((b = sshbuf_new()) == NULL) 1362 return SSH_ERR_ALLOC_FAIL; 1363 if ((r = sshkey_putb(key, b)) != 0) 1364 goto out; 1365 if ((uu = sshbuf_dtob64(b)) == NULL) { 1366 r = SSH_ERR_ALLOC_FAIL; 1367 goto out; 1368 } 1369 /* Success */ 1370 if (b64p != NULL) { 1371 *b64p = uu; 1372 uu = NULL; 1373 } 1374 r = 0; 1375 out: 1376 sshbuf_free(b); 1377 free(uu); 1378 return r; 1379 } 1380 1381 int 1382 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1383 { 1384 int r = SSH_ERR_INTERNAL_ERROR; 1385 char *uu = NULL; 1386 1387 if ((r = sshkey_to_base64(key, &uu)) != 0) 1388 goto out; 1389 if ((r = sshbuf_putf(b, "%s %s", 1390 sshkey_ssh_name(key), uu)) != 0) 1391 goto out; 1392 r = 0; 1393 out: 1394 free(uu); 1395 return r; 1396 } 1397 1398 int 1399 sshkey_write(const struct sshkey *key, FILE *f) 1400 { 1401 struct sshbuf *b = NULL; 1402 int r = SSH_ERR_INTERNAL_ERROR; 1403 1404 if ((b = sshbuf_new()) == NULL) 1405 return SSH_ERR_ALLOC_FAIL; 1406 if ((r = sshkey_format_text(key, b)) != 0) 1407 goto out; 1408 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1409 if (feof(f)) 1410 errno = EPIPE; 1411 r = SSH_ERR_SYSTEM_ERROR; 1412 goto out; 1413 } 1414 /* Success */ 1415 r = 0; 1416 out: 1417 sshbuf_free(b); 1418 return r; 1419 } 1420 1421 const char * 1422 sshkey_cert_type(const struct sshkey *k) 1423 { 1424 switch (k->cert->type) { 1425 case SSH2_CERT_TYPE_USER: 1426 return "user"; 1427 case SSH2_CERT_TYPE_HOST: 1428 return "host"; 1429 default: 1430 return "unknown"; 1431 } 1432 } 1433 1434 #ifdef WITH_OPENSSL 1435 static int 1436 rsa_generate_private_key(u_int bits, RSA **rsap) 1437 { 1438 RSA *private = NULL; 1439 BIGNUM *f4 = NULL; 1440 int ret = SSH_ERR_INTERNAL_ERROR; 1441 1442 if (rsap == NULL) 1443 return SSH_ERR_INVALID_ARGUMENT; 1444 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1445 bits > SSHBUF_MAX_BIGNUM * 8) 1446 return SSH_ERR_KEY_LENGTH; 1447 *rsap = NULL; 1448 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1449 ret = SSH_ERR_ALLOC_FAIL; 1450 goto out; 1451 } 1452 if (!BN_set_word(f4, RSA_F4) || 1453 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1454 ret = SSH_ERR_LIBCRYPTO_ERROR; 1455 goto out; 1456 } 1457 *rsap = private; 1458 private = NULL; 1459 ret = 0; 1460 out: 1461 RSA_free(private); 1462 BN_free(f4); 1463 return ret; 1464 } 1465 1466 static int 1467 dsa_generate_private_key(u_int bits, DSA **dsap) 1468 { 1469 DSA *private; 1470 int ret = SSH_ERR_INTERNAL_ERROR; 1471 1472 if (dsap == NULL) 1473 return SSH_ERR_INVALID_ARGUMENT; 1474 if (bits != 1024) 1475 return SSH_ERR_KEY_LENGTH; 1476 if ((private = DSA_new()) == NULL) { 1477 ret = SSH_ERR_ALLOC_FAIL; 1478 goto out; 1479 } 1480 *dsap = NULL; 1481 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1482 NULL, NULL) || !DSA_generate_key(private)) { 1483 ret = SSH_ERR_LIBCRYPTO_ERROR; 1484 goto out; 1485 } 1486 *dsap = private; 1487 private = NULL; 1488 ret = 0; 1489 out: 1490 DSA_free(private); 1491 return ret; 1492 } 1493 1494 int 1495 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1496 { 1497 EC_GROUP *eg; 1498 int nids[] = { 1499 NID_X9_62_prime256v1, 1500 NID_secp384r1, 1501 NID_secp521r1, 1502 -1 1503 }; 1504 int nid; 1505 u_int i; 1506 BN_CTX *bnctx; 1507 const EC_GROUP *g = EC_KEY_get0_group(k); 1508 1509 /* 1510 * The group may be stored in a ASN.1 encoded private key in one of two 1511 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1512 * or explicit group parameters encoded into the key blob. Only the 1513 * "named group" case sets the group NID for us, but we can figure 1514 * it out for the other case by comparing against all the groups that 1515 * are supported. 1516 */ 1517 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1518 return nid; 1519 if ((bnctx = BN_CTX_new()) == NULL) 1520 return -1; 1521 for (i = 0; nids[i] != -1; i++) { 1522 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1523 BN_CTX_free(bnctx); 1524 return -1; 1525 } 1526 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1527 break; 1528 EC_GROUP_free(eg); 1529 } 1530 BN_CTX_free(bnctx); 1531 if (nids[i] != -1) { 1532 /* Use the group with the NID attached */ 1533 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1534 if (EC_KEY_set_group(k, eg) != 1) { 1535 EC_GROUP_free(eg); 1536 return -1; 1537 } 1538 } 1539 return nids[i]; 1540 } 1541 1542 static int 1543 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1544 { 1545 EC_KEY *private; 1546 int ret = SSH_ERR_INTERNAL_ERROR; 1547 1548 if (nid == NULL || ecdsap == NULL) 1549 return SSH_ERR_INVALID_ARGUMENT; 1550 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1551 return SSH_ERR_KEY_LENGTH; 1552 *ecdsap = NULL; 1553 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1554 ret = SSH_ERR_ALLOC_FAIL; 1555 goto out; 1556 } 1557 if (EC_KEY_generate_key(private) != 1) { 1558 ret = SSH_ERR_LIBCRYPTO_ERROR; 1559 goto out; 1560 } 1561 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1562 *ecdsap = private; 1563 private = NULL; 1564 ret = 0; 1565 out: 1566 EC_KEY_free(private); 1567 return ret; 1568 } 1569 #endif /* WITH_OPENSSL */ 1570 1571 int 1572 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1573 { 1574 struct sshkey *k; 1575 int ret = SSH_ERR_INTERNAL_ERROR; 1576 1577 if (keyp == NULL) 1578 return SSH_ERR_INVALID_ARGUMENT; 1579 *keyp = NULL; 1580 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1581 return SSH_ERR_ALLOC_FAIL; 1582 switch (type) { 1583 case KEY_ED25519: 1584 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1585 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1586 ret = SSH_ERR_ALLOC_FAIL; 1587 break; 1588 } 1589 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1590 ret = 0; 1591 break; 1592 #ifdef WITH_XMSS 1593 case KEY_XMSS: 1594 ret = sshkey_xmss_generate_private_key(k, bits); 1595 break; 1596 #endif /* WITH_XMSS */ 1597 #ifdef WITH_OPENSSL 1598 case KEY_DSA: 1599 ret = dsa_generate_private_key(bits, &k->dsa); 1600 break; 1601 case KEY_ECDSA: 1602 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1603 &k->ecdsa); 1604 break; 1605 case KEY_RSA: 1606 ret = rsa_generate_private_key(bits, &k->rsa); 1607 break; 1608 #endif /* WITH_OPENSSL */ 1609 default: 1610 ret = SSH_ERR_INVALID_ARGUMENT; 1611 } 1612 if (ret == 0) { 1613 k->type = type; 1614 *keyp = k; 1615 } else 1616 sshkey_free(k); 1617 return ret; 1618 } 1619 1620 int 1621 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1622 { 1623 u_int i; 1624 const struct sshkey_cert *from; 1625 struct sshkey_cert *to; 1626 int r = SSH_ERR_INTERNAL_ERROR; 1627 1628 if (to_key == NULL || (from = from_key->cert) == NULL) 1629 return SSH_ERR_INVALID_ARGUMENT; 1630 1631 if ((to = cert_new()) == NULL) 1632 return SSH_ERR_ALLOC_FAIL; 1633 1634 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1635 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1636 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1637 goto out; 1638 1639 to->serial = from->serial; 1640 to->type = from->type; 1641 if (from->key_id == NULL) 1642 to->key_id = NULL; 1643 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1644 r = SSH_ERR_ALLOC_FAIL; 1645 goto out; 1646 } 1647 to->valid_after = from->valid_after; 1648 to->valid_before = from->valid_before; 1649 if (from->signature_key == NULL) 1650 to->signature_key = NULL; 1651 else if ((r = sshkey_from_private(from->signature_key, 1652 &to->signature_key)) != 0) 1653 goto out; 1654 if (from->signature_type != NULL && 1655 (to->signature_type = strdup(from->signature_type)) == NULL) { 1656 r = SSH_ERR_ALLOC_FAIL; 1657 goto out; 1658 } 1659 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1660 r = SSH_ERR_INVALID_ARGUMENT; 1661 goto out; 1662 } 1663 if (from->nprincipals > 0) { 1664 if ((to->principals = calloc(from->nprincipals, 1665 sizeof(*to->principals))) == NULL) { 1666 r = SSH_ERR_ALLOC_FAIL; 1667 goto out; 1668 } 1669 for (i = 0; i < from->nprincipals; i++) { 1670 to->principals[i] = strdup(from->principals[i]); 1671 if (to->principals[i] == NULL) { 1672 to->nprincipals = i; 1673 r = SSH_ERR_ALLOC_FAIL; 1674 goto out; 1675 } 1676 } 1677 } 1678 to->nprincipals = from->nprincipals; 1679 1680 /* success */ 1681 cert_free(to_key->cert); 1682 to_key->cert = to; 1683 to = NULL; 1684 r = 0; 1685 out: 1686 cert_free(to); 1687 return r; 1688 } 1689 1690 int 1691 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1692 { 1693 struct sshkey *n = NULL; 1694 int r = SSH_ERR_INTERNAL_ERROR; 1695 #ifdef WITH_OPENSSL 1696 const BIGNUM *rsa_n, *rsa_e; 1697 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1698 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1699 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1700 BIGNUM *dsa_pub_key_dup = NULL; 1701 #endif /* WITH_OPENSSL */ 1702 1703 *pkp = NULL; 1704 switch (k->type) { 1705 #ifdef WITH_OPENSSL 1706 case KEY_DSA: 1707 case KEY_DSA_CERT: 1708 if ((n = sshkey_new(k->type)) == NULL) { 1709 r = SSH_ERR_ALLOC_FAIL; 1710 goto out; 1711 } 1712 1713 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1714 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1715 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1716 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1717 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1718 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1719 r = SSH_ERR_ALLOC_FAIL; 1720 goto out; 1721 } 1722 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1723 r = SSH_ERR_LIBCRYPTO_ERROR; 1724 goto out; 1725 } 1726 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1727 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1728 r = SSH_ERR_LIBCRYPTO_ERROR; 1729 goto out; 1730 } 1731 dsa_pub_key_dup = NULL; /* transferred */ 1732 1733 break; 1734 case KEY_ECDSA: 1735 case KEY_ECDSA_CERT: 1736 if ((n = sshkey_new(k->type)) == NULL) { 1737 r = SSH_ERR_ALLOC_FAIL; 1738 goto out; 1739 } 1740 n->ecdsa_nid = k->ecdsa_nid; 1741 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1742 if (n->ecdsa == NULL) { 1743 r = SSH_ERR_ALLOC_FAIL; 1744 goto out; 1745 } 1746 if (EC_KEY_set_public_key(n->ecdsa, 1747 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1748 r = SSH_ERR_LIBCRYPTO_ERROR; 1749 goto out; 1750 } 1751 break; 1752 case KEY_RSA: 1753 case KEY_RSA_CERT: 1754 if ((n = sshkey_new(k->type)) == NULL) { 1755 r = SSH_ERR_ALLOC_FAIL; 1756 goto out; 1757 } 1758 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1759 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1760 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1761 r = SSH_ERR_ALLOC_FAIL; 1762 goto out; 1763 } 1764 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1765 r = SSH_ERR_LIBCRYPTO_ERROR; 1766 goto out; 1767 } 1768 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1769 break; 1770 #endif /* WITH_OPENSSL */ 1771 case KEY_ED25519: 1772 case KEY_ED25519_CERT: 1773 if ((n = sshkey_new(k->type)) == NULL) { 1774 r = SSH_ERR_ALLOC_FAIL; 1775 goto out; 1776 } 1777 if (k->ed25519_pk != NULL) { 1778 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1779 r = SSH_ERR_ALLOC_FAIL; 1780 goto out; 1781 } 1782 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1783 } 1784 break; 1785 #ifdef WITH_XMSS 1786 case KEY_XMSS: 1787 case KEY_XMSS_CERT: 1788 if ((n = sshkey_new(k->type)) == NULL) { 1789 r = SSH_ERR_ALLOC_FAIL; 1790 goto out; 1791 } 1792 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1793 goto out; 1794 if (k->xmss_pk != NULL) { 1795 size_t pklen = sshkey_xmss_pklen(k); 1796 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1797 r = SSH_ERR_INTERNAL_ERROR; 1798 goto out; 1799 } 1800 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1801 r = SSH_ERR_ALLOC_FAIL; 1802 goto out; 1803 } 1804 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1805 } 1806 break; 1807 #endif /* WITH_XMSS */ 1808 default: 1809 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1810 goto out; 1811 } 1812 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1813 goto out; 1814 /* success */ 1815 *pkp = n; 1816 n = NULL; 1817 r = 0; 1818 out: 1819 sshkey_free(n); 1820 BN_clear_free(rsa_n_dup); 1821 BN_clear_free(rsa_e_dup); 1822 BN_clear_free(dsa_p_dup); 1823 BN_clear_free(dsa_q_dup); 1824 BN_clear_free(dsa_g_dup); 1825 BN_clear_free(dsa_pub_key_dup); 1826 1827 return r; 1828 } 1829 1830 static int 1831 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1832 { 1833 struct sshbuf *principals = NULL, *crit = NULL; 1834 struct sshbuf *exts = NULL, *ca = NULL; 1835 u_char *sig = NULL; 1836 size_t signed_len = 0, slen = 0, kidlen = 0; 1837 int ret = SSH_ERR_INTERNAL_ERROR; 1838 1839 /* Copy the entire key blob for verification and later serialisation */ 1840 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1841 return ret; 1842 1843 /* Parse body of certificate up to signature */ 1844 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1845 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1846 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1847 (ret = sshbuf_froms(b, &principals)) != 0 || 1848 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1849 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1850 (ret = sshbuf_froms(b, &crit)) != 0 || 1851 (ret = sshbuf_froms(b, &exts)) != 0 || 1852 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1853 (ret = sshbuf_froms(b, &ca)) != 0) { 1854 /* XXX debug print error for ret */ 1855 ret = SSH_ERR_INVALID_FORMAT; 1856 goto out; 1857 } 1858 1859 /* Signature is left in the buffer so we can calculate this length */ 1860 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1861 1862 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1863 ret = SSH_ERR_INVALID_FORMAT; 1864 goto out; 1865 } 1866 1867 if (key->cert->type != SSH2_CERT_TYPE_USER && 1868 key->cert->type != SSH2_CERT_TYPE_HOST) { 1869 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1870 goto out; 1871 } 1872 1873 /* Parse principals section */ 1874 while (sshbuf_len(principals) > 0) { 1875 char *principal = NULL; 1876 char **oprincipals = NULL; 1877 1878 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1879 ret = SSH_ERR_INVALID_FORMAT; 1880 goto out; 1881 } 1882 if ((ret = sshbuf_get_cstring(principals, &principal, 1883 NULL)) != 0) { 1884 ret = SSH_ERR_INVALID_FORMAT; 1885 goto out; 1886 } 1887 oprincipals = key->cert->principals; 1888 key->cert->principals = recallocarray(key->cert->principals, 1889 key->cert->nprincipals, key->cert->nprincipals + 1, 1890 sizeof(*key->cert->principals)); 1891 if (key->cert->principals == NULL) { 1892 free(principal); 1893 key->cert->principals = oprincipals; 1894 ret = SSH_ERR_ALLOC_FAIL; 1895 goto out; 1896 } 1897 key->cert->principals[key->cert->nprincipals++] = principal; 1898 } 1899 1900 /* 1901 * Stash a copies of the critical options and extensions sections 1902 * for later use. 1903 */ 1904 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1905 (exts != NULL && 1906 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1907 goto out; 1908 1909 /* 1910 * Validate critical options and extensions sections format. 1911 */ 1912 while (sshbuf_len(crit) != 0) { 1913 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1914 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1915 sshbuf_reset(key->cert->critical); 1916 ret = SSH_ERR_INVALID_FORMAT; 1917 goto out; 1918 } 1919 } 1920 while (exts != NULL && sshbuf_len(exts) != 0) { 1921 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1922 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1923 sshbuf_reset(key->cert->extensions); 1924 ret = SSH_ERR_INVALID_FORMAT; 1925 goto out; 1926 } 1927 } 1928 1929 /* Parse CA key and check signature */ 1930 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1931 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1932 goto out; 1933 } 1934 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1935 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1936 goto out; 1937 } 1938 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1939 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0) 1940 goto out; 1941 if ((ret = get_sigtype(sig, slen, &key->cert->signature_type)) != 0) 1942 goto out; 1943 1944 /* Success */ 1945 ret = 0; 1946 out: 1947 sshbuf_free(ca); 1948 sshbuf_free(crit); 1949 sshbuf_free(exts); 1950 sshbuf_free(principals); 1951 free(sig); 1952 return ret; 1953 } 1954 1955 static int 1956 check_rsa_length(const RSA *rsa) 1957 { 1958 const BIGNUM *rsa_n; 1959 1960 RSA_get0_key(rsa, &rsa_n, NULL, NULL); 1961 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 1962 return SSH_ERR_KEY_LENGTH; 1963 return 0; 1964 } 1965 1966 static int 1967 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1968 int allow_cert) 1969 { 1970 int type, ret = SSH_ERR_INTERNAL_ERROR; 1971 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 1972 struct sshkey *key = NULL; 1973 size_t len; 1974 u_char *pk = NULL; 1975 struct sshbuf *copy; 1976 #ifdef WITH_OPENSSL 1977 EC_POINT *q = NULL; 1978 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 1979 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 1980 #endif /* WITH_OPENSSL */ 1981 1982 #ifdef DEBUG_PK /* XXX */ 1983 sshbuf_dump(b, stderr); 1984 #endif 1985 if (keyp != NULL) 1986 *keyp = NULL; 1987 if ((copy = sshbuf_fromb(b)) == NULL) { 1988 ret = SSH_ERR_ALLOC_FAIL; 1989 goto out; 1990 } 1991 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1992 ret = SSH_ERR_INVALID_FORMAT; 1993 goto out; 1994 } 1995 1996 type = sshkey_type_from_name(ktype); 1997 if (!allow_cert && sshkey_type_is_cert(type)) { 1998 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1999 goto out; 2000 } 2001 switch (type) { 2002 #ifdef WITH_OPENSSL 2003 case KEY_RSA_CERT: 2004 /* Skip nonce */ 2005 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2006 ret = SSH_ERR_INVALID_FORMAT; 2007 goto out; 2008 } 2009 /* FALLTHROUGH */ 2010 case KEY_RSA: 2011 if ((key = sshkey_new(type)) == NULL) { 2012 ret = SSH_ERR_ALLOC_FAIL; 2013 goto out; 2014 } 2015 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2016 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2017 ret = SSH_ERR_INVALID_FORMAT; 2018 goto out; 2019 } 2020 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2021 ret = SSH_ERR_LIBCRYPTO_ERROR; 2022 goto out; 2023 } 2024 rsa_n = rsa_e = NULL; /* transferred */ 2025 if ((ret = check_rsa_length(key->rsa)) != 0) 2026 goto out; 2027 #ifdef DEBUG_PK 2028 RSA_print_fp(stderr, key->rsa, 8); 2029 #endif 2030 break; 2031 case KEY_DSA_CERT: 2032 /* Skip nonce */ 2033 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2034 ret = SSH_ERR_INVALID_FORMAT; 2035 goto out; 2036 } 2037 /* FALLTHROUGH */ 2038 case KEY_DSA: 2039 if ((key = sshkey_new(type)) == NULL) { 2040 ret = SSH_ERR_ALLOC_FAIL; 2041 goto out; 2042 } 2043 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2044 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2045 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2046 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2047 ret = SSH_ERR_INVALID_FORMAT; 2048 goto out; 2049 } 2050 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2051 ret = SSH_ERR_LIBCRYPTO_ERROR; 2052 goto out; 2053 } 2054 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2055 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2056 ret = SSH_ERR_LIBCRYPTO_ERROR; 2057 goto out; 2058 } 2059 dsa_pub_key = NULL; /* transferred */ 2060 #ifdef DEBUG_PK 2061 DSA_print_fp(stderr, key->dsa, 8); 2062 #endif 2063 break; 2064 case KEY_ECDSA_CERT: 2065 /* Skip nonce */ 2066 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2067 ret = SSH_ERR_INVALID_FORMAT; 2068 goto out; 2069 } 2070 /* FALLTHROUGH */ 2071 case KEY_ECDSA: 2072 if ((key = sshkey_new(type)) == NULL) { 2073 ret = SSH_ERR_ALLOC_FAIL; 2074 goto out; 2075 } 2076 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2077 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2078 ret = SSH_ERR_INVALID_FORMAT; 2079 goto out; 2080 } 2081 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2082 ret = SSH_ERR_EC_CURVE_MISMATCH; 2083 goto out; 2084 } 2085 EC_KEY_free(key->ecdsa); 2086 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2087 == NULL) { 2088 ret = SSH_ERR_EC_CURVE_INVALID; 2089 goto out; 2090 } 2091 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2092 ret = SSH_ERR_ALLOC_FAIL; 2093 goto out; 2094 } 2095 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2096 ret = SSH_ERR_INVALID_FORMAT; 2097 goto out; 2098 } 2099 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2100 q) != 0) { 2101 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2102 goto out; 2103 } 2104 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2105 /* XXX assume it is a allocation error */ 2106 ret = SSH_ERR_ALLOC_FAIL; 2107 goto out; 2108 } 2109 #ifdef DEBUG_PK 2110 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2111 #endif 2112 break; 2113 #endif /* WITH_OPENSSL */ 2114 case KEY_ED25519_CERT: 2115 /* Skip nonce */ 2116 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2117 ret = SSH_ERR_INVALID_FORMAT; 2118 goto out; 2119 } 2120 /* FALLTHROUGH */ 2121 case KEY_ED25519: 2122 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2123 goto out; 2124 if (len != ED25519_PK_SZ) { 2125 ret = SSH_ERR_INVALID_FORMAT; 2126 goto out; 2127 } 2128 if ((key = sshkey_new(type)) == NULL) { 2129 ret = SSH_ERR_ALLOC_FAIL; 2130 goto out; 2131 } 2132 key->ed25519_pk = pk; 2133 pk = NULL; 2134 break; 2135 #ifdef WITH_XMSS 2136 case KEY_XMSS_CERT: 2137 /* Skip nonce */ 2138 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2139 ret = SSH_ERR_INVALID_FORMAT; 2140 goto out; 2141 } 2142 /* FALLTHROUGH */ 2143 case KEY_XMSS: 2144 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2145 goto out; 2146 if ((key = sshkey_new(type)) == NULL) { 2147 ret = SSH_ERR_ALLOC_FAIL; 2148 goto out; 2149 } 2150 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2151 goto out; 2152 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2153 goto out; 2154 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2155 ret = SSH_ERR_INVALID_FORMAT; 2156 goto out; 2157 } 2158 key->xmss_pk = pk; 2159 pk = NULL; 2160 if (type != KEY_XMSS_CERT && 2161 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2162 goto out; 2163 break; 2164 #endif /* WITH_XMSS */ 2165 case KEY_UNSPEC: 2166 default: 2167 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2168 goto out; 2169 } 2170 2171 /* Parse certificate potion */ 2172 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2173 goto out; 2174 2175 if (key != NULL && sshbuf_len(b) != 0) { 2176 ret = SSH_ERR_INVALID_FORMAT; 2177 goto out; 2178 } 2179 ret = 0; 2180 if (keyp != NULL) { 2181 *keyp = key; 2182 key = NULL; 2183 } 2184 out: 2185 sshbuf_free(copy); 2186 sshkey_free(key); 2187 free(xmss_name); 2188 free(ktype); 2189 free(curve); 2190 free(pk); 2191 #ifdef WITH_OPENSSL 2192 EC_POINT_free(q); 2193 BN_clear_free(rsa_n); 2194 BN_clear_free(rsa_e); 2195 BN_clear_free(dsa_p); 2196 BN_clear_free(dsa_q); 2197 BN_clear_free(dsa_g); 2198 BN_clear_free(dsa_pub_key); 2199 #endif /* WITH_OPENSSL */ 2200 return ret; 2201 } 2202 2203 int 2204 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2205 { 2206 struct sshbuf *b; 2207 int r; 2208 2209 if ((b = sshbuf_from(blob, blen)) == NULL) 2210 return SSH_ERR_ALLOC_FAIL; 2211 r = sshkey_from_blob_internal(b, keyp, 1); 2212 sshbuf_free(b); 2213 return r; 2214 } 2215 2216 int 2217 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2218 { 2219 return sshkey_from_blob_internal(b, keyp, 1); 2220 } 2221 2222 int 2223 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2224 { 2225 struct sshbuf *b; 2226 int r; 2227 2228 if ((r = sshbuf_froms(buf, &b)) != 0) 2229 return r; 2230 r = sshkey_from_blob_internal(b, keyp, 1); 2231 sshbuf_free(b); 2232 return r; 2233 } 2234 2235 static int 2236 get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2237 { 2238 int r; 2239 struct sshbuf *b = NULL; 2240 char *sigtype = NULL; 2241 2242 if (sigtypep != NULL) 2243 *sigtypep = NULL; 2244 if ((b = sshbuf_from(sig, siglen)) == NULL) 2245 return SSH_ERR_ALLOC_FAIL; 2246 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2247 goto out; 2248 /* success */ 2249 if (sigtypep != NULL) { 2250 *sigtypep = sigtype; 2251 sigtype = NULL; 2252 } 2253 r = 0; 2254 out: 2255 free(sigtype); 2256 sshbuf_free(b); 2257 return r; 2258 } 2259 2260 /* 2261 * 2262 * Checks whether a certificate's signature type is allowed. 2263 * Returns 0 (success) if the certificate signature type appears in the 2264 * "allowed" pattern-list, or the key is not a certificate to begin with. 2265 * Otherwise returns a ssherr.h code. 2266 */ 2267 int 2268 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2269 { 2270 if (key == NULL || allowed == NULL) 2271 return SSH_ERR_INVALID_ARGUMENT; 2272 if (!sshkey_type_is_cert(key->type)) 2273 return 0; 2274 if (key->cert == NULL || key->cert->signature_type == NULL) 2275 return SSH_ERR_INVALID_ARGUMENT; 2276 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2277 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2278 return 0; 2279 } 2280 2281 /* 2282 * Returns the expected signature algorithm for a given public key algorithm. 2283 */ 2284 const char * 2285 sshkey_sigalg_by_name(const char *name) 2286 { 2287 const struct keytype *kt; 2288 2289 for (kt = keytypes; kt->type != -1; kt++) { 2290 if (strcmp(kt->name, name) != 0) 2291 continue; 2292 if (kt->sigalg != NULL) 2293 return kt->sigalg; 2294 if (!kt->cert) 2295 return kt->name; 2296 return sshkey_ssh_name_from_type_nid( 2297 sshkey_type_plain(kt->type), kt->nid); 2298 } 2299 return NULL; 2300 } 2301 2302 /* 2303 * Verifies that the signature algorithm appearing inside the signature blob 2304 * matches that which was requested. 2305 */ 2306 int 2307 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2308 const char *requested_alg) 2309 { 2310 const char *expected_alg; 2311 char *sigtype = NULL; 2312 int r; 2313 2314 if (requested_alg == NULL) 2315 return 0; 2316 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2317 return SSH_ERR_INVALID_ARGUMENT; 2318 if ((r = get_sigtype(sig, siglen, &sigtype)) != 0) 2319 return r; 2320 r = strcmp(expected_alg, sigtype) == 0; 2321 free(sigtype); 2322 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2323 } 2324 2325 int 2326 sshkey_sign(const struct sshkey *key, 2327 u_char **sigp, size_t *lenp, 2328 const u_char *data, size_t datalen, const char *alg, u_int compat) 2329 { 2330 if (sigp != NULL) 2331 *sigp = NULL; 2332 if (lenp != NULL) 2333 *lenp = 0; 2334 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2335 return SSH_ERR_INVALID_ARGUMENT; 2336 switch (key->type) { 2337 #ifdef WITH_OPENSSL 2338 case KEY_DSA_CERT: 2339 case KEY_DSA: 2340 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2341 case KEY_ECDSA_CERT: 2342 case KEY_ECDSA: 2343 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2344 case KEY_RSA_CERT: 2345 case KEY_RSA: 2346 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2347 #endif /* WITH_OPENSSL */ 2348 case KEY_ED25519: 2349 case KEY_ED25519_CERT: 2350 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2351 #ifdef WITH_XMSS 2352 case KEY_XMSS: 2353 case KEY_XMSS_CERT: 2354 return ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2355 #endif /* WITH_XMSS */ 2356 default: 2357 return SSH_ERR_KEY_TYPE_UNKNOWN; 2358 } 2359 } 2360 2361 /* 2362 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2363 * If "alg" specified, then the signature must use that algorithm. 2364 */ 2365 int 2366 sshkey_verify(const struct sshkey *key, 2367 const u_char *sig, size_t siglen, 2368 const u_char *data, size_t dlen, const char *alg, u_int compat) 2369 { 2370 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2371 return SSH_ERR_INVALID_ARGUMENT; 2372 switch (key->type) { 2373 #ifdef WITH_OPENSSL 2374 case KEY_DSA_CERT: 2375 case KEY_DSA: 2376 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2377 case KEY_ECDSA_CERT: 2378 case KEY_ECDSA: 2379 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2380 case KEY_RSA_CERT: 2381 case KEY_RSA: 2382 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2383 #endif /* WITH_OPENSSL */ 2384 case KEY_ED25519: 2385 case KEY_ED25519_CERT: 2386 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2387 #ifdef WITH_XMSS 2388 case KEY_XMSS: 2389 case KEY_XMSS_CERT: 2390 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2391 #endif /* WITH_XMSS */ 2392 default: 2393 return SSH_ERR_KEY_TYPE_UNKNOWN; 2394 } 2395 } 2396 2397 /* Convert a plain key to their _CERT equivalent */ 2398 int 2399 sshkey_to_certified(struct sshkey *k) 2400 { 2401 int newtype; 2402 2403 switch (k->type) { 2404 #ifdef WITH_OPENSSL 2405 case KEY_RSA: 2406 newtype = KEY_RSA_CERT; 2407 break; 2408 case KEY_DSA: 2409 newtype = KEY_DSA_CERT; 2410 break; 2411 case KEY_ECDSA: 2412 newtype = KEY_ECDSA_CERT; 2413 break; 2414 #endif /* WITH_OPENSSL */ 2415 case KEY_ED25519: 2416 newtype = KEY_ED25519_CERT; 2417 break; 2418 #ifdef WITH_XMSS 2419 case KEY_XMSS: 2420 newtype = KEY_XMSS_CERT; 2421 break; 2422 #endif /* WITH_XMSS */ 2423 default: 2424 return SSH_ERR_INVALID_ARGUMENT; 2425 } 2426 if ((k->cert = cert_new()) == NULL) 2427 return SSH_ERR_ALLOC_FAIL; 2428 k->type = newtype; 2429 return 0; 2430 } 2431 2432 /* Convert a certificate to its raw key equivalent */ 2433 int 2434 sshkey_drop_cert(struct sshkey *k) 2435 { 2436 if (!sshkey_type_is_cert(k->type)) 2437 return SSH_ERR_KEY_TYPE_UNKNOWN; 2438 cert_free(k->cert); 2439 k->cert = NULL; 2440 k->type = sshkey_type_plain(k->type); 2441 return 0; 2442 } 2443 2444 /* Sign a certified key, (re-)generating the signed certblob. */ 2445 int 2446 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2447 sshkey_certify_signer *signer, void *signer_ctx) 2448 { 2449 struct sshbuf *principals = NULL; 2450 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2451 size_t i, ca_len, sig_len; 2452 int ret = SSH_ERR_INTERNAL_ERROR; 2453 struct sshbuf *cert = NULL; 2454 char *sigtype = NULL; 2455 #ifdef WITH_OPENSSL 2456 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2457 #endif /* WITH_OPENSSL */ 2458 2459 if (k == NULL || k->cert == NULL || 2460 k->cert->certblob == NULL || ca == NULL) 2461 return SSH_ERR_INVALID_ARGUMENT; 2462 if (!sshkey_is_cert(k)) 2463 return SSH_ERR_KEY_TYPE_UNKNOWN; 2464 if (!sshkey_type_is_valid_ca(ca->type)) 2465 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2466 2467 /* 2468 * If no alg specified as argument but a signature_type was set, 2469 * then prefer that. If both were specified, then they must match. 2470 */ 2471 if (alg == NULL) 2472 alg = k->cert->signature_type; 2473 else if (k->cert->signature_type != NULL && 2474 strcmp(alg, k->cert->signature_type) != 0) 2475 return SSH_ERR_INVALID_ARGUMENT; 2476 2477 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2478 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2479 2480 cert = k->cert->certblob; /* for readability */ 2481 sshbuf_reset(cert); 2482 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2483 goto out; 2484 2485 /* -v01 certs put nonce first */ 2486 arc4random_buf(&nonce, sizeof(nonce)); 2487 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2488 goto out; 2489 2490 /* XXX this substantially duplicates to_blob(); refactor */ 2491 switch (k->type) { 2492 #ifdef WITH_OPENSSL 2493 case KEY_DSA_CERT: 2494 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2495 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2496 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2497 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2498 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2499 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2500 goto out; 2501 break; 2502 case KEY_ECDSA_CERT: 2503 if ((ret = sshbuf_put_cstring(cert, 2504 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2505 (ret = sshbuf_put_ec(cert, 2506 EC_KEY_get0_public_key(k->ecdsa), 2507 EC_KEY_get0_group(k->ecdsa))) != 0) 2508 goto out; 2509 break; 2510 case KEY_RSA_CERT: 2511 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2512 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2513 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2514 goto out; 2515 break; 2516 #endif /* WITH_OPENSSL */ 2517 case KEY_ED25519_CERT: 2518 if ((ret = sshbuf_put_string(cert, 2519 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2520 goto out; 2521 break; 2522 #ifdef WITH_XMSS 2523 case KEY_XMSS_CERT: 2524 if (k->xmss_name == NULL) { 2525 ret = SSH_ERR_INVALID_ARGUMENT; 2526 goto out; 2527 } 2528 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2529 (ret = sshbuf_put_string(cert, 2530 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2531 goto out; 2532 break; 2533 #endif /* WITH_XMSS */ 2534 default: 2535 ret = SSH_ERR_INVALID_ARGUMENT; 2536 goto out; 2537 } 2538 2539 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2540 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2541 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2542 goto out; 2543 2544 if ((principals = sshbuf_new()) == NULL) { 2545 ret = SSH_ERR_ALLOC_FAIL; 2546 goto out; 2547 } 2548 for (i = 0; i < k->cert->nprincipals; i++) { 2549 if ((ret = sshbuf_put_cstring(principals, 2550 k->cert->principals[i])) != 0) 2551 goto out; 2552 } 2553 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2554 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2555 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2556 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2557 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2558 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2559 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2560 goto out; 2561 2562 /* Sign the whole mess */ 2563 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2564 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2565 goto out; 2566 /* Check and update signature_type against what was actually used */ 2567 if ((ret = get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2568 goto out; 2569 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2570 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2571 goto out; 2572 } 2573 if (k->cert->signature_type == NULL) { 2574 k->cert->signature_type = sigtype; 2575 sigtype = NULL; 2576 } 2577 /* Append signature and we are done */ 2578 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2579 goto out; 2580 ret = 0; 2581 out: 2582 if (ret != 0) 2583 sshbuf_reset(cert); 2584 free(sig_blob); 2585 free(ca_blob); 2586 free(sigtype); 2587 sshbuf_free(principals); 2588 return ret; 2589 } 2590 2591 static int 2592 default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 2593 const u_char *data, size_t datalen, 2594 const char *alg, u_int compat, void *ctx) 2595 { 2596 if (ctx != NULL) 2597 return SSH_ERR_INVALID_ARGUMENT; 2598 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2599 } 2600 2601 int 2602 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2603 { 2604 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2605 } 2606 2607 int 2608 sshkey_cert_check_authority(const struct sshkey *k, 2609 int want_host, int require_principal, 2610 const char *name, const char **reason) 2611 { 2612 u_int i, principal_matches; 2613 time_t now = time(NULL); 2614 2615 if (reason != NULL) 2616 *reason = NULL; 2617 2618 if (want_host) { 2619 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2620 *reason = "Certificate invalid: not a host certificate"; 2621 return SSH_ERR_KEY_CERT_INVALID; 2622 } 2623 } else { 2624 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2625 *reason = "Certificate invalid: not a user certificate"; 2626 return SSH_ERR_KEY_CERT_INVALID; 2627 } 2628 } 2629 if (now < 0) { 2630 /* yikes - system clock before epoch! */ 2631 *reason = "Certificate invalid: not yet valid"; 2632 return SSH_ERR_KEY_CERT_INVALID; 2633 } 2634 if ((u_int64_t)now < k->cert->valid_after) { 2635 *reason = "Certificate invalid: not yet valid"; 2636 return SSH_ERR_KEY_CERT_INVALID; 2637 } 2638 if ((u_int64_t)now >= k->cert->valid_before) { 2639 *reason = "Certificate invalid: expired"; 2640 return SSH_ERR_KEY_CERT_INVALID; 2641 } 2642 if (k->cert->nprincipals == 0) { 2643 if (require_principal) { 2644 *reason = "Certificate lacks principal list"; 2645 return SSH_ERR_KEY_CERT_INVALID; 2646 } 2647 } else if (name != NULL) { 2648 principal_matches = 0; 2649 for (i = 0; i < k->cert->nprincipals; i++) { 2650 if (strcmp(name, k->cert->principals[i]) == 0) { 2651 principal_matches = 1; 2652 break; 2653 } 2654 } 2655 if (!principal_matches) { 2656 *reason = "Certificate invalid: name is not a listed " 2657 "principal"; 2658 return SSH_ERR_KEY_CERT_INVALID; 2659 } 2660 } 2661 return 0; 2662 } 2663 2664 size_t 2665 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2666 { 2667 char from[32], to[32], ret[64]; 2668 time_t tt; 2669 struct tm *tm; 2670 2671 *from = *to = '\0'; 2672 if (cert->valid_after == 0 && 2673 cert->valid_before == 0xffffffffffffffffULL) 2674 return strlcpy(s, "forever", l); 2675 2676 if (cert->valid_after != 0) { 2677 /* XXX revisit INT_MAX in 2038 :) */ 2678 tt = cert->valid_after > INT_MAX ? 2679 INT_MAX : cert->valid_after; 2680 tm = localtime(&tt); 2681 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2682 } 2683 if (cert->valid_before != 0xffffffffffffffffULL) { 2684 /* XXX revisit INT_MAX in 2038 :) */ 2685 tt = cert->valid_before > INT_MAX ? 2686 INT_MAX : cert->valid_before; 2687 tm = localtime(&tt); 2688 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2689 } 2690 2691 if (cert->valid_after == 0) 2692 snprintf(ret, sizeof(ret), "before %s", to); 2693 else if (cert->valid_before == 0xffffffffffffffffULL) 2694 snprintf(ret, sizeof(ret), "after %s", from); 2695 else 2696 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2697 2698 return strlcpy(s, ret, l); 2699 } 2700 2701 int 2702 sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b, 2703 enum sshkey_serialize_rep opts) 2704 { 2705 int r = SSH_ERR_INTERNAL_ERROR; 2706 #ifdef WITH_OPENSSL 2707 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 2708 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 2709 #endif /* WITH_OPENSSL */ 2710 2711 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2712 goto out; 2713 switch (key->type) { 2714 #ifdef WITH_OPENSSL 2715 case KEY_RSA: 2716 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 2717 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2718 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2719 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 2720 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 2721 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2722 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2723 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2724 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2725 goto out; 2726 break; 2727 case KEY_RSA_CERT: 2728 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2729 r = SSH_ERR_INVALID_ARGUMENT; 2730 goto out; 2731 } 2732 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 2733 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2734 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2735 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2736 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2737 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2738 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2739 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2740 goto out; 2741 break; 2742 case KEY_DSA: 2743 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 2744 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 2745 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 2746 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 2747 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 2748 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 2749 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2750 goto out; 2751 break; 2752 case KEY_DSA_CERT: 2753 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2754 r = SSH_ERR_INVALID_ARGUMENT; 2755 goto out; 2756 } 2757 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 2758 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2759 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2760 goto out; 2761 break; 2762 case KEY_ECDSA: 2763 if ((r = sshbuf_put_cstring(b, 2764 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2765 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2766 (r = sshbuf_put_bignum2(b, 2767 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2768 goto out; 2769 break; 2770 case KEY_ECDSA_CERT: 2771 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2772 r = SSH_ERR_INVALID_ARGUMENT; 2773 goto out; 2774 } 2775 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2776 (r = sshbuf_put_bignum2(b, 2777 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2778 goto out; 2779 break; 2780 #endif /* WITH_OPENSSL */ 2781 case KEY_ED25519: 2782 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2783 ED25519_PK_SZ)) != 0 || 2784 (r = sshbuf_put_string(b, key->ed25519_sk, 2785 ED25519_SK_SZ)) != 0) 2786 goto out; 2787 break; 2788 case KEY_ED25519_CERT: 2789 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2790 r = SSH_ERR_INVALID_ARGUMENT; 2791 goto out; 2792 } 2793 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2794 (r = sshbuf_put_string(b, key->ed25519_pk, 2795 ED25519_PK_SZ)) != 0 || 2796 (r = sshbuf_put_string(b, key->ed25519_sk, 2797 ED25519_SK_SZ)) != 0) 2798 goto out; 2799 break; 2800 #ifdef WITH_XMSS 2801 case KEY_XMSS: 2802 if (key->xmss_name == NULL) { 2803 r = SSH_ERR_INVALID_ARGUMENT; 2804 goto out; 2805 } 2806 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 2807 (r = sshbuf_put_string(b, key->xmss_pk, 2808 sshkey_xmss_pklen(key))) != 0 || 2809 (r = sshbuf_put_string(b, key->xmss_sk, 2810 sshkey_xmss_sklen(key))) != 0 || 2811 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 2812 goto out; 2813 break; 2814 case KEY_XMSS_CERT: 2815 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 2816 key->xmss_name == NULL) { 2817 r = SSH_ERR_INVALID_ARGUMENT; 2818 goto out; 2819 } 2820 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2821 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 2822 (r = sshbuf_put_string(b, key->xmss_pk, 2823 sshkey_xmss_pklen(key))) != 0 || 2824 (r = sshbuf_put_string(b, key->xmss_sk, 2825 sshkey_xmss_sklen(key))) != 0 || 2826 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 2827 goto out; 2828 break; 2829 #endif /* WITH_XMSS */ 2830 default: 2831 r = SSH_ERR_INVALID_ARGUMENT; 2832 goto out; 2833 } 2834 /* success */ 2835 r = 0; 2836 out: 2837 return r; 2838 } 2839 2840 int 2841 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2842 { 2843 return sshkey_private_serialize_opt(key, b, 2844 SSHKEY_SERIALIZE_DEFAULT); 2845 } 2846 2847 int 2848 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2849 { 2850 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 2851 struct sshkey *k = NULL; 2852 size_t pklen = 0, sklen = 0; 2853 int type, r = SSH_ERR_INTERNAL_ERROR; 2854 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2855 u_char *xmss_pk = NULL, *xmss_sk = NULL; 2856 #ifdef WITH_OPENSSL 2857 BIGNUM *exponent = NULL; 2858 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 2859 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 2860 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 2861 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 2862 #endif /* WITH_OPENSSL */ 2863 2864 if (kp != NULL) 2865 *kp = NULL; 2866 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2867 goto out; 2868 type = sshkey_type_from_name(tname); 2869 switch (type) { 2870 #ifdef WITH_OPENSSL 2871 case KEY_DSA: 2872 if ((k = sshkey_new(type)) == NULL) { 2873 r = SSH_ERR_ALLOC_FAIL; 2874 goto out; 2875 } 2876 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 2877 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 2878 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 2879 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 || 2880 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 2881 goto out; 2882 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 2883 r = SSH_ERR_LIBCRYPTO_ERROR; 2884 goto out; 2885 } 2886 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2887 if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) { 2888 r = SSH_ERR_LIBCRYPTO_ERROR; 2889 goto out; 2890 } 2891 dsa_pub_key = dsa_priv_key = NULL; /* transferred */ 2892 break; 2893 case KEY_DSA_CERT: 2894 if ((r = sshkey_froms(buf, &k)) != 0 || 2895 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 2896 goto out; 2897 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 2898 r = SSH_ERR_LIBCRYPTO_ERROR; 2899 goto out; 2900 } 2901 dsa_priv_key = NULL; /* transferred */ 2902 break; 2903 case KEY_ECDSA: 2904 if ((k = sshkey_new(type)) == NULL) { 2905 r = SSH_ERR_ALLOC_FAIL; 2906 goto out; 2907 } 2908 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2909 r = SSH_ERR_INVALID_ARGUMENT; 2910 goto out; 2911 } 2912 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2913 goto out; 2914 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2915 r = SSH_ERR_EC_CURVE_MISMATCH; 2916 goto out; 2917 } 2918 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2919 if (k->ecdsa == NULL) { 2920 r = SSH_ERR_LIBCRYPTO_ERROR; 2921 goto out; 2922 } 2923 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2924 (r = sshbuf_get_bignum2(buf, &exponent))) 2925 goto out; 2926 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2927 r = SSH_ERR_LIBCRYPTO_ERROR; 2928 goto out; 2929 } 2930 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2931 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2932 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2933 goto out; 2934 break; 2935 case KEY_ECDSA_CERT: 2936 if ((r = sshkey_froms(buf, &k)) != 0 || 2937 (r = sshbuf_get_bignum2(buf, &exponent)) != 0) 2938 goto out; 2939 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2940 r = SSH_ERR_LIBCRYPTO_ERROR; 2941 goto out; 2942 } 2943 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2944 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2945 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2946 goto out; 2947 break; 2948 case KEY_RSA: 2949 if ((k = sshkey_new(type)) == NULL) { 2950 r = SSH_ERR_ALLOC_FAIL; 2951 goto out; 2952 } 2953 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 2954 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 || 2955 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 2956 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 2957 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 2958 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 2959 goto out; 2960 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) { 2961 r = SSH_ERR_LIBCRYPTO_ERROR; 2962 goto out; 2963 } 2964 rsa_n = rsa_e = rsa_d = NULL; /* transferred */ 2965 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 2966 r = SSH_ERR_LIBCRYPTO_ERROR; 2967 goto out; 2968 } 2969 rsa_p = rsa_q = NULL; /* transferred */ 2970 if ((r = check_rsa_length(k->rsa)) != 0) 2971 goto out; 2972 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 2973 goto out; 2974 break; 2975 case KEY_RSA_CERT: 2976 if ((r = sshkey_froms(buf, &k)) != 0 || 2977 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 2978 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 2979 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 2980 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 2981 goto out; 2982 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 2983 r = SSH_ERR_LIBCRYPTO_ERROR; 2984 goto out; 2985 } 2986 rsa_d = NULL; /* transferred */ 2987 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 2988 r = SSH_ERR_LIBCRYPTO_ERROR; 2989 goto out; 2990 } 2991 rsa_p = rsa_q = NULL; /* transferred */ 2992 if ((r = check_rsa_length(k->rsa)) != 0) 2993 goto out; 2994 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 2995 goto out; 2996 break; 2997 #endif /* WITH_OPENSSL */ 2998 case KEY_ED25519: 2999 if ((k = sshkey_new(type)) == NULL) { 3000 r = SSH_ERR_ALLOC_FAIL; 3001 goto out; 3002 } 3003 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3004 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3005 goto out; 3006 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3007 r = SSH_ERR_INVALID_FORMAT; 3008 goto out; 3009 } 3010 k->ed25519_pk = ed25519_pk; 3011 k->ed25519_sk = ed25519_sk; 3012 ed25519_pk = ed25519_sk = NULL; 3013 break; 3014 case KEY_ED25519_CERT: 3015 if ((r = sshkey_froms(buf, &k)) != 0 || 3016 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3017 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3018 goto out; 3019 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3020 r = SSH_ERR_INVALID_FORMAT; 3021 goto out; 3022 } 3023 k->ed25519_pk = ed25519_pk; 3024 k->ed25519_sk = ed25519_sk; 3025 ed25519_pk = ed25519_sk = NULL; 3026 break; 3027 #ifdef WITH_XMSS 3028 case KEY_XMSS: 3029 if ((k = sshkey_new(type)) == NULL) { 3030 r = SSH_ERR_ALLOC_FAIL; 3031 goto out; 3032 } 3033 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3034 (r = sshkey_xmss_init(k, xmss_name)) != 0 || 3035 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3036 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3037 goto out; 3038 if (pklen != sshkey_xmss_pklen(k) || 3039 sklen != sshkey_xmss_sklen(k)) { 3040 r = SSH_ERR_INVALID_FORMAT; 3041 goto out; 3042 } 3043 k->xmss_pk = xmss_pk; 3044 k->xmss_sk = xmss_sk; 3045 xmss_pk = xmss_sk = NULL; 3046 /* optional internal state */ 3047 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3048 goto out; 3049 break; 3050 case KEY_XMSS_CERT: 3051 if ((r = sshkey_froms(buf, &k)) != 0 || 3052 (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3053 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3054 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3055 goto out; 3056 if (strcmp(xmss_name, k->xmss_name)) { 3057 r = SSH_ERR_INVALID_FORMAT; 3058 goto out; 3059 } 3060 if (pklen != sshkey_xmss_pklen(k) || 3061 sklen != sshkey_xmss_sklen(k)) { 3062 r = SSH_ERR_INVALID_FORMAT; 3063 goto out; 3064 } 3065 k->xmss_pk = xmss_pk; 3066 k->xmss_sk = xmss_sk; 3067 xmss_pk = xmss_sk = NULL; 3068 /* optional internal state */ 3069 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3070 goto out; 3071 break; 3072 #endif /* WITH_XMSS */ 3073 default: 3074 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3075 goto out; 3076 } 3077 #ifdef WITH_OPENSSL 3078 /* enable blinding */ 3079 switch (k->type) { 3080 case KEY_RSA: 3081 case KEY_RSA_CERT: 3082 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3083 r = SSH_ERR_LIBCRYPTO_ERROR; 3084 goto out; 3085 } 3086 break; 3087 } 3088 #endif /* WITH_OPENSSL */ 3089 /* success */ 3090 r = 0; 3091 if (kp != NULL) { 3092 *kp = k; 3093 k = NULL; 3094 } 3095 out: 3096 free(tname); 3097 free(curve); 3098 #ifdef WITH_OPENSSL 3099 BN_clear_free(exponent); 3100 BN_clear_free(dsa_p); 3101 BN_clear_free(dsa_q); 3102 BN_clear_free(dsa_g); 3103 BN_clear_free(dsa_pub_key); 3104 BN_clear_free(dsa_priv_key); 3105 BN_clear_free(rsa_n); 3106 BN_clear_free(rsa_e); 3107 BN_clear_free(rsa_d); 3108 BN_clear_free(rsa_p); 3109 BN_clear_free(rsa_q); 3110 BN_clear_free(rsa_iqmp); 3111 #endif /* WITH_OPENSSL */ 3112 sshkey_free(k); 3113 freezero(ed25519_pk, pklen); 3114 freezero(ed25519_sk, sklen); 3115 free(xmss_name); 3116 freezero(xmss_pk, pklen); 3117 freezero(xmss_sk, sklen); 3118 return r; 3119 } 3120 3121 #ifdef WITH_OPENSSL 3122 int 3123 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3124 { 3125 BN_CTX *bnctx; 3126 EC_POINT *nq = NULL; 3127 BIGNUM *order, *x, *y, *tmp; 3128 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3129 3130 /* 3131 * NB. This assumes OpenSSL has already verified that the public 3132 * point lies on the curve. This is done by EC_POINT_oct2point() 3133 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3134 * reachable with public points not unmarshalled using 3135 * EC_POINT_oct2point then the caller will need to explicitly check. 3136 */ 3137 3138 if ((bnctx = BN_CTX_new()) == NULL) 3139 return SSH_ERR_ALLOC_FAIL; 3140 BN_CTX_start(bnctx); 3141 3142 /* 3143 * We shouldn't ever hit this case because bignum_get_ecpoint() 3144 * refuses to load GF2m points. 3145 */ 3146 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3147 NID_X9_62_prime_field) 3148 goto out; 3149 3150 /* Q != infinity */ 3151 if (EC_POINT_is_at_infinity(group, public)) 3152 goto out; 3153 3154 if ((x = BN_CTX_get(bnctx)) == NULL || 3155 (y = BN_CTX_get(bnctx)) == NULL || 3156 (order = BN_CTX_get(bnctx)) == NULL || 3157 (tmp = BN_CTX_get(bnctx)) == NULL) { 3158 ret = SSH_ERR_ALLOC_FAIL; 3159 goto out; 3160 } 3161 3162 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3163 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 3164 EC_POINT_get_affine_coordinates_GFp(group, public, 3165 x, y, bnctx) != 1) { 3166 ret = SSH_ERR_LIBCRYPTO_ERROR; 3167 goto out; 3168 } 3169 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3170 BN_num_bits(y) <= BN_num_bits(order) / 2) 3171 goto out; 3172 3173 /* nQ == infinity (n == order of subgroup) */ 3174 if ((nq = EC_POINT_new(group)) == NULL) { 3175 ret = SSH_ERR_ALLOC_FAIL; 3176 goto out; 3177 } 3178 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 3179 ret = SSH_ERR_LIBCRYPTO_ERROR; 3180 goto out; 3181 } 3182 if (EC_POINT_is_at_infinity(group, nq) != 1) 3183 goto out; 3184 3185 /* x < order - 1, y < order - 1 */ 3186 if (!BN_sub(tmp, order, BN_value_one())) { 3187 ret = SSH_ERR_LIBCRYPTO_ERROR; 3188 goto out; 3189 } 3190 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3191 goto out; 3192 ret = 0; 3193 out: 3194 BN_CTX_free(bnctx); 3195 EC_POINT_free(nq); 3196 return ret; 3197 } 3198 3199 int 3200 sshkey_ec_validate_private(const EC_KEY *key) 3201 { 3202 BN_CTX *bnctx; 3203 BIGNUM *order, *tmp; 3204 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3205 3206 if ((bnctx = BN_CTX_new()) == NULL) 3207 return SSH_ERR_ALLOC_FAIL; 3208 BN_CTX_start(bnctx); 3209 3210 if ((order = BN_CTX_get(bnctx)) == NULL || 3211 (tmp = BN_CTX_get(bnctx)) == NULL) { 3212 ret = SSH_ERR_ALLOC_FAIL; 3213 goto out; 3214 } 3215 3216 /* log2(private) > log2(order)/2 */ 3217 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 3218 ret = SSH_ERR_LIBCRYPTO_ERROR; 3219 goto out; 3220 } 3221 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3222 BN_num_bits(order) / 2) 3223 goto out; 3224 3225 /* private < order - 1 */ 3226 if (!BN_sub(tmp, order, BN_value_one())) { 3227 ret = SSH_ERR_LIBCRYPTO_ERROR; 3228 goto out; 3229 } 3230 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3231 goto out; 3232 ret = 0; 3233 out: 3234 BN_CTX_free(bnctx); 3235 return ret; 3236 } 3237 3238 void 3239 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3240 { 3241 BIGNUM *x, *y; 3242 BN_CTX *bnctx; 3243 3244 if (point == NULL) { 3245 fputs("point=(NULL)\n", stderr); 3246 return; 3247 } 3248 if ((bnctx = BN_CTX_new()) == NULL) { 3249 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 3250 return; 3251 } 3252 BN_CTX_start(bnctx); 3253 if ((x = BN_CTX_get(bnctx)) == NULL || 3254 (y = BN_CTX_get(bnctx)) == NULL) { 3255 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 3256 return; 3257 } 3258 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3259 NID_X9_62_prime_field) { 3260 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3261 return; 3262 } 3263 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 3264 bnctx) != 1) { 3265 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3266 __func__); 3267 return; 3268 } 3269 fputs("x=", stderr); 3270 BN_print_fp(stderr, x); 3271 fputs("\ny=", stderr); 3272 BN_print_fp(stderr, y); 3273 fputs("\n", stderr); 3274 BN_CTX_free(bnctx); 3275 } 3276 3277 void 3278 sshkey_dump_ec_key(const EC_KEY *key) 3279 { 3280 const BIGNUM *exponent; 3281 3282 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3283 EC_KEY_get0_public_key(key)); 3284 fputs("exponent=", stderr); 3285 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3286 fputs("(NULL)", stderr); 3287 else 3288 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3289 fputs("\n", stderr); 3290 } 3291 #endif /* WITH_OPENSSL */ 3292 3293 static int 3294 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 3295 const char *passphrase, const char *comment, const char *ciphername, 3296 int rounds) 3297 { 3298 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3299 u_char salt[SALT_LEN]; 3300 char *b64 = NULL; 3301 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3302 u_int check; 3303 int r = SSH_ERR_INTERNAL_ERROR; 3304 struct sshcipher_ctx *ciphercontext = NULL; 3305 const struct sshcipher *cipher; 3306 const char *kdfname = KDFNAME; 3307 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3308 3309 if (rounds <= 0) 3310 rounds = DEFAULT_ROUNDS; 3311 if (passphrase == NULL || !strlen(passphrase)) { 3312 ciphername = "none"; 3313 kdfname = "none"; 3314 } else if (ciphername == NULL) 3315 ciphername = DEFAULT_CIPHERNAME; 3316 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3317 r = SSH_ERR_INVALID_ARGUMENT; 3318 goto out; 3319 } 3320 3321 if ((kdf = sshbuf_new()) == NULL || 3322 (encoded = sshbuf_new()) == NULL || 3323 (encrypted = sshbuf_new()) == NULL) { 3324 r = SSH_ERR_ALLOC_FAIL; 3325 goto out; 3326 } 3327 blocksize = cipher_blocksize(cipher); 3328 keylen = cipher_keylen(cipher); 3329 ivlen = cipher_ivlen(cipher); 3330 authlen = cipher_authlen(cipher); 3331 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3332 r = SSH_ERR_ALLOC_FAIL; 3333 goto out; 3334 } 3335 if (strcmp(kdfname, "bcrypt") == 0) { 3336 arc4random_buf(salt, SALT_LEN); 3337 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3338 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3339 r = SSH_ERR_INVALID_ARGUMENT; 3340 goto out; 3341 } 3342 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3343 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3344 goto out; 3345 } else if (strcmp(kdfname, "none") != 0) { 3346 /* Unsupported KDF type */ 3347 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3348 goto out; 3349 } 3350 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3351 key + keylen, ivlen, 1)) != 0) 3352 goto out; 3353 3354 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3355 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3356 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3357 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3358 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3359 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3360 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3361 goto out; 3362 3363 /* set up the buffer that will be encrypted */ 3364 3365 /* Random check bytes */ 3366 check = arc4random(); 3367 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3368 (r = sshbuf_put_u32(encrypted, check)) != 0) 3369 goto out; 3370 3371 /* append private key and comment*/ 3372 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3373 SSHKEY_SERIALIZE_FULL)) != 0 || 3374 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3375 goto out; 3376 3377 /* padding */ 3378 i = 0; 3379 while (sshbuf_len(encrypted) % blocksize) { 3380 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3381 goto out; 3382 } 3383 3384 /* length in destination buffer */ 3385 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3386 goto out; 3387 3388 /* encrypt */ 3389 if ((r = sshbuf_reserve(encoded, 3390 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3391 goto out; 3392 if ((r = cipher_crypt(ciphercontext, 0, cp, 3393 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3394 goto out; 3395 3396 /* uuencode */ 3397 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3398 r = SSH_ERR_ALLOC_FAIL; 3399 goto out; 3400 } 3401 3402 sshbuf_reset(blob); 3403 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3404 goto out; 3405 for (i = 0; i < strlen(b64); i++) { 3406 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3407 goto out; 3408 /* insert line breaks */ 3409 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3410 goto out; 3411 } 3412 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3413 goto out; 3414 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3415 goto out; 3416 3417 /* success */ 3418 r = 0; 3419 3420 out: 3421 sshbuf_free(kdf); 3422 sshbuf_free(encoded); 3423 sshbuf_free(encrypted); 3424 cipher_free(ciphercontext); 3425 explicit_bzero(salt, sizeof(salt)); 3426 if (key != NULL) { 3427 explicit_bzero(key, keylen + ivlen); 3428 free(key); 3429 } 3430 if (pubkeyblob != NULL) { 3431 explicit_bzero(pubkeyblob, pubkeylen); 3432 free(pubkeyblob); 3433 } 3434 if (b64 != NULL) { 3435 explicit_bzero(b64, strlen(b64)); 3436 free(b64); 3437 } 3438 return r; 3439 } 3440 3441 static int 3442 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3443 struct sshkey **keyp, char **commentp) 3444 { 3445 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3446 const struct sshcipher *cipher = NULL; 3447 const u_char *cp; 3448 int r = SSH_ERR_INTERNAL_ERROR; 3449 size_t encoded_len; 3450 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3451 struct sshbuf *encoded = NULL, *decoded = NULL; 3452 struct sshbuf *kdf = NULL, *decrypted = NULL; 3453 struct sshcipher_ctx *ciphercontext = NULL; 3454 struct sshkey *k = NULL; 3455 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3456 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3457 3458 if (keyp != NULL) 3459 *keyp = NULL; 3460 if (commentp != NULL) 3461 *commentp = NULL; 3462 3463 if ((encoded = sshbuf_new()) == NULL || 3464 (decoded = sshbuf_new()) == NULL || 3465 (decrypted = sshbuf_new()) == NULL) { 3466 r = SSH_ERR_ALLOC_FAIL; 3467 goto out; 3468 } 3469 3470 /* check preamble */ 3471 cp = sshbuf_ptr(blob); 3472 encoded_len = sshbuf_len(blob); 3473 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3474 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3475 r = SSH_ERR_INVALID_FORMAT; 3476 goto out; 3477 } 3478 cp += MARK_BEGIN_LEN; 3479 encoded_len -= MARK_BEGIN_LEN; 3480 3481 /* Look for end marker, removing whitespace as we go */ 3482 while (encoded_len > 0) { 3483 if (*cp != '\n' && *cp != '\r') { 3484 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3485 goto out; 3486 } 3487 last = *cp; 3488 encoded_len--; 3489 cp++; 3490 if (last == '\n') { 3491 if (encoded_len >= MARK_END_LEN && 3492 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3493 /* \0 terminate */ 3494 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3495 goto out; 3496 break; 3497 } 3498 } 3499 } 3500 if (encoded_len == 0) { 3501 r = SSH_ERR_INVALID_FORMAT; 3502 goto out; 3503 } 3504 3505 /* decode base64 */ 3506 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3507 goto out; 3508 3509 /* check magic */ 3510 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3511 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3512 r = SSH_ERR_INVALID_FORMAT; 3513 goto out; 3514 } 3515 /* parse public portion of key */ 3516 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3517 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3518 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3519 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3520 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3521 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3522 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3523 goto out; 3524 3525 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3526 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3527 goto out; 3528 } 3529 if ((passphrase == NULL || strlen(passphrase) == 0) && 3530 strcmp(ciphername, "none") != 0) { 3531 /* passphrase required */ 3532 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3533 goto out; 3534 } 3535 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3536 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3537 goto out; 3538 } 3539 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3540 r = SSH_ERR_INVALID_FORMAT; 3541 goto out; 3542 } 3543 if (nkeys != 1) { 3544 /* XXX only one key supported */ 3545 r = SSH_ERR_INVALID_FORMAT; 3546 goto out; 3547 } 3548 3549 /* check size of encrypted key blob */ 3550 blocksize = cipher_blocksize(cipher); 3551 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3552 r = SSH_ERR_INVALID_FORMAT; 3553 goto out; 3554 } 3555 3556 /* setup key */ 3557 keylen = cipher_keylen(cipher); 3558 ivlen = cipher_ivlen(cipher); 3559 authlen = cipher_authlen(cipher); 3560 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3561 r = SSH_ERR_ALLOC_FAIL; 3562 goto out; 3563 } 3564 if (strcmp(kdfname, "bcrypt") == 0) { 3565 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3566 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3567 goto out; 3568 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3569 key, keylen + ivlen, rounds) < 0) { 3570 r = SSH_ERR_INVALID_FORMAT; 3571 goto out; 3572 } 3573 } 3574 3575 /* check that an appropriate amount of auth data is present */ 3576 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3577 r = SSH_ERR_INVALID_FORMAT; 3578 goto out; 3579 } 3580 3581 /* decrypt private portion of key */ 3582 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3583 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3584 key + keylen, ivlen, 0)) != 0) 3585 goto out; 3586 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3587 encrypted_len, 0, authlen)) != 0) { 3588 /* an integrity error here indicates an incorrect passphrase */ 3589 if (r == SSH_ERR_MAC_INVALID) 3590 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3591 goto out; 3592 } 3593 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3594 goto out; 3595 /* there should be no trailing data */ 3596 if (sshbuf_len(decoded) != 0) { 3597 r = SSH_ERR_INVALID_FORMAT; 3598 goto out; 3599 } 3600 3601 /* check check bytes */ 3602 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3603 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3604 goto out; 3605 if (check1 != check2) { 3606 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3607 goto out; 3608 } 3609 3610 /* Load the private key and comment */ 3611 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3612 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3613 goto out; 3614 3615 /* Check deterministic padding */ 3616 i = 0; 3617 while (sshbuf_len(decrypted)) { 3618 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3619 goto out; 3620 if (pad != (++i & 0xff)) { 3621 r = SSH_ERR_INVALID_FORMAT; 3622 goto out; 3623 } 3624 } 3625 3626 /* XXX decode pubkey and check against private */ 3627 3628 /* success */ 3629 r = 0; 3630 if (keyp != NULL) { 3631 *keyp = k; 3632 k = NULL; 3633 } 3634 if (commentp != NULL) { 3635 *commentp = comment; 3636 comment = NULL; 3637 } 3638 out: 3639 pad = 0; 3640 cipher_free(ciphercontext); 3641 free(ciphername); 3642 free(kdfname); 3643 free(comment); 3644 if (salt != NULL) { 3645 explicit_bzero(salt, slen); 3646 free(salt); 3647 } 3648 if (key != NULL) { 3649 explicit_bzero(key, keylen + ivlen); 3650 free(key); 3651 } 3652 sshbuf_free(encoded); 3653 sshbuf_free(decoded); 3654 sshbuf_free(kdf); 3655 sshbuf_free(decrypted); 3656 sshkey_free(k); 3657 return r; 3658 } 3659 3660 3661 #ifdef WITH_OPENSSL 3662 /* convert SSH v2 key in OpenSSL PEM format */ 3663 static int 3664 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3665 const char *_passphrase, const char *comment) 3666 { 3667 int success, r; 3668 int blen, len = strlen(_passphrase); 3669 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3670 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3671 char *bptr; 3672 BIO *bio = NULL; 3673 3674 if (len > 0 && len <= 4) 3675 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3676 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3677 return SSH_ERR_ALLOC_FAIL; 3678 3679 switch (key->type) { 3680 case KEY_DSA: 3681 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3682 cipher, passphrase, len, NULL, NULL); 3683 break; 3684 case KEY_ECDSA: 3685 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3686 cipher, passphrase, len, NULL, NULL); 3687 break; 3688 case KEY_RSA: 3689 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3690 cipher, passphrase, len, NULL, NULL); 3691 break; 3692 default: 3693 success = 0; 3694 break; 3695 } 3696 if (success == 0) { 3697 r = SSH_ERR_LIBCRYPTO_ERROR; 3698 goto out; 3699 } 3700 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3701 r = SSH_ERR_INTERNAL_ERROR; 3702 goto out; 3703 } 3704 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3705 goto out; 3706 r = 0; 3707 out: 3708 BIO_free(bio); 3709 return r; 3710 } 3711 #endif /* WITH_OPENSSL */ 3712 3713 /* Serialise "key" to buffer "blob" */ 3714 int 3715 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3716 const char *passphrase, const char *comment, 3717 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3718 { 3719 switch (key->type) { 3720 #ifdef WITH_OPENSSL 3721 case KEY_DSA: 3722 case KEY_ECDSA: 3723 case KEY_RSA: 3724 if (force_new_format) { 3725 return sshkey_private_to_blob2(key, blob, passphrase, 3726 comment, new_format_cipher, new_format_rounds); 3727 } 3728 return sshkey_private_pem_to_blob(key, blob, 3729 passphrase, comment); 3730 #endif /* WITH_OPENSSL */ 3731 case KEY_ED25519: 3732 #ifdef WITH_XMSS 3733 case KEY_XMSS: 3734 #endif /* WITH_XMSS */ 3735 return sshkey_private_to_blob2(key, blob, passphrase, 3736 comment, new_format_cipher, new_format_rounds); 3737 default: 3738 return SSH_ERR_KEY_TYPE_UNKNOWN; 3739 } 3740 } 3741 3742 3743 #ifdef WITH_OPENSSL 3744 static int 3745 translate_libcrypto_error(unsigned long pem_err) 3746 { 3747 int pem_reason = ERR_GET_REASON(pem_err); 3748 3749 switch (ERR_GET_LIB(pem_err)) { 3750 case ERR_LIB_PEM: 3751 switch (pem_reason) { 3752 case PEM_R_BAD_PASSWORD_READ: 3753 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3754 case PEM_R_BAD_DECRYPT: 3755 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3756 default: 3757 return SSH_ERR_INVALID_FORMAT; 3758 } 3759 case ERR_LIB_EVP: 3760 switch (pem_reason) { 3761 case EVP_R_BAD_DECRYPT: 3762 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3763 #ifdef EVP_R_BN_DECODE_ERROR 3764 case EVP_R_BN_DECODE_ERROR: 3765 #endif 3766 case EVP_R_DECODE_ERROR: 3767 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3768 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3769 #endif 3770 return SSH_ERR_INVALID_FORMAT; 3771 default: 3772 return SSH_ERR_LIBCRYPTO_ERROR; 3773 } 3774 case ERR_LIB_ASN1: 3775 return SSH_ERR_INVALID_FORMAT; 3776 } 3777 return SSH_ERR_LIBCRYPTO_ERROR; 3778 } 3779 3780 static void 3781 clear_libcrypto_errors(void) 3782 { 3783 while (ERR_get_error() != 0) 3784 ; 3785 } 3786 3787 /* 3788 * Translate OpenSSL error codes to determine whether 3789 * passphrase is required/incorrect. 3790 */ 3791 static int 3792 convert_libcrypto_error(void) 3793 { 3794 /* 3795 * Some password errors are reported at the beginning 3796 * of the error queue. 3797 */ 3798 if (translate_libcrypto_error(ERR_peek_error()) == 3799 SSH_ERR_KEY_WRONG_PASSPHRASE) 3800 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3801 return translate_libcrypto_error(ERR_peek_last_error()); 3802 } 3803 3804 static int 3805 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3806 const char *passphrase, struct sshkey **keyp) 3807 { 3808 EVP_PKEY *pk = NULL; 3809 struct sshkey *prv = NULL; 3810 BIO *bio = NULL; 3811 int r; 3812 3813 if (keyp != NULL) 3814 *keyp = NULL; 3815 3816 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3817 return SSH_ERR_ALLOC_FAIL; 3818 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3819 (int)sshbuf_len(blob)) { 3820 r = SSH_ERR_ALLOC_FAIL; 3821 goto out; 3822 } 3823 3824 clear_libcrypto_errors(); 3825 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3826 (char *)passphrase)) == NULL) { 3827 /* 3828 * libcrypto may return various ASN.1 errors when attempting 3829 * to parse a key with an incorrect passphrase. 3830 * Treat all format errors as "incorrect passphrase" if a 3831 * passphrase was supplied. 3832 */ 3833 if (passphrase != NULL && *passphrase != '\0') 3834 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3835 else 3836 r = convert_libcrypto_error(); 3837 goto out; 3838 } 3839 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 3840 (type == KEY_UNSPEC || type == KEY_RSA)) { 3841 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3842 r = SSH_ERR_ALLOC_FAIL; 3843 goto out; 3844 } 3845 prv->rsa = EVP_PKEY_get1_RSA(pk); 3846 prv->type = KEY_RSA; 3847 #ifdef DEBUG_PK 3848 RSA_print_fp(stderr, prv->rsa, 8); 3849 #endif 3850 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3851 r = SSH_ERR_LIBCRYPTO_ERROR; 3852 goto out; 3853 } 3854 if ((r = check_rsa_length(prv->rsa)) != 0) 3855 goto out; 3856 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 3857 (type == KEY_UNSPEC || type == KEY_DSA)) { 3858 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3859 r = SSH_ERR_ALLOC_FAIL; 3860 goto out; 3861 } 3862 prv->dsa = EVP_PKEY_get1_DSA(pk); 3863 prv->type = KEY_DSA; 3864 #ifdef DEBUG_PK 3865 DSA_print_fp(stderr, prv->dsa, 8); 3866 #endif 3867 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 3868 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3869 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3870 r = SSH_ERR_ALLOC_FAIL; 3871 goto out; 3872 } 3873 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3874 prv->type = KEY_ECDSA; 3875 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3876 if (prv->ecdsa_nid == -1 || 3877 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3878 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3879 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3880 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3881 r = SSH_ERR_INVALID_FORMAT; 3882 goto out; 3883 } 3884 #ifdef DEBUG_PK 3885 if (prv != NULL && prv->ecdsa != NULL) 3886 sshkey_dump_ec_key(prv->ecdsa); 3887 #endif 3888 } else { 3889 r = SSH_ERR_INVALID_FORMAT; 3890 goto out; 3891 } 3892 r = 0; 3893 if (keyp != NULL) { 3894 *keyp = prv; 3895 prv = NULL; 3896 } 3897 out: 3898 BIO_free(bio); 3899 EVP_PKEY_free(pk); 3900 sshkey_free(prv); 3901 return r; 3902 } 3903 #endif /* WITH_OPENSSL */ 3904 3905 int 3906 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3907 const char *passphrase, struct sshkey **keyp, char **commentp) 3908 { 3909 int r = SSH_ERR_INTERNAL_ERROR; 3910 3911 if (keyp != NULL) 3912 *keyp = NULL; 3913 if (commentp != NULL) 3914 *commentp = NULL; 3915 3916 switch (type) { 3917 #ifdef WITH_OPENSSL 3918 case KEY_DSA: 3919 case KEY_ECDSA: 3920 case KEY_RSA: 3921 return sshkey_parse_private_pem_fileblob(blob, type, 3922 passphrase, keyp); 3923 #endif /* WITH_OPENSSL */ 3924 case KEY_ED25519: 3925 #ifdef WITH_XMSS 3926 case KEY_XMSS: 3927 #endif /* WITH_XMSS */ 3928 return sshkey_parse_private2(blob, type, passphrase, 3929 keyp, commentp); 3930 case KEY_UNSPEC: 3931 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3932 commentp); 3933 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3934 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3935 return r; 3936 #ifdef WITH_OPENSSL 3937 return sshkey_parse_private_pem_fileblob(blob, type, 3938 passphrase, keyp); 3939 #else 3940 return SSH_ERR_INVALID_FORMAT; 3941 #endif /* WITH_OPENSSL */ 3942 default: 3943 return SSH_ERR_KEY_TYPE_UNKNOWN; 3944 } 3945 } 3946 3947 int 3948 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3949 struct sshkey **keyp, char **commentp) 3950 { 3951 if (keyp != NULL) 3952 *keyp = NULL; 3953 if (commentp != NULL) 3954 *commentp = NULL; 3955 3956 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3957 passphrase, keyp, commentp); 3958 } 3959 3960 #ifdef WITH_XMSS 3961 /* 3962 * serialize the key with the current state and forward the state 3963 * maxsign times. 3964 */ 3965 int 3966 sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b, 3967 u_int32_t maxsign, sshkey_printfn *pr) 3968 { 3969 int r, rupdate; 3970 3971 if (maxsign == 0 || 3972 sshkey_type_plain(k->type) != KEY_XMSS) 3973 return sshkey_private_serialize_opt(k, b, 3974 SSHKEY_SERIALIZE_DEFAULT); 3975 if ((r = sshkey_xmss_get_state(k, pr)) != 0 || 3976 (r = sshkey_private_serialize_opt(k, b, 3977 SSHKEY_SERIALIZE_STATE)) != 0 || 3978 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 3979 goto out; 3980 r = 0; 3981 out: 3982 if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) { 3983 if (r == 0) 3984 r = rupdate; 3985 } 3986 return r; 3987 } 3988 3989 u_int32_t 3990 sshkey_signatures_left(const struct sshkey *k) 3991 { 3992 if (sshkey_type_plain(k->type) == KEY_XMSS) 3993 return sshkey_xmss_signatures_left(k); 3994 return 0; 3995 } 3996 3997 int 3998 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 3999 { 4000 if (sshkey_type_plain(k->type) != KEY_XMSS) 4001 return SSH_ERR_INVALID_ARGUMENT; 4002 return sshkey_xmss_enable_maxsign(k, maxsign); 4003 } 4004 4005 int 4006 sshkey_set_filename(struct sshkey *k, const char *filename) 4007 { 4008 if (k == NULL) 4009 return SSH_ERR_INVALID_ARGUMENT; 4010 if (sshkey_type_plain(k->type) != KEY_XMSS) 4011 return 0; 4012 if (filename == NULL) 4013 return SSH_ERR_INVALID_ARGUMENT; 4014 if ((k->xmss_filename = strdup(filename)) == NULL) 4015 return SSH_ERR_ALLOC_FAIL; 4016 return 0; 4017 } 4018 #else 4019 int 4020 sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b, 4021 u_int32_t maxsign, sshkey_printfn *pr) 4022 { 4023 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4024 } 4025 4026 u_int32_t 4027 sshkey_signatures_left(const struct sshkey *k) 4028 { 4029 return 0; 4030 } 4031 4032 int 4033 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4034 { 4035 return SSH_ERR_INVALID_ARGUMENT; 4036 } 4037 4038 int 4039 sshkey_set_filename(struct sshkey *k, const char *filename) 4040 { 4041 if (k == NULL) 4042 return SSH_ERR_INVALID_ARGUMENT; 4043 return 0; 4044 } 4045 #endif /* WITH_XMSS */ 4046