1 /* $OpenBSD: sshkey.c,v 1.5 2014/11/18 01:02:25 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 31 #include <openssl/evp.h> 32 #include <openssl/err.h> 33 #include <openssl/pem.h> 34 35 #include "crypto_api.h" 36 37 #include <errno.h> 38 #include <stdio.h> 39 #include <string.h> 40 #include <util.h> 41 42 #include "ssh2.h" 43 #include "ssherr.h" 44 #include "misc.h" 45 #include "sshbuf.h" 46 #include "rsa.h" 47 #include "cipher.h" 48 #include "digest.h" 49 #define SSHKEY_INTERNAL 50 #include "sshkey.h" 51 52 /* openssh private key file format */ 53 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 54 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 55 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 56 #define MARK_END_LEN (sizeof(MARK_END) - 1) 57 #define KDFNAME "bcrypt" 58 #define AUTH_MAGIC "openssh-key-v1" 59 #define SALT_LEN 16 60 #define DEFAULT_CIPHERNAME "aes256-cbc" 61 #define DEFAULT_ROUNDS 16 62 63 /* Version identification string for SSH v1 identity files. */ 64 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 65 66 static int sshkey_from_blob_internal(const u_char *blob, size_t blen, 67 struct sshkey **keyp, int allow_cert); 68 69 /* Supported key types */ 70 struct keytype { 71 const char *name; 72 const char *shortname; 73 int type; 74 int nid; 75 int cert; 76 }; 77 static const struct keytype keytypes[] = { 78 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 79 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 80 KEY_ED25519_CERT, 0, 1 }, 81 #ifdef WITH_OPENSSL 82 { NULL, "RSA1", KEY_RSA1, 0, 0 }, 83 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 84 { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 85 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 86 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 87 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 88 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 89 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 90 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 91 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 92 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 93 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 94 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 95 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 96 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 97 KEY_RSA_CERT_V00, 0, 1 }, 98 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 99 KEY_DSA_CERT_V00, 0, 1 }, 100 #endif /* WITH_OPENSSL */ 101 { NULL, NULL, -1, -1, 0 } 102 }; 103 104 const char * 105 sshkey_type(const struct sshkey *k) 106 { 107 const struct keytype *kt; 108 109 for (kt = keytypes; kt->type != -1; kt++) { 110 if (kt->type == k->type) 111 return kt->shortname; 112 } 113 return "unknown"; 114 } 115 116 static const char * 117 sshkey_ssh_name_from_type_nid(int type, int nid) 118 { 119 const struct keytype *kt; 120 121 for (kt = keytypes; kt->type != -1; kt++) { 122 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 123 return kt->name; 124 } 125 return "ssh-unknown"; 126 } 127 128 int 129 sshkey_type_is_cert(int type) 130 { 131 const struct keytype *kt; 132 133 for (kt = keytypes; kt->type != -1; kt++) { 134 if (kt->type == type) 135 return kt->cert; 136 } 137 return 0; 138 } 139 140 const char * 141 sshkey_ssh_name(const struct sshkey *k) 142 { 143 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 144 } 145 146 const char * 147 sshkey_ssh_name_plain(const struct sshkey *k) 148 { 149 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 150 k->ecdsa_nid); 151 } 152 153 int 154 sshkey_type_from_name(const char *name) 155 { 156 const struct keytype *kt; 157 158 for (kt = keytypes; kt->type != -1; kt++) { 159 /* Only allow shortname matches for plain key types */ 160 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 161 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 162 return kt->type; 163 } 164 return KEY_UNSPEC; 165 } 166 167 int 168 sshkey_ecdsa_nid_from_name(const char *name) 169 { 170 const struct keytype *kt; 171 172 for (kt = keytypes; kt->type != -1; kt++) { 173 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 174 continue; 175 if (kt->name != NULL && strcmp(name, kt->name) == 0) 176 return kt->nid; 177 } 178 return -1; 179 } 180 181 char * 182 key_alg_list(int certs_only, int plain_only) 183 { 184 char *tmp, *ret = NULL; 185 size_t nlen, rlen = 0; 186 const struct keytype *kt; 187 188 for (kt = keytypes; kt->type != -1; kt++) { 189 if (kt->name == NULL) 190 continue; 191 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 192 continue; 193 if (ret != NULL) 194 ret[rlen++] = '\n'; 195 nlen = strlen(kt->name); 196 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 197 free(ret); 198 return NULL; 199 } 200 ret = tmp; 201 memcpy(ret + rlen, kt->name, nlen + 1); 202 rlen += nlen; 203 } 204 return ret; 205 } 206 207 int 208 sshkey_names_valid2(const char *names) 209 { 210 char *s, *cp, *p; 211 212 if (names == NULL || strcmp(names, "") == 0) 213 return 0; 214 if ((s = cp = strdup(names)) == NULL) 215 return 0; 216 for ((p = strsep(&cp, ",")); p && *p != '\0'; 217 (p = strsep(&cp, ","))) { 218 switch (sshkey_type_from_name(p)) { 219 case KEY_RSA1: 220 case KEY_UNSPEC: 221 free(s); 222 return 0; 223 } 224 } 225 free(s); 226 return 1; 227 } 228 229 u_int 230 sshkey_size(const struct sshkey *k) 231 { 232 switch (k->type) { 233 #ifdef WITH_OPENSSL 234 case KEY_RSA1: 235 case KEY_RSA: 236 case KEY_RSA_CERT_V00: 237 case KEY_RSA_CERT: 238 return BN_num_bits(k->rsa->n); 239 case KEY_DSA: 240 case KEY_DSA_CERT_V00: 241 case KEY_DSA_CERT: 242 return BN_num_bits(k->dsa->p); 243 case KEY_ECDSA: 244 case KEY_ECDSA_CERT: 245 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 246 #endif /* WITH_OPENSSL */ 247 case KEY_ED25519: 248 case KEY_ED25519_CERT: 249 return 256; /* XXX */ 250 } 251 return 0; 252 } 253 254 int 255 sshkey_cert_is_legacy(const struct sshkey *k) 256 { 257 switch (k->type) { 258 case KEY_DSA_CERT_V00: 259 case KEY_RSA_CERT_V00: 260 return 1; 261 default: 262 return 0; 263 } 264 } 265 266 static int 267 sshkey_type_is_valid_ca(int type) 268 { 269 switch (type) { 270 case KEY_RSA: 271 case KEY_DSA: 272 case KEY_ECDSA: 273 case KEY_ED25519: 274 return 1; 275 default: 276 return 0; 277 } 278 } 279 280 int 281 sshkey_is_cert(const struct sshkey *k) 282 { 283 if (k == NULL) 284 return 0; 285 return sshkey_type_is_cert(k->type); 286 } 287 288 /* Return the cert-less equivalent to a certified key type */ 289 int 290 sshkey_type_plain(int type) 291 { 292 switch (type) { 293 case KEY_RSA_CERT_V00: 294 case KEY_RSA_CERT: 295 return KEY_RSA; 296 case KEY_DSA_CERT_V00: 297 case KEY_DSA_CERT: 298 return KEY_DSA; 299 case KEY_ECDSA_CERT: 300 return KEY_ECDSA; 301 case KEY_ED25519_CERT: 302 return KEY_ED25519; 303 default: 304 return type; 305 } 306 } 307 308 #ifdef WITH_OPENSSL 309 /* XXX: these are really begging for a table-driven approach */ 310 int 311 sshkey_curve_name_to_nid(const char *name) 312 { 313 if (strcmp(name, "nistp256") == 0) 314 return NID_X9_62_prime256v1; 315 else if (strcmp(name, "nistp384") == 0) 316 return NID_secp384r1; 317 else if (strcmp(name, "nistp521") == 0) 318 return NID_secp521r1; 319 else 320 return -1; 321 } 322 323 u_int 324 sshkey_curve_nid_to_bits(int nid) 325 { 326 switch (nid) { 327 case NID_X9_62_prime256v1: 328 return 256; 329 case NID_secp384r1: 330 return 384; 331 case NID_secp521r1: 332 return 521; 333 default: 334 return 0; 335 } 336 } 337 338 int 339 sshkey_ecdsa_bits_to_nid(int bits) 340 { 341 switch (bits) { 342 case 256: 343 return NID_X9_62_prime256v1; 344 case 384: 345 return NID_secp384r1; 346 case 521: 347 return NID_secp521r1; 348 default: 349 return -1; 350 } 351 } 352 353 const char * 354 sshkey_curve_nid_to_name(int nid) 355 { 356 switch (nid) { 357 case NID_X9_62_prime256v1: 358 return "nistp256"; 359 case NID_secp384r1: 360 return "nistp384"; 361 case NID_secp521r1: 362 return "nistp521"; 363 default: 364 return NULL; 365 } 366 } 367 368 int 369 sshkey_ec_nid_to_hash_alg(int nid) 370 { 371 int kbits = sshkey_curve_nid_to_bits(nid); 372 373 if (kbits <= 0) 374 return -1; 375 376 /* RFC5656 section 6.2.1 */ 377 if (kbits <= 256) 378 return SSH_DIGEST_SHA256; 379 else if (kbits <= 384) 380 return SSH_DIGEST_SHA384; 381 else 382 return SSH_DIGEST_SHA512; 383 } 384 #endif /* WITH_OPENSSL */ 385 386 static void 387 cert_free(struct sshkey_cert *cert) 388 { 389 u_int i; 390 391 if (cert == NULL) 392 return; 393 if (cert->certblob != NULL) 394 sshbuf_free(cert->certblob); 395 if (cert->critical != NULL) 396 sshbuf_free(cert->critical); 397 if (cert->extensions != NULL) 398 sshbuf_free(cert->extensions); 399 if (cert->key_id != NULL) 400 free(cert->key_id); 401 for (i = 0; i < cert->nprincipals; i++) 402 free(cert->principals[i]); 403 if (cert->principals != NULL) 404 free(cert->principals); 405 if (cert->signature_key != NULL) 406 sshkey_free(cert->signature_key); 407 explicit_bzero(cert, sizeof(*cert)); 408 free(cert); 409 } 410 411 static struct sshkey_cert * 412 cert_new(void) 413 { 414 struct sshkey_cert *cert; 415 416 if ((cert = calloc(1, sizeof(*cert))) == NULL) 417 return NULL; 418 if ((cert->certblob = sshbuf_new()) == NULL || 419 (cert->critical = sshbuf_new()) == NULL || 420 (cert->extensions = sshbuf_new()) == NULL) { 421 cert_free(cert); 422 return NULL; 423 } 424 cert->key_id = NULL; 425 cert->principals = NULL; 426 cert->signature_key = NULL; 427 return cert; 428 } 429 430 struct sshkey * 431 sshkey_new(int type) 432 { 433 struct sshkey *k; 434 #ifdef WITH_OPENSSL 435 RSA *rsa; 436 DSA *dsa; 437 #endif /* WITH_OPENSSL */ 438 439 if ((k = calloc(1, sizeof(*k))) == NULL) 440 return NULL; 441 k->type = type; 442 k->ecdsa = NULL; 443 k->ecdsa_nid = -1; 444 k->dsa = NULL; 445 k->rsa = NULL; 446 k->cert = NULL; 447 k->ed25519_sk = NULL; 448 k->ed25519_pk = NULL; 449 switch (k->type) { 450 #ifdef WITH_OPENSSL 451 case KEY_RSA1: 452 case KEY_RSA: 453 case KEY_RSA_CERT_V00: 454 case KEY_RSA_CERT: 455 if ((rsa = RSA_new()) == NULL || 456 (rsa->n = BN_new()) == NULL || 457 (rsa->e = BN_new()) == NULL) { 458 if (rsa != NULL) 459 RSA_free(rsa); 460 free(k); 461 return NULL; 462 } 463 k->rsa = rsa; 464 break; 465 case KEY_DSA: 466 case KEY_DSA_CERT_V00: 467 case KEY_DSA_CERT: 468 if ((dsa = DSA_new()) == NULL || 469 (dsa->p = BN_new()) == NULL || 470 (dsa->q = BN_new()) == NULL || 471 (dsa->g = BN_new()) == NULL || 472 (dsa->pub_key = BN_new()) == NULL) { 473 if (dsa != NULL) 474 DSA_free(dsa); 475 free(k); 476 return NULL; 477 } 478 k->dsa = dsa; 479 break; 480 case KEY_ECDSA: 481 case KEY_ECDSA_CERT: 482 /* Cannot do anything until we know the group */ 483 break; 484 #endif /* WITH_OPENSSL */ 485 case KEY_ED25519: 486 case KEY_ED25519_CERT: 487 /* no need to prealloc */ 488 break; 489 case KEY_UNSPEC: 490 break; 491 default: 492 free(k); 493 return NULL; 494 break; 495 } 496 497 if (sshkey_is_cert(k)) { 498 if ((k->cert = cert_new()) == NULL) { 499 sshkey_free(k); 500 return NULL; 501 } 502 } 503 504 return k; 505 } 506 507 int 508 sshkey_add_private(struct sshkey *k) 509 { 510 switch (k->type) { 511 #ifdef WITH_OPENSSL 512 case KEY_RSA1: 513 case KEY_RSA: 514 case KEY_RSA_CERT_V00: 515 case KEY_RSA_CERT: 516 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 517 if (bn_maybe_alloc_failed(k->rsa->d) || 518 bn_maybe_alloc_failed(k->rsa->iqmp) || 519 bn_maybe_alloc_failed(k->rsa->q) || 520 bn_maybe_alloc_failed(k->rsa->p) || 521 bn_maybe_alloc_failed(k->rsa->dmq1) || 522 bn_maybe_alloc_failed(k->rsa->dmp1)) 523 return SSH_ERR_ALLOC_FAIL; 524 break; 525 case KEY_DSA: 526 case KEY_DSA_CERT_V00: 527 case KEY_DSA_CERT: 528 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 529 return SSH_ERR_ALLOC_FAIL; 530 break; 531 #undef bn_maybe_alloc_failed 532 case KEY_ECDSA: 533 case KEY_ECDSA_CERT: 534 /* Cannot do anything until we know the group */ 535 break; 536 #endif /* WITH_OPENSSL */ 537 case KEY_ED25519: 538 case KEY_ED25519_CERT: 539 /* no need to prealloc */ 540 break; 541 case KEY_UNSPEC: 542 break; 543 default: 544 return SSH_ERR_INVALID_ARGUMENT; 545 } 546 return 0; 547 } 548 549 struct sshkey * 550 sshkey_new_private(int type) 551 { 552 struct sshkey *k = sshkey_new(type); 553 554 if (k == NULL) 555 return NULL; 556 if (sshkey_add_private(k) != 0) { 557 sshkey_free(k); 558 return NULL; 559 } 560 return k; 561 } 562 563 void 564 sshkey_free(struct sshkey *k) 565 { 566 if (k == NULL) 567 return; 568 switch (k->type) { 569 #ifdef WITH_OPENSSL 570 case KEY_RSA1: 571 case KEY_RSA: 572 case KEY_RSA_CERT_V00: 573 case KEY_RSA_CERT: 574 if (k->rsa != NULL) 575 RSA_free(k->rsa); 576 k->rsa = NULL; 577 break; 578 case KEY_DSA: 579 case KEY_DSA_CERT_V00: 580 case KEY_DSA_CERT: 581 if (k->dsa != NULL) 582 DSA_free(k->dsa); 583 k->dsa = NULL; 584 break; 585 case KEY_ECDSA: 586 case KEY_ECDSA_CERT: 587 if (k->ecdsa != NULL) 588 EC_KEY_free(k->ecdsa); 589 k->ecdsa = NULL; 590 break; 591 #endif /* WITH_OPENSSL */ 592 case KEY_ED25519: 593 case KEY_ED25519_CERT: 594 if (k->ed25519_pk) { 595 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 596 free(k->ed25519_pk); 597 k->ed25519_pk = NULL; 598 } 599 if (k->ed25519_sk) { 600 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 601 free(k->ed25519_sk); 602 k->ed25519_sk = NULL; 603 } 604 break; 605 case KEY_UNSPEC: 606 break; 607 default: 608 break; 609 } 610 if (sshkey_is_cert(k)) 611 cert_free(k->cert); 612 explicit_bzero(k, sizeof(*k)); 613 free(k); 614 } 615 616 static int 617 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 618 { 619 if (a == NULL && b == NULL) 620 return 1; 621 if (a == NULL || b == NULL) 622 return 0; 623 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 624 return 0; 625 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 626 sshbuf_len(a->certblob)) != 0) 627 return 0; 628 return 1; 629 } 630 631 /* 632 * Compare public portions of key only, allowing comparisons between 633 * certificates and plain keys too. 634 */ 635 int 636 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 637 { 638 #ifdef WITH_OPENSSL 639 BN_CTX *bnctx; 640 #endif /* WITH_OPENSSL */ 641 642 if (a == NULL || b == NULL || 643 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 644 return 0; 645 646 switch (a->type) { 647 #ifdef WITH_OPENSSL 648 case KEY_RSA1: 649 case KEY_RSA_CERT_V00: 650 case KEY_RSA_CERT: 651 case KEY_RSA: 652 return a->rsa != NULL && b->rsa != NULL && 653 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 654 BN_cmp(a->rsa->n, b->rsa->n) == 0; 655 case KEY_DSA_CERT_V00: 656 case KEY_DSA_CERT: 657 case KEY_DSA: 658 return a->dsa != NULL && b->dsa != NULL && 659 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 660 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 661 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 662 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 663 case KEY_ECDSA_CERT: 664 case KEY_ECDSA: 665 if (a->ecdsa == NULL || b->ecdsa == NULL || 666 EC_KEY_get0_public_key(a->ecdsa) == NULL || 667 EC_KEY_get0_public_key(b->ecdsa) == NULL) 668 return 0; 669 if ((bnctx = BN_CTX_new()) == NULL) 670 return 0; 671 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 672 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 673 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 674 EC_KEY_get0_public_key(a->ecdsa), 675 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 676 BN_CTX_free(bnctx); 677 return 0; 678 } 679 BN_CTX_free(bnctx); 680 return 1; 681 #endif /* WITH_OPENSSL */ 682 case KEY_ED25519: 683 case KEY_ED25519_CERT: 684 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 685 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 686 default: 687 return 0; 688 } 689 /* NOTREACHED */ 690 } 691 692 int 693 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 694 { 695 if (a == NULL || b == NULL || a->type != b->type) 696 return 0; 697 if (sshkey_is_cert(a)) { 698 if (!cert_compare(a->cert, b->cert)) 699 return 0; 700 } 701 return sshkey_equal_public(a, b); 702 } 703 704 static int 705 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 706 { 707 int type, ret = SSH_ERR_INTERNAL_ERROR; 708 const char *typename; 709 710 if (key == NULL) 711 return SSH_ERR_INVALID_ARGUMENT; 712 713 type = force_plain ? sshkey_type_plain(key->type) : key->type; 714 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 715 716 switch (type) { 717 #ifdef WITH_OPENSSL 718 case KEY_DSA_CERT_V00: 719 case KEY_RSA_CERT_V00: 720 case KEY_DSA_CERT: 721 case KEY_ECDSA_CERT: 722 case KEY_RSA_CERT: 723 #endif /* WITH_OPENSSL */ 724 case KEY_ED25519_CERT: 725 /* Use the existing blob */ 726 /* XXX modified flag? */ 727 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 728 return ret; 729 break; 730 #ifdef WITH_OPENSSL 731 case KEY_DSA: 732 if (key->dsa == NULL) 733 return SSH_ERR_INVALID_ARGUMENT; 734 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 735 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 736 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 737 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 738 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 739 return ret; 740 break; 741 case KEY_ECDSA: 742 if (key->ecdsa == NULL) 743 return SSH_ERR_INVALID_ARGUMENT; 744 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 745 (ret = sshbuf_put_cstring(b, 746 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 747 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 748 return ret; 749 break; 750 case KEY_RSA: 751 if (key->rsa == NULL) 752 return SSH_ERR_INVALID_ARGUMENT; 753 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 754 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 755 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 756 return ret; 757 break; 758 #endif /* WITH_OPENSSL */ 759 case KEY_ED25519: 760 if (key->ed25519_pk == NULL) 761 return SSH_ERR_INVALID_ARGUMENT; 762 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 763 (ret = sshbuf_put_string(b, 764 key->ed25519_pk, ED25519_PK_SZ)) != 0) 765 return ret; 766 break; 767 default: 768 return SSH_ERR_KEY_TYPE_UNKNOWN; 769 } 770 return 0; 771 } 772 773 int 774 sshkey_to_blob_buf(const struct sshkey *key, struct sshbuf *b) 775 { 776 return to_blob_buf(key, b, 0); 777 } 778 779 int 780 sshkey_plain_to_blob_buf(const struct sshkey *key, struct sshbuf *b) 781 { 782 return to_blob_buf(key, b, 1); 783 } 784 785 static int 786 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 787 { 788 int ret = SSH_ERR_INTERNAL_ERROR; 789 size_t len; 790 struct sshbuf *b = NULL; 791 792 if (lenp != NULL) 793 *lenp = 0; 794 if (blobp != NULL) 795 *blobp = NULL; 796 if ((b = sshbuf_new()) == NULL) 797 return SSH_ERR_ALLOC_FAIL; 798 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 799 goto out; 800 len = sshbuf_len(b); 801 if (lenp != NULL) 802 *lenp = len; 803 if (blobp != NULL) { 804 if ((*blobp = malloc(len)) == NULL) { 805 ret = SSH_ERR_ALLOC_FAIL; 806 goto out; 807 } 808 memcpy(*blobp, sshbuf_ptr(b), len); 809 } 810 ret = 0; 811 out: 812 sshbuf_free(b); 813 return ret; 814 } 815 816 int 817 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 818 { 819 return to_blob(key, blobp, lenp, 0); 820 } 821 822 int 823 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 824 { 825 return to_blob(key, blobp, lenp, 1); 826 } 827 828 int 829 sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, 830 u_char **retp, size_t *lenp) 831 { 832 u_char *blob = NULL, *ret = NULL; 833 size_t blob_len = 0; 834 int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR; 835 836 if (retp != NULL) 837 *retp = NULL; 838 if (lenp != NULL) 839 *lenp = 0; 840 841 switch (dgst_type) { 842 case SSH_FP_MD5: 843 hash_alg = SSH_DIGEST_MD5; 844 break; 845 case SSH_FP_SHA1: 846 hash_alg = SSH_DIGEST_SHA1; 847 break; 848 case SSH_FP_SHA256: 849 hash_alg = SSH_DIGEST_SHA256; 850 break; 851 default: 852 r = SSH_ERR_INVALID_ARGUMENT; 853 goto out; 854 } 855 856 if (k->type == KEY_RSA1) { 857 #ifdef WITH_OPENSSL 858 int nlen = BN_num_bytes(k->rsa->n); 859 int elen = BN_num_bytes(k->rsa->e); 860 861 blob_len = nlen + elen; 862 if (nlen >= INT_MAX - elen || 863 (blob = malloc(blob_len)) == NULL) { 864 r = SSH_ERR_ALLOC_FAIL; 865 goto out; 866 } 867 BN_bn2bin(k->rsa->n, blob); 868 BN_bn2bin(k->rsa->e, blob + nlen); 869 #endif /* WITH_OPENSSL */ 870 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 871 goto out; 872 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 873 r = SSH_ERR_ALLOC_FAIL; 874 goto out; 875 } 876 if ((r = ssh_digest_memory(hash_alg, blob, blob_len, 877 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 878 goto out; 879 /* success */ 880 if (retp != NULL) { 881 *retp = ret; 882 ret = NULL; 883 } 884 if (lenp != NULL) 885 *lenp = ssh_digest_bytes(hash_alg); 886 r = 0; 887 out: 888 free(ret); 889 if (blob != NULL) { 890 explicit_bzero(blob, blob_len); 891 free(blob); 892 } 893 return r; 894 } 895 896 static char * 897 fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len) 898 { 899 char *retval; 900 size_t i; 901 902 if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL) 903 return NULL; 904 for (i = 0; i < dgst_raw_len; i++) { 905 char hex[4]; 906 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); 907 strlcat(retval, hex, dgst_raw_len * 3 + 1); 908 } 909 910 /* Remove the trailing ':' character */ 911 retval[(dgst_raw_len * 3) - 1] = '\0'; 912 return retval; 913 } 914 915 static char * 916 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 917 { 918 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 919 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 920 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 921 u_int i, j = 0, rounds, seed = 1; 922 char *retval; 923 924 rounds = (dgst_raw_len / 2) + 1; 925 if ((retval = calloc(rounds, 6)) == NULL) 926 return NULL; 927 retval[j++] = 'x'; 928 for (i = 0; i < rounds; i++) { 929 u_int idx0, idx1, idx2, idx3, idx4; 930 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 931 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 932 seed) % 6; 933 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 934 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 935 (seed / 6)) % 6; 936 retval[j++] = vowels[idx0]; 937 retval[j++] = consonants[idx1]; 938 retval[j++] = vowels[idx2]; 939 if ((i + 1) < rounds) { 940 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 941 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 942 retval[j++] = consonants[idx3]; 943 retval[j++] = '-'; 944 retval[j++] = consonants[idx4]; 945 seed = ((seed * 5) + 946 ((((u_int)(dgst_raw[2 * i])) * 7) + 947 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 948 } 949 } else { 950 idx0 = seed % 6; 951 idx1 = 16; 952 idx2 = seed / 6; 953 retval[j++] = vowels[idx0]; 954 retval[j++] = consonants[idx1]; 955 retval[j++] = vowels[idx2]; 956 } 957 } 958 retval[j++] = 'x'; 959 retval[j++] = '\0'; 960 return retval; 961 } 962 963 /* 964 * Draw an ASCII-Art representing the fingerprint so human brain can 965 * profit from its built-in pattern recognition ability. 966 * This technique is called "random art" and can be found in some 967 * scientific publications like this original paper: 968 * 969 * "Hash Visualization: a New Technique to improve Real-World Security", 970 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 971 * Techniques and E-Commerce (CrypTEC '99) 972 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 973 * 974 * The subject came up in a talk by Dan Kaminsky, too. 975 * 976 * If you see the picture is different, the key is different. 977 * If the picture looks the same, you still know nothing. 978 * 979 * The algorithm used here is a worm crawling over a discrete plane, 980 * leaving a trace (augmenting the field) everywhere it goes. 981 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 982 * makes the respective movement vector be ignored for this turn. 983 * Graphs are not unambiguous, because circles in graphs can be 984 * walked in either direction. 985 */ 986 987 /* 988 * Field sizes for the random art. Have to be odd, so the starting point 989 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 990 * Else pictures would be too dense, and drawing the frame would 991 * fail, too, because the key type would not fit in anymore. 992 */ 993 #define FLDBASE 8 994 #define FLDSIZE_Y (FLDBASE + 1) 995 #define FLDSIZE_X (FLDBASE * 2 + 1) 996 static char * 997 fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, 998 const struct sshkey *k) 999 { 1000 /* 1001 * Chars to be used after each other every time the worm 1002 * intersects with itself. Matter of taste. 1003 */ 1004 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1005 char *retval, *p, title[FLDSIZE_X]; 1006 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1007 size_t i, tlen; 1008 u_int b; 1009 int x, y, r; 1010 size_t len = strlen(augmentation_string) - 1; 1011 1012 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1013 return NULL; 1014 1015 /* initialize field */ 1016 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1017 x = FLDSIZE_X / 2; 1018 y = FLDSIZE_Y / 2; 1019 1020 /* process raw key */ 1021 for (i = 0; i < dgst_raw_len; i++) { 1022 int input; 1023 /* each byte conveys four 2-bit move commands */ 1024 input = dgst_raw[i]; 1025 for (b = 0; b < 4; b++) { 1026 /* evaluate 2 bit, rest is shifted later */ 1027 x += (input & 0x1) ? 1 : -1; 1028 y += (input & 0x2) ? 1 : -1; 1029 1030 /* assure we are still in bounds */ 1031 x = MAX(x, 0); 1032 y = MAX(y, 0); 1033 x = MIN(x, FLDSIZE_X - 1); 1034 y = MIN(y, FLDSIZE_Y - 1); 1035 1036 /* augment the field */ 1037 if (field[x][y] < len - 2) 1038 field[x][y]++; 1039 input = input >> 2; 1040 } 1041 } 1042 1043 /* mark starting point and end point*/ 1044 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1045 field[x][y] = len; 1046 1047 /* assemble title */ 1048 r = snprintf(title, sizeof(title), "[%s %u]", 1049 sshkey_type(k), sshkey_size(k)); 1050 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1051 if (r < 0 || r > (int)sizeof(title)) 1052 snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1053 tlen = strlen(title); 1054 1055 /* output upper border */ 1056 p = retval; 1057 *p++ = '+'; 1058 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1059 *p++ = '-'; 1060 memcpy(p, title, tlen); 1061 p += tlen; 1062 for (i = p - retval - 1; i < FLDSIZE_X; i++) 1063 *p++ = '-'; 1064 *p++ = '+'; 1065 *p++ = '\n'; 1066 1067 /* output content */ 1068 for (y = 0; y < FLDSIZE_Y; y++) { 1069 *p++ = '|'; 1070 for (x = 0; x < FLDSIZE_X; x++) 1071 *p++ = augmentation_string[MIN(field[x][y], len)]; 1072 *p++ = '|'; 1073 *p++ = '\n'; 1074 } 1075 1076 /* output lower border */ 1077 *p++ = '+'; 1078 for (i = 0; i < FLDSIZE_X; i++) 1079 *p++ = '-'; 1080 *p++ = '+'; 1081 1082 return retval; 1083 } 1084 1085 char * 1086 sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type, 1087 enum sshkey_fp_rep dgst_rep) 1088 { 1089 char *retval = NULL; 1090 u_char *dgst_raw; 1091 size_t dgst_raw_len; 1092 1093 if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0) 1094 return NULL; 1095 switch (dgst_rep) { 1096 case SSH_FP_HEX: 1097 retval = fingerprint_hex(dgst_raw, dgst_raw_len); 1098 break; 1099 case SSH_FP_BUBBLEBABBLE: 1100 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1101 break; 1102 case SSH_FP_RANDOMART: 1103 retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k); 1104 break; 1105 default: 1106 explicit_bzero(dgst_raw, dgst_raw_len); 1107 free(dgst_raw); 1108 return NULL; 1109 } 1110 explicit_bzero(dgst_raw, dgst_raw_len); 1111 free(dgst_raw); 1112 return retval; 1113 } 1114 1115 #ifdef WITH_SSH1 1116 /* 1117 * Reads a multiple-precision integer in decimal from the buffer, and advances 1118 * the pointer. The integer must already be initialized. This function is 1119 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1120 * last processed character. 1121 */ 1122 static int 1123 read_decimal_bignum(char **cpp, BIGNUM *v) 1124 { 1125 char *cp; 1126 size_t e; 1127 int skip = 1; /* skip white space */ 1128 1129 cp = *cpp; 1130 while (*cp == ' ' || *cp == '\t') 1131 cp++; 1132 e = strspn(cp, "0123456789"); 1133 if (e == 0) 1134 return SSH_ERR_INVALID_FORMAT; 1135 if (e > SSHBUF_MAX_BIGNUM * 3) 1136 return SSH_ERR_BIGNUM_TOO_LARGE; 1137 if (cp[e] == '\0') 1138 skip = 0; 1139 else if (index(" \t\r\n", cp[e]) == NULL) 1140 return SSH_ERR_INVALID_FORMAT; 1141 cp[e] = '\0'; 1142 if (BN_dec2bn(&v, cp) <= 0) 1143 return SSH_ERR_INVALID_FORMAT; 1144 *cpp = cp + e + skip; 1145 return 0; 1146 } 1147 #endif /* WITH_SSH1 */ 1148 1149 /* returns 0 ok, and < 0 error */ 1150 int 1151 sshkey_read(struct sshkey *ret, char **cpp) 1152 { 1153 struct sshkey *k; 1154 int retval = SSH_ERR_INVALID_FORMAT; 1155 char *cp, *space; 1156 int r, type, curve_nid = -1; 1157 struct sshbuf *blob; 1158 #ifdef WITH_SSH1 1159 char *ep; 1160 u_long bits; 1161 #endif /* WITH_SSH1 */ 1162 1163 cp = *cpp; 1164 1165 switch (ret->type) { 1166 case KEY_RSA1: 1167 #ifdef WITH_SSH1 1168 /* Get number of bits. */ 1169 bits = strtoul(cp, &ep, 10); 1170 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || 1171 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1172 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1173 /* Get public exponent, public modulus. */ 1174 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1175 return r; 1176 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1177 return r; 1178 *cpp = ep; 1179 /* validate the claimed number of bits */ 1180 if (BN_num_bits(ret->rsa->n) != (int)bits) 1181 return SSH_ERR_KEY_BITS_MISMATCH; 1182 retval = 0; 1183 #endif /* WITH_SSH1 */ 1184 break; 1185 case KEY_UNSPEC: 1186 case KEY_RSA: 1187 case KEY_DSA: 1188 case KEY_ECDSA: 1189 case KEY_ED25519: 1190 case KEY_DSA_CERT_V00: 1191 case KEY_RSA_CERT_V00: 1192 case KEY_DSA_CERT: 1193 case KEY_ECDSA_CERT: 1194 case KEY_RSA_CERT: 1195 case KEY_ED25519_CERT: 1196 space = strchr(cp, ' '); 1197 if (space == NULL) 1198 return SSH_ERR_INVALID_FORMAT; 1199 *space = '\0'; 1200 type = sshkey_type_from_name(cp); 1201 if (sshkey_type_plain(type) == KEY_ECDSA && 1202 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1203 return SSH_ERR_EC_CURVE_INVALID; 1204 *space = ' '; 1205 if (type == KEY_UNSPEC) 1206 return SSH_ERR_INVALID_FORMAT; 1207 cp = space+1; 1208 if (*cp == '\0') 1209 return SSH_ERR_INVALID_FORMAT; 1210 if (ret->type != KEY_UNSPEC && ret->type != type) 1211 return SSH_ERR_KEY_TYPE_MISMATCH; 1212 if ((blob = sshbuf_new()) == NULL) 1213 return SSH_ERR_ALLOC_FAIL; 1214 /* trim comment */ 1215 space = strchr(cp, ' '); 1216 if (space) 1217 *space = '\0'; 1218 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1219 sshbuf_free(blob); 1220 return r; 1221 } 1222 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1223 sshbuf_len(blob), &k)) != 0) { 1224 sshbuf_free(blob); 1225 return r; 1226 } 1227 sshbuf_free(blob); 1228 if (k->type != type) { 1229 sshkey_free(k); 1230 return SSH_ERR_KEY_TYPE_MISMATCH; 1231 } 1232 if (sshkey_type_plain(type) == KEY_ECDSA && 1233 curve_nid != k->ecdsa_nid) { 1234 sshkey_free(k); 1235 return SSH_ERR_EC_CURVE_MISMATCH; 1236 } 1237 ret->type = type; 1238 if (sshkey_is_cert(ret)) { 1239 if (!sshkey_is_cert(k)) { 1240 sshkey_free(k); 1241 return SSH_ERR_EXPECTED_CERT; 1242 } 1243 if (ret->cert != NULL) 1244 cert_free(ret->cert); 1245 ret->cert = k->cert; 1246 k->cert = NULL; 1247 } 1248 #ifdef WITH_OPENSSL 1249 if (sshkey_type_plain(ret->type) == KEY_RSA) { 1250 if (ret->rsa != NULL) 1251 RSA_free(ret->rsa); 1252 ret->rsa = k->rsa; 1253 k->rsa = NULL; 1254 #ifdef DEBUG_PK 1255 RSA_print_fp(stderr, ret->rsa, 8); 1256 #endif 1257 } 1258 if (sshkey_type_plain(ret->type) == KEY_DSA) { 1259 if (ret->dsa != NULL) 1260 DSA_free(ret->dsa); 1261 ret->dsa = k->dsa; 1262 k->dsa = NULL; 1263 #ifdef DEBUG_PK 1264 DSA_print_fp(stderr, ret->dsa, 8); 1265 #endif 1266 } 1267 if (sshkey_type_plain(ret->type) == KEY_ECDSA) { 1268 if (ret->ecdsa != NULL) 1269 EC_KEY_free(ret->ecdsa); 1270 ret->ecdsa = k->ecdsa; 1271 ret->ecdsa_nid = k->ecdsa_nid; 1272 k->ecdsa = NULL; 1273 k->ecdsa_nid = -1; 1274 #ifdef DEBUG_PK 1275 sshkey_dump_ec_key(ret->ecdsa); 1276 #endif 1277 } 1278 #endif /* WITH_OPENSSL */ 1279 if (sshkey_type_plain(ret->type) == KEY_ED25519) { 1280 free(ret->ed25519_pk); 1281 ret->ed25519_pk = k->ed25519_pk; 1282 k->ed25519_pk = NULL; 1283 #ifdef DEBUG_PK 1284 /* XXX */ 1285 #endif 1286 } 1287 retval = 0; 1288 /*XXXX*/ 1289 sshkey_free(k); 1290 if (retval != 0) 1291 break; 1292 /* advance cp: skip whitespace and data */ 1293 while (*cp == ' ' || *cp == '\t') 1294 cp++; 1295 while (*cp != '\0' && *cp != ' ' && *cp != '\t') 1296 cp++; 1297 *cpp = cp; 1298 break; 1299 default: 1300 return SSH_ERR_INVALID_ARGUMENT; 1301 } 1302 return retval; 1303 } 1304 1305 int 1306 sshkey_write(const struct sshkey *key, FILE *f) 1307 { 1308 int ret = SSH_ERR_INTERNAL_ERROR; 1309 struct sshbuf *b = NULL, *bb = NULL; 1310 char *uu = NULL; 1311 #ifdef WITH_SSH1 1312 u_int bits = 0; 1313 char *dec_e = NULL, *dec_n = NULL; 1314 #endif /* WITH_SSH1 */ 1315 1316 if (sshkey_is_cert(key)) { 1317 if (key->cert == NULL) 1318 return SSH_ERR_EXPECTED_CERT; 1319 if (sshbuf_len(key->cert->certblob) == 0) 1320 return SSH_ERR_KEY_LACKS_CERTBLOB; 1321 } 1322 if ((b = sshbuf_new()) == NULL) 1323 return SSH_ERR_ALLOC_FAIL; 1324 switch (key->type) { 1325 #ifdef WITH_SSH1 1326 case KEY_RSA1: 1327 if (key->rsa == NULL || key->rsa->e == NULL || 1328 key->rsa->n == NULL) { 1329 ret = SSH_ERR_INVALID_ARGUMENT; 1330 goto out; 1331 } 1332 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1333 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1334 ret = SSH_ERR_ALLOC_FAIL; 1335 goto out; 1336 } 1337 /* size of modulus 'n' */ 1338 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1339 ret = SSH_ERR_INVALID_ARGUMENT; 1340 goto out; 1341 } 1342 if ((ret = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1343 goto out; 1344 #endif /* WITH_SSH1 */ 1345 break; 1346 #ifdef WITH_OPENSSL 1347 case KEY_DSA: 1348 case KEY_DSA_CERT_V00: 1349 case KEY_DSA_CERT: 1350 case KEY_ECDSA: 1351 case KEY_ECDSA_CERT: 1352 case KEY_RSA: 1353 case KEY_RSA_CERT_V00: 1354 case KEY_RSA_CERT: 1355 #endif /* WITH_OPENSSL */ 1356 case KEY_ED25519: 1357 case KEY_ED25519_CERT: 1358 if ((bb = sshbuf_new()) == NULL) { 1359 ret = SSH_ERR_ALLOC_FAIL; 1360 goto out; 1361 } 1362 if ((ret = sshkey_to_blob_buf(key, bb)) != 0) 1363 goto out; 1364 if ((uu = sshbuf_dtob64(bb)) == NULL) { 1365 ret = SSH_ERR_ALLOC_FAIL; 1366 goto out; 1367 } 1368 if ((ret = sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) != 0) 1369 goto out; 1370 if ((ret = sshbuf_put(b, uu, strlen(uu))) != 0) 1371 goto out; 1372 break; 1373 default: 1374 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1375 goto out; 1376 } 1377 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1378 if (feof(f)) 1379 errno = EPIPE; 1380 ret = SSH_ERR_SYSTEM_ERROR; 1381 goto out; 1382 } 1383 ret = 0; 1384 out: 1385 if (b != NULL) 1386 sshbuf_free(b); 1387 if (bb != NULL) 1388 sshbuf_free(bb); 1389 if (uu != NULL) 1390 free(uu); 1391 #ifdef WITH_SSH1 1392 if (dec_e != NULL) 1393 OPENSSL_free(dec_e); 1394 if (dec_n != NULL) 1395 OPENSSL_free(dec_n); 1396 #endif /* WITH_SSH1 */ 1397 return ret; 1398 } 1399 1400 const char * 1401 sshkey_cert_type(const struct sshkey *k) 1402 { 1403 switch (k->cert->type) { 1404 case SSH2_CERT_TYPE_USER: 1405 return "user"; 1406 case SSH2_CERT_TYPE_HOST: 1407 return "host"; 1408 default: 1409 return "unknown"; 1410 } 1411 } 1412 1413 #ifdef WITH_OPENSSL 1414 static int 1415 rsa_generate_private_key(u_int bits, RSA **rsap) 1416 { 1417 RSA *private = NULL; 1418 BIGNUM *f4 = NULL; 1419 int ret = SSH_ERR_INTERNAL_ERROR; 1420 1421 if (rsap == NULL || 1422 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1423 bits > SSHBUF_MAX_BIGNUM * 8) 1424 return SSH_ERR_INVALID_ARGUMENT; 1425 *rsap = NULL; 1426 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1427 ret = SSH_ERR_ALLOC_FAIL; 1428 goto out; 1429 } 1430 if (!BN_set_word(f4, RSA_F4) || 1431 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1432 ret = SSH_ERR_LIBCRYPTO_ERROR; 1433 goto out; 1434 } 1435 *rsap = private; 1436 private = NULL; 1437 ret = 0; 1438 out: 1439 if (private != NULL) 1440 RSA_free(private); 1441 if (f4 != NULL) 1442 BN_free(f4); 1443 return ret; 1444 } 1445 1446 static int 1447 dsa_generate_private_key(u_int bits, DSA **dsap) 1448 { 1449 DSA *private; 1450 int ret = SSH_ERR_INTERNAL_ERROR; 1451 1452 if (dsap == NULL || bits != 1024) 1453 return SSH_ERR_INVALID_ARGUMENT; 1454 if ((private = DSA_new()) == NULL) { 1455 ret = SSH_ERR_ALLOC_FAIL; 1456 goto out; 1457 } 1458 *dsap = NULL; 1459 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1460 NULL, NULL) || !DSA_generate_key(private)) { 1461 DSA_free(private); 1462 ret = SSH_ERR_LIBCRYPTO_ERROR; 1463 goto out; 1464 } 1465 *dsap = private; 1466 private = NULL; 1467 ret = 0; 1468 out: 1469 if (private != NULL) 1470 DSA_free(private); 1471 return ret; 1472 } 1473 1474 int 1475 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1476 { 1477 EC_GROUP *eg; 1478 int nids[] = { 1479 NID_X9_62_prime256v1, 1480 NID_secp384r1, 1481 NID_secp521r1, 1482 -1 1483 }; 1484 int nid; 1485 u_int i; 1486 BN_CTX *bnctx; 1487 const EC_GROUP *g = EC_KEY_get0_group(k); 1488 1489 /* 1490 * The group may be stored in a ASN.1 encoded private key in one of two 1491 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1492 * or explicit group parameters encoded into the key blob. Only the 1493 * "named group" case sets the group NID for us, but we can figure 1494 * it out for the other case by comparing against all the groups that 1495 * are supported. 1496 */ 1497 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1498 return nid; 1499 if ((bnctx = BN_CTX_new()) == NULL) 1500 return -1; 1501 for (i = 0; nids[i] != -1; i++) { 1502 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1503 BN_CTX_free(bnctx); 1504 return -1; 1505 } 1506 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1507 break; 1508 EC_GROUP_free(eg); 1509 } 1510 BN_CTX_free(bnctx); 1511 if (nids[i] != -1) { 1512 /* Use the group with the NID attached */ 1513 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1514 if (EC_KEY_set_group(k, eg) != 1) { 1515 EC_GROUP_free(eg); 1516 return -1; 1517 } 1518 } 1519 return nids[i]; 1520 } 1521 1522 static int 1523 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1524 { 1525 EC_KEY *private; 1526 int ret = SSH_ERR_INTERNAL_ERROR; 1527 1528 if (nid == NULL || ecdsap == NULL || 1529 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1530 return SSH_ERR_INVALID_ARGUMENT; 1531 *ecdsap = NULL; 1532 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1533 ret = SSH_ERR_ALLOC_FAIL; 1534 goto out; 1535 } 1536 if (EC_KEY_generate_key(private) != 1) { 1537 ret = SSH_ERR_LIBCRYPTO_ERROR; 1538 goto out; 1539 } 1540 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1541 *ecdsap = private; 1542 private = NULL; 1543 ret = 0; 1544 out: 1545 if (private != NULL) 1546 EC_KEY_free(private); 1547 return ret; 1548 } 1549 #endif /* WITH_OPENSSL */ 1550 1551 int 1552 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1553 { 1554 struct sshkey *k; 1555 int ret = SSH_ERR_INTERNAL_ERROR; 1556 1557 if (keyp == NULL) 1558 return SSH_ERR_INVALID_ARGUMENT; 1559 *keyp = NULL; 1560 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1561 return SSH_ERR_ALLOC_FAIL; 1562 switch (type) { 1563 case KEY_ED25519: 1564 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1565 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1566 ret = SSH_ERR_ALLOC_FAIL; 1567 break; 1568 } 1569 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1570 ret = 0; 1571 break; 1572 #ifdef WITH_OPENSSL 1573 case KEY_DSA: 1574 ret = dsa_generate_private_key(bits, &k->dsa); 1575 break; 1576 case KEY_ECDSA: 1577 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1578 &k->ecdsa); 1579 break; 1580 case KEY_RSA: 1581 case KEY_RSA1: 1582 ret = rsa_generate_private_key(bits, &k->rsa); 1583 break; 1584 #endif /* WITH_OPENSSL */ 1585 default: 1586 ret = SSH_ERR_INVALID_ARGUMENT; 1587 } 1588 if (ret == 0) { 1589 k->type = type; 1590 *keyp = k; 1591 } else 1592 sshkey_free(k); 1593 return ret; 1594 } 1595 1596 int 1597 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1598 { 1599 u_int i; 1600 const struct sshkey_cert *from; 1601 struct sshkey_cert *to; 1602 int ret = SSH_ERR_INTERNAL_ERROR; 1603 1604 if (to_key->cert != NULL) { 1605 cert_free(to_key->cert); 1606 to_key->cert = NULL; 1607 } 1608 1609 if ((from = from_key->cert) == NULL) 1610 return SSH_ERR_INVALID_ARGUMENT; 1611 1612 if ((to = to_key->cert = cert_new()) == NULL) 1613 return SSH_ERR_ALLOC_FAIL; 1614 1615 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1616 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1617 (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) 1618 return ret; 1619 1620 to->serial = from->serial; 1621 to->type = from->type; 1622 if (from->key_id == NULL) 1623 to->key_id = NULL; 1624 else if ((to->key_id = strdup(from->key_id)) == NULL) 1625 return SSH_ERR_ALLOC_FAIL; 1626 to->valid_after = from->valid_after; 1627 to->valid_before = from->valid_before; 1628 if (from->signature_key == NULL) 1629 to->signature_key = NULL; 1630 else if ((ret = sshkey_from_private(from->signature_key, 1631 &to->signature_key)) != 0) 1632 return ret; 1633 1634 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1635 return SSH_ERR_INVALID_ARGUMENT; 1636 if (from->nprincipals > 0) { 1637 if ((to->principals = calloc(from->nprincipals, 1638 sizeof(*to->principals))) == NULL) 1639 return SSH_ERR_ALLOC_FAIL; 1640 for (i = 0; i < from->nprincipals; i++) { 1641 to->principals[i] = strdup(from->principals[i]); 1642 if (to->principals[i] == NULL) { 1643 to->nprincipals = i; 1644 return SSH_ERR_ALLOC_FAIL; 1645 } 1646 } 1647 } 1648 to->nprincipals = from->nprincipals; 1649 return 0; 1650 } 1651 1652 int 1653 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1654 { 1655 struct sshkey *n = NULL; 1656 int ret = SSH_ERR_INTERNAL_ERROR; 1657 1658 if (pkp != NULL) 1659 *pkp = NULL; 1660 1661 switch (k->type) { 1662 #ifdef WITH_OPENSSL 1663 case KEY_DSA: 1664 case KEY_DSA_CERT_V00: 1665 case KEY_DSA_CERT: 1666 if ((n = sshkey_new(k->type)) == NULL) 1667 return SSH_ERR_ALLOC_FAIL; 1668 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1669 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1670 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1671 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1672 sshkey_free(n); 1673 return SSH_ERR_ALLOC_FAIL; 1674 } 1675 break; 1676 case KEY_ECDSA: 1677 case KEY_ECDSA_CERT: 1678 if ((n = sshkey_new(k->type)) == NULL) 1679 return SSH_ERR_ALLOC_FAIL; 1680 n->ecdsa_nid = k->ecdsa_nid; 1681 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1682 if (n->ecdsa == NULL) { 1683 sshkey_free(n); 1684 return SSH_ERR_ALLOC_FAIL; 1685 } 1686 if (EC_KEY_set_public_key(n->ecdsa, 1687 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1688 sshkey_free(n); 1689 return SSH_ERR_LIBCRYPTO_ERROR; 1690 } 1691 break; 1692 case KEY_RSA: 1693 case KEY_RSA1: 1694 case KEY_RSA_CERT_V00: 1695 case KEY_RSA_CERT: 1696 if ((n = sshkey_new(k->type)) == NULL) 1697 return SSH_ERR_ALLOC_FAIL; 1698 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1699 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1700 sshkey_free(n); 1701 return SSH_ERR_ALLOC_FAIL; 1702 } 1703 break; 1704 #endif /* WITH_OPENSSL */ 1705 case KEY_ED25519: 1706 case KEY_ED25519_CERT: 1707 if ((n = sshkey_new(k->type)) == NULL) 1708 return SSH_ERR_ALLOC_FAIL; 1709 if (k->ed25519_pk != NULL) { 1710 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1711 sshkey_free(n); 1712 return SSH_ERR_ALLOC_FAIL; 1713 } 1714 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1715 } 1716 break; 1717 default: 1718 return SSH_ERR_KEY_TYPE_UNKNOWN; 1719 } 1720 if (sshkey_is_cert(k)) { 1721 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1722 sshkey_free(n); 1723 return ret; 1724 } 1725 } 1726 *pkp = n; 1727 return 0; 1728 } 1729 1730 static int 1731 cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob, 1732 size_t blen) 1733 { 1734 struct sshbuf *principals = NULL, *crit = NULL, *exts = NULL; 1735 u_char *sig_key = NULL, *sig = NULL; 1736 size_t signed_len = 0, sklen = 0, slen = 0, kidlen = 0; 1737 int ret = SSH_ERR_INTERNAL_ERROR; 1738 int v00 = sshkey_cert_is_legacy(key); 1739 1740 /* Copy the entire key blob for verification and later serialisation */ 1741 if ((ret = sshbuf_put(key->cert->certblob, blob, blen)) != 0) 1742 return ret; 1743 1744 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || 1745 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1746 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1747 (ret = sshbuf_froms(b, &principals)) != 0 || 1748 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1749 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1750 (ret = sshbuf_froms(b, &crit)) != 0 || 1751 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1752 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || 1753 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1754 (ret = sshbuf_get_string(b, &sig_key, &sklen)) != 0) { 1755 /* XXX debug print error for ret */ 1756 ret = SSH_ERR_INVALID_FORMAT; 1757 goto out; 1758 } 1759 1760 /* Signature is left in the buffer so we can calculate this length */ 1761 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1762 1763 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1764 ret = SSH_ERR_INVALID_FORMAT; 1765 goto out; 1766 } 1767 1768 if (key->cert->type != SSH2_CERT_TYPE_USER && 1769 key->cert->type != SSH2_CERT_TYPE_HOST) { 1770 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1771 goto out; 1772 } 1773 1774 /* Parse principals section */ 1775 while (sshbuf_len(principals) > 0) { 1776 char *principal = NULL; 1777 char **oprincipals = NULL; 1778 1779 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1780 ret = SSH_ERR_INVALID_FORMAT; 1781 goto out; 1782 } 1783 if ((ret = sshbuf_get_cstring(principals, &principal, 1784 NULL)) != 0) { 1785 ret = SSH_ERR_INVALID_FORMAT; 1786 goto out; 1787 } 1788 oprincipals = key->cert->principals; 1789 key->cert->principals = realloc(key->cert->principals, 1790 (key->cert->nprincipals + 1) * 1791 sizeof(*key->cert->principals)); 1792 if (key->cert->principals == NULL) { 1793 free(principal); 1794 key->cert->principals = oprincipals; 1795 ret = SSH_ERR_ALLOC_FAIL; 1796 goto out; 1797 } 1798 key->cert->principals[key->cert->nprincipals++] = principal; 1799 } 1800 1801 /* 1802 * Stash a copies of the critical options and extensions sections 1803 * for later use. 1804 */ 1805 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1806 (exts != NULL && 1807 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1808 goto out; 1809 1810 /* 1811 * Validate critical options and extensions sections format. 1812 * NB. extensions are not present in v00 certs. 1813 */ 1814 while (sshbuf_len(crit) != 0) { 1815 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1816 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1817 sshbuf_reset(key->cert->critical); 1818 ret = SSH_ERR_INVALID_FORMAT; 1819 goto out; 1820 } 1821 } 1822 while (exts != NULL && sshbuf_len(exts) != 0) { 1823 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1824 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1825 sshbuf_reset(key->cert->extensions); 1826 ret = SSH_ERR_INVALID_FORMAT; 1827 goto out; 1828 } 1829 } 1830 1831 /* Parse CA key and check signature */ 1832 if (sshkey_from_blob_internal(sig_key, sklen, 1833 &key->cert->signature_key, 0) != 0) { 1834 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1835 goto out; 1836 } 1837 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1838 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1839 goto out; 1840 } 1841 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1842 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1843 goto out; 1844 1845 /* Success */ 1846 ret = 0; 1847 out: 1848 sshbuf_free(crit); 1849 sshbuf_free(exts); 1850 sshbuf_free(principals); 1851 free(sig_key); 1852 free(sig); 1853 return ret; 1854 } 1855 1856 static int 1857 sshkey_from_blob_internal(const u_char *blob, size_t blen, 1858 struct sshkey **keyp, int allow_cert) 1859 { 1860 struct sshbuf *b = NULL; 1861 int type, nid = -1, ret = SSH_ERR_INTERNAL_ERROR; 1862 char *ktype = NULL, *curve = NULL; 1863 struct sshkey *key = NULL; 1864 size_t len; 1865 u_char *pk = NULL; 1866 #ifdef WITH_OPENSSL 1867 EC_POINT *q = NULL; 1868 #endif /* WITH_OPENSSL */ 1869 1870 #ifdef DEBUG_PK /* XXX */ 1871 dump_base64(stderr, blob, blen); 1872 #endif 1873 *keyp = NULL; 1874 if ((b = sshbuf_from(blob, blen)) == NULL) 1875 return SSH_ERR_ALLOC_FAIL; 1876 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1877 ret = SSH_ERR_INVALID_FORMAT; 1878 goto out; 1879 } 1880 1881 type = sshkey_type_from_name(ktype); 1882 if (sshkey_type_plain(type) == KEY_ECDSA) 1883 nid = sshkey_ecdsa_nid_from_name(ktype); 1884 if (!allow_cert && sshkey_type_is_cert(type)) { 1885 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1886 goto out; 1887 } 1888 switch (type) { 1889 #ifdef WITH_OPENSSL 1890 case KEY_RSA_CERT: 1891 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1892 ret = SSH_ERR_INVALID_FORMAT; 1893 goto out; 1894 } 1895 /* FALLTHROUGH */ 1896 case KEY_RSA: 1897 case KEY_RSA_CERT_V00: 1898 if ((key = sshkey_new(type)) == NULL) { 1899 ret = SSH_ERR_ALLOC_FAIL; 1900 goto out; 1901 } 1902 if (sshbuf_get_bignum2(b, key->rsa->e) == -1 || 1903 sshbuf_get_bignum2(b, key->rsa->n) == -1) { 1904 ret = SSH_ERR_INVALID_FORMAT; 1905 goto out; 1906 } 1907 #ifdef DEBUG_PK 1908 RSA_print_fp(stderr, key->rsa, 8); 1909 #endif 1910 break; 1911 case KEY_DSA_CERT: 1912 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1913 ret = SSH_ERR_INVALID_FORMAT; 1914 goto out; 1915 } 1916 /* FALLTHROUGH */ 1917 case KEY_DSA: 1918 case KEY_DSA_CERT_V00: 1919 if ((key = sshkey_new(type)) == NULL) { 1920 ret = SSH_ERR_ALLOC_FAIL; 1921 goto out; 1922 } 1923 if (sshbuf_get_bignum2(b, key->dsa->p) == -1 || 1924 sshbuf_get_bignum2(b, key->dsa->q) == -1 || 1925 sshbuf_get_bignum2(b, key->dsa->g) == -1 || 1926 sshbuf_get_bignum2(b, key->dsa->pub_key) == -1) { 1927 ret = SSH_ERR_INVALID_FORMAT; 1928 goto out; 1929 } 1930 #ifdef DEBUG_PK 1931 DSA_print_fp(stderr, key->dsa, 8); 1932 #endif 1933 break; 1934 case KEY_ECDSA_CERT: 1935 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1936 ret = SSH_ERR_INVALID_FORMAT; 1937 goto out; 1938 } 1939 /* FALLTHROUGH */ 1940 case KEY_ECDSA: 1941 if ((key = sshkey_new(type)) == NULL) { 1942 ret = SSH_ERR_ALLOC_FAIL; 1943 goto out; 1944 } 1945 key->ecdsa_nid = nid; 1946 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 1947 ret = SSH_ERR_INVALID_FORMAT; 1948 goto out; 1949 } 1950 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 1951 ret = SSH_ERR_EC_CURVE_MISMATCH; 1952 goto out; 1953 } 1954 if (key->ecdsa != NULL) 1955 EC_KEY_free(key->ecdsa); 1956 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1957 == NULL) { 1958 ret = SSH_ERR_EC_CURVE_INVALID; 1959 goto out; 1960 } 1961 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 1962 ret = SSH_ERR_ALLOC_FAIL; 1963 goto out; 1964 } 1965 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 1966 ret = SSH_ERR_INVALID_FORMAT; 1967 goto out; 1968 } 1969 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1970 q) != 0) { 1971 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 1972 goto out; 1973 } 1974 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 1975 /* XXX assume it is a allocation error */ 1976 ret = SSH_ERR_ALLOC_FAIL; 1977 goto out; 1978 } 1979 #ifdef DEBUG_PK 1980 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1981 #endif 1982 break; 1983 #endif /* WITH_OPENSSL */ 1984 case KEY_ED25519_CERT: 1985 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1986 ret = SSH_ERR_INVALID_FORMAT; 1987 goto out; 1988 } 1989 /* FALLTHROUGH */ 1990 case KEY_ED25519: 1991 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 1992 goto out; 1993 if (len != ED25519_PK_SZ) { 1994 ret = SSH_ERR_INVALID_FORMAT; 1995 goto out; 1996 } 1997 if ((key = sshkey_new(type)) == NULL) { 1998 ret = SSH_ERR_ALLOC_FAIL; 1999 goto out; 2000 } 2001 key->ed25519_pk = pk; 2002 pk = NULL; 2003 break; 2004 case KEY_UNSPEC: 2005 if ((key = sshkey_new(type)) == NULL) { 2006 ret = SSH_ERR_ALLOC_FAIL; 2007 goto out; 2008 } 2009 break; 2010 default: 2011 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2012 goto out; 2013 } 2014 2015 /* Parse certificate potion */ 2016 if (sshkey_is_cert(key) && 2017 (ret = cert_parse(b, key, blob, blen)) != 0) 2018 goto out; 2019 2020 if (key != NULL && sshbuf_len(b) != 0) { 2021 ret = SSH_ERR_INVALID_FORMAT; 2022 goto out; 2023 } 2024 ret = 0; 2025 *keyp = key; 2026 key = NULL; 2027 out: 2028 sshbuf_free(b); 2029 sshkey_free(key); 2030 free(ktype); 2031 free(curve); 2032 free(pk); 2033 #ifdef WITH_OPENSSL 2034 if (q != NULL) 2035 EC_POINT_free(q); 2036 #endif /* WITH_OPENSSL */ 2037 return ret; 2038 } 2039 2040 int 2041 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2042 { 2043 return sshkey_from_blob_internal(blob, blen, keyp, 1); 2044 } 2045 2046 int 2047 sshkey_sign(const struct sshkey *key, 2048 u_char **sigp, size_t *lenp, 2049 const u_char *data, size_t datalen, u_int compat) 2050 { 2051 if (sigp != NULL) 2052 *sigp = NULL; 2053 if (lenp != NULL) 2054 *lenp = 0; 2055 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2056 return SSH_ERR_INVALID_ARGUMENT; 2057 switch (key->type) { 2058 #ifdef WITH_OPENSSL 2059 case KEY_DSA_CERT_V00: 2060 case KEY_DSA_CERT: 2061 case KEY_DSA: 2062 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2063 case KEY_ECDSA_CERT: 2064 case KEY_ECDSA: 2065 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2066 case KEY_RSA_CERT_V00: 2067 case KEY_RSA_CERT: 2068 case KEY_RSA: 2069 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2070 #endif /* WITH_OPENSSL */ 2071 case KEY_ED25519: 2072 case KEY_ED25519_CERT: 2073 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2074 default: 2075 return SSH_ERR_KEY_TYPE_UNKNOWN; 2076 } 2077 } 2078 2079 /* 2080 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2081 */ 2082 int 2083 sshkey_verify(const struct sshkey *key, 2084 const u_char *sig, size_t siglen, 2085 const u_char *data, size_t dlen, u_int compat) 2086 { 2087 if (siglen == 0) 2088 return -1; 2089 2090 if (dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2091 return SSH_ERR_INVALID_ARGUMENT; 2092 switch (key->type) { 2093 #ifdef WITH_OPENSSL 2094 case KEY_DSA_CERT_V00: 2095 case KEY_DSA_CERT: 2096 case KEY_DSA: 2097 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2098 case KEY_ECDSA_CERT: 2099 case KEY_ECDSA: 2100 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2101 case KEY_RSA_CERT_V00: 2102 case KEY_RSA_CERT: 2103 case KEY_RSA: 2104 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2105 #endif /* WITH_OPENSSL */ 2106 case KEY_ED25519: 2107 case KEY_ED25519_CERT: 2108 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2109 default: 2110 return SSH_ERR_KEY_TYPE_UNKNOWN; 2111 } 2112 } 2113 2114 /* Converts a private to a public key */ 2115 int 2116 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2117 { 2118 struct sshkey *pk; 2119 int ret = SSH_ERR_INTERNAL_ERROR; 2120 2121 if (dkp != NULL) 2122 *dkp = NULL; 2123 2124 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2125 return SSH_ERR_ALLOC_FAIL; 2126 pk->type = k->type; 2127 pk->flags = k->flags; 2128 pk->ecdsa_nid = k->ecdsa_nid; 2129 pk->dsa = NULL; 2130 pk->ecdsa = NULL; 2131 pk->rsa = NULL; 2132 pk->ed25519_pk = NULL; 2133 pk->ed25519_sk = NULL; 2134 2135 switch (k->type) { 2136 #ifdef WITH_OPENSSL 2137 case KEY_RSA_CERT_V00: 2138 case KEY_RSA_CERT: 2139 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2140 goto fail; 2141 /* FALLTHROUGH */ 2142 case KEY_RSA1: 2143 case KEY_RSA: 2144 if ((pk->rsa = RSA_new()) == NULL || 2145 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2146 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2147 ret = SSH_ERR_ALLOC_FAIL; 2148 goto fail; 2149 } 2150 break; 2151 case KEY_DSA_CERT_V00: 2152 case KEY_DSA_CERT: 2153 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2154 goto fail; 2155 /* FALLTHROUGH */ 2156 case KEY_DSA: 2157 if ((pk->dsa = DSA_new()) == NULL || 2158 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2159 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2160 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2161 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2162 ret = SSH_ERR_ALLOC_FAIL; 2163 goto fail; 2164 } 2165 break; 2166 case KEY_ECDSA_CERT: 2167 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2168 goto fail; 2169 /* FALLTHROUGH */ 2170 case KEY_ECDSA: 2171 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2172 if (pk->ecdsa == NULL) { 2173 ret = SSH_ERR_ALLOC_FAIL; 2174 goto fail; 2175 } 2176 if (EC_KEY_set_public_key(pk->ecdsa, 2177 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2178 ret = SSH_ERR_LIBCRYPTO_ERROR; 2179 goto fail; 2180 } 2181 break; 2182 #endif /* WITH_OPENSSL */ 2183 case KEY_ED25519_CERT: 2184 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2185 goto fail; 2186 /* FALLTHROUGH */ 2187 case KEY_ED25519: 2188 if (k->ed25519_pk != NULL) { 2189 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2190 ret = SSH_ERR_ALLOC_FAIL; 2191 goto fail; 2192 } 2193 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2194 } 2195 break; 2196 default: 2197 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2198 fail: 2199 sshkey_free(pk); 2200 return ret; 2201 } 2202 *dkp = pk; 2203 return 0; 2204 } 2205 2206 /* Convert a plain key to their _CERT equivalent */ 2207 int 2208 sshkey_to_certified(struct sshkey *k, int legacy) 2209 { 2210 int newtype; 2211 2212 switch (k->type) { 2213 #ifdef WITH_OPENSSL 2214 case KEY_RSA: 2215 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 2216 break; 2217 case KEY_DSA: 2218 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 2219 break; 2220 case KEY_ECDSA: 2221 if (legacy) 2222 return SSH_ERR_INVALID_ARGUMENT; 2223 newtype = KEY_ECDSA_CERT; 2224 break; 2225 #endif /* WITH_OPENSSL */ 2226 case KEY_ED25519: 2227 if (legacy) 2228 return SSH_ERR_INVALID_ARGUMENT; 2229 newtype = KEY_ED25519_CERT; 2230 break; 2231 default: 2232 return SSH_ERR_INVALID_ARGUMENT; 2233 } 2234 if ((k->cert = cert_new()) == NULL) 2235 return SSH_ERR_ALLOC_FAIL; 2236 k->type = newtype; 2237 return 0; 2238 } 2239 2240 /* Convert a certificate to its raw key equivalent */ 2241 int 2242 sshkey_drop_cert(struct sshkey *k) 2243 { 2244 if (!sshkey_type_is_cert(k->type)) 2245 return SSH_ERR_KEY_TYPE_UNKNOWN; 2246 cert_free(k->cert); 2247 k->cert = NULL; 2248 k->type = sshkey_type_plain(k->type); 2249 return 0; 2250 } 2251 2252 /* Sign a certified key, (re-)generating the signed certblob. */ 2253 int 2254 sshkey_certify(struct sshkey *k, struct sshkey *ca) 2255 { 2256 struct sshbuf *principals = NULL; 2257 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2258 size_t i, ca_len, sig_len; 2259 int ret = SSH_ERR_INTERNAL_ERROR; 2260 struct sshbuf *cert; 2261 2262 if (k == NULL || k->cert == NULL || 2263 k->cert->certblob == NULL || ca == NULL) 2264 return SSH_ERR_INVALID_ARGUMENT; 2265 if (!sshkey_is_cert(k)) 2266 return SSH_ERR_KEY_TYPE_UNKNOWN; 2267 if (!sshkey_type_is_valid_ca(ca->type)) 2268 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2269 2270 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2271 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2272 2273 cert = k->cert->certblob; /* for readability */ 2274 sshbuf_reset(cert); 2275 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2276 goto out; 2277 2278 /* -v01 certs put nonce first */ 2279 arc4random_buf(&nonce, sizeof(nonce)); 2280 if (!sshkey_cert_is_legacy(k)) { 2281 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2282 goto out; 2283 } 2284 2285 /* XXX this substantially duplicates to_blob(); refactor */ 2286 switch (k->type) { 2287 #ifdef WITH_OPENSSL 2288 case KEY_DSA_CERT_V00: 2289 case KEY_DSA_CERT: 2290 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2291 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2292 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2293 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2294 goto out; 2295 break; 2296 case KEY_ECDSA_CERT: 2297 if ((ret = sshbuf_put_cstring(cert, 2298 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2299 (ret = sshbuf_put_ec(cert, 2300 EC_KEY_get0_public_key(k->ecdsa), 2301 EC_KEY_get0_group(k->ecdsa))) != 0) 2302 goto out; 2303 break; 2304 case KEY_RSA_CERT_V00: 2305 case KEY_RSA_CERT: 2306 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2307 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2308 goto out; 2309 break; 2310 #endif /* WITH_OPENSSL */ 2311 case KEY_ED25519_CERT: 2312 if ((ret = sshbuf_put_string(cert, 2313 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2314 goto out; 2315 break; 2316 default: 2317 ret = SSH_ERR_INVALID_ARGUMENT; 2318 } 2319 2320 /* -v01 certs have a serial number next */ 2321 if (!sshkey_cert_is_legacy(k)) { 2322 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) 2323 goto out; 2324 } 2325 2326 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2327 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2328 goto out; 2329 2330 if ((principals = sshbuf_new()) == NULL) { 2331 ret = SSH_ERR_ALLOC_FAIL; 2332 goto out; 2333 } 2334 for (i = 0; i < k->cert->nprincipals; i++) { 2335 if ((ret = sshbuf_put_cstring(principals, 2336 k->cert->principals[i])) != 0) 2337 goto out; 2338 } 2339 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2340 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2341 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2342 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2343 goto out; 2344 2345 /* -v01 certs have non-critical options here */ 2346 if (!sshkey_cert_is_legacy(k)) { 2347 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) 2348 goto out; 2349 } 2350 2351 /* -v00 certs put the nonce at the end */ 2352 if (sshkey_cert_is_legacy(k)) { 2353 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2354 goto out; 2355 } 2356 2357 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2358 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2359 goto out; 2360 2361 /* Sign the whole mess */ 2362 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2363 sshbuf_len(cert), 0)) != 0) 2364 goto out; 2365 2366 /* Append signature and we are done */ 2367 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2368 goto out; 2369 ret = 0; 2370 out: 2371 if (ret != 0) 2372 sshbuf_reset(cert); 2373 if (sig_blob != NULL) 2374 free(sig_blob); 2375 if (ca_blob != NULL) 2376 free(ca_blob); 2377 if (principals != NULL) 2378 sshbuf_free(principals); 2379 return ret; 2380 } 2381 2382 int 2383 sshkey_cert_check_authority(const struct sshkey *k, 2384 int want_host, int require_principal, 2385 const char *name, const char **reason) 2386 { 2387 u_int i, principal_matches; 2388 time_t now = time(NULL); 2389 2390 if (reason != NULL) 2391 *reason = NULL; 2392 2393 if (want_host) { 2394 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2395 *reason = "Certificate invalid: not a host certificate"; 2396 return SSH_ERR_KEY_CERT_INVALID; 2397 } 2398 } else { 2399 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2400 *reason = "Certificate invalid: not a user certificate"; 2401 return SSH_ERR_KEY_CERT_INVALID; 2402 } 2403 } 2404 if (now < 0) { 2405 /* yikes - system clock before epoch! */ 2406 *reason = "Certificate invalid: not yet valid"; 2407 return SSH_ERR_KEY_CERT_INVALID; 2408 } 2409 if ((u_int64_t)now < k->cert->valid_after) { 2410 *reason = "Certificate invalid: not yet valid"; 2411 return SSH_ERR_KEY_CERT_INVALID; 2412 } 2413 if ((u_int64_t)now >= k->cert->valid_before) { 2414 *reason = "Certificate invalid: expired"; 2415 return SSH_ERR_KEY_CERT_INVALID; 2416 } 2417 if (k->cert->nprincipals == 0) { 2418 if (require_principal) { 2419 *reason = "Certificate lacks principal list"; 2420 return SSH_ERR_KEY_CERT_INVALID; 2421 } 2422 } else if (name != NULL) { 2423 principal_matches = 0; 2424 for (i = 0; i < k->cert->nprincipals; i++) { 2425 if (strcmp(name, k->cert->principals[i]) == 0) { 2426 principal_matches = 1; 2427 break; 2428 } 2429 } 2430 if (!principal_matches) { 2431 *reason = "Certificate invalid: name is not a listed " 2432 "principal"; 2433 return SSH_ERR_KEY_CERT_INVALID; 2434 } 2435 } 2436 return 0; 2437 } 2438 2439 int 2440 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2441 { 2442 int r = SSH_ERR_INTERNAL_ERROR; 2443 2444 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2445 goto out; 2446 switch (key->type) { 2447 #ifdef WITH_OPENSSL 2448 case KEY_RSA: 2449 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2450 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2451 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2452 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2453 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2454 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2455 goto out; 2456 break; 2457 case KEY_RSA_CERT_V00: 2458 case KEY_RSA_CERT: 2459 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2460 r = SSH_ERR_INVALID_ARGUMENT; 2461 goto out; 2462 } 2463 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2464 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2465 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2466 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2467 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2468 goto out; 2469 break; 2470 case KEY_DSA: 2471 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2472 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2473 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2474 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2475 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2476 goto out; 2477 break; 2478 case KEY_DSA_CERT_V00: 2479 case KEY_DSA_CERT: 2480 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2481 r = SSH_ERR_INVALID_ARGUMENT; 2482 goto out; 2483 } 2484 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2485 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2486 goto out; 2487 break; 2488 case KEY_ECDSA: 2489 if ((r = sshbuf_put_cstring(b, 2490 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2491 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2492 (r = sshbuf_put_bignum2(b, 2493 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2494 goto out; 2495 break; 2496 case KEY_ECDSA_CERT: 2497 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2498 r = SSH_ERR_INVALID_ARGUMENT; 2499 goto out; 2500 } 2501 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2502 (r = sshbuf_put_bignum2(b, 2503 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2504 goto out; 2505 break; 2506 #endif /* WITH_OPENSSL */ 2507 case KEY_ED25519: 2508 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2509 ED25519_PK_SZ)) != 0 || 2510 (r = sshbuf_put_string(b, key->ed25519_sk, 2511 ED25519_SK_SZ)) != 0) 2512 goto out; 2513 break; 2514 case KEY_ED25519_CERT: 2515 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2516 r = SSH_ERR_INVALID_ARGUMENT; 2517 goto out; 2518 } 2519 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2520 (r = sshbuf_put_string(b, key->ed25519_pk, 2521 ED25519_PK_SZ)) != 0 || 2522 (r = sshbuf_put_string(b, key->ed25519_sk, 2523 ED25519_SK_SZ)) != 0) 2524 goto out; 2525 break; 2526 default: 2527 r = SSH_ERR_INVALID_ARGUMENT; 2528 goto out; 2529 } 2530 /* success */ 2531 r = 0; 2532 out: 2533 return r; 2534 } 2535 2536 int 2537 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2538 { 2539 char *tname = NULL, *curve = NULL; 2540 struct sshkey *k = NULL; 2541 const u_char *cert; 2542 size_t len, pklen = 0, sklen = 0; 2543 int type, r = SSH_ERR_INTERNAL_ERROR; 2544 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2545 #ifdef WITH_OPENSSL 2546 BIGNUM *exponent = NULL; 2547 #endif /* WITH_OPENSSL */ 2548 2549 if (kp != NULL) 2550 *kp = NULL; 2551 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2552 goto out; 2553 type = sshkey_type_from_name(tname); 2554 switch (type) { 2555 #ifdef WITH_OPENSSL 2556 case KEY_DSA: 2557 if ((k = sshkey_new_private(type)) == NULL) { 2558 r = SSH_ERR_ALLOC_FAIL; 2559 goto out; 2560 } 2561 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2562 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2563 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2564 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2565 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2566 goto out; 2567 break; 2568 case KEY_DSA_CERT_V00: 2569 case KEY_DSA_CERT: 2570 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2571 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2572 (r = sshkey_add_private(k)) != 0 || 2573 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2574 goto out; 2575 break; 2576 case KEY_ECDSA: 2577 if ((k = sshkey_new_private(type)) == NULL) { 2578 r = SSH_ERR_ALLOC_FAIL; 2579 goto out; 2580 } 2581 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2582 r = SSH_ERR_INVALID_ARGUMENT; 2583 goto out; 2584 } 2585 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2586 goto out; 2587 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2588 r = SSH_ERR_EC_CURVE_MISMATCH; 2589 goto out; 2590 } 2591 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2592 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2593 r = SSH_ERR_LIBCRYPTO_ERROR; 2594 goto out; 2595 } 2596 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2597 (r = sshbuf_get_bignum2(buf, exponent))) 2598 goto out; 2599 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2600 r = SSH_ERR_LIBCRYPTO_ERROR; 2601 goto out; 2602 } 2603 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2604 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2605 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2606 goto out; 2607 break; 2608 case KEY_ECDSA_CERT: 2609 if ((exponent = BN_new()) == NULL) { 2610 r = SSH_ERR_LIBCRYPTO_ERROR; 2611 goto out; 2612 } 2613 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2614 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2615 (r = sshkey_add_private(k)) != 0 || 2616 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2617 goto out; 2618 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2619 r = SSH_ERR_LIBCRYPTO_ERROR; 2620 goto out; 2621 } 2622 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2623 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2624 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2625 goto out; 2626 break; 2627 case KEY_RSA: 2628 if ((k = sshkey_new_private(type)) == NULL) { 2629 r = SSH_ERR_ALLOC_FAIL; 2630 goto out; 2631 } 2632 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2633 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2634 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2635 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2636 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2637 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2638 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2639 goto out; 2640 break; 2641 case KEY_RSA_CERT_V00: 2642 case KEY_RSA_CERT: 2643 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2644 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2645 (r = sshkey_add_private(k)) != 0 || 2646 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2647 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2648 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2649 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2650 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2651 goto out; 2652 break; 2653 #endif /* WITH_OPENSSL */ 2654 case KEY_ED25519: 2655 if ((k = sshkey_new_private(type)) == NULL) { 2656 r = SSH_ERR_ALLOC_FAIL; 2657 goto out; 2658 } 2659 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2660 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2661 goto out; 2662 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2663 r = SSH_ERR_INVALID_FORMAT; 2664 goto out; 2665 } 2666 k->ed25519_pk = ed25519_pk; 2667 k->ed25519_sk = ed25519_sk; 2668 ed25519_pk = ed25519_sk = NULL; 2669 break; 2670 case KEY_ED25519_CERT: 2671 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2672 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2673 (r = sshkey_add_private(k)) != 0 || 2674 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2675 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2676 goto out; 2677 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2678 r = SSH_ERR_INVALID_FORMAT; 2679 goto out; 2680 } 2681 k->ed25519_pk = ed25519_pk; 2682 k->ed25519_sk = ed25519_sk; 2683 ed25519_pk = ed25519_sk = NULL; 2684 break; 2685 default: 2686 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2687 goto out; 2688 } 2689 #ifdef WITH_OPENSSL 2690 /* enable blinding */ 2691 switch (k->type) { 2692 case KEY_RSA: 2693 case KEY_RSA_CERT_V00: 2694 case KEY_RSA_CERT: 2695 case KEY_RSA1: 2696 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2697 r = SSH_ERR_LIBCRYPTO_ERROR; 2698 goto out; 2699 } 2700 break; 2701 } 2702 #endif /* WITH_OPENSSL */ 2703 /* success */ 2704 r = 0; 2705 if (kp != NULL) { 2706 *kp = k; 2707 k = NULL; 2708 } 2709 out: 2710 free(tname); 2711 free(curve); 2712 #ifdef WITH_OPENSSL 2713 if (exponent != NULL) 2714 BN_clear_free(exponent); 2715 #endif /* WITH_OPENSSL */ 2716 sshkey_free(k); 2717 if (ed25519_pk != NULL) { 2718 explicit_bzero(ed25519_pk, pklen); 2719 free(ed25519_pk); 2720 } 2721 if (ed25519_sk != NULL) { 2722 explicit_bzero(ed25519_sk, sklen); 2723 free(ed25519_sk); 2724 } 2725 return r; 2726 } 2727 2728 #ifdef WITH_OPENSSL 2729 int 2730 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2731 { 2732 BN_CTX *bnctx; 2733 EC_POINT *nq = NULL; 2734 BIGNUM *order, *x, *y, *tmp; 2735 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2736 2737 if ((bnctx = BN_CTX_new()) == NULL) 2738 return SSH_ERR_ALLOC_FAIL; 2739 BN_CTX_start(bnctx); 2740 2741 /* 2742 * We shouldn't ever hit this case because bignum_get_ecpoint() 2743 * refuses to load GF2m points. 2744 */ 2745 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2746 NID_X9_62_prime_field) 2747 goto out; 2748 2749 /* Q != infinity */ 2750 if (EC_POINT_is_at_infinity(group, public)) 2751 goto out; 2752 2753 if ((x = BN_CTX_get(bnctx)) == NULL || 2754 (y = BN_CTX_get(bnctx)) == NULL || 2755 (order = BN_CTX_get(bnctx)) == NULL || 2756 (tmp = BN_CTX_get(bnctx)) == NULL) { 2757 ret = SSH_ERR_ALLOC_FAIL; 2758 goto out; 2759 } 2760 2761 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2762 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2763 EC_POINT_get_affine_coordinates_GFp(group, public, 2764 x, y, bnctx) != 1) { 2765 ret = SSH_ERR_LIBCRYPTO_ERROR; 2766 goto out; 2767 } 2768 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2769 BN_num_bits(y) <= BN_num_bits(order) / 2) 2770 goto out; 2771 2772 /* nQ == infinity (n == order of subgroup) */ 2773 if ((nq = EC_POINT_new(group)) == NULL) { 2774 ret = SSH_ERR_ALLOC_FAIL; 2775 goto out; 2776 } 2777 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2778 ret = SSH_ERR_LIBCRYPTO_ERROR; 2779 goto out; 2780 } 2781 if (EC_POINT_is_at_infinity(group, nq) != 1) 2782 goto out; 2783 2784 /* x < order - 1, y < order - 1 */ 2785 if (!BN_sub(tmp, order, BN_value_one())) { 2786 ret = SSH_ERR_LIBCRYPTO_ERROR; 2787 goto out; 2788 } 2789 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2790 goto out; 2791 ret = 0; 2792 out: 2793 BN_CTX_free(bnctx); 2794 if (nq != NULL) 2795 EC_POINT_free(nq); 2796 return ret; 2797 } 2798 2799 int 2800 sshkey_ec_validate_private(const EC_KEY *key) 2801 { 2802 BN_CTX *bnctx; 2803 BIGNUM *order, *tmp; 2804 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2805 2806 if ((bnctx = BN_CTX_new()) == NULL) 2807 return SSH_ERR_ALLOC_FAIL; 2808 BN_CTX_start(bnctx); 2809 2810 if ((order = BN_CTX_get(bnctx)) == NULL || 2811 (tmp = BN_CTX_get(bnctx)) == NULL) { 2812 ret = SSH_ERR_ALLOC_FAIL; 2813 goto out; 2814 } 2815 2816 /* log2(private) > log2(order)/2 */ 2817 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2818 ret = SSH_ERR_LIBCRYPTO_ERROR; 2819 goto out; 2820 } 2821 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2822 BN_num_bits(order) / 2) 2823 goto out; 2824 2825 /* private < order - 1 */ 2826 if (!BN_sub(tmp, order, BN_value_one())) { 2827 ret = SSH_ERR_LIBCRYPTO_ERROR; 2828 goto out; 2829 } 2830 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2831 goto out; 2832 ret = 0; 2833 out: 2834 BN_CTX_free(bnctx); 2835 return ret; 2836 } 2837 2838 void 2839 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2840 { 2841 BIGNUM *x, *y; 2842 BN_CTX *bnctx; 2843 2844 if (point == NULL) { 2845 fputs("point=(NULL)\n", stderr); 2846 return; 2847 } 2848 if ((bnctx = BN_CTX_new()) == NULL) { 2849 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2850 return; 2851 } 2852 BN_CTX_start(bnctx); 2853 if ((x = BN_CTX_get(bnctx)) == NULL || 2854 (y = BN_CTX_get(bnctx)) == NULL) { 2855 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2856 return; 2857 } 2858 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2859 NID_X9_62_prime_field) { 2860 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2861 return; 2862 } 2863 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2864 bnctx) != 1) { 2865 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2866 __func__); 2867 return; 2868 } 2869 fputs("x=", stderr); 2870 BN_print_fp(stderr, x); 2871 fputs("\ny=", stderr); 2872 BN_print_fp(stderr, y); 2873 fputs("\n", stderr); 2874 BN_CTX_free(bnctx); 2875 } 2876 2877 void 2878 sshkey_dump_ec_key(const EC_KEY *key) 2879 { 2880 const BIGNUM *exponent; 2881 2882 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2883 EC_KEY_get0_public_key(key)); 2884 fputs("exponent=", stderr); 2885 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2886 fputs("(NULL)", stderr); 2887 else 2888 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2889 fputs("\n", stderr); 2890 } 2891 #endif /* WITH_OPENSSL */ 2892 2893 static int 2894 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2895 const char *passphrase, const char *comment, const char *ciphername, 2896 int rounds) 2897 { 2898 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2899 u_char salt[SALT_LEN]; 2900 char *b64 = NULL; 2901 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2902 u_int check; 2903 int r = SSH_ERR_INTERNAL_ERROR; 2904 struct sshcipher_ctx ciphercontext; 2905 const struct sshcipher *cipher; 2906 const char *kdfname = KDFNAME; 2907 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2908 2909 memset(&ciphercontext, 0, sizeof(ciphercontext)); 2910 2911 if (rounds <= 0) 2912 rounds = DEFAULT_ROUNDS; 2913 if (passphrase == NULL || !strlen(passphrase)) { 2914 ciphername = "none"; 2915 kdfname = "none"; 2916 } else if (ciphername == NULL) 2917 ciphername = DEFAULT_CIPHERNAME; 2918 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 2919 r = SSH_ERR_INVALID_ARGUMENT; 2920 goto out; 2921 } 2922 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2923 r = SSH_ERR_INTERNAL_ERROR; 2924 goto out; 2925 } 2926 2927 if ((kdf = sshbuf_new()) == NULL || 2928 (encoded = sshbuf_new()) == NULL || 2929 (encrypted = sshbuf_new()) == NULL) { 2930 r = SSH_ERR_ALLOC_FAIL; 2931 goto out; 2932 } 2933 blocksize = cipher_blocksize(cipher); 2934 keylen = cipher_keylen(cipher); 2935 ivlen = cipher_ivlen(cipher); 2936 authlen = cipher_authlen(cipher); 2937 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2938 r = SSH_ERR_ALLOC_FAIL; 2939 goto out; 2940 } 2941 if (strcmp(kdfname, "bcrypt") == 0) { 2942 arc4random_buf(salt, SALT_LEN); 2943 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2944 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2945 r = SSH_ERR_INVALID_ARGUMENT; 2946 goto out; 2947 } 2948 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2949 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2950 goto out; 2951 } else if (strcmp(kdfname, "none") != 0) { 2952 /* Unsupported KDF type */ 2953 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2954 goto out; 2955 } 2956 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2957 key + keylen, ivlen, 1)) != 0) 2958 goto out; 2959 2960 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2961 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2962 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2963 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2964 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2965 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2966 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2967 goto out; 2968 2969 /* set up the buffer that will be encrypted */ 2970 2971 /* Random check bytes */ 2972 check = arc4random(); 2973 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2974 (r = sshbuf_put_u32(encrypted, check)) != 0) 2975 goto out; 2976 2977 /* append private key and comment*/ 2978 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 2979 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2980 goto out; 2981 2982 /* padding */ 2983 i = 0; 2984 while (sshbuf_len(encrypted) % blocksize) { 2985 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2986 goto out; 2987 } 2988 2989 /* length in destination buffer */ 2990 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2991 goto out; 2992 2993 /* encrypt */ 2994 if ((r = sshbuf_reserve(encoded, 2995 sshbuf_len(encrypted) + authlen, &cp)) != 0) 2996 goto out; 2997 if ((r = cipher_crypt(&ciphercontext, 0, cp, 2998 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 2999 goto out; 3000 3001 /* uuencode */ 3002 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3003 r = SSH_ERR_ALLOC_FAIL; 3004 goto out; 3005 } 3006 3007 sshbuf_reset(blob); 3008 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3009 goto out; 3010 for (i = 0; i < strlen(b64); i++) { 3011 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3012 goto out; 3013 /* insert line breaks */ 3014 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3015 goto out; 3016 } 3017 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3018 goto out; 3019 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3020 goto out; 3021 3022 /* success */ 3023 r = 0; 3024 3025 out: 3026 sshbuf_free(kdf); 3027 sshbuf_free(encoded); 3028 sshbuf_free(encrypted); 3029 cipher_cleanup(&ciphercontext); 3030 explicit_bzero(salt, sizeof(salt)); 3031 if (key != NULL) { 3032 explicit_bzero(key, keylen + ivlen); 3033 free(key); 3034 } 3035 if (pubkeyblob != NULL) { 3036 explicit_bzero(pubkeyblob, pubkeylen); 3037 free(pubkeyblob); 3038 } 3039 if (b64 != NULL) { 3040 explicit_bzero(b64, strlen(b64)); 3041 free(b64); 3042 } 3043 return r; 3044 } 3045 3046 static int 3047 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3048 struct sshkey **keyp, char **commentp) 3049 { 3050 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3051 const struct sshcipher *cipher = NULL; 3052 const u_char *cp; 3053 int r = SSH_ERR_INTERNAL_ERROR; 3054 size_t encoded_len; 3055 size_t i, keylen = 0, ivlen = 0, slen = 0; 3056 struct sshbuf *encoded = NULL, *decoded = NULL; 3057 struct sshbuf *kdf = NULL, *decrypted = NULL; 3058 struct sshcipher_ctx ciphercontext; 3059 struct sshkey *k = NULL; 3060 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3061 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3062 3063 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3064 if (keyp != NULL) 3065 *keyp = NULL; 3066 if (commentp != NULL) 3067 *commentp = NULL; 3068 3069 if ((encoded = sshbuf_new()) == NULL || 3070 (decoded = sshbuf_new()) == NULL || 3071 (decrypted = sshbuf_new()) == NULL) { 3072 r = SSH_ERR_ALLOC_FAIL; 3073 goto out; 3074 } 3075 3076 /* check preamble */ 3077 cp = sshbuf_ptr(blob); 3078 encoded_len = sshbuf_len(blob); 3079 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3080 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3081 r = SSH_ERR_INVALID_FORMAT; 3082 goto out; 3083 } 3084 cp += MARK_BEGIN_LEN; 3085 encoded_len -= MARK_BEGIN_LEN; 3086 3087 /* Look for end marker, removing whitespace as we go */ 3088 while (encoded_len > 0) { 3089 if (*cp != '\n' && *cp != '\r') { 3090 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3091 goto out; 3092 } 3093 last = *cp; 3094 encoded_len--; 3095 cp++; 3096 if (last == '\n') { 3097 if (encoded_len >= MARK_END_LEN && 3098 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3099 /* \0 terminate */ 3100 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3101 goto out; 3102 break; 3103 } 3104 } 3105 } 3106 if (encoded_len == 0) { 3107 r = SSH_ERR_INVALID_FORMAT; 3108 goto out; 3109 } 3110 3111 /* decode base64 */ 3112 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3113 goto out; 3114 3115 /* check magic */ 3116 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3117 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3118 r = SSH_ERR_INVALID_FORMAT; 3119 goto out; 3120 } 3121 /* parse public portion of key */ 3122 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3123 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3124 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3125 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3126 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3127 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3128 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3129 goto out; 3130 3131 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3132 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3133 goto out; 3134 } 3135 if ((passphrase == NULL || strlen(passphrase) == 0) && 3136 strcmp(ciphername, "none") != 0) { 3137 /* passphrase required */ 3138 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3139 goto out; 3140 } 3141 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3142 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3143 goto out; 3144 } 3145 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3146 r = SSH_ERR_INVALID_FORMAT; 3147 goto out; 3148 } 3149 if (nkeys != 1) { 3150 /* XXX only one key supported */ 3151 r = SSH_ERR_INVALID_FORMAT; 3152 goto out; 3153 } 3154 3155 /* check size of encrypted key blob */ 3156 blocksize = cipher_blocksize(cipher); 3157 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3158 r = SSH_ERR_INVALID_FORMAT; 3159 goto out; 3160 } 3161 3162 /* setup key */ 3163 keylen = cipher_keylen(cipher); 3164 ivlen = cipher_ivlen(cipher); 3165 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3166 r = SSH_ERR_ALLOC_FAIL; 3167 goto out; 3168 } 3169 if (strcmp(kdfname, "bcrypt") == 0) { 3170 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3171 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3172 goto out; 3173 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3174 key, keylen + ivlen, rounds) < 0) { 3175 r = SSH_ERR_INVALID_FORMAT; 3176 goto out; 3177 } 3178 } 3179 3180 /* decrypt private portion of key */ 3181 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3182 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3183 key + keylen, ivlen, 0)) != 0) 3184 goto out; 3185 if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), 3186 sshbuf_len(decoded), 0, cipher_authlen(cipher))) != 0) { 3187 /* an integrity error here indicates an incorrect passphrase */ 3188 if (r == SSH_ERR_MAC_INVALID) 3189 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3190 goto out; 3191 } 3192 if ((r = sshbuf_consume(decoded, encrypted_len)) != 0) 3193 goto out; 3194 /* there should be no trailing data */ 3195 if (sshbuf_len(decoded) != 0) { 3196 r = SSH_ERR_INVALID_FORMAT; 3197 goto out; 3198 } 3199 3200 /* check check bytes */ 3201 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3202 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3203 goto out; 3204 if (check1 != check2) { 3205 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3206 goto out; 3207 } 3208 3209 /* Load the private key and comment */ 3210 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3211 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3212 goto out; 3213 3214 /* Check deterministic padding */ 3215 i = 0; 3216 while (sshbuf_len(decrypted)) { 3217 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3218 goto out; 3219 if (pad != (++i & 0xff)) { 3220 r = SSH_ERR_INVALID_FORMAT; 3221 goto out; 3222 } 3223 } 3224 3225 /* XXX decode pubkey and check against private */ 3226 3227 /* success */ 3228 r = 0; 3229 if (keyp != NULL) { 3230 *keyp = k; 3231 k = NULL; 3232 } 3233 if (commentp != NULL) { 3234 *commentp = comment; 3235 comment = NULL; 3236 } 3237 out: 3238 pad = 0; 3239 cipher_cleanup(&ciphercontext); 3240 free(ciphername); 3241 free(kdfname); 3242 free(comment); 3243 if (salt != NULL) { 3244 explicit_bzero(salt, slen); 3245 free(salt); 3246 } 3247 if (key != NULL) { 3248 explicit_bzero(key, keylen + ivlen); 3249 free(key); 3250 } 3251 sshbuf_free(encoded); 3252 sshbuf_free(decoded); 3253 sshbuf_free(kdf); 3254 sshbuf_free(decrypted); 3255 sshkey_free(k); 3256 return r; 3257 } 3258 3259 #if WITH_SSH1 3260 /* 3261 * Serialises the authentication (private) key to a blob, encrypting it with 3262 * passphrase. The identification of the blob (lowest 64 bits of n) will 3263 * precede the key to provide identification of the key without needing a 3264 * passphrase. 3265 */ 3266 static int 3267 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3268 const char *passphrase, const char *comment) 3269 { 3270 struct sshbuf *buffer = NULL, *encrypted = NULL; 3271 u_char buf[8]; 3272 int r, cipher_num; 3273 struct sshcipher_ctx ciphercontext; 3274 const struct sshcipher *cipher; 3275 u_char *cp; 3276 3277 /* 3278 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3279 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3280 */ 3281 cipher_num = (strcmp(passphrase, "") == 0) ? 3282 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3283 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3284 return SSH_ERR_INTERNAL_ERROR; 3285 3286 /* This buffer is used to build the secret part of the private key. */ 3287 if ((buffer = sshbuf_new()) == NULL) 3288 return SSH_ERR_ALLOC_FAIL; 3289 3290 /* Put checkbytes for checking passphrase validity. */ 3291 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3292 goto out; 3293 arc4random_buf(cp, 2); 3294 memcpy(cp + 2, cp, 2); 3295 3296 /* 3297 * Store the private key (n and e will not be stored because they 3298 * will be stored in plain text, and storing them also in encrypted 3299 * format would just give known plaintext). 3300 * Note: q and p are stored in reverse order to SSL. 3301 */ 3302 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3303 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3304 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3305 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3306 goto out; 3307 3308 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3309 explicit_bzero(buf, 8); 3310 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3311 goto out; 3312 3313 /* This buffer will be used to contain the data in the file. */ 3314 if ((encrypted = sshbuf_new()) == NULL) { 3315 r = SSH_ERR_ALLOC_FAIL; 3316 goto out; 3317 } 3318 3319 /* First store keyfile id string. */ 3320 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3321 sizeof(LEGACY_BEGIN))) != 0) 3322 goto out; 3323 3324 /* Store cipher type and "reserved" field. */ 3325 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3326 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3327 goto out; 3328 3329 /* Store public key. This will be in plain text. */ 3330 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3331 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || 3332 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || 3333 (r = sshbuf_put_cstring(encrypted, comment) != 0)) 3334 goto out; 3335 3336 /* Allocate space for the private part of the key in the buffer. */ 3337 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3338 goto out; 3339 3340 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3341 CIPHER_ENCRYPT)) != 0) 3342 goto out; 3343 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3344 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3345 goto out; 3346 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3347 goto out; 3348 3349 r = sshbuf_putb(blob, encrypted); 3350 3351 out: 3352 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3353 explicit_bzero(buf, sizeof(buf)); 3354 if (buffer != NULL) 3355 sshbuf_free(buffer); 3356 if (encrypted != NULL) 3357 sshbuf_free(encrypted); 3358 3359 return r; 3360 } 3361 #endif /* WITH_SSH1 */ 3362 3363 #ifdef WITH_OPENSSL 3364 /* convert SSH v2 key in OpenSSL PEM format */ 3365 static int 3366 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3367 const char *_passphrase, const char *comment) 3368 { 3369 int success, r; 3370 int blen, len = strlen(_passphrase); 3371 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3372 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3373 const u_char *bptr; 3374 BIO *bio = NULL; 3375 3376 if (len > 0 && len <= 4) 3377 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3378 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3379 return SSH_ERR_ALLOC_FAIL; 3380 3381 switch (key->type) { 3382 case KEY_DSA: 3383 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3384 cipher, passphrase, len, NULL, NULL); 3385 break; 3386 case KEY_ECDSA: 3387 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3388 cipher, passphrase, len, NULL, NULL); 3389 break; 3390 case KEY_RSA: 3391 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3392 cipher, passphrase, len, NULL, NULL); 3393 break; 3394 default: 3395 success = 0; 3396 break; 3397 } 3398 if (success == 0) { 3399 r = SSH_ERR_LIBCRYPTO_ERROR; 3400 goto out; 3401 } 3402 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3403 r = SSH_ERR_INTERNAL_ERROR; 3404 goto out; 3405 } 3406 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3407 goto out; 3408 r = 0; 3409 out: 3410 BIO_free(bio); 3411 return r; 3412 } 3413 #endif /* WITH_OPENSSL */ 3414 3415 /* Serialise "key" to buffer "blob" */ 3416 int 3417 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3418 const char *passphrase, const char *comment, 3419 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3420 { 3421 switch (key->type) { 3422 #ifdef WITH_OPENSSL 3423 case KEY_RSA1: 3424 return sshkey_private_rsa1_to_blob(key, blob, 3425 passphrase, comment); 3426 case KEY_DSA: 3427 case KEY_ECDSA: 3428 case KEY_RSA: 3429 if (force_new_format) { 3430 return sshkey_private_to_blob2(key, blob, passphrase, 3431 comment, new_format_cipher, new_format_rounds); 3432 } 3433 return sshkey_private_pem_to_blob(key, blob, 3434 passphrase, comment); 3435 #endif /* WITH_OPENSSL */ 3436 case KEY_ED25519: 3437 return sshkey_private_to_blob2(key, blob, passphrase, 3438 comment, new_format_cipher, new_format_rounds); 3439 default: 3440 return SSH_ERR_KEY_TYPE_UNKNOWN; 3441 } 3442 } 3443 3444 #ifdef WITH_SSH1 3445 /* 3446 * Parse the public, unencrypted portion of a RSA1 key. 3447 */ 3448 int 3449 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3450 struct sshkey **keyp, char **commentp) 3451 { 3452 int r; 3453 struct sshkey *pub = NULL; 3454 struct sshbuf *copy = NULL; 3455 3456 if (keyp != NULL) 3457 *keyp = NULL; 3458 if (commentp != NULL) 3459 *commentp = NULL; 3460 3461 /* Check that it is at least big enough to contain the ID string. */ 3462 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3463 return SSH_ERR_INVALID_FORMAT; 3464 3465 /* 3466 * Make sure it begins with the id string. Consume the id string 3467 * from the buffer. 3468 */ 3469 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3470 return SSH_ERR_INVALID_FORMAT; 3471 /* Make a working copy of the keyblob and skip past the magic */ 3472 if ((copy = sshbuf_fromb(blob)) == NULL) 3473 return SSH_ERR_ALLOC_FAIL; 3474 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3475 goto out; 3476 3477 /* Skip cipher type, reserved data and key bits. */ 3478 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3479 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3480 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3481 goto out; 3482 3483 /* Read the public key from the buffer. */ 3484 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3485 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3486 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3487 goto out; 3488 3489 /* Finally, the comment */ 3490 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3491 goto out; 3492 3493 /* The encrypted private part is not parsed by this function. */ 3494 3495 r = 0; 3496 if (keyp != NULL) 3497 *keyp = pub; 3498 else 3499 sshkey_free(pub); 3500 pub = NULL; 3501 3502 out: 3503 if (copy != NULL) 3504 sshbuf_free(copy); 3505 if (pub != NULL) 3506 sshkey_free(pub); 3507 return r; 3508 } 3509 3510 static int 3511 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3512 struct sshkey **keyp, char **commentp) 3513 { 3514 int r; 3515 u_int16_t check1, check2; 3516 u_int8_t cipher_type; 3517 struct sshbuf *decrypted = NULL, *copy = NULL; 3518 u_char *cp; 3519 char *comment = NULL; 3520 struct sshcipher_ctx ciphercontext; 3521 const struct sshcipher *cipher; 3522 struct sshkey *prv = NULL; 3523 3524 *keyp = NULL; 3525 if (commentp != NULL) 3526 *commentp = NULL; 3527 3528 /* Check that it is at least big enough to contain the ID string. */ 3529 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3530 return SSH_ERR_INVALID_FORMAT; 3531 3532 /* 3533 * Make sure it begins with the id string. Consume the id string 3534 * from the buffer. 3535 */ 3536 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3537 return SSH_ERR_INVALID_FORMAT; 3538 3539 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3540 r = SSH_ERR_ALLOC_FAIL; 3541 goto out; 3542 } 3543 if ((copy = sshbuf_fromb(blob)) == NULL || 3544 (decrypted = sshbuf_new()) == NULL) { 3545 r = SSH_ERR_ALLOC_FAIL; 3546 goto out; 3547 } 3548 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3549 goto out; 3550 3551 /* Read cipher type. */ 3552 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3553 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3554 goto out; 3555 3556 /* Read the public key and comment from the buffer. */ 3557 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3558 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3559 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3560 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3561 goto out; 3562 3563 /* Check that it is a supported cipher. */ 3564 cipher = cipher_by_number(cipher_type); 3565 if (cipher == NULL) { 3566 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3567 goto out; 3568 } 3569 /* Initialize space for decrypted data. */ 3570 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3571 goto out; 3572 3573 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3574 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3575 CIPHER_DECRYPT)) != 0) 3576 goto out; 3577 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3578 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { 3579 cipher_cleanup(&ciphercontext); 3580 goto out; 3581 } 3582 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3583 goto out; 3584 3585 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3586 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3587 goto out; 3588 if (check1 != check2) { 3589 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3590 goto out; 3591 } 3592 3593 /* Read the rest of the private key. */ 3594 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3595 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3596 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3597 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3598 goto out; 3599 3600 /* calculate p-1 and q-1 */ 3601 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3602 goto out; 3603 3604 /* enable blinding */ 3605 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3606 r = SSH_ERR_LIBCRYPTO_ERROR; 3607 goto out; 3608 } 3609 r = 0; 3610 *keyp = prv; 3611 prv = NULL; 3612 if (commentp != NULL) { 3613 *commentp = comment; 3614 comment = NULL; 3615 } 3616 out: 3617 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3618 if (comment != NULL) 3619 free(comment); 3620 if (prv != NULL) 3621 sshkey_free(prv); 3622 if (copy != NULL) 3623 sshbuf_free(copy); 3624 if (decrypted != NULL) 3625 sshbuf_free(decrypted); 3626 return r; 3627 } 3628 #endif /* WITH_SSH1 */ 3629 3630 #ifdef WITH_OPENSSL 3631 /* XXX make private once ssh-keysign.c fixed */ 3632 int 3633 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3634 const char *passphrase, struct sshkey **keyp, char **commentp) 3635 { 3636 EVP_PKEY *pk = NULL; 3637 struct sshkey *prv = NULL; 3638 char *name = "<no key>"; 3639 BIO *bio = NULL; 3640 int r; 3641 3642 *keyp = NULL; 3643 if (commentp != NULL) 3644 *commentp = NULL; 3645 3646 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3647 return SSH_ERR_ALLOC_FAIL; 3648 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3649 (int)sshbuf_len(blob)) { 3650 r = SSH_ERR_ALLOC_FAIL; 3651 goto out; 3652 } 3653 3654 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3655 (char *)passphrase)) == NULL) { 3656 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3657 goto out; 3658 } 3659 if (pk->type == EVP_PKEY_RSA && 3660 (type == KEY_UNSPEC || type == KEY_RSA)) { 3661 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3662 r = SSH_ERR_ALLOC_FAIL; 3663 goto out; 3664 } 3665 prv->rsa = EVP_PKEY_get1_RSA(pk); 3666 prv->type = KEY_RSA; 3667 name = "rsa w/o comment"; 3668 #ifdef DEBUG_PK 3669 RSA_print_fp(stderr, prv->rsa, 8); 3670 #endif 3671 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3672 r = SSH_ERR_LIBCRYPTO_ERROR; 3673 goto out; 3674 } 3675 } else if (pk->type == EVP_PKEY_DSA && 3676 (type == KEY_UNSPEC || type == KEY_DSA)) { 3677 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3678 r = SSH_ERR_ALLOC_FAIL; 3679 goto out; 3680 } 3681 prv->dsa = EVP_PKEY_get1_DSA(pk); 3682 prv->type = KEY_DSA; 3683 name = "dsa w/o comment"; 3684 #ifdef DEBUG_PK 3685 DSA_print_fp(stderr, prv->dsa, 8); 3686 #endif 3687 } else if (pk->type == EVP_PKEY_EC && 3688 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3689 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3690 r = SSH_ERR_ALLOC_FAIL; 3691 goto out; 3692 } 3693 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3694 prv->type = KEY_ECDSA; 3695 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3696 if (prv->ecdsa_nid == -1 || 3697 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3698 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3699 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3700 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3701 r = SSH_ERR_INVALID_FORMAT; 3702 goto out; 3703 } 3704 name = "ecdsa w/o comment"; 3705 #ifdef DEBUG_PK 3706 if (prv != NULL && prv->ecdsa != NULL) 3707 sshkey_dump_ec_key(prv->ecdsa); 3708 #endif 3709 } else { 3710 r = SSH_ERR_INVALID_FORMAT; 3711 goto out; 3712 } 3713 if (commentp != NULL && 3714 (*commentp = strdup(name)) == NULL) { 3715 r = SSH_ERR_ALLOC_FAIL; 3716 goto out; 3717 } 3718 r = 0; 3719 *keyp = prv; 3720 prv = NULL; 3721 out: 3722 BIO_free(bio); 3723 if (pk != NULL) 3724 EVP_PKEY_free(pk); 3725 if (prv != NULL) 3726 sshkey_free(prv); 3727 return r; 3728 } 3729 #endif /* WITH_OPENSSL */ 3730 3731 int 3732 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3733 const char *passphrase, struct sshkey **keyp, char **commentp) 3734 { 3735 int r; 3736 3737 *keyp = NULL; 3738 if (commentp != NULL) 3739 *commentp = NULL; 3740 3741 switch (type) { 3742 #ifdef WITH_OPENSSL 3743 case KEY_RSA1: 3744 return sshkey_parse_private_rsa1(blob, passphrase, 3745 keyp, commentp); 3746 case KEY_DSA: 3747 case KEY_ECDSA: 3748 case KEY_RSA: 3749 return sshkey_parse_private_pem_fileblob(blob, type, passphrase, 3750 keyp, commentp); 3751 #endif /* WITH_OPENSSL */ 3752 case KEY_ED25519: 3753 return sshkey_parse_private2(blob, type, passphrase, 3754 keyp, commentp); 3755 case KEY_UNSPEC: 3756 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, 3757 commentp)) == 0) 3758 return 0; 3759 #ifdef WITH_OPENSSL 3760 return sshkey_parse_private_pem_fileblob(blob, type, passphrase, 3761 keyp, commentp); 3762 #else 3763 return SSH_ERR_INVALID_FORMAT; 3764 #endif /* WITH_OPENSSL */ 3765 default: 3766 return SSH_ERR_KEY_TYPE_UNKNOWN; 3767 } 3768 } 3769 3770 int 3771 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3772 const char *filename, struct sshkey **keyp, char **commentp) 3773 { 3774 int r; 3775 3776 if (keyp != NULL) 3777 *keyp = NULL; 3778 if (commentp != NULL) 3779 *commentp = NULL; 3780 3781 #ifdef WITH_SSH1 3782 /* it's a SSH v1 key if the public key part is readable */ 3783 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { 3784 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3785 passphrase, keyp, commentp); 3786 } 3787 #endif /* WITH_SSH1 */ 3788 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3789 passphrase, keyp, commentp)) == 0) 3790 return 0; 3791 return r; 3792 } 3793