1 /* $OpenBSD: sshkey.c,v 1.77 2019/06/23 12:21:46 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <netinet/in.h> 30 31 #ifdef WITH_OPENSSL 32 #include <openssl/evp.h> 33 #include <openssl/err.h> 34 #include <openssl/pem.h> 35 #endif 36 37 #include "crypto_api.h" 38 39 #include <errno.h> 40 #include <stdio.h> 41 #include <string.h> 42 #include <util.h> 43 #include <limits.h> 44 #include <resolv.h> 45 46 #include "ssh2.h" 47 #include "ssherr.h" 48 #include "misc.h" 49 #include "sshbuf.h" 50 #include "cipher.h" 51 #include "digest.h" 52 #define SSHKEY_INTERNAL 53 #include "sshkey.h" 54 #include "match.h" 55 56 #ifdef WITH_XMSS 57 #include "sshkey-xmss.h" 58 #include "xmss_fast.h" 59 #endif 60 61 /* openssh private key file format */ 62 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 63 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 64 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 65 #define MARK_END_LEN (sizeof(MARK_END) - 1) 66 #define KDFNAME "bcrypt" 67 #define AUTH_MAGIC "openssh-key-v1" 68 #define SALT_LEN 16 69 #define DEFAULT_CIPHERNAME "aes256-ctr" 70 #define DEFAULT_ROUNDS 16 71 72 /* Version identification string for SSH v1 identity files. */ 73 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 74 75 /* 76 * Constants relating to "shielding" support; protection of keys expected 77 * to remain in memory for long durations 78 */ 79 #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) 80 #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ 81 #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 82 83 int sshkey_private_serialize_opt(struct sshkey *key, 84 struct sshbuf *buf, enum sshkey_serialize_rep); 85 static int sshkey_from_blob_internal(struct sshbuf *buf, 86 struct sshkey **keyp, int allow_cert); 87 static int get_sigtype(const u_char *sig, size_t siglen, char **sigtypep); 88 89 /* Supported key types */ 90 struct keytype { 91 const char *name; 92 const char *shortname; 93 const char *sigalg; 94 int type; 95 int nid; 96 int cert; 97 int sigonly; 98 }; 99 static const struct keytype keytypes[] = { 100 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 101 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 102 KEY_ED25519_CERT, 0, 1, 0 }, 103 #ifdef WITH_XMSS 104 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 105 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 106 KEY_XMSS_CERT, 0, 1, 0 }, 107 #endif /* WITH_XMSS */ 108 #ifdef WITH_OPENSSL 109 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 110 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 111 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 112 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 113 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 114 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 115 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 116 KEY_ECDSA, NID_secp384r1, 0, 0 }, 117 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 118 KEY_ECDSA, NID_secp521r1, 0, 0 }, 119 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 120 KEY_RSA_CERT, 0, 1, 0 }, 121 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 122 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 123 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 124 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 125 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 126 KEY_DSA_CERT, 0, 1, 0 }, 127 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 128 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 129 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 130 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 131 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 132 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 133 #endif /* WITH_OPENSSL */ 134 { NULL, NULL, NULL, -1, -1, 0, 0 } 135 }; 136 137 const char * 138 sshkey_type(const struct sshkey *k) 139 { 140 const struct keytype *kt; 141 142 for (kt = keytypes; kt->type != -1; kt++) { 143 if (kt->type == k->type) 144 return kt->shortname; 145 } 146 return "unknown"; 147 } 148 149 static const char * 150 sshkey_ssh_name_from_type_nid(int type, int nid) 151 { 152 const struct keytype *kt; 153 154 for (kt = keytypes; kt->type != -1; kt++) { 155 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 156 return kt->name; 157 } 158 return "ssh-unknown"; 159 } 160 161 int 162 sshkey_type_is_cert(int type) 163 { 164 const struct keytype *kt; 165 166 for (kt = keytypes; kt->type != -1; kt++) { 167 if (kt->type == type) 168 return kt->cert; 169 } 170 return 0; 171 } 172 173 const char * 174 sshkey_ssh_name(const struct sshkey *k) 175 { 176 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 177 } 178 179 const char * 180 sshkey_ssh_name_plain(const struct sshkey *k) 181 { 182 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 183 k->ecdsa_nid); 184 } 185 186 int 187 sshkey_type_from_name(const char *name) 188 { 189 const struct keytype *kt; 190 191 for (kt = keytypes; kt->type != -1; kt++) { 192 /* Only allow shortname matches for plain key types */ 193 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 194 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 195 return kt->type; 196 } 197 return KEY_UNSPEC; 198 } 199 200 int 201 sshkey_ecdsa_nid_from_name(const char *name) 202 { 203 const struct keytype *kt; 204 205 for (kt = keytypes; kt->type != -1; kt++) { 206 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 207 continue; 208 if (kt->name != NULL && strcmp(name, kt->name) == 0) 209 return kt->nid; 210 } 211 return -1; 212 } 213 214 char * 215 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 216 { 217 char *tmp, *ret = NULL; 218 size_t nlen, rlen = 0; 219 const struct keytype *kt; 220 221 for (kt = keytypes; kt->type != -1; kt++) { 222 if (kt->name == NULL) 223 continue; 224 if (!include_sigonly && kt->sigonly) 225 continue; 226 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 227 continue; 228 if (ret != NULL) 229 ret[rlen++] = sep; 230 nlen = strlen(kt->name); 231 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 232 free(ret); 233 return NULL; 234 } 235 ret = tmp; 236 memcpy(ret + rlen, kt->name, nlen + 1); 237 rlen += nlen; 238 } 239 return ret; 240 } 241 242 int 243 sshkey_names_valid2(const char *names, int allow_wildcard) 244 { 245 char *s, *cp, *p; 246 const struct keytype *kt; 247 int type; 248 249 if (names == NULL || strcmp(names, "") == 0) 250 return 0; 251 if ((s = cp = strdup(names)) == NULL) 252 return 0; 253 for ((p = strsep(&cp, ",")); p && *p != '\0'; 254 (p = strsep(&cp, ","))) { 255 type = sshkey_type_from_name(p); 256 if (type == KEY_UNSPEC) { 257 if (allow_wildcard) { 258 /* 259 * Try matching key types against the string. 260 * If any has a positive or negative match then 261 * the component is accepted. 262 */ 263 for (kt = keytypes; kt->type != -1; kt++) { 264 if (match_pattern_list(kt->name, 265 p, 0) != 0) 266 break; 267 } 268 if (kt->type != -1) 269 continue; 270 } 271 free(s); 272 return 0; 273 } 274 } 275 free(s); 276 return 1; 277 } 278 279 u_int 280 sshkey_size(const struct sshkey *k) 281 { 282 #ifdef WITH_OPENSSL 283 const BIGNUM *rsa_n, *dsa_p; 284 #endif /* WITH_OPENSSL */ 285 286 switch (k->type) { 287 #ifdef WITH_OPENSSL 288 case KEY_RSA: 289 case KEY_RSA_CERT: 290 if (k->rsa == NULL) 291 return 0; 292 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 293 return BN_num_bits(rsa_n); 294 case KEY_DSA: 295 case KEY_DSA_CERT: 296 if (k->dsa == NULL) 297 return 0; 298 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 299 return BN_num_bits(dsa_p); 300 case KEY_ECDSA: 301 case KEY_ECDSA_CERT: 302 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 303 #endif /* WITH_OPENSSL */ 304 case KEY_ED25519: 305 case KEY_ED25519_CERT: 306 case KEY_XMSS: 307 case KEY_XMSS_CERT: 308 return 256; /* XXX */ 309 } 310 return 0; 311 } 312 313 static int 314 sshkey_type_is_valid_ca(int type) 315 { 316 switch (type) { 317 case KEY_RSA: 318 case KEY_DSA: 319 case KEY_ECDSA: 320 case KEY_ED25519: 321 case KEY_XMSS: 322 return 1; 323 default: 324 return 0; 325 } 326 } 327 328 int 329 sshkey_is_cert(const struct sshkey *k) 330 { 331 if (k == NULL) 332 return 0; 333 return sshkey_type_is_cert(k->type); 334 } 335 336 /* Return the cert-less equivalent to a certified key type */ 337 int 338 sshkey_type_plain(int type) 339 { 340 switch (type) { 341 case KEY_RSA_CERT: 342 return KEY_RSA; 343 case KEY_DSA_CERT: 344 return KEY_DSA; 345 case KEY_ECDSA_CERT: 346 return KEY_ECDSA; 347 case KEY_ED25519_CERT: 348 return KEY_ED25519; 349 case KEY_XMSS_CERT: 350 return KEY_XMSS; 351 default: 352 return type; 353 } 354 } 355 356 #ifdef WITH_OPENSSL 357 /* XXX: these are really begging for a table-driven approach */ 358 int 359 sshkey_curve_name_to_nid(const char *name) 360 { 361 if (strcmp(name, "nistp256") == 0) 362 return NID_X9_62_prime256v1; 363 else if (strcmp(name, "nistp384") == 0) 364 return NID_secp384r1; 365 else if (strcmp(name, "nistp521") == 0) 366 return NID_secp521r1; 367 else 368 return -1; 369 } 370 371 u_int 372 sshkey_curve_nid_to_bits(int nid) 373 { 374 switch (nid) { 375 case NID_X9_62_prime256v1: 376 return 256; 377 case NID_secp384r1: 378 return 384; 379 case NID_secp521r1: 380 return 521; 381 default: 382 return 0; 383 } 384 } 385 386 int 387 sshkey_ecdsa_bits_to_nid(int bits) 388 { 389 switch (bits) { 390 case 256: 391 return NID_X9_62_prime256v1; 392 case 384: 393 return NID_secp384r1; 394 case 521: 395 return NID_secp521r1; 396 default: 397 return -1; 398 } 399 } 400 401 const char * 402 sshkey_curve_nid_to_name(int nid) 403 { 404 switch (nid) { 405 case NID_X9_62_prime256v1: 406 return "nistp256"; 407 case NID_secp384r1: 408 return "nistp384"; 409 case NID_secp521r1: 410 return "nistp521"; 411 default: 412 return NULL; 413 } 414 } 415 416 int 417 sshkey_ec_nid_to_hash_alg(int nid) 418 { 419 int kbits = sshkey_curve_nid_to_bits(nid); 420 421 if (kbits <= 0) 422 return -1; 423 424 /* RFC5656 section 6.2.1 */ 425 if (kbits <= 256) 426 return SSH_DIGEST_SHA256; 427 else if (kbits <= 384) 428 return SSH_DIGEST_SHA384; 429 else 430 return SSH_DIGEST_SHA512; 431 } 432 #endif /* WITH_OPENSSL */ 433 434 static void 435 cert_free(struct sshkey_cert *cert) 436 { 437 u_int i; 438 439 if (cert == NULL) 440 return; 441 sshbuf_free(cert->certblob); 442 sshbuf_free(cert->critical); 443 sshbuf_free(cert->extensions); 444 free(cert->key_id); 445 for (i = 0; i < cert->nprincipals; i++) 446 free(cert->principals[i]); 447 free(cert->principals); 448 sshkey_free(cert->signature_key); 449 free(cert->signature_type); 450 freezero(cert, sizeof(*cert)); 451 } 452 453 static struct sshkey_cert * 454 cert_new(void) 455 { 456 struct sshkey_cert *cert; 457 458 if ((cert = calloc(1, sizeof(*cert))) == NULL) 459 return NULL; 460 if ((cert->certblob = sshbuf_new()) == NULL || 461 (cert->critical = sshbuf_new()) == NULL || 462 (cert->extensions = sshbuf_new()) == NULL) { 463 cert_free(cert); 464 return NULL; 465 } 466 cert->key_id = NULL; 467 cert->principals = NULL; 468 cert->signature_key = NULL; 469 cert->signature_type = NULL; 470 return cert; 471 } 472 473 struct sshkey * 474 sshkey_new(int type) 475 { 476 struct sshkey *k; 477 #ifdef WITH_OPENSSL 478 RSA *rsa; 479 DSA *dsa; 480 #endif /* WITH_OPENSSL */ 481 482 if ((k = calloc(1, sizeof(*k))) == NULL) 483 return NULL; 484 k->type = type; 485 k->ecdsa = NULL; 486 k->ecdsa_nid = -1; 487 k->dsa = NULL; 488 k->rsa = NULL; 489 k->cert = NULL; 490 k->ed25519_sk = NULL; 491 k->ed25519_pk = NULL; 492 k->xmss_sk = NULL; 493 k->xmss_pk = NULL; 494 switch (k->type) { 495 #ifdef WITH_OPENSSL 496 case KEY_RSA: 497 case KEY_RSA_CERT: 498 if ((rsa = RSA_new()) == NULL) { 499 free(k); 500 return NULL; 501 } 502 k->rsa = rsa; 503 break; 504 case KEY_DSA: 505 case KEY_DSA_CERT: 506 if ((dsa = DSA_new()) == NULL) { 507 free(k); 508 return NULL; 509 } 510 k->dsa = dsa; 511 break; 512 case KEY_ECDSA: 513 case KEY_ECDSA_CERT: 514 /* Cannot do anything until we know the group */ 515 break; 516 #endif /* WITH_OPENSSL */ 517 case KEY_ED25519: 518 case KEY_ED25519_CERT: 519 case KEY_XMSS: 520 case KEY_XMSS_CERT: 521 /* no need to prealloc */ 522 break; 523 case KEY_UNSPEC: 524 break; 525 default: 526 free(k); 527 return NULL; 528 } 529 530 if (sshkey_is_cert(k)) { 531 if ((k->cert = cert_new()) == NULL) { 532 sshkey_free(k); 533 return NULL; 534 } 535 } 536 537 return k; 538 } 539 540 void 541 sshkey_free(struct sshkey *k) 542 { 543 if (k == NULL) 544 return; 545 switch (k->type) { 546 #ifdef WITH_OPENSSL 547 case KEY_RSA: 548 case KEY_RSA_CERT: 549 RSA_free(k->rsa); 550 k->rsa = NULL; 551 break; 552 case KEY_DSA: 553 case KEY_DSA_CERT: 554 DSA_free(k->dsa); 555 k->dsa = NULL; 556 break; 557 case KEY_ECDSA: 558 case KEY_ECDSA_CERT: 559 EC_KEY_free(k->ecdsa); 560 k->ecdsa = NULL; 561 break; 562 #endif /* WITH_OPENSSL */ 563 case KEY_ED25519: 564 case KEY_ED25519_CERT: 565 freezero(k->ed25519_pk, ED25519_PK_SZ); 566 k->ed25519_pk = NULL; 567 freezero(k->ed25519_sk, ED25519_SK_SZ); 568 k->ed25519_sk = NULL; 569 break; 570 #ifdef WITH_XMSS 571 case KEY_XMSS: 572 case KEY_XMSS_CERT: 573 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 574 k->xmss_pk = NULL; 575 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 576 k->xmss_sk = NULL; 577 sshkey_xmss_free_state(k); 578 free(k->xmss_name); 579 k->xmss_name = NULL; 580 free(k->xmss_filename); 581 k->xmss_filename = NULL; 582 break; 583 #endif /* WITH_XMSS */ 584 case KEY_UNSPEC: 585 break; 586 default: 587 break; 588 } 589 if (sshkey_is_cert(k)) 590 cert_free(k->cert); 591 freezero(k->shielded_private, k->shielded_len); 592 freezero(k->shield_prekey, k->shield_prekey_len); 593 freezero(k, sizeof(*k)); 594 } 595 596 static int 597 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 598 { 599 if (a == NULL && b == NULL) 600 return 1; 601 if (a == NULL || b == NULL) 602 return 0; 603 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 604 return 0; 605 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 606 sshbuf_len(a->certblob)) != 0) 607 return 0; 608 return 1; 609 } 610 611 /* 612 * Compare public portions of key only, allowing comparisons between 613 * certificates and plain keys too. 614 */ 615 int 616 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 617 { 618 #ifdef WITH_OPENSSL 619 BN_CTX *bnctx; 620 const BIGNUM *rsa_e_a, *rsa_n_a; 621 const BIGNUM *rsa_e_b, *rsa_n_b; 622 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 623 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 624 #endif /* WITH_OPENSSL */ 625 626 if (a == NULL || b == NULL || 627 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 628 return 0; 629 630 switch (a->type) { 631 #ifdef WITH_OPENSSL 632 case KEY_RSA_CERT: 633 case KEY_RSA: 634 if (a->rsa == NULL || b->rsa == NULL) 635 return 0; 636 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 637 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 638 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 639 BN_cmp(rsa_n_a, rsa_n_b) == 0; 640 case KEY_DSA_CERT: 641 case KEY_DSA: 642 if (a->dsa == NULL || b->dsa == NULL) 643 return 0; 644 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 645 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 646 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 647 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 648 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 649 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 650 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 651 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 652 case KEY_ECDSA_CERT: 653 case KEY_ECDSA: 654 if (a->ecdsa == NULL || b->ecdsa == NULL || 655 EC_KEY_get0_public_key(a->ecdsa) == NULL || 656 EC_KEY_get0_public_key(b->ecdsa) == NULL) 657 return 0; 658 if ((bnctx = BN_CTX_new()) == NULL) 659 return 0; 660 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 661 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 662 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 663 EC_KEY_get0_public_key(a->ecdsa), 664 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 665 BN_CTX_free(bnctx); 666 return 0; 667 } 668 BN_CTX_free(bnctx); 669 return 1; 670 #endif /* WITH_OPENSSL */ 671 case KEY_ED25519: 672 case KEY_ED25519_CERT: 673 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 674 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 675 #ifdef WITH_XMSS 676 case KEY_XMSS: 677 case KEY_XMSS_CERT: 678 return a->xmss_pk != NULL && b->xmss_pk != NULL && 679 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 680 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 681 #endif /* WITH_XMSS */ 682 default: 683 return 0; 684 } 685 /* NOTREACHED */ 686 } 687 688 int 689 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 690 { 691 if (a == NULL || b == NULL || a->type != b->type) 692 return 0; 693 if (sshkey_is_cert(a)) { 694 if (!cert_compare(a->cert, b->cert)) 695 return 0; 696 } 697 return sshkey_equal_public(a, b); 698 } 699 700 static int 701 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 702 enum sshkey_serialize_rep opts) 703 { 704 int type, ret = SSH_ERR_INTERNAL_ERROR; 705 const char *typename; 706 #ifdef WITH_OPENSSL 707 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 708 #endif /* WITH_OPENSSL */ 709 710 if (key == NULL) 711 return SSH_ERR_INVALID_ARGUMENT; 712 713 if (sshkey_is_cert(key)) { 714 if (key->cert == NULL) 715 return SSH_ERR_EXPECTED_CERT; 716 if (sshbuf_len(key->cert->certblob) == 0) 717 return SSH_ERR_KEY_LACKS_CERTBLOB; 718 } 719 type = force_plain ? sshkey_type_plain(key->type) : key->type; 720 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 721 722 switch (type) { 723 #ifdef WITH_OPENSSL 724 case KEY_DSA_CERT: 725 case KEY_ECDSA_CERT: 726 case KEY_RSA_CERT: 727 #endif /* WITH_OPENSSL */ 728 case KEY_ED25519_CERT: 729 #ifdef WITH_XMSS 730 case KEY_XMSS_CERT: 731 #endif /* WITH_XMSS */ 732 /* Use the existing blob */ 733 /* XXX modified flag? */ 734 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 735 return ret; 736 break; 737 #ifdef WITH_OPENSSL 738 case KEY_DSA: 739 if (key->dsa == NULL) 740 return SSH_ERR_INVALID_ARGUMENT; 741 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 742 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 743 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 744 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 745 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 746 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 747 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 748 return ret; 749 break; 750 case KEY_ECDSA: 751 if (key->ecdsa == NULL) 752 return SSH_ERR_INVALID_ARGUMENT; 753 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 754 (ret = sshbuf_put_cstring(b, 755 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 756 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 757 return ret; 758 break; 759 case KEY_RSA: 760 if (key->rsa == NULL) 761 return SSH_ERR_INVALID_ARGUMENT; 762 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 763 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 764 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 765 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 766 return ret; 767 break; 768 #endif /* WITH_OPENSSL */ 769 case KEY_ED25519: 770 if (key->ed25519_pk == NULL) 771 return SSH_ERR_INVALID_ARGUMENT; 772 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 773 (ret = sshbuf_put_string(b, 774 key->ed25519_pk, ED25519_PK_SZ)) != 0) 775 return ret; 776 break; 777 #ifdef WITH_XMSS 778 case KEY_XMSS: 779 if (key->xmss_name == NULL || key->xmss_pk == NULL || 780 sshkey_xmss_pklen(key) == 0) 781 return SSH_ERR_INVALID_ARGUMENT; 782 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 783 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 784 (ret = sshbuf_put_string(b, 785 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 786 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 787 return ret; 788 break; 789 #endif /* WITH_XMSS */ 790 default: 791 return SSH_ERR_KEY_TYPE_UNKNOWN; 792 } 793 return 0; 794 } 795 796 int 797 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 798 { 799 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 800 } 801 802 int 803 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 804 enum sshkey_serialize_rep opts) 805 { 806 struct sshbuf *tmp; 807 int r; 808 809 if ((tmp = sshbuf_new()) == NULL) 810 return SSH_ERR_ALLOC_FAIL; 811 r = to_blob_buf(key, tmp, 0, opts); 812 if (r == 0) 813 r = sshbuf_put_stringb(b, tmp); 814 sshbuf_free(tmp); 815 return r; 816 } 817 818 int 819 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 820 { 821 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 822 } 823 824 int 825 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 826 { 827 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 828 } 829 830 static int 831 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 832 enum sshkey_serialize_rep opts) 833 { 834 int ret = SSH_ERR_INTERNAL_ERROR; 835 size_t len; 836 struct sshbuf *b = NULL; 837 838 if (lenp != NULL) 839 *lenp = 0; 840 if (blobp != NULL) 841 *blobp = NULL; 842 if ((b = sshbuf_new()) == NULL) 843 return SSH_ERR_ALLOC_FAIL; 844 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 845 goto out; 846 len = sshbuf_len(b); 847 if (lenp != NULL) 848 *lenp = len; 849 if (blobp != NULL) { 850 if ((*blobp = malloc(len)) == NULL) { 851 ret = SSH_ERR_ALLOC_FAIL; 852 goto out; 853 } 854 memcpy(*blobp, sshbuf_ptr(b), len); 855 } 856 ret = 0; 857 out: 858 sshbuf_free(b); 859 return ret; 860 } 861 862 int 863 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 864 { 865 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 866 } 867 868 int 869 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 870 { 871 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 872 } 873 874 int 875 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 876 u_char **retp, size_t *lenp) 877 { 878 u_char *blob = NULL, *ret = NULL; 879 size_t blob_len = 0; 880 int r = SSH_ERR_INTERNAL_ERROR; 881 882 if (retp != NULL) 883 *retp = NULL; 884 if (lenp != NULL) 885 *lenp = 0; 886 if (ssh_digest_bytes(dgst_alg) == 0) { 887 r = SSH_ERR_INVALID_ARGUMENT; 888 goto out; 889 } 890 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 891 != 0) 892 goto out; 893 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 894 r = SSH_ERR_ALLOC_FAIL; 895 goto out; 896 } 897 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 898 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 899 goto out; 900 /* success */ 901 if (retp != NULL) { 902 *retp = ret; 903 ret = NULL; 904 } 905 if (lenp != NULL) 906 *lenp = ssh_digest_bytes(dgst_alg); 907 r = 0; 908 out: 909 free(ret); 910 if (blob != NULL) { 911 explicit_bzero(blob, blob_len); 912 free(blob); 913 } 914 return r; 915 } 916 917 static char * 918 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 919 { 920 char *ret; 921 size_t plen = strlen(alg) + 1; 922 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 923 int r; 924 925 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 926 return NULL; 927 strlcpy(ret, alg, rlen); 928 strlcat(ret, ":", rlen); 929 if (dgst_raw_len == 0) 930 return ret; 931 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 932 ret + plen, rlen - plen)) == -1) { 933 freezero(ret, rlen); 934 return NULL; 935 } 936 /* Trim padding characters from end */ 937 ret[strcspn(ret, "=")] = '\0'; 938 return ret; 939 } 940 941 static char * 942 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 943 { 944 char *retval, hex[5]; 945 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 946 947 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 948 return NULL; 949 strlcpy(retval, alg, rlen); 950 strlcat(retval, ":", rlen); 951 for (i = 0; i < dgst_raw_len; i++) { 952 snprintf(hex, sizeof(hex), "%s%02x", 953 i > 0 ? ":" : "", dgst_raw[i]); 954 strlcat(retval, hex, rlen); 955 } 956 return retval; 957 } 958 959 static char * 960 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 961 { 962 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 963 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 964 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 965 u_int i, j = 0, rounds, seed = 1; 966 char *retval; 967 968 rounds = (dgst_raw_len / 2) + 1; 969 if ((retval = calloc(rounds, 6)) == NULL) 970 return NULL; 971 retval[j++] = 'x'; 972 for (i = 0; i < rounds; i++) { 973 u_int idx0, idx1, idx2, idx3, idx4; 974 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 975 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 976 seed) % 6; 977 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 978 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 979 (seed / 6)) % 6; 980 retval[j++] = vowels[idx0]; 981 retval[j++] = consonants[idx1]; 982 retval[j++] = vowels[idx2]; 983 if ((i + 1) < rounds) { 984 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 985 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 986 retval[j++] = consonants[idx3]; 987 retval[j++] = '-'; 988 retval[j++] = consonants[idx4]; 989 seed = ((seed * 5) + 990 ((((u_int)(dgst_raw[2 * i])) * 7) + 991 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 992 } 993 } else { 994 idx0 = seed % 6; 995 idx1 = 16; 996 idx2 = seed / 6; 997 retval[j++] = vowels[idx0]; 998 retval[j++] = consonants[idx1]; 999 retval[j++] = vowels[idx2]; 1000 } 1001 } 1002 retval[j++] = 'x'; 1003 retval[j++] = '\0'; 1004 return retval; 1005 } 1006 1007 /* 1008 * Draw an ASCII-Art representing the fingerprint so human brain can 1009 * profit from its built-in pattern recognition ability. 1010 * This technique is called "random art" and can be found in some 1011 * scientific publications like this original paper: 1012 * 1013 * "Hash Visualization: a New Technique to improve Real-World Security", 1014 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1015 * Techniques and E-Commerce (CrypTEC '99) 1016 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1017 * 1018 * The subject came up in a talk by Dan Kaminsky, too. 1019 * 1020 * If you see the picture is different, the key is different. 1021 * If the picture looks the same, you still know nothing. 1022 * 1023 * The algorithm used here is a worm crawling over a discrete plane, 1024 * leaving a trace (augmenting the field) everywhere it goes. 1025 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1026 * makes the respective movement vector be ignored for this turn. 1027 * Graphs are not unambiguous, because circles in graphs can be 1028 * walked in either direction. 1029 */ 1030 1031 /* 1032 * Field sizes for the random art. Have to be odd, so the starting point 1033 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1034 * Else pictures would be too dense, and drawing the frame would 1035 * fail, too, because the key type would not fit in anymore. 1036 */ 1037 #define FLDBASE 8 1038 #define FLDSIZE_Y (FLDBASE + 1) 1039 #define FLDSIZE_X (FLDBASE * 2 + 1) 1040 static char * 1041 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1042 const struct sshkey *k) 1043 { 1044 /* 1045 * Chars to be used after each other every time the worm 1046 * intersects with itself. Matter of taste. 1047 */ 1048 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1049 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1050 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1051 size_t i, tlen, hlen; 1052 u_int b; 1053 int x, y, r; 1054 size_t len = strlen(augmentation_string) - 1; 1055 1056 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1057 return NULL; 1058 1059 /* initialize field */ 1060 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1061 x = FLDSIZE_X / 2; 1062 y = FLDSIZE_Y / 2; 1063 1064 /* process raw key */ 1065 for (i = 0; i < dgst_raw_len; i++) { 1066 int input; 1067 /* each byte conveys four 2-bit move commands */ 1068 input = dgst_raw[i]; 1069 for (b = 0; b < 4; b++) { 1070 /* evaluate 2 bit, rest is shifted later */ 1071 x += (input & 0x1) ? 1 : -1; 1072 y += (input & 0x2) ? 1 : -1; 1073 1074 /* assure we are still in bounds */ 1075 x = MAXIMUM(x, 0); 1076 y = MAXIMUM(y, 0); 1077 x = MINIMUM(x, FLDSIZE_X - 1); 1078 y = MINIMUM(y, FLDSIZE_Y - 1); 1079 1080 /* augment the field */ 1081 if (field[x][y] < len - 2) 1082 field[x][y]++; 1083 input = input >> 2; 1084 } 1085 } 1086 1087 /* mark starting point and end point*/ 1088 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1089 field[x][y] = len; 1090 1091 /* assemble title */ 1092 r = snprintf(title, sizeof(title), "[%s %u]", 1093 sshkey_type(k), sshkey_size(k)); 1094 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1095 if (r < 0 || r > (int)sizeof(title)) 1096 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1097 tlen = (r <= 0) ? 0 : strlen(title); 1098 1099 /* assemble hash ID. */ 1100 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1101 hlen = (r <= 0) ? 0 : strlen(hash); 1102 1103 /* output upper border */ 1104 p = retval; 1105 *p++ = '+'; 1106 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1107 *p++ = '-'; 1108 memcpy(p, title, tlen); 1109 p += tlen; 1110 for (i += tlen; i < FLDSIZE_X; i++) 1111 *p++ = '-'; 1112 *p++ = '+'; 1113 *p++ = '\n'; 1114 1115 /* output content */ 1116 for (y = 0; y < FLDSIZE_Y; y++) { 1117 *p++ = '|'; 1118 for (x = 0; x < FLDSIZE_X; x++) 1119 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1120 *p++ = '|'; 1121 *p++ = '\n'; 1122 } 1123 1124 /* output lower border */ 1125 *p++ = '+'; 1126 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1127 *p++ = '-'; 1128 memcpy(p, hash, hlen); 1129 p += hlen; 1130 for (i += hlen; i < FLDSIZE_X; i++) 1131 *p++ = '-'; 1132 *p++ = '+'; 1133 1134 return retval; 1135 } 1136 1137 char * 1138 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1139 enum sshkey_fp_rep dgst_rep) 1140 { 1141 char *retval = NULL; 1142 u_char *dgst_raw; 1143 size_t dgst_raw_len; 1144 1145 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1146 return NULL; 1147 switch (dgst_rep) { 1148 case SSH_FP_DEFAULT: 1149 if (dgst_alg == SSH_DIGEST_MD5) { 1150 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1151 dgst_raw, dgst_raw_len); 1152 } else { 1153 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1154 dgst_raw, dgst_raw_len); 1155 } 1156 break; 1157 case SSH_FP_HEX: 1158 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1159 dgst_raw, dgst_raw_len); 1160 break; 1161 case SSH_FP_BASE64: 1162 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1163 dgst_raw, dgst_raw_len); 1164 break; 1165 case SSH_FP_BUBBLEBABBLE: 1166 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1167 break; 1168 case SSH_FP_RANDOMART: 1169 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1170 dgst_raw, dgst_raw_len, k); 1171 break; 1172 default: 1173 explicit_bzero(dgst_raw, dgst_raw_len); 1174 free(dgst_raw); 1175 return NULL; 1176 } 1177 explicit_bzero(dgst_raw, dgst_raw_len); 1178 free(dgst_raw); 1179 return retval; 1180 } 1181 1182 static int 1183 peek_type_nid(const char *s, size_t l, int *nid) 1184 { 1185 const struct keytype *kt; 1186 1187 for (kt = keytypes; kt->type != -1; kt++) { 1188 if (kt->name == NULL || strlen(kt->name) != l) 1189 continue; 1190 if (memcmp(s, kt->name, l) == 0) { 1191 *nid = -1; 1192 if (kt->type == KEY_ECDSA || kt->type == KEY_ECDSA_CERT) 1193 *nid = kt->nid; 1194 return kt->type; 1195 } 1196 } 1197 return KEY_UNSPEC; 1198 } 1199 1200 1201 /* XXX this can now be made const char * */ 1202 int 1203 sshkey_read(struct sshkey *ret, char **cpp) 1204 { 1205 struct sshkey *k; 1206 char *cp, *blobcopy; 1207 size_t space; 1208 int r, type, curve_nid = -1; 1209 struct sshbuf *blob; 1210 1211 if (ret == NULL) 1212 return SSH_ERR_INVALID_ARGUMENT; 1213 1214 switch (ret->type) { 1215 case KEY_UNSPEC: 1216 case KEY_RSA: 1217 case KEY_DSA: 1218 case KEY_ECDSA: 1219 case KEY_ED25519: 1220 case KEY_DSA_CERT: 1221 case KEY_ECDSA_CERT: 1222 case KEY_RSA_CERT: 1223 case KEY_ED25519_CERT: 1224 #ifdef WITH_XMSS 1225 case KEY_XMSS: 1226 case KEY_XMSS_CERT: 1227 #endif /* WITH_XMSS */ 1228 break; /* ok */ 1229 default: 1230 return SSH_ERR_INVALID_ARGUMENT; 1231 } 1232 1233 /* Decode type */ 1234 cp = *cpp; 1235 space = strcspn(cp, " \t"); 1236 if (space == strlen(cp)) 1237 return SSH_ERR_INVALID_FORMAT; 1238 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1239 return SSH_ERR_INVALID_FORMAT; 1240 1241 /* skip whitespace */ 1242 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1243 ; 1244 if (*cp == '\0') 1245 return SSH_ERR_INVALID_FORMAT; 1246 if (ret->type != KEY_UNSPEC && ret->type != type) 1247 return SSH_ERR_KEY_TYPE_MISMATCH; 1248 if ((blob = sshbuf_new()) == NULL) 1249 return SSH_ERR_ALLOC_FAIL; 1250 1251 /* find end of keyblob and decode */ 1252 space = strcspn(cp, " \t"); 1253 if ((blobcopy = strndup(cp, space)) == NULL) { 1254 sshbuf_free(blob); 1255 return SSH_ERR_ALLOC_FAIL; 1256 } 1257 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1258 free(blobcopy); 1259 sshbuf_free(blob); 1260 return r; 1261 } 1262 free(blobcopy); 1263 if ((r = sshkey_fromb(blob, &k)) != 0) { 1264 sshbuf_free(blob); 1265 return r; 1266 } 1267 sshbuf_free(blob); 1268 1269 /* skip whitespace and leave cp at start of comment */ 1270 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1271 ; 1272 1273 /* ensure type of blob matches type at start of line */ 1274 if (k->type != type) { 1275 sshkey_free(k); 1276 return SSH_ERR_KEY_TYPE_MISMATCH; 1277 } 1278 if (sshkey_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) { 1279 sshkey_free(k); 1280 return SSH_ERR_EC_CURVE_MISMATCH; 1281 } 1282 1283 /* Fill in ret from parsed key */ 1284 ret->type = type; 1285 if (sshkey_is_cert(ret)) { 1286 if (!sshkey_is_cert(k)) { 1287 sshkey_free(k); 1288 return SSH_ERR_EXPECTED_CERT; 1289 } 1290 if (ret->cert != NULL) 1291 cert_free(ret->cert); 1292 ret->cert = k->cert; 1293 k->cert = NULL; 1294 } 1295 switch (sshkey_type_plain(ret->type)) { 1296 #ifdef WITH_OPENSSL 1297 case KEY_RSA: 1298 RSA_free(ret->rsa); 1299 ret->rsa = k->rsa; 1300 k->rsa = NULL; 1301 #ifdef DEBUG_PK 1302 RSA_print_fp(stderr, ret->rsa, 8); 1303 #endif 1304 break; 1305 case KEY_DSA: 1306 DSA_free(ret->dsa); 1307 ret->dsa = k->dsa; 1308 k->dsa = NULL; 1309 #ifdef DEBUG_PK 1310 DSA_print_fp(stderr, ret->dsa, 8); 1311 #endif 1312 break; 1313 case KEY_ECDSA: 1314 EC_KEY_free(ret->ecdsa); 1315 ret->ecdsa = k->ecdsa; 1316 ret->ecdsa_nid = k->ecdsa_nid; 1317 k->ecdsa = NULL; 1318 k->ecdsa_nid = -1; 1319 #ifdef DEBUG_PK 1320 sshkey_dump_ec_key(ret->ecdsa); 1321 #endif 1322 break; 1323 #endif /* WITH_OPENSSL */ 1324 case KEY_ED25519: 1325 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1326 ret->ed25519_pk = k->ed25519_pk; 1327 k->ed25519_pk = NULL; 1328 #ifdef DEBUG_PK 1329 /* XXX */ 1330 #endif 1331 break; 1332 #ifdef WITH_XMSS 1333 case KEY_XMSS: 1334 free(ret->xmss_pk); 1335 ret->xmss_pk = k->xmss_pk; 1336 k->xmss_pk = NULL; 1337 free(ret->xmss_state); 1338 ret->xmss_state = k->xmss_state; 1339 k->xmss_state = NULL; 1340 free(ret->xmss_name); 1341 ret->xmss_name = k->xmss_name; 1342 k->xmss_name = NULL; 1343 free(ret->xmss_filename); 1344 ret->xmss_filename = k->xmss_filename; 1345 k->xmss_filename = NULL; 1346 #ifdef DEBUG_PK 1347 /* XXX */ 1348 #endif 1349 break; 1350 #endif /* WITH_XMSS */ 1351 default: 1352 sshkey_free(k); 1353 return SSH_ERR_INTERNAL_ERROR; 1354 } 1355 sshkey_free(k); 1356 1357 /* success */ 1358 *cpp = cp; 1359 return 0; 1360 } 1361 1362 int 1363 sshkey_to_base64(const struct sshkey *key, char **b64p) 1364 { 1365 int r = SSH_ERR_INTERNAL_ERROR; 1366 struct sshbuf *b = NULL; 1367 char *uu = NULL; 1368 1369 if (b64p != NULL) 1370 *b64p = NULL; 1371 if ((b = sshbuf_new()) == NULL) 1372 return SSH_ERR_ALLOC_FAIL; 1373 if ((r = sshkey_putb(key, b)) != 0) 1374 goto out; 1375 if ((uu = sshbuf_dtob64(b)) == NULL) { 1376 r = SSH_ERR_ALLOC_FAIL; 1377 goto out; 1378 } 1379 /* Success */ 1380 if (b64p != NULL) { 1381 *b64p = uu; 1382 uu = NULL; 1383 } 1384 r = 0; 1385 out: 1386 sshbuf_free(b); 1387 free(uu); 1388 return r; 1389 } 1390 1391 int 1392 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1393 { 1394 int r = SSH_ERR_INTERNAL_ERROR; 1395 char *uu = NULL; 1396 1397 if ((r = sshkey_to_base64(key, &uu)) != 0) 1398 goto out; 1399 if ((r = sshbuf_putf(b, "%s %s", 1400 sshkey_ssh_name(key), uu)) != 0) 1401 goto out; 1402 r = 0; 1403 out: 1404 free(uu); 1405 return r; 1406 } 1407 1408 int 1409 sshkey_write(const struct sshkey *key, FILE *f) 1410 { 1411 struct sshbuf *b = NULL; 1412 int r = SSH_ERR_INTERNAL_ERROR; 1413 1414 if ((b = sshbuf_new()) == NULL) 1415 return SSH_ERR_ALLOC_FAIL; 1416 if ((r = sshkey_format_text(key, b)) != 0) 1417 goto out; 1418 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1419 if (feof(f)) 1420 errno = EPIPE; 1421 r = SSH_ERR_SYSTEM_ERROR; 1422 goto out; 1423 } 1424 /* Success */ 1425 r = 0; 1426 out: 1427 sshbuf_free(b); 1428 return r; 1429 } 1430 1431 const char * 1432 sshkey_cert_type(const struct sshkey *k) 1433 { 1434 switch (k->cert->type) { 1435 case SSH2_CERT_TYPE_USER: 1436 return "user"; 1437 case SSH2_CERT_TYPE_HOST: 1438 return "host"; 1439 default: 1440 return "unknown"; 1441 } 1442 } 1443 1444 #ifdef WITH_OPENSSL 1445 static int 1446 rsa_generate_private_key(u_int bits, RSA **rsap) 1447 { 1448 RSA *private = NULL; 1449 BIGNUM *f4 = NULL; 1450 int ret = SSH_ERR_INTERNAL_ERROR; 1451 1452 if (rsap == NULL) 1453 return SSH_ERR_INVALID_ARGUMENT; 1454 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1455 bits > SSHBUF_MAX_BIGNUM * 8) 1456 return SSH_ERR_KEY_LENGTH; 1457 *rsap = NULL; 1458 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1459 ret = SSH_ERR_ALLOC_FAIL; 1460 goto out; 1461 } 1462 if (!BN_set_word(f4, RSA_F4) || 1463 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1464 ret = SSH_ERR_LIBCRYPTO_ERROR; 1465 goto out; 1466 } 1467 *rsap = private; 1468 private = NULL; 1469 ret = 0; 1470 out: 1471 RSA_free(private); 1472 BN_free(f4); 1473 return ret; 1474 } 1475 1476 static int 1477 dsa_generate_private_key(u_int bits, DSA **dsap) 1478 { 1479 DSA *private; 1480 int ret = SSH_ERR_INTERNAL_ERROR; 1481 1482 if (dsap == NULL) 1483 return SSH_ERR_INVALID_ARGUMENT; 1484 if (bits != 1024) 1485 return SSH_ERR_KEY_LENGTH; 1486 if ((private = DSA_new()) == NULL) { 1487 ret = SSH_ERR_ALLOC_FAIL; 1488 goto out; 1489 } 1490 *dsap = NULL; 1491 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1492 NULL, NULL) || !DSA_generate_key(private)) { 1493 ret = SSH_ERR_LIBCRYPTO_ERROR; 1494 goto out; 1495 } 1496 *dsap = private; 1497 private = NULL; 1498 ret = 0; 1499 out: 1500 DSA_free(private); 1501 return ret; 1502 } 1503 1504 int 1505 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1506 { 1507 EC_GROUP *eg; 1508 int nids[] = { 1509 NID_X9_62_prime256v1, 1510 NID_secp384r1, 1511 NID_secp521r1, 1512 -1 1513 }; 1514 int nid; 1515 u_int i; 1516 BN_CTX *bnctx; 1517 const EC_GROUP *g = EC_KEY_get0_group(k); 1518 1519 /* 1520 * The group may be stored in a ASN.1 encoded private key in one of two 1521 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1522 * or explicit group parameters encoded into the key blob. Only the 1523 * "named group" case sets the group NID for us, but we can figure 1524 * it out for the other case by comparing against all the groups that 1525 * are supported. 1526 */ 1527 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1528 return nid; 1529 if ((bnctx = BN_CTX_new()) == NULL) 1530 return -1; 1531 for (i = 0; nids[i] != -1; i++) { 1532 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1533 BN_CTX_free(bnctx); 1534 return -1; 1535 } 1536 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1537 break; 1538 EC_GROUP_free(eg); 1539 } 1540 BN_CTX_free(bnctx); 1541 if (nids[i] != -1) { 1542 /* Use the group with the NID attached */ 1543 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1544 if (EC_KEY_set_group(k, eg) != 1) { 1545 EC_GROUP_free(eg); 1546 return -1; 1547 } 1548 } 1549 return nids[i]; 1550 } 1551 1552 static int 1553 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1554 { 1555 EC_KEY *private; 1556 int ret = SSH_ERR_INTERNAL_ERROR; 1557 1558 if (nid == NULL || ecdsap == NULL) 1559 return SSH_ERR_INVALID_ARGUMENT; 1560 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1561 return SSH_ERR_KEY_LENGTH; 1562 *ecdsap = NULL; 1563 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1564 ret = SSH_ERR_ALLOC_FAIL; 1565 goto out; 1566 } 1567 if (EC_KEY_generate_key(private) != 1) { 1568 ret = SSH_ERR_LIBCRYPTO_ERROR; 1569 goto out; 1570 } 1571 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1572 *ecdsap = private; 1573 private = NULL; 1574 ret = 0; 1575 out: 1576 EC_KEY_free(private); 1577 return ret; 1578 } 1579 #endif /* WITH_OPENSSL */ 1580 1581 int 1582 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1583 { 1584 struct sshkey *k; 1585 int ret = SSH_ERR_INTERNAL_ERROR; 1586 1587 if (keyp == NULL) 1588 return SSH_ERR_INVALID_ARGUMENT; 1589 *keyp = NULL; 1590 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1591 return SSH_ERR_ALLOC_FAIL; 1592 switch (type) { 1593 case KEY_ED25519: 1594 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1595 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1596 ret = SSH_ERR_ALLOC_FAIL; 1597 break; 1598 } 1599 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1600 ret = 0; 1601 break; 1602 #ifdef WITH_XMSS 1603 case KEY_XMSS: 1604 ret = sshkey_xmss_generate_private_key(k, bits); 1605 break; 1606 #endif /* WITH_XMSS */ 1607 #ifdef WITH_OPENSSL 1608 case KEY_DSA: 1609 ret = dsa_generate_private_key(bits, &k->dsa); 1610 break; 1611 case KEY_ECDSA: 1612 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1613 &k->ecdsa); 1614 break; 1615 case KEY_RSA: 1616 ret = rsa_generate_private_key(bits, &k->rsa); 1617 break; 1618 #endif /* WITH_OPENSSL */ 1619 default: 1620 ret = SSH_ERR_INVALID_ARGUMENT; 1621 } 1622 if (ret == 0) { 1623 k->type = type; 1624 *keyp = k; 1625 } else 1626 sshkey_free(k); 1627 return ret; 1628 } 1629 1630 int 1631 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1632 { 1633 u_int i; 1634 const struct sshkey_cert *from; 1635 struct sshkey_cert *to; 1636 int r = SSH_ERR_INTERNAL_ERROR; 1637 1638 if (to_key == NULL || (from = from_key->cert) == NULL) 1639 return SSH_ERR_INVALID_ARGUMENT; 1640 1641 if ((to = cert_new()) == NULL) 1642 return SSH_ERR_ALLOC_FAIL; 1643 1644 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1645 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1646 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1647 goto out; 1648 1649 to->serial = from->serial; 1650 to->type = from->type; 1651 if (from->key_id == NULL) 1652 to->key_id = NULL; 1653 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1654 r = SSH_ERR_ALLOC_FAIL; 1655 goto out; 1656 } 1657 to->valid_after = from->valid_after; 1658 to->valid_before = from->valid_before; 1659 if (from->signature_key == NULL) 1660 to->signature_key = NULL; 1661 else if ((r = sshkey_from_private(from->signature_key, 1662 &to->signature_key)) != 0) 1663 goto out; 1664 if (from->signature_type != NULL && 1665 (to->signature_type = strdup(from->signature_type)) == NULL) { 1666 r = SSH_ERR_ALLOC_FAIL; 1667 goto out; 1668 } 1669 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1670 r = SSH_ERR_INVALID_ARGUMENT; 1671 goto out; 1672 } 1673 if (from->nprincipals > 0) { 1674 if ((to->principals = calloc(from->nprincipals, 1675 sizeof(*to->principals))) == NULL) { 1676 r = SSH_ERR_ALLOC_FAIL; 1677 goto out; 1678 } 1679 for (i = 0; i < from->nprincipals; i++) { 1680 to->principals[i] = strdup(from->principals[i]); 1681 if (to->principals[i] == NULL) { 1682 to->nprincipals = i; 1683 r = SSH_ERR_ALLOC_FAIL; 1684 goto out; 1685 } 1686 } 1687 } 1688 to->nprincipals = from->nprincipals; 1689 1690 /* success */ 1691 cert_free(to_key->cert); 1692 to_key->cert = to; 1693 to = NULL; 1694 r = 0; 1695 out: 1696 cert_free(to); 1697 return r; 1698 } 1699 1700 int 1701 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1702 { 1703 struct sshkey *n = NULL; 1704 int r = SSH_ERR_INTERNAL_ERROR; 1705 #ifdef WITH_OPENSSL 1706 const BIGNUM *rsa_n, *rsa_e; 1707 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1708 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1709 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1710 BIGNUM *dsa_pub_key_dup = NULL; 1711 #endif /* WITH_OPENSSL */ 1712 1713 *pkp = NULL; 1714 switch (k->type) { 1715 #ifdef WITH_OPENSSL 1716 case KEY_DSA: 1717 case KEY_DSA_CERT: 1718 if ((n = sshkey_new(k->type)) == NULL) { 1719 r = SSH_ERR_ALLOC_FAIL; 1720 goto out; 1721 } 1722 1723 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1724 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1725 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1726 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1727 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1728 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1729 r = SSH_ERR_ALLOC_FAIL; 1730 goto out; 1731 } 1732 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1733 r = SSH_ERR_LIBCRYPTO_ERROR; 1734 goto out; 1735 } 1736 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1737 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1738 r = SSH_ERR_LIBCRYPTO_ERROR; 1739 goto out; 1740 } 1741 dsa_pub_key_dup = NULL; /* transferred */ 1742 1743 break; 1744 case KEY_ECDSA: 1745 case KEY_ECDSA_CERT: 1746 if ((n = sshkey_new(k->type)) == NULL) { 1747 r = SSH_ERR_ALLOC_FAIL; 1748 goto out; 1749 } 1750 n->ecdsa_nid = k->ecdsa_nid; 1751 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1752 if (n->ecdsa == NULL) { 1753 r = SSH_ERR_ALLOC_FAIL; 1754 goto out; 1755 } 1756 if (EC_KEY_set_public_key(n->ecdsa, 1757 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1758 r = SSH_ERR_LIBCRYPTO_ERROR; 1759 goto out; 1760 } 1761 break; 1762 case KEY_RSA: 1763 case KEY_RSA_CERT: 1764 if ((n = sshkey_new(k->type)) == NULL) { 1765 r = SSH_ERR_ALLOC_FAIL; 1766 goto out; 1767 } 1768 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1769 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1770 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1771 r = SSH_ERR_ALLOC_FAIL; 1772 goto out; 1773 } 1774 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1775 r = SSH_ERR_LIBCRYPTO_ERROR; 1776 goto out; 1777 } 1778 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1779 break; 1780 #endif /* WITH_OPENSSL */ 1781 case KEY_ED25519: 1782 case KEY_ED25519_CERT: 1783 if ((n = sshkey_new(k->type)) == NULL) { 1784 r = SSH_ERR_ALLOC_FAIL; 1785 goto out; 1786 } 1787 if (k->ed25519_pk != NULL) { 1788 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1789 r = SSH_ERR_ALLOC_FAIL; 1790 goto out; 1791 } 1792 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1793 } 1794 break; 1795 #ifdef WITH_XMSS 1796 case KEY_XMSS: 1797 case KEY_XMSS_CERT: 1798 if ((n = sshkey_new(k->type)) == NULL) { 1799 r = SSH_ERR_ALLOC_FAIL; 1800 goto out; 1801 } 1802 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1803 goto out; 1804 if (k->xmss_pk != NULL) { 1805 size_t pklen = sshkey_xmss_pklen(k); 1806 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1807 r = SSH_ERR_INTERNAL_ERROR; 1808 goto out; 1809 } 1810 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1811 r = SSH_ERR_ALLOC_FAIL; 1812 goto out; 1813 } 1814 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1815 } 1816 break; 1817 #endif /* WITH_XMSS */ 1818 default: 1819 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1820 goto out; 1821 } 1822 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1823 goto out; 1824 /* success */ 1825 *pkp = n; 1826 n = NULL; 1827 r = 0; 1828 out: 1829 sshkey_free(n); 1830 BN_clear_free(rsa_n_dup); 1831 BN_clear_free(rsa_e_dup); 1832 BN_clear_free(dsa_p_dup); 1833 BN_clear_free(dsa_q_dup); 1834 BN_clear_free(dsa_g_dup); 1835 BN_clear_free(dsa_pub_key_dup); 1836 1837 return r; 1838 } 1839 1840 int 1841 sshkey_is_shielded(struct sshkey *k) 1842 { 1843 return k != NULL && k->shielded_private != NULL; 1844 } 1845 1846 int 1847 sshkey_shield_private(struct sshkey *k) 1848 { 1849 struct sshbuf *prvbuf = NULL; 1850 u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; 1851 struct sshcipher_ctx *cctx = NULL; 1852 const struct sshcipher *cipher; 1853 size_t i, enclen = 0; 1854 struct sshkey *kswap = NULL, tmp; 1855 int r = SSH_ERR_INTERNAL_ERROR; 1856 1857 #ifdef DEBUG_PK 1858 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1859 #endif 1860 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1861 r = SSH_ERR_INVALID_ARGUMENT; 1862 goto out; 1863 } 1864 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1865 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1866 r = SSH_ERR_INTERNAL_ERROR; 1867 goto out; 1868 } 1869 1870 /* Prepare a random pre-key, and from it an ephemeral key */ 1871 if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) { 1872 r = SSH_ERR_ALLOC_FAIL; 1873 goto out; 1874 } 1875 arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1876 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1877 prekey, SSHKEY_SHIELD_PREKEY_LEN, 1878 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1879 goto out; 1880 #ifdef DEBUG_PK 1881 fprintf(stderr, "%s: key+iv\n", __func__); 1882 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1883 stderr); 1884 #endif 1885 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1886 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) 1887 goto out; 1888 1889 /* Serialise and encrypt the private key using the ephemeral key */ 1890 if ((prvbuf = sshbuf_new()) == NULL) { 1891 r = SSH_ERR_ALLOC_FAIL; 1892 goto out; 1893 } 1894 if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) 1895 goto out; 1896 if ((r = sshkey_private_serialize_opt(k, prvbuf, 1897 SSHKEY_SERIALIZE_FULL)) != 0) 1898 goto out; 1899 /* pad to cipher blocksize */ 1900 i = 0; 1901 while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { 1902 if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) 1903 goto out; 1904 } 1905 #ifdef DEBUG_PK 1906 fprintf(stderr, "%s: serialised\n", __func__); 1907 sshbuf_dump(prvbuf, stderr); 1908 #endif 1909 /* encrypt */ 1910 enclen = sshbuf_len(prvbuf); 1911 if ((enc = malloc(enclen)) == NULL) { 1912 r = SSH_ERR_ALLOC_FAIL; 1913 goto out; 1914 } 1915 if ((r = cipher_crypt(cctx, 0, enc, 1916 sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) 1917 goto out; 1918 #ifdef DEBUG_PK 1919 fprintf(stderr, "%s: encrypted\n", __func__); 1920 sshbuf_dump_data(enc, enclen, stderr); 1921 #endif 1922 1923 /* Make a scrubbed, public-only copy of our private key argument */ 1924 if ((r = sshkey_from_private(k, &kswap)) != 0) 1925 goto out; 1926 1927 /* Swap the private key out (it will be destroyed below) */ 1928 tmp = *kswap; 1929 *kswap = *k; 1930 *k = tmp; 1931 1932 /* Insert the shielded key into our argument */ 1933 k->shielded_private = enc; 1934 k->shielded_len = enclen; 1935 k->shield_prekey = prekey; 1936 k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; 1937 enc = prekey = NULL; /* transferred */ 1938 enclen = 0; 1939 1940 /* success */ 1941 r = 0; 1942 1943 out: 1944 /* XXX behaviour on error - invalidate original private key? */ 1945 cipher_free(cctx); 1946 explicit_bzero(enc, enclen); 1947 explicit_bzero(keyiv, sizeof(keyiv)); 1948 explicit_bzero(&tmp, sizeof(tmp)); 1949 freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1950 sshkey_free(kswap); 1951 sshbuf_free(prvbuf); 1952 return r; 1953 } 1954 1955 int 1956 sshkey_unshield_private(struct sshkey *k) 1957 { 1958 struct sshbuf *prvbuf = NULL; 1959 u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; 1960 struct sshcipher_ctx *cctx = NULL; 1961 const struct sshcipher *cipher; 1962 size_t i; 1963 struct sshkey *kswap = NULL, tmp; 1964 int r = SSH_ERR_INTERNAL_ERROR; 1965 1966 #ifdef DEBUG_PK 1967 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1968 #endif 1969 if (!sshkey_is_shielded(k)) 1970 return 0; /* nothing to do */ 1971 1972 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1973 r = SSH_ERR_INVALID_ARGUMENT; 1974 goto out; 1975 } 1976 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1977 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1978 r = SSH_ERR_INTERNAL_ERROR; 1979 goto out; 1980 } 1981 /* check size of shielded key blob */ 1982 if (k->shielded_len < cipher_blocksize(cipher) || 1983 (k->shielded_len % cipher_blocksize(cipher)) != 0) { 1984 r = SSH_ERR_INVALID_FORMAT; 1985 goto out; 1986 } 1987 1988 /* Calculate the ephemeral key from the prekey */ 1989 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1990 k->shield_prekey, k->shield_prekey_len, 1991 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1992 goto out; 1993 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1994 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) 1995 goto out; 1996 #ifdef DEBUG_PK 1997 fprintf(stderr, "%s: key+iv\n", __func__); 1998 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1999 stderr); 2000 #endif 2001 2002 /* Decrypt and parse the shielded private key using the ephemeral key */ 2003 if ((prvbuf = sshbuf_new()) == NULL) { 2004 r = SSH_ERR_ALLOC_FAIL; 2005 goto out; 2006 } 2007 if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) 2008 goto out; 2009 /* decrypt */ 2010 #ifdef DEBUG_PK 2011 fprintf(stderr, "%s: encrypted\n", __func__); 2012 sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); 2013 #endif 2014 if ((r = cipher_crypt(cctx, 0, cp, 2015 k->shielded_private, k->shielded_len, 0, 0)) != 0) 2016 goto out; 2017 #ifdef DEBUG_PK 2018 fprintf(stderr, "%s: serialised\n", __func__); 2019 sshbuf_dump(prvbuf, stderr); 2020 #endif 2021 /* Parse private key */ 2022 if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) 2023 goto out; 2024 /* Check deterministic padding */ 2025 i = 0; 2026 while (sshbuf_len(prvbuf)) { 2027 if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0) 2028 goto out; 2029 if (pad != (++i & 0xff)) { 2030 r = SSH_ERR_INVALID_FORMAT; 2031 goto out; 2032 } 2033 } 2034 2035 /* Swap the parsed key back into place */ 2036 tmp = *kswap; 2037 *kswap = *k; 2038 *k = tmp; 2039 2040 /* success */ 2041 r = 0; 2042 2043 out: 2044 cipher_free(cctx); 2045 explicit_bzero(keyiv, sizeof(keyiv)); 2046 explicit_bzero(&tmp, sizeof(tmp)); 2047 sshkey_free(kswap); 2048 sshbuf_free(prvbuf); 2049 return r; 2050 } 2051 2052 static int 2053 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 2054 { 2055 struct sshbuf *principals = NULL, *crit = NULL; 2056 struct sshbuf *exts = NULL, *ca = NULL; 2057 u_char *sig = NULL; 2058 size_t signed_len = 0, slen = 0, kidlen = 0; 2059 int ret = SSH_ERR_INTERNAL_ERROR; 2060 2061 /* Copy the entire key blob for verification and later serialisation */ 2062 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 2063 return ret; 2064 2065 /* Parse body of certificate up to signature */ 2066 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 2067 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 2068 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 2069 (ret = sshbuf_froms(b, &principals)) != 0 || 2070 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 2071 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 2072 (ret = sshbuf_froms(b, &crit)) != 0 || 2073 (ret = sshbuf_froms(b, &exts)) != 0 || 2074 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 2075 (ret = sshbuf_froms(b, &ca)) != 0) { 2076 /* XXX debug print error for ret */ 2077 ret = SSH_ERR_INVALID_FORMAT; 2078 goto out; 2079 } 2080 2081 /* Signature is left in the buffer so we can calculate this length */ 2082 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 2083 2084 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 2085 ret = SSH_ERR_INVALID_FORMAT; 2086 goto out; 2087 } 2088 2089 if (key->cert->type != SSH2_CERT_TYPE_USER && 2090 key->cert->type != SSH2_CERT_TYPE_HOST) { 2091 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 2092 goto out; 2093 } 2094 2095 /* Parse principals section */ 2096 while (sshbuf_len(principals) > 0) { 2097 char *principal = NULL; 2098 char **oprincipals = NULL; 2099 2100 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 2101 ret = SSH_ERR_INVALID_FORMAT; 2102 goto out; 2103 } 2104 if ((ret = sshbuf_get_cstring(principals, &principal, 2105 NULL)) != 0) { 2106 ret = SSH_ERR_INVALID_FORMAT; 2107 goto out; 2108 } 2109 oprincipals = key->cert->principals; 2110 key->cert->principals = recallocarray(key->cert->principals, 2111 key->cert->nprincipals, key->cert->nprincipals + 1, 2112 sizeof(*key->cert->principals)); 2113 if (key->cert->principals == NULL) { 2114 free(principal); 2115 key->cert->principals = oprincipals; 2116 ret = SSH_ERR_ALLOC_FAIL; 2117 goto out; 2118 } 2119 key->cert->principals[key->cert->nprincipals++] = principal; 2120 } 2121 2122 /* 2123 * Stash a copies of the critical options and extensions sections 2124 * for later use. 2125 */ 2126 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 2127 (exts != NULL && 2128 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 2129 goto out; 2130 2131 /* 2132 * Validate critical options and extensions sections format. 2133 */ 2134 while (sshbuf_len(crit) != 0) { 2135 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 2136 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 2137 sshbuf_reset(key->cert->critical); 2138 ret = SSH_ERR_INVALID_FORMAT; 2139 goto out; 2140 } 2141 } 2142 while (exts != NULL && sshbuf_len(exts) != 0) { 2143 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 2144 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 2145 sshbuf_reset(key->cert->extensions); 2146 ret = SSH_ERR_INVALID_FORMAT; 2147 goto out; 2148 } 2149 } 2150 2151 /* Parse CA key and check signature */ 2152 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 2153 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2154 goto out; 2155 } 2156 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 2157 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2158 goto out; 2159 } 2160 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 2161 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0) 2162 goto out; 2163 if ((ret = get_sigtype(sig, slen, &key->cert->signature_type)) != 0) 2164 goto out; 2165 2166 /* Success */ 2167 ret = 0; 2168 out: 2169 sshbuf_free(ca); 2170 sshbuf_free(crit); 2171 sshbuf_free(exts); 2172 sshbuf_free(principals); 2173 free(sig); 2174 return ret; 2175 } 2176 2177 static int 2178 check_rsa_length(const RSA *rsa) 2179 { 2180 const BIGNUM *rsa_n; 2181 2182 RSA_get0_key(rsa, &rsa_n, NULL, NULL); 2183 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 2184 return SSH_ERR_KEY_LENGTH; 2185 return 0; 2186 } 2187 2188 static int 2189 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 2190 int allow_cert) 2191 { 2192 int type, ret = SSH_ERR_INTERNAL_ERROR; 2193 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 2194 struct sshkey *key = NULL; 2195 size_t len; 2196 u_char *pk = NULL; 2197 struct sshbuf *copy; 2198 #ifdef WITH_OPENSSL 2199 EC_POINT *q = NULL; 2200 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 2201 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 2202 #endif /* WITH_OPENSSL */ 2203 2204 #ifdef DEBUG_PK /* XXX */ 2205 sshbuf_dump(b, stderr); 2206 #endif 2207 if (keyp != NULL) 2208 *keyp = NULL; 2209 if ((copy = sshbuf_fromb(b)) == NULL) { 2210 ret = SSH_ERR_ALLOC_FAIL; 2211 goto out; 2212 } 2213 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 2214 ret = SSH_ERR_INVALID_FORMAT; 2215 goto out; 2216 } 2217 2218 type = sshkey_type_from_name(ktype); 2219 if (!allow_cert && sshkey_type_is_cert(type)) { 2220 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2221 goto out; 2222 } 2223 switch (type) { 2224 #ifdef WITH_OPENSSL 2225 case KEY_RSA_CERT: 2226 /* Skip nonce */ 2227 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2228 ret = SSH_ERR_INVALID_FORMAT; 2229 goto out; 2230 } 2231 /* FALLTHROUGH */ 2232 case KEY_RSA: 2233 if ((key = sshkey_new(type)) == NULL) { 2234 ret = SSH_ERR_ALLOC_FAIL; 2235 goto out; 2236 } 2237 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2238 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2239 ret = SSH_ERR_INVALID_FORMAT; 2240 goto out; 2241 } 2242 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2243 ret = SSH_ERR_LIBCRYPTO_ERROR; 2244 goto out; 2245 } 2246 rsa_n = rsa_e = NULL; /* transferred */ 2247 if ((ret = check_rsa_length(key->rsa)) != 0) 2248 goto out; 2249 #ifdef DEBUG_PK 2250 RSA_print_fp(stderr, key->rsa, 8); 2251 #endif 2252 break; 2253 case KEY_DSA_CERT: 2254 /* Skip nonce */ 2255 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2256 ret = SSH_ERR_INVALID_FORMAT; 2257 goto out; 2258 } 2259 /* FALLTHROUGH */ 2260 case KEY_DSA: 2261 if ((key = sshkey_new(type)) == NULL) { 2262 ret = SSH_ERR_ALLOC_FAIL; 2263 goto out; 2264 } 2265 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2266 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2267 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2268 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2269 ret = SSH_ERR_INVALID_FORMAT; 2270 goto out; 2271 } 2272 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2273 ret = SSH_ERR_LIBCRYPTO_ERROR; 2274 goto out; 2275 } 2276 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2277 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2278 ret = SSH_ERR_LIBCRYPTO_ERROR; 2279 goto out; 2280 } 2281 dsa_pub_key = NULL; /* transferred */ 2282 #ifdef DEBUG_PK 2283 DSA_print_fp(stderr, key->dsa, 8); 2284 #endif 2285 break; 2286 case KEY_ECDSA_CERT: 2287 /* Skip nonce */ 2288 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2289 ret = SSH_ERR_INVALID_FORMAT; 2290 goto out; 2291 } 2292 /* FALLTHROUGH */ 2293 case KEY_ECDSA: 2294 if ((key = sshkey_new(type)) == NULL) { 2295 ret = SSH_ERR_ALLOC_FAIL; 2296 goto out; 2297 } 2298 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2299 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2300 ret = SSH_ERR_INVALID_FORMAT; 2301 goto out; 2302 } 2303 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2304 ret = SSH_ERR_EC_CURVE_MISMATCH; 2305 goto out; 2306 } 2307 EC_KEY_free(key->ecdsa); 2308 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2309 == NULL) { 2310 ret = SSH_ERR_EC_CURVE_INVALID; 2311 goto out; 2312 } 2313 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2314 ret = SSH_ERR_ALLOC_FAIL; 2315 goto out; 2316 } 2317 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2318 ret = SSH_ERR_INVALID_FORMAT; 2319 goto out; 2320 } 2321 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2322 q) != 0) { 2323 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2324 goto out; 2325 } 2326 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2327 /* XXX assume it is a allocation error */ 2328 ret = SSH_ERR_ALLOC_FAIL; 2329 goto out; 2330 } 2331 #ifdef DEBUG_PK 2332 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2333 #endif 2334 break; 2335 #endif /* WITH_OPENSSL */ 2336 case KEY_ED25519_CERT: 2337 /* Skip nonce */ 2338 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2339 ret = SSH_ERR_INVALID_FORMAT; 2340 goto out; 2341 } 2342 /* FALLTHROUGH */ 2343 case KEY_ED25519: 2344 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2345 goto out; 2346 if (len != ED25519_PK_SZ) { 2347 ret = SSH_ERR_INVALID_FORMAT; 2348 goto out; 2349 } 2350 if ((key = sshkey_new(type)) == NULL) { 2351 ret = SSH_ERR_ALLOC_FAIL; 2352 goto out; 2353 } 2354 key->ed25519_pk = pk; 2355 pk = NULL; 2356 break; 2357 #ifdef WITH_XMSS 2358 case KEY_XMSS_CERT: 2359 /* Skip nonce */ 2360 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2361 ret = SSH_ERR_INVALID_FORMAT; 2362 goto out; 2363 } 2364 /* FALLTHROUGH */ 2365 case KEY_XMSS: 2366 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2367 goto out; 2368 if ((key = sshkey_new(type)) == NULL) { 2369 ret = SSH_ERR_ALLOC_FAIL; 2370 goto out; 2371 } 2372 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2373 goto out; 2374 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2375 goto out; 2376 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2377 ret = SSH_ERR_INVALID_FORMAT; 2378 goto out; 2379 } 2380 key->xmss_pk = pk; 2381 pk = NULL; 2382 if (type != KEY_XMSS_CERT && 2383 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2384 goto out; 2385 break; 2386 #endif /* WITH_XMSS */ 2387 case KEY_UNSPEC: 2388 default: 2389 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2390 goto out; 2391 } 2392 2393 /* Parse certificate potion */ 2394 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2395 goto out; 2396 2397 if (key != NULL && sshbuf_len(b) != 0) { 2398 ret = SSH_ERR_INVALID_FORMAT; 2399 goto out; 2400 } 2401 ret = 0; 2402 if (keyp != NULL) { 2403 *keyp = key; 2404 key = NULL; 2405 } 2406 out: 2407 sshbuf_free(copy); 2408 sshkey_free(key); 2409 free(xmss_name); 2410 free(ktype); 2411 free(curve); 2412 free(pk); 2413 #ifdef WITH_OPENSSL 2414 EC_POINT_free(q); 2415 BN_clear_free(rsa_n); 2416 BN_clear_free(rsa_e); 2417 BN_clear_free(dsa_p); 2418 BN_clear_free(dsa_q); 2419 BN_clear_free(dsa_g); 2420 BN_clear_free(dsa_pub_key); 2421 #endif /* WITH_OPENSSL */ 2422 return ret; 2423 } 2424 2425 int 2426 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2427 { 2428 struct sshbuf *b; 2429 int r; 2430 2431 if ((b = sshbuf_from(blob, blen)) == NULL) 2432 return SSH_ERR_ALLOC_FAIL; 2433 r = sshkey_from_blob_internal(b, keyp, 1); 2434 sshbuf_free(b); 2435 return r; 2436 } 2437 2438 int 2439 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2440 { 2441 return sshkey_from_blob_internal(b, keyp, 1); 2442 } 2443 2444 int 2445 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2446 { 2447 struct sshbuf *b; 2448 int r; 2449 2450 if ((r = sshbuf_froms(buf, &b)) != 0) 2451 return r; 2452 r = sshkey_from_blob_internal(b, keyp, 1); 2453 sshbuf_free(b); 2454 return r; 2455 } 2456 2457 static int 2458 get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2459 { 2460 int r; 2461 struct sshbuf *b = NULL; 2462 char *sigtype = NULL; 2463 2464 if (sigtypep != NULL) 2465 *sigtypep = NULL; 2466 if ((b = sshbuf_from(sig, siglen)) == NULL) 2467 return SSH_ERR_ALLOC_FAIL; 2468 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2469 goto out; 2470 /* success */ 2471 if (sigtypep != NULL) { 2472 *sigtypep = sigtype; 2473 sigtype = NULL; 2474 } 2475 r = 0; 2476 out: 2477 free(sigtype); 2478 sshbuf_free(b); 2479 return r; 2480 } 2481 2482 /* 2483 * 2484 * Checks whether a certificate's signature type is allowed. 2485 * Returns 0 (success) if the certificate signature type appears in the 2486 * "allowed" pattern-list, or the key is not a certificate to begin with. 2487 * Otherwise returns a ssherr.h code. 2488 */ 2489 int 2490 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2491 { 2492 if (key == NULL || allowed == NULL) 2493 return SSH_ERR_INVALID_ARGUMENT; 2494 if (!sshkey_type_is_cert(key->type)) 2495 return 0; 2496 if (key->cert == NULL || key->cert->signature_type == NULL) 2497 return SSH_ERR_INVALID_ARGUMENT; 2498 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2499 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2500 return 0; 2501 } 2502 2503 /* 2504 * Returns the expected signature algorithm for a given public key algorithm. 2505 */ 2506 const char * 2507 sshkey_sigalg_by_name(const char *name) 2508 { 2509 const struct keytype *kt; 2510 2511 for (kt = keytypes; kt->type != -1; kt++) { 2512 if (strcmp(kt->name, name) != 0) 2513 continue; 2514 if (kt->sigalg != NULL) 2515 return kt->sigalg; 2516 if (!kt->cert) 2517 return kt->name; 2518 return sshkey_ssh_name_from_type_nid( 2519 sshkey_type_plain(kt->type), kt->nid); 2520 } 2521 return NULL; 2522 } 2523 2524 /* 2525 * Verifies that the signature algorithm appearing inside the signature blob 2526 * matches that which was requested. 2527 */ 2528 int 2529 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2530 const char *requested_alg) 2531 { 2532 const char *expected_alg; 2533 char *sigtype = NULL; 2534 int r; 2535 2536 if (requested_alg == NULL) 2537 return 0; 2538 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2539 return SSH_ERR_INVALID_ARGUMENT; 2540 if ((r = get_sigtype(sig, siglen, &sigtype)) != 0) 2541 return r; 2542 r = strcmp(expected_alg, sigtype) == 0; 2543 free(sigtype); 2544 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2545 } 2546 2547 int 2548 sshkey_sign(struct sshkey *key, 2549 u_char **sigp, size_t *lenp, 2550 const u_char *data, size_t datalen, const char *alg, u_int compat) 2551 { 2552 int was_shielded = sshkey_is_shielded(key); 2553 int r2, r = SSH_ERR_INTERNAL_ERROR; 2554 2555 if (sigp != NULL) 2556 *sigp = NULL; 2557 if (lenp != NULL) 2558 *lenp = 0; 2559 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2560 return SSH_ERR_INVALID_ARGUMENT; 2561 if ((r = sshkey_unshield_private(key)) != 0) 2562 return r; 2563 switch (key->type) { 2564 #ifdef WITH_OPENSSL 2565 case KEY_DSA_CERT: 2566 case KEY_DSA: 2567 r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2568 break; 2569 case KEY_ECDSA_CERT: 2570 case KEY_ECDSA: 2571 r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2572 break; 2573 case KEY_RSA_CERT: 2574 case KEY_RSA: 2575 r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2576 break; 2577 #endif /* WITH_OPENSSL */ 2578 case KEY_ED25519: 2579 case KEY_ED25519_CERT: 2580 r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2581 break; 2582 #ifdef WITH_XMSS 2583 case KEY_XMSS: 2584 case KEY_XMSS_CERT: 2585 r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2586 break; 2587 #endif /* WITH_XMSS */ 2588 default: 2589 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2590 break; 2591 } 2592 if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) 2593 return r2; 2594 return r; 2595 } 2596 2597 /* 2598 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2599 * If "alg" specified, then the signature must use that algorithm. 2600 */ 2601 int 2602 sshkey_verify(const struct sshkey *key, 2603 const u_char *sig, size_t siglen, 2604 const u_char *data, size_t dlen, const char *alg, u_int compat) 2605 { 2606 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2607 return SSH_ERR_INVALID_ARGUMENT; 2608 switch (key->type) { 2609 #ifdef WITH_OPENSSL 2610 case KEY_DSA_CERT: 2611 case KEY_DSA: 2612 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2613 case KEY_ECDSA_CERT: 2614 case KEY_ECDSA: 2615 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2616 case KEY_RSA_CERT: 2617 case KEY_RSA: 2618 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2619 #endif /* WITH_OPENSSL */ 2620 case KEY_ED25519: 2621 case KEY_ED25519_CERT: 2622 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2623 #ifdef WITH_XMSS 2624 case KEY_XMSS: 2625 case KEY_XMSS_CERT: 2626 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2627 #endif /* WITH_XMSS */ 2628 default: 2629 return SSH_ERR_KEY_TYPE_UNKNOWN; 2630 } 2631 } 2632 2633 /* Convert a plain key to their _CERT equivalent */ 2634 int 2635 sshkey_to_certified(struct sshkey *k) 2636 { 2637 int newtype; 2638 2639 switch (k->type) { 2640 #ifdef WITH_OPENSSL 2641 case KEY_RSA: 2642 newtype = KEY_RSA_CERT; 2643 break; 2644 case KEY_DSA: 2645 newtype = KEY_DSA_CERT; 2646 break; 2647 case KEY_ECDSA: 2648 newtype = KEY_ECDSA_CERT; 2649 break; 2650 #endif /* WITH_OPENSSL */ 2651 case KEY_ED25519: 2652 newtype = KEY_ED25519_CERT; 2653 break; 2654 #ifdef WITH_XMSS 2655 case KEY_XMSS: 2656 newtype = KEY_XMSS_CERT; 2657 break; 2658 #endif /* WITH_XMSS */ 2659 default: 2660 return SSH_ERR_INVALID_ARGUMENT; 2661 } 2662 if ((k->cert = cert_new()) == NULL) 2663 return SSH_ERR_ALLOC_FAIL; 2664 k->type = newtype; 2665 return 0; 2666 } 2667 2668 /* Convert a certificate to its raw key equivalent */ 2669 int 2670 sshkey_drop_cert(struct sshkey *k) 2671 { 2672 if (!sshkey_type_is_cert(k->type)) 2673 return SSH_ERR_KEY_TYPE_UNKNOWN; 2674 cert_free(k->cert); 2675 k->cert = NULL; 2676 k->type = sshkey_type_plain(k->type); 2677 return 0; 2678 } 2679 2680 /* Sign a certified key, (re-)generating the signed certblob. */ 2681 int 2682 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2683 sshkey_certify_signer *signer, void *signer_ctx) 2684 { 2685 struct sshbuf *principals = NULL; 2686 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2687 size_t i, ca_len, sig_len; 2688 int ret = SSH_ERR_INTERNAL_ERROR; 2689 struct sshbuf *cert = NULL; 2690 char *sigtype = NULL; 2691 #ifdef WITH_OPENSSL 2692 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2693 #endif /* WITH_OPENSSL */ 2694 2695 if (k == NULL || k->cert == NULL || 2696 k->cert->certblob == NULL || ca == NULL) 2697 return SSH_ERR_INVALID_ARGUMENT; 2698 if (!sshkey_is_cert(k)) 2699 return SSH_ERR_KEY_TYPE_UNKNOWN; 2700 if (!sshkey_type_is_valid_ca(ca->type)) 2701 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2702 2703 /* 2704 * If no alg specified as argument but a signature_type was set, 2705 * then prefer that. If both were specified, then they must match. 2706 */ 2707 if (alg == NULL) 2708 alg = k->cert->signature_type; 2709 else if (k->cert->signature_type != NULL && 2710 strcmp(alg, k->cert->signature_type) != 0) 2711 return SSH_ERR_INVALID_ARGUMENT; 2712 2713 /* 2714 * If no signing algorithm or signature_type was specified and we're 2715 * using a RSA key, then default to a good signature algorithm. 2716 */ 2717 if (alg == NULL && ca->type == KEY_RSA) 2718 alg = "rsa-sha2-512"; 2719 2720 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2721 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2722 2723 cert = k->cert->certblob; /* for readability */ 2724 sshbuf_reset(cert); 2725 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2726 goto out; 2727 2728 /* -v01 certs put nonce first */ 2729 arc4random_buf(&nonce, sizeof(nonce)); 2730 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2731 goto out; 2732 2733 /* XXX this substantially duplicates to_blob(); refactor */ 2734 switch (k->type) { 2735 #ifdef WITH_OPENSSL 2736 case KEY_DSA_CERT: 2737 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2738 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2739 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2740 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2741 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2742 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2743 goto out; 2744 break; 2745 case KEY_ECDSA_CERT: 2746 if ((ret = sshbuf_put_cstring(cert, 2747 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2748 (ret = sshbuf_put_ec(cert, 2749 EC_KEY_get0_public_key(k->ecdsa), 2750 EC_KEY_get0_group(k->ecdsa))) != 0) 2751 goto out; 2752 break; 2753 case KEY_RSA_CERT: 2754 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2755 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2756 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2757 goto out; 2758 break; 2759 #endif /* WITH_OPENSSL */ 2760 case KEY_ED25519_CERT: 2761 if ((ret = sshbuf_put_string(cert, 2762 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2763 goto out; 2764 break; 2765 #ifdef WITH_XMSS 2766 case KEY_XMSS_CERT: 2767 if (k->xmss_name == NULL) { 2768 ret = SSH_ERR_INVALID_ARGUMENT; 2769 goto out; 2770 } 2771 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2772 (ret = sshbuf_put_string(cert, 2773 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2774 goto out; 2775 break; 2776 #endif /* WITH_XMSS */ 2777 default: 2778 ret = SSH_ERR_INVALID_ARGUMENT; 2779 goto out; 2780 } 2781 2782 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2783 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2784 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2785 goto out; 2786 2787 if ((principals = sshbuf_new()) == NULL) { 2788 ret = SSH_ERR_ALLOC_FAIL; 2789 goto out; 2790 } 2791 for (i = 0; i < k->cert->nprincipals; i++) { 2792 if ((ret = sshbuf_put_cstring(principals, 2793 k->cert->principals[i])) != 0) 2794 goto out; 2795 } 2796 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2797 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2798 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2799 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2800 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2801 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2802 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2803 goto out; 2804 2805 /* Sign the whole mess */ 2806 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2807 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2808 goto out; 2809 /* Check and update signature_type against what was actually used */ 2810 if ((ret = get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2811 goto out; 2812 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2813 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2814 goto out; 2815 } 2816 if (k->cert->signature_type == NULL) { 2817 k->cert->signature_type = sigtype; 2818 sigtype = NULL; 2819 } 2820 /* Append signature and we are done */ 2821 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2822 goto out; 2823 ret = 0; 2824 out: 2825 if (ret != 0) 2826 sshbuf_reset(cert); 2827 free(sig_blob); 2828 free(ca_blob); 2829 free(sigtype); 2830 sshbuf_free(principals); 2831 return ret; 2832 } 2833 2834 static int 2835 default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, 2836 const u_char *data, size_t datalen, 2837 const char *alg, u_int compat, void *ctx) 2838 { 2839 if (ctx != NULL) 2840 return SSH_ERR_INVALID_ARGUMENT; 2841 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2842 } 2843 2844 int 2845 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2846 { 2847 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2848 } 2849 2850 int 2851 sshkey_cert_check_authority(const struct sshkey *k, 2852 int want_host, int require_principal, 2853 const char *name, const char **reason) 2854 { 2855 u_int i, principal_matches; 2856 time_t now = time(NULL); 2857 2858 if (reason != NULL) 2859 *reason = NULL; 2860 2861 if (want_host) { 2862 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2863 *reason = "Certificate invalid: not a host certificate"; 2864 return SSH_ERR_KEY_CERT_INVALID; 2865 } 2866 } else { 2867 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2868 *reason = "Certificate invalid: not a user certificate"; 2869 return SSH_ERR_KEY_CERT_INVALID; 2870 } 2871 } 2872 if (now < 0) { 2873 /* yikes - system clock before epoch! */ 2874 *reason = "Certificate invalid: not yet valid"; 2875 return SSH_ERR_KEY_CERT_INVALID; 2876 } 2877 if ((u_int64_t)now < k->cert->valid_after) { 2878 *reason = "Certificate invalid: not yet valid"; 2879 return SSH_ERR_KEY_CERT_INVALID; 2880 } 2881 if ((u_int64_t)now >= k->cert->valid_before) { 2882 *reason = "Certificate invalid: expired"; 2883 return SSH_ERR_KEY_CERT_INVALID; 2884 } 2885 if (k->cert->nprincipals == 0) { 2886 if (require_principal) { 2887 *reason = "Certificate lacks principal list"; 2888 return SSH_ERR_KEY_CERT_INVALID; 2889 } 2890 } else if (name != NULL) { 2891 principal_matches = 0; 2892 for (i = 0; i < k->cert->nprincipals; i++) { 2893 if (strcmp(name, k->cert->principals[i]) == 0) { 2894 principal_matches = 1; 2895 break; 2896 } 2897 } 2898 if (!principal_matches) { 2899 *reason = "Certificate invalid: name is not a listed " 2900 "principal"; 2901 return SSH_ERR_KEY_CERT_INVALID; 2902 } 2903 } 2904 return 0; 2905 } 2906 2907 size_t 2908 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2909 { 2910 char from[32], to[32], ret[64]; 2911 time_t tt; 2912 struct tm *tm; 2913 2914 *from = *to = '\0'; 2915 if (cert->valid_after == 0 && 2916 cert->valid_before == 0xffffffffffffffffULL) 2917 return strlcpy(s, "forever", l); 2918 2919 if (cert->valid_after != 0) { 2920 /* XXX revisit INT_MAX in 2038 :) */ 2921 tt = cert->valid_after > INT_MAX ? 2922 INT_MAX : cert->valid_after; 2923 tm = localtime(&tt); 2924 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2925 } 2926 if (cert->valid_before != 0xffffffffffffffffULL) { 2927 /* XXX revisit INT_MAX in 2038 :) */ 2928 tt = cert->valid_before > INT_MAX ? 2929 INT_MAX : cert->valid_before; 2930 tm = localtime(&tt); 2931 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2932 } 2933 2934 if (cert->valid_after == 0) 2935 snprintf(ret, sizeof(ret), "before %s", to); 2936 else if (cert->valid_before == 0xffffffffffffffffULL) 2937 snprintf(ret, sizeof(ret), "after %s", from); 2938 else 2939 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2940 2941 return strlcpy(s, ret, l); 2942 } 2943 2944 int 2945 sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, 2946 enum sshkey_serialize_rep opts) 2947 { 2948 int r = SSH_ERR_INTERNAL_ERROR; 2949 int was_shielded = sshkey_is_shielded(key); 2950 struct sshbuf *b = NULL; 2951 #ifdef WITH_OPENSSL 2952 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 2953 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 2954 #endif /* WITH_OPENSSL */ 2955 2956 if ((r = sshkey_unshield_private(key)) != 0) 2957 return r; 2958 if ((b = sshbuf_new()) == NULL) 2959 return SSH_ERR_ALLOC_FAIL; 2960 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2961 goto out; 2962 switch (key->type) { 2963 #ifdef WITH_OPENSSL 2964 case KEY_RSA: 2965 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 2966 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2967 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2968 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 2969 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 2970 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2971 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2972 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2973 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2974 goto out; 2975 break; 2976 case KEY_RSA_CERT: 2977 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2978 r = SSH_ERR_INVALID_ARGUMENT; 2979 goto out; 2980 } 2981 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 2982 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2983 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2984 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2985 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2986 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2987 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2988 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2989 goto out; 2990 break; 2991 case KEY_DSA: 2992 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 2993 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 2994 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 2995 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 2996 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 2997 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 2998 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2999 goto out; 3000 break; 3001 case KEY_DSA_CERT: 3002 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3003 r = SSH_ERR_INVALID_ARGUMENT; 3004 goto out; 3005 } 3006 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 3007 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3008 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 3009 goto out; 3010 break; 3011 case KEY_ECDSA: 3012 if ((r = sshbuf_put_cstring(b, 3013 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 3014 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 3015 (r = sshbuf_put_bignum2(b, 3016 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3017 goto out; 3018 break; 3019 case KEY_ECDSA_CERT: 3020 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3021 r = SSH_ERR_INVALID_ARGUMENT; 3022 goto out; 3023 } 3024 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3025 (r = sshbuf_put_bignum2(b, 3026 EC_KEY_get0_private_key(key->ecdsa))) != 0) 3027 goto out; 3028 break; 3029 #endif /* WITH_OPENSSL */ 3030 case KEY_ED25519: 3031 if ((r = sshbuf_put_string(b, key->ed25519_pk, 3032 ED25519_PK_SZ)) != 0 || 3033 (r = sshbuf_put_string(b, key->ed25519_sk, 3034 ED25519_SK_SZ)) != 0) 3035 goto out; 3036 break; 3037 case KEY_ED25519_CERT: 3038 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 3039 r = SSH_ERR_INVALID_ARGUMENT; 3040 goto out; 3041 } 3042 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3043 (r = sshbuf_put_string(b, key->ed25519_pk, 3044 ED25519_PK_SZ)) != 0 || 3045 (r = sshbuf_put_string(b, key->ed25519_sk, 3046 ED25519_SK_SZ)) != 0) 3047 goto out; 3048 break; 3049 #ifdef WITH_XMSS 3050 case KEY_XMSS: 3051 if (key->xmss_name == NULL) { 3052 r = SSH_ERR_INVALID_ARGUMENT; 3053 goto out; 3054 } 3055 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3056 (r = sshbuf_put_string(b, key->xmss_pk, 3057 sshkey_xmss_pklen(key))) != 0 || 3058 (r = sshbuf_put_string(b, key->xmss_sk, 3059 sshkey_xmss_sklen(key))) != 0 || 3060 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3061 goto out; 3062 break; 3063 case KEY_XMSS_CERT: 3064 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 3065 key->xmss_name == NULL) { 3066 r = SSH_ERR_INVALID_ARGUMENT; 3067 goto out; 3068 } 3069 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 3070 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 3071 (r = sshbuf_put_string(b, key->xmss_pk, 3072 sshkey_xmss_pklen(key))) != 0 || 3073 (r = sshbuf_put_string(b, key->xmss_sk, 3074 sshkey_xmss_sklen(key))) != 0 || 3075 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 3076 goto out; 3077 break; 3078 #endif /* WITH_XMSS */ 3079 default: 3080 r = SSH_ERR_INVALID_ARGUMENT; 3081 goto out; 3082 } 3083 /* 3084 * success (but we still need to append the output to buf after 3085 * possibly re-shielding the private key) 3086 */ 3087 r = 0; 3088 out: 3089 if (was_shielded) 3090 r = sshkey_shield_private(key); 3091 if (r == 0) 3092 r = sshbuf_putb(buf, b); 3093 sshbuf_free(b); 3094 3095 return r; 3096 } 3097 3098 int 3099 sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) 3100 { 3101 return sshkey_private_serialize_opt(key, b, 3102 SSHKEY_SERIALIZE_DEFAULT); 3103 } 3104 3105 int 3106 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 3107 { 3108 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 3109 struct sshkey *k = NULL; 3110 size_t pklen = 0, sklen = 0; 3111 int type, r = SSH_ERR_INTERNAL_ERROR; 3112 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 3113 u_char *xmss_pk = NULL, *xmss_sk = NULL; 3114 #ifdef WITH_OPENSSL 3115 BIGNUM *exponent = NULL; 3116 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 3117 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 3118 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 3119 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 3120 #endif /* WITH_OPENSSL */ 3121 3122 if (kp != NULL) 3123 *kp = NULL; 3124 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 3125 goto out; 3126 type = sshkey_type_from_name(tname); 3127 switch (type) { 3128 #ifdef WITH_OPENSSL 3129 case KEY_DSA: 3130 if ((k = sshkey_new(type)) == NULL) { 3131 r = SSH_ERR_ALLOC_FAIL; 3132 goto out; 3133 } 3134 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 3135 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 3136 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 3137 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 || 3138 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 3139 goto out; 3140 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 3141 r = SSH_ERR_LIBCRYPTO_ERROR; 3142 goto out; 3143 } 3144 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 3145 if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) { 3146 r = SSH_ERR_LIBCRYPTO_ERROR; 3147 goto out; 3148 } 3149 dsa_pub_key = dsa_priv_key = NULL; /* transferred */ 3150 break; 3151 case KEY_DSA_CERT: 3152 if ((r = sshkey_froms(buf, &k)) != 0 || 3153 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 3154 goto out; 3155 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 3156 r = SSH_ERR_LIBCRYPTO_ERROR; 3157 goto out; 3158 } 3159 dsa_priv_key = NULL; /* transferred */ 3160 break; 3161 case KEY_ECDSA: 3162 if ((k = sshkey_new(type)) == NULL) { 3163 r = SSH_ERR_ALLOC_FAIL; 3164 goto out; 3165 } 3166 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 3167 r = SSH_ERR_INVALID_ARGUMENT; 3168 goto out; 3169 } 3170 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 3171 goto out; 3172 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 3173 r = SSH_ERR_EC_CURVE_MISMATCH; 3174 goto out; 3175 } 3176 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 3177 if (k->ecdsa == NULL) { 3178 r = SSH_ERR_LIBCRYPTO_ERROR; 3179 goto out; 3180 } 3181 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 3182 (r = sshbuf_get_bignum2(buf, &exponent))) 3183 goto out; 3184 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 3185 r = SSH_ERR_LIBCRYPTO_ERROR; 3186 goto out; 3187 } 3188 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3189 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 3190 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 3191 goto out; 3192 break; 3193 case KEY_ECDSA_CERT: 3194 if ((r = sshkey_froms(buf, &k)) != 0 || 3195 (r = sshbuf_get_bignum2(buf, &exponent)) != 0) 3196 goto out; 3197 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 3198 r = SSH_ERR_LIBCRYPTO_ERROR; 3199 goto out; 3200 } 3201 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 3202 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 3203 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 3204 goto out; 3205 break; 3206 case KEY_RSA: 3207 if ((k = sshkey_new(type)) == NULL) { 3208 r = SSH_ERR_ALLOC_FAIL; 3209 goto out; 3210 } 3211 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 3212 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 || 3213 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 3214 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 3215 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 3216 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 3217 goto out; 3218 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) { 3219 r = SSH_ERR_LIBCRYPTO_ERROR; 3220 goto out; 3221 } 3222 rsa_n = rsa_e = rsa_d = NULL; /* transferred */ 3223 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 3224 r = SSH_ERR_LIBCRYPTO_ERROR; 3225 goto out; 3226 } 3227 rsa_p = rsa_q = NULL; /* transferred */ 3228 if ((r = check_rsa_length(k->rsa)) != 0) 3229 goto out; 3230 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3231 goto out; 3232 break; 3233 case KEY_RSA_CERT: 3234 if ((r = sshkey_froms(buf, &k)) != 0 || 3235 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 3236 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 3237 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 3238 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 3239 goto out; 3240 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 3241 r = SSH_ERR_LIBCRYPTO_ERROR; 3242 goto out; 3243 } 3244 rsa_d = NULL; /* transferred */ 3245 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 3246 r = SSH_ERR_LIBCRYPTO_ERROR; 3247 goto out; 3248 } 3249 rsa_p = rsa_q = NULL; /* transferred */ 3250 if ((r = check_rsa_length(k->rsa)) != 0) 3251 goto out; 3252 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3253 goto out; 3254 break; 3255 #endif /* WITH_OPENSSL */ 3256 case KEY_ED25519: 3257 if ((k = sshkey_new(type)) == NULL) { 3258 r = SSH_ERR_ALLOC_FAIL; 3259 goto out; 3260 } 3261 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3262 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3263 goto out; 3264 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3265 r = SSH_ERR_INVALID_FORMAT; 3266 goto out; 3267 } 3268 k->ed25519_pk = ed25519_pk; 3269 k->ed25519_sk = ed25519_sk; 3270 ed25519_pk = ed25519_sk = NULL; 3271 break; 3272 case KEY_ED25519_CERT: 3273 if ((r = sshkey_froms(buf, &k)) != 0 || 3274 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3275 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3276 goto out; 3277 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3278 r = SSH_ERR_INVALID_FORMAT; 3279 goto out; 3280 } 3281 k->ed25519_pk = ed25519_pk; 3282 k->ed25519_sk = ed25519_sk; 3283 ed25519_pk = ed25519_sk = NULL; 3284 break; 3285 #ifdef WITH_XMSS 3286 case KEY_XMSS: 3287 if ((k = sshkey_new(type)) == NULL) { 3288 r = SSH_ERR_ALLOC_FAIL; 3289 goto out; 3290 } 3291 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3292 (r = sshkey_xmss_init(k, xmss_name)) != 0 || 3293 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3294 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3295 goto out; 3296 if (pklen != sshkey_xmss_pklen(k) || 3297 sklen != sshkey_xmss_sklen(k)) { 3298 r = SSH_ERR_INVALID_FORMAT; 3299 goto out; 3300 } 3301 k->xmss_pk = xmss_pk; 3302 k->xmss_sk = xmss_sk; 3303 xmss_pk = xmss_sk = NULL; 3304 /* optional internal state */ 3305 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3306 goto out; 3307 break; 3308 case KEY_XMSS_CERT: 3309 if ((r = sshkey_froms(buf, &k)) != 0 || 3310 (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3311 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3312 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3313 goto out; 3314 if (strcmp(xmss_name, k->xmss_name)) { 3315 r = SSH_ERR_INVALID_FORMAT; 3316 goto out; 3317 } 3318 if (pklen != sshkey_xmss_pklen(k) || 3319 sklen != sshkey_xmss_sklen(k)) { 3320 r = SSH_ERR_INVALID_FORMAT; 3321 goto out; 3322 } 3323 k->xmss_pk = xmss_pk; 3324 k->xmss_sk = xmss_sk; 3325 xmss_pk = xmss_sk = NULL; 3326 /* optional internal state */ 3327 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3328 goto out; 3329 break; 3330 #endif /* WITH_XMSS */ 3331 default: 3332 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3333 goto out; 3334 } 3335 #ifdef WITH_OPENSSL 3336 /* enable blinding */ 3337 switch (k->type) { 3338 case KEY_RSA: 3339 case KEY_RSA_CERT: 3340 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3341 r = SSH_ERR_LIBCRYPTO_ERROR; 3342 goto out; 3343 } 3344 break; 3345 } 3346 #endif /* WITH_OPENSSL */ 3347 /* success */ 3348 r = 0; 3349 if (kp != NULL) { 3350 *kp = k; 3351 k = NULL; 3352 } 3353 out: 3354 free(tname); 3355 free(curve); 3356 #ifdef WITH_OPENSSL 3357 BN_clear_free(exponent); 3358 BN_clear_free(dsa_p); 3359 BN_clear_free(dsa_q); 3360 BN_clear_free(dsa_g); 3361 BN_clear_free(dsa_pub_key); 3362 BN_clear_free(dsa_priv_key); 3363 BN_clear_free(rsa_n); 3364 BN_clear_free(rsa_e); 3365 BN_clear_free(rsa_d); 3366 BN_clear_free(rsa_p); 3367 BN_clear_free(rsa_q); 3368 BN_clear_free(rsa_iqmp); 3369 #endif /* WITH_OPENSSL */ 3370 sshkey_free(k); 3371 freezero(ed25519_pk, pklen); 3372 freezero(ed25519_sk, sklen); 3373 free(xmss_name); 3374 freezero(xmss_pk, pklen); 3375 freezero(xmss_sk, sklen); 3376 return r; 3377 } 3378 3379 #ifdef WITH_OPENSSL 3380 int 3381 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3382 { 3383 BN_CTX *bnctx; 3384 EC_POINT *nq = NULL; 3385 BIGNUM *order, *x, *y, *tmp; 3386 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3387 3388 /* 3389 * NB. This assumes OpenSSL has already verified that the public 3390 * point lies on the curve. This is done by EC_POINT_oct2point() 3391 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3392 * reachable with public points not unmarshalled using 3393 * EC_POINT_oct2point then the caller will need to explicitly check. 3394 */ 3395 3396 if ((bnctx = BN_CTX_new()) == NULL) 3397 return SSH_ERR_ALLOC_FAIL; 3398 BN_CTX_start(bnctx); 3399 3400 /* 3401 * We shouldn't ever hit this case because bignum_get_ecpoint() 3402 * refuses to load GF2m points. 3403 */ 3404 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3405 NID_X9_62_prime_field) 3406 goto out; 3407 3408 /* Q != infinity */ 3409 if (EC_POINT_is_at_infinity(group, public)) 3410 goto out; 3411 3412 if ((x = BN_CTX_get(bnctx)) == NULL || 3413 (y = BN_CTX_get(bnctx)) == NULL || 3414 (order = BN_CTX_get(bnctx)) == NULL || 3415 (tmp = BN_CTX_get(bnctx)) == NULL) { 3416 ret = SSH_ERR_ALLOC_FAIL; 3417 goto out; 3418 } 3419 3420 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3421 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 3422 EC_POINT_get_affine_coordinates_GFp(group, public, 3423 x, y, bnctx) != 1) { 3424 ret = SSH_ERR_LIBCRYPTO_ERROR; 3425 goto out; 3426 } 3427 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3428 BN_num_bits(y) <= BN_num_bits(order) / 2) 3429 goto out; 3430 3431 /* nQ == infinity (n == order of subgroup) */ 3432 if ((nq = EC_POINT_new(group)) == NULL) { 3433 ret = SSH_ERR_ALLOC_FAIL; 3434 goto out; 3435 } 3436 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 3437 ret = SSH_ERR_LIBCRYPTO_ERROR; 3438 goto out; 3439 } 3440 if (EC_POINT_is_at_infinity(group, nq) != 1) 3441 goto out; 3442 3443 /* x < order - 1, y < order - 1 */ 3444 if (!BN_sub(tmp, order, BN_value_one())) { 3445 ret = SSH_ERR_LIBCRYPTO_ERROR; 3446 goto out; 3447 } 3448 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3449 goto out; 3450 ret = 0; 3451 out: 3452 BN_CTX_free(bnctx); 3453 EC_POINT_free(nq); 3454 return ret; 3455 } 3456 3457 int 3458 sshkey_ec_validate_private(const EC_KEY *key) 3459 { 3460 BN_CTX *bnctx; 3461 BIGNUM *order, *tmp; 3462 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3463 3464 if ((bnctx = BN_CTX_new()) == NULL) 3465 return SSH_ERR_ALLOC_FAIL; 3466 BN_CTX_start(bnctx); 3467 3468 if ((order = BN_CTX_get(bnctx)) == NULL || 3469 (tmp = BN_CTX_get(bnctx)) == NULL) { 3470 ret = SSH_ERR_ALLOC_FAIL; 3471 goto out; 3472 } 3473 3474 /* log2(private) > log2(order)/2 */ 3475 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 3476 ret = SSH_ERR_LIBCRYPTO_ERROR; 3477 goto out; 3478 } 3479 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3480 BN_num_bits(order) / 2) 3481 goto out; 3482 3483 /* private < order - 1 */ 3484 if (!BN_sub(tmp, order, BN_value_one())) { 3485 ret = SSH_ERR_LIBCRYPTO_ERROR; 3486 goto out; 3487 } 3488 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3489 goto out; 3490 ret = 0; 3491 out: 3492 BN_CTX_free(bnctx); 3493 return ret; 3494 } 3495 3496 void 3497 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3498 { 3499 BIGNUM *x, *y; 3500 BN_CTX *bnctx; 3501 3502 if (point == NULL) { 3503 fputs("point=(NULL)\n", stderr); 3504 return; 3505 } 3506 if ((bnctx = BN_CTX_new()) == NULL) { 3507 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 3508 return; 3509 } 3510 BN_CTX_start(bnctx); 3511 if ((x = BN_CTX_get(bnctx)) == NULL || 3512 (y = BN_CTX_get(bnctx)) == NULL) { 3513 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 3514 return; 3515 } 3516 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3517 NID_X9_62_prime_field) { 3518 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3519 return; 3520 } 3521 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 3522 bnctx) != 1) { 3523 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3524 __func__); 3525 return; 3526 } 3527 fputs("x=", stderr); 3528 BN_print_fp(stderr, x); 3529 fputs("\ny=", stderr); 3530 BN_print_fp(stderr, y); 3531 fputs("\n", stderr); 3532 BN_CTX_free(bnctx); 3533 } 3534 3535 void 3536 sshkey_dump_ec_key(const EC_KEY *key) 3537 { 3538 const BIGNUM *exponent; 3539 3540 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3541 EC_KEY_get0_public_key(key)); 3542 fputs("exponent=", stderr); 3543 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3544 fputs("(NULL)", stderr); 3545 else 3546 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3547 fputs("\n", stderr); 3548 } 3549 #endif /* WITH_OPENSSL */ 3550 3551 static int 3552 sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, 3553 const char *passphrase, const char *comment, const char *ciphername, 3554 int rounds) 3555 { 3556 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3557 u_char salt[SALT_LEN]; 3558 char *b64 = NULL; 3559 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3560 u_int check; 3561 int r = SSH_ERR_INTERNAL_ERROR; 3562 struct sshcipher_ctx *ciphercontext = NULL; 3563 const struct sshcipher *cipher; 3564 const char *kdfname = KDFNAME; 3565 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3566 3567 if (rounds <= 0) 3568 rounds = DEFAULT_ROUNDS; 3569 if (passphrase == NULL || !strlen(passphrase)) { 3570 ciphername = "none"; 3571 kdfname = "none"; 3572 } else if (ciphername == NULL) 3573 ciphername = DEFAULT_CIPHERNAME; 3574 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3575 r = SSH_ERR_INVALID_ARGUMENT; 3576 goto out; 3577 } 3578 3579 if ((kdf = sshbuf_new()) == NULL || 3580 (encoded = sshbuf_new()) == NULL || 3581 (encrypted = sshbuf_new()) == NULL) { 3582 r = SSH_ERR_ALLOC_FAIL; 3583 goto out; 3584 } 3585 blocksize = cipher_blocksize(cipher); 3586 keylen = cipher_keylen(cipher); 3587 ivlen = cipher_ivlen(cipher); 3588 authlen = cipher_authlen(cipher); 3589 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3590 r = SSH_ERR_ALLOC_FAIL; 3591 goto out; 3592 } 3593 if (strcmp(kdfname, "bcrypt") == 0) { 3594 arc4random_buf(salt, SALT_LEN); 3595 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3596 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3597 r = SSH_ERR_INVALID_ARGUMENT; 3598 goto out; 3599 } 3600 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3601 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3602 goto out; 3603 } else if (strcmp(kdfname, "none") != 0) { 3604 /* Unsupported KDF type */ 3605 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3606 goto out; 3607 } 3608 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3609 key + keylen, ivlen, 1)) != 0) 3610 goto out; 3611 3612 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3613 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3614 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3615 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3616 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3617 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3618 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3619 goto out; 3620 3621 /* set up the buffer that will be encrypted */ 3622 3623 /* Random check bytes */ 3624 check = arc4random(); 3625 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3626 (r = sshbuf_put_u32(encrypted, check)) != 0) 3627 goto out; 3628 3629 /* append private key and comment*/ 3630 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3631 SSHKEY_SERIALIZE_FULL)) != 0 || 3632 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3633 goto out; 3634 3635 /* padding */ 3636 i = 0; 3637 while (sshbuf_len(encrypted) % blocksize) { 3638 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3639 goto out; 3640 } 3641 3642 /* length in destination buffer */ 3643 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3644 goto out; 3645 3646 /* encrypt */ 3647 if ((r = sshbuf_reserve(encoded, 3648 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3649 goto out; 3650 if ((r = cipher_crypt(ciphercontext, 0, cp, 3651 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3652 goto out; 3653 3654 /* uuencode */ 3655 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3656 r = SSH_ERR_ALLOC_FAIL; 3657 goto out; 3658 } 3659 3660 sshbuf_reset(blob); 3661 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3662 goto out; 3663 for (i = 0; i < strlen(b64); i++) { 3664 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3665 goto out; 3666 /* insert line breaks */ 3667 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3668 goto out; 3669 } 3670 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3671 goto out; 3672 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3673 goto out; 3674 3675 /* success */ 3676 r = 0; 3677 3678 out: 3679 sshbuf_free(kdf); 3680 sshbuf_free(encoded); 3681 sshbuf_free(encrypted); 3682 cipher_free(ciphercontext); 3683 explicit_bzero(salt, sizeof(salt)); 3684 if (key != NULL) { 3685 explicit_bzero(key, keylen + ivlen); 3686 free(key); 3687 } 3688 if (pubkeyblob != NULL) { 3689 explicit_bzero(pubkeyblob, pubkeylen); 3690 free(pubkeyblob); 3691 } 3692 if (b64 != NULL) { 3693 explicit_bzero(b64, strlen(b64)); 3694 free(b64); 3695 } 3696 return r; 3697 } 3698 3699 static int 3700 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3701 struct sshkey **keyp, char **commentp) 3702 { 3703 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3704 const struct sshcipher *cipher = NULL; 3705 const u_char *cp; 3706 int r = SSH_ERR_INTERNAL_ERROR; 3707 size_t encoded_len; 3708 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3709 struct sshbuf *encoded = NULL, *decoded = NULL; 3710 struct sshbuf *kdf = NULL, *decrypted = NULL; 3711 struct sshcipher_ctx *ciphercontext = NULL; 3712 struct sshkey *k = NULL; 3713 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3714 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3715 3716 if (keyp != NULL) 3717 *keyp = NULL; 3718 if (commentp != NULL) 3719 *commentp = NULL; 3720 3721 if ((encoded = sshbuf_new()) == NULL || 3722 (decoded = sshbuf_new()) == NULL || 3723 (decrypted = sshbuf_new()) == NULL) { 3724 r = SSH_ERR_ALLOC_FAIL; 3725 goto out; 3726 } 3727 3728 /* check preamble */ 3729 cp = sshbuf_ptr(blob); 3730 encoded_len = sshbuf_len(blob); 3731 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3732 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3733 r = SSH_ERR_INVALID_FORMAT; 3734 goto out; 3735 } 3736 cp += MARK_BEGIN_LEN; 3737 encoded_len -= MARK_BEGIN_LEN; 3738 3739 /* Look for end marker, removing whitespace as we go */ 3740 while (encoded_len > 0) { 3741 if (*cp != '\n' && *cp != '\r') { 3742 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3743 goto out; 3744 } 3745 last = *cp; 3746 encoded_len--; 3747 cp++; 3748 if (last == '\n') { 3749 if (encoded_len >= MARK_END_LEN && 3750 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3751 /* \0 terminate */ 3752 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3753 goto out; 3754 break; 3755 } 3756 } 3757 } 3758 if (encoded_len == 0) { 3759 r = SSH_ERR_INVALID_FORMAT; 3760 goto out; 3761 } 3762 3763 /* decode base64 */ 3764 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3765 goto out; 3766 3767 /* check magic */ 3768 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3769 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3770 r = SSH_ERR_INVALID_FORMAT; 3771 goto out; 3772 } 3773 /* parse public portion of key */ 3774 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3775 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3776 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3777 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3778 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3779 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3780 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3781 goto out; 3782 3783 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3784 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3785 goto out; 3786 } 3787 if ((passphrase == NULL || strlen(passphrase) == 0) && 3788 strcmp(ciphername, "none") != 0) { 3789 /* passphrase required */ 3790 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3791 goto out; 3792 } 3793 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3794 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3795 goto out; 3796 } 3797 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3798 r = SSH_ERR_INVALID_FORMAT; 3799 goto out; 3800 } 3801 if (nkeys != 1) { 3802 /* XXX only one key supported */ 3803 r = SSH_ERR_INVALID_FORMAT; 3804 goto out; 3805 } 3806 3807 /* check size of encrypted key blob */ 3808 blocksize = cipher_blocksize(cipher); 3809 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3810 r = SSH_ERR_INVALID_FORMAT; 3811 goto out; 3812 } 3813 3814 /* setup key */ 3815 keylen = cipher_keylen(cipher); 3816 ivlen = cipher_ivlen(cipher); 3817 authlen = cipher_authlen(cipher); 3818 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3819 r = SSH_ERR_ALLOC_FAIL; 3820 goto out; 3821 } 3822 if (strcmp(kdfname, "bcrypt") == 0) { 3823 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3824 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3825 goto out; 3826 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3827 key, keylen + ivlen, rounds) < 0) { 3828 r = SSH_ERR_INVALID_FORMAT; 3829 goto out; 3830 } 3831 } 3832 3833 /* check that an appropriate amount of auth data is present */ 3834 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3835 r = SSH_ERR_INVALID_FORMAT; 3836 goto out; 3837 } 3838 3839 /* decrypt private portion of key */ 3840 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3841 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3842 key + keylen, ivlen, 0)) != 0) 3843 goto out; 3844 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3845 encrypted_len, 0, authlen)) != 0) { 3846 /* an integrity error here indicates an incorrect passphrase */ 3847 if (r == SSH_ERR_MAC_INVALID) 3848 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3849 goto out; 3850 } 3851 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3852 goto out; 3853 /* there should be no trailing data */ 3854 if (sshbuf_len(decoded) != 0) { 3855 r = SSH_ERR_INVALID_FORMAT; 3856 goto out; 3857 } 3858 3859 /* check check bytes */ 3860 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3861 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3862 goto out; 3863 if (check1 != check2) { 3864 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3865 goto out; 3866 } 3867 3868 /* Load the private key and comment */ 3869 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3870 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3871 goto out; 3872 3873 /* Check deterministic padding */ 3874 i = 0; 3875 while (sshbuf_len(decrypted)) { 3876 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3877 goto out; 3878 if (pad != (++i & 0xff)) { 3879 r = SSH_ERR_INVALID_FORMAT; 3880 goto out; 3881 } 3882 } 3883 3884 /* XXX decode pubkey and check against private */ 3885 3886 /* success */ 3887 r = 0; 3888 if (keyp != NULL) { 3889 *keyp = k; 3890 k = NULL; 3891 } 3892 if (commentp != NULL) { 3893 *commentp = comment; 3894 comment = NULL; 3895 } 3896 out: 3897 pad = 0; 3898 cipher_free(ciphercontext); 3899 free(ciphername); 3900 free(kdfname); 3901 free(comment); 3902 if (salt != NULL) { 3903 explicit_bzero(salt, slen); 3904 free(salt); 3905 } 3906 if (key != NULL) { 3907 explicit_bzero(key, keylen + ivlen); 3908 free(key); 3909 } 3910 sshbuf_free(encoded); 3911 sshbuf_free(decoded); 3912 sshbuf_free(kdf); 3913 sshbuf_free(decrypted); 3914 sshkey_free(k); 3915 return r; 3916 } 3917 3918 3919 #ifdef WITH_OPENSSL 3920 /* convert SSH v2 key in OpenSSL PEM format */ 3921 static int 3922 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf, 3923 const char *_passphrase, const char *comment) 3924 { 3925 int was_shielded = sshkey_is_shielded(key); 3926 int success, r; 3927 int blen, len = strlen(_passphrase); 3928 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3929 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3930 char *bptr; 3931 BIO *bio = NULL; 3932 struct sshbuf *blob; 3933 3934 if (len > 0 && len <= 4) 3935 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3936 if ((blob = sshbuf_new()) == NULL) 3937 return SSH_ERR_ALLOC_FAIL; 3938 if ((bio = BIO_new(BIO_s_mem())) == NULL) { 3939 sshbuf_free(blob); 3940 return SSH_ERR_ALLOC_FAIL; 3941 } 3942 if ((r = sshkey_unshield_private(key)) != 0) 3943 goto out; 3944 3945 switch (key->type) { 3946 case KEY_DSA: 3947 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3948 cipher, passphrase, len, NULL, NULL); 3949 break; 3950 case KEY_ECDSA: 3951 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3952 cipher, passphrase, len, NULL, NULL); 3953 break; 3954 case KEY_RSA: 3955 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3956 cipher, passphrase, len, NULL, NULL); 3957 break; 3958 default: 3959 success = 0; 3960 break; 3961 } 3962 if (success == 0) { 3963 r = SSH_ERR_LIBCRYPTO_ERROR; 3964 goto out; 3965 } 3966 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3967 r = SSH_ERR_INTERNAL_ERROR; 3968 goto out; 3969 } 3970 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3971 goto out; 3972 r = 0; 3973 out: 3974 if (was_shielded) 3975 r = sshkey_shield_private(key); 3976 if (r == 0) 3977 r = sshbuf_putb(buf, blob); 3978 sshbuf_free(blob); 3979 3980 BIO_free(bio); 3981 return r; 3982 } 3983 #endif /* WITH_OPENSSL */ 3984 3985 /* Serialise "key" to buffer "blob" */ 3986 int 3987 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3988 const char *passphrase, const char *comment, 3989 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3990 { 3991 switch (key->type) { 3992 #ifdef WITH_OPENSSL 3993 case KEY_DSA: 3994 case KEY_ECDSA: 3995 case KEY_RSA: 3996 if (force_new_format) { 3997 return sshkey_private_to_blob2(key, blob, passphrase, 3998 comment, new_format_cipher, new_format_rounds); 3999 } 4000 return sshkey_private_pem_to_blob(key, blob, 4001 passphrase, comment); 4002 #endif /* WITH_OPENSSL */ 4003 case KEY_ED25519: 4004 #ifdef WITH_XMSS 4005 case KEY_XMSS: 4006 #endif /* WITH_XMSS */ 4007 return sshkey_private_to_blob2(key, blob, passphrase, 4008 comment, new_format_cipher, new_format_rounds); 4009 default: 4010 return SSH_ERR_KEY_TYPE_UNKNOWN; 4011 } 4012 } 4013 4014 4015 #ifdef WITH_OPENSSL 4016 static int 4017 translate_libcrypto_error(unsigned long pem_err) 4018 { 4019 int pem_reason = ERR_GET_REASON(pem_err); 4020 4021 switch (ERR_GET_LIB(pem_err)) { 4022 case ERR_LIB_PEM: 4023 switch (pem_reason) { 4024 case PEM_R_BAD_PASSWORD_READ: 4025 case PEM_R_PROBLEMS_GETTING_PASSWORD: 4026 case PEM_R_BAD_DECRYPT: 4027 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4028 default: 4029 return SSH_ERR_INVALID_FORMAT; 4030 } 4031 case ERR_LIB_EVP: 4032 switch (pem_reason) { 4033 case EVP_R_BAD_DECRYPT: 4034 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4035 #ifdef EVP_R_BN_DECODE_ERROR 4036 case EVP_R_BN_DECODE_ERROR: 4037 #endif 4038 case EVP_R_DECODE_ERROR: 4039 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 4040 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 4041 #endif 4042 return SSH_ERR_INVALID_FORMAT; 4043 default: 4044 return SSH_ERR_LIBCRYPTO_ERROR; 4045 } 4046 case ERR_LIB_ASN1: 4047 return SSH_ERR_INVALID_FORMAT; 4048 } 4049 return SSH_ERR_LIBCRYPTO_ERROR; 4050 } 4051 4052 static void 4053 clear_libcrypto_errors(void) 4054 { 4055 while (ERR_get_error() != 0) 4056 ; 4057 } 4058 4059 /* 4060 * Translate OpenSSL error codes to determine whether 4061 * passphrase is required/incorrect. 4062 */ 4063 static int 4064 convert_libcrypto_error(void) 4065 { 4066 /* 4067 * Some password errors are reported at the beginning 4068 * of the error queue. 4069 */ 4070 if (translate_libcrypto_error(ERR_peek_error()) == 4071 SSH_ERR_KEY_WRONG_PASSPHRASE) 4072 return SSH_ERR_KEY_WRONG_PASSPHRASE; 4073 return translate_libcrypto_error(ERR_peek_last_error()); 4074 } 4075 4076 static int 4077 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 4078 const char *passphrase, struct sshkey **keyp) 4079 { 4080 EVP_PKEY *pk = NULL; 4081 struct sshkey *prv = NULL; 4082 BIO *bio = NULL; 4083 int r; 4084 4085 if (keyp != NULL) 4086 *keyp = NULL; 4087 4088 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 4089 return SSH_ERR_ALLOC_FAIL; 4090 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 4091 (int)sshbuf_len(blob)) { 4092 r = SSH_ERR_ALLOC_FAIL; 4093 goto out; 4094 } 4095 4096 clear_libcrypto_errors(); 4097 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 4098 (char *)passphrase)) == NULL) { 4099 /* 4100 * libcrypto may return various ASN.1 errors when attempting 4101 * to parse a key with an incorrect passphrase. 4102 * Treat all format errors as "incorrect passphrase" if a 4103 * passphrase was supplied. 4104 */ 4105 if (passphrase != NULL && *passphrase != '\0') 4106 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 4107 else 4108 r = convert_libcrypto_error(); 4109 goto out; 4110 } 4111 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 4112 (type == KEY_UNSPEC || type == KEY_RSA)) { 4113 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4114 r = SSH_ERR_ALLOC_FAIL; 4115 goto out; 4116 } 4117 prv->rsa = EVP_PKEY_get1_RSA(pk); 4118 prv->type = KEY_RSA; 4119 #ifdef DEBUG_PK 4120 RSA_print_fp(stderr, prv->rsa, 8); 4121 #endif 4122 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 4123 r = SSH_ERR_LIBCRYPTO_ERROR; 4124 goto out; 4125 } 4126 if ((r = check_rsa_length(prv->rsa)) != 0) 4127 goto out; 4128 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 4129 (type == KEY_UNSPEC || type == KEY_DSA)) { 4130 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4131 r = SSH_ERR_ALLOC_FAIL; 4132 goto out; 4133 } 4134 prv->dsa = EVP_PKEY_get1_DSA(pk); 4135 prv->type = KEY_DSA; 4136 #ifdef DEBUG_PK 4137 DSA_print_fp(stderr, prv->dsa, 8); 4138 #endif 4139 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 4140 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 4141 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 4142 r = SSH_ERR_ALLOC_FAIL; 4143 goto out; 4144 } 4145 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 4146 prv->type = KEY_ECDSA; 4147 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 4148 if (prv->ecdsa_nid == -1 || 4149 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 4150 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 4151 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 4152 sshkey_ec_validate_private(prv->ecdsa) != 0) { 4153 r = SSH_ERR_INVALID_FORMAT; 4154 goto out; 4155 } 4156 #ifdef DEBUG_PK 4157 if (prv != NULL && prv->ecdsa != NULL) 4158 sshkey_dump_ec_key(prv->ecdsa); 4159 #endif 4160 } else { 4161 r = SSH_ERR_INVALID_FORMAT; 4162 goto out; 4163 } 4164 r = 0; 4165 if (keyp != NULL) { 4166 *keyp = prv; 4167 prv = NULL; 4168 } 4169 out: 4170 BIO_free(bio); 4171 EVP_PKEY_free(pk); 4172 sshkey_free(prv); 4173 return r; 4174 } 4175 #endif /* WITH_OPENSSL */ 4176 4177 int 4178 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 4179 const char *passphrase, struct sshkey **keyp, char **commentp) 4180 { 4181 int r = SSH_ERR_INTERNAL_ERROR; 4182 4183 if (keyp != NULL) 4184 *keyp = NULL; 4185 if (commentp != NULL) 4186 *commentp = NULL; 4187 4188 switch (type) { 4189 #ifdef WITH_OPENSSL 4190 case KEY_DSA: 4191 case KEY_ECDSA: 4192 case KEY_RSA: 4193 return sshkey_parse_private_pem_fileblob(blob, type, 4194 passphrase, keyp); 4195 #endif /* WITH_OPENSSL */ 4196 case KEY_ED25519: 4197 #ifdef WITH_XMSS 4198 case KEY_XMSS: 4199 #endif /* WITH_XMSS */ 4200 return sshkey_parse_private2(blob, type, passphrase, 4201 keyp, commentp); 4202 case KEY_UNSPEC: 4203 r = sshkey_parse_private2(blob, type, passphrase, keyp, 4204 commentp); 4205 /* Do not fallback to PEM parser if only passphrase is wrong. */ 4206 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 4207 return r; 4208 #ifdef WITH_OPENSSL 4209 return sshkey_parse_private_pem_fileblob(blob, type, 4210 passphrase, keyp); 4211 #else 4212 return SSH_ERR_INVALID_FORMAT; 4213 #endif /* WITH_OPENSSL */ 4214 default: 4215 return SSH_ERR_KEY_TYPE_UNKNOWN; 4216 } 4217 } 4218 4219 int 4220 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 4221 struct sshkey **keyp, char **commentp) 4222 { 4223 if (keyp != NULL) 4224 *keyp = NULL; 4225 if (commentp != NULL) 4226 *commentp = NULL; 4227 4228 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 4229 passphrase, keyp, commentp); 4230 } 4231 4232 #ifdef WITH_XMSS 4233 /* 4234 * serialize the key with the current state and forward the state 4235 * maxsign times. 4236 */ 4237 int 4238 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4239 u_int32_t maxsign, sshkey_printfn *pr) 4240 { 4241 int r, rupdate; 4242 4243 if (maxsign == 0 || 4244 sshkey_type_plain(k->type) != KEY_XMSS) 4245 return sshkey_private_serialize_opt(k, b, 4246 SSHKEY_SERIALIZE_DEFAULT); 4247 if ((r = sshkey_xmss_get_state(k, pr)) != 0 || 4248 (r = sshkey_private_serialize_opt(k, b, 4249 SSHKEY_SERIALIZE_STATE)) != 0 || 4250 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 4251 goto out; 4252 r = 0; 4253 out: 4254 if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) { 4255 if (r == 0) 4256 r = rupdate; 4257 } 4258 return r; 4259 } 4260 4261 u_int32_t 4262 sshkey_signatures_left(const struct sshkey *k) 4263 { 4264 if (sshkey_type_plain(k->type) == KEY_XMSS) 4265 return sshkey_xmss_signatures_left(k); 4266 return 0; 4267 } 4268 4269 int 4270 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4271 { 4272 if (sshkey_type_plain(k->type) != KEY_XMSS) 4273 return SSH_ERR_INVALID_ARGUMENT; 4274 return sshkey_xmss_enable_maxsign(k, maxsign); 4275 } 4276 4277 int 4278 sshkey_set_filename(struct sshkey *k, const char *filename) 4279 { 4280 if (k == NULL) 4281 return SSH_ERR_INVALID_ARGUMENT; 4282 if (sshkey_type_plain(k->type) != KEY_XMSS) 4283 return 0; 4284 if (filename == NULL) 4285 return SSH_ERR_INVALID_ARGUMENT; 4286 if ((k->xmss_filename = strdup(filename)) == NULL) 4287 return SSH_ERR_ALLOC_FAIL; 4288 return 0; 4289 } 4290 #else 4291 int 4292 sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, 4293 u_int32_t maxsign, sshkey_printfn *pr) 4294 { 4295 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4296 } 4297 4298 u_int32_t 4299 sshkey_signatures_left(const struct sshkey *k) 4300 { 4301 return 0; 4302 } 4303 4304 int 4305 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4306 { 4307 return SSH_ERR_INVALID_ARGUMENT; 4308 } 4309 4310 int 4311 sshkey_set_filename(struct sshkey *k, const char *filename) 4312 { 4313 if (k == NULL) 4314 return SSH_ERR_INVALID_ARGUMENT; 4315 return 0; 4316 } 4317 #endif /* WITH_XMSS */ 4318