1 /* $OpenBSD: sshkey.c,v 1.59 2017/12/18 02:25:15 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <netinet/in.h> 30 31 #ifdef WITH_OPENSSL 32 #include <openssl/evp.h> 33 #include <openssl/err.h> 34 #include <openssl/pem.h> 35 #endif 36 37 #include "crypto_api.h" 38 39 #include <errno.h> 40 #include <stdio.h> 41 #include <string.h> 42 #include <util.h> 43 #include <limits.h> 44 #include <resolv.h> 45 46 #include "ssh2.h" 47 #include "ssherr.h" 48 #include "misc.h" 49 #include "sshbuf.h" 50 #include "cipher.h" 51 #include "digest.h" 52 #define SSHKEY_INTERNAL 53 #include "sshkey.h" 54 #include "match.h" 55 56 /* openssh private key file format */ 57 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 58 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 59 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 60 #define MARK_END_LEN (sizeof(MARK_END) - 1) 61 #define KDFNAME "bcrypt" 62 #define AUTH_MAGIC "openssh-key-v1" 63 #define SALT_LEN 16 64 #define DEFAULT_CIPHERNAME "aes256-ctr" 65 #define DEFAULT_ROUNDS 16 66 67 /* Version identification string for SSH v1 identity files. */ 68 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 69 70 static int sshkey_from_blob_internal(struct sshbuf *buf, 71 struct sshkey **keyp, int allow_cert); 72 73 /* Supported key types */ 74 struct keytype { 75 const char *name; 76 const char *shortname; 77 int type; 78 int nid; 79 int cert; 80 int sigonly; 81 }; 82 static const struct keytype keytypes[] = { 83 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, 84 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 85 KEY_ED25519_CERT, 0, 1, 0 }, 86 #ifdef WITH_OPENSSL 87 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, 88 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, 89 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, 90 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, 91 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 92 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, 93 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, 94 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, 95 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, 96 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 97 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 98 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 99 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 100 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 101 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 102 #endif /* WITH_OPENSSL */ 103 { NULL, NULL, -1, -1, 0, 0 } 104 }; 105 106 const char * 107 sshkey_type(const struct sshkey *k) 108 { 109 const struct keytype *kt; 110 111 for (kt = keytypes; kt->type != -1; kt++) { 112 if (kt->type == k->type) 113 return kt->shortname; 114 } 115 return "unknown"; 116 } 117 118 static const char * 119 sshkey_ssh_name_from_type_nid(int type, int nid) 120 { 121 const struct keytype *kt; 122 123 for (kt = keytypes; kt->type != -1; kt++) { 124 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 125 return kt->name; 126 } 127 return "ssh-unknown"; 128 } 129 130 int 131 sshkey_type_is_cert(int type) 132 { 133 const struct keytype *kt; 134 135 for (kt = keytypes; kt->type != -1; kt++) { 136 if (kt->type == type) 137 return kt->cert; 138 } 139 return 0; 140 } 141 142 const char * 143 sshkey_ssh_name(const struct sshkey *k) 144 { 145 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 146 } 147 148 const char * 149 sshkey_ssh_name_plain(const struct sshkey *k) 150 { 151 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 152 k->ecdsa_nid); 153 } 154 155 int 156 sshkey_type_from_name(const char *name) 157 { 158 const struct keytype *kt; 159 160 for (kt = keytypes; kt->type != -1; kt++) { 161 /* Only allow shortname matches for plain key types */ 162 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 163 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 164 return kt->type; 165 } 166 return KEY_UNSPEC; 167 } 168 169 int 170 sshkey_ecdsa_nid_from_name(const char *name) 171 { 172 const struct keytype *kt; 173 174 for (kt = keytypes; kt->type != -1; kt++) { 175 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 176 continue; 177 if (kt->name != NULL && strcmp(name, kt->name) == 0) 178 return kt->nid; 179 } 180 return -1; 181 } 182 183 char * 184 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 185 { 186 char *tmp, *ret = NULL; 187 size_t nlen, rlen = 0; 188 const struct keytype *kt; 189 190 for (kt = keytypes; kt->type != -1; kt++) { 191 if (kt->name == NULL) 192 continue; 193 if (!include_sigonly && kt->sigonly) 194 continue; 195 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 196 continue; 197 if (ret != NULL) 198 ret[rlen++] = sep; 199 nlen = strlen(kt->name); 200 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 201 free(ret); 202 return NULL; 203 } 204 ret = tmp; 205 memcpy(ret + rlen, kt->name, nlen + 1); 206 rlen += nlen; 207 } 208 return ret; 209 } 210 211 int 212 sshkey_names_valid2(const char *names, int allow_wildcard) 213 { 214 char *s, *cp, *p; 215 const struct keytype *kt; 216 int type; 217 218 if (names == NULL || strcmp(names, "") == 0) 219 return 0; 220 if ((s = cp = strdup(names)) == NULL) 221 return 0; 222 for ((p = strsep(&cp, ",")); p && *p != '\0'; 223 (p = strsep(&cp, ","))) { 224 type = sshkey_type_from_name(p); 225 if (type == KEY_UNSPEC) { 226 if (allow_wildcard) { 227 /* 228 * Try matching key types against the string. 229 * If any has a positive or negative match then 230 * the component is accepted. 231 */ 232 for (kt = keytypes; kt->type != -1; kt++) { 233 if (match_pattern_list(kt->name, 234 p, 0) != 0) 235 break; 236 } 237 if (kt->type != -1) 238 continue; 239 } 240 free(s); 241 return 0; 242 } 243 } 244 free(s); 245 return 1; 246 } 247 248 u_int 249 sshkey_size(const struct sshkey *k) 250 { 251 switch (k->type) { 252 #ifdef WITH_OPENSSL 253 case KEY_RSA: 254 case KEY_RSA_CERT: 255 return BN_num_bits(k->rsa->n); 256 case KEY_DSA: 257 case KEY_DSA_CERT: 258 return BN_num_bits(k->dsa->p); 259 case KEY_ECDSA: 260 case KEY_ECDSA_CERT: 261 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 262 #endif /* WITH_OPENSSL */ 263 case KEY_ED25519: 264 case KEY_ED25519_CERT: 265 return 256; /* XXX */ 266 } 267 return 0; 268 } 269 270 static int 271 sshkey_type_is_valid_ca(int type) 272 { 273 switch (type) { 274 case KEY_RSA: 275 case KEY_DSA: 276 case KEY_ECDSA: 277 case KEY_ED25519: 278 return 1; 279 default: 280 return 0; 281 } 282 } 283 284 int 285 sshkey_is_cert(const struct sshkey *k) 286 { 287 if (k == NULL) 288 return 0; 289 return sshkey_type_is_cert(k->type); 290 } 291 292 /* Return the cert-less equivalent to a certified key type */ 293 int 294 sshkey_type_plain(int type) 295 { 296 switch (type) { 297 case KEY_RSA_CERT: 298 return KEY_RSA; 299 case KEY_DSA_CERT: 300 return KEY_DSA; 301 case KEY_ECDSA_CERT: 302 return KEY_ECDSA; 303 case KEY_ED25519_CERT: 304 return KEY_ED25519; 305 default: 306 return type; 307 } 308 } 309 310 #ifdef WITH_OPENSSL 311 /* XXX: these are really begging for a table-driven approach */ 312 int 313 sshkey_curve_name_to_nid(const char *name) 314 { 315 if (strcmp(name, "nistp256") == 0) 316 return NID_X9_62_prime256v1; 317 else if (strcmp(name, "nistp384") == 0) 318 return NID_secp384r1; 319 else if (strcmp(name, "nistp521") == 0) 320 return NID_secp521r1; 321 else 322 return -1; 323 } 324 325 u_int 326 sshkey_curve_nid_to_bits(int nid) 327 { 328 switch (nid) { 329 case NID_X9_62_prime256v1: 330 return 256; 331 case NID_secp384r1: 332 return 384; 333 case NID_secp521r1: 334 return 521; 335 default: 336 return 0; 337 } 338 } 339 340 int 341 sshkey_ecdsa_bits_to_nid(int bits) 342 { 343 switch (bits) { 344 case 256: 345 return NID_X9_62_prime256v1; 346 case 384: 347 return NID_secp384r1; 348 case 521: 349 return NID_secp521r1; 350 default: 351 return -1; 352 } 353 } 354 355 const char * 356 sshkey_curve_nid_to_name(int nid) 357 { 358 switch (nid) { 359 case NID_X9_62_prime256v1: 360 return "nistp256"; 361 case NID_secp384r1: 362 return "nistp384"; 363 case NID_secp521r1: 364 return "nistp521"; 365 default: 366 return NULL; 367 } 368 } 369 370 int 371 sshkey_ec_nid_to_hash_alg(int nid) 372 { 373 int kbits = sshkey_curve_nid_to_bits(nid); 374 375 if (kbits <= 0) 376 return -1; 377 378 /* RFC5656 section 6.2.1 */ 379 if (kbits <= 256) 380 return SSH_DIGEST_SHA256; 381 else if (kbits <= 384) 382 return SSH_DIGEST_SHA384; 383 else 384 return SSH_DIGEST_SHA512; 385 } 386 #endif /* WITH_OPENSSL */ 387 388 static void 389 cert_free(struct sshkey_cert *cert) 390 { 391 u_int i; 392 393 if (cert == NULL) 394 return; 395 sshbuf_free(cert->certblob); 396 sshbuf_free(cert->critical); 397 sshbuf_free(cert->extensions); 398 free(cert->key_id); 399 for (i = 0; i < cert->nprincipals; i++) 400 free(cert->principals[i]); 401 free(cert->principals); 402 sshkey_free(cert->signature_key); 403 explicit_bzero(cert, sizeof(*cert)); 404 free(cert); 405 } 406 407 static struct sshkey_cert * 408 cert_new(void) 409 { 410 struct sshkey_cert *cert; 411 412 if ((cert = calloc(1, sizeof(*cert))) == NULL) 413 return NULL; 414 if ((cert->certblob = sshbuf_new()) == NULL || 415 (cert->critical = sshbuf_new()) == NULL || 416 (cert->extensions = sshbuf_new()) == NULL) { 417 cert_free(cert); 418 return NULL; 419 } 420 cert->key_id = NULL; 421 cert->principals = NULL; 422 cert->signature_key = NULL; 423 return cert; 424 } 425 426 struct sshkey * 427 sshkey_new(int type) 428 { 429 struct sshkey *k; 430 #ifdef WITH_OPENSSL 431 RSA *rsa; 432 DSA *dsa; 433 #endif /* WITH_OPENSSL */ 434 435 if ((k = calloc(1, sizeof(*k))) == NULL) 436 return NULL; 437 k->type = type; 438 k->ecdsa = NULL; 439 k->ecdsa_nid = -1; 440 k->dsa = NULL; 441 k->rsa = NULL; 442 k->cert = NULL; 443 k->ed25519_sk = NULL; 444 k->ed25519_pk = NULL; 445 switch (k->type) { 446 #ifdef WITH_OPENSSL 447 case KEY_RSA: 448 case KEY_RSA_CERT: 449 if ((rsa = RSA_new()) == NULL || 450 (rsa->n = BN_new()) == NULL || 451 (rsa->e = BN_new()) == NULL) { 452 if (rsa != NULL) 453 RSA_free(rsa); 454 free(k); 455 return NULL; 456 } 457 k->rsa = rsa; 458 break; 459 case KEY_DSA: 460 case KEY_DSA_CERT: 461 if ((dsa = DSA_new()) == NULL || 462 (dsa->p = BN_new()) == NULL || 463 (dsa->q = BN_new()) == NULL || 464 (dsa->g = BN_new()) == NULL || 465 (dsa->pub_key = BN_new()) == NULL) { 466 if (dsa != NULL) 467 DSA_free(dsa); 468 free(k); 469 return NULL; 470 } 471 k->dsa = dsa; 472 break; 473 case KEY_ECDSA: 474 case KEY_ECDSA_CERT: 475 /* Cannot do anything until we know the group */ 476 break; 477 #endif /* WITH_OPENSSL */ 478 case KEY_ED25519: 479 case KEY_ED25519_CERT: 480 /* no need to prealloc */ 481 break; 482 case KEY_UNSPEC: 483 break; 484 default: 485 free(k); 486 return NULL; 487 } 488 489 if (sshkey_is_cert(k)) { 490 if ((k->cert = cert_new()) == NULL) { 491 sshkey_free(k); 492 return NULL; 493 } 494 } 495 496 return k; 497 } 498 499 int 500 sshkey_add_private(struct sshkey *k) 501 { 502 switch (k->type) { 503 #ifdef WITH_OPENSSL 504 case KEY_RSA: 505 case KEY_RSA_CERT: 506 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 507 if (bn_maybe_alloc_failed(k->rsa->d) || 508 bn_maybe_alloc_failed(k->rsa->iqmp) || 509 bn_maybe_alloc_failed(k->rsa->q) || 510 bn_maybe_alloc_failed(k->rsa->p) || 511 bn_maybe_alloc_failed(k->rsa->dmq1) || 512 bn_maybe_alloc_failed(k->rsa->dmp1)) 513 return SSH_ERR_ALLOC_FAIL; 514 break; 515 case KEY_DSA: 516 case KEY_DSA_CERT: 517 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 518 return SSH_ERR_ALLOC_FAIL; 519 break; 520 #undef bn_maybe_alloc_failed 521 case KEY_ECDSA: 522 case KEY_ECDSA_CERT: 523 /* Cannot do anything until we know the group */ 524 break; 525 #endif /* WITH_OPENSSL */ 526 case KEY_ED25519: 527 case KEY_ED25519_CERT: 528 /* no need to prealloc */ 529 break; 530 case KEY_UNSPEC: 531 break; 532 default: 533 return SSH_ERR_INVALID_ARGUMENT; 534 } 535 return 0; 536 } 537 538 struct sshkey * 539 sshkey_new_private(int type) 540 { 541 struct sshkey *k = sshkey_new(type); 542 543 if (k == NULL) 544 return NULL; 545 if (sshkey_add_private(k) != 0) { 546 sshkey_free(k); 547 return NULL; 548 } 549 return k; 550 } 551 552 void 553 sshkey_free(struct sshkey *k) 554 { 555 if (k == NULL) 556 return; 557 switch (k->type) { 558 #ifdef WITH_OPENSSL 559 case KEY_RSA: 560 case KEY_RSA_CERT: 561 if (k->rsa != NULL) 562 RSA_free(k->rsa); 563 k->rsa = NULL; 564 break; 565 case KEY_DSA: 566 case KEY_DSA_CERT: 567 if (k->dsa != NULL) 568 DSA_free(k->dsa); 569 k->dsa = NULL; 570 break; 571 case KEY_ECDSA: 572 case KEY_ECDSA_CERT: 573 if (k->ecdsa != NULL) 574 EC_KEY_free(k->ecdsa); 575 k->ecdsa = NULL; 576 break; 577 #endif /* WITH_OPENSSL */ 578 case KEY_ED25519: 579 case KEY_ED25519_CERT: 580 if (k->ed25519_pk) { 581 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 582 free(k->ed25519_pk); 583 k->ed25519_pk = NULL; 584 } 585 if (k->ed25519_sk) { 586 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 587 free(k->ed25519_sk); 588 k->ed25519_sk = NULL; 589 } 590 break; 591 case KEY_UNSPEC: 592 break; 593 default: 594 break; 595 } 596 if (sshkey_is_cert(k)) 597 cert_free(k->cert); 598 explicit_bzero(k, sizeof(*k)); 599 free(k); 600 } 601 602 static int 603 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 604 { 605 if (a == NULL && b == NULL) 606 return 1; 607 if (a == NULL || b == NULL) 608 return 0; 609 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 610 return 0; 611 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 612 sshbuf_len(a->certblob)) != 0) 613 return 0; 614 return 1; 615 } 616 617 /* 618 * Compare public portions of key only, allowing comparisons between 619 * certificates and plain keys too. 620 */ 621 int 622 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 623 { 624 #ifdef WITH_OPENSSL 625 BN_CTX *bnctx; 626 #endif /* WITH_OPENSSL */ 627 628 if (a == NULL || b == NULL || 629 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 630 return 0; 631 632 switch (a->type) { 633 #ifdef WITH_OPENSSL 634 case KEY_RSA_CERT: 635 case KEY_RSA: 636 return a->rsa != NULL && b->rsa != NULL && 637 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 638 BN_cmp(a->rsa->n, b->rsa->n) == 0; 639 case KEY_DSA_CERT: 640 case KEY_DSA: 641 return a->dsa != NULL && b->dsa != NULL && 642 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 643 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 644 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 645 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 646 case KEY_ECDSA_CERT: 647 case KEY_ECDSA: 648 if (a->ecdsa == NULL || b->ecdsa == NULL || 649 EC_KEY_get0_public_key(a->ecdsa) == NULL || 650 EC_KEY_get0_public_key(b->ecdsa) == NULL) 651 return 0; 652 if ((bnctx = BN_CTX_new()) == NULL) 653 return 0; 654 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 655 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 656 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 657 EC_KEY_get0_public_key(a->ecdsa), 658 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 659 BN_CTX_free(bnctx); 660 return 0; 661 } 662 BN_CTX_free(bnctx); 663 return 1; 664 #endif /* WITH_OPENSSL */ 665 case KEY_ED25519: 666 case KEY_ED25519_CERT: 667 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 668 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 669 default: 670 return 0; 671 } 672 /* NOTREACHED */ 673 } 674 675 int 676 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 677 { 678 if (a == NULL || b == NULL || a->type != b->type) 679 return 0; 680 if (sshkey_is_cert(a)) { 681 if (!cert_compare(a->cert, b->cert)) 682 return 0; 683 } 684 return sshkey_equal_public(a, b); 685 } 686 687 static int 688 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 689 { 690 int type, ret = SSH_ERR_INTERNAL_ERROR; 691 const char *typename; 692 693 if (key == NULL) 694 return SSH_ERR_INVALID_ARGUMENT; 695 696 if (sshkey_is_cert(key)) { 697 if (key->cert == NULL) 698 return SSH_ERR_EXPECTED_CERT; 699 if (sshbuf_len(key->cert->certblob) == 0) 700 return SSH_ERR_KEY_LACKS_CERTBLOB; 701 } 702 type = force_plain ? sshkey_type_plain(key->type) : key->type; 703 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 704 705 switch (type) { 706 #ifdef WITH_OPENSSL 707 case KEY_DSA_CERT: 708 case KEY_ECDSA_CERT: 709 case KEY_RSA_CERT: 710 #endif /* WITH_OPENSSL */ 711 case KEY_ED25519_CERT: 712 /* Use the existing blob */ 713 /* XXX modified flag? */ 714 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 715 return ret; 716 break; 717 #ifdef WITH_OPENSSL 718 case KEY_DSA: 719 if (key->dsa == NULL) 720 return SSH_ERR_INVALID_ARGUMENT; 721 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 722 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 723 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 724 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 725 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 726 return ret; 727 break; 728 case KEY_ECDSA: 729 if (key->ecdsa == NULL) 730 return SSH_ERR_INVALID_ARGUMENT; 731 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 732 (ret = sshbuf_put_cstring(b, 733 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 734 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 735 return ret; 736 break; 737 case KEY_RSA: 738 if (key->rsa == NULL) 739 return SSH_ERR_INVALID_ARGUMENT; 740 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 741 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 742 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 743 return ret; 744 break; 745 #endif /* WITH_OPENSSL */ 746 case KEY_ED25519: 747 if (key->ed25519_pk == NULL) 748 return SSH_ERR_INVALID_ARGUMENT; 749 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 750 (ret = sshbuf_put_string(b, 751 key->ed25519_pk, ED25519_PK_SZ)) != 0) 752 return ret; 753 break; 754 default: 755 return SSH_ERR_KEY_TYPE_UNKNOWN; 756 } 757 return 0; 758 } 759 760 int 761 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 762 { 763 return to_blob_buf(key, b, 0); 764 } 765 766 int 767 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 768 { 769 struct sshbuf *tmp; 770 int r; 771 772 if ((tmp = sshbuf_new()) == NULL) 773 return SSH_ERR_ALLOC_FAIL; 774 r = to_blob_buf(key, tmp, 0); 775 if (r == 0) 776 r = sshbuf_put_stringb(b, tmp); 777 sshbuf_free(tmp); 778 return r; 779 } 780 781 int 782 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 783 { 784 return to_blob_buf(key, b, 1); 785 } 786 787 static int 788 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 789 { 790 int ret = SSH_ERR_INTERNAL_ERROR; 791 size_t len; 792 struct sshbuf *b = NULL; 793 794 if (lenp != NULL) 795 *lenp = 0; 796 if (blobp != NULL) 797 *blobp = NULL; 798 if ((b = sshbuf_new()) == NULL) 799 return SSH_ERR_ALLOC_FAIL; 800 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 801 goto out; 802 len = sshbuf_len(b); 803 if (lenp != NULL) 804 *lenp = len; 805 if (blobp != NULL) { 806 if ((*blobp = malloc(len)) == NULL) { 807 ret = SSH_ERR_ALLOC_FAIL; 808 goto out; 809 } 810 memcpy(*blobp, sshbuf_ptr(b), len); 811 } 812 ret = 0; 813 out: 814 sshbuf_free(b); 815 return ret; 816 } 817 818 int 819 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 820 { 821 return to_blob(key, blobp, lenp, 0); 822 } 823 824 int 825 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 826 { 827 return to_blob(key, blobp, lenp, 1); 828 } 829 830 int 831 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 832 u_char **retp, size_t *lenp) 833 { 834 u_char *blob = NULL, *ret = NULL; 835 size_t blob_len = 0; 836 int r = SSH_ERR_INTERNAL_ERROR; 837 838 if (retp != NULL) 839 *retp = NULL; 840 if (lenp != NULL) 841 *lenp = 0; 842 if (ssh_digest_bytes(dgst_alg) == 0) { 843 r = SSH_ERR_INVALID_ARGUMENT; 844 goto out; 845 } 846 if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 847 goto out; 848 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 849 r = SSH_ERR_ALLOC_FAIL; 850 goto out; 851 } 852 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 853 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 854 goto out; 855 /* success */ 856 if (retp != NULL) { 857 *retp = ret; 858 ret = NULL; 859 } 860 if (lenp != NULL) 861 *lenp = ssh_digest_bytes(dgst_alg); 862 r = 0; 863 out: 864 free(ret); 865 if (blob != NULL) { 866 explicit_bzero(blob, blob_len); 867 free(blob); 868 } 869 return r; 870 } 871 872 static char * 873 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 874 { 875 char *ret; 876 size_t plen = strlen(alg) + 1; 877 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 878 int r; 879 880 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 881 return NULL; 882 strlcpy(ret, alg, rlen); 883 strlcat(ret, ":", rlen); 884 if (dgst_raw_len == 0) 885 return ret; 886 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 887 ret + plen, rlen - plen)) == -1) { 888 explicit_bzero(ret, rlen); 889 free(ret); 890 return NULL; 891 } 892 /* Trim padding characters from end */ 893 ret[strcspn(ret, "=")] = '\0'; 894 return ret; 895 } 896 897 static char * 898 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 899 { 900 char *retval, hex[5]; 901 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 902 903 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 904 return NULL; 905 strlcpy(retval, alg, rlen); 906 strlcat(retval, ":", rlen); 907 for (i = 0; i < dgst_raw_len; i++) { 908 snprintf(hex, sizeof(hex), "%s%02x", 909 i > 0 ? ":" : "", dgst_raw[i]); 910 strlcat(retval, hex, rlen); 911 } 912 return retval; 913 } 914 915 static char * 916 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 917 { 918 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 919 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 920 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 921 u_int i, j = 0, rounds, seed = 1; 922 char *retval; 923 924 rounds = (dgst_raw_len / 2) + 1; 925 if ((retval = calloc(rounds, 6)) == NULL) 926 return NULL; 927 retval[j++] = 'x'; 928 for (i = 0; i < rounds; i++) { 929 u_int idx0, idx1, idx2, idx3, idx4; 930 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 931 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 932 seed) % 6; 933 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 934 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 935 (seed / 6)) % 6; 936 retval[j++] = vowels[idx0]; 937 retval[j++] = consonants[idx1]; 938 retval[j++] = vowels[idx2]; 939 if ((i + 1) < rounds) { 940 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 941 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 942 retval[j++] = consonants[idx3]; 943 retval[j++] = '-'; 944 retval[j++] = consonants[idx4]; 945 seed = ((seed * 5) + 946 ((((u_int)(dgst_raw[2 * i])) * 7) + 947 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 948 } 949 } else { 950 idx0 = seed % 6; 951 idx1 = 16; 952 idx2 = seed / 6; 953 retval[j++] = vowels[idx0]; 954 retval[j++] = consonants[idx1]; 955 retval[j++] = vowels[idx2]; 956 } 957 } 958 retval[j++] = 'x'; 959 retval[j++] = '\0'; 960 return retval; 961 } 962 963 /* 964 * Draw an ASCII-Art representing the fingerprint so human brain can 965 * profit from its built-in pattern recognition ability. 966 * This technique is called "random art" and can be found in some 967 * scientific publications like this original paper: 968 * 969 * "Hash Visualization: a New Technique to improve Real-World Security", 970 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 971 * Techniques and E-Commerce (CrypTEC '99) 972 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 973 * 974 * The subject came up in a talk by Dan Kaminsky, too. 975 * 976 * If you see the picture is different, the key is different. 977 * If the picture looks the same, you still know nothing. 978 * 979 * The algorithm used here is a worm crawling over a discrete plane, 980 * leaving a trace (augmenting the field) everywhere it goes. 981 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 982 * makes the respective movement vector be ignored for this turn. 983 * Graphs are not unambiguous, because circles in graphs can be 984 * walked in either direction. 985 */ 986 987 /* 988 * Field sizes for the random art. Have to be odd, so the starting point 989 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 990 * Else pictures would be too dense, and drawing the frame would 991 * fail, too, because the key type would not fit in anymore. 992 */ 993 #define FLDBASE 8 994 #define FLDSIZE_Y (FLDBASE + 1) 995 #define FLDSIZE_X (FLDBASE * 2 + 1) 996 static char * 997 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 998 const struct sshkey *k) 999 { 1000 /* 1001 * Chars to be used after each other every time the worm 1002 * intersects with itself. Matter of taste. 1003 */ 1004 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1005 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1006 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1007 size_t i, tlen, hlen; 1008 u_int b; 1009 int x, y, r; 1010 size_t len = strlen(augmentation_string) - 1; 1011 1012 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1013 return NULL; 1014 1015 /* initialize field */ 1016 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1017 x = FLDSIZE_X / 2; 1018 y = FLDSIZE_Y / 2; 1019 1020 /* process raw key */ 1021 for (i = 0; i < dgst_raw_len; i++) { 1022 int input; 1023 /* each byte conveys four 2-bit move commands */ 1024 input = dgst_raw[i]; 1025 for (b = 0; b < 4; b++) { 1026 /* evaluate 2 bit, rest is shifted later */ 1027 x += (input & 0x1) ? 1 : -1; 1028 y += (input & 0x2) ? 1 : -1; 1029 1030 /* assure we are still in bounds */ 1031 x = MAXIMUM(x, 0); 1032 y = MAXIMUM(y, 0); 1033 x = MINIMUM(x, FLDSIZE_X - 1); 1034 y = MINIMUM(y, FLDSIZE_Y - 1); 1035 1036 /* augment the field */ 1037 if (field[x][y] < len - 2) 1038 field[x][y]++; 1039 input = input >> 2; 1040 } 1041 } 1042 1043 /* mark starting point and end point*/ 1044 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1045 field[x][y] = len; 1046 1047 /* assemble title */ 1048 r = snprintf(title, sizeof(title), "[%s %u]", 1049 sshkey_type(k), sshkey_size(k)); 1050 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1051 if (r < 0 || r > (int)sizeof(title)) 1052 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1053 tlen = (r <= 0) ? 0 : strlen(title); 1054 1055 /* assemble hash ID. */ 1056 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1057 hlen = (r <= 0) ? 0 : strlen(hash); 1058 1059 /* output upper border */ 1060 p = retval; 1061 *p++ = '+'; 1062 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1063 *p++ = '-'; 1064 memcpy(p, title, tlen); 1065 p += tlen; 1066 for (i += tlen; i < FLDSIZE_X; i++) 1067 *p++ = '-'; 1068 *p++ = '+'; 1069 *p++ = '\n'; 1070 1071 /* output content */ 1072 for (y = 0; y < FLDSIZE_Y; y++) { 1073 *p++ = '|'; 1074 for (x = 0; x < FLDSIZE_X; x++) 1075 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1076 *p++ = '|'; 1077 *p++ = '\n'; 1078 } 1079 1080 /* output lower border */ 1081 *p++ = '+'; 1082 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1083 *p++ = '-'; 1084 memcpy(p, hash, hlen); 1085 p += hlen; 1086 for (i += hlen; i < FLDSIZE_X; i++) 1087 *p++ = '-'; 1088 *p++ = '+'; 1089 1090 return retval; 1091 } 1092 1093 char * 1094 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1095 enum sshkey_fp_rep dgst_rep) 1096 { 1097 char *retval = NULL; 1098 u_char *dgst_raw; 1099 size_t dgst_raw_len; 1100 1101 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1102 return NULL; 1103 switch (dgst_rep) { 1104 case SSH_FP_DEFAULT: 1105 if (dgst_alg == SSH_DIGEST_MD5) { 1106 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1107 dgst_raw, dgst_raw_len); 1108 } else { 1109 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1110 dgst_raw, dgst_raw_len); 1111 } 1112 break; 1113 case SSH_FP_HEX: 1114 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1115 dgst_raw, dgst_raw_len); 1116 break; 1117 case SSH_FP_BASE64: 1118 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1119 dgst_raw, dgst_raw_len); 1120 break; 1121 case SSH_FP_BUBBLEBABBLE: 1122 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1123 break; 1124 case SSH_FP_RANDOMART: 1125 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1126 dgst_raw, dgst_raw_len, k); 1127 break; 1128 default: 1129 explicit_bzero(dgst_raw, dgst_raw_len); 1130 free(dgst_raw); 1131 return NULL; 1132 } 1133 explicit_bzero(dgst_raw, dgst_raw_len); 1134 free(dgst_raw); 1135 return retval; 1136 } 1137 1138 1139 /* returns 0 ok, and < 0 error */ 1140 int 1141 sshkey_read(struct sshkey *ret, char **cpp) 1142 { 1143 struct sshkey *k; 1144 int retval = SSH_ERR_INVALID_FORMAT; 1145 char *ep, *cp, *space; 1146 int r, type, curve_nid = -1; 1147 struct sshbuf *blob; 1148 1149 if (ret == NULL) 1150 return SSH_ERR_INVALID_ARGUMENT; 1151 1152 cp = *cpp; 1153 1154 switch (ret->type) { 1155 case KEY_UNSPEC: 1156 case KEY_RSA: 1157 case KEY_DSA: 1158 case KEY_ECDSA: 1159 case KEY_ED25519: 1160 case KEY_DSA_CERT: 1161 case KEY_ECDSA_CERT: 1162 case KEY_RSA_CERT: 1163 case KEY_ED25519_CERT: 1164 space = strchr(cp, ' '); 1165 if (space == NULL) 1166 return SSH_ERR_INVALID_FORMAT; 1167 *space = '\0'; 1168 type = sshkey_type_from_name(cp); 1169 if (sshkey_type_plain(type) == KEY_ECDSA && 1170 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1171 return SSH_ERR_EC_CURVE_INVALID; 1172 *space = ' '; 1173 if (type == KEY_UNSPEC) 1174 return SSH_ERR_INVALID_FORMAT; 1175 cp = space+1; 1176 if (*cp == '\0') 1177 return SSH_ERR_INVALID_FORMAT; 1178 if (ret->type != KEY_UNSPEC && ret->type != type) 1179 return SSH_ERR_KEY_TYPE_MISMATCH; 1180 if ((blob = sshbuf_new()) == NULL) 1181 return SSH_ERR_ALLOC_FAIL; 1182 /* trim comment */ 1183 space = strchr(cp, ' '); 1184 if (space) { 1185 /* advance 'space': skip whitespace */ 1186 *space++ = '\0'; 1187 while (*space == ' ' || *space == '\t') 1188 space++; 1189 ep = space; 1190 } else 1191 ep = cp + strlen(cp); 1192 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1193 sshbuf_free(blob); 1194 return r; 1195 } 1196 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1197 sshbuf_len(blob), &k)) != 0) { 1198 sshbuf_free(blob); 1199 return r; 1200 } 1201 sshbuf_free(blob); 1202 if (k->type != type) { 1203 sshkey_free(k); 1204 return SSH_ERR_KEY_TYPE_MISMATCH; 1205 } 1206 if (sshkey_type_plain(type) == KEY_ECDSA && 1207 curve_nid != k->ecdsa_nid) { 1208 sshkey_free(k); 1209 return SSH_ERR_EC_CURVE_MISMATCH; 1210 } 1211 ret->type = type; 1212 if (sshkey_is_cert(ret)) { 1213 if (!sshkey_is_cert(k)) { 1214 sshkey_free(k); 1215 return SSH_ERR_EXPECTED_CERT; 1216 } 1217 if (ret->cert != NULL) 1218 cert_free(ret->cert); 1219 ret->cert = k->cert; 1220 k->cert = NULL; 1221 } 1222 switch (sshkey_type_plain(ret->type)) { 1223 #ifdef WITH_OPENSSL 1224 case KEY_RSA: 1225 if (ret->rsa != NULL) 1226 RSA_free(ret->rsa); 1227 ret->rsa = k->rsa; 1228 k->rsa = NULL; 1229 #ifdef DEBUG_PK 1230 RSA_print_fp(stderr, ret->rsa, 8); 1231 #endif 1232 break; 1233 case KEY_DSA: 1234 if (ret->dsa != NULL) 1235 DSA_free(ret->dsa); 1236 ret->dsa = k->dsa; 1237 k->dsa = NULL; 1238 #ifdef DEBUG_PK 1239 DSA_print_fp(stderr, ret->dsa, 8); 1240 #endif 1241 break; 1242 case KEY_ECDSA: 1243 if (ret->ecdsa != NULL) 1244 EC_KEY_free(ret->ecdsa); 1245 ret->ecdsa = k->ecdsa; 1246 ret->ecdsa_nid = k->ecdsa_nid; 1247 k->ecdsa = NULL; 1248 k->ecdsa_nid = -1; 1249 #ifdef DEBUG_PK 1250 sshkey_dump_ec_key(ret->ecdsa); 1251 #endif 1252 break; 1253 #endif /* WITH_OPENSSL */ 1254 case KEY_ED25519: 1255 free(ret->ed25519_pk); 1256 ret->ed25519_pk = k->ed25519_pk; 1257 k->ed25519_pk = NULL; 1258 #ifdef DEBUG_PK 1259 /* XXX */ 1260 #endif 1261 break; 1262 } 1263 *cpp = ep; 1264 retval = 0; 1265 /*XXXX*/ 1266 sshkey_free(k); 1267 if (retval != 0) 1268 break; 1269 break; 1270 default: 1271 return SSH_ERR_INVALID_ARGUMENT; 1272 } 1273 return retval; 1274 } 1275 1276 int 1277 sshkey_to_base64(const struct sshkey *key, char **b64p) 1278 { 1279 int r = SSH_ERR_INTERNAL_ERROR; 1280 struct sshbuf *b = NULL; 1281 char *uu = NULL; 1282 1283 if (b64p != NULL) 1284 *b64p = NULL; 1285 if ((b = sshbuf_new()) == NULL) 1286 return SSH_ERR_ALLOC_FAIL; 1287 if ((r = sshkey_putb(key, b)) != 0) 1288 goto out; 1289 if ((uu = sshbuf_dtob64(b)) == NULL) { 1290 r = SSH_ERR_ALLOC_FAIL; 1291 goto out; 1292 } 1293 /* Success */ 1294 if (b64p != NULL) { 1295 *b64p = uu; 1296 uu = NULL; 1297 } 1298 r = 0; 1299 out: 1300 sshbuf_free(b); 1301 free(uu); 1302 return r; 1303 } 1304 1305 int 1306 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1307 { 1308 int r = SSH_ERR_INTERNAL_ERROR; 1309 char *uu = NULL; 1310 1311 if ((r = sshkey_to_base64(key, &uu)) != 0) 1312 goto out; 1313 if ((r = sshbuf_putf(b, "%s %s", 1314 sshkey_ssh_name(key), uu)) != 0) 1315 goto out; 1316 r = 0; 1317 out: 1318 free(uu); 1319 return r; 1320 } 1321 1322 int 1323 sshkey_write(const struct sshkey *key, FILE *f) 1324 { 1325 struct sshbuf *b = NULL; 1326 int r = SSH_ERR_INTERNAL_ERROR; 1327 1328 if ((b = sshbuf_new()) == NULL) 1329 return SSH_ERR_ALLOC_FAIL; 1330 if ((r = sshkey_format_text(key, b)) != 0) 1331 goto out; 1332 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1333 if (feof(f)) 1334 errno = EPIPE; 1335 r = SSH_ERR_SYSTEM_ERROR; 1336 goto out; 1337 } 1338 /* Success */ 1339 r = 0; 1340 out: 1341 sshbuf_free(b); 1342 return r; 1343 } 1344 1345 const char * 1346 sshkey_cert_type(const struct sshkey *k) 1347 { 1348 switch (k->cert->type) { 1349 case SSH2_CERT_TYPE_USER: 1350 return "user"; 1351 case SSH2_CERT_TYPE_HOST: 1352 return "host"; 1353 default: 1354 return "unknown"; 1355 } 1356 } 1357 1358 #ifdef WITH_OPENSSL 1359 static int 1360 rsa_generate_private_key(u_int bits, RSA **rsap) 1361 { 1362 RSA *private = NULL; 1363 BIGNUM *f4 = NULL; 1364 int ret = SSH_ERR_INTERNAL_ERROR; 1365 1366 if (rsap == NULL) 1367 return SSH_ERR_INVALID_ARGUMENT; 1368 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1369 bits > SSHBUF_MAX_BIGNUM * 8) 1370 return SSH_ERR_KEY_LENGTH; 1371 *rsap = NULL; 1372 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1373 ret = SSH_ERR_ALLOC_FAIL; 1374 goto out; 1375 } 1376 if (!BN_set_word(f4, RSA_F4) || 1377 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1378 ret = SSH_ERR_LIBCRYPTO_ERROR; 1379 goto out; 1380 } 1381 *rsap = private; 1382 private = NULL; 1383 ret = 0; 1384 out: 1385 if (private != NULL) 1386 RSA_free(private); 1387 if (f4 != NULL) 1388 BN_free(f4); 1389 return ret; 1390 } 1391 1392 static int 1393 dsa_generate_private_key(u_int bits, DSA **dsap) 1394 { 1395 DSA *private; 1396 int ret = SSH_ERR_INTERNAL_ERROR; 1397 1398 if (dsap == NULL) 1399 return SSH_ERR_INVALID_ARGUMENT; 1400 if (bits != 1024) 1401 return SSH_ERR_KEY_LENGTH; 1402 if ((private = DSA_new()) == NULL) { 1403 ret = SSH_ERR_ALLOC_FAIL; 1404 goto out; 1405 } 1406 *dsap = NULL; 1407 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1408 NULL, NULL) || !DSA_generate_key(private)) { 1409 ret = SSH_ERR_LIBCRYPTO_ERROR; 1410 goto out; 1411 } 1412 *dsap = private; 1413 private = NULL; 1414 ret = 0; 1415 out: 1416 if (private != NULL) 1417 DSA_free(private); 1418 return ret; 1419 } 1420 1421 int 1422 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1423 { 1424 EC_GROUP *eg; 1425 int nids[] = { 1426 NID_X9_62_prime256v1, 1427 NID_secp384r1, 1428 NID_secp521r1, 1429 -1 1430 }; 1431 int nid; 1432 u_int i; 1433 BN_CTX *bnctx; 1434 const EC_GROUP *g = EC_KEY_get0_group(k); 1435 1436 /* 1437 * The group may be stored in a ASN.1 encoded private key in one of two 1438 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1439 * or explicit group parameters encoded into the key blob. Only the 1440 * "named group" case sets the group NID for us, but we can figure 1441 * it out for the other case by comparing against all the groups that 1442 * are supported. 1443 */ 1444 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1445 return nid; 1446 if ((bnctx = BN_CTX_new()) == NULL) 1447 return -1; 1448 for (i = 0; nids[i] != -1; i++) { 1449 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1450 BN_CTX_free(bnctx); 1451 return -1; 1452 } 1453 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1454 break; 1455 EC_GROUP_free(eg); 1456 } 1457 BN_CTX_free(bnctx); 1458 if (nids[i] != -1) { 1459 /* Use the group with the NID attached */ 1460 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1461 if (EC_KEY_set_group(k, eg) != 1) { 1462 EC_GROUP_free(eg); 1463 return -1; 1464 } 1465 } 1466 return nids[i]; 1467 } 1468 1469 static int 1470 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1471 { 1472 EC_KEY *private; 1473 int ret = SSH_ERR_INTERNAL_ERROR; 1474 1475 if (nid == NULL || ecdsap == NULL) 1476 return SSH_ERR_INVALID_ARGUMENT; 1477 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1478 return SSH_ERR_KEY_LENGTH; 1479 *ecdsap = NULL; 1480 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1481 ret = SSH_ERR_ALLOC_FAIL; 1482 goto out; 1483 } 1484 if (EC_KEY_generate_key(private) != 1) { 1485 ret = SSH_ERR_LIBCRYPTO_ERROR; 1486 goto out; 1487 } 1488 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1489 *ecdsap = private; 1490 private = NULL; 1491 ret = 0; 1492 out: 1493 if (private != NULL) 1494 EC_KEY_free(private); 1495 return ret; 1496 } 1497 #endif /* WITH_OPENSSL */ 1498 1499 int 1500 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1501 { 1502 struct sshkey *k; 1503 int ret = SSH_ERR_INTERNAL_ERROR; 1504 1505 if (keyp == NULL) 1506 return SSH_ERR_INVALID_ARGUMENT; 1507 *keyp = NULL; 1508 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1509 return SSH_ERR_ALLOC_FAIL; 1510 switch (type) { 1511 case KEY_ED25519: 1512 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1513 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1514 ret = SSH_ERR_ALLOC_FAIL; 1515 break; 1516 } 1517 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1518 ret = 0; 1519 break; 1520 #ifdef WITH_OPENSSL 1521 case KEY_DSA: 1522 ret = dsa_generate_private_key(bits, &k->dsa); 1523 break; 1524 case KEY_ECDSA: 1525 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1526 &k->ecdsa); 1527 break; 1528 case KEY_RSA: 1529 ret = rsa_generate_private_key(bits, &k->rsa); 1530 break; 1531 #endif /* WITH_OPENSSL */ 1532 default: 1533 ret = SSH_ERR_INVALID_ARGUMENT; 1534 } 1535 if (ret == 0) { 1536 k->type = type; 1537 *keyp = k; 1538 } else 1539 sshkey_free(k); 1540 return ret; 1541 } 1542 1543 int 1544 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1545 { 1546 u_int i; 1547 const struct sshkey_cert *from; 1548 struct sshkey_cert *to; 1549 int ret = SSH_ERR_INTERNAL_ERROR; 1550 1551 if (to_key->cert != NULL) { 1552 cert_free(to_key->cert); 1553 to_key->cert = NULL; 1554 } 1555 1556 if ((from = from_key->cert) == NULL) 1557 return SSH_ERR_INVALID_ARGUMENT; 1558 1559 if ((to = to_key->cert = cert_new()) == NULL) 1560 return SSH_ERR_ALLOC_FAIL; 1561 1562 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1563 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1564 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) 1565 return ret; 1566 1567 to->serial = from->serial; 1568 to->type = from->type; 1569 if (from->key_id == NULL) 1570 to->key_id = NULL; 1571 else if ((to->key_id = strdup(from->key_id)) == NULL) 1572 return SSH_ERR_ALLOC_FAIL; 1573 to->valid_after = from->valid_after; 1574 to->valid_before = from->valid_before; 1575 if (from->signature_key == NULL) 1576 to->signature_key = NULL; 1577 else if ((ret = sshkey_from_private(from->signature_key, 1578 &to->signature_key)) != 0) 1579 return ret; 1580 1581 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1582 return SSH_ERR_INVALID_ARGUMENT; 1583 if (from->nprincipals > 0) { 1584 if ((to->principals = calloc(from->nprincipals, 1585 sizeof(*to->principals))) == NULL) 1586 return SSH_ERR_ALLOC_FAIL; 1587 for (i = 0; i < from->nprincipals; i++) { 1588 to->principals[i] = strdup(from->principals[i]); 1589 if (to->principals[i] == NULL) { 1590 to->nprincipals = i; 1591 return SSH_ERR_ALLOC_FAIL; 1592 } 1593 } 1594 } 1595 to->nprincipals = from->nprincipals; 1596 return 0; 1597 } 1598 1599 int 1600 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1601 { 1602 struct sshkey *n = NULL; 1603 int ret = SSH_ERR_INTERNAL_ERROR; 1604 1605 *pkp = NULL; 1606 switch (k->type) { 1607 #ifdef WITH_OPENSSL 1608 case KEY_DSA: 1609 case KEY_DSA_CERT: 1610 if ((n = sshkey_new(k->type)) == NULL) 1611 return SSH_ERR_ALLOC_FAIL; 1612 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1613 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1614 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1615 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1616 sshkey_free(n); 1617 return SSH_ERR_ALLOC_FAIL; 1618 } 1619 break; 1620 case KEY_ECDSA: 1621 case KEY_ECDSA_CERT: 1622 if ((n = sshkey_new(k->type)) == NULL) 1623 return SSH_ERR_ALLOC_FAIL; 1624 n->ecdsa_nid = k->ecdsa_nid; 1625 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1626 if (n->ecdsa == NULL) { 1627 sshkey_free(n); 1628 return SSH_ERR_ALLOC_FAIL; 1629 } 1630 if (EC_KEY_set_public_key(n->ecdsa, 1631 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1632 sshkey_free(n); 1633 return SSH_ERR_LIBCRYPTO_ERROR; 1634 } 1635 break; 1636 case KEY_RSA: 1637 case KEY_RSA_CERT: 1638 if ((n = sshkey_new(k->type)) == NULL) 1639 return SSH_ERR_ALLOC_FAIL; 1640 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1641 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1642 sshkey_free(n); 1643 return SSH_ERR_ALLOC_FAIL; 1644 } 1645 break; 1646 #endif /* WITH_OPENSSL */ 1647 case KEY_ED25519: 1648 case KEY_ED25519_CERT: 1649 if ((n = sshkey_new(k->type)) == NULL) 1650 return SSH_ERR_ALLOC_FAIL; 1651 if (k->ed25519_pk != NULL) { 1652 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1653 sshkey_free(n); 1654 return SSH_ERR_ALLOC_FAIL; 1655 } 1656 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1657 } 1658 break; 1659 default: 1660 return SSH_ERR_KEY_TYPE_UNKNOWN; 1661 } 1662 if (sshkey_is_cert(k)) { 1663 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1664 sshkey_free(n); 1665 return ret; 1666 } 1667 } 1668 *pkp = n; 1669 return 0; 1670 } 1671 1672 static int 1673 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1674 { 1675 struct sshbuf *principals = NULL, *crit = NULL; 1676 struct sshbuf *exts = NULL, *ca = NULL; 1677 u_char *sig = NULL; 1678 size_t signed_len = 0, slen = 0, kidlen = 0; 1679 int ret = SSH_ERR_INTERNAL_ERROR; 1680 1681 /* Copy the entire key blob for verification and later serialisation */ 1682 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1683 return ret; 1684 1685 /* Parse body of certificate up to signature */ 1686 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1687 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1688 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1689 (ret = sshbuf_froms(b, &principals)) != 0 || 1690 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1691 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1692 (ret = sshbuf_froms(b, &crit)) != 0 || 1693 (ret = sshbuf_froms(b, &exts)) != 0 || 1694 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1695 (ret = sshbuf_froms(b, &ca)) != 0) { 1696 /* XXX debug print error for ret */ 1697 ret = SSH_ERR_INVALID_FORMAT; 1698 goto out; 1699 } 1700 1701 /* Signature is left in the buffer so we can calculate this length */ 1702 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1703 1704 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1705 ret = SSH_ERR_INVALID_FORMAT; 1706 goto out; 1707 } 1708 1709 if (key->cert->type != SSH2_CERT_TYPE_USER && 1710 key->cert->type != SSH2_CERT_TYPE_HOST) { 1711 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1712 goto out; 1713 } 1714 1715 /* Parse principals section */ 1716 while (sshbuf_len(principals) > 0) { 1717 char *principal = NULL; 1718 char **oprincipals = NULL; 1719 1720 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1721 ret = SSH_ERR_INVALID_FORMAT; 1722 goto out; 1723 } 1724 if ((ret = sshbuf_get_cstring(principals, &principal, 1725 NULL)) != 0) { 1726 ret = SSH_ERR_INVALID_FORMAT; 1727 goto out; 1728 } 1729 oprincipals = key->cert->principals; 1730 key->cert->principals = recallocarray(key->cert->principals, 1731 key->cert->nprincipals, key->cert->nprincipals + 1, 1732 sizeof(*key->cert->principals)); 1733 if (key->cert->principals == NULL) { 1734 free(principal); 1735 key->cert->principals = oprincipals; 1736 ret = SSH_ERR_ALLOC_FAIL; 1737 goto out; 1738 } 1739 key->cert->principals[key->cert->nprincipals++] = principal; 1740 } 1741 1742 /* 1743 * Stash a copies of the critical options and extensions sections 1744 * for later use. 1745 */ 1746 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1747 (exts != NULL && 1748 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1749 goto out; 1750 1751 /* 1752 * Validate critical options and extensions sections format. 1753 */ 1754 while (sshbuf_len(crit) != 0) { 1755 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1756 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1757 sshbuf_reset(key->cert->critical); 1758 ret = SSH_ERR_INVALID_FORMAT; 1759 goto out; 1760 } 1761 } 1762 while (exts != NULL && sshbuf_len(exts) != 0) { 1763 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1764 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1765 sshbuf_reset(key->cert->extensions); 1766 ret = SSH_ERR_INVALID_FORMAT; 1767 goto out; 1768 } 1769 } 1770 1771 /* Parse CA key and check signature */ 1772 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1773 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1774 goto out; 1775 } 1776 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1777 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1778 goto out; 1779 } 1780 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1781 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0) 1782 goto out; 1783 1784 /* Success */ 1785 ret = 0; 1786 out: 1787 sshbuf_free(ca); 1788 sshbuf_free(crit); 1789 sshbuf_free(exts); 1790 sshbuf_free(principals); 1791 free(sig); 1792 return ret; 1793 } 1794 1795 static int 1796 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1797 int allow_cert) 1798 { 1799 int type, ret = SSH_ERR_INTERNAL_ERROR; 1800 char *ktype = NULL, *curve = NULL; 1801 struct sshkey *key = NULL; 1802 size_t len; 1803 u_char *pk = NULL; 1804 struct sshbuf *copy; 1805 #ifdef WITH_OPENSSL 1806 EC_POINT *q = NULL; 1807 #endif /* WITH_OPENSSL */ 1808 1809 #ifdef DEBUG_PK /* XXX */ 1810 sshbuf_dump(b, stderr); 1811 #endif 1812 if (keyp != NULL) 1813 *keyp = NULL; 1814 if ((copy = sshbuf_fromb(b)) == NULL) { 1815 ret = SSH_ERR_ALLOC_FAIL; 1816 goto out; 1817 } 1818 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1819 ret = SSH_ERR_INVALID_FORMAT; 1820 goto out; 1821 } 1822 1823 type = sshkey_type_from_name(ktype); 1824 if (!allow_cert && sshkey_type_is_cert(type)) { 1825 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1826 goto out; 1827 } 1828 switch (type) { 1829 #ifdef WITH_OPENSSL 1830 case KEY_RSA_CERT: 1831 /* Skip nonce */ 1832 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1833 ret = SSH_ERR_INVALID_FORMAT; 1834 goto out; 1835 } 1836 /* FALLTHROUGH */ 1837 case KEY_RSA: 1838 if ((key = sshkey_new(type)) == NULL) { 1839 ret = SSH_ERR_ALLOC_FAIL; 1840 goto out; 1841 } 1842 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 1843 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 1844 ret = SSH_ERR_INVALID_FORMAT; 1845 goto out; 1846 } 1847 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 1848 ret = SSH_ERR_KEY_LENGTH; 1849 goto out; 1850 } 1851 #ifdef DEBUG_PK 1852 RSA_print_fp(stderr, key->rsa, 8); 1853 #endif 1854 break; 1855 case KEY_DSA_CERT: 1856 /* Skip nonce */ 1857 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1858 ret = SSH_ERR_INVALID_FORMAT; 1859 goto out; 1860 } 1861 /* FALLTHROUGH */ 1862 case KEY_DSA: 1863 if ((key = sshkey_new(type)) == NULL) { 1864 ret = SSH_ERR_ALLOC_FAIL; 1865 goto out; 1866 } 1867 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 1868 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 1869 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 1870 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 1871 ret = SSH_ERR_INVALID_FORMAT; 1872 goto out; 1873 } 1874 #ifdef DEBUG_PK 1875 DSA_print_fp(stderr, key->dsa, 8); 1876 #endif 1877 break; 1878 case KEY_ECDSA_CERT: 1879 /* Skip nonce */ 1880 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1881 ret = SSH_ERR_INVALID_FORMAT; 1882 goto out; 1883 } 1884 /* FALLTHROUGH */ 1885 case KEY_ECDSA: 1886 if ((key = sshkey_new(type)) == NULL) { 1887 ret = SSH_ERR_ALLOC_FAIL; 1888 goto out; 1889 } 1890 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 1891 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 1892 ret = SSH_ERR_INVALID_FORMAT; 1893 goto out; 1894 } 1895 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 1896 ret = SSH_ERR_EC_CURVE_MISMATCH; 1897 goto out; 1898 } 1899 if (key->ecdsa != NULL) 1900 EC_KEY_free(key->ecdsa); 1901 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1902 == NULL) { 1903 ret = SSH_ERR_EC_CURVE_INVALID; 1904 goto out; 1905 } 1906 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 1907 ret = SSH_ERR_ALLOC_FAIL; 1908 goto out; 1909 } 1910 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 1911 ret = SSH_ERR_INVALID_FORMAT; 1912 goto out; 1913 } 1914 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1915 q) != 0) { 1916 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 1917 goto out; 1918 } 1919 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 1920 /* XXX assume it is a allocation error */ 1921 ret = SSH_ERR_ALLOC_FAIL; 1922 goto out; 1923 } 1924 #ifdef DEBUG_PK 1925 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1926 #endif 1927 break; 1928 #endif /* WITH_OPENSSL */ 1929 case KEY_ED25519_CERT: 1930 /* Skip nonce */ 1931 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1932 ret = SSH_ERR_INVALID_FORMAT; 1933 goto out; 1934 } 1935 /* FALLTHROUGH */ 1936 case KEY_ED25519: 1937 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 1938 goto out; 1939 if (len != ED25519_PK_SZ) { 1940 ret = SSH_ERR_INVALID_FORMAT; 1941 goto out; 1942 } 1943 if ((key = sshkey_new(type)) == NULL) { 1944 ret = SSH_ERR_ALLOC_FAIL; 1945 goto out; 1946 } 1947 key->ed25519_pk = pk; 1948 pk = NULL; 1949 break; 1950 case KEY_UNSPEC: 1951 default: 1952 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1953 goto out; 1954 } 1955 1956 /* Parse certificate potion */ 1957 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 1958 goto out; 1959 1960 if (key != NULL && sshbuf_len(b) != 0) { 1961 ret = SSH_ERR_INVALID_FORMAT; 1962 goto out; 1963 } 1964 ret = 0; 1965 if (keyp != NULL) { 1966 *keyp = key; 1967 key = NULL; 1968 } 1969 out: 1970 sshbuf_free(copy); 1971 sshkey_free(key); 1972 free(ktype); 1973 free(curve); 1974 free(pk); 1975 #ifdef WITH_OPENSSL 1976 if (q != NULL) 1977 EC_POINT_free(q); 1978 #endif /* WITH_OPENSSL */ 1979 return ret; 1980 } 1981 1982 int 1983 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 1984 { 1985 struct sshbuf *b; 1986 int r; 1987 1988 if ((b = sshbuf_from(blob, blen)) == NULL) 1989 return SSH_ERR_ALLOC_FAIL; 1990 r = sshkey_from_blob_internal(b, keyp, 1); 1991 sshbuf_free(b); 1992 return r; 1993 } 1994 1995 int 1996 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 1997 { 1998 return sshkey_from_blob_internal(b, keyp, 1); 1999 } 2000 2001 int 2002 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2003 { 2004 struct sshbuf *b; 2005 int r; 2006 2007 if ((r = sshbuf_froms(buf, &b)) != 0) 2008 return r; 2009 r = sshkey_from_blob_internal(b, keyp, 1); 2010 sshbuf_free(b); 2011 return r; 2012 } 2013 2014 int 2015 sshkey_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2016 { 2017 int r; 2018 struct sshbuf *b = NULL; 2019 char *sigtype = NULL; 2020 2021 if (sigtypep != NULL) 2022 *sigtypep = NULL; 2023 if ((b = sshbuf_from(sig, siglen)) == NULL) 2024 return SSH_ERR_ALLOC_FAIL; 2025 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2026 goto out; 2027 /* success */ 2028 if (sigtypep != NULL) { 2029 *sigtypep = sigtype; 2030 sigtype = NULL; 2031 } 2032 r = 0; 2033 out: 2034 free(sigtype); 2035 sshbuf_free(b); 2036 return r; 2037 } 2038 2039 int 2040 sshkey_sign(const struct sshkey *key, 2041 u_char **sigp, size_t *lenp, 2042 const u_char *data, size_t datalen, const char *alg, u_int compat) 2043 { 2044 if (sigp != NULL) 2045 *sigp = NULL; 2046 if (lenp != NULL) 2047 *lenp = 0; 2048 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2049 return SSH_ERR_INVALID_ARGUMENT; 2050 switch (key->type) { 2051 #ifdef WITH_OPENSSL 2052 case KEY_DSA_CERT: 2053 case KEY_DSA: 2054 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2055 case KEY_ECDSA_CERT: 2056 case KEY_ECDSA: 2057 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2058 case KEY_RSA_CERT: 2059 case KEY_RSA: 2060 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2061 #endif /* WITH_OPENSSL */ 2062 case KEY_ED25519: 2063 case KEY_ED25519_CERT: 2064 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2065 default: 2066 return SSH_ERR_KEY_TYPE_UNKNOWN; 2067 } 2068 } 2069 2070 /* 2071 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2072 * If "alg" specified, then the signature must use that algorithm. 2073 */ 2074 int 2075 sshkey_verify(const struct sshkey *key, 2076 const u_char *sig, size_t siglen, 2077 const u_char *data, size_t dlen, const char *alg, u_int compat) 2078 { 2079 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2080 return SSH_ERR_INVALID_ARGUMENT; 2081 switch (key->type) { 2082 #ifdef WITH_OPENSSL 2083 case KEY_DSA_CERT: 2084 case KEY_DSA: 2085 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2086 case KEY_ECDSA_CERT: 2087 case KEY_ECDSA: 2088 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2089 case KEY_RSA_CERT: 2090 case KEY_RSA: 2091 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2092 #endif /* WITH_OPENSSL */ 2093 case KEY_ED25519: 2094 case KEY_ED25519_CERT: 2095 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2096 default: 2097 return SSH_ERR_KEY_TYPE_UNKNOWN; 2098 } 2099 } 2100 2101 /* Converts a private to a public key */ 2102 int 2103 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2104 { 2105 struct sshkey *pk; 2106 int ret = SSH_ERR_INTERNAL_ERROR; 2107 2108 *dkp = NULL; 2109 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2110 return SSH_ERR_ALLOC_FAIL; 2111 pk->type = k->type; 2112 pk->flags = k->flags; 2113 pk->ecdsa_nid = k->ecdsa_nid; 2114 pk->dsa = NULL; 2115 pk->ecdsa = NULL; 2116 pk->rsa = NULL; 2117 pk->ed25519_pk = NULL; 2118 pk->ed25519_sk = NULL; 2119 2120 switch (k->type) { 2121 #ifdef WITH_OPENSSL 2122 case KEY_RSA_CERT: 2123 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2124 goto fail; 2125 /* FALLTHROUGH */ 2126 case KEY_RSA: 2127 if ((pk->rsa = RSA_new()) == NULL || 2128 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2129 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2130 ret = SSH_ERR_ALLOC_FAIL; 2131 goto fail; 2132 } 2133 break; 2134 case KEY_DSA_CERT: 2135 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2136 goto fail; 2137 /* FALLTHROUGH */ 2138 case KEY_DSA: 2139 if ((pk->dsa = DSA_new()) == NULL || 2140 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2141 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2142 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2143 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2144 ret = SSH_ERR_ALLOC_FAIL; 2145 goto fail; 2146 } 2147 break; 2148 case KEY_ECDSA_CERT: 2149 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2150 goto fail; 2151 /* FALLTHROUGH */ 2152 case KEY_ECDSA: 2153 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2154 if (pk->ecdsa == NULL) { 2155 ret = SSH_ERR_ALLOC_FAIL; 2156 goto fail; 2157 } 2158 if (EC_KEY_set_public_key(pk->ecdsa, 2159 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2160 ret = SSH_ERR_LIBCRYPTO_ERROR; 2161 goto fail; 2162 } 2163 break; 2164 #endif /* WITH_OPENSSL */ 2165 case KEY_ED25519_CERT: 2166 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2167 goto fail; 2168 /* FALLTHROUGH */ 2169 case KEY_ED25519: 2170 if (k->ed25519_pk != NULL) { 2171 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2172 ret = SSH_ERR_ALLOC_FAIL; 2173 goto fail; 2174 } 2175 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2176 } 2177 break; 2178 default: 2179 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2180 fail: 2181 sshkey_free(pk); 2182 return ret; 2183 } 2184 *dkp = pk; 2185 return 0; 2186 } 2187 2188 /* Convert a plain key to their _CERT equivalent */ 2189 int 2190 sshkey_to_certified(struct sshkey *k) 2191 { 2192 int newtype; 2193 2194 switch (k->type) { 2195 #ifdef WITH_OPENSSL 2196 case KEY_RSA: 2197 newtype = KEY_RSA_CERT; 2198 break; 2199 case KEY_DSA: 2200 newtype = KEY_DSA_CERT; 2201 break; 2202 case KEY_ECDSA: 2203 newtype = KEY_ECDSA_CERT; 2204 break; 2205 #endif /* WITH_OPENSSL */ 2206 case KEY_ED25519: 2207 newtype = KEY_ED25519_CERT; 2208 break; 2209 default: 2210 return SSH_ERR_INVALID_ARGUMENT; 2211 } 2212 if ((k->cert = cert_new()) == NULL) 2213 return SSH_ERR_ALLOC_FAIL; 2214 k->type = newtype; 2215 return 0; 2216 } 2217 2218 /* Convert a certificate to its raw key equivalent */ 2219 int 2220 sshkey_drop_cert(struct sshkey *k) 2221 { 2222 if (!sshkey_type_is_cert(k->type)) 2223 return SSH_ERR_KEY_TYPE_UNKNOWN; 2224 cert_free(k->cert); 2225 k->cert = NULL; 2226 k->type = sshkey_type_plain(k->type); 2227 return 0; 2228 } 2229 2230 /* Sign a certified key, (re-)generating the signed certblob. */ 2231 int 2232 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2233 sshkey_certify_signer *signer, void *signer_ctx) 2234 { 2235 struct sshbuf *principals = NULL; 2236 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2237 size_t i, ca_len, sig_len; 2238 int ret = SSH_ERR_INTERNAL_ERROR; 2239 struct sshbuf *cert; 2240 2241 if (k == NULL || k->cert == NULL || 2242 k->cert->certblob == NULL || ca == NULL) 2243 return SSH_ERR_INVALID_ARGUMENT; 2244 if (!sshkey_is_cert(k)) 2245 return SSH_ERR_KEY_TYPE_UNKNOWN; 2246 if (!sshkey_type_is_valid_ca(ca->type)) 2247 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2248 2249 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2250 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2251 2252 cert = k->cert->certblob; /* for readability */ 2253 sshbuf_reset(cert); 2254 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2255 goto out; 2256 2257 /* -v01 certs put nonce first */ 2258 arc4random_buf(&nonce, sizeof(nonce)); 2259 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2260 goto out; 2261 2262 /* XXX this substantially duplicates to_blob(); refactor */ 2263 switch (k->type) { 2264 #ifdef WITH_OPENSSL 2265 case KEY_DSA_CERT: 2266 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2267 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2268 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2269 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2270 goto out; 2271 break; 2272 case KEY_ECDSA_CERT: 2273 if ((ret = sshbuf_put_cstring(cert, 2274 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2275 (ret = sshbuf_put_ec(cert, 2276 EC_KEY_get0_public_key(k->ecdsa), 2277 EC_KEY_get0_group(k->ecdsa))) != 0) 2278 goto out; 2279 break; 2280 case KEY_RSA_CERT: 2281 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2282 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2283 goto out; 2284 break; 2285 #endif /* WITH_OPENSSL */ 2286 case KEY_ED25519_CERT: 2287 if ((ret = sshbuf_put_string(cert, 2288 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2289 goto out; 2290 break; 2291 default: 2292 ret = SSH_ERR_INVALID_ARGUMENT; 2293 goto out; 2294 } 2295 2296 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2297 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2298 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2299 goto out; 2300 2301 if ((principals = sshbuf_new()) == NULL) { 2302 ret = SSH_ERR_ALLOC_FAIL; 2303 goto out; 2304 } 2305 for (i = 0; i < k->cert->nprincipals; i++) { 2306 if ((ret = sshbuf_put_cstring(principals, 2307 k->cert->principals[i])) != 0) 2308 goto out; 2309 } 2310 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2311 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2312 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2313 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2314 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2315 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2316 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2317 goto out; 2318 2319 /* Sign the whole mess */ 2320 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2321 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2322 goto out; 2323 2324 /* Append signature and we are done */ 2325 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2326 goto out; 2327 ret = 0; 2328 out: 2329 if (ret != 0) 2330 sshbuf_reset(cert); 2331 free(sig_blob); 2332 free(ca_blob); 2333 sshbuf_free(principals); 2334 return ret; 2335 } 2336 2337 static int 2338 default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 2339 const u_char *data, size_t datalen, 2340 const char *alg, u_int compat, void *ctx) 2341 { 2342 if (ctx != NULL) 2343 return SSH_ERR_INVALID_ARGUMENT; 2344 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2345 } 2346 2347 int 2348 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2349 { 2350 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2351 } 2352 2353 int 2354 sshkey_cert_check_authority(const struct sshkey *k, 2355 int want_host, int require_principal, 2356 const char *name, const char **reason) 2357 { 2358 u_int i, principal_matches; 2359 time_t now = time(NULL); 2360 2361 if (reason != NULL) 2362 *reason = NULL; 2363 2364 if (want_host) { 2365 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2366 *reason = "Certificate invalid: not a host certificate"; 2367 return SSH_ERR_KEY_CERT_INVALID; 2368 } 2369 } else { 2370 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2371 *reason = "Certificate invalid: not a user certificate"; 2372 return SSH_ERR_KEY_CERT_INVALID; 2373 } 2374 } 2375 if (now < 0) { 2376 /* yikes - system clock before epoch! */ 2377 *reason = "Certificate invalid: not yet valid"; 2378 return SSH_ERR_KEY_CERT_INVALID; 2379 } 2380 if ((u_int64_t)now < k->cert->valid_after) { 2381 *reason = "Certificate invalid: not yet valid"; 2382 return SSH_ERR_KEY_CERT_INVALID; 2383 } 2384 if ((u_int64_t)now >= k->cert->valid_before) { 2385 *reason = "Certificate invalid: expired"; 2386 return SSH_ERR_KEY_CERT_INVALID; 2387 } 2388 if (k->cert->nprincipals == 0) { 2389 if (require_principal) { 2390 *reason = "Certificate lacks principal list"; 2391 return SSH_ERR_KEY_CERT_INVALID; 2392 } 2393 } else if (name != NULL) { 2394 principal_matches = 0; 2395 for (i = 0; i < k->cert->nprincipals; i++) { 2396 if (strcmp(name, k->cert->principals[i]) == 0) { 2397 principal_matches = 1; 2398 break; 2399 } 2400 } 2401 if (!principal_matches) { 2402 *reason = "Certificate invalid: name is not a listed " 2403 "principal"; 2404 return SSH_ERR_KEY_CERT_INVALID; 2405 } 2406 } 2407 return 0; 2408 } 2409 2410 size_t 2411 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2412 { 2413 char from[32], to[32], ret[64]; 2414 time_t tt; 2415 struct tm *tm; 2416 2417 *from = *to = '\0'; 2418 if (cert->valid_after == 0 && 2419 cert->valid_before == 0xffffffffffffffffULL) 2420 return strlcpy(s, "forever", l); 2421 2422 if (cert->valid_after != 0) { 2423 /* XXX revisit INT_MAX in 2038 :) */ 2424 tt = cert->valid_after > INT_MAX ? 2425 INT_MAX : cert->valid_after; 2426 tm = localtime(&tt); 2427 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2428 } 2429 if (cert->valid_before != 0xffffffffffffffffULL) { 2430 /* XXX revisit INT_MAX in 2038 :) */ 2431 tt = cert->valid_before > INT_MAX ? 2432 INT_MAX : cert->valid_before; 2433 tm = localtime(&tt); 2434 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2435 } 2436 2437 if (cert->valid_after == 0) 2438 snprintf(ret, sizeof(ret), "before %s", to); 2439 else if (cert->valid_before == 0xffffffffffffffffULL) 2440 snprintf(ret, sizeof(ret), "after %s", from); 2441 else 2442 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2443 2444 return strlcpy(s, ret, l); 2445 } 2446 2447 int 2448 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2449 { 2450 int r = SSH_ERR_INTERNAL_ERROR; 2451 2452 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2453 goto out; 2454 switch (key->type) { 2455 #ifdef WITH_OPENSSL 2456 case KEY_RSA: 2457 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2458 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2459 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2460 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2461 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2462 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2463 goto out; 2464 break; 2465 case KEY_RSA_CERT: 2466 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2467 r = SSH_ERR_INVALID_ARGUMENT; 2468 goto out; 2469 } 2470 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2471 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2472 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2473 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2474 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2475 goto out; 2476 break; 2477 case KEY_DSA: 2478 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2479 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2480 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2481 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2482 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2483 goto out; 2484 break; 2485 case KEY_DSA_CERT: 2486 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2487 r = SSH_ERR_INVALID_ARGUMENT; 2488 goto out; 2489 } 2490 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2491 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2492 goto out; 2493 break; 2494 case KEY_ECDSA: 2495 if ((r = sshbuf_put_cstring(b, 2496 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2497 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2498 (r = sshbuf_put_bignum2(b, 2499 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2500 goto out; 2501 break; 2502 case KEY_ECDSA_CERT: 2503 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2504 r = SSH_ERR_INVALID_ARGUMENT; 2505 goto out; 2506 } 2507 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2508 (r = sshbuf_put_bignum2(b, 2509 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2510 goto out; 2511 break; 2512 #endif /* WITH_OPENSSL */ 2513 case KEY_ED25519: 2514 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2515 ED25519_PK_SZ)) != 0 || 2516 (r = sshbuf_put_string(b, key->ed25519_sk, 2517 ED25519_SK_SZ)) != 0) 2518 goto out; 2519 break; 2520 case KEY_ED25519_CERT: 2521 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2522 r = SSH_ERR_INVALID_ARGUMENT; 2523 goto out; 2524 } 2525 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2526 (r = sshbuf_put_string(b, key->ed25519_pk, 2527 ED25519_PK_SZ)) != 0 || 2528 (r = sshbuf_put_string(b, key->ed25519_sk, 2529 ED25519_SK_SZ)) != 0) 2530 goto out; 2531 break; 2532 default: 2533 r = SSH_ERR_INVALID_ARGUMENT; 2534 goto out; 2535 } 2536 /* success */ 2537 r = 0; 2538 out: 2539 return r; 2540 } 2541 2542 int 2543 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2544 { 2545 char *tname = NULL, *curve = NULL; 2546 struct sshkey *k = NULL; 2547 size_t pklen = 0, sklen = 0; 2548 int type, r = SSH_ERR_INTERNAL_ERROR; 2549 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2550 #ifdef WITH_OPENSSL 2551 BIGNUM *exponent = NULL; 2552 #endif /* WITH_OPENSSL */ 2553 2554 if (kp != NULL) 2555 *kp = NULL; 2556 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2557 goto out; 2558 type = sshkey_type_from_name(tname); 2559 switch (type) { 2560 #ifdef WITH_OPENSSL 2561 case KEY_DSA: 2562 if ((k = sshkey_new_private(type)) == NULL) { 2563 r = SSH_ERR_ALLOC_FAIL; 2564 goto out; 2565 } 2566 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2567 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2568 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2569 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2570 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2571 goto out; 2572 break; 2573 case KEY_DSA_CERT: 2574 if ((r = sshkey_froms(buf, &k)) != 0 || 2575 (r = sshkey_add_private(k)) != 0 || 2576 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2577 goto out; 2578 break; 2579 case KEY_ECDSA: 2580 if ((k = sshkey_new_private(type)) == NULL) { 2581 r = SSH_ERR_ALLOC_FAIL; 2582 goto out; 2583 } 2584 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2585 r = SSH_ERR_INVALID_ARGUMENT; 2586 goto out; 2587 } 2588 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2589 goto out; 2590 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2591 r = SSH_ERR_EC_CURVE_MISMATCH; 2592 goto out; 2593 } 2594 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2595 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2596 r = SSH_ERR_LIBCRYPTO_ERROR; 2597 goto out; 2598 } 2599 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2600 (r = sshbuf_get_bignum2(buf, exponent))) 2601 goto out; 2602 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2603 r = SSH_ERR_LIBCRYPTO_ERROR; 2604 goto out; 2605 } 2606 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2607 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2608 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2609 goto out; 2610 break; 2611 case KEY_ECDSA_CERT: 2612 if ((exponent = BN_new()) == NULL) { 2613 r = SSH_ERR_LIBCRYPTO_ERROR; 2614 goto out; 2615 } 2616 if ((r = sshkey_froms(buf, &k)) != 0 || 2617 (r = sshkey_add_private(k)) != 0 || 2618 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2619 goto out; 2620 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2621 r = SSH_ERR_LIBCRYPTO_ERROR; 2622 goto out; 2623 } 2624 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2625 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2626 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2627 goto out; 2628 break; 2629 case KEY_RSA: 2630 if ((k = sshkey_new_private(type)) == NULL) { 2631 r = SSH_ERR_ALLOC_FAIL; 2632 goto out; 2633 } 2634 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2635 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2636 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2637 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2638 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2639 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2640 (r = ssh_rsa_generate_additional_parameters(k)) != 0) 2641 goto out; 2642 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 2643 r = SSH_ERR_KEY_LENGTH; 2644 goto out; 2645 } 2646 break; 2647 case KEY_RSA_CERT: 2648 if ((r = sshkey_froms(buf, &k)) != 0 || 2649 (r = sshkey_add_private(k)) != 0 || 2650 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2651 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2652 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2653 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2654 (r = ssh_rsa_generate_additional_parameters(k)) != 0) 2655 goto out; 2656 if (BN_num_bits(k->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 2657 r = SSH_ERR_KEY_LENGTH; 2658 goto out; 2659 } 2660 break; 2661 #endif /* WITH_OPENSSL */ 2662 case KEY_ED25519: 2663 if ((k = sshkey_new_private(type)) == NULL) { 2664 r = SSH_ERR_ALLOC_FAIL; 2665 goto out; 2666 } 2667 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2668 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2669 goto out; 2670 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2671 r = SSH_ERR_INVALID_FORMAT; 2672 goto out; 2673 } 2674 k->ed25519_pk = ed25519_pk; 2675 k->ed25519_sk = ed25519_sk; 2676 ed25519_pk = ed25519_sk = NULL; 2677 break; 2678 case KEY_ED25519_CERT: 2679 if ((r = sshkey_froms(buf, &k)) != 0 || 2680 (r = sshkey_add_private(k)) != 0 || 2681 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2682 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2683 goto out; 2684 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2685 r = SSH_ERR_INVALID_FORMAT; 2686 goto out; 2687 } 2688 k->ed25519_pk = ed25519_pk; 2689 k->ed25519_sk = ed25519_sk; 2690 ed25519_pk = ed25519_sk = NULL; 2691 break; 2692 default: 2693 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2694 goto out; 2695 } 2696 #ifdef WITH_OPENSSL 2697 /* enable blinding */ 2698 switch (k->type) { 2699 case KEY_RSA: 2700 case KEY_RSA_CERT: 2701 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2702 r = SSH_ERR_LIBCRYPTO_ERROR; 2703 goto out; 2704 } 2705 break; 2706 } 2707 #endif /* WITH_OPENSSL */ 2708 /* success */ 2709 r = 0; 2710 if (kp != NULL) { 2711 *kp = k; 2712 k = NULL; 2713 } 2714 out: 2715 free(tname); 2716 free(curve); 2717 #ifdef WITH_OPENSSL 2718 if (exponent != NULL) 2719 BN_clear_free(exponent); 2720 #endif /* WITH_OPENSSL */ 2721 sshkey_free(k); 2722 if (ed25519_pk != NULL) { 2723 explicit_bzero(ed25519_pk, pklen); 2724 free(ed25519_pk); 2725 } 2726 if (ed25519_sk != NULL) { 2727 explicit_bzero(ed25519_sk, sklen); 2728 free(ed25519_sk); 2729 } 2730 return r; 2731 } 2732 2733 #ifdef WITH_OPENSSL 2734 int 2735 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2736 { 2737 BN_CTX *bnctx; 2738 EC_POINT *nq = NULL; 2739 BIGNUM *order, *x, *y, *tmp; 2740 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2741 2742 /* 2743 * NB. This assumes OpenSSL has already verified that the public 2744 * point lies on the curve. This is done by EC_POINT_oct2point() 2745 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 2746 * reachable with public points not unmarshalled using 2747 * EC_POINT_oct2point then the caller will need to explicitly check. 2748 */ 2749 2750 if ((bnctx = BN_CTX_new()) == NULL) 2751 return SSH_ERR_ALLOC_FAIL; 2752 BN_CTX_start(bnctx); 2753 2754 /* 2755 * We shouldn't ever hit this case because bignum_get_ecpoint() 2756 * refuses to load GF2m points. 2757 */ 2758 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2759 NID_X9_62_prime_field) 2760 goto out; 2761 2762 /* Q != infinity */ 2763 if (EC_POINT_is_at_infinity(group, public)) 2764 goto out; 2765 2766 if ((x = BN_CTX_get(bnctx)) == NULL || 2767 (y = BN_CTX_get(bnctx)) == NULL || 2768 (order = BN_CTX_get(bnctx)) == NULL || 2769 (tmp = BN_CTX_get(bnctx)) == NULL) { 2770 ret = SSH_ERR_ALLOC_FAIL; 2771 goto out; 2772 } 2773 2774 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2775 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2776 EC_POINT_get_affine_coordinates_GFp(group, public, 2777 x, y, bnctx) != 1) { 2778 ret = SSH_ERR_LIBCRYPTO_ERROR; 2779 goto out; 2780 } 2781 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2782 BN_num_bits(y) <= BN_num_bits(order) / 2) 2783 goto out; 2784 2785 /* nQ == infinity (n == order of subgroup) */ 2786 if ((nq = EC_POINT_new(group)) == NULL) { 2787 ret = SSH_ERR_ALLOC_FAIL; 2788 goto out; 2789 } 2790 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2791 ret = SSH_ERR_LIBCRYPTO_ERROR; 2792 goto out; 2793 } 2794 if (EC_POINT_is_at_infinity(group, nq) != 1) 2795 goto out; 2796 2797 /* x < order - 1, y < order - 1 */ 2798 if (!BN_sub(tmp, order, BN_value_one())) { 2799 ret = SSH_ERR_LIBCRYPTO_ERROR; 2800 goto out; 2801 } 2802 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2803 goto out; 2804 ret = 0; 2805 out: 2806 BN_CTX_free(bnctx); 2807 if (nq != NULL) 2808 EC_POINT_free(nq); 2809 return ret; 2810 } 2811 2812 int 2813 sshkey_ec_validate_private(const EC_KEY *key) 2814 { 2815 BN_CTX *bnctx; 2816 BIGNUM *order, *tmp; 2817 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2818 2819 if ((bnctx = BN_CTX_new()) == NULL) 2820 return SSH_ERR_ALLOC_FAIL; 2821 BN_CTX_start(bnctx); 2822 2823 if ((order = BN_CTX_get(bnctx)) == NULL || 2824 (tmp = BN_CTX_get(bnctx)) == NULL) { 2825 ret = SSH_ERR_ALLOC_FAIL; 2826 goto out; 2827 } 2828 2829 /* log2(private) > log2(order)/2 */ 2830 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2831 ret = SSH_ERR_LIBCRYPTO_ERROR; 2832 goto out; 2833 } 2834 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2835 BN_num_bits(order) / 2) 2836 goto out; 2837 2838 /* private < order - 1 */ 2839 if (!BN_sub(tmp, order, BN_value_one())) { 2840 ret = SSH_ERR_LIBCRYPTO_ERROR; 2841 goto out; 2842 } 2843 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2844 goto out; 2845 ret = 0; 2846 out: 2847 BN_CTX_free(bnctx); 2848 return ret; 2849 } 2850 2851 void 2852 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2853 { 2854 BIGNUM *x, *y; 2855 BN_CTX *bnctx; 2856 2857 if (point == NULL) { 2858 fputs("point=(NULL)\n", stderr); 2859 return; 2860 } 2861 if ((bnctx = BN_CTX_new()) == NULL) { 2862 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2863 return; 2864 } 2865 BN_CTX_start(bnctx); 2866 if ((x = BN_CTX_get(bnctx)) == NULL || 2867 (y = BN_CTX_get(bnctx)) == NULL) { 2868 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2869 return; 2870 } 2871 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2872 NID_X9_62_prime_field) { 2873 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2874 return; 2875 } 2876 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2877 bnctx) != 1) { 2878 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2879 __func__); 2880 return; 2881 } 2882 fputs("x=", stderr); 2883 BN_print_fp(stderr, x); 2884 fputs("\ny=", stderr); 2885 BN_print_fp(stderr, y); 2886 fputs("\n", stderr); 2887 BN_CTX_free(bnctx); 2888 } 2889 2890 void 2891 sshkey_dump_ec_key(const EC_KEY *key) 2892 { 2893 const BIGNUM *exponent; 2894 2895 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2896 EC_KEY_get0_public_key(key)); 2897 fputs("exponent=", stderr); 2898 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2899 fputs("(NULL)", stderr); 2900 else 2901 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2902 fputs("\n", stderr); 2903 } 2904 #endif /* WITH_OPENSSL */ 2905 2906 static int 2907 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2908 const char *passphrase, const char *comment, const char *ciphername, 2909 int rounds) 2910 { 2911 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2912 u_char salt[SALT_LEN]; 2913 char *b64 = NULL; 2914 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2915 u_int check; 2916 int r = SSH_ERR_INTERNAL_ERROR; 2917 struct sshcipher_ctx *ciphercontext = NULL; 2918 const struct sshcipher *cipher; 2919 const char *kdfname = KDFNAME; 2920 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2921 2922 if (rounds <= 0) 2923 rounds = DEFAULT_ROUNDS; 2924 if (passphrase == NULL || !strlen(passphrase)) { 2925 ciphername = "none"; 2926 kdfname = "none"; 2927 } else if (ciphername == NULL) 2928 ciphername = DEFAULT_CIPHERNAME; 2929 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2930 r = SSH_ERR_INVALID_ARGUMENT; 2931 goto out; 2932 } 2933 2934 if ((kdf = sshbuf_new()) == NULL || 2935 (encoded = sshbuf_new()) == NULL || 2936 (encrypted = sshbuf_new()) == NULL) { 2937 r = SSH_ERR_ALLOC_FAIL; 2938 goto out; 2939 } 2940 blocksize = cipher_blocksize(cipher); 2941 keylen = cipher_keylen(cipher); 2942 ivlen = cipher_ivlen(cipher); 2943 authlen = cipher_authlen(cipher); 2944 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2945 r = SSH_ERR_ALLOC_FAIL; 2946 goto out; 2947 } 2948 if (strcmp(kdfname, "bcrypt") == 0) { 2949 arc4random_buf(salt, SALT_LEN); 2950 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2951 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2952 r = SSH_ERR_INVALID_ARGUMENT; 2953 goto out; 2954 } 2955 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2956 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2957 goto out; 2958 } else if (strcmp(kdfname, "none") != 0) { 2959 /* Unsupported KDF type */ 2960 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2961 goto out; 2962 } 2963 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2964 key + keylen, ivlen, 1)) != 0) 2965 goto out; 2966 2967 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2968 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2969 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2970 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2971 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2972 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2973 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2974 goto out; 2975 2976 /* set up the buffer that will be encrypted */ 2977 2978 /* Random check bytes */ 2979 check = arc4random(); 2980 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2981 (r = sshbuf_put_u32(encrypted, check)) != 0) 2982 goto out; 2983 2984 /* append private key and comment*/ 2985 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 2986 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2987 goto out; 2988 2989 /* padding */ 2990 i = 0; 2991 while (sshbuf_len(encrypted) % blocksize) { 2992 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2993 goto out; 2994 } 2995 2996 /* length in destination buffer */ 2997 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2998 goto out; 2999 3000 /* encrypt */ 3001 if ((r = sshbuf_reserve(encoded, 3002 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3003 goto out; 3004 if ((r = cipher_crypt(ciphercontext, 0, cp, 3005 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3006 goto out; 3007 3008 /* uuencode */ 3009 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3010 r = SSH_ERR_ALLOC_FAIL; 3011 goto out; 3012 } 3013 3014 sshbuf_reset(blob); 3015 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3016 goto out; 3017 for (i = 0; i < strlen(b64); i++) { 3018 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3019 goto out; 3020 /* insert line breaks */ 3021 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3022 goto out; 3023 } 3024 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3025 goto out; 3026 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3027 goto out; 3028 3029 /* success */ 3030 r = 0; 3031 3032 out: 3033 sshbuf_free(kdf); 3034 sshbuf_free(encoded); 3035 sshbuf_free(encrypted); 3036 cipher_free(ciphercontext); 3037 explicit_bzero(salt, sizeof(salt)); 3038 if (key != NULL) { 3039 explicit_bzero(key, keylen + ivlen); 3040 free(key); 3041 } 3042 if (pubkeyblob != NULL) { 3043 explicit_bzero(pubkeyblob, pubkeylen); 3044 free(pubkeyblob); 3045 } 3046 if (b64 != NULL) { 3047 explicit_bzero(b64, strlen(b64)); 3048 free(b64); 3049 } 3050 return r; 3051 } 3052 3053 static int 3054 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3055 struct sshkey **keyp, char **commentp) 3056 { 3057 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3058 const struct sshcipher *cipher = NULL; 3059 const u_char *cp; 3060 int r = SSH_ERR_INTERNAL_ERROR; 3061 size_t encoded_len; 3062 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3063 struct sshbuf *encoded = NULL, *decoded = NULL; 3064 struct sshbuf *kdf = NULL, *decrypted = NULL; 3065 struct sshcipher_ctx *ciphercontext = NULL; 3066 struct sshkey *k = NULL; 3067 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3068 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3069 3070 if (keyp != NULL) 3071 *keyp = NULL; 3072 if (commentp != NULL) 3073 *commentp = NULL; 3074 3075 if ((encoded = sshbuf_new()) == NULL || 3076 (decoded = sshbuf_new()) == NULL || 3077 (decrypted = sshbuf_new()) == NULL) { 3078 r = SSH_ERR_ALLOC_FAIL; 3079 goto out; 3080 } 3081 3082 /* check preamble */ 3083 cp = sshbuf_ptr(blob); 3084 encoded_len = sshbuf_len(blob); 3085 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3086 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3087 r = SSH_ERR_INVALID_FORMAT; 3088 goto out; 3089 } 3090 cp += MARK_BEGIN_LEN; 3091 encoded_len -= MARK_BEGIN_LEN; 3092 3093 /* Look for end marker, removing whitespace as we go */ 3094 while (encoded_len > 0) { 3095 if (*cp != '\n' && *cp != '\r') { 3096 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3097 goto out; 3098 } 3099 last = *cp; 3100 encoded_len--; 3101 cp++; 3102 if (last == '\n') { 3103 if (encoded_len >= MARK_END_LEN && 3104 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3105 /* \0 terminate */ 3106 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3107 goto out; 3108 break; 3109 } 3110 } 3111 } 3112 if (encoded_len == 0) { 3113 r = SSH_ERR_INVALID_FORMAT; 3114 goto out; 3115 } 3116 3117 /* decode base64 */ 3118 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3119 goto out; 3120 3121 /* check magic */ 3122 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3123 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3124 r = SSH_ERR_INVALID_FORMAT; 3125 goto out; 3126 } 3127 /* parse public portion of key */ 3128 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3129 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3130 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3131 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3132 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3133 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3134 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3135 goto out; 3136 3137 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3138 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3139 goto out; 3140 } 3141 if ((passphrase == NULL || strlen(passphrase) == 0) && 3142 strcmp(ciphername, "none") != 0) { 3143 /* passphrase required */ 3144 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3145 goto out; 3146 } 3147 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3148 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3149 goto out; 3150 } 3151 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3152 r = SSH_ERR_INVALID_FORMAT; 3153 goto out; 3154 } 3155 if (nkeys != 1) { 3156 /* XXX only one key supported */ 3157 r = SSH_ERR_INVALID_FORMAT; 3158 goto out; 3159 } 3160 3161 /* check size of encrypted key blob */ 3162 blocksize = cipher_blocksize(cipher); 3163 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3164 r = SSH_ERR_INVALID_FORMAT; 3165 goto out; 3166 } 3167 3168 /* setup key */ 3169 keylen = cipher_keylen(cipher); 3170 ivlen = cipher_ivlen(cipher); 3171 authlen = cipher_authlen(cipher); 3172 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3173 r = SSH_ERR_ALLOC_FAIL; 3174 goto out; 3175 } 3176 if (strcmp(kdfname, "bcrypt") == 0) { 3177 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3178 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3179 goto out; 3180 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3181 key, keylen + ivlen, rounds) < 0) { 3182 r = SSH_ERR_INVALID_FORMAT; 3183 goto out; 3184 } 3185 } 3186 3187 /* check that an appropriate amount of auth data is present */ 3188 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3189 r = SSH_ERR_INVALID_FORMAT; 3190 goto out; 3191 } 3192 3193 /* decrypt private portion of key */ 3194 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3195 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3196 key + keylen, ivlen, 0)) != 0) 3197 goto out; 3198 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3199 encrypted_len, 0, authlen)) != 0) { 3200 /* an integrity error here indicates an incorrect passphrase */ 3201 if (r == SSH_ERR_MAC_INVALID) 3202 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3203 goto out; 3204 } 3205 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3206 goto out; 3207 /* there should be no trailing data */ 3208 if (sshbuf_len(decoded) != 0) { 3209 r = SSH_ERR_INVALID_FORMAT; 3210 goto out; 3211 } 3212 3213 /* check check bytes */ 3214 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3215 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3216 goto out; 3217 if (check1 != check2) { 3218 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3219 goto out; 3220 } 3221 3222 /* Load the private key and comment */ 3223 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3224 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3225 goto out; 3226 3227 /* Check deterministic padding */ 3228 i = 0; 3229 while (sshbuf_len(decrypted)) { 3230 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3231 goto out; 3232 if (pad != (++i & 0xff)) { 3233 r = SSH_ERR_INVALID_FORMAT; 3234 goto out; 3235 } 3236 } 3237 3238 /* XXX decode pubkey and check against private */ 3239 3240 /* success */ 3241 r = 0; 3242 if (keyp != NULL) { 3243 *keyp = k; 3244 k = NULL; 3245 } 3246 if (commentp != NULL) { 3247 *commentp = comment; 3248 comment = NULL; 3249 } 3250 out: 3251 pad = 0; 3252 cipher_free(ciphercontext); 3253 free(ciphername); 3254 free(kdfname); 3255 free(comment); 3256 if (salt != NULL) { 3257 explicit_bzero(salt, slen); 3258 free(salt); 3259 } 3260 if (key != NULL) { 3261 explicit_bzero(key, keylen + ivlen); 3262 free(key); 3263 } 3264 sshbuf_free(encoded); 3265 sshbuf_free(decoded); 3266 sshbuf_free(kdf); 3267 sshbuf_free(decrypted); 3268 sshkey_free(k); 3269 return r; 3270 } 3271 3272 3273 #ifdef WITH_OPENSSL 3274 /* convert SSH v2 key in OpenSSL PEM format */ 3275 static int 3276 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3277 const char *_passphrase, const char *comment) 3278 { 3279 int success, r; 3280 int blen, len = strlen(_passphrase); 3281 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3282 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3283 char *bptr; 3284 BIO *bio = NULL; 3285 3286 if (len > 0 && len <= 4) 3287 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3288 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3289 return SSH_ERR_ALLOC_FAIL; 3290 3291 switch (key->type) { 3292 case KEY_DSA: 3293 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3294 cipher, passphrase, len, NULL, NULL); 3295 break; 3296 case KEY_ECDSA: 3297 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3298 cipher, passphrase, len, NULL, NULL); 3299 break; 3300 case KEY_RSA: 3301 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3302 cipher, passphrase, len, NULL, NULL); 3303 break; 3304 default: 3305 success = 0; 3306 break; 3307 } 3308 if (success == 0) { 3309 r = SSH_ERR_LIBCRYPTO_ERROR; 3310 goto out; 3311 } 3312 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3313 r = SSH_ERR_INTERNAL_ERROR; 3314 goto out; 3315 } 3316 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3317 goto out; 3318 r = 0; 3319 out: 3320 BIO_free(bio); 3321 return r; 3322 } 3323 #endif /* WITH_OPENSSL */ 3324 3325 /* Serialise "key" to buffer "blob" */ 3326 int 3327 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3328 const char *passphrase, const char *comment, 3329 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3330 { 3331 switch (key->type) { 3332 #ifdef WITH_OPENSSL 3333 case KEY_DSA: 3334 case KEY_ECDSA: 3335 case KEY_RSA: 3336 if (force_new_format) { 3337 return sshkey_private_to_blob2(key, blob, passphrase, 3338 comment, new_format_cipher, new_format_rounds); 3339 } 3340 return sshkey_private_pem_to_blob(key, blob, 3341 passphrase, comment); 3342 #endif /* WITH_OPENSSL */ 3343 case KEY_ED25519: 3344 return sshkey_private_to_blob2(key, blob, passphrase, 3345 comment, new_format_cipher, new_format_rounds); 3346 default: 3347 return SSH_ERR_KEY_TYPE_UNKNOWN; 3348 } 3349 } 3350 3351 3352 #ifdef WITH_OPENSSL 3353 static int 3354 translate_libcrypto_error(unsigned long pem_err) 3355 { 3356 int pem_reason = ERR_GET_REASON(pem_err); 3357 3358 switch (ERR_GET_LIB(pem_err)) { 3359 case ERR_LIB_PEM: 3360 switch (pem_reason) { 3361 case PEM_R_BAD_PASSWORD_READ: 3362 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3363 case PEM_R_BAD_DECRYPT: 3364 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3365 default: 3366 return SSH_ERR_INVALID_FORMAT; 3367 } 3368 case ERR_LIB_EVP: 3369 switch (pem_reason) { 3370 case EVP_R_BAD_DECRYPT: 3371 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3372 case EVP_R_BN_DECODE_ERROR: 3373 case EVP_R_DECODE_ERROR: 3374 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3375 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3376 #endif 3377 return SSH_ERR_INVALID_FORMAT; 3378 default: 3379 return SSH_ERR_LIBCRYPTO_ERROR; 3380 } 3381 case ERR_LIB_ASN1: 3382 return SSH_ERR_INVALID_FORMAT; 3383 } 3384 return SSH_ERR_LIBCRYPTO_ERROR; 3385 } 3386 3387 static void 3388 clear_libcrypto_errors(void) 3389 { 3390 while (ERR_get_error() != 0) 3391 ; 3392 } 3393 3394 /* 3395 * Translate OpenSSL error codes to determine whether 3396 * passphrase is required/incorrect. 3397 */ 3398 static int 3399 convert_libcrypto_error(void) 3400 { 3401 /* 3402 * Some password errors are reported at the beginning 3403 * of the error queue. 3404 */ 3405 if (translate_libcrypto_error(ERR_peek_error()) == 3406 SSH_ERR_KEY_WRONG_PASSPHRASE) 3407 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3408 return translate_libcrypto_error(ERR_peek_last_error()); 3409 } 3410 3411 static int 3412 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3413 const char *passphrase, struct sshkey **keyp) 3414 { 3415 EVP_PKEY *pk = NULL; 3416 struct sshkey *prv = NULL; 3417 BIO *bio = NULL; 3418 int r; 3419 3420 if (keyp != NULL) 3421 *keyp = NULL; 3422 3423 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3424 return SSH_ERR_ALLOC_FAIL; 3425 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3426 (int)sshbuf_len(blob)) { 3427 r = SSH_ERR_ALLOC_FAIL; 3428 goto out; 3429 } 3430 3431 clear_libcrypto_errors(); 3432 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3433 (char *)passphrase)) == NULL) { 3434 r = convert_libcrypto_error(); 3435 goto out; 3436 } 3437 if (pk->type == EVP_PKEY_RSA && 3438 (type == KEY_UNSPEC || type == KEY_RSA)) { 3439 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3440 r = SSH_ERR_ALLOC_FAIL; 3441 goto out; 3442 } 3443 prv->rsa = EVP_PKEY_get1_RSA(pk); 3444 prv->type = KEY_RSA; 3445 #ifdef DEBUG_PK 3446 RSA_print_fp(stderr, prv->rsa, 8); 3447 #endif 3448 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3449 r = SSH_ERR_LIBCRYPTO_ERROR; 3450 goto out; 3451 } 3452 if (BN_num_bits(prv->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 3453 r = SSH_ERR_KEY_LENGTH; 3454 goto out; 3455 } 3456 } else if (pk->type == EVP_PKEY_DSA && 3457 (type == KEY_UNSPEC || type == KEY_DSA)) { 3458 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3459 r = SSH_ERR_ALLOC_FAIL; 3460 goto out; 3461 } 3462 prv->dsa = EVP_PKEY_get1_DSA(pk); 3463 prv->type = KEY_DSA; 3464 #ifdef DEBUG_PK 3465 DSA_print_fp(stderr, prv->dsa, 8); 3466 #endif 3467 } else if (pk->type == EVP_PKEY_EC && 3468 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3469 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3470 r = SSH_ERR_ALLOC_FAIL; 3471 goto out; 3472 } 3473 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3474 prv->type = KEY_ECDSA; 3475 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3476 if (prv->ecdsa_nid == -1 || 3477 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3478 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3479 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3480 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3481 r = SSH_ERR_INVALID_FORMAT; 3482 goto out; 3483 } 3484 #ifdef DEBUG_PK 3485 if (prv != NULL && prv->ecdsa != NULL) 3486 sshkey_dump_ec_key(prv->ecdsa); 3487 #endif 3488 } else { 3489 r = SSH_ERR_INVALID_FORMAT; 3490 goto out; 3491 } 3492 r = 0; 3493 if (keyp != NULL) { 3494 *keyp = prv; 3495 prv = NULL; 3496 } 3497 out: 3498 BIO_free(bio); 3499 if (pk != NULL) 3500 EVP_PKEY_free(pk); 3501 sshkey_free(prv); 3502 return r; 3503 } 3504 #endif /* WITH_OPENSSL */ 3505 3506 int 3507 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3508 const char *passphrase, struct sshkey **keyp, char **commentp) 3509 { 3510 int r = SSH_ERR_INTERNAL_ERROR; 3511 3512 if (keyp != NULL) 3513 *keyp = NULL; 3514 if (commentp != NULL) 3515 *commentp = NULL; 3516 3517 switch (type) { 3518 #ifdef WITH_OPENSSL 3519 case KEY_DSA: 3520 case KEY_ECDSA: 3521 case KEY_RSA: 3522 return sshkey_parse_private_pem_fileblob(blob, type, 3523 passphrase, keyp); 3524 #endif /* WITH_OPENSSL */ 3525 case KEY_ED25519: 3526 return sshkey_parse_private2(blob, type, passphrase, 3527 keyp, commentp); 3528 case KEY_UNSPEC: 3529 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3530 commentp); 3531 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3532 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3533 return r; 3534 #ifdef WITH_OPENSSL 3535 return sshkey_parse_private_pem_fileblob(blob, type, 3536 passphrase, keyp); 3537 #else 3538 return SSH_ERR_INVALID_FORMAT; 3539 #endif /* WITH_OPENSSL */ 3540 default: 3541 return SSH_ERR_KEY_TYPE_UNKNOWN; 3542 } 3543 } 3544 3545 int 3546 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3547 struct sshkey **keyp, char **commentp) 3548 { 3549 if (keyp != NULL) 3550 *keyp = NULL; 3551 if (commentp != NULL) 3552 *commentp = NULL; 3553 3554 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3555 passphrase, keyp, commentp); 3556 } 3557