1 /* $OpenBSD: sshkey.c,v 1.4 2014/10/08 21:45:48 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/param.h> 29 #include <sys/types.h> 30 31 #include <openssl/evp.h> 32 #include <openssl/err.h> 33 #include <openssl/pem.h> 34 35 #include "crypto_api.h" 36 37 #include <errno.h> 38 #include <stdio.h> 39 #include <string.h> 40 #include <util.h> 41 42 #include "ssh2.h" 43 #include "ssherr.h" 44 #include "misc.h" 45 #include "sshbuf.h" 46 #include "rsa.h" 47 #include "cipher.h" 48 #include "digest.h" 49 #define SSHKEY_INTERNAL 50 #include "sshkey.h" 51 52 /* openssh private key file format */ 53 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 54 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 55 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 56 #define MARK_END_LEN (sizeof(MARK_END) - 1) 57 #define KDFNAME "bcrypt" 58 #define AUTH_MAGIC "openssh-key-v1" 59 #define SALT_LEN 16 60 #define DEFAULT_CIPHERNAME "aes256-cbc" 61 #define DEFAULT_ROUNDS 16 62 63 /* Version identification string for SSH v1 identity files. */ 64 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 65 66 static int sshkey_from_blob_internal(const u_char *blob, size_t blen, 67 struct sshkey **keyp, int allow_cert); 68 69 /* Supported key types */ 70 struct keytype { 71 const char *name; 72 const char *shortname; 73 int type; 74 int nid; 75 int cert; 76 }; 77 static const struct keytype keytypes[] = { 78 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 79 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 80 KEY_ED25519_CERT, 0, 1 }, 81 #ifdef WITH_OPENSSL 82 { NULL, "RSA1", KEY_RSA1, 0, 0 }, 83 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 84 { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 85 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 86 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 87 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 88 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 89 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 90 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 91 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 92 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 93 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 94 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 95 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 96 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 97 KEY_RSA_CERT_V00, 0, 1 }, 98 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 99 KEY_DSA_CERT_V00, 0, 1 }, 100 #endif /* WITH_OPENSSL */ 101 { NULL, NULL, -1, -1, 0 } 102 }; 103 104 const char * 105 sshkey_type(const struct sshkey *k) 106 { 107 const struct keytype *kt; 108 109 for (kt = keytypes; kt->type != -1; kt++) { 110 if (kt->type == k->type) 111 return kt->shortname; 112 } 113 return "unknown"; 114 } 115 116 static const char * 117 sshkey_ssh_name_from_type_nid(int type, int nid) 118 { 119 const struct keytype *kt; 120 121 for (kt = keytypes; kt->type != -1; kt++) { 122 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 123 return kt->name; 124 } 125 return "ssh-unknown"; 126 } 127 128 int 129 sshkey_type_is_cert(int type) 130 { 131 const struct keytype *kt; 132 133 for (kt = keytypes; kt->type != -1; kt++) { 134 if (kt->type == type) 135 return kt->cert; 136 } 137 return 0; 138 } 139 140 const char * 141 sshkey_ssh_name(const struct sshkey *k) 142 { 143 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 144 } 145 146 const char * 147 sshkey_ssh_name_plain(const struct sshkey *k) 148 { 149 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 150 k->ecdsa_nid); 151 } 152 153 int 154 sshkey_type_from_name(const char *name) 155 { 156 const struct keytype *kt; 157 158 for (kt = keytypes; kt->type != -1; kt++) { 159 /* Only allow shortname matches for plain key types */ 160 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 161 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 162 return kt->type; 163 } 164 return KEY_UNSPEC; 165 } 166 167 int 168 sshkey_ecdsa_nid_from_name(const char *name) 169 { 170 const struct keytype *kt; 171 172 for (kt = keytypes; kt->type != -1; kt++) { 173 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 174 continue; 175 if (kt->name != NULL && strcmp(name, kt->name) == 0) 176 return kt->nid; 177 } 178 return -1; 179 } 180 181 char * 182 key_alg_list(int certs_only, int plain_only) 183 { 184 char *tmp, *ret = NULL; 185 size_t nlen, rlen = 0; 186 const struct keytype *kt; 187 188 for (kt = keytypes; kt->type != -1; kt++) { 189 if (kt->name == NULL) 190 continue; 191 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 192 continue; 193 if (ret != NULL) 194 ret[rlen++] = '\n'; 195 nlen = strlen(kt->name); 196 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 197 free(ret); 198 return NULL; 199 } 200 ret = tmp; 201 memcpy(ret + rlen, kt->name, nlen + 1); 202 rlen += nlen; 203 } 204 return ret; 205 } 206 207 int 208 sshkey_names_valid2(const char *names) 209 { 210 char *s, *cp, *p; 211 212 if (names == NULL || strcmp(names, "") == 0) 213 return 0; 214 if ((s = cp = strdup(names)) == NULL) 215 return 0; 216 for ((p = strsep(&cp, ",")); p && *p != '\0'; 217 (p = strsep(&cp, ","))) { 218 switch (sshkey_type_from_name(p)) { 219 case KEY_RSA1: 220 case KEY_UNSPEC: 221 free(s); 222 return 0; 223 } 224 } 225 free(s); 226 return 1; 227 } 228 229 u_int 230 sshkey_size(const struct sshkey *k) 231 { 232 switch (k->type) { 233 #ifdef WITH_OPENSSL 234 case KEY_RSA1: 235 case KEY_RSA: 236 case KEY_RSA_CERT_V00: 237 case KEY_RSA_CERT: 238 return BN_num_bits(k->rsa->n); 239 case KEY_DSA: 240 case KEY_DSA_CERT_V00: 241 case KEY_DSA_CERT: 242 return BN_num_bits(k->dsa->p); 243 case KEY_ECDSA: 244 case KEY_ECDSA_CERT: 245 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 246 #endif /* WITH_OPENSSL */ 247 case KEY_ED25519: 248 case KEY_ED25519_CERT: 249 return 256; /* XXX */ 250 } 251 return 0; 252 } 253 254 int 255 sshkey_cert_is_legacy(const struct sshkey *k) 256 { 257 switch (k->type) { 258 case KEY_DSA_CERT_V00: 259 case KEY_RSA_CERT_V00: 260 return 1; 261 default: 262 return 0; 263 } 264 } 265 266 static int 267 sshkey_type_is_valid_ca(int type) 268 { 269 switch (type) { 270 case KEY_RSA: 271 case KEY_DSA: 272 case KEY_ECDSA: 273 case KEY_ED25519: 274 return 1; 275 default: 276 return 0; 277 } 278 } 279 280 int 281 sshkey_is_cert(const struct sshkey *k) 282 { 283 if (k == NULL) 284 return 0; 285 return sshkey_type_is_cert(k->type); 286 } 287 288 /* Return the cert-less equivalent to a certified key type */ 289 int 290 sshkey_type_plain(int type) 291 { 292 switch (type) { 293 case KEY_RSA_CERT_V00: 294 case KEY_RSA_CERT: 295 return KEY_RSA; 296 case KEY_DSA_CERT_V00: 297 case KEY_DSA_CERT: 298 return KEY_DSA; 299 case KEY_ECDSA_CERT: 300 return KEY_ECDSA; 301 case KEY_ED25519_CERT: 302 return KEY_ED25519; 303 default: 304 return type; 305 } 306 } 307 308 #ifdef WITH_OPENSSL 309 /* XXX: these are really begging for a table-driven approach */ 310 int 311 sshkey_curve_name_to_nid(const char *name) 312 { 313 if (strcmp(name, "nistp256") == 0) 314 return NID_X9_62_prime256v1; 315 else if (strcmp(name, "nistp384") == 0) 316 return NID_secp384r1; 317 else if (strcmp(name, "nistp521") == 0) 318 return NID_secp521r1; 319 else 320 return -1; 321 } 322 323 u_int 324 sshkey_curve_nid_to_bits(int nid) 325 { 326 switch (nid) { 327 case NID_X9_62_prime256v1: 328 return 256; 329 case NID_secp384r1: 330 return 384; 331 case NID_secp521r1: 332 return 521; 333 default: 334 return 0; 335 } 336 } 337 338 int 339 sshkey_ecdsa_bits_to_nid(int bits) 340 { 341 switch (bits) { 342 case 256: 343 return NID_X9_62_prime256v1; 344 case 384: 345 return NID_secp384r1; 346 case 521: 347 return NID_secp521r1; 348 default: 349 return -1; 350 } 351 } 352 353 const char * 354 sshkey_curve_nid_to_name(int nid) 355 { 356 switch (nid) { 357 case NID_X9_62_prime256v1: 358 return "nistp256"; 359 case NID_secp384r1: 360 return "nistp384"; 361 case NID_secp521r1: 362 return "nistp521"; 363 default: 364 return NULL; 365 } 366 } 367 368 int 369 sshkey_ec_nid_to_hash_alg(int nid) 370 { 371 int kbits = sshkey_curve_nid_to_bits(nid); 372 373 if (kbits <= 0) 374 return -1; 375 376 /* RFC5656 section 6.2.1 */ 377 if (kbits <= 256) 378 return SSH_DIGEST_SHA256; 379 else if (kbits <= 384) 380 return SSH_DIGEST_SHA384; 381 else 382 return SSH_DIGEST_SHA512; 383 } 384 #endif /* WITH_OPENSSL */ 385 386 static void 387 cert_free(struct sshkey_cert *cert) 388 { 389 u_int i; 390 391 if (cert == NULL) 392 return; 393 if (cert->certblob != NULL) 394 sshbuf_free(cert->certblob); 395 if (cert->critical != NULL) 396 sshbuf_free(cert->critical); 397 if (cert->extensions != NULL) 398 sshbuf_free(cert->extensions); 399 if (cert->key_id != NULL) 400 free(cert->key_id); 401 for (i = 0; i < cert->nprincipals; i++) 402 free(cert->principals[i]); 403 if (cert->principals != NULL) 404 free(cert->principals); 405 if (cert->signature_key != NULL) 406 sshkey_free(cert->signature_key); 407 explicit_bzero(cert, sizeof(*cert)); 408 free(cert); 409 } 410 411 static struct sshkey_cert * 412 cert_new(void) 413 { 414 struct sshkey_cert *cert; 415 416 if ((cert = calloc(1, sizeof(*cert))) == NULL) 417 return NULL; 418 if ((cert->certblob = sshbuf_new()) == NULL || 419 (cert->critical = sshbuf_new()) == NULL || 420 (cert->extensions = sshbuf_new()) == NULL) { 421 cert_free(cert); 422 return NULL; 423 } 424 cert->key_id = NULL; 425 cert->principals = NULL; 426 cert->signature_key = NULL; 427 return cert; 428 } 429 430 struct sshkey * 431 sshkey_new(int type) 432 { 433 struct sshkey *k; 434 #ifdef WITH_OPENSSL 435 RSA *rsa; 436 DSA *dsa; 437 #endif /* WITH_OPENSSL */ 438 439 if ((k = calloc(1, sizeof(*k))) == NULL) 440 return NULL; 441 k->type = type; 442 k->ecdsa = NULL; 443 k->ecdsa_nid = -1; 444 k->dsa = NULL; 445 k->rsa = NULL; 446 k->cert = NULL; 447 k->ed25519_sk = NULL; 448 k->ed25519_pk = NULL; 449 switch (k->type) { 450 #ifdef WITH_OPENSSL 451 case KEY_RSA1: 452 case KEY_RSA: 453 case KEY_RSA_CERT_V00: 454 case KEY_RSA_CERT: 455 if ((rsa = RSA_new()) == NULL || 456 (rsa->n = BN_new()) == NULL || 457 (rsa->e = BN_new()) == NULL) { 458 if (rsa != NULL) 459 RSA_free(rsa); 460 free(k); 461 return NULL; 462 } 463 k->rsa = rsa; 464 break; 465 case KEY_DSA: 466 case KEY_DSA_CERT_V00: 467 case KEY_DSA_CERT: 468 if ((dsa = DSA_new()) == NULL || 469 (dsa->p = BN_new()) == NULL || 470 (dsa->q = BN_new()) == NULL || 471 (dsa->g = BN_new()) == NULL || 472 (dsa->pub_key = BN_new()) == NULL) { 473 if (dsa != NULL) 474 DSA_free(dsa); 475 free(k); 476 return NULL; 477 } 478 k->dsa = dsa; 479 break; 480 case KEY_ECDSA: 481 case KEY_ECDSA_CERT: 482 /* Cannot do anything until we know the group */ 483 break; 484 #endif /* WITH_OPENSSL */ 485 case KEY_ED25519: 486 case KEY_ED25519_CERT: 487 /* no need to prealloc */ 488 break; 489 case KEY_UNSPEC: 490 break; 491 default: 492 free(k); 493 return NULL; 494 break; 495 } 496 497 if (sshkey_is_cert(k)) { 498 if ((k->cert = cert_new()) == NULL) { 499 sshkey_free(k); 500 return NULL; 501 } 502 } 503 504 return k; 505 } 506 507 int 508 sshkey_add_private(struct sshkey *k) 509 { 510 switch (k->type) { 511 #ifdef WITH_OPENSSL 512 case KEY_RSA1: 513 case KEY_RSA: 514 case KEY_RSA_CERT_V00: 515 case KEY_RSA_CERT: 516 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 517 if (bn_maybe_alloc_failed(k->rsa->d) || 518 bn_maybe_alloc_failed(k->rsa->iqmp) || 519 bn_maybe_alloc_failed(k->rsa->q) || 520 bn_maybe_alloc_failed(k->rsa->p) || 521 bn_maybe_alloc_failed(k->rsa->dmq1) || 522 bn_maybe_alloc_failed(k->rsa->dmp1)) 523 return SSH_ERR_ALLOC_FAIL; 524 break; 525 case KEY_DSA: 526 case KEY_DSA_CERT_V00: 527 case KEY_DSA_CERT: 528 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 529 return SSH_ERR_ALLOC_FAIL; 530 break; 531 #undef bn_maybe_alloc_failed 532 case KEY_ECDSA: 533 case KEY_ECDSA_CERT: 534 /* Cannot do anything until we know the group */ 535 break; 536 #endif /* WITH_OPENSSL */ 537 case KEY_ED25519: 538 case KEY_ED25519_CERT: 539 /* no need to prealloc */ 540 break; 541 case KEY_UNSPEC: 542 break; 543 default: 544 return SSH_ERR_INVALID_ARGUMENT; 545 } 546 return 0; 547 } 548 549 struct sshkey * 550 sshkey_new_private(int type) 551 { 552 struct sshkey *k = sshkey_new(type); 553 554 if (k == NULL) 555 return NULL; 556 if (sshkey_add_private(k) != 0) { 557 sshkey_free(k); 558 return NULL; 559 } 560 return k; 561 } 562 563 void 564 sshkey_free(struct sshkey *k) 565 { 566 if (k == NULL) 567 return; 568 switch (k->type) { 569 #ifdef WITH_OPENSSL 570 case KEY_RSA1: 571 case KEY_RSA: 572 case KEY_RSA_CERT_V00: 573 case KEY_RSA_CERT: 574 if (k->rsa != NULL) 575 RSA_free(k->rsa); 576 k->rsa = NULL; 577 break; 578 case KEY_DSA: 579 case KEY_DSA_CERT_V00: 580 case KEY_DSA_CERT: 581 if (k->dsa != NULL) 582 DSA_free(k->dsa); 583 k->dsa = NULL; 584 break; 585 case KEY_ECDSA: 586 case KEY_ECDSA_CERT: 587 if (k->ecdsa != NULL) 588 EC_KEY_free(k->ecdsa); 589 k->ecdsa = NULL; 590 break; 591 #endif /* WITH_OPENSSL */ 592 case KEY_ED25519: 593 case KEY_ED25519_CERT: 594 if (k->ed25519_pk) { 595 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 596 free(k->ed25519_pk); 597 k->ed25519_pk = NULL; 598 } 599 if (k->ed25519_sk) { 600 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 601 free(k->ed25519_sk); 602 k->ed25519_sk = NULL; 603 } 604 break; 605 case KEY_UNSPEC: 606 break; 607 default: 608 break; 609 } 610 if (sshkey_is_cert(k)) 611 cert_free(k->cert); 612 explicit_bzero(k, sizeof(*k)); 613 free(k); 614 } 615 616 static int 617 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 618 { 619 if (a == NULL && b == NULL) 620 return 1; 621 if (a == NULL || b == NULL) 622 return 0; 623 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 624 return 0; 625 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 626 sshbuf_len(a->certblob)) != 0) 627 return 0; 628 return 1; 629 } 630 631 /* 632 * Compare public portions of key only, allowing comparisons between 633 * certificates and plain keys too. 634 */ 635 int 636 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 637 { 638 #ifdef WITH_OPENSSL 639 BN_CTX *bnctx; 640 #endif /* WITH_OPENSSL */ 641 642 if (a == NULL || b == NULL || 643 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 644 return 0; 645 646 switch (a->type) { 647 #ifdef WITH_OPENSSL 648 case KEY_RSA1: 649 case KEY_RSA_CERT_V00: 650 case KEY_RSA_CERT: 651 case KEY_RSA: 652 return a->rsa != NULL && b->rsa != NULL && 653 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 654 BN_cmp(a->rsa->n, b->rsa->n) == 0; 655 case KEY_DSA_CERT_V00: 656 case KEY_DSA_CERT: 657 case KEY_DSA: 658 return a->dsa != NULL && b->dsa != NULL && 659 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 660 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 661 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 662 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 663 case KEY_ECDSA_CERT: 664 case KEY_ECDSA: 665 if (a->ecdsa == NULL || b->ecdsa == NULL || 666 EC_KEY_get0_public_key(a->ecdsa) == NULL || 667 EC_KEY_get0_public_key(b->ecdsa) == NULL) 668 return 0; 669 if ((bnctx = BN_CTX_new()) == NULL) 670 return 0; 671 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 672 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 673 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 674 EC_KEY_get0_public_key(a->ecdsa), 675 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 676 BN_CTX_free(bnctx); 677 return 0; 678 } 679 BN_CTX_free(bnctx); 680 return 1; 681 #endif /* WITH_OPENSSL */ 682 case KEY_ED25519: 683 case KEY_ED25519_CERT: 684 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 685 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 686 default: 687 return 0; 688 } 689 /* NOTREACHED */ 690 } 691 692 int 693 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 694 { 695 if (a == NULL || b == NULL || a->type != b->type) 696 return 0; 697 if (sshkey_is_cert(a)) { 698 if (!cert_compare(a->cert, b->cert)) 699 return 0; 700 } 701 return sshkey_equal_public(a, b); 702 } 703 704 static int 705 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 706 { 707 int type, ret = SSH_ERR_INTERNAL_ERROR; 708 const char *typename; 709 710 if (key == NULL) 711 return SSH_ERR_INVALID_ARGUMENT; 712 713 type = force_plain ? sshkey_type_plain(key->type) : key->type; 714 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 715 716 switch (type) { 717 #ifdef WITH_OPENSSL 718 case KEY_DSA_CERT_V00: 719 case KEY_RSA_CERT_V00: 720 case KEY_DSA_CERT: 721 case KEY_ECDSA_CERT: 722 case KEY_RSA_CERT: 723 #endif /* WITH_OPENSSL */ 724 case KEY_ED25519_CERT: 725 /* Use the existing blob */ 726 /* XXX modified flag? */ 727 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 728 return ret; 729 break; 730 #ifdef WITH_OPENSSL 731 case KEY_DSA: 732 if (key->dsa == NULL) 733 return SSH_ERR_INVALID_ARGUMENT; 734 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 735 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 736 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 737 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 738 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 739 return ret; 740 break; 741 case KEY_ECDSA: 742 if (key->ecdsa == NULL) 743 return SSH_ERR_INVALID_ARGUMENT; 744 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 745 (ret = sshbuf_put_cstring(b, 746 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 747 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 748 return ret; 749 break; 750 case KEY_RSA: 751 if (key->rsa == NULL) 752 return SSH_ERR_INVALID_ARGUMENT; 753 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 754 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 755 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 756 return ret; 757 break; 758 #endif /* WITH_OPENSSL */ 759 case KEY_ED25519: 760 if (key->ed25519_pk == NULL) 761 return SSH_ERR_INVALID_ARGUMENT; 762 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 763 (ret = sshbuf_put_string(b, 764 key->ed25519_pk, ED25519_PK_SZ)) != 0) 765 return ret; 766 break; 767 default: 768 return SSH_ERR_KEY_TYPE_UNKNOWN; 769 } 770 return 0; 771 } 772 773 int 774 sshkey_to_blob_buf(const struct sshkey *key, struct sshbuf *b) 775 { 776 return to_blob_buf(key, b, 0); 777 } 778 779 int 780 sshkey_plain_to_blob_buf(const struct sshkey *key, struct sshbuf *b) 781 { 782 return to_blob_buf(key, b, 1); 783 } 784 785 static int 786 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 787 { 788 int ret = SSH_ERR_INTERNAL_ERROR; 789 size_t len; 790 struct sshbuf *b = NULL; 791 792 if (lenp != NULL) 793 *lenp = 0; 794 if (blobp != NULL) 795 *blobp = NULL; 796 if ((b = sshbuf_new()) == NULL) 797 return SSH_ERR_ALLOC_FAIL; 798 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 799 goto out; 800 len = sshbuf_len(b); 801 if (lenp != NULL) 802 *lenp = len; 803 if (blobp != NULL) { 804 if ((*blobp = malloc(len)) == NULL) { 805 ret = SSH_ERR_ALLOC_FAIL; 806 goto out; 807 } 808 memcpy(*blobp, sshbuf_ptr(b), len); 809 } 810 ret = 0; 811 out: 812 sshbuf_free(b); 813 return ret; 814 } 815 816 int 817 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 818 { 819 return to_blob(key, blobp, lenp, 0); 820 } 821 822 int 823 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 824 { 825 return to_blob(key, blobp, lenp, 1); 826 } 827 828 int 829 sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, 830 u_char **retp, size_t *lenp) 831 { 832 u_char *blob = NULL, *ret = NULL; 833 size_t blob_len = 0; 834 int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR; 835 836 if (retp != NULL) 837 *retp = NULL; 838 if (lenp != NULL) 839 *lenp = 0; 840 841 switch (dgst_type) { 842 case SSH_FP_MD5: 843 hash_alg = SSH_DIGEST_MD5; 844 break; 845 case SSH_FP_SHA1: 846 hash_alg = SSH_DIGEST_SHA1; 847 break; 848 case SSH_FP_SHA256: 849 hash_alg = SSH_DIGEST_SHA256; 850 break; 851 default: 852 r = SSH_ERR_INVALID_ARGUMENT; 853 goto out; 854 } 855 856 if (k->type == KEY_RSA1) { 857 #ifdef WITH_OPENSSL 858 int nlen = BN_num_bytes(k->rsa->n); 859 int elen = BN_num_bytes(k->rsa->e); 860 861 blob_len = nlen + elen; 862 if (nlen >= INT_MAX - elen || 863 (blob = malloc(blob_len)) == NULL) { 864 r = SSH_ERR_ALLOC_FAIL; 865 goto out; 866 } 867 BN_bn2bin(k->rsa->n, blob); 868 BN_bn2bin(k->rsa->e, blob + nlen); 869 #endif /* WITH_OPENSSL */ 870 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 871 goto out; 872 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 873 r = SSH_ERR_ALLOC_FAIL; 874 goto out; 875 } 876 if ((r = ssh_digest_memory(hash_alg, blob, blob_len, 877 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 878 goto out; 879 /* success */ 880 if (retp != NULL) { 881 *retp = ret; 882 ret = NULL; 883 } 884 if (lenp != NULL) 885 *lenp = ssh_digest_bytes(hash_alg); 886 r = 0; 887 out: 888 free(ret); 889 if (blob != NULL) { 890 explicit_bzero(blob, blob_len); 891 free(blob); 892 } 893 return r; 894 } 895 896 static char * 897 fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len) 898 { 899 char *retval; 900 size_t i; 901 902 if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL) 903 return NULL; 904 for (i = 0; i < dgst_raw_len; i++) { 905 char hex[4]; 906 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); 907 strlcat(retval, hex, dgst_raw_len * 3 + 1); 908 } 909 910 /* Remove the trailing ':' character */ 911 retval[(dgst_raw_len * 3) - 1] = '\0'; 912 return retval; 913 } 914 915 static char * 916 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 917 { 918 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 919 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 920 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 921 u_int i, j = 0, rounds, seed = 1; 922 char *retval; 923 924 rounds = (dgst_raw_len / 2) + 1; 925 if ((retval = calloc(rounds, 6)) == NULL) 926 return NULL; 927 retval[j++] = 'x'; 928 for (i = 0; i < rounds; i++) { 929 u_int idx0, idx1, idx2, idx3, idx4; 930 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 931 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 932 seed) % 6; 933 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 934 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 935 (seed / 6)) % 6; 936 retval[j++] = vowels[idx0]; 937 retval[j++] = consonants[idx1]; 938 retval[j++] = vowels[idx2]; 939 if ((i + 1) < rounds) { 940 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 941 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 942 retval[j++] = consonants[idx3]; 943 retval[j++] = '-'; 944 retval[j++] = consonants[idx4]; 945 seed = ((seed * 5) + 946 ((((u_int)(dgst_raw[2 * i])) * 7) + 947 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 948 } 949 } else { 950 idx0 = seed % 6; 951 idx1 = 16; 952 idx2 = seed / 6; 953 retval[j++] = vowels[idx0]; 954 retval[j++] = consonants[idx1]; 955 retval[j++] = vowels[idx2]; 956 } 957 } 958 retval[j++] = 'x'; 959 retval[j++] = '\0'; 960 return retval; 961 } 962 963 /* 964 * Draw an ASCII-Art representing the fingerprint so human brain can 965 * profit from its built-in pattern recognition ability. 966 * This technique is called "random art" and can be found in some 967 * scientific publications like this original paper: 968 * 969 * "Hash Visualization: a New Technique to improve Real-World Security", 970 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 971 * Techniques and E-Commerce (CrypTEC '99) 972 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 973 * 974 * The subject came up in a talk by Dan Kaminsky, too. 975 * 976 * If you see the picture is different, the key is different. 977 * If the picture looks the same, you still know nothing. 978 * 979 * The algorithm used here is a worm crawling over a discrete plane, 980 * leaving a trace (augmenting the field) everywhere it goes. 981 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 982 * makes the respective movement vector be ignored for this turn. 983 * Graphs are not unambiguous, because circles in graphs can be 984 * walked in either direction. 985 */ 986 987 /* 988 * Field sizes for the random art. Have to be odd, so the starting point 989 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 990 * Else pictures would be too dense, and drawing the frame would 991 * fail, too, because the key type would not fit in anymore. 992 */ 993 #define FLDBASE 8 994 #define FLDSIZE_Y (FLDBASE + 1) 995 #define FLDSIZE_X (FLDBASE * 2 + 1) 996 static char * 997 fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, 998 const struct sshkey *k) 999 { 1000 /* 1001 * Chars to be used after each other every time the worm 1002 * intersects with itself. Matter of taste. 1003 */ 1004 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1005 char *retval, *p, title[FLDSIZE_X]; 1006 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1007 size_t i, tlen; 1008 u_int b; 1009 int x, y, r; 1010 size_t len = strlen(augmentation_string) - 1; 1011 1012 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1013 return NULL; 1014 1015 /* initialize field */ 1016 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1017 x = FLDSIZE_X / 2; 1018 y = FLDSIZE_Y / 2; 1019 1020 /* process raw key */ 1021 for (i = 0; i < dgst_raw_len; i++) { 1022 int input; 1023 /* each byte conveys four 2-bit move commands */ 1024 input = dgst_raw[i]; 1025 for (b = 0; b < 4; b++) { 1026 /* evaluate 2 bit, rest is shifted later */ 1027 x += (input & 0x1) ? 1 : -1; 1028 y += (input & 0x2) ? 1 : -1; 1029 1030 /* assure we are still in bounds */ 1031 x = MAX(x, 0); 1032 y = MAX(y, 0); 1033 x = MIN(x, FLDSIZE_X - 1); 1034 y = MIN(y, FLDSIZE_Y - 1); 1035 1036 /* augment the field */ 1037 if (field[x][y] < len - 2) 1038 field[x][y]++; 1039 input = input >> 2; 1040 } 1041 } 1042 1043 /* mark starting point and end point*/ 1044 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1045 field[x][y] = len; 1046 1047 /* assemble title */ 1048 r = snprintf(title, sizeof(title), "[%s %u]", 1049 sshkey_type(k), sshkey_size(k)); 1050 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1051 if (r < 0 || r > (int)sizeof(title)) 1052 snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1053 tlen = strlen(title); 1054 1055 /* output upper border */ 1056 p = retval; 1057 *p++ = '+'; 1058 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1059 *p++ = '-'; 1060 memcpy(p, title, tlen); 1061 p += tlen; 1062 for (i = p - retval - 1; i < FLDSIZE_X; i++) 1063 *p++ = '-'; 1064 *p++ = '+'; 1065 *p++ = '\n'; 1066 1067 /* output content */ 1068 for (y = 0; y < FLDSIZE_Y; y++) { 1069 *p++ = '|'; 1070 for (x = 0; x < FLDSIZE_X; x++) 1071 *p++ = augmentation_string[MIN(field[x][y], len)]; 1072 *p++ = '|'; 1073 *p++ = '\n'; 1074 } 1075 1076 /* output lower border */ 1077 *p++ = '+'; 1078 for (i = 0; i < FLDSIZE_X; i++) 1079 *p++ = '-'; 1080 *p++ = '+'; 1081 1082 return retval; 1083 } 1084 1085 char * 1086 sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type, 1087 enum sshkey_fp_rep dgst_rep) 1088 { 1089 char *retval = NULL; 1090 u_char *dgst_raw; 1091 size_t dgst_raw_len; 1092 1093 if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0) 1094 return NULL; 1095 switch (dgst_rep) { 1096 case SSH_FP_HEX: 1097 retval = fingerprint_hex(dgst_raw, dgst_raw_len); 1098 break; 1099 case SSH_FP_BUBBLEBABBLE: 1100 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1101 break; 1102 case SSH_FP_RANDOMART: 1103 retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k); 1104 break; 1105 default: 1106 explicit_bzero(dgst_raw, dgst_raw_len); 1107 free(dgst_raw); 1108 return NULL; 1109 } 1110 explicit_bzero(dgst_raw, dgst_raw_len); 1111 free(dgst_raw); 1112 return retval; 1113 } 1114 1115 #ifdef WITH_SSH1 1116 /* 1117 * Reads a multiple-precision integer in decimal from the buffer, and advances 1118 * the pointer. The integer must already be initialized. This function is 1119 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1120 * last processed character. 1121 */ 1122 static int 1123 read_decimal_bignum(char **cpp, BIGNUM *v) 1124 { 1125 char *cp; 1126 size_t e; 1127 int skip = 1; /* skip white space */ 1128 1129 cp = *cpp; 1130 while (*cp == ' ' || *cp == '\t') 1131 cp++; 1132 e = strspn(cp, "0123456789"); 1133 if (e == 0) 1134 return SSH_ERR_INVALID_FORMAT; 1135 if (e > SSHBUF_MAX_BIGNUM * 3) 1136 return SSH_ERR_BIGNUM_TOO_LARGE; 1137 if (cp[e] == '\0') 1138 skip = 0; 1139 else if (index(" \t\r\n", cp[e]) == NULL) 1140 return SSH_ERR_INVALID_FORMAT; 1141 cp[e] = '\0'; 1142 if (BN_dec2bn(&v, cp) <= 0) 1143 return SSH_ERR_INVALID_FORMAT; 1144 *cpp = cp + e + skip; 1145 return 0; 1146 } 1147 #endif /* WITH_SSH1 */ 1148 1149 /* returns 0 ok, and < 0 error */ 1150 int 1151 sshkey_read(struct sshkey *ret, char **cpp) 1152 { 1153 struct sshkey *k; 1154 int retval = SSH_ERR_INVALID_FORMAT; 1155 char *cp, *space; 1156 int r, type, curve_nid = -1; 1157 struct sshbuf *blob; 1158 #ifdef WITH_SSH1 1159 char *ep; 1160 u_long bits; 1161 #endif /* WITH_SSH1 */ 1162 1163 cp = *cpp; 1164 1165 switch (ret->type) { 1166 case KEY_RSA1: 1167 #ifdef WITH_SSH1 1168 /* Get number of bits. */ 1169 bits = strtoul(cp, &ep, 10); 1170 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || 1171 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1172 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1173 /* Get public exponent, public modulus. */ 1174 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1175 return r; 1176 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1177 return r; 1178 *cpp = ep; 1179 /* validate the claimed number of bits */ 1180 if (BN_num_bits(ret->rsa->n) != (int)bits) 1181 return SSH_ERR_KEY_BITS_MISMATCH; 1182 retval = 0; 1183 #endif /* WITH_SSH1 */ 1184 break; 1185 case KEY_UNSPEC: 1186 case KEY_RSA: 1187 case KEY_DSA: 1188 case KEY_ECDSA: 1189 case KEY_ED25519: 1190 case KEY_DSA_CERT_V00: 1191 case KEY_RSA_CERT_V00: 1192 case KEY_DSA_CERT: 1193 case KEY_ECDSA_CERT: 1194 case KEY_RSA_CERT: 1195 case KEY_ED25519_CERT: 1196 space = strchr(cp, ' '); 1197 if (space == NULL) 1198 return SSH_ERR_INVALID_FORMAT; 1199 *space = '\0'; 1200 type = sshkey_type_from_name(cp); 1201 if (sshkey_type_plain(type) == KEY_ECDSA && 1202 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1203 return SSH_ERR_EC_CURVE_INVALID; 1204 *space = ' '; 1205 if (type == KEY_UNSPEC) 1206 return SSH_ERR_INVALID_FORMAT; 1207 cp = space+1; 1208 if (*cp == '\0') 1209 return SSH_ERR_INVALID_FORMAT; 1210 if (ret->type == KEY_UNSPEC) { 1211 ret->type = type; 1212 } else if (ret->type != type) 1213 return SSH_ERR_KEY_TYPE_MISMATCH; 1214 if ((blob = sshbuf_new()) == NULL) 1215 return SSH_ERR_ALLOC_FAIL; 1216 /* trim comment */ 1217 space = strchr(cp, ' '); 1218 if (space) 1219 *space = '\0'; 1220 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1221 sshbuf_free(blob); 1222 return r; 1223 } 1224 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1225 sshbuf_len(blob), &k)) != 0) { 1226 sshbuf_free(blob); 1227 return r; 1228 } 1229 sshbuf_free(blob); 1230 if (k->type != type) { 1231 sshkey_free(k); 1232 return SSH_ERR_KEY_TYPE_MISMATCH; 1233 } 1234 if (sshkey_type_plain(type) == KEY_ECDSA && 1235 curve_nid != k->ecdsa_nid) { 1236 sshkey_free(k); 1237 return SSH_ERR_EC_CURVE_MISMATCH; 1238 } 1239 /*XXXX*/ 1240 if (sshkey_is_cert(ret)) { 1241 if (!sshkey_is_cert(k)) { 1242 sshkey_free(k); 1243 return SSH_ERR_EXPECTED_CERT; 1244 } 1245 if (ret->cert != NULL) 1246 cert_free(ret->cert); 1247 ret->cert = k->cert; 1248 k->cert = NULL; 1249 } 1250 #ifdef WITH_OPENSSL 1251 if (sshkey_type_plain(ret->type) == KEY_RSA) { 1252 if (ret->rsa != NULL) 1253 RSA_free(ret->rsa); 1254 ret->rsa = k->rsa; 1255 k->rsa = NULL; 1256 #ifdef DEBUG_PK 1257 RSA_print_fp(stderr, ret->rsa, 8); 1258 #endif 1259 } 1260 if (sshkey_type_plain(ret->type) == KEY_DSA) { 1261 if (ret->dsa != NULL) 1262 DSA_free(ret->dsa); 1263 ret->dsa = k->dsa; 1264 k->dsa = NULL; 1265 #ifdef DEBUG_PK 1266 DSA_print_fp(stderr, ret->dsa, 8); 1267 #endif 1268 } 1269 if (sshkey_type_plain(ret->type) == KEY_ECDSA) { 1270 if (ret->ecdsa != NULL) 1271 EC_KEY_free(ret->ecdsa); 1272 ret->ecdsa = k->ecdsa; 1273 ret->ecdsa_nid = k->ecdsa_nid; 1274 k->ecdsa = NULL; 1275 k->ecdsa_nid = -1; 1276 #ifdef DEBUG_PK 1277 sshkey_dump_ec_key(ret->ecdsa); 1278 #endif 1279 } 1280 #endif /* WITH_OPENSSL */ 1281 if (sshkey_type_plain(ret->type) == KEY_ED25519) { 1282 free(ret->ed25519_pk); 1283 ret->ed25519_pk = k->ed25519_pk; 1284 k->ed25519_pk = NULL; 1285 #ifdef DEBUG_PK 1286 /* XXX */ 1287 #endif 1288 } 1289 retval = 0; 1290 /*XXXX*/ 1291 sshkey_free(k); 1292 if (retval != 0) 1293 break; 1294 /* advance cp: skip whitespace and data */ 1295 while (*cp == ' ' || *cp == '\t') 1296 cp++; 1297 while (*cp != '\0' && *cp != ' ' && *cp != '\t') 1298 cp++; 1299 *cpp = cp; 1300 break; 1301 default: 1302 return SSH_ERR_INVALID_ARGUMENT; 1303 } 1304 return retval; 1305 } 1306 1307 int 1308 sshkey_write(const struct sshkey *key, FILE *f) 1309 { 1310 int ret = SSH_ERR_INTERNAL_ERROR; 1311 struct sshbuf *b = NULL, *bb = NULL; 1312 char *uu = NULL; 1313 #ifdef WITH_SSH1 1314 u_int bits = 0; 1315 char *dec_e = NULL, *dec_n = NULL; 1316 #endif /* WITH_SSH1 */ 1317 1318 if (sshkey_is_cert(key)) { 1319 if (key->cert == NULL) 1320 return SSH_ERR_EXPECTED_CERT; 1321 if (sshbuf_len(key->cert->certblob) == 0) 1322 return SSH_ERR_KEY_LACKS_CERTBLOB; 1323 } 1324 if ((b = sshbuf_new()) == NULL) 1325 return SSH_ERR_ALLOC_FAIL; 1326 switch (key->type) { 1327 #ifdef WITH_SSH1 1328 case KEY_RSA1: 1329 if (key->rsa == NULL || key->rsa->e == NULL || 1330 key->rsa->n == NULL) { 1331 ret = SSH_ERR_INVALID_ARGUMENT; 1332 goto out; 1333 } 1334 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1335 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1336 ret = SSH_ERR_ALLOC_FAIL; 1337 goto out; 1338 } 1339 /* size of modulus 'n' */ 1340 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1341 ret = SSH_ERR_INVALID_ARGUMENT; 1342 goto out; 1343 } 1344 if ((ret = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1345 goto out; 1346 #endif /* WITH_SSH1 */ 1347 break; 1348 #ifdef WITH_OPENSSL 1349 case KEY_DSA: 1350 case KEY_DSA_CERT_V00: 1351 case KEY_DSA_CERT: 1352 case KEY_ECDSA: 1353 case KEY_ECDSA_CERT: 1354 case KEY_RSA: 1355 case KEY_RSA_CERT_V00: 1356 case KEY_RSA_CERT: 1357 #endif /* WITH_OPENSSL */ 1358 case KEY_ED25519: 1359 case KEY_ED25519_CERT: 1360 if ((bb = sshbuf_new()) == NULL) { 1361 ret = SSH_ERR_ALLOC_FAIL; 1362 goto out; 1363 } 1364 if ((ret = sshkey_to_blob_buf(key, bb)) != 0) 1365 goto out; 1366 if ((uu = sshbuf_dtob64(bb)) == NULL) { 1367 ret = SSH_ERR_ALLOC_FAIL; 1368 goto out; 1369 } 1370 if ((ret = sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) != 0) 1371 goto out; 1372 if ((ret = sshbuf_put(b, uu, strlen(uu))) != 0) 1373 goto out; 1374 break; 1375 default: 1376 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1377 goto out; 1378 } 1379 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1380 if (feof(f)) 1381 errno = EPIPE; 1382 ret = SSH_ERR_SYSTEM_ERROR; 1383 goto out; 1384 } 1385 ret = 0; 1386 out: 1387 if (b != NULL) 1388 sshbuf_free(b); 1389 if (bb != NULL) 1390 sshbuf_free(bb); 1391 if (uu != NULL) 1392 free(uu); 1393 #ifdef WITH_SSH1 1394 if (dec_e != NULL) 1395 OPENSSL_free(dec_e); 1396 if (dec_n != NULL) 1397 OPENSSL_free(dec_n); 1398 #endif /* WITH_SSH1 */ 1399 return ret; 1400 } 1401 1402 const char * 1403 sshkey_cert_type(const struct sshkey *k) 1404 { 1405 switch (k->cert->type) { 1406 case SSH2_CERT_TYPE_USER: 1407 return "user"; 1408 case SSH2_CERT_TYPE_HOST: 1409 return "host"; 1410 default: 1411 return "unknown"; 1412 } 1413 } 1414 1415 #ifdef WITH_OPENSSL 1416 static int 1417 rsa_generate_private_key(u_int bits, RSA **rsap) 1418 { 1419 RSA *private = NULL; 1420 BIGNUM *f4 = NULL; 1421 int ret = SSH_ERR_INTERNAL_ERROR; 1422 1423 if (rsap == NULL || 1424 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1425 bits > SSHBUF_MAX_BIGNUM * 8) 1426 return SSH_ERR_INVALID_ARGUMENT; 1427 *rsap = NULL; 1428 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1429 ret = SSH_ERR_ALLOC_FAIL; 1430 goto out; 1431 } 1432 if (!BN_set_word(f4, RSA_F4) || 1433 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1434 ret = SSH_ERR_LIBCRYPTO_ERROR; 1435 goto out; 1436 } 1437 *rsap = private; 1438 private = NULL; 1439 ret = 0; 1440 out: 1441 if (private != NULL) 1442 RSA_free(private); 1443 if (f4 != NULL) 1444 BN_free(f4); 1445 return ret; 1446 } 1447 1448 static int 1449 dsa_generate_private_key(u_int bits, DSA **dsap) 1450 { 1451 DSA *private; 1452 int ret = SSH_ERR_INTERNAL_ERROR; 1453 1454 if (dsap == NULL || bits != 1024) 1455 return SSH_ERR_INVALID_ARGUMENT; 1456 if ((private = DSA_new()) == NULL) { 1457 ret = SSH_ERR_ALLOC_FAIL; 1458 goto out; 1459 } 1460 *dsap = NULL; 1461 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1462 NULL, NULL) || !DSA_generate_key(private)) { 1463 DSA_free(private); 1464 ret = SSH_ERR_LIBCRYPTO_ERROR; 1465 goto out; 1466 } 1467 *dsap = private; 1468 private = NULL; 1469 ret = 0; 1470 out: 1471 if (private != NULL) 1472 DSA_free(private); 1473 return ret; 1474 } 1475 1476 int 1477 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1478 { 1479 EC_GROUP *eg; 1480 int nids[] = { 1481 NID_X9_62_prime256v1, 1482 NID_secp384r1, 1483 NID_secp521r1, 1484 -1 1485 }; 1486 int nid; 1487 u_int i; 1488 BN_CTX *bnctx; 1489 const EC_GROUP *g = EC_KEY_get0_group(k); 1490 1491 /* 1492 * The group may be stored in a ASN.1 encoded private key in one of two 1493 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1494 * or explicit group parameters encoded into the key blob. Only the 1495 * "named group" case sets the group NID for us, but we can figure 1496 * it out for the other case by comparing against all the groups that 1497 * are supported. 1498 */ 1499 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1500 return nid; 1501 if ((bnctx = BN_CTX_new()) == NULL) 1502 return -1; 1503 for (i = 0; nids[i] != -1; i++) { 1504 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1505 BN_CTX_free(bnctx); 1506 return -1; 1507 } 1508 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1509 break; 1510 EC_GROUP_free(eg); 1511 } 1512 BN_CTX_free(bnctx); 1513 if (nids[i] != -1) { 1514 /* Use the group with the NID attached */ 1515 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1516 if (EC_KEY_set_group(k, eg) != 1) { 1517 EC_GROUP_free(eg); 1518 return -1; 1519 } 1520 } 1521 return nids[i]; 1522 } 1523 1524 static int 1525 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1526 { 1527 EC_KEY *private; 1528 int ret = SSH_ERR_INTERNAL_ERROR; 1529 1530 if (nid == NULL || ecdsap == NULL || 1531 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1532 return SSH_ERR_INVALID_ARGUMENT; 1533 *ecdsap = NULL; 1534 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1535 ret = SSH_ERR_ALLOC_FAIL; 1536 goto out; 1537 } 1538 if (EC_KEY_generate_key(private) != 1) { 1539 ret = SSH_ERR_LIBCRYPTO_ERROR; 1540 goto out; 1541 } 1542 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1543 *ecdsap = private; 1544 private = NULL; 1545 ret = 0; 1546 out: 1547 if (private != NULL) 1548 EC_KEY_free(private); 1549 return ret; 1550 } 1551 #endif /* WITH_OPENSSL */ 1552 1553 int 1554 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1555 { 1556 struct sshkey *k; 1557 int ret = SSH_ERR_INTERNAL_ERROR; 1558 1559 if (keyp == NULL) 1560 return SSH_ERR_INVALID_ARGUMENT; 1561 *keyp = NULL; 1562 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1563 return SSH_ERR_ALLOC_FAIL; 1564 switch (type) { 1565 case KEY_ED25519: 1566 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1567 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1568 ret = SSH_ERR_ALLOC_FAIL; 1569 break; 1570 } 1571 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1572 ret = 0; 1573 break; 1574 #ifdef WITH_OPENSSL 1575 case KEY_DSA: 1576 ret = dsa_generate_private_key(bits, &k->dsa); 1577 break; 1578 case KEY_ECDSA: 1579 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1580 &k->ecdsa); 1581 break; 1582 case KEY_RSA: 1583 case KEY_RSA1: 1584 ret = rsa_generate_private_key(bits, &k->rsa); 1585 break; 1586 #endif /* WITH_OPENSSL */ 1587 default: 1588 ret = SSH_ERR_INVALID_ARGUMENT; 1589 } 1590 if (ret == 0) { 1591 k->type = type; 1592 *keyp = k; 1593 } else 1594 sshkey_free(k); 1595 return ret; 1596 } 1597 1598 int 1599 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1600 { 1601 u_int i; 1602 const struct sshkey_cert *from; 1603 struct sshkey_cert *to; 1604 int ret = SSH_ERR_INTERNAL_ERROR; 1605 1606 if (to_key->cert != NULL) { 1607 cert_free(to_key->cert); 1608 to_key->cert = NULL; 1609 } 1610 1611 if ((from = from_key->cert) == NULL) 1612 return SSH_ERR_INVALID_ARGUMENT; 1613 1614 if ((to = to_key->cert = cert_new()) == NULL) 1615 return SSH_ERR_ALLOC_FAIL; 1616 1617 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1618 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1619 (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) 1620 return ret; 1621 1622 to->serial = from->serial; 1623 to->type = from->type; 1624 if (from->key_id == NULL) 1625 to->key_id = NULL; 1626 else if ((to->key_id = strdup(from->key_id)) == NULL) 1627 return SSH_ERR_ALLOC_FAIL; 1628 to->valid_after = from->valid_after; 1629 to->valid_before = from->valid_before; 1630 if (from->signature_key == NULL) 1631 to->signature_key = NULL; 1632 else if ((ret = sshkey_from_private(from->signature_key, 1633 &to->signature_key)) != 0) 1634 return ret; 1635 1636 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1637 return SSH_ERR_INVALID_ARGUMENT; 1638 if (from->nprincipals > 0) { 1639 if ((to->principals = calloc(from->nprincipals, 1640 sizeof(*to->principals))) == NULL) 1641 return SSH_ERR_ALLOC_FAIL; 1642 for (i = 0; i < from->nprincipals; i++) { 1643 to->principals[i] = strdup(from->principals[i]); 1644 if (to->principals[i] == NULL) { 1645 to->nprincipals = i; 1646 return SSH_ERR_ALLOC_FAIL; 1647 } 1648 } 1649 } 1650 to->nprincipals = from->nprincipals; 1651 return 0; 1652 } 1653 1654 int 1655 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1656 { 1657 struct sshkey *n = NULL; 1658 int ret = SSH_ERR_INTERNAL_ERROR; 1659 1660 if (pkp != NULL) 1661 *pkp = NULL; 1662 1663 switch (k->type) { 1664 #ifdef WITH_OPENSSL 1665 case KEY_DSA: 1666 case KEY_DSA_CERT_V00: 1667 case KEY_DSA_CERT: 1668 if ((n = sshkey_new(k->type)) == NULL) 1669 return SSH_ERR_ALLOC_FAIL; 1670 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1671 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1672 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1673 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1674 sshkey_free(n); 1675 return SSH_ERR_ALLOC_FAIL; 1676 } 1677 break; 1678 case KEY_ECDSA: 1679 case KEY_ECDSA_CERT: 1680 if ((n = sshkey_new(k->type)) == NULL) 1681 return SSH_ERR_ALLOC_FAIL; 1682 n->ecdsa_nid = k->ecdsa_nid; 1683 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1684 if (n->ecdsa == NULL) { 1685 sshkey_free(n); 1686 return SSH_ERR_ALLOC_FAIL; 1687 } 1688 if (EC_KEY_set_public_key(n->ecdsa, 1689 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1690 sshkey_free(n); 1691 return SSH_ERR_LIBCRYPTO_ERROR; 1692 } 1693 break; 1694 case KEY_RSA: 1695 case KEY_RSA1: 1696 case KEY_RSA_CERT_V00: 1697 case KEY_RSA_CERT: 1698 if ((n = sshkey_new(k->type)) == NULL) 1699 return SSH_ERR_ALLOC_FAIL; 1700 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1701 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1702 sshkey_free(n); 1703 return SSH_ERR_ALLOC_FAIL; 1704 } 1705 break; 1706 #endif /* WITH_OPENSSL */ 1707 case KEY_ED25519: 1708 case KEY_ED25519_CERT: 1709 if ((n = sshkey_new(k->type)) == NULL) 1710 return SSH_ERR_ALLOC_FAIL; 1711 if (k->ed25519_pk != NULL) { 1712 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1713 sshkey_free(n); 1714 return SSH_ERR_ALLOC_FAIL; 1715 } 1716 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1717 } 1718 break; 1719 default: 1720 return SSH_ERR_KEY_TYPE_UNKNOWN; 1721 } 1722 if (sshkey_is_cert(k)) { 1723 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1724 sshkey_free(n); 1725 return ret; 1726 } 1727 } 1728 *pkp = n; 1729 return 0; 1730 } 1731 1732 static int 1733 cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob, 1734 size_t blen) 1735 { 1736 struct sshbuf *principals = NULL, *crit = NULL, *exts = NULL; 1737 u_char *sig_key = NULL, *sig = NULL; 1738 size_t signed_len = 0, sklen = 0, slen = 0, kidlen = 0; 1739 int ret = SSH_ERR_INTERNAL_ERROR; 1740 int v00 = sshkey_cert_is_legacy(key); 1741 1742 /* Copy the entire key blob for verification and later serialisation */ 1743 if ((ret = sshbuf_put(key->cert->certblob, blob, blen)) != 0) 1744 return ret; 1745 1746 if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || 1747 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1748 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1749 (ret = sshbuf_froms(b, &principals)) != 0 || 1750 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1751 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1752 (ret = sshbuf_froms(b, &crit)) != 0 || 1753 (!v00 && (ret = sshbuf_froms(b, &exts)) != 0) || 1754 (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || 1755 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1756 (ret = sshbuf_get_string(b, &sig_key, &sklen)) != 0) { 1757 /* XXX debug print error for ret */ 1758 ret = SSH_ERR_INVALID_FORMAT; 1759 goto out; 1760 } 1761 1762 /* Signature is left in the buffer so we can calculate this length */ 1763 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1764 1765 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1766 ret = SSH_ERR_INVALID_FORMAT; 1767 goto out; 1768 } 1769 1770 if (key->cert->type != SSH2_CERT_TYPE_USER && 1771 key->cert->type != SSH2_CERT_TYPE_HOST) { 1772 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1773 goto out; 1774 } 1775 1776 /* Parse principals section */ 1777 while (sshbuf_len(principals) > 0) { 1778 char *principal = NULL; 1779 char **oprincipals = NULL; 1780 1781 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1782 ret = SSH_ERR_INVALID_FORMAT; 1783 goto out; 1784 } 1785 if ((ret = sshbuf_get_cstring(principals, &principal, 1786 NULL)) != 0) { 1787 ret = SSH_ERR_INVALID_FORMAT; 1788 goto out; 1789 } 1790 oprincipals = key->cert->principals; 1791 key->cert->principals = realloc(key->cert->principals, 1792 (key->cert->nprincipals + 1) * 1793 sizeof(*key->cert->principals)); 1794 if (key->cert->principals == NULL) { 1795 free(principal); 1796 key->cert->principals = oprincipals; 1797 ret = SSH_ERR_ALLOC_FAIL; 1798 goto out; 1799 } 1800 key->cert->principals[key->cert->nprincipals++] = principal; 1801 } 1802 1803 /* 1804 * Stash a copies of the critical options and extensions sections 1805 * for later use. 1806 */ 1807 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1808 (exts != NULL && 1809 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1810 goto out; 1811 1812 /* 1813 * Validate critical options and extensions sections format. 1814 * NB. extensions are not present in v00 certs. 1815 */ 1816 while (sshbuf_len(crit) != 0) { 1817 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1818 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1819 sshbuf_reset(key->cert->critical); 1820 ret = SSH_ERR_INVALID_FORMAT; 1821 goto out; 1822 } 1823 } 1824 while (exts != NULL && sshbuf_len(exts) != 0) { 1825 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1826 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1827 sshbuf_reset(key->cert->extensions); 1828 ret = SSH_ERR_INVALID_FORMAT; 1829 goto out; 1830 } 1831 } 1832 1833 /* Parse CA key and check signature */ 1834 if (sshkey_from_blob_internal(sig_key, sklen, 1835 &key->cert->signature_key, 0) != 0) { 1836 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1837 goto out; 1838 } 1839 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1840 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1841 goto out; 1842 } 1843 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1844 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1845 goto out; 1846 1847 /* Success */ 1848 ret = 0; 1849 out: 1850 sshbuf_free(crit); 1851 sshbuf_free(exts); 1852 sshbuf_free(principals); 1853 free(sig_key); 1854 free(sig); 1855 return ret; 1856 } 1857 1858 static int 1859 sshkey_from_blob_internal(const u_char *blob, size_t blen, 1860 struct sshkey **keyp, int allow_cert) 1861 { 1862 struct sshbuf *b = NULL; 1863 int type, nid = -1, ret = SSH_ERR_INTERNAL_ERROR; 1864 char *ktype = NULL, *curve = NULL; 1865 struct sshkey *key = NULL; 1866 size_t len; 1867 u_char *pk = NULL; 1868 #ifdef WITH_OPENSSL 1869 EC_POINT *q = NULL; 1870 #endif /* WITH_OPENSSL */ 1871 1872 #ifdef DEBUG_PK /* XXX */ 1873 dump_base64(stderr, blob, blen); 1874 #endif 1875 *keyp = NULL; 1876 if ((b = sshbuf_from(blob, blen)) == NULL) 1877 return SSH_ERR_ALLOC_FAIL; 1878 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1879 ret = SSH_ERR_INVALID_FORMAT; 1880 goto out; 1881 } 1882 1883 type = sshkey_type_from_name(ktype); 1884 if (sshkey_type_plain(type) == KEY_ECDSA) 1885 nid = sshkey_ecdsa_nid_from_name(ktype); 1886 if (!allow_cert && sshkey_type_is_cert(type)) { 1887 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1888 goto out; 1889 } 1890 switch (type) { 1891 #ifdef WITH_OPENSSL 1892 case KEY_RSA_CERT: 1893 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1894 ret = SSH_ERR_INVALID_FORMAT; 1895 goto out; 1896 } 1897 /* FALLTHROUGH */ 1898 case KEY_RSA: 1899 case KEY_RSA_CERT_V00: 1900 if ((key = sshkey_new(type)) == NULL) { 1901 ret = SSH_ERR_ALLOC_FAIL; 1902 goto out; 1903 } 1904 if (sshbuf_get_bignum2(b, key->rsa->e) == -1 || 1905 sshbuf_get_bignum2(b, key->rsa->n) == -1) { 1906 ret = SSH_ERR_INVALID_FORMAT; 1907 goto out; 1908 } 1909 #ifdef DEBUG_PK 1910 RSA_print_fp(stderr, key->rsa, 8); 1911 #endif 1912 break; 1913 case KEY_DSA_CERT: 1914 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1915 ret = SSH_ERR_INVALID_FORMAT; 1916 goto out; 1917 } 1918 /* FALLTHROUGH */ 1919 case KEY_DSA: 1920 case KEY_DSA_CERT_V00: 1921 if ((key = sshkey_new(type)) == NULL) { 1922 ret = SSH_ERR_ALLOC_FAIL; 1923 goto out; 1924 } 1925 if (sshbuf_get_bignum2(b, key->dsa->p) == -1 || 1926 sshbuf_get_bignum2(b, key->dsa->q) == -1 || 1927 sshbuf_get_bignum2(b, key->dsa->g) == -1 || 1928 sshbuf_get_bignum2(b, key->dsa->pub_key) == -1) { 1929 ret = SSH_ERR_INVALID_FORMAT; 1930 goto out; 1931 } 1932 #ifdef DEBUG_PK 1933 DSA_print_fp(stderr, key->dsa, 8); 1934 #endif 1935 break; 1936 case KEY_ECDSA_CERT: 1937 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1938 ret = SSH_ERR_INVALID_FORMAT; 1939 goto out; 1940 } 1941 /* FALLTHROUGH */ 1942 case KEY_ECDSA: 1943 if ((key = sshkey_new(type)) == NULL) { 1944 ret = SSH_ERR_ALLOC_FAIL; 1945 goto out; 1946 } 1947 key->ecdsa_nid = nid; 1948 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 1949 ret = SSH_ERR_INVALID_FORMAT; 1950 goto out; 1951 } 1952 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 1953 ret = SSH_ERR_EC_CURVE_MISMATCH; 1954 goto out; 1955 } 1956 if (key->ecdsa != NULL) 1957 EC_KEY_free(key->ecdsa); 1958 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1959 == NULL) { 1960 ret = SSH_ERR_EC_CURVE_INVALID; 1961 goto out; 1962 } 1963 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 1964 ret = SSH_ERR_ALLOC_FAIL; 1965 goto out; 1966 } 1967 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 1968 ret = SSH_ERR_INVALID_FORMAT; 1969 goto out; 1970 } 1971 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1972 q) != 0) { 1973 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 1974 goto out; 1975 } 1976 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 1977 /* XXX assume it is a allocation error */ 1978 ret = SSH_ERR_ALLOC_FAIL; 1979 goto out; 1980 } 1981 #ifdef DEBUG_PK 1982 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1983 #endif 1984 break; 1985 #endif /* WITH_OPENSSL */ 1986 case KEY_ED25519_CERT: 1987 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1988 ret = SSH_ERR_INVALID_FORMAT; 1989 goto out; 1990 } 1991 /* FALLTHROUGH */ 1992 case KEY_ED25519: 1993 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 1994 goto out; 1995 if (len != ED25519_PK_SZ) { 1996 ret = SSH_ERR_INVALID_FORMAT; 1997 goto out; 1998 } 1999 if ((key = sshkey_new(type)) == NULL) { 2000 ret = SSH_ERR_ALLOC_FAIL; 2001 goto out; 2002 } 2003 key->ed25519_pk = pk; 2004 pk = NULL; 2005 break; 2006 case KEY_UNSPEC: 2007 if ((key = sshkey_new(type)) == NULL) { 2008 ret = SSH_ERR_ALLOC_FAIL; 2009 goto out; 2010 } 2011 break; 2012 default: 2013 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2014 goto out; 2015 } 2016 2017 /* Parse certificate potion */ 2018 if (sshkey_is_cert(key) && 2019 (ret = cert_parse(b, key, blob, blen)) != 0) 2020 goto out; 2021 2022 if (key != NULL && sshbuf_len(b) != 0) { 2023 ret = SSH_ERR_INVALID_FORMAT; 2024 goto out; 2025 } 2026 ret = 0; 2027 *keyp = key; 2028 key = NULL; 2029 out: 2030 sshbuf_free(b); 2031 sshkey_free(key); 2032 free(ktype); 2033 free(curve); 2034 free(pk); 2035 #ifdef WITH_OPENSSL 2036 if (q != NULL) 2037 EC_POINT_free(q); 2038 #endif /* WITH_OPENSSL */ 2039 return ret; 2040 } 2041 2042 int 2043 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2044 { 2045 return sshkey_from_blob_internal(blob, blen, keyp, 1); 2046 } 2047 2048 int 2049 sshkey_sign(const struct sshkey *key, 2050 u_char **sigp, size_t *lenp, 2051 const u_char *data, size_t datalen, u_int compat) 2052 { 2053 if (sigp != NULL) 2054 *sigp = NULL; 2055 if (lenp != NULL) 2056 *lenp = 0; 2057 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2058 return SSH_ERR_INVALID_ARGUMENT; 2059 switch (key->type) { 2060 #ifdef WITH_OPENSSL 2061 case KEY_DSA_CERT_V00: 2062 case KEY_DSA_CERT: 2063 case KEY_DSA: 2064 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2065 case KEY_ECDSA_CERT: 2066 case KEY_ECDSA: 2067 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2068 case KEY_RSA_CERT_V00: 2069 case KEY_RSA_CERT: 2070 case KEY_RSA: 2071 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2072 #endif /* WITH_OPENSSL */ 2073 case KEY_ED25519: 2074 case KEY_ED25519_CERT: 2075 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2076 default: 2077 return SSH_ERR_KEY_TYPE_UNKNOWN; 2078 } 2079 } 2080 2081 /* 2082 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2083 */ 2084 int 2085 sshkey_verify(const struct sshkey *key, 2086 const u_char *sig, size_t siglen, 2087 const u_char *data, size_t dlen, u_int compat) 2088 { 2089 if (siglen == 0) 2090 return -1; 2091 2092 if (dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2093 return SSH_ERR_INVALID_ARGUMENT; 2094 switch (key->type) { 2095 #ifdef WITH_OPENSSL 2096 case KEY_DSA_CERT_V00: 2097 case KEY_DSA_CERT: 2098 case KEY_DSA: 2099 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2100 case KEY_ECDSA_CERT: 2101 case KEY_ECDSA: 2102 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2103 case KEY_RSA_CERT_V00: 2104 case KEY_RSA_CERT: 2105 case KEY_RSA: 2106 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2107 #endif /* WITH_OPENSSL */ 2108 case KEY_ED25519: 2109 case KEY_ED25519_CERT: 2110 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2111 default: 2112 return SSH_ERR_KEY_TYPE_UNKNOWN; 2113 } 2114 } 2115 2116 /* Converts a private to a public key */ 2117 int 2118 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2119 { 2120 struct sshkey *pk; 2121 int ret = SSH_ERR_INTERNAL_ERROR; 2122 2123 if (dkp != NULL) 2124 *dkp = NULL; 2125 2126 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2127 return SSH_ERR_ALLOC_FAIL; 2128 pk->type = k->type; 2129 pk->flags = k->flags; 2130 pk->ecdsa_nid = k->ecdsa_nid; 2131 pk->dsa = NULL; 2132 pk->ecdsa = NULL; 2133 pk->rsa = NULL; 2134 pk->ed25519_pk = NULL; 2135 pk->ed25519_sk = NULL; 2136 2137 switch (k->type) { 2138 #ifdef WITH_OPENSSL 2139 case KEY_RSA_CERT_V00: 2140 case KEY_RSA_CERT: 2141 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2142 goto fail; 2143 /* FALLTHROUGH */ 2144 case KEY_RSA1: 2145 case KEY_RSA: 2146 if ((pk->rsa = RSA_new()) == NULL || 2147 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2148 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2149 ret = SSH_ERR_ALLOC_FAIL; 2150 goto fail; 2151 } 2152 break; 2153 case KEY_DSA_CERT_V00: 2154 case KEY_DSA_CERT: 2155 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2156 goto fail; 2157 /* FALLTHROUGH */ 2158 case KEY_DSA: 2159 if ((pk->dsa = DSA_new()) == NULL || 2160 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2161 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2162 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2163 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2164 ret = SSH_ERR_ALLOC_FAIL; 2165 goto fail; 2166 } 2167 break; 2168 case KEY_ECDSA_CERT: 2169 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2170 goto fail; 2171 /* FALLTHROUGH */ 2172 case KEY_ECDSA: 2173 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2174 if (pk->ecdsa == NULL) { 2175 ret = SSH_ERR_ALLOC_FAIL; 2176 goto fail; 2177 } 2178 if (EC_KEY_set_public_key(pk->ecdsa, 2179 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2180 ret = SSH_ERR_LIBCRYPTO_ERROR; 2181 goto fail; 2182 } 2183 break; 2184 #endif /* WITH_OPENSSL */ 2185 case KEY_ED25519_CERT: 2186 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2187 goto fail; 2188 /* FALLTHROUGH */ 2189 case KEY_ED25519: 2190 if (k->ed25519_pk != NULL) { 2191 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2192 ret = SSH_ERR_ALLOC_FAIL; 2193 goto fail; 2194 } 2195 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2196 } 2197 break; 2198 default: 2199 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2200 fail: 2201 sshkey_free(pk); 2202 return ret; 2203 } 2204 *dkp = pk; 2205 return 0; 2206 } 2207 2208 /* Convert a plain key to their _CERT equivalent */ 2209 int 2210 sshkey_to_certified(struct sshkey *k, int legacy) 2211 { 2212 int newtype; 2213 2214 switch (k->type) { 2215 #ifdef WITH_OPENSSL 2216 case KEY_RSA: 2217 newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 2218 break; 2219 case KEY_DSA: 2220 newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 2221 break; 2222 case KEY_ECDSA: 2223 if (legacy) 2224 return SSH_ERR_INVALID_ARGUMENT; 2225 newtype = KEY_ECDSA_CERT; 2226 break; 2227 #endif /* WITH_OPENSSL */ 2228 case KEY_ED25519: 2229 if (legacy) 2230 return SSH_ERR_INVALID_ARGUMENT; 2231 newtype = KEY_ED25519_CERT; 2232 break; 2233 default: 2234 return SSH_ERR_INVALID_ARGUMENT; 2235 } 2236 if ((k->cert = cert_new()) == NULL) 2237 return SSH_ERR_ALLOC_FAIL; 2238 k->type = newtype; 2239 return 0; 2240 } 2241 2242 /* Convert a certificate to its raw key equivalent */ 2243 int 2244 sshkey_drop_cert(struct sshkey *k) 2245 { 2246 if (!sshkey_type_is_cert(k->type)) 2247 return SSH_ERR_KEY_TYPE_UNKNOWN; 2248 cert_free(k->cert); 2249 k->cert = NULL; 2250 k->type = sshkey_type_plain(k->type); 2251 return 0; 2252 } 2253 2254 /* Sign a certified key, (re-)generating the signed certblob. */ 2255 int 2256 sshkey_certify(struct sshkey *k, struct sshkey *ca) 2257 { 2258 struct sshbuf *principals = NULL; 2259 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2260 size_t i, ca_len, sig_len; 2261 int ret = SSH_ERR_INTERNAL_ERROR; 2262 struct sshbuf *cert; 2263 2264 if (k == NULL || k->cert == NULL || 2265 k->cert->certblob == NULL || ca == NULL) 2266 return SSH_ERR_INVALID_ARGUMENT; 2267 if (!sshkey_is_cert(k)) 2268 return SSH_ERR_KEY_TYPE_UNKNOWN; 2269 if (!sshkey_type_is_valid_ca(ca->type)) 2270 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2271 2272 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2273 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2274 2275 cert = k->cert->certblob; /* for readability */ 2276 sshbuf_reset(cert); 2277 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2278 goto out; 2279 2280 /* -v01 certs put nonce first */ 2281 arc4random_buf(&nonce, sizeof(nonce)); 2282 if (!sshkey_cert_is_legacy(k)) { 2283 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2284 goto out; 2285 } 2286 2287 /* XXX this substantially duplicates to_blob(); refactor */ 2288 switch (k->type) { 2289 #ifdef WITH_OPENSSL 2290 case KEY_DSA_CERT_V00: 2291 case KEY_DSA_CERT: 2292 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2293 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2294 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2295 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2296 goto out; 2297 break; 2298 case KEY_ECDSA_CERT: 2299 if ((ret = sshbuf_put_cstring(cert, 2300 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2301 (ret = sshbuf_put_ec(cert, 2302 EC_KEY_get0_public_key(k->ecdsa), 2303 EC_KEY_get0_group(k->ecdsa))) != 0) 2304 goto out; 2305 break; 2306 case KEY_RSA_CERT_V00: 2307 case KEY_RSA_CERT: 2308 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2309 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2310 goto out; 2311 break; 2312 #endif /* WITH_OPENSSL */ 2313 case KEY_ED25519_CERT: 2314 if ((ret = sshbuf_put_string(cert, 2315 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2316 goto out; 2317 break; 2318 default: 2319 ret = SSH_ERR_INVALID_ARGUMENT; 2320 } 2321 2322 /* -v01 certs have a serial number next */ 2323 if (!sshkey_cert_is_legacy(k)) { 2324 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) 2325 goto out; 2326 } 2327 2328 if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2329 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2330 goto out; 2331 2332 if ((principals = sshbuf_new()) == NULL) { 2333 ret = SSH_ERR_ALLOC_FAIL; 2334 goto out; 2335 } 2336 for (i = 0; i < k->cert->nprincipals; i++) { 2337 if ((ret = sshbuf_put_cstring(principals, 2338 k->cert->principals[i])) != 0) 2339 goto out; 2340 } 2341 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2342 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2343 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2344 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) 2345 goto out; 2346 2347 /* -v01 certs have non-critical options here */ 2348 if (!sshkey_cert_is_legacy(k)) { 2349 if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) 2350 goto out; 2351 } 2352 2353 /* -v00 certs put the nonce at the end */ 2354 if (sshkey_cert_is_legacy(k)) { 2355 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2356 goto out; 2357 } 2358 2359 if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2360 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2361 goto out; 2362 2363 /* Sign the whole mess */ 2364 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2365 sshbuf_len(cert), 0)) != 0) 2366 goto out; 2367 2368 /* Append signature and we are done */ 2369 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2370 goto out; 2371 ret = 0; 2372 out: 2373 if (ret != 0) 2374 sshbuf_reset(cert); 2375 if (sig_blob != NULL) 2376 free(sig_blob); 2377 if (ca_blob != NULL) 2378 free(ca_blob); 2379 if (principals != NULL) 2380 sshbuf_free(principals); 2381 return ret; 2382 } 2383 2384 int 2385 sshkey_cert_check_authority(const struct sshkey *k, 2386 int want_host, int require_principal, 2387 const char *name, const char **reason) 2388 { 2389 u_int i, principal_matches; 2390 time_t now = time(NULL); 2391 2392 if (reason != NULL) 2393 *reason = NULL; 2394 2395 if (want_host) { 2396 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2397 *reason = "Certificate invalid: not a host certificate"; 2398 return SSH_ERR_KEY_CERT_INVALID; 2399 } 2400 } else { 2401 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2402 *reason = "Certificate invalid: not a user certificate"; 2403 return SSH_ERR_KEY_CERT_INVALID; 2404 } 2405 } 2406 if (now < 0) { 2407 /* yikes - system clock before epoch! */ 2408 *reason = "Certificate invalid: not yet valid"; 2409 return SSH_ERR_KEY_CERT_INVALID; 2410 } 2411 if ((u_int64_t)now < k->cert->valid_after) { 2412 *reason = "Certificate invalid: not yet valid"; 2413 return SSH_ERR_KEY_CERT_INVALID; 2414 } 2415 if ((u_int64_t)now >= k->cert->valid_before) { 2416 *reason = "Certificate invalid: expired"; 2417 return SSH_ERR_KEY_CERT_INVALID; 2418 } 2419 if (k->cert->nprincipals == 0) { 2420 if (require_principal) { 2421 *reason = "Certificate lacks principal list"; 2422 return SSH_ERR_KEY_CERT_INVALID; 2423 } 2424 } else if (name != NULL) { 2425 principal_matches = 0; 2426 for (i = 0; i < k->cert->nprincipals; i++) { 2427 if (strcmp(name, k->cert->principals[i]) == 0) { 2428 principal_matches = 1; 2429 break; 2430 } 2431 } 2432 if (!principal_matches) { 2433 *reason = "Certificate invalid: name is not a listed " 2434 "principal"; 2435 return SSH_ERR_KEY_CERT_INVALID; 2436 } 2437 } 2438 return 0; 2439 } 2440 2441 int 2442 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2443 { 2444 int r = SSH_ERR_INTERNAL_ERROR; 2445 2446 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2447 goto out; 2448 switch (key->type) { 2449 #ifdef WITH_OPENSSL 2450 case KEY_RSA: 2451 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2452 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2453 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2454 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2455 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2456 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2457 goto out; 2458 break; 2459 case KEY_RSA_CERT_V00: 2460 case KEY_RSA_CERT: 2461 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2462 r = SSH_ERR_INVALID_ARGUMENT; 2463 goto out; 2464 } 2465 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2466 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2467 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2468 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2469 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2470 goto out; 2471 break; 2472 case KEY_DSA: 2473 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2474 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2475 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2476 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2477 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2478 goto out; 2479 break; 2480 case KEY_DSA_CERT_V00: 2481 case KEY_DSA_CERT: 2482 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2483 r = SSH_ERR_INVALID_ARGUMENT; 2484 goto out; 2485 } 2486 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2487 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2488 goto out; 2489 break; 2490 case KEY_ECDSA: 2491 if ((r = sshbuf_put_cstring(b, 2492 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2493 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2494 (r = sshbuf_put_bignum2(b, 2495 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2496 goto out; 2497 break; 2498 case KEY_ECDSA_CERT: 2499 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2500 r = SSH_ERR_INVALID_ARGUMENT; 2501 goto out; 2502 } 2503 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2504 (r = sshbuf_put_bignum2(b, 2505 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2506 goto out; 2507 break; 2508 #endif /* WITH_OPENSSL */ 2509 case KEY_ED25519: 2510 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2511 ED25519_PK_SZ)) != 0 || 2512 (r = sshbuf_put_string(b, key->ed25519_sk, 2513 ED25519_SK_SZ)) != 0) 2514 goto out; 2515 break; 2516 case KEY_ED25519_CERT: 2517 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2518 r = SSH_ERR_INVALID_ARGUMENT; 2519 goto out; 2520 } 2521 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2522 (r = sshbuf_put_string(b, key->ed25519_pk, 2523 ED25519_PK_SZ)) != 0 || 2524 (r = sshbuf_put_string(b, key->ed25519_sk, 2525 ED25519_SK_SZ)) != 0) 2526 goto out; 2527 break; 2528 default: 2529 r = SSH_ERR_INVALID_ARGUMENT; 2530 goto out; 2531 } 2532 /* success */ 2533 r = 0; 2534 out: 2535 return r; 2536 } 2537 2538 int 2539 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2540 { 2541 char *tname = NULL, *curve = NULL; 2542 struct sshkey *k = NULL; 2543 const u_char *cert; 2544 size_t len, pklen = 0, sklen = 0; 2545 int type, r = SSH_ERR_INTERNAL_ERROR; 2546 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2547 #ifdef WITH_OPENSSL 2548 BIGNUM *exponent = NULL; 2549 #endif /* WITH_OPENSSL */ 2550 2551 if (kp != NULL) 2552 *kp = NULL; 2553 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2554 goto out; 2555 type = sshkey_type_from_name(tname); 2556 switch (type) { 2557 #ifdef WITH_OPENSSL 2558 case KEY_DSA: 2559 if ((k = sshkey_new_private(type)) == NULL) { 2560 r = SSH_ERR_ALLOC_FAIL; 2561 goto out; 2562 } 2563 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2564 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2565 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2566 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2567 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2568 goto out; 2569 break; 2570 case KEY_DSA_CERT_V00: 2571 case KEY_DSA_CERT: 2572 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2573 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2574 (r = sshkey_add_private(k)) != 0 || 2575 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2576 goto out; 2577 break; 2578 case KEY_ECDSA: 2579 if ((k = sshkey_new_private(type)) == NULL) { 2580 r = SSH_ERR_ALLOC_FAIL; 2581 goto out; 2582 } 2583 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2584 r = SSH_ERR_INVALID_ARGUMENT; 2585 goto out; 2586 } 2587 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2588 goto out; 2589 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2590 r = SSH_ERR_EC_CURVE_MISMATCH; 2591 goto out; 2592 } 2593 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2594 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2595 r = SSH_ERR_LIBCRYPTO_ERROR; 2596 goto out; 2597 } 2598 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2599 (r = sshbuf_get_bignum2(buf, exponent))) 2600 goto out; 2601 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2602 r = SSH_ERR_LIBCRYPTO_ERROR; 2603 goto out; 2604 } 2605 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2606 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2607 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2608 goto out; 2609 break; 2610 case KEY_ECDSA_CERT: 2611 if ((exponent = BN_new()) == NULL) { 2612 r = SSH_ERR_LIBCRYPTO_ERROR; 2613 goto out; 2614 } 2615 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2616 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2617 (r = sshkey_add_private(k)) != 0 || 2618 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2619 goto out; 2620 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2621 r = SSH_ERR_LIBCRYPTO_ERROR; 2622 goto out; 2623 } 2624 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2625 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2626 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2627 goto out; 2628 break; 2629 case KEY_RSA: 2630 if ((k = sshkey_new_private(type)) == NULL) { 2631 r = SSH_ERR_ALLOC_FAIL; 2632 goto out; 2633 } 2634 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2635 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2636 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2637 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2638 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2639 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2640 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2641 goto out; 2642 break; 2643 case KEY_RSA_CERT_V00: 2644 case KEY_RSA_CERT: 2645 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2646 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2647 (r = sshkey_add_private(k)) != 0 || 2648 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2649 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2650 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2651 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2652 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2653 goto out; 2654 break; 2655 #endif /* WITH_OPENSSL */ 2656 case KEY_ED25519: 2657 if ((k = sshkey_new_private(type)) == NULL) { 2658 r = SSH_ERR_ALLOC_FAIL; 2659 goto out; 2660 } 2661 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2662 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2663 goto out; 2664 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2665 r = SSH_ERR_INVALID_FORMAT; 2666 goto out; 2667 } 2668 k->ed25519_pk = ed25519_pk; 2669 k->ed25519_sk = ed25519_sk; 2670 ed25519_pk = ed25519_sk = NULL; 2671 break; 2672 case KEY_ED25519_CERT: 2673 if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || 2674 (r = sshkey_from_blob(cert, len, &k)) != 0 || 2675 (r = sshkey_add_private(k)) != 0 || 2676 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2677 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2678 goto out; 2679 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2680 r = SSH_ERR_INVALID_FORMAT; 2681 goto out; 2682 } 2683 k->ed25519_pk = ed25519_pk; 2684 k->ed25519_sk = ed25519_sk; 2685 ed25519_pk = ed25519_sk = NULL; 2686 break; 2687 default: 2688 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2689 goto out; 2690 } 2691 #ifdef WITH_OPENSSL 2692 /* enable blinding */ 2693 switch (k->type) { 2694 case KEY_RSA: 2695 case KEY_RSA_CERT_V00: 2696 case KEY_RSA_CERT: 2697 case KEY_RSA1: 2698 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2699 r = SSH_ERR_LIBCRYPTO_ERROR; 2700 goto out; 2701 } 2702 break; 2703 } 2704 #endif /* WITH_OPENSSL */ 2705 /* success */ 2706 r = 0; 2707 if (kp != NULL) { 2708 *kp = k; 2709 k = NULL; 2710 } 2711 out: 2712 free(tname); 2713 free(curve); 2714 #ifdef WITH_OPENSSL 2715 if (exponent != NULL) 2716 BN_clear_free(exponent); 2717 #endif /* WITH_OPENSSL */ 2718 sshkey_free(k); 2719 if (ed25519_pk != NULL) { 2720 explicit_bzero(ed25519_pk, pklen); 2721 free(ed25519_pk); 2722 } 2723 if (ed25519_sk != NULL) { 2724 explicit_bzero(ed25519_sk, sklen); 2725 free(ed25519_sk); 2726 } 2727 return r; 2728 } 2729 2730 #ifdef WITH_OPENSSL 2731 int 2732 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2733 { 2734 BN_CTX *bnctx; 2735 EC_POINT *nq = NULL; 2736 BIGNUM *order, *x, *y, *tmp; 2737 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2738 2739 if ((bnctx = BN_CTX_new()) == NULL) 2740 return SSH_ERR_ALLOC_FAIL; 2741 BN_CTX_start(bnctx); 2742 2743 /* 2744 * We shouldn't ever hit this case because bignum_get_ecpoint() 2745 * refuses to load GF2m points. 2746 */ 2747 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2748 NID_X9_62_prime_field) 2749 goto out; 2750 2751 /* Q != infinity */ 2752 if (EC_POINT_is_at_infinity(group, public)) 2753 goto out; 2754 2755 if ((x = BN_CTX_get(bnctx)) == NULL || 2756 (y = BN_CTX_get(bnctx)) == NULL || 2757 (order = BN_CTX_get(bnctx)) == NULL || 2758 (tmp = BN_CTX_get(bnctx)) == NULL) { 2759 ret = SSH_ERR_ALLOC_FAIL; 2760 goto out; 2761 } 2762 2763 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2764 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2765 EC_POINT_get_affine_coordinates_GFp(group, public, 2766 x, y, bnctx) != 1) { 2767 ret = SSH_ERR_LIBCRYPTO_ERROR; 2768 goto out; 2769 } 2770 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2771 BN_num_bits(y) <= BN_num_bits(order) / 2) 2772 goto out; 2773 2774 /* nQ == infinity (n == order of subgroup) */ 2775 if ((nq = EC_POINT_new(group)) == NULL) { 2776 ret = SSH_ERR_ALLOC_FAIL; 2777 goto out; 2778 } 2779 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2780 ret = SSH_ERR_LIBCRYPTO_ERROR; 2781 goto out; 2782 } 2783 if (EC_POINT_is_at_infinity(group, nq) != 1) 2784 goto out; 2785 2786 /* x < order - 1, y < order - 1 */ 2787 if (!BN_sub(tmp, order, BN_value_one())) { 2788 ret = SSH_ERR_LIBCRYPTO_ERROR; 2789 goto out; 2790 } 2791 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2792 goto out; 2793 ret = 0; 2794 out: 2795 BN_CTX_free(bnctx); 2796 if (nq != NULL) 2797 EC_POINT_free(nq); 2798 return ret; 2799 } 2800 2801 int 2802 sshkey_ec_validate_private(const EC_KEY *key) 2803 { 2804 BN_CTX *bnctx; 2805 BIGNUM *order, *tmp; 2806 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2807 2808 if ((bnctx = BN_CTX_new()) == NULL) 2809 return SSH_ERR_ALLOC_FAIL; 2810 BN_CTX_start(bnctx); 2811 2812 if ((order = BN_CTX_get(bnctx)) == NULL || 2813 (tmp = BN_CTX_get(bnctx)) == NULL) { 2814 ret = SSH_ERR_ALLOC_FAIL; 2815 goto out; 2816 } 2817 2818 /* log2(private) > log2(order)/2 */ 2819 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2820 ret = SSH_ERR_LIBCRYPTO_ERROR; 2821 goto out; 2822 } 2823 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2824 BN_num_bits(order) / 2) 2825 goto out; 2826 2827 /* private < order - 1 */ 2828 if (!BN_sub(tmp, order, BN_value_one())) { 2829 ret = SSH_ERR_LIBCRYPTO_ERROR; 2830 goto out; 2831 } 2832 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2833 goto out; 2834 ret = 0; 2835 out: 2836 BN_CTX_free(bnctx); 2837 return ret; 2838 } 2839 2840 void 2841 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2842 { 2843 BIGNUM *x, *y; 2844 BN_CTX *bnctx; 2845 2846 if (point == NULL) { 2847 fputs("point=(NULL)\n", stderr); 2848 return; 2849 } 2850 if ((bnctx = BN_CTX_new()) == NULL) { 2851 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2852 return; 2853 } 2854 BN_CTX_start(bnctx); 2855 if ((x = BN_CTX_get(bnctx)) == NULL || 2856 (y = BN_CTX_get(bnctx)) == NULL) { 2857 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2858 return; 2859 } 2860 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2861 NID_X9_62_prime_field) { 2862 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2863 return; 2864 } 2865 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2866 bnctx) != 1) { 2867 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2868 __func__); 2869 return; 2870 } 2871 fputs("x=", stderr); 2872 BN_print_fp(stderr, x); 2873 fputs("\ny=", stderr); 2874 BN_print_fp(stderr, y); 2875 fputs("\n", stderr); 2876 BN_CTX_free(bnctx); 2877 } 2878 2879 void 2880 sshkey_dump_ec_key(const EC_KEY *key) 2881 { 2882 const BIGNUM *exponent; 2883 2884 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2885 EC_KEY_get0_public_key(key)); 2886 fputs("exponent=", stderr); 2887 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2888 fputs("(NULL)", stderr); 2889 else 2890 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2891 fputs("\n", stderr); 2892 } 2893 #endif /* WITH_OPENSSL */ 2894 2895 static int 2896 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2897 const char *passphrase, const char *comment, const char *ciphername, 2898 int rounds) 2899 { 2900 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2901 u_char salt[SALT_LEN]; 2902 char *b64 = NULL; 2903 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2904 u_int check; 2905 int r = SSH_ERR_INTERNAL_ERROR; 2906 struct sshcipher_ctx ciphercontext; 2907 const struct sshcipher *cipher; 2908 const char *kdfname = KDFNAME; 2909 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2910 2911 memset(&ciphercontext, 0, sizeof(ciphercontext)); 2912 2913 if (rounds <= 0) 2914 rounds = DEFAULT_ROUNDS; 2915 if (passphrase == NULL || !strlen(passphrase)) { 2916 ciphername = "none"; 2917 kdfname = "none"; 2918 } else if (ciphername == NULL) 2919 ciphername = DEFAULT_CIPHERNAME; 2920 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 2921 r = SSH_ERR_INVALID_ARGUMENT; 2922 goto out; 2923 } 2924 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2925 r = SSH_ERR_INTERNAL_ERROR; 2926 goto out; 2927 } 2928 2929 if ((kdf = sshbuf_new()) == NULL || 2930 (encoded = sshbuf_new()) == NULL || 2931 (encrypted = sshbuf_new()) == NULL) { 2932 r = SSH_ERR_ALLOC_FAIL; 2933 goto out; 2934 } 2935 blocksize = cipher_blocksize(cipher); 2936 keylen = cipher_keylen(cipher); 2937 ivlen = cipher_ivlen(cipher); 2938 authlen = cipher_authlen(cipher); 2939 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2940 r = SSH_ERR_ALLOC_FAIL; 2941 goto out; 2942 } 2943 if (strcmp(kdfname, "bcrypt") == 0) { 2944 arc4random_buf(salt, SALT_LEN); 2945 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2946 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2947 r = SSH_ERR_INVALID_ARGUMENT; 2948 goto out; 2949 } 2950 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2951 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2952 goto out; 2953 } else if (strcmp(kdfname, "none") != 0) { 2954 /* Unsupported KDF type */ 2955 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2956 goto out; 2957 } 2958 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2959 key + keylen, ivlen, 1)) != 0) 2960 goto out; 2961 2962 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2963 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2964 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2965 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2966 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2967 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2968 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2969 goto out; 2970 2971 /* set up the buffer that will be encrypted */ 2972 2973 /* Random check bytes */ 2974 check = arc4random(); 2975 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2976 (r = sshbuf_put_u32(encrypted, check)) != 0) 2977 goto out; 2978 2979 /* append private key and comment*/ 2980 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 2981 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2982 goto out; 2983 2984 /* padding */ 2985 i = 0; 2986 while (sshbuf_len(encrypted) % blocksize) { 2987 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2988 goto out; 2989 } 2990 2991 /* length in destination buffer */ 2992 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2993 goto out; 2994 2995 /* encrypt */ 2996 if ((r = sshbuf_reserve(encoded, 2997 sshbuf_len(encrypted) + authlen, &cp)) != 0) 2998 goto out; 2999 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3000 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3001 goto out; 3002 3003 /* uuencode */ 3004 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3005 r = SSH_ERR_ALLOC_FAIL; 3006 goto out; 3007 } 3008 3009 sshbuf_reset(blob); 3010 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3011 goto out; 3012 for (i = 0; i < strlen(b64); i++) { 3013 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3014 goto out; 3015 /* insert line breaks */ 3016 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3017 goto out; 3018 } 3019 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3020 goto out; 3021 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3022 goto out; 3023 3024 /* success */ 3025 r = 0; 3026 3027 out: 3028 sshbuf_free(kdf); 3029 sshbuf_free(encoded); 3030 sshbuf_free(encrypted); 3031 cipher_cleanup(&ciphercontext); 3032 explicit_bzero(salt, sizeof(salt)); 3033 if (key != NULL) { 3034 explicit_bzero(key, keylen + ivlen); 3035 free(key); 3036 } 3037 if (pubkeyblob != NULL) { 3038 explicit_bzero(pubkeyblob, pubkeylen); 3039 free(pubkeyblob); 3040 } 3041 if (b64 != NULL) { 3042 explicit_bzero(b64, strlen(b64)); 3043 free(b64); 3044 } 3045 return r; 3046 } 3047 3048 static int 3049 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3050 struct sshkey **keyp, char **commentp) 3051 { 3052 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3053 const struct sshcipher *cipher = NULL; 3054 const u_char *cp; 3055 int r = SSH_ERR_INTERNAL_ERROR; 3056 size_t encoded_len; 3057 size_t i, keylen = 0, ivlen = 0, slen = 0; 3058 struct sshbuf *encoded = NULL, *decoded = NULL; 3059 struct sshbuf *kdf = NULL, *decrypted = NULL; 3060 struct sshcipher_ctx ciphercontext; 3061 struct sshkey *k = NULL; 3062 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3063 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3064 3065 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3066 if (keyp != NULL) 3067 *keyp = NULL; 3068 if (commentp != NULL) 3069 *commentp = NULL; 3070 3071 if ((encoded = sshbuf_new()) == NULL || 3072 (decoded = sshbuf_new()) == NULL || 3073 (decrypted = sshbuf_new()) == NULL) { 3074 r = SSH_ERR_ALLOC_FAIL; 3075 goto out; 3076 } 3077 3078 /* check preamble */ 3079 cp = sshbuf_ptr(blob); 3080 encoded_len = sshbuf_len(blob); 3081 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3082 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3083 r = SSH_ERR_INVALID_FORMAT; 3084 goto out; 3085 } 3086 cp += MARK_BEGIN_LEN; 3087 encoded_len -= MARK_BEGIN_LEN; 3088 3089 /* Look for end marker, removing whitespace as we go */ 3090 while (encoded_len > 0) { 3091 if (*cp != '\n' && *cp != '\r') { 3092 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3093 goto out; 3094 } 3095 last = *cp; 3096 encoded_len--; 3097 cp++; 3098 if (last == '\n') { 3099 if (encoded_len >= MARK_END_LEN && 3100 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3101 /* \0 terminate */ 3102 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3103 goto out; 3104 break; 3105 } 3106 } 3107 } 3108 if (encoded_len == 0) { 3109 r = SSH_ERR_INVALID_FORMAT; 3110 goto out; 3111 } 3112 3113 /* decode base64 */ 3114 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3115 goto out; 3116 3117 /* check magic */ 3118 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3119 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3120 r = SSH_ERR_INVALID_FORMAT; 3121 goto out; 3122 } 3123 /* parse public portion of key */ 3124 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3125 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3126 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3127 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3128 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3129 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3130 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3131 goto out; 3132 3133 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3134 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3135 goto out; 3136 } 3137 if ((passphrase == NULL || strlen(passphrase) == 0) && 3138 strcmp(ciphername, "none") != 0) { 3139 /* passphrase required */ 3140 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3141 goto out; 3142 } 3143 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3144 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3145 goto out; 3146 } 3147 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3148 r = SSH_ERR_INVALID_FORMAT; 3149 goto out; 3150 } 3151 if (nkeys != 1) { 3152 /* XXX only one key supported */ 3153 r = SSH_ERR_INVALID_FORMAT; 3154 goto out; 3155 } 3156 3157 /* check size of encrypted key blob */ 3158 blocksize = cipher_blocksize(cipher); 3159 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3160 r = SSH_ERR_INVALID_FORMAT; 3161 goto out; 3162 } 3163 3164 /* setup key */ 3165 keylen = cipher_keylen(cipher); 3166 ivlen = cipher_ivlen(cipher); 3167 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3168 r = SSH_ERR_ALLOC_FAIL; 3169 goto out; 3170 } 3171 if (strcmp(kdfname, "bcrypt") == 0) { 3172 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3173 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3174 goto out; 3175 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3176 key, keylen + ivlen, rounds) < 0) { 3177 r = SSH_ERR_INVALID_FORMAT; 3178 goto out; 3179 } 3180 } 3181 3182 /* decrypt private portion of key */ 3183 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3184 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3185 key + keylen, ivlen, 0)) != 0) 3186 goto out; 3187 if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), 3188 sshbuf_len(decoded), 0, cipher_authlen(cipher))) != 0) { 3189 /* an integrity error here indicates an incorrect passphrase */ 3190 if (r == SSH_ERR_MAC_INVALID) 3191 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3192 goto out; 3193 } 3194 if ((r = sshbuf_consume(decoded, encrypted_len)) != 0) 3195 goto out; 3196 /* there should be no trailing data */ 3197 if (sshbuf_len(decoded) != 0) { 3198 r = SSH_ERR_INVALID_FORMAT; 3199 goto out; 3200 } 3201 3202 /* check check bytes */ 3203 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3204 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3205 goto out; 3206 if (check1 != check2) { 3207 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3208 goto out; 3209 } 3210 3211 /* Load the private key and comment */ 3212 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3213 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3214 goto out; 3215 3216 /* Check deterministic padding */ 3217 i = 0; 3218 while (sshbuf_len(decrypted)) { 3219 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3220 goto out; 3221 if (pad != (++i & 0xff)) { 3222 r = SSH_ERR_INVALID_FORMAT; 3223 goto out; 3224 } 3225 } 3226 3227 /* XXX decode pubkey and check against private */ 3228 3229 /* success */ 3230 r = 0; 3231 if (keyp != NULL) { 3232 *keyp = k; 3233 k = NULL; 3234 } 3235 if (commentp != NULL) { 3236 *commentp = comment; 3237 comment = NULL; 3238 } 3239 out: 3240 pad = 0; 3241 cipher_cleanup(&ciphercontext); 3242 free(ciphername); 3243 free(kdfname); 3244 free(comment); 3245 if (salt != NULL) { 3246 explicit_bzero(salt, slen); 3247 free(salt); 3248 } 3249 if (key != NULL) { 3250 explicit_bzero(key, keylen + ivlen); 3251 free(key); 3252 } 3253 sshbuf_free(encoded); 3254 sshbuf_free(decoded); 3255 sshbuf_free(kdf); 3256 sshbuf_free(decrypted); 3257 sshkey_free(k); 3258 return r; 3259 } 3260 3261 #if WITH_SSH1 3262 /* 3263 * Serialises the authentication (private) key to a blob, encrypting it with 3264 * passphrase. The identification of the blob (lowest 64 bits of n) will 3265 * precede the key to provide identification of the key without needing a 3266 * passphrase. 3267 */ 3268 static int 3269 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3270 const char *passphrase, const char *comment) 3271 { 3272 struct sshbuf *buffer = NULL, *encrypted = NULL; 3273 u_char buf[8]; 3274 int r, cipher_num; 3275 struct sshcipher_ctx ciphercontext; 3276 const struct sshcipher *cipher; 3277 u_char *cp; 3278 3279 /* 3280 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3281 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3282 */ 3283 cipher_num = (strcmp(passphrase, "") == 0) ? 3284 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3285 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3286 return SSH_ERR_INTERNAL_ERROR; 3287 3288 /* This buffer is used to build the secret part of the private key. */ 3289 if ((buffer = sshbuf_new()) == NULL) 3290 return SSH_ERR_ALLOC_FAIL; 3291 3292 /* Put checkbytes for checking passphrase validity. */ 3293 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3294 goto out; 3295 arc4random_buf(cp, 2); 3296 memcpy(cp + 2, cp, 2); 3297 3298 /* 3299 * Store the private key (n and e will not be stored because they 3300 * will be stored in plain text, and storing them also in encrypted 3301 * format would just give known plaintext). 3302 * Note: q and p are stored in reverse order to SSL. 3303 */ 3304 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3305 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3306 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3307 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3308 goto out; 3309 3310 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3311 explicit_bzero(buf, 8); 3312 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3313 goto out; 3314 3315 /* This buffer will be used to contain the data in the file. */ 3316 if ((encrypted = sshbuf_new()) == NULL) { 3317 r = SSH_ERR_ALLOC_FAIL; 3318 goto out; 3319 } 3320 3321 /* First store keyfile id string. */ 3322 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3323 sizeof(LEGACY_BEGIN))) != 0) 3324 goto out; 3325 3326 /* Store cipher type and "reserved" field. */ 3327 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3328 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3329 goto out; 3330 3331 /* Store public key. This will be in plain text. */ 3332 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3333 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || 3334 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || 3335 (r = sshbuf_put_cstring(encrypted, comment) != 0)) 3336 goto out; 3337 3338 /* Allocate space for the private part of the key in the buffer. */ 3339 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3340 goto out; 3341 3342 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3343 CIPHER_ENCRYPT)) != 0) 3344 goto out; 3345 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3346 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3347 goto out; 3348 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3349 goto out; 3350 3351 r = sshbuf_putb(blob, encrypted); 3352 3353 out: 3354 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3355 explicit_bzero(buf, sizeof(buf)); 3356 if (buffer != NULL) 3357 sshbuf_free(buffer); 3358 if (encrypted != NULL) 3359 sshbuf_free(encrypted); 3360 3361 return r; 3362 } 3363 #endif /* WITH_SSH1 */ 3364 3365 #ifdef WITH_OPENSSL 3366 /* convert SSH v2 key in OpenSSL PEM format */ 3367 static int 3368 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3369 const char *_passphrase, const char *comment) 3370 { 3371 int success, r; 3372 int blen, len = strlen(_passphrase); 3373 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3374 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3375 const u_char *bptr; 3376 BIO *bio = NULL; 3377 3378 if (len > 0 && len <= 4) 3379 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3380 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3381 return SSH_ERR_ALLOC_FAIL; 3382 3383 switch (key->type) { 3384 case KEY_DSA: 3385 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3386 cipher, passphrase, len, NULL, NULL); 3387 break; 3388 case KEY_ECDSA: 3389 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3390 cipher, passphrase, len, NULL, NULL); 3391 break; 3392 case KEY_RSA: 3393 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3394 cipher, passphrase, len, NULL, NULL); 3395 break; 3396 default: 3397 success = 0; 3398 break; 3399 } 3400 if (success == 0) { 3401 r = SSH_ERR_LIBCRYPTO_ERROR; 3402 goto out; 3403 } 3404 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3405 r = SSH_ERR_INTERNAL_ERROR; 3406 goto out; 3407 } 3408 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3409 goto out; 3410 r = 0; 3411 out: 3412 BIO_free(bio); 3413 return r; 3414 } 3415 #endif /* WITH_OPENSSL */ 3416 3417 /* Serialise "key" to buffer "blob" */ 3418 int 3419 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3420 const char *passphrase, const char *comment, 3421 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3422 { 3423 switch (key->type) { 3424 #ifdef WITH_OPENSSL 3425 case KEY_RSA1: 3426 return sshkey_private_rsa1_to_blob(key, blob, 3427 passphrase, comment); 3428 case KEY_DSA: 3429 case KEY_ECDSA: 3430 case KEY_RSA: 3431 if (force_new_format) { 3432 return sshkey_private_to_blob2(key, blob, passphrase, 3433 comment, new_format_cipher, new_format_rounds); 3434 } 3435 return sshkey_private_pem_to_blob(key, blob, 3436 passphrase, comment); 3437 #endif /* WITH_OPENSSL */ 3438 case KEY_ED25519: 3439 return sshkey_private_to_blob2(key, blob, passphrase, 3440 comment, new_format_cipher, new_format_rounds); 3441 default: 3442 return SSH_ERR_KEY_TYPE_UNKNOWN; 3443 } 3444 } 3445 3446 #ifdef WITH_SSH1 3447 /* 3448 * Parse the public, unencrypted portion of a RSA1 key. 3449 */ 3450 int 3451 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3452 struct sshkey **keyp, char **commentp) 3453 { 3454 int r; 3455 struct sshkey *pub = NULL; 3456 struct sshbuf *copy = NULL; 3457 3458 if (keyp != NULL) 3459 *keyp = NULL; 3460 if (commentp != NULL) 3461 *commentp = NULL; 3462 3463 /* Check that it is at least big enough to contain the ID string. */ 3464 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3465 return SSH_ERR_INVALID_FORMAT; 3466 3467 /* 3468 * Make sure it begins with the id string. Consume the id string 3469 * from the buffer. 3470 */ 3471 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3472 return SSH_ERR_INVALID_FORMAT; 3473 /* Make a working copy of the keyblob and skip past the magic */ 3474 if ((copy = sshbuf_fromb(blob)) == NULL) 3475 return SSH_ERR_ALLOC_FAIL; 3476 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3477 goto out; 3478 3479 /* Skip cipher type, reserved data and key bits. */ 3480 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3481 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3482 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3483 goto out; 3484 3485 /* Read the public key from the buffer. */ 3486 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3487 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3488 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3489 goto out; 3490 3491 /* Finally, the comment */ 3492 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3493 goto out; 3494 3495 /* The encrypted private part is not parsed by this function. */ 3496 3497 r = 0; 3498 if (keyp != NULL) 3499 *keyp = pub; 3500 else 3501 sshkey_free(pub); 3502 pub = NULL; 3503 3504 out: 3505 if (copy != NULL) 3506 sshbuf_free(copy); 3507 if (pub != NULL) 3508 sshkey_free(pub); 3509 return r; 3510 } 3511 3512 static int 3513 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3514 struct sshkey **keyp, char **commentp) 3515 { 3516 int r; 3517 u_int16_t check1, check2; 3518 u_int8_t cipher_type; 3519 struct sshbuf *decrypted = NULL, *copy = NULL; 3520 u_char *cp; 3521 char *comment = NULL; 3522 struct sshcipher_ctx ciphercontext; 3523 const struct sshcipher *cipher; 3524 struct sshkey *prv = NULL; 3525 3526 *keyp = NULL; 3527 if (commentp != NULL) 3528 *commentp = NULL; 3529 3530 /* Check that it is at least big enough to contain the ID string. */ 3531 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3532 return SSH_ERR_INVALID_FORMAT; 3533 3534 /* 3535 * Make sure it begins with the id string. Consume the id string 3536 * from the buffer. 3537 */ 3538 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3539 return SSH_ERR_INVALID_FORMAT; 3540 3541 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3542 r = SSH_ERR_ALLOC_FAIL; 3543 goto out; 3544 } 3545 if ((copy = sshbuf_fromb(blob)) == NULL || 3546 (decrypted = sshbuf_new()) == NULL) { 3547 r = SSH_ERR_ALLOC_FAIL; 3548 goto out; 3549 } 3550 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3551 goto out; 3552 3553 /* Read cipher type. */ 3554 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3555 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3556 goto out; 3557 3558 /* Read the public key and comment from the buffer. */ 3559 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3560 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3561 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3562 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3563 goto out; 3564 3565 /* Check that it is a supported cipher. */ 3566 cipher = cipher_by_number(cipher_type); 3567 if (cipher == NULL) { 3568 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3569 goto out; 3570 } 3571 /* Initialize space for decrypted data. */ 3572 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3573 goto out; 3574 3575 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3576 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3577 CIPHER_DECRYPT)) != 0) 3578 goto out; 3579 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3580 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { 3581 cipher_cleanup(&ciphercontext); 3582 goto out; 3583 } 3584 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3585 goto out; 3586 3587 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3588 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3589 goto out; 3590 if (check1 != check2) { 3591 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3592 goto out; 3593 } 3594 3595 /* Read the rest of the private key. */ 3596 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3597 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3598 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3599 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3600 goto out; 3601 3602 /* calculate p-1 and q-1 */ 3603 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3604 goto out; 3605 3606 /* enable blinding */ 3607 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3608 r = SSH_ERR_LIBCRYPTO_ERROR; 3609 goto out; 3610 } 3611 r = 0; 3612 *keyp = prv; 3613 prv = NULL; 3614 if (commentp != NULL) { 3615 *commentp = comment; 3616 comment = NULL; 3617 } 3618 out: 3619 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3620 if (comment != NULL) 3621 free(comment); 3622 if (prv != NULL) 3623 sshkey_free(prv); 3624 if (copy != NULL) 3625 sshbuf_free(copy); 3626 if (decrypted != NULL) 3627 sshbuf_free(decrypted); 3628 return r; 3629 } 3630 #endif /* WITH_SSH1 */ 3631 3632 #ifdef WITH_OPENSSL 3633 /* XXX make private once ssh-keysign.c fixed */ 3634 int 3635 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3636 const char *passphrase, struct sshkey **keyp, char **commentp) 3637 { 3638 EVP_PKEY *pk = NULL; 3639 struct sshkey *prv = NULL; 3640 char *name = "<no key>"; 3641 BIO *bio = NULL; 3642 int r; 3643 3644 *keyp = NULL; 3645 if (commentp != NULL) 3646 *commentp = NULL; 3647 3648 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3649 return SSH_ERR_ALLOC_FAIL; 3650 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3651 (int)sshbuf_len(blob)) { 3652 r = SSH_ERR_ALLOC_FAIL; 3653 goto out; 3654 } 3655 3656 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3657 (char *)passphrase)) == NULL) { 3658 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3659 goto out; 3660 } 3661 if (pk->type == EVP_PKEY_RSA && 3662 (type == KEY_UNSPEC || type == KEY_RSA)) { 3663 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3664 r = SSH_ERR_ALLOC_FAIL; 3665 goto out; 3666 } 3667 prv->rsa = EVP_PKEY_get1_RSA(pk); 3668 prv->type = KEY_RSA; 3669 name = "rsa w/o comment"; 3670 #ifdef DEBUG_PK 3671 RSA_print_fp(stderr, prv->rsa, 8); 3672 #endif 3673 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3674 r = SSH_ERR_LIBCRYPTO_ERROR; 3675 goto out; 3676 } 3677 } else if (pk->type == EVP_PKEY_DSA && 3678 (type == KEY_UNSPEC || type == KEY_DSA)) { 3679 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3680 r = SSH_ERR_ALLOC_FAIL; 3681 goto out; 3682 } 3683 prv->dsa = EVP_PKEY_get1_DSA(pk); 3684 prv->type = KEY_DSA; 3685 name = "dsa w/o comment"; 3686 #ifdef DEBUG_PK 3687 DSA_print_fp(stderr, prv->dsa, 8); 3688 #endif 3689 } else if (pk->type == EVP_PKEY_EC && 3690 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3691 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3692 r = SSH_ERR_ALLOC_FAIL; 3693 goto out; 3694 } 3695 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3696 prv->type = KEY_ECDSA; 3697 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3698 if (prv->ecdsa_nid == -1 || 3699 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3700 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3701 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3702 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3703 r = SSH_ERR_INVALID_FORMAT; 3704 goto out; 3705 } 3706 name = "ecdsa w/o comment"; 3707 #ifdef DEBUG_PK 3708 if (prv != NULL && prv->ecdsa != NULL) 3709 sshkey_dump_ec_key(prv->ecdsa); 3710 #endif 3711 } else { 3712 r = SSH_ERR_INVALID_FORMAT; 3713 goto out; 3714 } 3715 if (commentp != NULL && 3716 (*commentp = strdup(name)) == NULL) { 3717 r = SSH_ERR_ALLOC_FAIL; 3718 goto out; 3719 } 3720 r = 0; 3721 *keyp = prv; 3722 prv = NULL; 3723 out: 3724 BIO_free(bio); 3725 if (pk != NULL) 3726 EVP_PKEY_free(pk); 3727 if (prv != NULL) 3728 sshkey_free(prv); 3729 return r; 3730 } 3731 #endif /* WITH_OPENSSL */ 3732 3733 int 3734 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3735 const char *passphrase, struct sshkey **keyp, char **commentp) 3736 { 3737 int r; 3738 3739 *keyp = NULL; 3740 if (commentp != NULL) 3741 *commentp = NULL; 3742 3743 switch (type) { 3744 #ifdef WITH_OPENSSL 3745 case KEY_RSA1: 3746 return sshkey_parse_private_rsa1(blob, passphrase, 3747 keyp, commentp); 3748 case KEY_DSA: 3749 case KEY_ECDSA: 3750 case KEY_RSA: 3751 return sshkey_parse_private_pem_fileblob(blob, type, passphrase, 3752 keyp, commentp); 3753 #endif /* WITH_OPENSSL */ 3754 case KEY_ED25519: 3755 return sshkey_parse_private2(blob, type, passphrase, 3756 keyp, commentp); 3757 case KEY_UNSPEC: 3758 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, 3759 commentp)) == 0) 3760 return 0; 3761 #ifdef WITH_OPENSSL 3762 return sshkey_parse_private_pem_fileblob(blob, type, passphrase, 3763 keyp, commentp); 3764 #else 3765 return SSH_ERR_INVALID_FORMAT; 3766 #endif /* WITH_OPENSSL */ 3767 default: 3768 return SSH_ERR_KEY_TYPE_UNKNOWN; 3769 } 3770 } 3771 3772 int 3773 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3774 const char *filename, struct sshkey **keyp, char **commentp) 3775 { 3776 int r; 3777 3778 if (keyp != NULL) 3779 *keyp = NULL; 3780 if (commentp != NULL) 3781 *commentp = NULL; 3782 3783 #ifdef WITH_SSH1 3784 /* it's a SSH v1 key if the public key part is readable */ 3785 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { 3786 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3787 passphrase, keyp, commentp); 3788 } 3789 #endif /* WITH_SSH1 */ 3790 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3791 passphrase, keyp, commentp)) == 0) 3792 return 0; 3793 return r; 3794 } 3795