1 /* $OpenBSD: sshkey.c,v 1.75 2019/05/20 00:20:35 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include <sys/types.h> 29 #include <netinet/in.h> 30 31 #ifdef WITH_OPENSSL 32 #include <openssl/evp.h> 33 #include <openssl/err.h> 34 #include <openssl/pem.h> 35 #endif 36 37 #include "crypto_api.h" 38 39 #include <errno.h> 40 #include <stdio.h> 41 #include <string.h> 42 #include <util.h> 43 #include <limits.h> 44 #include <resolv.h> 45 46 #include "ssh2.h" 47 #include "ssherr.h" 48 #include "misc.h" 49 #include "sshbuf.h" 50 #include "cipher.h" 51 #include "digest.h" 52 #define SSHKEY_INTERNAL 53 #include "sshkey.h" 54 #include "match.h" 55 56 #ifdef WITH_XMSS 57 #include "sshkey-xmss.h" 58 #include "xmss_fast.h" 59 #endif 60 61 /* openssh private key file format */ 62 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 63 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 64 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 65 #define MARK_END_LEN (sizeof(MARK_END) - 1) 66 #define KDFNAME "bcrypt" 67 #define AUTH_MAGIC "openssh-key-v1" 68 #define SALT_LEN 16 69 #define DEFAULT_CIPHERNAME "aes256-ctr" 70 #define DEFAULT_ROUNDS 16 71 72 /* Version identification string for SSH v1 identity files. */ 73 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 74 75 int sshkey_private_serialize_opt(const struct sshkey *key, 76 struct sshbuf *buf, enum sshkey_serialize_rep); 77 static int sshkey_from_blob_internal(struct sshbuf *buf, 78 struct sshkey **keyp, int allow_cert); 79 static int get_sigtype(const u_char *sig, size_t siglen, char **sigtypep); 80 81 /* Supported key types */ 82 struct keytype { 83 const char *name; 84 const char *shortname; 85 const char *sigalg; 86 int type; 87 int nid; 88 int cert; 89 int sigonly; 90 }; 91 static const struct keytype keytypes[] = { 92 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 }, 93 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL, 94 KEY_ED25519_CERT, 0, 1, 0 }, 95 #ifdef WITH_XMSS 96 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 }, 97 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL, 98 KEY_XMSS_CERT, 0, 1, 0 }, 99 #endif /* WITH_XMSS */ 100 #ifdef WITH_OPENSSL 101 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 }, 102 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 103 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 }, 104 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 }, 105 { "ecdsa-sha2-nistp256", "ECDSA", NULL, 106 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 107 { "ecdsa-sha2-nistp384", "ECDSA", NULL, 108 KEY_ECDSA, NID_secp384r1, 0, 0 }, 109 { "ecdsa-sha2-nistp521", "ECDSA", NULL, 110 KEY_ECDSA, NID_secp521r1, 0, 0 }, 111 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, 112 KEY_RSA_CERT, 0, 1, 0 }, 113 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", 114 "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, 115 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", 116 "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, 117 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL, 118 KEY_DSA_CERT, 0, 1, 0 }, 119 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL, 120 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 121 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL, 122 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 123 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL, 124 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 125 #endif /* WITH_OPENSSL */ 126 { NULL, NULL, NULL, -1, -1, 0, 0 } 127 }; 128 129 const char * 130 sshkey_type(const struct sshkey *k) 131 { 132 const struct keytype *kt; 133 134 for (kt = keytypes; kt->type != -1; kt++) { 135 if (kt->type == k->type) 136 return kt->shortname; 137 } 138 return "unknown"; 139 } 140 141 static const char * 142 sshkey_ssh_name_from_type_nid(int type, int nid) 143 { 144 const struct keytype *kt; 145 146 for (kt = keytypes; kt->type != -1; kt++) { 147 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 148 return kt->name; 149 } 150 return "ssh-unknown"; 151 } 152 153 int 154 sshkey_type_is_cert(int type) 155 { 156 const struct keytype *kt; 157 158 for (kt = keytypes; kt->type != -1; kt++) { 159 if (kt->type == type) 160 return kt->cert; 161 } 162 return 0; 163 } 164 165 const char * 166 sshkey_ssh_name(const struct sshkey *k) 167 { 168 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 169 } 170 171 const char * 172 sshkey_ssh_name_plain(const struct sshkey *k) 173 { 174 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 175 k->ecdsa_nid); 176 } 177 178 int 179 sshkey_type_from_name(const char *name) 180 { 181 const struct keytype *kt; 182 183 for (kt = keytypes; kt->type != -1; kt++) { 184 /* Only allow shortname matches for plain key types */ 185 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 186 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 187 return kt->type; 188 } 189 return KEY_UNSPEC; 190 } 191 192 int 193 sshkey_ecdsa_nid_from_name(const char *name) 194 { 195 const struct keytype *kt; 196 197 for (kt = keytypes; kt->type != -1; kt++) { 198 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 199 continue; 200 if (kt->name != NULL && strcmp(name, kt->name) == 0) 201 return kt->nid; 202 } 203 return -1; 204 } 205 206 char * 207 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 208 { 209 char *tmp, *ret = NULL; 210 size_t nlen, rlen = 0; 211 const struct keytype *kt; 212 213 for (kt = keytypes; kt->type != -1; kt++) { 214 if (kt->name == NULL) 215 continue; 216 if (!include_sigonly && kt->sigonly) 217 continue; 218 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 219 continue; 220 if (ret != NULL) 221 ret[rlen++] = sep; 222 nlen = strlen(kt->name); 223 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 224 free(ret); 225 return NULL; 226 } 227 ret = tmp; 228 memcpy(ret + rlen, kt->name, nlen + 1); 229 rlen += nlen; 230 } 231 return ret; 232 } 233 234 int 235 sshkey_names_valid2(const char *names, int allow_wildcard) 236 { 237 char *s, *cp, *p; 238 const struct keytype *kt; 239 int type; 240 241 if (names == NULL || strcmp(names, "") == 0) 242 return 0; 243 if ((s = cp = strdup(names)) == NULL) 244 return 0; 245 for ((p = strsep(&cp, ",")); p && *p != '\0'; 246 (p = strsep(&cp, ","))) { 247 type = sshkey_type_from_name(p); 248 if (type == KEY_UNSPEC) { 249 if (allow_wildcard) { 250 /* 251 * Try matching key types against the string. 252 * If any has a positive or negative match then 253 * the component is accepted. 254 */ 255 for (kt = keytypes; kt->type != -1; kt++) { 256 if (match_pattern_list(kt->name, 257 p, 0) != 0) 258 break; 259 } 260 if (kt->type != -1) 261 continue; 262 } 263 free(s); 264 return 0; 265 } 266 } 267 free(s); 268 return 1; 269 } 270 271 u_int 272 sshkey_size(const struct sshkey *k) 273 { 274 #ifdef WITH_OPENSSL 275 const BIGNUM *rsa_n, *dsa_p; 276 #endif /* WITH_OPENSSL */ 277 278 switch (k->type) { 279 #ifdef WITH_OPENSSL 280 case KEY_RSA: 281 case KEY_RSA_CERT: 282 if (k->rsa == NULL) 283 return 0; 284 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); 285 return BN_num_bits(rsa_n); 286 case KEY_DSA: 287 case KEY_DSA_CERT: 288 if (k->dsa == NULL) 289 return 0; 290 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL); 291 return BN_num_bits(dsa_p); 292 case KEY_ECDSA: 293 case KEY_ECDSA_CERT: 294 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 295 #endif /* WITH_OPENSSL */ 296 case KEY_ED25519: 297 case KEY_ED25519_CERT: 298 case KEY_XMSS: 299 case KEY_XMSS_CERT: 300 return 256; /* XXX */ 301 } 302 return 0; 303 } 304 305 static int 306 sshkey_type_is_valid_ca(int type) 307 { 308 switch (type) { 309 case KEY_RSA: 310 case KEY_DSA: 311 case KEY_ECDSA: 312 case KEY_ED25519: 313 case KEY_XMSS: 314 return 1; 315 default: 316 return 0; 317 } 318 } 319 320 int 321 sshkey_is_cert(const struct sshkey *k) 322 { 323 if (k == NULL) 324 return 0; 325 return sshkey_type_is_cert(k->type); 326 } 327 328 /* Return the cert-less equivalent to a certified key type */ 329 int 330 sshkey_type_plain(int type) 331 { 332 switch (type) { 333 case KEY_RSA_CERT: 334 return KEY_RSA; 335 case KEY_DSA_CERT: 336 return KEY_DSA; 337 case KEY_ECDSA_CERT: 338 return KEY_ECDSA; 339 case KEY_ED25519_CERT: 340 return KEY_ED25519; 341 case KEY_XMSS_CERT: 342 return KEY_XMSS; 343 default: 344 return type; 345 } 346 } 347 348 #ifdef WITH_OPENSSL 349 /* XXX: these are really begging for a table-driven approach */ 350 int 351 sshkey_curve_name_to_nid(const char *name) 352 { 353 if (strcmp(name, "nistp256") == 0) 354 return NID_X9_62_prime256v1; 355 else if (strcmp(name, "nistp384") == 0) 356 return NID_secp384r1; 357 else if (strcmp(name, "nistp521") == 0) 358 return NID_secp521r1; 359 else 360 return -1; 361 } 362 363 u_int 364 sshkey_curve_nid_to_bits(int nid) 365 { 366 switch (nid) { 367 case NID_X9_62_prime256v1: 368 return 256; 369 case NID_secp384r1: 370 return 384; 371 case NID_secp521r1: 372 return 521; 373 default: 374 return 0; 375 } 376 } 377 378 int 379 sshkey_ecdsa_bits_to_nid(int bits) 380 { 381 switch (bits) { 382 case 256: 383 return NID_X9_62_prime256v1; 384 case 384: 385 return NID_secp384r1; 386 case 521: 387 return NID_secp521r1; 388 default: 389 return -1; 390 } 391 } 392 393 const char * 394 sshkey_curve_nid_to_name(int nid) 395 { 396 switch (nid) { 397 case NID_X9_62_prime256v1: 398 return "nistp256"; 399 case NID_secp384r1: 400 return "nistp384"; 401 case NID_secp521r1: 402 return "nistp521"; 403 default: 404 return NULL; 405 } 406 } 407 408 int 409 sshkey_ec_nid_to_hash_alg(int nid) 410 { 411 int kbits = sshkey_curve_nid_to_bits(nid); 412 413 if (kbits <= 0) 414 return -1; 415 416 /* RFC5656 section 6.2.1 */ 417 if (kbits <= 256) 418 return SSH_DIGEST_SHA256; 419 else if (kbits <= 384) 420 return SSH_DIGEST_SHA384; 421 else 422 return SSH_DIGEST_SHA512; 423 } 424 #endif /* WITH_OPENSSL */ 425 426 static void 427 cert_free(struct sshkey_cert *cert) 428 { 429 u_int i; 430 431 if (cert == NULL) 432 return; 433 sshbuf_free(cert->certblob); 434 sshbuf_free(cert->critical); 435 sshbuf_free(cert->extensions); 436 free(cert->key_id); 437 for (i = 0; i < cert->nprincipals; i++) 438 free(cert->principals[i]); 439 free(cert->principals); 440 sshkey_free(cert->signature_key); 441 free(cert->signature_type); 442 freezero(cert, sizeof(*cert)); 443 } 444 445 static struct sshkey_cert * 446 cert_new(void) 447 { 448 struct sshkey_cert *cert; 449 450 if ((cert = calloc(1, sizeof(*cert))) == NULL) 451 return NULL; 452 if ((cert->certblob = sshbuf_new()) == NULL || 453 (cert->critical = sshbuf_new()) == NULL || 454 (cert->extensions = sshbuf_new()) == NULL) { 455 cert_free(cert); 456 return NULL; 457 } 458 cert->key_id = NULL; 459 cert->principals = NULL; 460 cert->signature_key = NULL; 461 cert->signature_type = NULL; 462 return cert; 463 } 464 465 struct sshkey * 466 sshkey_new(int type) 467 { 468 struct sshkey *k; 469 #ifdef WITH_OPENSSL 470 RSA *rsa; 471 DSA *dsa; 472 #endif /* WITH_OPENSSL */ 473 474 if ((k = calloc(1, sizeof(*k))) == NULL) 475 return NULL; 476 k->type = type; 477 k->ecdsa = NULL; 478 k->ecdsa_nid = -1; 479 k->dsa = NULL; 480 k->rsa = NULL; 481 k->cert = NULL; 482 k->ed25519_sk = NULL; 483 k->ed25519_pk = NULL; 484 k->xmss_sk = NULL; 485 k->xmss_pk = NULL; 486 switch (k->type) { 487 #ifdef WITH_OPENSSL 488 case KEY_RSA: 489 case KEY_RSA_CERT: 490 if ((rsa = RSA_new()) == NULL) { 491 free(k); 492 return NULL; 493 } 494 k->rsa = rsa; 495 break; 496 case KEY_DSA: 497 case KEY_DSA_CERT: 498 if ((dsa = DSA_new()) == NULL) { 499 free(k); 500 return NULL; 501 } 502 k->dsa = dsa; 503 break; 504 case KEY_ECDSA: 505 case KEY_ECDSA_CERT: 506 /* Cannot do anything until we know the group */ 507 break; 508 #endif /* WITH_OPENSSL */ 509 case KEY_ED25519: 510 case KEY_ED25519_CERT: 511 case KEY_XMSS: 512 case KEY_XMSS_CERT: 513 /* no need to prealloc */ 514 break; 515 case KEY_UNSPEC: 516 break; 517 default: 518 free(k); 519 return NULL; 520 } 521 522 if (sshkey_is_cert(k)) { 523 if ((k->cert = cert_new()) == NULL) { 524 sshkey_free(k); 525 return NULL; 526 } 527 } 528 529 return k; 530 } 531 532 void 533 sshkey_free(struct sshkey *k) 534 { 535 if (k == NULL) 536 return; 537 switch (k->type) { 538 #ifdef WITH_OPENSSL 539 case KEY_RSA: 540 case KEY_RSA_CERT: 541 RSA_free(k->rsa); 542 k->rsa = NULL; 543 break; 544 case KEY_DSA: 545 case KEY_DSA_CERT: 546 DSA_free(k->dsa); 547 k->dsa = NULL; 548 break; 549 case KEY_ECDSA: 550 case KEY_ECDSA_CERT: 551 EC_KEY_free(k->ecdsa); 552 k->ecdsa = NULL; 553 break; 554 #endif /* WITH_OPENSSL */ 555 case KEY_ED25519: 556 case KEY_ED25519_CERT: 557 freezero(k->ed25519_pk, ED25519_PK_SZ); 558 k->ed25519_pk = NULL; 559 freezero(k->ed25519_sk, ED25519_SK_SZ); 560 k->ed25519_sk = NULL; 561 break; 562 #ifdef WITH_XMSS 563 case KEY_XMSS: 564 case KEY_XMSS_CERT: 565 freezero(k->xmss_pk, sshkey_xmss_pklen(k)); 566 k->xmss_pk = NULL; 567 freezero(k->xmss_sk, sshkey_xmss_sklen(k)); 568 k->xmss_sk = NULL; 569 sshkey_xmss_free_state(k); 570 free(k->xmss_name); 571 k->xmss_name = NULL; 572 free(k->xmss_filename); 573 k->xmss_filename = NULL; 574 break; 575 #endif /* WITH_XMSS */ 576 case KEY_UNSPEC: 577 break; 578 default: 579 break; 580 } 581 if (sshkey_is_cert(k)) 582 cert_free(k->cert); 583 freezero(k, sizeof(*k)); 584 } 585 586 static int 587 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 588 { 589 if (a == NULL && b == NULL) 590 return 1; 591 if (a == NULL || b == NULL) 592 return 0; 593 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 594 return 0; 595 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 596 sshbuf_len(a->certblob)) != 0) 597 return 0; 598 return 1; 599 } 600 601 /* 602 * Compare public portions of key only, allowing comparisons between 603 * certificates and plain keys too. 604 */ 605 int 606 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 607 { 608 #ifdef WITH_OPENSSL 609 BN_CTX *bnctx; 610 const BIGNUM *rsa_e_a, *rsa_n_a; 611 const BIGNUM *rsa_e_b, *rsa_n_b; 612 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; 613 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; 614 #endif /* WITH_OPENSSL */ 615 616 if (a == NULL || b == NULL || 617 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 618 return 0; 619 620 switch (a->type) { 621 #ifdef WITH_OPENSSL 622 case KEY_RSA_CERT: 623 case KEY_RSA: 624 if (a->rsa == NULL || b->rsa == NULL) 625 return 0; 626 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL); 627 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL); 628 return BN_cmp(rsa_e_a, rsa_e_b) == 0 && 629 BN_cmp(rsa_n_a, rsa_n_b) == 0; 630 case KEY_DSA_CERT: 631 case KEY_DSA: 632 if (a->dsa == NULL || b->dsa == NULL) 633 return 0; 634 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); 635 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); 636 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL); 637 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL); 638 return BN_cmp(dsa_p_a, dsa_p_b) == 0 && 639 BN_cmp(dsa_q_a, dsa_q_b) == 0 && 640 BN_cmp(dsa_g_a, dsa_g_b) == 0 && 641 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; 642 case KEY_ECDSA_CERT: 643 case KEY_ECDSA: 644 if (a->ecdsa == NULL || b->ecdsa == NULL || 645 EC_KEY_get0_public_key(a->ecdsa) == NULL || 646 EC_KEY_get0_public_key(b->ecdsa) == NULL) 647 return 0; 648 if ((bnctx = BN_CTX_new()) == NULL) 649 return 0; 650 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 651 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 652 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 653 EC_KEY_get0_public_key(a->ecdsa), 654 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 655 BN_CTX_free(bnctx); 656 return 0; 657 } 658 BN_CTX_free(bnctx); 659 return 1; 660 #endif /* WITH_OPENSSL */ 661 case KEY_ED25519: 662 case KEY_ED25519_CERT: 663 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 664 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 665 #ifdef WITH_XMSS 666 case KEY_XMSS: 667 case KEY_XMSS_CERT: 668 return a->xmss_pk != NULL && b->xmss_pk != NULL && 669 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && 670 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; 671 #endif /* WITH_XMSS */ 672 default: 673 return 0; 674 } 675 /* NOTREACHED */ 676 } 677 678 int 679 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 680 { 681 if (a == NULL || b == NULL || a->type != b->type) 682 return 0; 683 if (sshkey_is_cert(a)) { 684 if (!cert_compare(a->cert, b->cert)) 685 return 0; 686 } 687 return sshkey_equal_public(a, b); 688 } 689 690 static int 691 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 692 enum sshkey_serialize_rep opts) 693 { 694 int type, ret = SSH_ERR_INTERNAL_ERROR; 695 const char *typename; 696 #ifdef WITH_OPENSSL 697 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 698 #endif /* WITH_OPENSSL */ 699 700 if (key == NULL) 701 return SSH_ERR_INVALID_ARGUMENT; 702 703 if (sshkey_is_cert(key)) { 704 if (key->cert == NULL) 705 return SSH_ERR_EXPECTED_CERT; 706 if (sshbuf_len(key->cert->certblob) == 0) 707 return SSH_ERR_KEY_LACKS_CERTBLOB; 708 } 709 type = force_plain ? sshkey_type_plain(key->type) : key->type; 710 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 711 712 switch (type) { 713 #ifdef WITH_OPENSSL 714 case KEY_DSA_CERT: 715 case KEY_ECDSA_CERT: 716 case KEY_RSA_CERT: 717 #endif /* WITH_OPENSSL */ 718 case KEY_ED25519_CERT: 719 #ifdef WITH_XMSS 720 case KEY_XMSS_CERT: 721 #endif /* WITH_XMSS */ 722 /* Use the existing blob */ 723 /* XXX modified flag? */ 724 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 725 return ret; 726 break; 727 #ifdef WITH_OPENSSL 728 case KEY_DSA: 729 if (key->dsa == NULL) 730 return SSH_ERR_INVALID_ARGUMENT; 731 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 732 DSA_get0_key(key->dsa, &dsa_pub_key, NULL); 733 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 734 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || 735 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || 736 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || 737 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) 738 return ret; 739 break; 740 case KEY_ECDSA: 741 if (key->ecdsa == NULL) 742 return SSH_ERR_INVALID_ARGUMENT; 743 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 744 (ret = sshbuf_put_cstring(b, 745 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 746 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 747 return ret; 748 break; 749 case KEY_RSA: 750 if (key->rsa == NULL) 751 return SSH_ERR_INVALID_ARGUMENT; 752 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL); 753 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 754 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || 755 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) 756 return ret; 757 break; 758 #endif /* WITH_OPENSSL */ 759 case KEY_ED25519: 760 if (key->ed25519_pk == NULL) 761 return SSH_ERR_INVALID_ARGUMENT; 762 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 763 (ret = sshbuf_put_string(b, 764 key->ed25519_pk, ED25519_PK_SZ)) != 0) 765 return ret; 766 break; 767 #ifdef WITH_XMSS 768 case KEY_XMSS: 769 if (key->xmss_name == NULL || key->xmss_pk == NULL || 770 sshkey_xmss_pklen(key) == 0) 771 return SSH_ERR_INVALID_ARGUMENT; 772 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 773 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 774 (ret = sshbuf_put_string(b, 775 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || 776 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) 777 return ret; 778 break; 779 #endif /* WITH_XMSS */ 780 default: 781 return SSH_ERR_KEY_TYPE_UNKNOWN; 782 } 783 return 0; 784 } 785 786 int 787 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 788 { 789 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 790 } 791 792 int 793 sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, 794 enum sshkey_serialize_rep opts) 795 { 796 struct sshbuf *tmp; 797 int r; 798 799 if ((tmp = sshbuf_new()) == NULL) 800 return SSH_ERR_ALLOC_FAIL; 801 r = to_blob_buf(key, tmp, 0, opts); 802 if (r == 0) 803 r = sshbuf_put_stringb(b, tmp); 804 sshbuf_free(tmp); 805 return r; 806 } 807 808 int 809 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 810 { 811 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); 812 } 813 814 int 815 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 816 { 817 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 818 } 819 820 static int 821 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 822 enum sshkey_serialize_rep opts) 823 { 824 int ret = SSH_ERR_INTERNAL_ERROR; 825 size_t len; 826 struct sshbuf *b = NULL; 827 828 if (lenp != NULL) 829 *lenp = 0; 830 if (blobp != NULL) 831 *blobp = NULL; 832 if ((b = sshbuf_new()) == NULL) 833 return SSH_ERR_ALLOC_FAIL; 834 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 835 goto out; 836 len = sshbuf_len(b); 837 if (lenp != NULL) 838 *lenp = len; 839 if (blobp != NULL) { 840 if ((*blobp = malloc(len)) == NULL) { 841 ret = SSH_ERR_ALLOC_FAIL; 842 goto out; 843 } 844 memcpy(*blobp, sshbuf_ptr(b), len); 845 } 846 ret = 0; 847 out: 848 sshbuf_free(b); 849 return ret; 850 } 851 852 int 853 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 854 { 855 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 856 } 857 858 int 859 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 860 { 861 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 862 } 863 864 int 865 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 866 u_char **retp, size_t *lenp) 867 { 868 u_char *blob = NULL, *ret = NULL; 869 size_t blob_len = 0; 870 int r = SSH_ERR_INTERNAL_ERROR; 871 872 if (retp != NULL) 873 *retp = NULL; 874 if (lenp != NULL) 875 *lenp = 0; 876 if (ssh_digest_bytes(dgst_alg) == 0) { 877 r = SSH_ERR_INVALID_ARGUMENT; 878 goto out; 879 } 880 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 881 != 0) 882 goto out; 883 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 884 r = SSH_ERR_ALLOC_FAIL; 885 goto out; 886 } 887 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 888 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 889 goto out; 890 /* success */ 891 if (retp != NULL) { 892 *retp = ret; 893 ret = NULL; 894 } 895 if (lenp != NULL) 896 *lenp = ssh_digest_bytes(dgst_alg); 897 r = 0; 898 out: 899 free(ret); 900 if (blob != NULL) { 901 explicit_bzero(blob, blob_len); 902 free(blob); 903 } 904 return r; 905 } 906 907 static char * 908 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 909 { 910 char *ret; 911 size_t plen = strlen(alg) + 1; 912 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 913 int r; 914 915 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 916 return NULL; 917 strlcpy(ret, alg, rlen); 918 strlcat(ret, ":", rlen); 919 if (dgst_raw_len == 0) 920 return ret; 921 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 922 ret + plen, rlen - plen)) == -1) { 923 freezero(ret, rlen); 924 return NULL; 925 } 926 /* Trim padding characters from end */ 927 ret[strcspn(ret, "=")] = '\0'; 928 return ret; 929 } 930 931 static char * 932 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 933 { 934 char *retval, hex[5]; 935 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 936 937 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 938 return NULL; 939 strlcpy(retval, alg, rlen); 940 strlcat(retval, ":", rlen); 941 for (i = 0; i < dgst_raw_len; i++) { 942 snprintf(hex, sizeof(hex), "%s%02x", 943 i > 0 ? ":" : "", dgst_raw[i]); 944 strlcat(retval, hex, rlen); 945 } 946 return retval; 947 } 948 949 static char * 950 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 951 { 952 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 953 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 954 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 955 u_int i, j = 0, rounds, seed = 1; 956 char *retval; 957 958 rounds = (dgst_raw_len / 2) + 1; 959 if ((retval = calloc(rounds, 6)) == NULL) 960 return NULL; 961 retval[j++] = 'x'; 962 for (i = 0; i < rounds; i++) { 963 u_int idx0, idx1, idx2, idx3, idx4; 964 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 965 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 966 seed) % 6; 967 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 968 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 969 (seed / 6)) % 6; 970 retval[j++] = vowels[idx0]; 971 retval[j++] = consonants[idx1]; 972 retval[j++] = vowels[idx2]; 973 if ((i + 1) < rounds) { 974 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 975 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 976 retval[j++] = consonants[idx3]; 977 retval[j++] = '-'; 978 retval[j++] = consonants[idx4]; 979 seed = ((seed * 5) + 980 ((((u_int)(dgst_raw[2 * i])) * 7) + 981 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 982 } 983 } else { 984 idx0 = seed % 6; 985 idx1 = 16; 986 idx2 = seed / 6; 987 retval[j++] = vowels[idx0]; 988 retval[j++] = consonants[idx1]; 989 retval[j++] = vowels[idx2]; 990 } 991 } 992 retval[j++] = 'x'; 993 retval[j++] = '\0'; 994 return retval; 995 } 996 997 /* 998 * Draw an ASCII-Art representing the fingerprint so human brain can 999 * profit from its built-in pattern recognition ability. 1000 * This technique is called "random art" and can be found in some 1001 * scientific publications like this original paper: 1002 * 1003 * "Hash Visualization: a New Technique to improve Real-World Security", 1004 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1005 * Techniques and E-Commerce (CrypTEC '99) 1006 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1007 * 1008 * The subject came up in a talk by Dan Kaminsky, too. 1009 * 1010 * If you see the picture is different, the key is different. 1011 * If the picture looks the same, you still know nothing. 1012 * 1013 * The algorithm used here is a worm crawling over a discrete plane, 1014 * leaving a trace (augmenting the field) everywhere it goes. 1015 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1016 * makes the respective movement vector be ignored for this turn. 1017 * Graphs are not unambiguous, because circles in graphs can be 1018 * walked in either direction. 1019 */ 1020 1021 /* 1022 * Field sizes for the random art. Have to be odd, so the starting point 1023 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1024 * Else pictures would be too dense, and drawing the frame would 1025 * fail, too, because the key type would not fit in anymore. 1026 */ 1027 #define FLDBASE 8 1028 #define FLDSIZE_Y (FLDBASE + 1) 1029 #define FLDSIZE_X (FLDBASE * 2 + 1) 1030 static char * 1031 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1032 const struct sshkey *k) 1033 { 1034 /* 1035 * Chars to be used after each other every time the worm 1036 * intersects with itself. Matter of taste. 1037 */ 1038 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1039 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1040 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1041 size_t i, tlen, hlen; 1042 u_int b; 1043 int x, y, r; 1044 size_t len = strlen(augmentation_string) - 1; 1045 1046 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1047 return NULL; 1048 1049 /* initialize field */ 1050 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1051 x = FLDSIZE_X / 2; 1052 y = FLDSIZE_Y / 2; 1053 1054 /* process raw key */ 1055 for (i = 0; i < dgst_raw_len; i++) { 1056 int input; 1057 /* each byte conveys four 2-bit move commands */ 1058 input = dgst_raw[i]; 1059 for (b = 0; b < 4; b++) { 1060 /* evaluate 2 bit, rest is shifted later */ 1061 x += (input & 0x1) ? 1 : -1; 1062 y += (input & 0x2) ? 1 : -1; 1063 1064 /* assure we are still in bounds */ 1065 x = MAXIMUM(x, 0); 1066 y = MAXIMUM(y, 0); 1067 x = MINIMUM(x, FLDSIZE_X - 1); 1068 y = MINIMUM(y, FLDSIZE_Y - 1); 1069 1070 /* augment the field */ 1071 if (field[x][y] < len - 2) 1072 field[x][y]++; 1073 input = input >> 2; 1074 } 1075 } 1076 1077 /* mark starting point and end point*/ 1078 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1079 field[x][y] = len; 1080 1081 /* assemble title */ 1082 r = snprintf(title, sizeof(title), "[%s %u]", 1083 sshkey_type(k), sshkey_size(k)); 1084 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1085 if (r < 0 || r > (int)sizeof(title)) 1086 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1087 tlen = (r <= 0) ? 0 : strlen(title); 1088 1089 /* assemble hash ID. */ 1090 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1091 hlen = (r <= 0) ? 0 : strlen(hash); 1092 1093 /* output upper border */ 1094 p = retval; 1095 *p++ = '+'; 1096 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1097 *p++ = '-'; 1098 memcpy(p, title, tlen); 1099 p += tlen; 1100 for (i += tlen; i < FLDSIZE_X; i++) 1101 *p++ = '-'; 1102 *p++ = '+'; 1103 *p++ = '\n'; 1104 1105 /* output content */ 1106 for (y = 0; y < FLDSIZE_Y; y++) { 1107 *p++ = '|'; 1108 for (x = 0; x < FLDSIZE_X; x++) 1109 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1110 *p++ = '|'; 1111 *p++ = '\n'; 1112 } 1113 1114 /* output lower border */ 1115 *p++ = '+'; 1116 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1117 *p++ = '-'; 1118 memcpy(p, hash, hlen); 1119 p += hlen; 1120 for (i += hlen; i < FLDSIZE_X; i++) 1121 *p++ = '-'; 1122 *p++ = '+'; 1123 1124 return retval; 1125 } 1126 1127 char * 1128 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1129 enum sshkey_fp_rep dgst_rep) 1130 { 1131 char *retval = NULL; 1132 u_char *dgst_raw; 1133 size_t dgst_raw_len; 1134 1135 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1136 return NULL; 1137 switch (dgst_rep) { 1138 case SSH_FP_DEFAULT: 1139 if (dgst_alg == SSH_DIGEST_MD5) { 1140 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1141 dgst_raw, dgst_raw_len); 1142 } else { 1143 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1144 dgst_raw, dgst_raw_len); 1145 } 1146 break; 1147 case SSH_FP_HEX: 1148 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1149 dgst_raw, dgst_raw_len); 1150 break; 1151 case SSH_FP_BASE64: 1152 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1153 dgst_raw, dgst_raw_len); 1154 break; 1155 case SSH_FP_BUBBLEBABBLE: 1156 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1157 break; 1158 case SSH_FP_RANDOMART: 1159 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1160 dgst_raw, dgst_raw_len, k); 1161 break; 1162 default: 1163 explicit_bzero(dgst_raw, dgst_raw_len); 1164 free(dgst_raw); 1165 return NULL; 1166 } 1167 explicit_bzero(dgst_raw, dgst_raw_len); 1168 free(dgst_raw); 1169 return retval; 1170 } 1171 1172 static int 1173 peek_type_nid(const char *s, size_t l, int *nid) 1174 { 1175 const struct keytype *kt; 1176 1177 for (kt = keytypes; kt->type != -1; kt++) { 1178 if (kt->name == NULL || strlen(kt->name) != l) 1179 continue; 1180 if (memcmp(s, kt->name, l) == 0) { 1181 *nid = -1; 1182 if (kt->type == KEY_ECDSA || kt->type == KEY_ECDSA_CERT) 1183 *nid = kt->nid; 1184 return kt->type; 1185 } 1186 } 1187 return KEY_UNSPEC; 1188 } 1189 1190 1191 /* XXX this can now be made const char * */ 1192 int 1193 sshkey_read(struct sshkey *ret, char **cpp) 1194 { 1195 struct sshkey *k; 1196 char *cp, *blobcopy; 1197 size_t space; 1198 int r, type, curve_nid = -1; 1199 struct sshbuf *blob; 1200 1201 if (ret == NULL) 1202 return SSH_ERR_INVALID_ARGUMENT; 1203 1204 switch (ret->type) { 1205 case KEY_UNSPEC: 1206 case KEY_RSA: 1207 case KEY_DSA: 1208 case KEY_ECDSA: 1209 case KEY_ED25519: 1210 case KEY_DSA_CERT: 1211 case KEY_ECDSA_CERT: 1212 case KEY_RSA_CERT: 1213 case KEY_ED25519_CERT: 1214 #ifdef WITH_XMSS 1215 case KEY_XMSS: 1216 case KEY_XMSS_CERT: 1217 #endif /* WITH_XMSS */ 1218 break; /* ok */ 1219 default: 1220 return SSH_ERR_INVALID_ARGUMENT; 1221 } 1222 1223 /* Decode type */ 1224 cp = *cpp; 1225 space = strcspn(cp, " \t"); 1226 if (space == strlen(cp)) 1227 return SSH_ERR_INVALID_FORMAT; 1228 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1229 return SSH_ERR_INVALID_FORMAT; 1230 1231 /* skip whitespace */ 1232 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1233 ; 1234 if (*cp == '\0') 1235 return SSH_ERR_INVALID_FORMAT; 1236 if (ret->type != KEY_UNSPEC && ret->type != type) 1237 return SSH_ERR_KEY_TYPE_MISMATCH; 1238 if ((blob = sshbuf_new()) == NULL) 1239 return SSH_ERR_ALLOC_FAIL; 1240 1241 /* find end of keyblob and decode */ 1242 space = strcspn(cp, " \t"); 1243 if ((blobcopy = strndup(cp, space)) == NULL) { 1244 sshbuf_free(blob); 1245 return SSH_ERR_ALLOC_FAIL; 1246 } 1247 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1248 free(blobcopy); 1249 sshbuf_free(blob); 1250 return r; 1251 } 1252 free(blobcopy); 1253 if ((r = sshkey_fromb(blob, &k)) != 0) { 1254 sshbuf_free(blob); 1255 return r; 1256 } 1257 sshbuf_free(blob); 1258 1259 /* skip whitespace and leave cp at start of comment */ 1260 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1261 ; 1262 1263 /* ensure type of blob matches type at start of line */ 1264 if (k->type != type) { 1265 sshkey_free(k); 1266 return SSH_ERR_KEY_TYPE_MISMATCH; 1267 } 1268 if (sshkey_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) { 1269 sshkey_free(k); 1270 return SSH_ERR_EC_CURVE_MISMATCH; 1271 } 1272 1273 /* Fill in ret from parsed key */ 1274 ret->type = type; 1275 if (sshkey_is_cert(ret)) { 1276 if (!sshkey_is_cert(k)) { 1277 sshkey_free(k); 1278 return SSH_ERR_EXPECTED_CERT; 1279 } 1280 if (ret->cert != NULL) 1281 cert_free(ret->cert); 1282 ret->cert = k->cert; 1283 k->cert = NULL; 1284 } 1285 switch (sshkey_type_plain(ret->type)) { 1286 #ifdef WITH_OPENSSL 1287 case KEY_RSA: 1288 RSA_free(ret->rsa); 1289 ret->rsa = k->rsa; 1290 k->rsa = NULL; 1291 #ifdef DEBUG_PK 1292 RSA_print_fp(stderr, ret->rsa, 8); 1293 #endif 1294 break; 1295 case KEY_DSA: 1296 DSA_free(ret->dsa); 1297 ret->dsa = k->dsa; 1298 k->dsa = NULL; 1299 #ifdef DEBUG_PK 1300 DSA_print_fp(stderr, ret->dsa, 8); 1301 #endif 1302 break; 1303 case KEY_ECDSA: 1304 EC_KEY_free(ret->ecdsa); 1305 ret->ecdsa = k->ecdsa; 1306 ret->ecdsa_nid = k->ecdsa_nid; 1307 k->ecdsa = NULL; 1308 k->ecdsa_nid = -1; 1309 #ifdef DEBUG_PK 1310 sshkey_dump_ec_key(ret->ecdsa); 1311 #endif 1312 break; 1313 #endif /* WITH_OPENSSL */ 1314 case KEY_ED25519: 1315 freezero(ret->ed25519_pk, ED25519_PK_SZ); 1316 ret->ed25519_pk = k->ed25519_pk; 1317 k->ed25519_pk = NULL; 1318 #ifdef DEBUG_PK 1319 /* XXX */ 1320 #endif 1321 break; 1322 #ifdef WITH_XMSS 1323 case KEY_XMSS: 1324 free(ret->xmss_pk); 1325 ret->xmss_pk = k->xmss_pk; 1326 k->xmss_pk = NULL; 1327 free(ret->xmss_state); 1328 ret->xmss_state = k->xmss_state; 1329 k->xmss_state = NULL; 1330 free(ret->xmss_name); 1331 ret->xmss_name = k->xmss_name; 1332 k->xmss_name = NULL; 1333 free(ret->xmss_filename); 1334 ret->xmss_filename = k->xmss_filename; 1335 k->xmss_filename = NULL; 1336 #ifdef DEBUG_PK 1337 /* XXX */ 1338 #endif 1339 break; 1340 #endif /* WITH_XMSS */ 1341 default: 1342 sshkey_free(k); 1343 return SSH_ERR_INTERNAL_ERROR; 1344 } 1345 sshkey_free(k); 1346 1347 /* success */ 1348 *cpp = cp; 1349 return 0; 1350 } 1351 1352 int 1353 sshkey_to_base64(const struct sshkey *key, char **b64p) 1354 { 1355 int r = SSH_ERR_INTERNAL_ERROR; 1356 struct sshbuf *b = NULL; 1357 char *uu = NULL; 1358 1359 if (b64p != NULL) 1360 *b64p = NULL; 1361 if ((b = sshbuf_new()) == NULL) 1362 return SSH_ERR_ALLOC_FAIL; 1363 if ((r = sshkey_putb(key, b)) != 0) 1364 goto out; 1365 if ((uu = sshbuf_dtob64(b)) == NULL) { 1366 r = SSH_ERR_ALLOC_FAIL; 1367 goto out; 1368 } 1369 /* Success */ 1370 if (b64p != NULL) { 1371 *b64p = uu; 1372 uu = NULL; 1373 } 1374 r = 0; 1375 out: 1376 sshbuf_free(b); 1377 free(uu); 1378 return r; 1379 } 1380 1381 int 1382 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1383 { 1384 int r = SSH_ERR_INTERNAL_ERROR; 1385 char *uu = NULL; 1386 1387 if ((r = sshkey_to_base64(key, &uu)) != 0) 1388 goto out; 1389 if ((r = sshbuf_putf(b, "%s %s", 1390 sshkey_ssh_name(key), uu)) != 0) 1391 goto out; 1392 r = 0; 1393 out: 1394 free(uu); 1395 return r; 1396 } 1397 1398 int 1399 sshkey_write(const struct sshkey *key, FILE *f) 1400 { 1401 struct sshbuf *b = NULL; 1402 int r = SSH_ERR_INTERNAL_ERROR; 1403 1404 if ((b = sshbuf_new()) == NULL) 1405 return SSH_ERR_ALLOC_FAIL; 1406 if ((r = sshkey_format_text(key, b)) != 0) 1407 goto out; 1408 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1409 if (feof(f)) 1410 errno = EPIPE; 1411 r = SSH_ERR_SYSTEM_ERROR; 1412 goto out; 1413 } 1414 /* Success */ 1415 r = 0; 1416 out: 1417 sshbuf_free(b); 1418 return r; 1419 } 1420 1421 const char * 1422 sshkey_cert_type(const struct sshkey *k) 1423 { 1424 switch (k->cert->type) { 1425 case SSH2_CERT_TYPE_USER: 1426 return "user"; 1427 case SSH2_CERT_TYPE_HOST: 1428 return "host"; 1429 default: 1430 return "unknown"; 1431 } 1432 } 1433 1434 #ifdef WITH_OPENSSL 1435 static int 1436 rsa_generate_private_key(u_int bits, RSA **rsap) 1437 { 1438 RSA *private = NULL; 1439 BIGNUM *f4 = NULL; 1440 int ret = SSH_ERR_INTERNAL_ERROR; 1441 1442 if (rsap == NULL) 1443 return SSH_ERR_INVALID_ARGUMENT; 1444 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1445 bits > SSHBUF_MAX_BIGNUM * 8) 1446 return SSH_ERR_KEY_LENGTH; 1447 *rsap = NULL; 1448 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1449 ret = SSH_ERR_ALLOC_FAIL; 1450 goto out; 1451 } 1452 if (!BN_set_word(f4, RSA_F4) || 1453 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1454 ret = SSH_ERR_LIBCRYPTO_ERROR; 1455 goto out; 1456 } 1457 *rsap = private; 1458 private = NULL; 1459 ret = 0; 1460 out: 1461 RSA_free(private); 1462 BN_free(f4); 1463 return ret; 1464 } 1465 1466 static int 1467 dsa_generate_private_key(u_int bits, DSA **dsap) 1468 { 1469 DSA *private; 1470 int ret = SSH_ERR_INTERNAL_ERROR; 1471 1472 if (dsap == NULL) 1473 return SSH_ERR_INVALID_ARGUMENT; 1474 if (bits != 1024) 1475 return SSH_ERR_KEY_LENGTH; 1476 if ((private = DSA_new()) == NULL) { 1477 ret = SSH_ERR_ALLOC_FAIL; 1478 goto out; 1479 } 1480 *dsap = NULL; 1481 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1482 NULL, NULL) || !DSA_generate_key(private)) { 1483 ret = SSH_ERR_LIBCRYPTO_ERROR; 1484 goto out; 1485 } 1486 *dsap = private; 1487 private = NULL; 1488 ret = 0; 1489 out: 1490 DSA_free(private); 1491 return ret; 1492 } 1493 1494 int 1495 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1496 { 1497 EC_GROUP *eg; 1498 int nids[] = { 1499 NID_X9_62_prime256v1, 1500 NID_secp384r1, 1501 NID_secp521r1, 1502 -1 1503 }; 1504 int nid; 1505 u_int i; 1506 BN_CTX *bnctx; 1507 const EC_GROUP *g = EC_KEY_get0_group(k); 1508 1509 /* 1510 * The group may be stored in a ASN.1 encoded private key in one of two 1511 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1512 * or explicit group parameters encoded into the key blob. Only the 1513 * "named group" case sets the group NID for us, but we can figure 1514 * it out for the other case by comparing against all the groups that 1515 * are supported. 1516 */ 1517 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1518 return nid; 1519 if ((bnctx = BN_CTX_new()) == NULL) 1520 return -1; 1521 for (i = 0; nids[i] != -1; i++) { 1522 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1523 BN_CTX_free(bnctx); 1524 return -1; 1525 } 1526 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1527 break; 1528 EC_GROUP_free(eg); 1529 } 1530 BN_CTX_free(bnctx); 1531 if (nids[i] != -1) { 1532 /* Use the group with the NID attached */ 1533 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1534 if (EC_KEY_set_group(k, eg) != 1) { 1535 EC_GROUP_free(eg); 1536 return -1; 1537 } 1538 } 1539 return nids[i]; 1540 } 1541 1542 static int 1543 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1544 { 1545 EC_KEY *private; 1546 int ret = SSH_ERR_INTERNAL_ERROR; 1547 1548 if (nid == NULL || ecdsap == NULL) 1549 return SSH_ERR_INVALID_ARGUMENT; 1550 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1551 return SSH_ERR_KEY_LENGTH; 1552 *ecdsap = NULL; 1553 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1554 ret = SSH_ERR_ALLOC_FAIL; 1555 goto out; 1556 } 1557 if (EC_KEY_generate_key(private) != 1) { 1558 ret = SSH_ERR_LIBCRYPTO_ERROR; 1559 goto out; 1560 } 1561 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1562 *ecdsap = private; 1563 private = NULL; 1564 ret = 0; 1565 out: 1566 EC_KEY_free(private); 1567 return ret; 1568 } 1569 #endif /* WITH_OPENSSL */ 1570 1571 int 1572 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1573 { 1574 struct sshkey *k; 1575 int ret = SSH_ERR_INTERNAL_ERROR; 1576 1577 if (keyp == NULL) 1578 return SSH_ERR_INVALID_ARGUMENT; 1579 *keyp = NULL; 1580 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1581 return SSH_ERR_ALLOC_FAIL; 1582 switch (type) { 1583 case KEY_ED25519: 1584 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1585 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1586 ret = SSH_ERR_ALLOC_FAIL; 1587 break; 1588 } 1589 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1590 ret = 0; 1591 break; 1592 #ifdef WITH_XMSS 1593 case KEY_XMSS: 1594 ret = sshkey_xmss_generate_private_key(k, bits); 1595 break; 1596 #endif /* WITH_XMSS */ 1597 #ifdef WITH_OPENSSL 1598 case KEY_DSA: 1599 ret = dsa_generate_private_key(bits, &k->dsa); 1600 break; 1601 case KEY_ECDSA: 1602 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1603 &k->ecdsa); 1604 break; 1605 case KEY_RSA: 1606 ret = rsa_generate_private_key(bits, &k->rsa); 1607 break; 1608 #endif /* WITH_OPENSSL */ 1609 default: 1610 ret = SSH_ERR_INVALID_ARGUMENT; 1611 } 1612 if (ret == 0) { 1613 k->type = type; 1614 *keyp = k; 1615 } else 1616 sshkey_free(k); 1617 return ret; 1618 } 1619 1620 int 1621 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1622 { 1623 u_int i; 1624 const struct sshkey_cert *from; 1625 struct sshkey_cert *to; 1626 int r = SSH_ERR_INTERNAL_ERROR; 1627 1628 if (to_key == NULL || (from = from_key->cert) == NULL) 1629 return SSH_ERR_INVALID_ARGUMENT; 1630 1631 if ((to = cert_new()) == NULL) 1632 return SSH_ERR_ALLOC_FAIL; 1633 1634 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1635 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1636 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1637 goto out; 1638 1639 to->serial = from->serial; 1640 to->type = from->type; 1641 if (from->key_id == NULL) 1642 to->key_id = NULL; 1643 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1644 r = SSH_ERR_ALLOC_FAIL; 1645 goto out; 1646 } 1647 to->valid_after = from->valid_after; 1648 to->valid_before = from->valid_before; 1649 if (from->signature_key == NULL) 1650 to->signature_key = NULL; 1651 else if ((r = sshkey_from_private(from->signature_key, 1652 &to->signature_key)) != 0) 1653 goto out; 1654 if (from->signature_type != NULL && 1655 (to->signature_type = strdup(from->signature_type)) == NULL) { 1656 r = SSH_ERR_ALLOC_FAIL; 1657 goto out; 1658 } 1659 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1660 r = SSH_ERR_INVALID_ARGUMENT; 1661 goto out; 1662 } 1663 if (from->nprincipals > 0) { 1664 if ((to->principals = calloc(from->nprincipals, 1665 sizeof(*to->principals))) == NULL) { 1666 r = SSH_ERR_ALLOC_FAIL; 1667 goto out; 1668 } 1669 for (i = 0; i < from->nprincipals; i++) { 1670 to->principals[i] = strdup(from->principals[i]); 1671 if (to->principals[i] == NULL) { 1672 to->nprincipals = i; 1673 r = SSH_ERR_ALLOC_FAIL; 1674 goto out; 1675 } 1676 } 1677 } 1678 to->nprincipals = from->nprincipals; 1679 1680 /* success */ 1681 cert_free(to_key->cert); 1682 to_key->cert = to; 1683 to = NULL; 1684 r = 0; 1685 out: 1686 cert_free(to); 1687 return r; 1688 } 1689 1690 int 1691 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1692 { 1693 struct sshkey *n = NULL; 1694 int r = SSH_ERR_INTERNAL_ERROR; 1695 #ifdef WITH_OPENSSL 1696 const BIGNUM *rsa_n, *rsa_e; 1697 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL; 1698 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 1699 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL; 1700 BIGNUM *dsa_pub_key_dup = NULL; 1701 #endif /* WITH_OPENSSL */ 1702 1703 *pkp = NULL; 1704 switch (k->type) { 1705 #ifdef WITH_OPENSSL 1706 case KEY_DSA: 1707 case KEY_DSA_CERT: 1708 if ((n = sshkey_new(k->type)) == NULL) { 1709 r = SSH_ERR_ALLOC_FAIL; 1710 goto out; 1711 } 1712 1713 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 1714 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 1715 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL || 1716 (dsa_q_dup = BN_dup(dsa_q)) == NULL || 1717 (dsa_g_dup = BN_dup(dsa_g)) == NULL || 1718 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) { 1719 r = SSH_ERR_ALLOC_FAIL; 1720 goto out; 1721 } 1722 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { 1723 r = SSH_ERR_LIBCRYPTO_ERROR; 1724 goto out; 1725 } 1726 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */ 1727 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) { 1728 r = SSH_ERR_LIBCRYPTO_ERROR; 1729 goto out; 1730 } 1731 dsa_pub_key_dup = NULL; /* transferred */ 1732 1733 break; 1734 case KEY_ECDSA: 1735 case KEY_ECDSA_CERT: 1736 if ((n = sshkey_new(k->type)) == NULL) { 1737 r = SSH_ERR_ALLOC_FAIL; 1738 goto out; 1739 } 1740 n->ecdsa_nid = k->ecdsa_nid; 1741 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1742 if (n->ecdsa == NULL) { 1743 r = SSH_ERR_ALLOC_FAIL; 1744 goto out; 1745 } 1746 if (EC_KEY_set_public_key(n->ecdsa, 1747 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1748 r = SSH_ERR_LIBCRYPTO_ERROR; 1749 goto out; 1750 } 1751 break; 1752 case KEY_RSA: 1753 case KEY_RSA_CERT: 1754 if ((n = sshkey_new(k->type)) == NULL) { 1755 r = SSH_ERR_ALLOC_FAIL; 1756 goto out; 1757 } 1758 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 1759 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL || 1760 (rsa_e_dup = BN_dup(rsa_e)) == NULL) { 1761 r = SSH_ERR_ALLOC_FAIL; 1762 goto out; 1763 } 1764 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) { 1765 r = SSH_ERR_LIBCRYPTO_ERROR; 1766 goto out; 1767 } 1768 rsa_n_dup = rsa_e_dup = NULL; /* transferred */ 1769 break; 1770 #endif /* WITH_OPENSSL */ 1771 case KEY_ED25519: 1772 case KEY_ED25519_CERT: 1773 if ((n = sshkey_new(k->type)) == NULL) { 1774 r = SSH_ERR_ALLOC_FAIL; 1775 goto out; 1776 } 1777 if (k->ed25519_pk != NULL) { 1778 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1779 r = SSH_ERR_ALLOC_FAIL; 1780 goto out; 1781 } 1782 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1783 } 1784 break; 1785 #ifdef WITH_XMSS 1786 case KEY_XMSS: 1787 case KEY_XMSS_CERT: 1788 if ((n = sshkey_new(k->type)) == NULL) { 1789 r = SSH_ERR_ALLOC_FAIL; 1790 goto out; 1791 } 1792 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) 1793 goto out; 1794 if (k->xmss_pk != NULL) { 1795 size_t pklen = sshkey_xmss_pklen(k); 1796 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { 1797 r = SSH_ERR_INTERNAL_ERROR; 1798 goto out; 1799 } 1800 if ((n->xmss_pk = malloc(pklen)) == NULL) { 1801 r = SSH_ERR_ALLOC_FAIL; 1802 goto out; 1803 } 1804 memcpy(n->xmss_pk, k->xmss_pk, pklen); 1805 } 1806 break; 1807 #endif /* WITH_XMSS */ 1808 default: 1809 r = SSH_ERR_KEY_TYPE_UNKNOWN; 1810 goto out; 1811 } 1812 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1813 goto out; 1814 /* success */ 1815 *pkp = n; 1816 n = NULL; 1817 r = 0; 1818 out: 1819 sshkey_free(n); 1820 BN_clear_free(rsa_n_dup); 1821 BN_clear_free(rsa_e_dup); 1822 BN_clear_free(dsa_p_dup); 1823 BN_clear_free(dsa_q_dup); 1824 BN_clear_free(dsa_g_dup); 1825 BN_clear_free(dsa_pub_key_dup); 1826 1827 return r; 1828 } 1829 1830 static int 1831 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1832 { 1833 struct sshbuf *principals = NULL, *crit = NULL; 1834 struct sshbuf *exts = NULL, *ca = NULL; 1835 u_char *sig = NULL; 1836 size_t signed_len = 0, slen = 0, kidlen = 0; 1837 int ret = SSH_ERR_INTERNAL_ERROR; 1838 1839 /* Copy the entire key blob for verification and later serialisation */ 1840 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1841 return ret; 1842 1843 /* Parse body of certificate up to signature */ 1844 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1845 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1846 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1847 (ret = sshbuf_froms(b, &principals)) != 0 || 1848 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1849 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1850 (ret = sshbuf_froms(b, &crit)) != 0 || 1851 (ret = sshbuf_froms(b, &exts)) != 0 || 1852 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1853 (ret = sshbuf_froms(b, &ca)) != 0) { 1854 /* XXX debug print error for ret */ 1855 ret = SSH_ERR_INVALID_FORMAT; 1856 goto out; 1857 } 1858 1859 /* Signature is left in the buffer so we can calculate this length */ 1860 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1861 1862 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1863 ret = SSH_ERR_INVALID_FORMAT; 1864 goto out; 1865 } 1866 1867 if (key->cert->type != SSH2_CERT_TYPE_USER && 1868 key->cert->type != SSH2_CERT_TYPE_HOST) { 1869 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1870 goto out; 1871 } 1872 1873 /* Parse principals section */ 1874 while (sshbuf_len(principals) > 0) { 1875 char *principal = NULL; 1876 char **oprincipals = NULL; 1877 1878 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1879 ret = SSH_ERR_INVALID_FORMAT; 1880 goto out; 1881 } 1882 if ((ret = sshbuf_get_cstring(principals, &principal, 1883 NULL)) != 0) { 1884 ret = SSH_ERR_INVALID_FORMAT; 1885 goto out; 1886 } 1887 oprincipals = key->cert->principals; 1888 key->cert->principals = recallocarray(key->cert->principals, 1889 key->cert->nprincipals, key->cert->nprincipals + 1, 1890 sizeof(*key->cert->principals)); 1891 if (key->cert->principals == NULL) { 1892 free(principal); 1893 key->cert->principals = oprincipals; 1894 ret = SSH_ERR_ALLOC_FAIL; 1895 goto out; 1896 } 1897 key->cert->principals[key->cert->nprincipals++] = principal; 1898 } 1899 1900 /* 1901 * Stash a copies of the critical options and extensions sections 1902 * for later use. 1903 */ 1904 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1905 (exts != NULL && 1906 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1907 goto out; 1908 1909 /* 1910 * Validate critical options and extensions sections format. 1911 */ 1912 while (sshbuf_len(crit) != 0) { 1913 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1914 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1915 sshbuf_reset(key->cert->critical); 1916 ret = SSH_ERR_INVALID_FORMAT; 1917 goto out; 1918 } 1919 } 1920 while (exts != NULL && sshbuf_len(exts) != 0) { 1921 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1922 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1923 sshbuf_reset(key->cert->extensions); 1924 ret = SSH_ERR_INVALID_FORMAT; 1925 goto out; 1926 } 1927 } 1928 1929 /* Parse CA key and check signature */ 1930 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1931 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1932 goto out; 1933 } 1934 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1935 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1936 goto out; 1937 } 1938 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1939 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0) 1940 goto out; 1941 if ((ret = get_sigtype(sig, slen, &key->cert->signature_type)) != 0) 1942 goto out; 1943 1944 /* Success */ 1945 ret = 0; 1946 out: 1947 sshbuf_free(ca); 1948 sshbuf_free(crit); 1949 sshbuf_free(exts); 1950 sshbuf_free(principals); 1951 free(sig); 1952 return ret; 1953 } 1954 1955 static int 1956 check_rsa_length(const RSA *rsa) 1957 { 1958 const BIGNUM *rsa_n; 1959 1960 RSA_get0_key(rsa, &rsa_n, NULL, NULL); 1961 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 1962 return SSH_ERR_KEY_LENGTH; 1963 return 0; 1964 } 1965 1966 static int 1967 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1968 int allow_cert) 1969 { 1970 int type, ret = SSH_ERR_INTERNAL_ERROR; 1971 char *ktype = NULL, *curve = NULL, *xmss_name = NULL; 1972 struct sshkey *key = NULL; 1973 size_t len; 1974 u_char *pk = NULL; 1975 struct sshbuf *copy; 1976 #ifdef WITH_OPENSSL 1977 EC_POINT *q = NULL; 1978 BIGNUM *rsa_n = NULL, *rsa_e = NULL; 1979 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL; 1980 #endif /* WITH_OPENSSL */ 1981 1982 #ifdef DEBUG_PK /* XXX */ 1983 sshbuf_dump(b, stderr); 1984 #endif 1985 if (keyp != NULL) 1986 *keyp = NULL; 1987 if ((copy = sshbuf_fromb(b)) == NULL) { 1988 ret = SSH_ERR_ALLOC_FAIL; 1989 goto out; 1990 } 1991 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1992 ret = SSH_ERR_INVALID_FORMAT; 1993 goto out; 1994 } 1995 1996 type = sshkey_type_from_name(ktype); 1997 if (!allow_cert && sshkey_type_is_cert(type)) { 1998 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1999 goto out; 2000 } 2001 switch (type) { 2002 #ifdef WITH_OPENSSL 2003 case KEY_RSA_CERT: 2004 /* Skip nonce */ 2005 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2006 ret = SSH_ERR_INVALID_FORMAT; 2007 goto out; 2008 } 2009 /* FALLTHROUGH */ 2010 case KEY_RSA: 2011 if ((key = sshkey_new(type)) == NULL) { 2012 ret = SSH_ERR_ALLOC_FAIL; 2013 goto out; 2014 } 2015 if (sshbuf_get_bignum2(b, &rsa_e) != 0 || 2016 sshbuf_get_bignum2(b, &rsa_n) != 0) { 2017 ret = SSH_ERR_INVALID_FORMAT; 2018 goto out; 2019 } 2020 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) { 2021 ret = SSH_ERR_LIBCRYPTO_ERROR; 2022 goto out; 2023 } 2024 rsa_n = rsa_e = NULL; /* transferred */ 2025 if ((ret = check_rsa_length(key->rsa)) != 0) 2026 goto out; 2027 #ifdef DEBUG_PK 2028 RSA_print_fp(stderr, key->rsa, 8); 2029 #endif 2030 break; 2031 case KEY_DSA_CERT: 2032 /* Skip nonce */ 2033 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2034 ret = SSH_ERR_INVALID_FORMAT; 2035 goto out; 2036 } 2037 /* FALLTHROUGH */ 2038 case KEY_DSA: 2039 if ((key = sshkey_new(type)) == NULL) { 2040 ret = SSH_ERR_ALLOC_FAIL; 2041 goto out; 2042 } 2043 if (sshbuf_get_bignum2(b, &dsa_p) != 0 || 2044 sshbuf_get_bignum2(b, &dsa_q) != 0 || 2045 sshbuf_get_bignum2(b, &dsa_g) != 0 || 2046 sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { 2047 ret = SSH_ERR_INVALID_FORMAT; 2048 goto out; 2049 } 2050 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { 2051 ret = SSH_ERR_LIBCRYPTO_ERROR; 2052 goto out; 2053 } 2054 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2055 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) { 2056 ret = SSH_ERR_LIBCRYPTO_ERROR; 2057 goto out; 2058 } 2059 dsa_pub_key = NULL; /* transferred */ 2060 #ifdef DEBUG_PK 2061 DSA_print_fp(stderr, key->dsa, 8); 2062 #endif 2063 break; 2064 case KEY_ECDSA_CERT: 2065 /* Skip nonce */ 2066 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2067 ret = SSH_ERR_INVALID_FORMAT; 2068 goto out; 2069 } 2070 /* FALLTHROUGH */ 2071 case KEY_ECDSA: 2072 if ((key = sshkey_new(type)) == NULL) { 2073 ret = SSH_ERR_ALLOC_FAIL; 2074 goto out; 2075 } 2076 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2077 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2078 ret = SSH_ERR_INVALID_FORMAT; 2079 goto out; 2080 } 2081 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2082 ret = SSH_ERR_EC_CURVE_MISMATCH; 2083 goto out; 2084 } 2085 EC_KEY_free(key->ecdsa); 2086 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2087 == NULL) { 2088 ret = SSH_ERR_EC_CURVE_INVALID; 2089 goto out; 2090 } 2091 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2092 ret = SSH_ERR_ALLOC_FAIL; 2093 goto out; 2094 } 2095 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2096 ret = SSH_ERR_INVALID_FORMAT; 2097 goto out; 2098 } 2099 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2100 q) != 0) { 2101 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2102 goto out; 2103 } 2104 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2105 /* XXX assume it is a allocation error */ 2106 ret = SSH_ERR_ALLOC_FAIL; 2107 goto out; 2108 } 2109 #ifdef DEBUG_PK 2110 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2111 #endif 2112 break; 2113 #endif /* WITH_OPENSSL */ 2114 case KEY_ED25519_CERT: 2115 /* Skip nonce */ 2116 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2117 ret = SSH_ERR_INVALID_FORMAT; 2118 goto out; 2119 } 2120 /* FALLTHROUGH */ 2121 case KEY_ED25519: 2122 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2123 goto out; 2124 if (len != ED25519_PK_SZ) { 2125 ret = SSH_ERR_INVALID_FORMAT; 2126 goto out; 2127 } 2128 if ((key = sshkey_new(type)) == NULL) { 2129 ret = SSH_ERR_ALLOC_FAIL; 2130 goto out; 2131 } 2132 key->ed25519_pk = pk; 2133 pk = NULL; 2134 break; 2135 #ifdef WITH_XMSS 2136 case KEY_XMSS_CERT: 2137 /* Skip nonce */ 2138 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2139 ret = SSH_ERR_INVALID_FORMAT; 2140 goto out; 2141 } 2142 /* FALLTHROUGH */ 2143 case KEY_XMSS: 2144 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0) 2145 goto out; 2146 if ((key = sshkey_new(type)) == NULL) { 2147 ret = SSH_ERR_ALLOC_FAIL; 2148 goto out; 2149 } 2150 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) 2151 goto out; 2152 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2153 goto out; 2154 if (len == 0 || len != sshkey_xmss_pklen(key)) { 2155 ret = SSH_ERR_INVALID_FORMAT; 2156 goto out; 2157 } 2158 key->xmss_pk = pk; 2159 pk = NULL; 2160 if (type != KEY_XMSS_CERT && 2161 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) 2162 goto out; 2163 break; 2164 #endif /* WITH_XMSS */ 2165 case KEY_UNSPEC: 2166 default: 2167 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2168 goto out; 2169 } 2170 2171 /* Parse certificate potion */ 2172 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2173 goto out; 2174 2175 if (key != NULL && sshbuf_len(b) != 0) { 2176 ret = SSH_ERR_INVALID_FORMAT; 2177 goto out; 2178 } 2179 ret = 0; 2180 if (keyp != NULL) { 2181 *keyp = key; 2182 key = NULL; 2183 } 2184 out: 2185 sshbuf_free(copy); 2186 sshkey_free(key); 2187 free(xmss_name); 2188 free(ktype); 2189 free(curve); 2190 free(pk); 2191 #ifdef WITH_OPENSSL 2192 EC_POINT_free(q); 2193 BN_clear_free(rsa_n); 2194 BN_clear_free(rsa_e); 2195 BN_clear_free(dsa_p); 2196 BN_clear_free(dsa_q); 2197 BN_clear_free(dsa_g); 2198 BN_clear_free(dsa_pub_key); 2199 #endif /* WITH_OPENSSL */ 2200 return ret; 2201 } 2202 2203 int 2204 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2205 { 2206 struct sshbuf *b; 2207 int r; 2208 2209 if ((b = sshbuf_from(blob, blen)) == NULL) 2210 return SSH_ERR_ALLOC_FAIL; 2211 r = sshkey_from_blob_internal(b, keyp, 1); 2212 sshbuf_free(b); 2213 return r; 2214 } 2215 2216 int 2217 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2218 { 2219 return sshkey_from_blob_internal(b, keyp, 1); 2220 } 2221 2222 int 2223 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2224 { 2225 struct sshbuf *b; 2226 int r; 2227 2228 if ((r = sshbuf_froms(buf, &b)) != 0) 2229 return r; 2230 r = sshkey_from_blob_internal(b, keyp, 1); 2231 sshbuf_free(b); 2232 return r; 2233 } 2234 2235 static int 2236 get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2237 { 2238 int r; 2239 struct sshbuf *b = NULL; 2240 char *sigtype = NULL; 2241 2242 if (sigtypep != NULL) 2243 *sigtypep = NULL; 2244 if ((b = sshbuf_from(sig, siglen)) == NULL) 2245 return SSH_ERR_ALLOC_FAIL; 2246 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2247 goto out; 2248 /* success */ 2249 if (sigtypep != NULL) { 2250 *sigtypep = sigtype; 2251 sigtype = NULL; 2252 } 2253 r = 0; 2254 out: 2255 free(sigtype); 2256 sshbuf_free(b); 2257 return r; 2258 } 2259 2260 /* 2261 * 2262 * Checks whether a certificate's signature type is allowed. 2263 * Returns 0 (success) if the certificate signature type appears in the 2264 * "allowed" pattern-list, or the key is not a certificate to begin with. 2265 * Otherwise returns a ssherr.h code. 2266 */ 2267 int 2268 sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2269 { 2270 if (key == NULL || allowed == NULL) 2271 return SSH_ERR_INVALID_ARGUMENT; 2272 if (!sshkey_type_is_cert(key->type)) 2273 return 0; 2274 if (key->cert == NULL || key->cert->signature_type == NULL) 2275 return SSH_ERR_INVALID_ARGUMENT; 2276 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2277 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2278 return 0; 2279 } 2280 2281 /* 2282 * Returns the expected signature algorithm for a given public key algorithm. 2283 */ 2284 const char * 2285 sshkey_sigalg_by_name(const char *name) 2286 { 2287 const struct keytype *kt; 2288 2289 for (kt = keytypes; kt->type != -1; kt++) { 2290 if (strcmp(kt->name, name) != 0) 2291 continue; 2292 if (kt->sigalg != NULL) 2293 return kt->sigalg; 2294 if (!kt->cert) 2295 return kt->name; 2296 return sshkey_ssh_name_from_type_nid( 2297 sshkey_type_plain(kt->type), kt->nid); 2298 } 2299 return NULL; 2300 } 2301 2302 /* 2303 * Verifies that the signature algorithm appearing inside the signature blob 2304 * matches that which was requested. 2305 */ 2306 int 2307 sshkey_check_sigtype(const u_char *sig, size_t siglen, 2308 const char *requested_alg) 2309 { 2310 const char *expected_alg; 2311 char *sigtype = NULL; 2312 int r; 2313 2314 if (requested_alg == NULL) 2315 return 0; 2316 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2317 return SSH_ERR_INVALID_ARGUMENT; 2318 if ((r = get_sigtype(sig, siglen, &sigtype)) != 0) 2319 return r; 2320 r = strcmp(expected_alg, sigtype) == 0; 2321 free(sigtype); 2322 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2323 } 2324 2325 int 2326 sshkey_sign(const struct sshkey *key, 2327 u_char **sigp, size_t *lenp, 2328 const u_char *data, size_t datalen, const char *alg, u_int compat) 2329 { 2330 if (sigp != NULL) 2331 *sigp = NULL; 2332 if (lenp != NULL) 2333 *lenp = 0; 2334 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2335 return SSH_ERR_INVALID_ARGUMENT; 2336 switch (key->type) { 2337 #ifdef WITH_OPENSSL 2338 case KEY_DSA_CERT: 2339 case KEY_DSA: 2340 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2341 case KEY_ECDSA_CERT: 2342 case KEY_ECDSA: 2343 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2344 case KEY_RSA_CERT: 2345 case KEY_RSA: 2346 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2347 #endif /* WITH_OPENSSL */ 2348 case KEY_ED25519: 2349 case KEY_ED25519_CERT: 2350 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2351 #ifdef WITH_XMSS 2352 case KEY_XMSS: 2353 case KEY_XMSS_CERT: 2354 return ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); 2355 #endif /* WITH_XMSS */ 2356 default: 2357 return SSH_ERR_KEY_TYPE_UNKNOWN; 2358 } 2359 } 2360 2361 /* 2362 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2363 * If "alg" specified, then the signature must use that algorithm. 2364 */ 2365 int 2366 sshkey_verify(const struct sshkey *key, 2367 const u_char *sig, size_t siglen, 2368 const u_char *data, size_t dlen, const char *alg, u_int compat) 2369 { 2370 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2371 return SSH_ERR_INVALID_ARGUMENT; 2372 switch (key->type) { 2373 #ifdef WITH_OPENSSL 2374 case KEY_DSA_CERT: 2375 case KEY_DSA: 2376 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2377 case KEY_ECDSA_CERT: 2378 case KEY_ECDSA: 2379 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2380 case KEY_RSA_CERT: 2381 case KEY_RSA: 2382 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); 2383 #endif /* WITH_OPENSSL */ 2384 case KEY_ED25519: 2385 case KEY_ED25519_CERT: 2386 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2387 #ifdef WITH_XMSS 2388 case KEY_XMSS: 2389 case KEY_XMSS_CERT: 2390 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); 2391 #endif /* WITH_XMSS */ 2392 default: 2393 return SSH_ERR_KEY_TYPE_UNKNOWN; 2394 } 2395 } 2396 2397 /* Convert a plain key to their _CERT equivalent */ 2398 int 2399 sshkey_to_certified(struct sshkey *k) 2400 { 2401 int newtype; 2402 2403 switch (k->type) { 2404 #ifdef WITH_OPENSSL 2405 case KEY_RSA: 2406 newtype = KEY_RSA_CERT; 2407 break; 2408 case KEY_DSA: 2409 newtype = KEY_DSA_CERT; 2410 break; 2411 case KEY_ECDSA: 2412 newtype = KEY_ECDSA_CERT; 2413 break; 2414 #endif /* WITH_OPENSSL */ 2415 case KEY_ED25519: 2416 newtype = KEY_ED25519_CERT; 2417 break; 2418 #ifdef WITH_XMSS 2419 case KEY_XMSS: 2420 newtype = KEY_XMSS_CERT; 2421 break; 2422 #endif /* WITH_XMSS */ 2423 default: 2424 return SSH_ERR_INVALID_ARGUMENT; 2425 } 2426 if ((k->cert = cert_new()) == NULL) 2427 return SSH_ERR_ALLOC_FAIL; 2428 k->type = newtype; 2429 return 0; 2430 } 2431 2432 /* Convert a certificate to its raw key equivalent */ 2433 int 2434 sshkey_drop_cert(struct sshkey *k) 2435 { 2436 if (!sshkey_type_is_cert(k->type)) 2437 return SSH_ERR_KEY_TYPE_UNKNOWN; 2438 cert_free(k->cert); 2439 k->cert = NULL; 2440 k->type = sshkey_type_plain(k->type); 2441 return 0; 2442 } 2443 2444 /* Sign a certified key, (re-)generating the signed certblob. */ 2445 int 2446 sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2447 sshkey_certify_signer *signer, void *signer_ctx) 2448 { 2449 struct sshbuf *principals = NULL; 2450 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2451 size_t i, ca_len, sig_len; 2452 int ret = SSH_ERR_INTERNAL_ERROR; 2453 struct sshbuf *cert = NULL; 2454 char *sigtype = NULL; 2455 #ifdef WITH_OPENSSL 2456 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; 2457 #endif /* WITH_OPENSSL */ 2458 2459 if (k == NULL || k->cert == NULL || 2460 k->cert->certblob == NULL || ca == NULL) 2461 return SSH_ERR_INVALID_ARGUMENT; 2462 if (!sshkey_is_cert(k)) 2463 return SSH_ERR_KEY_TYPE_UNKNOWN; 2464 if (!sshkey_type_is_valid_ca(ca->type)) 2465 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2466 2467 /* 2468 * If no alg specified as argument but a signature_type was set, 2469 * then prefer that. If both were specified, then they must match. 2470 */ 2471 if (alg == NULL) 2472 alg = k->cert->signature_type; 2473 else if (k->cert->signature_type != NULL && 2474 strcmp(alg, k->cert->signature_type) != 0) 2475 return SSH_ERR_INVALID_ARGUMENT; 2476 2477 /* 2478 * If no signing algorithm or signature_type was specified and we're 2479 * using a RSA key, then default to a good signature algorithm. 2480 */ 2481 if (alg == NULL && ca->type == KEY_RSA) 2482 alg = "rsa-sha2-512"; 2483 2484 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2485 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2486 2487 cert = k->cert->certblob; /* for readability */ 2488 sshbuf_reset(cert); 2489 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2490 goto out; 2491 2492 /* -v01 certs put nonce first */ 2493 arc4random_buf(&nonce, sizeof(nonce)); 2494 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2495 goto out; 2496 2497 /* XXX this substantially duplicates to_blob(); refactor */ 2498 switch (k->type) { 2499 #ifdef WITH_OPENSSL 2500 case KEY_DSA_CERT: 2501 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); 2502 DSA_get0_key(k->dsa, &dsa_pub_key, NULL); 2503 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || 2504 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || 2505 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || 2506 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) 2507 goto out; 2508 break; 2509 case KEY_ECDSA_CERT: 2510 if ((ret = sshbuf_put_cstring(cert, 2511 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2512 (ret = sshbuf_put_ec(cert, 2513 EC_KEY_get0_public_key(k->ecdsa), 2514 EC_KEY_get0_group(k->ecdsa))) != 0) 2515 goto out; 2516 break; 2517 case KEY_RSA_CERT: 2518 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL); 2519 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || 2520 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) 2521 goto out; 2522 break; 2523 #endif /* WITH_OPENSSL */ 2524 case KEY_ED25519_CERT: 2525 if ((ret = sshbuf_put_string(cert, 2526 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2527 goto out; 2528 break; 2529 #ifdef WITH_XMSS 2530 case KEY_XMSS_CERT: 2531 if (k->xmss_name == NULL) { 2532 ret = SSH_ERR_INVALID_ARGUMENT; 2533 goto out; 2534 } 2535 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || 2536 (ret = sshbuf_put_string(cert, 2537 k->xmss_pk, sshkey_xmss_pklen(k))) != 0) 2538 goto out; 2539 break; 2540 #endif /* WITH_XMSS */ 2541 default: 2542 ret = SSH_ERR_INVALID_ARGUMENT; 2543 goto out; 2544 } 2545 2546 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2547 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2548 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2549 goto out; 2550 2551 if ((principals = sshbuf_new()) == NULL) { 2552 ret = SSH_ERR_ALLOC_FAIL; 2553 goto out; 2554 } 2555 for (i = 0; i < k->cert->nprincipals; i++) { 2556 if ((ret = sshbuf_put_cstring(principals, 2557 k->cert->principals[i])) != 0) 2558 goto out; 2559 } 2560 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2561 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2562 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2563 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2564 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2565 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2566 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2567 goto out; 2568 2569 /* Sign the whole mess */ 2570 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2571 sshbuf_len(cert), alg, 0, signer_ctx)) != 0) 2572 goto out; 2573 /* Check and update signature_type against what was actually used */ 2574 if ((ret = get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2575 goto out; 2576 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2577 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2578 goto out; 2579 } 2580 if (k->cert->signature_type == NULL) { 2581 k->cert->signature_type = sigtype; 2582 sigtype = NULL; 2583 } 2584 /* Append signature and we are done */ 2585 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2586 goto out; 2587 ret = 0; 2588 out: 2589 if (ret != 0) 2590 sshbuf_reset(cert); 2591 free(sig_blob); 2592 free(ca_blob); 2593 free(sigtype); 2594 sshbuf_free(principals); 2595 return ret; 2596 } 2597 2598 static int 2599 default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 2600 const u_char *data, size_t datalen, 2601 const char *alg, u_int compat, void *ctx) 2602 { 2603 if (ctx != NULL) 2604 return SSH_ERR_INVALID_ARGUMENT; 2605 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat); 2606 } 2607 2608 int 2609 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2610 { 2611 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL); 2612 } 2613 2614 int 2615 sshkey_cert_check_authority(const struct sshkey *k, 2616 int want_host, int require_principal, 2617 const char *name, const char **reason) 2618 { 2619 u_int i, principal_matches; 2620 time_t now = time(NULL); 2621 2622 if (reason != NULL) 2623 *reason = NULL; 2624 2625 if (want_host) { 2626 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2627 *reason = "Certificate invalid: not a host certificate"; 2628 return SSH_ERR_KEY_CERT_INVALID; 2629 } 2630 } else { 2631 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2632 *reason = "Certificate invalid: not a user certificate"; 2633 return SSH_ERR_KEY_CERT_INVALID; 2634 } 2635 } 2636 if (now < 0) { 2637 /* yikes - system clock before epoch! */ 2638 *reason = "Certificate invalid: not yet valid"; 2639 return SSH_ERR_KEY_CERT_INVALID; 2640 } 2641 if ((u_int64_t)now < k->cert->valid_after) { 2642 *reason = "Certificate invalid: not yet valid"; 2643 return SSH_ERR_KEY_CERT_INVALID; 2644 } 2645 if ((u_int64_t)now >= k->cert->valid_before) { 2646 *reason = "Certificate invalid: expired"; 2647 return SSH_ERR_KEY_CERT_INVALID; 2648 } 2649 if (k->cert->nprincipals == 0) { 2650 if (require_principal) { 2651 *reason = "Certificate lacks principal list"; 2652 return SSH_ERR_KEY_CERT_INVALID; 2653 } 2654 } else if (name != NULL) { 2655 principal_matches = 0; 2656 for (i = 0; i < k->cert->nprincipals; i++) { 2657 if (strcmp(name, k->cert->principals[i]) == 0) { 2658 principal_matches = 1; 2659 break; 2660 } 2661 } 2662 if (!principal_matches) { 2663 *reason = "Certificate invalid: name is not a listed " 2664 "principal"; 2665 return SSH_ERR_KEY_CERT_INVALID; 2666 } 2667 } 2668 return 0; 2669 } 2670 2671 size_t 2672 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2673 { 2674 char from[32], to[32], ret[64]; 2675 time_t tt; 2676 struct tm *tm; 2677 2678 *from = *to = '\0'; 2679 if (cert->valid_after == 0 && 2680 cert->valid_before == 0xffffffffffffffffULL) 2681 return strlcpy(s, "forever", l); 2682 2683 if (cert->valid_after != 0) { 2684 /* XXX revisit INT_MAX in 2038 :) */ 2685 tt = cert->valid_after > INT_MAX ? 2686 INT_MAX : cert->valid_after; 2687 tm = localtime(&tt); 2688 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2689 } 2690 if (cert->valid_before != 0xffffffffffffffffULL) { 2691 /* XXX revisit INT_MAX in 2038 :) */ 2692 tt = cert->valid_before > INT_MAX ? 2693 INT_MAX : cert->valid_before; 2694 tm = localtime(&tt); 2695 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2696 } 2697 2698 if (cert->valid_after == 0) 2699 snprintf(ret, sizeof(ret), "before %s", to); 2700 else if (cert->valid_before == 0xffffffffffffffffULL) 2701 snprintf(ret, sizeof(ret), "after %s", from); 2702 else 2703 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2704 2705 return strlcpy(s, ret, l); 2706 } 2707 2708 int 2709 sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b, 2710 enum sshkey_serialize_rep opts) 2711 { 2712 int r = SSH_ERR_INTERNAL_ERROR; 2713 #ifdef WITH_OPENSSL 2714 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; 2715 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; 2716 #endif /* WITH_OPENSSL */ 2717 2718 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2719 goto out; 2720 switch (key->type) { 2721 #ifdef WITH_OPENSSL 2722 case KEY_RSA: 2723 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); 2724 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2725 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2726 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || 2727 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || 2728 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2729 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2730 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2731 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2732 goto out; 2733 break; 2734 case KEY_RSA_CERT: 2735 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2736 r = SSH_ERR_INVALID_ARGUMENT; 2737 goto out; 2738 } 2739 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d); 2740 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); 2741 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp); 2742 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2743 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || 2744 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || 2745 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || 2746 (r = sshbuf_put_bignum2(b, rsa_q)) != 0) 2747 goto out; 2748 break; 2749 case KEY_DSA: 2750 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); 2751 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); 2752 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || 2753 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || 2754 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || 2755 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || 2756 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2757 goto out; 2758 break; 2759 case KEY_DSA_CERT: 2760 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2761 r = SSH_ERR_INVALID_ARGUMENT; 2762 goto out; 2763 } 2764 DSA_get0_key(key->dsa, NULL, &dsa_priv_key); 2765 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2766 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) 2767 goto out; 2768 break; 2769 case KEY_ECDSA: 2770 if ((r = sshbuf_put_cstring(b, 2771 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2772 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2773 (r = sshbuf_put_bignum2(b, 2774 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2775 goto out; 2776 break; 2777 case KEY_ECDSA_CERT: 2778 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2779 r = SSH_ERR_INVALID_ARGUMENT; 2780 goto out; 2781 } 2782 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2783 (r = sshbuf_put_bignum2(b, 2784 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2785 goto out; 2786 break; 2787 #endif /* WITH_OPENSSL */ 2788 case KEY_ED25519: 2789 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2790 ED25519_PK_SZ)) != 0 || 2791 (r = sshbuf_put_string(b, key->ed25519_sk, 2792 ED25519_SK_SZ)) != 0) 2793 goto out; 2794 break; 2795 case KEY_ED25519_CERT: 2796 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2797 r = SSH_ERR_INVALID_ARGUMENT; 2798 goto out; 2799 } 2800 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2801 (r = sshbuf_put_string(b, key->ed25519_pk, 2802 ED25519_PK_SZ)) != 0 || 2803 (r = sshbuf_put_string(b, key->ed25519_sk, 2804 ED25519_SK_SZ)) != 0) 2805 goto out; 2806 break; 2807 #ifdef WITH_XMSS 2808 case KEY_XMSS: 2809 if (key->xmss_name == NULL) { 2810 r = SSH_ERR_INVALID_ARGUMENT; 2811 goto out; 2812 } 2813 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 2814 (r = sshbuf_put_string(b, key->xmss_pk, 2815 sshkey_xmss_pklen(key))) != 0 || 2816 (r = sshbuf_put_string(b, key->xmss_sk, 2817 sshkey_xmss_sklen(key))) != 0 || 2818 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 2819 goto out; 2820 break; 2821 case KEY_XMSS_CERT: 2822 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 || 2823 key->xmss_name == NULL) { 2824 r = SSH_ERR_INVALID_ARGUMENT; 2825 goto out; 2826 } 2827 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2828 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || 2829 (r = sshbuf_put_string(b, key->xmss_pk, 2830 sshkey_xmss_pklen(key))) != 0 || 2831 (r = sshbuf_put_string(b, key->xmss_sk, 2832 sshkey_xmss_sklen(key))) != 0 || 2833 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) 2834 goto out; 2835 break; 2836 #endif /* WITH_XMSS */ 2837 default: 2838 r = SSH_ERR_INVALID_ARGUMENT; 2839 goto out; 2840 } 2841 /* success */ 2842 r = 0; 2843 out: 2844 return r; 2845 } 2846 2847 int 2848 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2849 { 2850 return sshkey_private_serialize_opt(key, b, 2851 SSHKEY_SERIALIZE_DEFAULT); 2852 } 2853 2854 int 2855 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2856 { 2857 char *tname = NULL, *curve = NULL, *xmss_name = NULL; 2858 struct sshkey *k = NULL; 2859 size_t pklen = 0, sklen = 0; 2860 int type, r = SSH_ERR_INTERNAL_ERROR; 2861 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2862 u_char *xmss_pk = NULL, *xmss_sk = NULL; 2863 #ifdef WITH_OPENSSL 2864 BIGNUM *exponent = NULL; 2865 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; 2866 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL; 2867 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; 2868 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; 2869 #endif /* WITH_OPENSSL */ 2870 2871 if (kp != NULL) 2872 *kp = NULL; 2873 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2874 goto out; 2875 type = sshkey_type_from_name(tname); 2876 switch (type) { 2877 #ifdef WITH_OPENSSL 2878 case KEY_DSA: 2879 if ((k = sshkey_new(type)) == NULL) { 2880 r = SSH_ERR_ALLOC_FAIL; 2881 goto out; 2882 } 2883 if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || 2884 (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || 2885 (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || 2886 (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 || 2887 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 2888 goto out; 2889 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { 2890 r = SSH_ERR_LIBCRYPTO_ERROR; 2891 goto out; 2892 } 2893 dsa_p = dsa_q = dsa_g = NULL; /* transferred */ 2894 if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) { 2895 r = SSH_ERR_LIBCRYPTO_ERROR; 2896 goto out; 2897 } 2898 dsa_pub_key = dsa_priv_key = NULL; /* transferred */ 2899 break; 2900 case KEY_DSA_CERT: 2901 if ((r = sshkey_froms(buf, &k)) != 0 || 2902 (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) 2903 goto out; 2904 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { 2905 r = SSH_ERR_LIBCRYPTO_ERROR; 2906 goto out; 2907 } 2908 dsa_priv_key = NULL; /* transferred */ 2909 break; 2910 case KEY_ECDSA: 2911 if ((k = sshkey_new(type)) == NULL) { 2912 r = SSH_ERR_ALLOC_FAIL; 2913 goto out; 2914 } 2915 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2916 r = SSH_ERR_INVALID_ARGUMENT; 2917 goto out; 2918 } 2919 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2920 goto out; 2921 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2922 r = SSH_ERR_EC_CURVE_MISMATCH; 2923 goto out; 2924 } 2925 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2926 if (k->ecdsa == NULL) { 2927 r = SSH_ERR_LIBCRYPTO_ERROR; 2928 goto out; 2929 } 2930 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2931 (r = sshbuf_get_bignum2(buf, &exponent))) 2932 goto out; 2933 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2934 r = SSH_ERR_LIBCRYPTO_ERROR; 2935 goto out; 2936 } 2937 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2938 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2939 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2940 goto out; 2941 break; 2942 case KEY_ECDSA_CERT: 2943 if ((r = sshkey_froms(buf, &k)) != 0 || 2944 (r = sshbuf_get_bignum2(buf, &exponent)) != 0) 2945 goto out; 2946 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2947 r = SSH_ERR_LIBCRYPTO_ERROR; 2948 goto out; 2949 } 2950 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2951 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2952 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2953 goto out; 2954 break; 2955 case KEY_RSA: 2956 if ((k = sshkey_new(type)) == NULL) { 2957 r = SSH_ERR_ALLOC_FAIL; 2958 goto out; 2959 } 2960 if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || 2961 (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 || 2962 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 2963 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 2964 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 2965 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 2966 goto out; 2967 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) { 2968 r = SSH_ERR_LIBCRYPTO_ERROR; 2969 goto out; 2970 } 2971 rsa_n = rsa_e = rsa_d = NULL; /* transferred */ 2972 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 2973 r = SSH_ERR_LIBCRYPTO_ERROR; 2974 goto out; 2975 } 2976 rsa_p = rsa_q = NULL; /* transferred */ 2977 if ((r = check_rsa_length(k->rsa)) != 0) 2978 goto out; 2979 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 2980 goto out; 2981 break; 2982 case KEY_RSA_CERT: 2983 if ((r = sshkey_froms(buf, &k)) != 0 || 2984 (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || 2985 (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || 2986 (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || 2987 (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) 2988 goto out; 2989 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { 2990 r = SSH_ERR_LIBCRYPTO_ERROR; 2991 goto out; 2992 } 2993 rsa_d = NULL; /* transferred */ 2994 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { 2995 r = SSH_ERR_LIBCRYPTO_ERROR; 2996 goto out; 2997 } 2998 rsa_p = rsa_q = NULL; /* transferred */ 2999 if ((r = check_rsa_length(k->rsa)) != 0) 3000 goto out; 3001 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) 3002 goto out; 3003 break; 3004 #endif /* WITH_OPENSSL */ 3005 case KEY_ED25519: 3006 if ((k = sshkey_new(type)) == NULL) { 3007 r = SSH_ERR_ALLOC_FAIL; 3008 goto out; 3009 } 3010 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3011 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3012 goto out; 3013 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3014 r = SSH_ERR_INVALID_FORMAT; 3015 goto out; 3016 } 3017 k->ed25519_pk = ed25519_pk; 3018 k->ed25519_sk = ed25519_sk; 3019 ed25519_pk = ed25519_sk = NULL; 3020 break; 3021 case KEY_ED25519_CERT: 3022 if ((r = sshkey_froms(buf, &k)) != 0 || 3023 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 3024 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 3025 goto out; 3026 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 3027 r = SSH_ERR_INVALID_FORMAT; 3028 goto out; 3029 } 3030 k->ed25519_pk = ed25519_pk; 3031 k->ed25519_sk = ed25519_sk; 3032 ed25519_pk = ed25519_sk = NULL; 3033 break; 3034 #ifdef WITH_XMSS 3035 case KEY_XMSS: 3036 if ((k = sshkey_new(type)) == NULL) { 3037 r = SSH_ERR_ALLOC_FAIL; 3038 goto out; 3039 } 3040 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3041 (r = sshkey_xmss_init(k, xmss_name)) != 0 || 3042 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3043 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3044 goto out; 3045 if (pklen != sshkey_xmss_pklen(k) || 3046 sklen != sshkey_xmss_sklen(k)) { 3047 r = SSH_ERR_INVALID_FORMAT; 3048 goto out; 3049 } 3050 k->xmss_pk = xmss_pk; 3051 k->xmss_sk = xmss_sk; 3052 xmss_pk = xmss_sk = NULL; 3053 /* optional internal state */ 3054 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3055 goto out; 3056 break; 3057 case KEY_XMSS_CERT: 3058 if ((r = sshkey_froms(buf, &k)) != 0 || 3059 (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || 3060 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || 3061 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) 3062 goto out; 3063 if (strcmp(xmss_name, k->xmss_name)) { 3064 r = SSH_ERR_INVALID_FORMAT; 3065 goto out; 3066 } 3067 if (pklen != sshkey_xmss_pklen(k) || 3068 sklen != sshkey_xmss_sklen(k)) { 3069 r = SSH_ERR_INVALID_FORMAT; 3070 goto out; 3071 } 3072 k->xmss_pk = xmss_pk; 3073 k->xmss_sk = xmss_sk; 3074 xmss_pk = xmss_sk = NULL; 3075 /* optional internal state */ 3076 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) 3077 goto out; 3078 break; 3079 #endif /* WITH_XMSS */ 3080 default: 3081 r = SSH_ERR_KEY_TYPE_UNKNOWN; 3082 goto out; 3083 } 3084 #ifdef WITH_OPENSSL 3085 /* enable blinding */ 3086 switch (k->type) { 3087 case KEY_RSA: 3088 case KEY_RSA_CERT: 3089 if (RSA_blinding_on(k->rsa, NULL) != 1) { 3090 r = SSH_ERR_LIBCRYPTO_ERROR; 3091 goto out; 3092 } 3093 break; 3094 } 3095 #endif /* WITH_OPENSSL */ 3096 /* success */ 3097 r = 0; 3098 if (kp != NULL) { 3099 *kp = k; 3100 k = NULL; 3101 } 3102 out: 3103 free(tname); 3104 free(curve); 3105 #ifdef WITH_OPENSSL 3106 BN_clear_free(exponent); 3107 BN_clear_free(dsa_p); 3108 BN_clear_free(dsa_q); 3109 BN_clear_free(dsa_g); 3110 BN_clear_free(dsa_pub_key); 3111 BN_clear_free(dsa_priv_key); 3112 BN_clear_free(rsa_n); 3113 BN_clear_free(rsa_e); 3114 BN_clear_free(rsa_d); 3115 BN_clear_free(rsa_p); 3116 BN_clear_free(rsa_q); 3117 BN_clear_free(rsa_iqmp); 3118 #endif /* WITH_OPENSSL */ 3119 sshkey_free(k); 3120 freezero(ed25519_pk, pklen); 3121 freezero(ed25519_sk, sklen); 3122 free(xmss_name); 3123 freezero(xmss_pk, pklen); 3124 freezero(xmss_sk, sklen); 3125 return r; 3126 } 3127 3128 #ifdef WITH_OPENSSL 3129 int 3130 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 3131 { 3132 BN_CTX *bnctx; 3133 EC_POINT *nq = NULL; 3134 BIGNUM *order, *x, *y, *tmp; 3135 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3136 3137 /* 3138 * NB. This assumes OpenSSL has already verified that the public 3139 * point lies on the curve. This is done by EC_POINT_oct2point() 3140 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 3141 * reachable with public points not unmarshalled using 3142 * EC_POINT_oct2point then the caller will need to explicitly check. 3143 */ 3144 3145 if ((bnctx = BN_CTX_new()) == NULL) 3146 return SSH_ERR_ALLOC_FAIL; 3147 BN_CTX_start(bnctx); 3148 3149 /* 3150 * We shouldn't ever hit this case because bignum_get_ecpoint() 3151 * refuses to load GF2m points. 3152 */ 3153 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3154 NID_X9_62_prime_field) 3155 goto out; 3156 3157 /* Q != infinity */ 3158 if (EC_POINT_is_at_infinity(group, public)) 3159 goto out; 3160 3161 if ((x = BN_CTX_get(bnctx)) == NULL || 3162 (y = BN_CTX_get(bnctx)) == NULL || 3163 (order = BN_CTX_get(bnctx)) == NULL || 3164 (tmp = BN_CTX_get(bnctx)) == NULL) { 3165 ret = SSH_ERR_ALLOC_FAIL; 3166 goto out; 3167 } 3168 3169 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 3170 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 3171 EC_POINT_get_affine_coordinates_GFp(group, public, 3172 x, y, bnctx) != 1) { 3173 ret = SSH_ERR_LIBCRYPTO_ERROR; 3174 goto out; 3175 } 3176 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 3177 BN_num_bits(y) <= BN_num_bits(order) / 2) 3178 goto out; 3179 3180 /* nQ == infinity (n == order of subgroup) */ 3181 if ((nq = EC_POINT_new(group)) == NULL) { 3182 ret = SSH_ERR_ALLOC_FAIL; 3183 goto out; 3184 } 3185 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 3186 ret = SSH_ERR_LIBCRYPTO_ERROR; 3187 goto out; 3188 } 3189 if (EC_POINT_is_at_infinity(group, nq) != 1) 3190 goto out; 3191 3192 /* x < order - 1, y < order - 1 */ 3193 if (!BN_sub(tmp, order, BN_value_one())) { 3194 ret = SSH_ERR_LIBCRYPTO_ERROR; 3195 goto out; 3196 } 3197 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 3198 goto out; 3199 ret = 0; 3200 out: 3201 BN_CTX_free(bnctx); 3202 EC_POINT_free(nq); 3203 return ret; 3204 } 3205 3206 int 3207 sshkey_ec_validate_private(const EC_KEY *key) 3208 { 3209 BN_CTX *bnctx; 3210 BIGNUM *order, *tmp; 3211 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 3212 3213 if ((bnctx = BN_CTX_new()) == NULL) 3214 return SSH_ERR_ALLOC_FAIL; 3215 BN_CTX_start(bnctx); 3216 3217 if ((order = BN_CTX_get(bnctx)) == NULL || 3218 (tmp = BN_CTX_get(bnctx)) == NULL) { 3219 ret = SSH_ERR_ALLOC_FAIL; 3220 goto out; 3221 } 3222 3223 /* log2(private) > log2(order)/2 */ 3224 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 3225 ret = SSH_ERR_LIBCRYPTO_ERROR; 3226 goto out; 3227 } 3228 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 3229 BN_num_bits(order) / 2) 3230 goto out; 3231 3232 /* private < order - 1 */ 3233 if (!BN_sub(tmp, order, BN_value_one())) { 3234 ret = SSH_ERR_LIBCRYPTO_ERROR; 3235 goto out; 3236 } 3237 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 3238 goto out; 3239 ret = 0; 3240 out: 3241 BN_CTX_free(bnctx); 3242 return ret; 3243 } 3244 3245 void 3246 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 3247 { 3248 BIGNUM *x, *y; 3249 BN_CTX *bnctx; 3250 3251 if (point == NULL) { 3252 fputs("point=(NULL)\n", stderr); 3253 return; 3254 } 3255 if ((bnctx = BN_CTX_new()) == NULL) { 3256 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 3257 return; 3258 } 3259 BN_CTX_start(bnctx); 3260 if ((x = BN_CTX_get(bnctx)) == NULL || 3261 (y = BN_CTX_get(bnctx)) == NULL) { 3262 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 3263 return; 3264 } 3265 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3266 NID_X9_62_prime_field) { 3267 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3268 return; 3269 } 3270 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 3271 bnctx) != 1) { 3272 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3273 __func__); 3274 return; 3275 } 3276 fputs("x=", stderr); 3277 BN_print_fp(stderr, x); 3278 fputs("\ny=", stderr); 3279 BN_print_fp(stderr, y); 3280 fputs("\n", stderr); 3281 BN_CTX_free(bnctx); 3282 } 3283 3284 void 3285 sshkey_dump_ec_key(const EC_KEY *key) 3286 { 3287 const BIGNUM *exponent; 3288 3289 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3290 EC_KEY_get0_public_key(key)); 3291 fputs("exponent=", stderr); 3292 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3293 fputs("(NULL)", stderr); 3294 else 3295 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3296 fputs("\n", stderr); 3297 } 3298 #endif /* WITH_OPENSSL */ 3299 3300 static int 3301 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 3302 const char *passphrase, const char *comment, const char *ciphername, 3303 int rounds) 3304 { 3305 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3306 u_char salt[SALT_LEN]; 3307 char *b64 = NULL; 3308 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3309 u_int check; 3310 int r = SSH_ERR_INTERNAL_ERROR; 3311 struct sshcipher_ctx *ciphercontext = NULL; 3312 const struct sshcipher *cipher; 3313 const char *kdfname = KDFNAME; 3314 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3315 3316 if (rounds <= 0) 3317 rounds = DEFAULT_ROUNDS; 3318 if (passphrase == NULL || !strlen(passphrase)) { 3319 ciphername = "none"; 3320 kdfname = "none"; 3321 } else if (ciphername == NULL) 3322 ciphername = DEFAULT_CIPHERNAME; 3323 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3324 r = SSH_ERR_INVALID_ARGUMENT; 3325 goto out; 3326 } 3327 3328 if ((kdf = sshbuf_new()) == NULL || 3329 (encoded = sshbuf_new()) == NULL || 3330 (encrypted = sshbuf_new()) == NULL) { 3331 r = SSH_ERR_ALLOC_FAIL; 3332 goto out; 3333 } 3334 blocksize = cipher_blocksize(cipher); 3335 keylen = cipher_keylen(cipher); 3336 ivlen = cipher_ivlen(cipher); 3337 authlen = cipher_authlen(cipher); 3338 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3339 r = SSH_ERR_ALLOC_FAIL; 3340 goto out; 3341 } 3342 if (strcmp(kdfname, "bcrypt") == 0) { 3343 arc4random_buf(salt, SALT_LEN); 3344 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3345 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3346 r = SSH_ERR_INVALID_ARGUMENT; 3347 goto out; 3348 } 3349 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3350 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3351 goto out; 3352 } else if (strcmp(kdfname, "none") != 0) { 3353 /* Unsupported KDF type */ 3354 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3355 goto out; 3356 } 3357 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3358 key + keylen, ivlen, 1)) != 0) 3359 goto out; 3360 3361 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3362 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3363 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3364 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3365 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3366 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3367 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3368 goto out; 3369 3370 /* set up the buffer that will be encrypted */ 3371 3372 /* Random check bytes */ 3373 check = arc4random(); 3374 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3375 (r = sshbuf_put_u32(encrypted, check)) != 0) 3376 goto out; 3377 3378 /* append private key and comment*/ 3379 if ((r = sshkey_private_serialize_opt(prv, encrypted, 3380 SSHKEY_SERIALIZE_FULL)) != 0 || 3381 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3382 goto out; 3383 3384 /* padding */ 3385 i = 0; 3386 while (sshbuf_len(encrypted) % blocksize) { 3387 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3388 goto out; 3389 } 3390 3391 /* length in destination buffer */ 3392 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3393 goto out; 3394 3395 /* encrypt */ 3396 if ((r = sshbuf_reserve(encoded, 3397 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3398 goto out; 3399 if ((r = cipher_crypt(ciphercontext, 0, cp, 3400 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3401 goto out; 3402 3403 /* uuencode */ 3404 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3405 r = SSH_ERR_ALLOC_FAIL; 3406 goto out; 3407 } 3408 3409 sshbuf_reset(blob); 3410 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3411 goto out; 3412 for (i = 0; i < strlen(b64); i++) { 3413 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3414 goto out; 3415 /* insert line breaks */ 3416 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3417 goto out; 3418 } 3419 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3420 goto out; 3421 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3422 goto out; 3423 3424 /* success */ 3425 r = 0; 3426 3427 out: 3428 sshbuf_free(kdf); 3429 sshbuf_free(encoded); 3430 sshbuf_free(encrypted); 3431 cipher_free(ciphercontext); 3432 explicit_bzero(salt, sizeof(salt)); 3433 if (key != NULL) { 3434 explicit_bzero(key, keylen + ivlen); 3435 free(key); 3436 } 3437 if (pubkeyblob != NULL) { 3438 explicit_bzero(pubkeyblob, pubkeylen); 3439 free(pubkeyblob); 3440 } 3441 if (b64 != NULL) { 3442 explicit_bzero(b64, strlen(b64)); 3443 free(b64); 3444 } 3445 return r; 3446 } 3447 3448 static int 3449 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3450 struct sshkey **keyp, char **commentp) 3451 { 3452 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3453 const struct sshcipher *cipher = NULL; 3454 const u_char *cp; 3455 int r = SSH_ERR_INTERNAL_ERROR; 3456 size_t encoded_len; 3457 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3458 struct sshbuf *encoded = NULL, *decoded = NULL; 3459 struct sshbuf *kdf = NULL, *decrypted = NULL; 3460 struct sshcipher_ctx *ciphercontext = NULL; 3461 struct sshkey *k = NULL; 3462 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3463 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3464 3465 if (keyp != NULL) 3466 *keyp = NULL; 3467 if (commentp != NULL) 3468 *commentp = NULL; 3469 3470 if ((encoded = sshbuf_new()) == NULL || 3471 (decoded = sshbuf_new()) == NULL || 3472 (decrypted = sshbuf_new()) == NULL) { 3473 r = SSH_ERR_ALLOC_FAIL; 3474 goto out; 3475 } 3476 3477 /* check preamble */ 3478 cp = sshbuf_ptr(blob); 3479 encoded_len = sshbuf_len(blob); 3480 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3481 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3482 r = SSH_ERR_INVALID_FORMAT; 3483 goto out; 3484 } 3485 cp += MARK_BEGIN_LEN; 3486 encoded_len -= MARK_BEGIN_LEN; 3487 3488 /* Look for end marker, removing whitespace as we go */ 3489 while (encoded_len > 0) { 3490 if (*cp != '\n' && *cp != '\r') { 3491 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3492 goto out; 3493 } 3494 last = *cp; 3495 encoded_len--; 3496 cp++; 3497 if (last == '\n') { 3498 if (encoded_len >= MARK_END_LEN && 3499 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3500 /* \0 terminate */ 3501 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3502 goto out; 3503 break; 3504 } 3505 } 3506 } 3507 if (encoded_len == 0) { 3508 r = SSH_ERR_INVALID_FORMAT; 3509 goto out; 3510 } 3511 3512 /* decode base64 */ 3513 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3514 goto out; 3515 3516 /* check magic */ 3517 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3518 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3519 r = SSH_ERR_INVALID_FORMAT; 3520 goto out; 3521 } 3522 /* parse public portion of key */ 3523 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3524 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3525 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3526 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3527 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3528 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3529 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3530 goto out; 3531 3532 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3533 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3534 goto out; 3535 } 3536 if ((passphrase == NULL || strlen(passphrase) == 0) && 3537 strcmp(ciphername, "none") != 0) { 3538 /* passphrase required */ 3539 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3540 goto out; 3541 } 3542 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3543 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3544 goto out; 3545 } 3546 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3547 r = SSH_ERR_INVALID_FORMAT; 3548 goto out; 3549 } 3550 if (nkeys != 1) { 3551 /* XXX only one key supported */ 3552 r = SSH_ERR_INVALID_FORMAT; 3553 goto out; 3554 } 3555 3556 /* check size of encrypted key blob */ 3557 blocksize = cipher_blocksize(cipher); 3558 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3559 r = SSH_ERR_INVALID_FORMAT; 3560 goto out; 3561 } 3562 3563 /* setup key */ 3564 keylen = cipher_keylen(cipher); 3565 ivlen = cipher_ivlen(cipher); 3566 authlen = cipher_authlen(cipher); 3567 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3568 r = SSH_ERR_ALLOC_FAIL; 3569 goto out; 3570 } 3571 if (strcmp(kdfname, "bcrypt") == 0) { 3572 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3573 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3574 goto out; 3575 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3576 key, keylen + ivlen, rounds) < 0) { 3577 r = SSH_ERR_INVALID_FORMAT; 3578 goto out; 3579 } 3580 } 3581 3582 /* check that an appropriate amount of auth data is present */ 3583 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3584 r = SSH_ERR_INVALID_FORMAT; 3585 goto out; 3586 } 3587 3588 /* decrypt private portion of key */ 3589 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3590 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3591 key + keylen, ivlen, 0)) != 0) 3592 goto out; 3593 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3594 encrypted_len, 0, authlen)) != 0) { 3595 /* an integrity error here indicates an incorrect passphrase */ 3596 if (r == SSH_ERR_MAC_INVALID) 3597 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3598 goto out; 3599 } 3600 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3601 goto out; 3602 /* there should be no trailing data */ 3603 if (sshbuf_len(decoded) != 0) { 3604 r = SSH_ERR_INVALID_FORMAT; 3605 goto out; 3606 } 3607 3608 /* check check bytes */ 3609 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3610 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3611 goto out; 3612 if (check1 != check2) { 3613 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3614 goto out; 3615 } 3616 3617 /* Load the private key and comment */ 3618 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3619 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3620 goto out; 3621 3622 /* Check deterministic padding */ 3623 i = 0; 3624 while (sshbuf_len(decrypted)) { 3625 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3626 goto out; 3627 if (pad != (++i & 0xff)) { 3628 r = SSH_ERR_INVALID_FORMAT; 3629 goto out; 3630 } 3631 } 3632 3633 /* XXX decode pubkey and check against private */ 3634 3635 /* success */ 3636 r = 0; 3637 if (keyp != NULL) { 3638 *keyp = k; 3639 k = NULL; 3640 } 3641 if (commentp != NULL) { 3642 *commentp = comment; 3643 comment = NULL; 3644 } 3645 out: 3646 pad = 0; 3647 cipher_free(ciphercontext); 3648 free(ciphername); 3649 free(kdfname); 3650 free(comment); 3651 if (salt != NULL) { 3652 explicit_bzero(salt, slen); 3653 free(salt); 3654 } 3655 if (key != NULL) { 3656 explicit_bzero(key, keylen + ivlen); 3657 free(key); 3658 } 3659 sshbuf_free(encoded); 3660 sshbuf_free(decoded); 3661 sshbuf_free(kdf); 3662 sshbuf_free(decrypted); 3663 sshkey_free(k); 3664 return r; 3665 } 3666 3667 3668 #ifdef WITH_OPENSSL 3669 /* convert SSH v2 key in OpenSSL PEM format */ 3670 static int 3671 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3672 const char *_passphrase, const char *comment) 3673 { 3674 int success, r; 3675 int blen, len = strlen(_passphrase); 3676 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3677 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3678 char *bptr; 3679 BIO *bio = NULL; 3680 3681 if (len > 0 && len <= 4) 3682 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3683 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3684 return SSH_ERR_ALLOC_FAIL; 3685 3686 switch (key->type) { 3687 case KEY_DSA: 3688 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3689 cipher, passphrase, len, NULL, NULL); 3690 break; 3691 case KEY_ECDSA: 3692 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3693 cipher, passphrase, len, NULL, NULL); 3694 break; 3695 case KEY_RSA: 3696 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3697 cipher, passphrase, len, NULL, NULL); 3698 break; 3699 default: 3700 success = 0; 3701 break; 3702 } 3703 if (success == 0) { 3704 r = SSH_ERR_LIBCRYPTO_ERROR; 3705 goto out; 3706 } 3707 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3708 r = SSH_ERR_INTERNAL_ERROR; 3709 goto out; 3710 } 3711 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3712 goto out; 3713 r = 0; 3714 out: 3715 BIO_free(bio); 3716 return r; 3717 } 3718 #endif /* WITH_OPENSSL */ 3719 3720 /* Serialise "key" to buffer "blob" */ 3721 int 3722 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3723 const char *passphrase, const char *comment, 3724 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3725 { 3726 switch (key->type) { 3727 #ifdef WITH_OPENSSL 3728 case KEY_DSA: 3729 case KEY_ECDSA: 3730 case KEY_RSA: 3731 if (force_new_format) { 3732 return sshkey_private_to_blob2(key, blob, passphrase, 3733 comment, new_format_cipher, new_format_rounds); 3734 } 3735 return sshkey_private_pem_to_blob(key, blob, 3736 passphrase, comment); 3737 #endif /* WITH_OPENSSL */ 3738 case KEY_ED25519: 3739 #ifdef WITH_XMSS 3740 case KEY_XMSS: 3741 #endif /* WITH_XMSS */ 3742 return sshkey_private_to_blob2(key, blob, passphrase, 3743 comment, new_format_cipher, new_format_rounds); 3744 default: 3745 return SSH_ERR_KEY_TYPE_UNKNOWN; 3746 } 3747 } 3748 3749 3750 #ifdef WITH_OPENSSL 3751 static int 3752 translate_libcrypto_error(unsigned long pem_err) 3753 { 3754 int pem_reason = ERR_GET_REASON(pem_err); 3755 3756 switch (ERR_GET_LIB(pem_err)) { 3757 case ERR_LIB_PEM: 3758 switch (pem_reason) { 3759 case PEM_R_BAD_PASSWORD_READ: 3760 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3761 case PEM_R_BAD_DECRYPT: 3762 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3763 default: 3764 return SSH_ERR_INVALID_FORMAT; 3765 } 3766 case ERR_LIB_EVP: 3767 switch (pem_reason) { 3768 case EVP_R_BAD_DECRYPT: 3769 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3770 #ifdef EVP_R_BN_DECODE_ERROR 3771 case EVP_R_BN_DECODE_ERROR: 3772 #endif 3773 case EVP_R_DECODE_ERROR: 3774 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3775 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3776 #endif 3777 return SSH_ERR_INVALID_FORMAT; 3778 default: 3779 return SSH_ERR_LIBCRYPTO_ERROR; 3780 } 3781 case ERR_LIB_ASN1: 3782 return SSH_ERR_INVALID_FORMAT; 3783 } 3784 return SSH_ERR_LIBCRYPTO_ERROR; 3785 } 3786 3787 static void 3788 clear_libcrypto_errors(void) 3789 { 3790 while (ERR_get_error() != 0) 3791 ; 3792 } 3793 3794 /* 3795 * Translate OpenSSL error codes to determine whether 3796 * passphrase is required/incorrect. 3797 */ 3798 static int 3799 convert_libcrypto_error(void) 3800 { 3801 /* 3802 * Some password errors are reported at the beginning 3803 * of the error queue. 3804 */ 3805 if (translate_libcrypto_error(ERR_peek_error()) == 3806 SSH_ERR_KEY_WRONG_PASSPHRASE) 3807 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3808 return translate_libcrypto_error(ERR_peek_last_error()); 3809 } 3810 3811 static int 3812 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3813 const char *passphrase, struct sshkey **keyp) 3814 { 3815 EVP_PKEY *pk = NULL; 3816 struct sshkey *prv = NULL; 3817 BIO *bio = NULL; 3818 int r; 3819 3820 if (keyp != NULL) 3821 *keyp = NULL; 3822 3823 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3824 return SSH_ERR_ALLOC_FAIL; 3825 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3826 (int)sshbuf_len(blob)) { 3827 r = SSH_ERR_ALLOC_FAIL; 3828 goto out; 3829 } 3830 3831 clear_libcrypto_errors(); 3832 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3833 (char *)passphrase)) == NULL) { 3834 /* 3835 * libcrypto may return various ASN.1 errors when attempting 3836 * to parse a key with an incorrect passphrase. 3837 * Treat all format errors as "incorrect passphrase" if a 3838 * passphrase was supplied. 3839 */ 3840 if (passphrase != NULL && *passphrase != '\0') 3841 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3842 else 3843 r = convert_libcrypto_error(); 3844 goto out; 3845 } 3846 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 3847 (type == KEY_UNSPEC || type == KEY_RSA)) { 3848 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3849 r = SSH_ERR_ALLOC_FAIL; 3850 goto out; 3851 } 3852 prv->rsa = EVP_PKEY_get1_RSA(pk); 3853 prv->type = KEY_RSA; 3854 #ifdef DEBUG_PK 3855 RSA_print_fp(stderr, prv->rsa, 8); 3856 #endif 3857 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3858 r = SSH_ERR_LIBCRYPTO_ERROR; 3859 goto out; 3860 } 3861 if ((r = check_rsa_length(prv->rsa)) != 0) 3862 goto out; 3863 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && 3864 (type == KEY_UNSPEC || type == KEY_DSA)) { 3865 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3866 r = SSH_ERR_ALLOC_FAIL; 3867 goto out; 3868 } 3869 prv->dsa = EVP_PKEY_get1_DSA(pk); 3870 prv->type = KEY_DSA; 3871 #ifdef DEBUG_PK 3872 DSA_print_fp(stderr, prv->dsa, 8); 3873 #endif 3874 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 3875 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3876 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3877 r = SSH_ERR_ALLOC_FAIL; 3878 goto out; 3879 } 3880 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3881 prv->type = KEY_ECDSA; 3882 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3883 if (prv->ecdsa_nid == -1 || 3884 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3885 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3886 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3887 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3888 r = SSH_ERR_INVALID_FORMAT; 3889 goto out; 3890 } 3891 #ifdef DEBUG_PK 3892 if (prv != NULL && prv->ecdsa != NULL) 3893 sshkey_dump_ec_key(prv->ecdsa); 3894 #endif 3895 } else { 3896 r = SSH_ERR_INVALID_FORMAT; 3897 goto out; 3898 } 3899 r = 0; 3900 if (keyp != NULL) { 3901 *keyp = prv; 3902 prv = NULL; 3903 } 3904 out: 3905 BIO_free(bio); 3906 EVP_PKEY_free(pk); 3907 sshkey_free(prv); 3908 return r; 3909 } 3910 #endif /* WITH_OPENSSL */ 3911 3912 int 3913 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3914 const char *passphrase, struct sshkey **keyp, char **commentp) 3915 { 3916 int r = SSH_ERR_INTERNAL_ERROR; 3917 3918 if (keyp != NULL) 3919 *keyp = NULL; 3920 if (commentp != NULL) 3921 *commentp = NULL; 3922 3923 switch (type) { 3924 #ifdef WITH_OPENSSL 3925 case KEY_DSA: 3926 case KEY_ECDSA: 3927 case KEY_RSA: 3928 return sshkey_parse_private_pem_fileblob(blob, type, 3929 passphrase, keyp); 3930 #endif /* WITH_OPENSSL */ 3931 case KEY_ED25519: 3932 #ifdef WITH_XMSS 3933 case KEY_XMSS: 3934 #endif /* WITH_XMSS */ 3935 return sshkey_parse_private2(blob, type, passphrase, 3936 keyp, commentp); 3937 case KEY_UNSPEC: 3938 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3939 commentp); 3940 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3941 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3942 return r; 3943 #ifdef WITH_OPENSSL 3944 return sshkey_parse_private_pem_fileblob(blob, type, 3945 passphrase, keyp); 3946 #else 3947 return SSH_ERR_INVALID_FORMAT; 3948 #endif /* WITH_OPENSSL */ 3949 default: 3950 return SSH_ERR_KEY_TYPE_UNKNOWN; 3951 } 3952 } 3953 3954 int 3955 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3956 struct sshkey **keyp, char **commentp) 3957 { 3958 if (keyp != NULL) 3959 *keyp = NULL; 3960 if (commentp != NULL) 3961 *commentp = NULL; 3962 3963 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3964 passphrase, keyp, commentp); 3965 } 3966 3967 #ifdef WITH_XMSS 3968 /* 3969 * serialize the key with the current state and forward the state 3970 * maxsign times. 3971 */ 3972 int 3973 sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b, 3974 u_int32_t maxsign, sshkey_printfn *pr) 3975 { 3976 int r, rupdate; 3977 3978 if (maxsign == 0 || 3979 sshkey_type_plain(k->type) != KEY_XMSS) 3980 return sshkey_private_serialize_opt(k, b, 3981 SSHKEY_SERIALIZE_DEFAULT); 3982 if ((r = sshkey_xmss_get_state(k, pr)) != 0 || 3983 (r = sshkey_private_serialize_opt(k, b, 3984 SSHKEY_SERIALIZE_STATE)) != 0 || 3985 (r = sshkey_xmss_forward_state(k, maxsign)) != 0) 3986 goto out; 3987 r = 0; 3988 out: 3989 if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) { 3990 if (r == 0) 3991 r = rupdate; 3992 } 3993 return r; 3994 } 3995 3996 u_int32_t 3997 sshkey_signatures_left(const struct sshkey *k) 3998 { 3999 if (sshkey_type_plain(k->type) == KEY_XMSS) 4000 return sshkey_xmss_signatures_left(k); 4001 return 0; 4002 } 4003 4004 int 4005 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4006 { 4007 if (sshkey_type_plain(k->type) != KEY_XMSS) 4008 return SSH_ERR_INVALID_ARGUMENT; 4009 return sshkey_xmss_enable_maxsign(k, maxsign); 4010 } 4011 4012 int 4013 sshkey_set_filename(struct sshkey *k, const char *filename) 4014 { 4015 if (k == NULL) 4016 return SSH_ERR_INVALID_ARGUMENT; 4017 if (sshkey_type_plain(k->type) != KEY_XMSS) 4018 return 0; 4019 if (filename == NULL) 4020 return SSH_ERR_INVALID_ARGUMENT; 4021 if ((k->xmss_filename = strdup(filename)) == NULL) 4022 return SSH_ERR_ALLOC_FAIL; 4023 return 0; 4024 } 4025 #else 4026 int 4027 sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b, 4028 u_int32_t maxsign, sshkey_printfn *pr) 4029 { 4030 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); 4031 } 4032 4033 u_int32_t 4034 sshkey_signatures_left(const struct sshkey *k) 4035 { 4036 return 0; 4037 } 4038 4039 int 4040 sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) 4041 { 4042 return SSH_ERR_INVALID_ARGUMENT; 4043 } 4044 4045 int 4046 sshkey_set_filename(struct sshkey *k, const char *filename) 4047 { 4048 if (k == NULL) 4049 return SSH_ERR_INVALID_ARGUMENT; 4050 return 0; 4051 } 4052 #endif /* WITH_XMSS */ 4053