1 /* $OpenBSD: sshkey.c,v 1.45 2017/03/10 04:07:20 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 30 #include <sys/types.h> 31 #include <netinet/in.h> 32 33 #ifdef WITH_OPENSSL 34 #include <openssl/evp.h> 35 #include <openssl/err.h> 36 #include <openssl/pem.h> 37 #endif 38 39 #include "crypto_api.h" 40 41 #include <errno.h> 42 #include <limits.h> 43 #include <stdio.h> 44 #include <string.h> 45 #include <resolv.h> 46 #ifdef HAVE_UTIL_H 47 #include <util.h> 48 #endif /* HAVE_UTIL_H */ 49 50 #include "ssh2.h" 51 #include "ssherr.h" 52 #include "misc.h" 53 #include "sshbuf.h" 54 #include "rsa.h" 55 #include "cipher.h" 56 #include "digest.h" 57 #define SSHKEY_INTERNAL 58 #include "sshkey.h" 59 #include "match.h" 60 61 /* openssh private key file format */ 62 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 63 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 64 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 65 #define MARK_END_LEN (sizeof(MARK_END) - 1) 66 #define KDFNAME "bcrypt" 67 #define AUTH_MAGIC "openssh-key-v1" 68 #define SALT_LEN 16 69 #define DEFAULT_CIPHERNAME "aes256-cbc" 70 #define DEFAULT_ROUNDS 16 71 72 /* Version identification string for SSH v1 identity files. */ 73 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 74 75 static int sshkey_from_blob_internal(struct sshbuf *buf, 76 struct sshkey **keyp, int allow_cert); 77 78 /* Supported key types */ 79 struct keytype { 80 const char *name; 81 const char *shortname; 82 int type; 83 int nid; 84 int cert; 85 int sigonly; 86 }; 87 static const struct keytype keytypes[] = { 88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, 89 { "ssh-ed25519-cert-v01 (at) openssh.com", "ED25519-CERT", 90 KEY_ED25519_CERT, 0, 1, 0 }, 91 #ifdef WITH_OPENSSL 92 # ifdef WITH_SSH1 93 { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, 94 # endif 95 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, 96 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, 97 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, 98 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, 99 # ifdef OPENSSL_HAS_ECC 100 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 101 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, 102 # ifdef OPENSSL_HAS_NISTP521 103 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, 104 # endif /* OPENSSL_HAS_NISTP521 */ 105 # endif /* OPENSSL_HAS_ECC */ 106 { "ssh-rsa-cert-v01 (at) openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, 107 { "ssh-dss-cert-v01 (at) openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, 108 # ifdef OPENSSL_HAS_ECC 109 { "ecdsa-sha2-nistp256-cert-v01 (at) openssh.com", "ECDSA-CERT", 110 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 111 { "ecdsa-sha2-nistp384-cert-v01 (at) openssh.com", "ECDSA-CERT", 112 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 113 # ifdef OPENSSL_HAS_NISTP521 114 { "ecdsa-sha2-nistp521-cert-v01 (at) openssh.com", "ECDSA-CERT", 115 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 116 # endif /* OPENSSL_HAS_NISTP521 */ 117 # endif /* OPENSSL_HAS_ECC */ 118 #endif /* WITH_OPENSSL */ 119 { NULL, NULL, -1, -1, 0, 0 } 120 }; 121 122 const char * 123 sshkey_type(const struct sshkey *k) 124 { 125 const struct keytype *kt; 126 127 for (kt = keytypes; kt->type != -1; kt++) { 128 if (kt->type == k->type) 129 return kt->shortname; 130 } 131 return "unknown"; 132 } 133 134 static const char * 135 sshkey_ssh_name_from_type_nid(int type, int nid) 136 { 137 const struct keytype *kt; 138 139 for (kt = keytypes; kt->type != -1; kt++) { 140 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 141 return kt->name; 142 } 143 return "ssh-unknown"; 144 } 145 146 int 147 sshkey_type_is_cert(int type) 148 { 149 const struct keytype *kt; 150 151 for (kt = keytypes; kt->type != -1; kt++) { 152 if (kt->type == type) 153 return kt->cert; 154 } 155 return 0; 156 } 157 158 const char * 159 sshkey_ssh_name(const struct sshkey *k) 160 { 161 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 162 } 163 164 const char * 165 sshkey_ssh_name_plain(const struct sshkey *k) 166 { 167 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 168 k->ecdsa_nid); 169 } 170 171 int 172 sshkey_type_from_name(const char *name) 173 { 174 const struct keytype *kt; 175 176 for (kt = keytypes; kt->type != -1; kt++) { 177 /* Only allow shortname matches for plain key types */ 178 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 179 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 180 return kt->type; 181 } 182 return KEY_UNSPEC; 183 } 184 185 int 186 sshkey_ecdsa_nid_from_name(const char *name) 187 { 188 const struct keytype *kt; 189 190 for (kt = keytypes; kt->type != -1; kt++) { 191 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 192 continue; 193 if (kt->name != NULL && strcmp(name, kt->name) == 0) 194 return kt->nid; 195 } 196 return -1; 197 } 198 199 char * 200 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 201 { 202 char *tmp, *ret = NULL; 203 size_t nlen, rlen = 0; 204 const struct keytype *kt; 205 206 for (kt = keytypes; kt->type != -1; kt++) { 207 if (kt->name == NULL) 208 continue; 209 if (!include_sigonly && kt->sigonly) 210 continue; 211 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 212 continue; 213 if (ret != NULL) 214 ret[rlen++] = sep; 215 nlen = strlen(kt->name); 216 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 217 free(ret); 218 return NULL; 219 } 220 ret = tmp; 221 memcpy(ret + rlen, kt->name, nlen + 1); 222 rlen += nlen; 223 } 224 return ret; 225 } 226 227 int 228 sshkey_names_valid2(const char *names, int allow_wildcard) 229 { 230 char *s, *cp, *p; 231 const struct keytype *kt; 232 int type; 233 234 if (names == NULL || strcmp(names, "") == 0) 235 return 0; 236 if ((s = cp = strdup(names)) == NULL) 237 return 0; 238 for ((p = strsep(&cp, ",")); p && *p != '\0'; 239 (p = strsep(&cp, ","))) { 240 type = sshkey_type_from_name(p); 241 if (type == KEY_RSA1) { 242 free(s); 243 return 0; 244 } 245 if (type == KEY_UNSPEC) { 246 if (allow_wildcard) { 247 /* 248 * Try matching key types against the string. 249 * If any has a positive or negative match then 250 * the component is accepted. 251 */ 252 for (kt = keytypes; kt->type != -1; kt++) { 253 if (kt->type == KEY_RSA1) 254 continue; 255 if (match_pattern_list(kt->name, 256 p, 0) != 0) 257 break; 258 } 259 if (kt->type != -1) 260 continue; 261 } 262 free(s); 263 return 0; 264 } 265 } 266 free(s); 267 return 1; 268 } 269 270 u_int 271 sshkey_size(const struct sshkey *k) 272 { 273 switch (k->type) { 274 #ifdef WITH_OPENSSL 275 case KEY_RSA1: 276 case KEY_RSA: 277 case KEY_RSA_CERT: 278 return BN_num_bits(k->rsa->n); 279 case KEY_DSA: 280 case KEY_DSA_CERT: 281 return BN_num_bits(k->dsa->p); 282 case KEY_ECDSA: 283 case KEY_ECDSA_CERT: 284 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 285 #endif /* WITH_OPENSSL */ 286 case KEY_ED25519: 287 case KEY_ED25519_CERT: 288 return 256; /* XXX */ 289 } 290 return 0; 291 } 292 293 static int 294 sshkey_type_is_valid_ca(int type) 295 { 296 switch (type) { 297 case KEY_RSA: 298 case KEY_DSA: 299 case KEY_ECDSA: 300 case KEY_ED25519: 301 return 1; 302 default: 303 return 0; 304 } 305 } 306 307 int 308 sshkey_is_cert(const struct sshkey *k) 309 { 310 if (k == NULL) 311 return 0; 312 return sshkey_type_is_cert(k->type); 313 } 314 315 /* Return the cert-less equivalent to a certified key type */ 316 int 317 sshkey_type_plain(int type) 318 { 319 switch (type) { 320 case KEY_RSA_CERT: 321 return KEY_RSA; 322 case KEY_DSA_CERT: 323 return KEY_DSA; 324 case KEY_ECDSA_CERT: 325 return KEY_ECDSA; 326 case KEY_ED25519_CERT: 327 return KEY_ED25519; 328 default: 329 return type; 330 } 331 } 332 333 #ifdef WITH_OPENSSL 334 /* XXX: these are really begging for a table-driven approach */ 335 int 336 sshkey_curve_name_to_nid(const char *name) 337 { 338 if (strcmp(name, "nistp256") == 0) 339 return NID_X9_62_prime256v1; 340 else if (strcmp(name, "nistp384") == 0) 341 return NID_secp384r1; 342 # ifdef OPENSSL_HAS_NISTP521 343 else if (strcmp(name, "nistp521") == 0) 344 return NID_secp521r1; 345 # endif /* OPENSSL_HAS_NISTP521 */ 346 else 347 return -1; 348 } 349 350 u_int 351 sshkey_curve_nid_to_bits(int nid) 352 { 353 switch (nid) { 354 case NID_X9_62_prime256v1: 355 return 256; 356 case NID_secp384r1: 357 return 384; 358 # ifdef OPENSSL_HAS_NISTP521 359 case NID_secp521r1: 360 return 521; 361 # endif /* OPENSSL_HAS_NISTP521 */ 362 default: 363 return 0; 364 } 365 } 366 367 int 368 sshkey_ecdsa_bits_to_nid(int bits) 369 { 370 switch (bits) { 371 case 256: 372 return NID_X9_62_prime256v1; 373 case 384: 374 return NID_secp384r1; 375 # ifdef OPENSSL_HAS_NISTP521 376 case 521: 377 return NID_secp521r1; 378 # endif /* OPENSSL_HAS_NISTP521 */ 379 default: 380 return -1; 381 } 382 } 383 384 const char * 385 sshkey_curve_nid_to_name(int nid) 386 { 387 switch (nid) { 388 case NID_X9_62_prime256v1: 389 return "nistp256"; 390 case NID_secp384r1: 391 return "nistp384"; 392 # ifdef OPENSSL_HAS_NISTP521 393 case NID_secp521r1: 394 return "nistp521"; 395 # endif /* OPENSSL_HAS_NISTP521 */ 396 default: 397 return NULL; 398 } 399 } 400 401 int 402 sshkey_ec_nid_to_hash_alg(int nid) 403 { 404 int kbits = sshkey_curve_nid_to_bits(nid); 405 406 if (kbits <= 0) 407 return -1; 408 409 /* RFC5656 section 6.2.1 */ 410 if (kbits <= 256) 411 return SSH_DIGEST_SHA256; 412 else if (kbits <= 384) 413 return SSH_DIGEST_SHA384; 414 else 415 return SSH_DIGEST_SHA512; 416 } 417 #endif /* WITH_OPENSSL */ 418 419 static void 420 cert_free(struct sshkey_cert *cert) 421 { 422 u_int i; 423 424 if (cert == NULL) 425 return; 426 sshbuf_free(cert->certblob); 427 sshbuf_free(cert->critical); 428 sshbuf_free(cert->extensions); 429 free(cert->key_id); 430 for (i = 0; i < cert->nprincipals; i++) 431 free(cert->principals[i]); 432 free(cert->principals); 433 sshkey_free(cert->signature_key); 434 explicit_bzero(cert, sizeof(*cert)); 435 free(cert); 436 } 437 438 static struct sshkey_cert * 439 cert_new(void) 440 { 441 struct sshkey_cert *cert; 442 443 if ((cert = calloc(1, sizeof(*cert))) == NULL) 444 return NULL; 445 if ((cert->certblob = sshbuf_new()) == NULL || 446 (cert->critical = sshbuf_new()) == NULL || 447 (cert->extensions = sshbuf_new()) == NULL) { 448 cert_free(cert); 449 return NULL; 450 } 451 cert->key_id = NULL; 452 cert->principals = NULL; 453 cert->signature_key = NULL; 454 return cert; 455 } 456 457 struct sshkey * 458 sshkey_new(int type) 459 { 460 struct sshkey *k; 461 #ifdef WITH_OPENSSL 462 RSA *rsa; 463 DSA *dsa; 464 #endif /* WITH_OPENSSL */ 465 466 if ((k = calloc(1, sizeof(*k))) == NULL) 467 return NULL; 468 k->type = type; 469 k->ecdsa = NULL; 470 k->ecdsa_nid = -1; 471 k->dsa = NULL; 472 k->rsa = NULL; 473 k->cert = NULL; 474 k->ed25519_sk = NULL; 475 k->ed25519_pk = NULL; 476 switch (k->type) { 477 #ifdef WITH_OPENSSL 478 case KEY_RSA1: 479 case KEY_RSA: 480 case KEY_RSA_CERT: 481 if ((rsa = RSA_new()) == NULL || 482 (rsa->n = BN_new()) == NULL || 483 (rsa->e = BN_new()) == NULL) { 484 if (rsa != NULL) 485 RSA_free(rsa); 486 free(k); 487 return NULL; 488 } 489 k->rsa = rsa; 490 break; 491 case KEY_DSA: 492 case KEY_DSA_CERT: 493 if ((dsa = DSA_new()) == NULL || 494 (dsa->p = BN_new()) == NULL || 495 (dsa->q = BN_new()) == NULL || 496 (dsa->g = BN_new()) == NULL || 497 (dsa->pub_key = BN_new()) == NULL) { 498 if (dsa != NULL) 499 DSA_free(dsa); 500 free(k); 501 return NULL; 502 } 503 k->dsa = dsa; 504 break; 505 case KEY_ECDSA: 506 case KEY_ECDSA_CERT: 507 /* Cannot do anything until we know the group */ 508 break; 509 #endif /* WITH_OPENSSL */ 510 case KEY_ED25519: 511 case KEY_ED25519_CERT: 512 /* no need to prealloc */ 513 break; 514 case KEY_UNSPEC: 515 break; 516 default: 517 free(k); 518 return NULL; 519 } 520 521 if (sshkey_is_cert(k)) { 522 if ((k->cert = cert_new()) == NULL) { 523 sshkey_free(k); 524 return NULL; 525 } 526 } 527 528 return k; 529 } 530 531 int 532 sshkey_add_private(struct sshkey *k) 533 { 534 switch (k->type) { 535 #ifdef WITH_OPENSSL 536 case KEY_RSA1: 537 case KEY_RSA: 538 case KEY_RSA_CERT: 539 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 540 if (bn_maybe_alloc_failed(k->rsa->d) || 541 bn_maybe_alloc_failed(k->rsa->iqmp) || 542 bn_maybe_alloc_failed(k->rsa->q) || 543 bn_maybe_alloc_failed(k->rsa->p) || 544 bn_maybe_alloc_failed(k->rsa->dmq1) || 545 bn_maybe_alloc_failed(k->rsa->dmp1)) 546 return SSH_ERR_ALLOC_FAIL; 547 break; 548 case KEY_DSA: 549 case KEY_DSA_CERT: 550 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 551 return SSH_ERR_ALLOC_FAIL; 552 break; 553 #undef bn_maybe_alloc_failed 554 case KEY_ECDSA: 555 case KEY_ECDSA_CERT: 556 /* Cannot do anything until we know the group */ 557 break; 558 #endif /* WITH_OPENSSL */ 559 case KEY_ED25519: 560 case KEY_ED25519_CERT: 561 /* no need to prealloc */ 562 break; 563 case KEY_UNSPEC: 564 break; 565 default: 566 return SSH_ERR_INVALID_ARGUMENT; 567 } 568 return 0; 569 } 570 571 struct sshkey * 572 sshkey_new_private(int type) 573 { 574 struct sshkey *k = sshkey_new(type); 575 576 if (k == NULL) 577 return NULL; 578 if (sshkey_add_private(k) != 0) { 579 sshkey_free(k); 580 return NULL; 581 } 582 return k; 583 } 584 585 void 586 sshkey_free(struct sshkey *k) 587 { 588 if (k == NULL) 589 return; 590 switch (k->type) { 591 #ifdef WITH_OPENSSL 592 case KEY_RSA1: 593 case KEY_RSA: 594 case KEY_RSA_CERT: 595 if (k->rsa != NULL) 596 RSA_free(k->rsa); 597 k->rsa = NULL; 598 break; 599 case KEY_DSA: 600 case KEY_DSA_CERT: 601 if (k->dsa != NULL) 602 DSA_free(k->dsa); 603 k->dsa = NULL; 604 break; 605 # ifdef OPENSSL_HAS_ECC 606 case KEY_ECDSA: 607 case KEY_ECDSA_CERT: 608 if (k->ecdsa != NULL) 609 EC_KEY_free(k->ecdsa); 610 k->ecdsa = NULL; 611 break; 612 # endif /* OPENSSL_HAS_ECC */ 613 #endif /* WITH_OPENSSL */ 614 case KEY_ED25519: 615 case KEY_ED25519_CERT: 616 if (k->ed25519_pk) { 617 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 618 free(k->ed25519_pk); 619 k->ed25519_pk = NULL; 620 } 621 if (k->ed25519_sk) { 622 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 623 free(k->ed25519_sk); 624 k->ed25519_sk = NULL; 625 } 626 break; 627 case KEY_UNSPEC: 628 break; 629 default: 630 break; 631 } 632 if (sshkey_is_cert(k)) 633 cert_free(k->cert); 634 explicit_bzero(k, sizeof(*k)); 635 free(k); 636 } 637 638 static int 639 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 640 { 641 if (a == NULL && b == NULL) 642 return 1; 643 if (a == NULL || b == NULL) 644 return 0; 645 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 646 return 0; 647 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 648 sshbuf_len(a->certblob)) != 0) 649 return 0; 650 return 1; 651 } 652 653 /* 654 * Compare public portions of key only, allowing comparisons between 655 * certificates and plain keys too. 656 */ 657 int 658 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 659 { 660 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 661 BN_CTX *bnctx; 662 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 663 664 if (a == NULL || b == NULL || 665 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 666 return 0; 667 668 switch (a->type) { 669 #ifdef WITH_OPENSSL 670 case KEY_RSA1: 671 case KEY_RSA_CERT: 672 case KEY_RSA: 673 return a->rsa != NULL && b->rsa != NULL && 674 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 675 BN_cmp(a->rsa->n, b->rsa->n) == 0; 676 case KEY_DSA_CERT: 677 case KEY_DSA: 678 return a->dsa != NULL && b->dsa != NULL && 679 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 680 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 681 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 682 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 683 # ifdef OPENSSL_HAS_ECC 684 case KEY_ECDSA_CERT: 685 case KEY_ECDSA: 686 if (a->ecdsa == NULL || b->ecdsa == NULL || 687 EC_KEY_get0_public_key(a->ecdsa) == NULL || 688 EC_KEY_get0_public_key(b->ecdsa) == NULL) 689 return 0; 690 if ((bnctx = BN_CTX_new()) == NULL) 691 return 0; 692 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 693 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 694 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 695 EC_KEY_get0_public_key(a->ecdsa), 696 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 697 BN_CTX_free(bnctx); 698 return 0; 699 } 700 BN_CTX_free(bnctx); 701 return 1; 702 # endif /* OPENSSL_HAS_ECC */ 703 #endif /* WITH_OPENSSL */ 704 case KEY_ED25519: 705 case KEY_ED25519_CERT: 706 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 707 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 708 default: 709 return 0; 710 } 711 /* NOTREACHED */ 712 } 713 714 int 715 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 716 { 717 if (a == NULL || b == NULL || a->type != b->type) 718 return 0; 719 if (sshkey_is_cert(a)) { 720 if (!cert_compare(a->cert, b->cert)) 721 return 0; 722 } 723 return sshkey_equal_public(a, b); 724 } 725 726 static int 727 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 728 { 729 int type, ret = SSH_ERR_INTERNAL_ERROR; 730 const char *typename; 731 732 if (key == NULL) 733 return SSH_ERR_INVALID_ARGUMENT; 734 735 if (sshkey_is_cert(key)) { 736 if (key->cert == NULL) 737 return SSH_ERR_EXPECTED_CERT; 738 if (sshbuf_len(key->cert->certblob) == 0) 739 return SSH_ERR_KEY_LACKS_CERTBLOB; 740 } 741 type = force_plain ? sshkey_type_plain(key->type) : key->type; 742 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 743 744 switch (type) { 745 #ifdef WITH_OPENSSL 746 case KEY_DSA_CERT: 747 case KEY_ECDSA_CERT: 748 case KEY_RSA_CERT: 749 #endif /* WITH_OPENSSL */ 750 case KEY_ED25519_CERT: 751 /* Use the existing blob */ 752 /* XXX modified flag? */ 753 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 754 return ret; 755 break; 756 #ifdef WITH_OPENSSL 757 case KEY_DSA: 758 if (key->dsa == NULL) 759 return SSH_ERR_INVALID_ARGUMENT; 760 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 761 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 762 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 763 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 764 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 765 return ret; 766 break; 767 # ifdef OPENSSL_HAS_ECC 768 case KEY_ECDSA: 769 if (key->ecdsa == NULL) 770 return SSH_ERR_INVALID_ARGUMENT; 771 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 772 (ret = sshbuf_put_cstring(b, 773 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 774 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 775 return ret; 776 break; 777 # endif 778 case KEY_RSA: 779 if (key->rsa == NULL) 780 return SSH_ERR_INVALID_ARGUMENT; 781 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 782 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 783 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 784 return ret; 785 break; 786 #endif /* WITH_OPENSSL */ 787 case KEY_ED25519: 788 if (key->ed25519_pk == NULL) 789 return SSH_ERR_INVALID_ARGUMENT; 790 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 791 (ret = sshbuf_put_string(b, 792 key->ed25519_pk, ED25519_PK_SZ)) != 0) 793 return ret; 794 break; 795 default: 796 return SSH_ERR_KEY_TYPE_UNKNOWN; 797 } 798 return 0; 799 } 800 801 int 802 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 803 { 804 return to_blob_buf(key, b, 0); 805 } 806 807 int 808 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 809 { 810 struct sshbuf *tmp; 811 int r; 812 813 if ((tmp = sshbuf_new()) == NULL) 814 return SSH_ERR_ALLOC_FAIL; 815 r = to_blob_buf(key, tmp, 0); 816 if (r == 0) 817 r = sshbuf_put_stringb(b, tmp); 818 sshbuf_free(tmp); 819 return r; 820 } 821 822 int 823 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 824 { 825 return to_blob_buf(key, b, 1); 826 } 827 828 static int 829 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 830 { 831 int ret = SSH_ERR_INTERNAL_ERROR; 832 size_t len; 833 struct sshbuf *b = NULL; 834 835 if (lenp != NULL) 836 *lenp = 0; 837 if (blobp != NULL) 838 *blobp = NULL; 839 if ((b = sshbuf_new()) == NULL) 840 return SSH_ERR_ALLOC_FAIL; 841 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 842 goto out; 843 len = sshbuf_len(b); 844 if (lenp != NULL) 845 *lenp = len; 846 if (blobp != NULL) { 847 if ((*blobp = malloc(len)) == NULL) { 848 ret = SSH_ERR_ALLOC_FAIL; 849 goto out; 850 } 851 memcpy(*blobp, sshbuf_ptr(b), len); 852 } 853 ret = 0; 854 out: 855 sshbuf_free(b); 856 return ret; 857 } 858 859 int 860 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 861 { 862 return to_blob(key, blobp, lenp, 0); 863 } 864 865 int 866 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 867 { 868 return to_blob(key, blobp, lenp, 1); 869 } 870 871 int 872 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 873 u_char **retp, size_t *lenp) 874 { 875 u_char *blob = NULL, *ret = NULL; 876 size_t blob_len = 0; 877 int r = SSH_ERR_INTERNAL_ERROR; 878 879 if (retp != NULL) 880 *retp = NULL; 881 if (lenp != NULL) 882 *lenp = 0; 883 if (ssh_digest_bytes(dgst_alg) == 0) { 884 r = SSH_ERR_INVALID_ARGUMENT; 885 goto out; 886 } 887 888 if (k->type == KEY_RSA1) { 889 #ifdef WITH_OPENSSL 890 int nlen = BN_num_bytes(k->rsa->n); 891 int elen = BN_num_bytes(k->rsa->e); 892 893 if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) { 894 r = SSH_ERR_INVALID_FORMAT; 895 goto out; 896 } 897 blob_len = nlen + elen; 898 if ((blob = malloc(blob_len)) == NULL) { 899 r = SSH_ERR_ALLOC_FAIL; 900 goto out; 901 } 902 BN_bn2bin(k->rsa->n, blob); 903 BN_bn2bin(k->rsa->e, blob + nlen); 904 #endif /* WITH_OPENSSL */ 905 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 906 goto out; 907 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 908 r = SSH_ERR_ALLOC_FAIL; 909 goto out; 910 } 911 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 912 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 913 goto out; 914 /* success */ 915 if (retp != NULL) { 916 *retp = ret; 917 ret = NULL; 918 } 919 if (lenp != NULL) 920 *lenp = ssh_digest_bytes(dgst_alg); 921 r = 0; 922 out: 923 free(ret); 924 if (blob != NULL) { 925 explicit_bzero(blob, blob_len); 926 free(blob); 927 } 928 return r; 929 } 930 931 static char * 932 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 933 { 934 char *ret; 935 size_t plen = strlen(alg) + 1; 936 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 937 int r; 938 939 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 940 return NULL; 941 strlcpy(ret, alg, rlen); 942 strlcat(ret, ":", rlen); 943 if (dgst_raw_len == 0) 944 return ret; 945 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 946 ret + plen, rlen - plen)) == -1) { 947 explicit_bzero(ret, rlen); 948 free(ret); 949 return NULL; 950 } 951 /* Trim padding characters from end */ 952 ret[strcspn(ret, "=")] = '\0'; 953 return ret; 954 } 955 956 static char * 957 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 958 { 959 char *retval, hex[5]; 960 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 961 962 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 963 return NULL; 964 strlcpy(retval, alg, rlen); 965 strlcat(retval, ":", rlen); 966 for (i = 0; i < dgst_raw_len; i++) { 967 snprintf(hex, sizeof(hex), "%s%02x", 968 i > 0 ? ":" : "", dgst_raw[i]); 969 strlcat(retval, hex, rlen); 970 } 971 return retval; 972 } 973 974 static char * 975 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 976 { 977 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 978 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 979 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 980 u_int i, j = 0, rounds, seed = 1; 981 char *retval; 982 983 rounds = (dgst_raw_len / 2) + 1; 984 if ((retval = calloc(rounds, 6)) == NULL) 985 return NULL; 986 retval[j++] = 'x'; 987 for (i = 0; i < rounds; i++) { 988 u_int idx0, idx1, idx2, idx3, idx4; 989 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 990 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 991 seed) % 6; 992 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 993 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 994 (seed / 6)) % 6; 995 retval[j++] = vowels[idx0]; 996 retval[j++] = consonants[idx1]; 997 retval[j++] = vowels[idx2]; 998 if ((i + 1) < rounds) { 999 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 1000 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1001 retval[j++] = consonants[idx3]; 1002 retval[j++] = '-'; 1003 retval[j++] = consonants[idx4]; 1004 seed = ((seed * 5) + 1005 ((((u_int)(dgst_raw[2 * i])) * 7) + 1006 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1007 } 1008 } else { 1009 idx0 = seed % 6; 1010 idx1 = 16; 1011 idx2 = seed / 6; 1012 retval[j++] = vowels[idx0]; 1013 retval[j++] = consonants[idx1]; 1014 retval[j++] = vowels[idx2]; 1015 } 1016 } 1017 retval[j++] = 'x'; 1018 retval[j++] = '\0'; 1019 return retval; 1020 } 1021 1022 /* 1023 * Draw an ASCII-Art representing the fingerprint so human brain can 1024 * profit from its built-in pattern recognition ability. 1025 * This technique is called "random art" and can be found in some 1026 * scientific publications like this original paper: 1027 * 1028 * "Hash Visualization: a New Technique to improve Real-World Security", 1029 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1030 * Techniques and E-Commerce (CrypTEC '99) 1031 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1032 * 1033 * The subject came up in a talk by Dan Kaminsky, too. 1034 * 1035 * If you see the picture is different, the key is different. 1036 * If the picture looks the same, you still know nothing. 1037 * 1038 * The algorithm used here is a worm crawling over a discrete plane, 1039 * leaving a trace (augmenting the field) everywhere it goes. 1040 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1041 * makes the respective movement vector be ignored for this turn. 1042 * Graphs are not unambiguous, because circles in graphs can be 1043 * walked in either direction. 1044 */ 1045 1046 /* 1047 * Field sizes for the random art. Have to be odd, so the starting point 1048 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1049 * Else pictures would be too dense, and drawing the frame would 1050 * fail, too, because the key type would not fit in anymore. 1051 */ 1052 #define FLDBASE 8 1053 #define FLDSIZE_Y (FLDBASE + 1) 1054 #define FLDSIZE_X (FLDBASE * 2 + 1) 1055 static char * 1056 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1057 const struct sshkey *k) 1058 { 1059 /* 1060 * Chars to be used after each other every time the worm 1061 * intersects with itself. Matter of taste. 1062 */ 1063 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1064 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1065 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1066 size_t i, tlen, hlen; 1067 u_int b; 1068 int x, y, r; 1069 size_t len = strlen(augmentation_string) - 1; 1070 1071 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1072 return NULL; 1073 1074 /* initialize field */ 1075 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1076 x = FLDSIZE_X / 2; 1077 y = FLDSIZE_Y / 2; 1078 1079 /* process raw key */ 1080 for (i = 0; i < dgst_raw_len; i++) { 1081 int input; 1082 /* each byte conveys four 2-bit move commands */ 1083 input = dgst_raw[i]; 1084 for (b = 0; b < 4; b++) { 1085 /* evaluate 2 bit, rest is shifted later */ 1086 x += (input & 0x1) ? 1 : -1; 1087 y += (input & 0x2) ? 1 : -1; 1088 1089 /* assure we are still in bounds */ 1090 x = MAXIMUM(x, 0); 1091 y = MAXIMUM(y, 0); 1092 x = MINIMUM(x, FLDSIZE_X - 1); 1093 y = MINIMUM(y, FLDSIZE_Y - 1); 1094 1095 /* augment the field */ 1096 if (field[x][y] < len - 2) 1097 field[x][y]++; 1098 input = input >> 2; 1099 } 1100 } 1101 1102 /* mark starting point and end point*/ 1103 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1104 field[x][y] = len; 1105 1106 /* assemble title */ 1107 r = snprintf(title, sizeof(title), "[%s %u]", 1108 sshkey_type(k), sshkey_size(k)); 1109 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1110 if (r < 0 || r > (int)sizeof(title)) 1111 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1112 tlen = (r <= 0) ? 0 : strlen(title); 1113 1114 /* assemble hash ID. */ 1115 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1116 hlen = (r <= 0) ? 0 : strlen(hash); 1117 1118 /* output upper border */ 1119 p = retval; 1120 *p++ = '+'; 1121 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1122 *p++ = '-'; 1123 memcpy(p, title, tlen); 1124 p += tlen; 1125 for (i += tlen; i < FLDSIZE_X; i++) 1126 *p++ = '-'; 1127 *p++ = '+'; 1128 *p++ = '\n'; 1129 1130 /* output content */ 1131 for (y = 0; y < FLDSIZE_Y; y++) { 1132 *p++ = '|'; 1133 for (x = 0; x < FLDSIZE_X; x++) 1134 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1135 *p++ = '|'; 1136 *p++ = '\n'; 1137 } 1138 1139 /* output lower border */ 1140 *p++ = '+'; 1141 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1142 *p++ = '-'; 1143 memcpy(p, hash, hlen); 1144 p += hlen; 1145 for (i += hlen; i < FLDSIZE_X; i++) 1146 *p++ = '-'; 1147 *p++ = '+'; 1148 1149 return retval; 1150 } 1151 1152 char * 1153 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1154 enum sshkey_fp_rep dgst_rep) 1155 { 1156 char *retval = NULL; 1157 u_char *dgst_raw; 1158 size_t dgst_raw_len; 1159 1160 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1161 return NULL; 1162 switch (dgst_rep) { 1163 case SSH_FP_DEFAULT: 1164 if (dgst_alg == SSH_DIGEST_MD5) { 1165 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1166 dgst_raw, dgst_raw_len); 1167 } else { 1168 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1169 dgst_raw, dgst_raw_len); 1170 } 1171 break; 1172 case SSH_FP_HEX: 1173 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1174 dgst_raw, dgst_raw_len); 1175 break; 1176 case SSH_FP_BASE64: 1177 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1178 dgst_raw, dgst_raw_len); 1179 break; 1180 case SSH_FP_BUBBLEBABBLE: 1181 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1182 break; 1183 case SSH_FP_RANDOMART: 1184 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1185 dgst_raw, dgst_raw_len, k); 1186 break; 1187 default: 1188 explicit_bzero(dgst_raw, dgst_raw_len); 1189 free(dgst_raw); 1190 return NULL; 1191 } 1192 explicit_bzero(dgst_raw, dgst_raw_len); 1193 free(dgst_raw); 1194 return retval; 1195 } 1196 1197 #ifdef WITH_SSH1 1198 /* 1199 * Reads a multiple-precision integer in decimal from the buffer, and advances 1200 * the pointer. The integer must already be initialized. This function is 1201 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1202 * last processed character. 1203 */ 1204 static int 1205 read_decimal_bignum(char **cpp, BIGNUM *v) 1206 { 1207 char *cp; 1208 size_t e; 1209 int skip = 1; /* skip white space */ 1210 1211 cp = *cpp; 1212 while (*cp == ' ' || *cp == '\t') 1213 cp++; 1214 e = strspn(cp, "0123456789"); 1215 if (e == 0) 1216 return SSH_ERR_INVALID_FORMAT; 1217 if (e > SSHBUF_MAX_BIGNUM * 3) 1218 return SSH_ERR_BIGNUM_TOO_LARGE; 1219 if (cp[e] == '\0') 1220 skip = 0; 1221 else if (strchr(" \t\r\n", cp[e]) == NULL) 1222 return SSH_ERR_INVALID_FORMAT; 1223 cp[e] = '\0'; 1224 if (BN_dec2bn(&v, cp) <= 0) 1225 return SSH_ERR_INVALID_FORMAT; 1226 *cpp = cp + e + skip; 1227 return 0; 1228 } 1229 #endif /* WITH_SSH1 */ 1230 1231 /* returns 0 ok, and < 0 error */ 1232 int 1233 sshkey_read(struct sshkey *ret, char **cpp) 1234 { 1235 struct sshkey *k; 1236 int retval = SSH_ERR_INVALID_FORMAT; 1237 char *ep, *cp, *space; 1238 int r, type, curve_nid = -1; 1239 struct sshbuf *blob; 1240 #ifdef WITH_SSH1 1241 u_long bits; 1242 #endif /* WITH_SSH1 */ 1243 1244 if (ret == NULL) 1245 return SSH_ERR_INVALID_ARGUMENT; 1246 1247 cp = *cpp; 1248 1249 switch (ret->type) { 1250 case KEY_RSA1: 1251 #ifdef WITH_SSH1 1252 /* Get number of bits. */ 1253 bits = strtoul(cp, &ep, 10); 1254 if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL || 1255 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1256 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1257 /* Get public exponent, public modulus. */ 1258 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1259 return r; 1260 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1261 return r; 1262 /* validate the claimed number of bits */ 1263 if (BN_num_bits(ret->rsa->n) != (int)bits) 1264 return SSH_ERR_KEY_BITS_MISMATCH; 1265 *cpp = ep; 1266 retval = 0; 1267 #endif /* WITH_SSH1 */ 1268 break; 1269 case KEY_UNSPEC: 1270 case KEY_RSA: 1271 case KEY_DSA: 1272 case KEY_ECDSA: 1273 case KEY_ED25519: 1274 case KEY_DSA_CERT: 1275 case KEY_ECDSA_CERT: 1276 case KEY_RSA_CERT: 1277 case KEY_ED25519_CERT: 1278 space = strchr(cp, ' '); 1279 if (space == NULL) 1280 return SSH_ERR_INVALID_FORMAT; 1281 *space = '\0'; 1282 type = sshkey_type_from_name(cp); 1283 if (sshkey_type_plain(type) == KEY_ECDSA && 1284 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1285 return SSH_ERR_EC_CURVE_INVALID; 1286 *space = ' '; 1287 if (type == KEY_UNSPEC) 1288 return SSH_ERR_INVALID_FORMAT; 1289 cp = space+1; 1290 if (*cp == '\0') 1291 return SSH_ERR_INVALID_FORMAT; 1292 if (ret->type != KEY_UNSPEC && ret->type != type) 1293 return SSH_ERR_KEY_TYPE_MISMATCH; 1294 if ((blob = sshbuf_new()) == NULL) 1295 return SSH_ERR_ALLOC_FAIL; 1296 /* trim comment */ 1297 space = strchr(cp, ' '); 1298 if (space) { 1299 /* advance 'space': skip whitespace */ 1300 *space++ = '\0'; 1301 while (*space == ' ' || *space == '\t') 1302 space++; 1303 ep = space; 1304 } else 1305 ep = cp + strlen(cp); 1306 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1307 sshbuf_free(blob); 1308 return r; 1309 } 1310 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1311 sshbuf_len(blob), &k)) != 0) { 1312 sshbuf_free(blob); 1313 return r; 1314 } 1315 sshbuf_free(blob); 1316 if (k->type != type) { 1317 sshkey_free(k); 1318 return SSH_ERR_KEY_TYPE_MISMATCH; 1319 } 1320 if (sshkey_type_plain(type) == KEY_ECDSA && 1321 curve_nid != k->ecdsa_nid) { 1322 sshkey_free(k); 1323 return SSH_ERR_EC_CURVE_MISMATCH; 1324 } 1325 ret->type = type; 1326 if (sshkey_is_cert(ret)) { 1327 if (!sshkey_is_cert(k)) { 1328 sshkey_free(k); 1329 return SSH_ERR_EXPECTED_CERT; 1330 } 1331 if (ret->cert != NULL) 1332 cert_free(ret->cert); 1333 ret->cert = k->cert; 1334 k->cert = NULL; 1335 } 1336 switch (sshkey_type_plain(ret->type)) { 1337 #ifdef WITH_OPENSSL 1338 case KEY_RSA: 1339 if (ret->rsa != NULL) 1340 RSA_free(ret->rsa); 1341 ret->rsa = k->rsa; 1342 k->rsa = NULL; 1343 #ifdef DEBUG_PK 1344 RSA_print_fp(stderr, ret->rsa, 8); 1345 #endif 1346 break; 1347 case KEY_DSA: 1348 if (ret->dsa != NULL) 1349 DSA_free(ret->dsa); 1350 ret->dsa = k->dsa; 1351 k->dsa = NULL; 1352 #ifdef DEBUG_PK 1353 DSA_print_fp(stderr, ret->dsa, 8); 1354 #endif 1355 break; 1356 # ifdef OPENSSL_HAS_ECC 1357 case KEY_ECDSA: 1358 if (ret->ecdsa != NULL) 1359 EC_KEY_free(ret->ecdsa); 1360 ret->ecdsa = k->ecdsa; 1361 ret->ecdsa_nid = k->ecdsa_nid; 1362 k->ecdsa = NULL; 1363 k->ecdsa_nid = -1; 1364 #ifdef DEBUG_PK 1365 sshkey_dump_ec_key(ret->ecdsa); 1366 #endif 1367 break; 1368 # endif /* OPENSSL_HAS_ECC */ 1369 #endif /* WITH_OPENSSL */ 1370 case KEY_ED25519: 1371 free(ret->ed25519_pk); 1372 ret->ed25519_pk = k->ed25519_pk; 1373 k->ed25519_pk = NULL; 1374 #ifdef DEBUG_PK 1375 /* XXX */ 1376 #endif 1377 break; 1378 } 1379 *cpp = ep; 1380 retval = 0; 1381 /*XXXX*/ 1382 sshkey_free(k); 1383 if (retval != 0) 1384 break; 1385 break; 1386 default: 1387 return SSH_ERR_INVALID_ARGUMENT; 1388 } 1389 return retval; 1390 } 1391 1392 int 1393 sshkey_to_base64(const struct sshkey *key, char **b64p) 1394 { 1395 int r = SSH_ERR_INTERNAL_ERROR; 1396 struct sshbuf *b = NULL; 1397 char *uu = NULL; 1398 1399 if (b64p != NULL) 1400 *b64p = NULL; 1401 if ((b = sshbuf_new()) == NULL) 1402 return SSH_ERR_ALLOC_FAIL; 1403 if ((r = sshkey_putb(key, b)) != 0) 1404 goto out; 1405 if ((uu = sshbuf_dtob64(b)) == NULL) { 1406 r = SSH_ERR_ALLOC_FAIL; 1407 goto out; 1408 } 1409 /* Success */ 1410 if (b64p != NULL) { 1411 *b64p = uu; 1412 uu = NULL; 1413 } 1414 r = 0; 1415 out: 1416 sshbuf_free(b); 1417 free(uu); 1418 return r; 1419 } 1420 1421 static int 1422 sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b) 1423 { 1424 int r = SSH_ERR_INTERNAL_ERROR; 1425 #ifdef WITH_SSH1 1426 u_int bits = 0; 1427 char *dec_e = NULL, *dec_n = NULL; 1428 1429 if (key->rsa == NULL || key->rsa->e == NULL || 1430 key->rsa->n == NULL) { 1431 r = SSH_ERR_INVALID_ARGUMENT; 1432 goto out; 1433 } 1434 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1435 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1436 r = SSH_ERR_ALLOC_FAIL; 1437 goto out; 1438 } 1439 /* size of modulus 'n' */ 1440 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1441 r = SSH_ERR_INVALID_ARGUMENT; 1442 goto out; 1443 } 1444 if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1445 goto out; 1446 1447 /* Success */ 1448 r = 0; 1449 out: 1450 if (dec_e != NULL) 1451 OPENSSL_free(dec_e); 1452 if (dec_n != NULL) 1453 OPENSSL_free(dec_n); 1454 #endif /* WITH_SSH1 */ 1455 1456 return r; 1457 } 1458 1459 static int 1460 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1461 { 1462 int r = SSH_ERR_INTERNAL_ERROR; 1463 char *uu = NULL; 1464 1465 if (key->type == KEY_RSA1) { 1466 if ((r = sshkey_format_rsa1(key, b)) != 0) 1467 goto out; 1468 } else { 1469 /* Unsupported key types handled in sshkey_to_base64() */ 1470 if ((r = sshkey_to_base64(key, &uu)) != 0) 1471 goto out; 1472 if ((r = sshbuf_putf(b, "%s %s", 1473 sshkey_ssh_name(key), uu)) != 0) 1474 goto out; 1475 } 1476 r = 0; 1477 out: 1478 free(uu); 1479 return r; 1480 } 1481 1482 int 1483 sshkey_write(const struct sshkey *key, FILE *f) 1484 { 1485 struct sshbuf *b = NULL; 1486 int r = SSH_ERR_INTERNAL_ERROR; 1487 1488 if ((b = sshbuf_new()) == NULL) 1489 return SSH_ERR_ALLOC_FAIL; 1490 if ((r = sshkey_format_text(key, b)) != 0) 1491 goto out; 1492 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1493 if (feof(f)) 1494 errno = EPIPE; 1495 r = SSH_ERR_SYSTEM_ERROR; 1496 goto out; 1497 } 1498 /* Success */ 1499 r = 0; 1500 out: 1501 sshbuf_free(b); 1502 return r; 1503 } 1504 1505 const char * 1506 sshkey_cert_type(const struct sshkey *k) 1507 { 1508 switch (k->cert->type) { 1509 case SSH2_CERT_TYPE_USER: 1510 return "user"; 1511 case SSH2_CERT_TYPE_HOST: 1512 return "host"; 1513 default: 1514 return "unknown"; 1515 } 1516 } 1517 1518 #ifdef WITH_OPENSSL 1519 static int 1520 rsa_generate_private_key(u_int bits, RSA **rsap) 1521 { 1522 RSA *private = NULL; 1523 BIGNUM *f4 = NULL; 1524 int ret = SSH_ERR_INTERNAL_ERROR; 1525 1526 if (rsap == NULL || 1527 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1528 bits > SSHBUF_MAX_BIGNUM * 8) 1529 return SSH_ERR_INVALID_ARGUMENT; 1530 *rsap = NULL; 1531 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1532 ret = SSH_ERR_ALLOC_FAIL; 1533 goto out; 1534 } 1535 if (!BN_set_word(f4, RSA_F4) || 1536 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1537 ret = SSH_ERR_LIBCRYPTO_ERROR; 1538 goto out; 1539 } 1540 *rsap = private; 1541 private = NULL; 1542 ret = 0; 1543 out: 1544 if (private != NULL) 1545 RSA_free(private); 1546 if (f4 != NULL) 1547 BN_free(f4); 1548 return ret; 1549 } 1550 1551 static int 1552 dsa_generate_private_key(u_int bits, DSA **dsap) 1553 { 1554 DSA *private; 1555 int ret = SSH_ERR_INTERNAL_ERROR; 1556 1557 if (dsap == NULL || bits != 1024) 1558 return SSH_ERR_INVALID_ARGUMENT; 1559 if ((private = DSA_new()) == NULL) { 1560 ret = SSH_ERR_ALLOC_FAIL; 1561 goto out; 1562 } 1563 *dsap = NULL; 1564 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1565 NULL, NULL) || !DSA_generate_key(private)) { 1566 ret = SSH_ERR_LIBCRYPTO_ERROR; 1567 goto out; 1568 } 1569 *dsap = private; 1570 private = NULL; 1571 ret = 0; 1572 out: 1573 if (private != NULL) 1574 DSA_free(private); 1575 return ret; 1576 } 1577 1578 # ifdef OPENSSL_HAS_ECC 1579 int 1580 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1581 { 1582 EC_GROUP *eg; 1583 int nids[] = { 1584 NID_X9_62_prime256v1, 1585 NID_secp384r1, 1586 # ifdef OPENSSL_HAS_NISTP521 1587 NID_secp521r1, 1588 # endif /* OPENSSL_HAS_NISTP521 */ 1589 -1 1590 }; 1591 int nid; 1592 u_int i; 1593 BN_CTX *bnctx; 1594 const EC_GROUP *g = EC_KEY_get0_group(k); 1595 1596 /* 1597 * The group may be stored in a ASN.1 encoded private key in one of two 1598 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1599 * or explicit group parameters encoded into the key blob. Only the 1600 * "named group" case sets the group NID for us, but we can figure 1601 * it out for the other case by comparing against all the groups that 1602 * are supported. 1603 */ 1604 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1605 return nid; 1606 if ((bnctx = BN_CTX_new()) == NULL) 1607 return -1; 1608 for (i = 0; nids[i] != -1; i++) { 1609 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1610 BN_CTX_free(bnctx); 1611 return -1; 1612 } 1613 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1614 break; 1615 EC_GROUP_free(eg); 1616 } 1617 BN_CTX_free(bnctx); 1618 if (nids[i] != -1) { 1619 /* Use the group with the NID attached */ 1620 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1621 if (EC_KEY_set_group(k, eg) != 1) { 1622 EC_GROUP_free(eg); 1623 return -1; 1624 } 1625 } 1626 return nids[i]; 1627 } 1628 1629 static int 1630 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1631 { 1632 EC_KEY *private; 1633 int ret = SSH_ERR_INTERNAL_ERROR; 1634 1635 if (nid == NULL || ecdsap == NULL || 1636 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1637 return SSH_ERR_INVALID_ARGUMENT; 1638 *ecdsap = NULL; 1639 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1640 ret = SSH_ERR_ALLOC_FAIL; 1641 goto out; 1642 } 1643 if (EC_KEY_generate_key(private) != 1) { 1644 ret = SSH_ERR_LIBCRYPTO_ERROR; 1645 goto out; 1646 } 1647 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1648 *ecdsap = private; 1649 private = NULL; 1650 ret = 0; 1651 out: 1652 if (private != NULL) 1653 EC_KEY_free(private); 1654 return ret; 1655 } 1656 # endif /* OPENSSL_HAS_ECC */ 1657 #endif /* WITH_OPENSSL */ 1658 1659 int 1660 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1661 { 1662 struct sshkey *k; 1663 int ret = SSH_ERR_INTERNAL_ERROR; 1664 1665 if (keyp == NULL) 1666 return SSH_ERR_INVALID_ARGUMENT; 1667 *keyp = NULL; 1668 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1669 return SSH_ERR_ALLOC_FAIL; 1670 switch (type) { 1671 case KEY_ED25519: 1672 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1673 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1674 ret = SSH_ERR_ALLOC_FAIL; 1675 break; 1676 } 1677 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1678 ret = 0; 1679 break; 1680 #ifdef WITH_OPENSSL 1681 case KEY_DSA: 1682 ret = dsa_generate_private_key(bits, &k->dsa); 1683 break; 1684 # ifdef OPENSSL_HAS_ECC 1685 case KEY_ECDSA: 1686 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1687 &k->ecdsa); 1688 break; 1689 # endif /* OPENSSL_HAS_ECC */ 1690 case KEY_RSA: 1691 case KEY_RSA1: 1692 ret = rsa_generate_private_key(bits, &k->rsa); 1693 break; 1694 #endif /* WITH_OPENSSL */ 1695 default: 1696 ret = SSH_ERR_INVALID_ARGUMENT; 1697 } 1698 if (ret == 0) { 1699 k->type = type; 1700 *keyp = k; 1701 } else 1702 sshkey_free(k); 1703 return ret; 1704 } 1705 1706 int 1707 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1708 { 1709 u_int i; 1710 const struct sshkey_cert *from; 1711 struct sshkey_cert *to; 1712 int ret = SSH_ERR_INTERNAL_ERROR; 1713 1714 if (to_key->cert != NULL) { 1715 cert_free(to_key->cert); 1716 to_key->cert = NULL; 1717 } 1718 1719 if ((from = from_key->cert) == NULL) 1720 return SSH_ERR_INVALID_ARGUMENT; 1721 1722 if ((to = to_key->cert = cert_new()) == NULL) 1723 return SSH_ERR_ALLOC_FAIL; 1724 1725 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1726 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1727 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) 1728 return ret; 1729 1730 to->serial = from->serial; 1731 to->type = from->type; 1732 if (from->key_id == NULL) 1733 to->key_id = NULL; 1734 else if ((to->key_id = strdup(from->key_id)) == NULL) 1735 return SSH_ERR_ALLOC_FAIL; 1736 to->valid_after = from->valid_after; 1737 to->valid_before = from->valid_before; 1738 if (from->signature_key == NULL) 1739 to->signature_key = NULL; 1740 else if ((ret = sshkey_from_private(from->signature_key, 1741 &to->signature_key)) != 0) 1742 return ret; 1743 1744 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1745 return SSH_ERR_INVALID_ARGUMENT; 1746 if (from->nprincipals > 0) { 1747 if ((to->principals = calloc(from->nprincipals, 1748 sizeof(*to->principals))) == NULL) 1749 return SSH_ERR_ALLOC_FAIL; 1750 for (i = 0; i < from->nprincipals; i++) { 1751 to->principals[i] = strdup(from->principals[i]); 1752 if (to->principals[i] == NULL) { 1753 to->nprincipals = i; 1754 return SSH_ERR_ALLOC_FAIL; 1755 } 1756 } 1757 } 1758 to->nprincipals = from->nprincipals; 1759 return 0; 1760 } 1761 1762 int 1763 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1764 { 1765 struct sshkey *n = NULL; 1766 int ret = SSH_ERR_INTERNAL_ERROR; 1767 1768 *pkp = NULL; 1769 switch (k->type) { 1770 #ifdef WITH_OPENSSL 1771 case KEY_DSA: 1772 case KEY_DSA_CERT: 1773 if ((n = sshkey_new(k->type)) == NULL) 1774 return SSH_ERR_ALLOC_FAIL; 1775 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1776 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1777 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1778 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1779 sshkey_free(n); 1780 return SSH_ERR_ALLOC_FAIL; 1781 } 1782 break; 1783 # ifdef OPENSSL_HAS_ECC 1784 case KEY_ECDSA: 1785 case KEY_ECDSA_CERT: 1786 if ((n = sshkey_new(k->type)) == NULL) 1787 return SSH_ERR_ALLOC_FAIL; 1788 n->ecdsa_nid = k->ecdsa_nid; 1789 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1790 if (n->ecdsa == NULL) { 1791 sshkey_free(n); 1792 return SSH_ERR_ALLOC_FAIL; 1793 } 1794 if (EC_KEY_set_public_key(n->ecdsa, 1795 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1796 sshkey_free(n); 1797 return SSH_ERR_LIBCRYPTO_ERROR; 1798 } 1799 break; 1800 # endif /* OPENSSL_HAS_ECC */ 1801 case KEY_RSA: 1802 case KEY_RSA1: 1803 case KEY_RSA_CERT: 1804 if ((n = sshkey_new(k->type)) == NULL) 1805 return SSH_ERR_ALLOC_FAIL; 1806 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1807 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1808 sshkey_free(n); 1809 return SSH_ERR_ALLOC_FAIL; 1810 } 1811 break; 1812 #endif /* WITH_OPENSSL */ 1813 case KEY_ED25519: 1814 case KEY_ED25519_CERT: 1815 if ((n = sshkey_new(k->type)) == NULL) 1816 return SSH_ERR_ALLOC_FAIL; 1817 if (k->ed25519_pk != NULL) { 1818 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1819 sshkey_free(n); 1820 return SSH_ERR_ALLOC_FAIL; 1821 } 1822 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1823 } 1824 break; 1825 default: 1826 return SSH_ERR_KEY_TYPE_UNKNOWN; 1827 } 1828 if (sshkey_is_cert(k)) { 1829 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1830 sshkey_free(n); 1831 return ret; 1832 } 1833 } 1834 *pkp = n; 1835 return 0; 1836 } 1837 1838 static int 1839 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1840 { 1841 struct sshbuf *principals = NULL, *crit = NULL; 1842 struct sshbuf *exts = NULL, *ca = NULL; 1843 u_char *sig = NULL; 1844 size_t signed_len = 0, slen = 0, kidlen = 0; 1845 int ret = SSH_ERR_INTERNAL_ERROR; 1846 1847 /* Copy the entire key blob for verification and later serialisation */ 1848 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1849 return ret; 1850 1851 /* Parse body of certificate up to signature */ 1852 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1853 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1854 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1855 (ret = sshbuf_froms(b, &principals)) != 0 || 1856 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1857 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1858 (ret = sshbuf_froms(b, &crit)) != 0 || 1859 (ret = sshbuf_froms(b, &exts)) != 0 || 1860 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1861 (ret = sshbuf_froms(b, &ca)) != 0) { 1862 /* XXX debug print error for ret */ 1863 ret = SSH_ERR_INVALID_FORMAT; 1864 goto out; 1865 } 1866 1867 /* Signature is left in the buffer so we can calculate this length */ 1868 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1869 1870 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1871 ret = SSH_ERR_INVALID_FORMAT; 1872 goto out; 1873 } 1874 1875 if (key->cert->type != SSH2_CERT_TYPE_USER && 1876 key->cert->type != SSH2_CERT_TYPE_HOST) { 1877 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1878 goto out; 1879 } 1880 1881 /* Parse principals section */ 1882 while (sshbuf_len(principals) > 0) { 1883 char *principal = NULL; 1884 char **oprincipals = NULL; 1885 1886 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1887 ret = SSH_ERR_INVALID_FORMAT; 1888 goto out; 1889 } 1890 if ((ret = sshbuf_get_cstring(principals, &principal, 1891 NULL)) != 0) { 1892 ret = SSH_ERR_INVALID_FORMAT; 1893 goto out; 1894 } 1895 oprincipals = key->cert->principals; 1896 key->cert->principals = reallocarray(key->cert->principals, 1897 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1898 if (key->cert->principals == NULL) { 1899 free(principal); 1900 key->cert->principals = oprincipals; 1901 ret = SSH_ERR_ALLOC_FAIL; 1902 goto out; 1903 } 1904 key->cert->principals[key->cert->nprincipals++] = principal; 1905 } 1906 1907 /* 1908 * Stash a copies of the critical options and extensions sections 1909 * for later use. 1910 */ 1911 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1912 (exts != NULL && 1913 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1914 goto out; 1915 1916 /* 1917 * Validate critical options and extensions sections format. 1918 */ 1919 while (sshbuf_len(crit) != 0) { 1920 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1921 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1922 sshbuf_reset(key->cert->critical); 1923 ret = SSH_ERR_INVALID_FORMAT; 1924 goto out; 1925 } 1926 } 1927 while (exts != NULL && sshbuf_len(exts) != 0) { 1928 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1929 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1930 sshbuf_reset(key->cert->extensions); 1931 ret = SSH_ERR_INVALID_FORMAT; 1932 goto out; 1933 } 1934 } 1935 1936 /* Parse CA key and check signature */ 1937 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1938 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1939 goto out; 1940 } 1941 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1942 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1943 goto out; 1944 } 1945 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1946 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1947 goto out; 1948 1949 /* Success */ 1950 ret = 0; 1951 out: 1952 sshbuf_free(ca); 1953 sshbuf_free(crit); 1954 sshbuf_free(exts); 1955 sshbuf_free(principals); 1956 free(sig); 1957 return ret; 1958 } 1959 1960 static int 1961 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1962 int allow_cert) 1963 { 1964 int type, ret = SSH_ERR_INTERNAL_ERROR; 1965 char *ktype = NULL, *curve = NULL; 1966 struct sshkey *key = NULL; 1967 size_t len; 1968 u_char *pk = NULL; 1969 struct sshbuf *copy; 1970 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 1971 EC_POINT *q = NULL; 1972 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 1973 1974 #ifdef DEBUG_PK /* XXX */ 1975 sshbuf_dump(b, stderr); 1976 #endif 1977 if (keyp != NULL) 1978 *keyp = NULL; 1979 if ((copy = sshbuf_fromb(b)) == NULL) { 1980 ret = SSH_ERR_ALLOC_FAIL; 1981 goto out; 1982 } 1983 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1984 ret = SSH_ERR_INVALID_FORMAT; 1985 goto out; 1986 } 1987 1988 type = sshkey_type_from_name(ktype); 1989 if (!allow_cert && sshkey_type_is_cert(type)) { 1990 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1991 goto out; 1992 } 1993 switch (type) { 1994 #ifdef WITH_OPENSSL 1995 case KEY_RSA_CERT: 1996 /* Skip nonce */ 1997 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1998 ret = SSH_ERR_INVALID_FORMAT; 1999 goto out; 2000 } 2001 /* FALLTHROUGH */ 2002 case KEY_RSA: 2003 if ((key = sshkey_new(type)) == NULL) { 2004 ret = SSH_ERR_ALLOC_FAIL; 2005 goto out; 2006 } 2007 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 2008 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 2009 ret = SSH_ERR_INVALID_FORMAT; 2010 goto out; 2011 } 2012 #ifdef DEBUG_PK 2013 RSA_print_fp(stderr, key->rsa, 8); 2014 #endif 2015 break; 2016 case KEY_DSA_CERT: 2017 /* Skip nonce */ 2018 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2019 ret = SSH_ERR_INVALID_FORMAT; 2020 goto out; 2021 } 2022 /* FALLTHROUGH */ 2023 case KEY_DSA: 2024 if ((key = sshkey_new(type)) == NULL) { 2025 ret = SSH_ERR_ALLOC_FAIL; 2026 goto out; 2027 } 2028 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 2029 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 2030 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 2031 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 2032 ret = SSH_ERR_INVALID_FORMAT; 2033 goto out; 2034 } 2035 #ifdef DEBUG_PK 2036 DSA_print_fp(stderr, key->dsa, 8); 2037 #endif 2038 break; 2039 case KEY_ECDSA_CERT: 2040 /* Skip nonce */ 2041 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2042 ret = SSH_ERR_INVALID_FORMAT; 2043 goto out; 2044 } 2045 /* FALLTHROUGH */ 2046 # ifdef OPENSSL_HAS_ECC 2047 case KEY_ECDSA: 2048 if ((key = sshkey_new(type)) == NULL) { 2049 ret = SSH_ERR_ALLOC_FAIL; 2050 goto out; 2051 } 2052 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2053 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2054 ret = SSH_ERR_INVALID_FORMAT; 2055 goto out; 2056 } 2057 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2058 ret = SSH_ERR_EC_CURVE_MISMATCH; 2059 goto out; 2060 } 2061 if (key->ecdsa != NULL) 2062 EC_KEY_free(key->ecdsa); 2063 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2064 == NULL) { 2065 ret = SSH_ERR_EC_CURVE_INVALID; 2066 goto out; 2067 } 2068 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2069 ret = SSH_ERR_ALLOC_FAIL; 2070 goto out; 2071 } 2072 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2073 ret = SSH_ERR_INVALID_FORMAT; 2074 goto out; 2075 } 2076 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2077 q) != 0) { 2078 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2079 goto out; 2080 } 2081 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2082 /* XXX assume it is a allocation error */ 2083 ret = SSH_ERR_ALLOC_FAIL; 2084 goto out; 2085 } 2086 #ifdef DEBUG_PK 2087 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2088 #endif 2089 break; 2090 # endif /* OPENSSL_HAS_ECC */ 2091 #endif /* WITH_OPENSSL */ 2092 case KEY_ED25519_CERT: 2093 /* Skip nonce */ 2094 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2095 ret = SSH_ERR_INVALID_FORMAT; 2096 goto out; 2097 } 2098 /* FALLTHROUGH */ 2099 case KEY_ED25519: 2100 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2101 goto out; 2102 if (len != ED25519_PK_SZ) { 2103 ret = SSH_ERR_INVALID_FORMAT; 2104 goto out; 2105 } 2106 if ((key = sshkey_new(type)) == NULL) { 2107 ret = SSH_ERR_ALLOC_FAIL; 2108 goto out; 2109 } 2110 key->ed25519_pk = pk; 2111 pk = NULL; 2112 break; 2113 case KEY_UNSPEC: 2114 if ((key = sshkey_new(type)) == NULL) { 2115 ret = SSH_ERR_ALLOC_FAIL; 2116 goto out; 2117 } 2118 break; 2119 default: 2120 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2121 goto out; 2122 } 2123 2124 /* Parse certificate potion */ 2125 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2126 goto out; 2127 2128 if (key != NULL && sshbuf_len(b) != 0) { 2129 ret = SSH_ERR_INVALID_FORMAT; 2130 goto out; 2131 } 2132 ret = 0; 2133 if (keyp != NULL) { 2134 *keyp = key; 2135 key = NULL; 2136 } 2137 out: 2138 sshbuf_free(copy); 2139 sshkey_free(key); 2140 free(ktype); 2141 free(curve); 2142 free(pk); 2143 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 2144 if (q != NULL) 2145 EC_POINT_free(q); 2146 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 2147 return ret; 2148 } 2149 2150 int 2151 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2152 { 2153 struct sshbuf *b; 2154 int r; 2155 2156 if ((b = sshbuf_from(blob, blen)) == NULL) 2157 return SSH_ERR_ALLOC_FAIL; 2158 r = sshkey_from_blob_internal(b, keyp, 1); 2159 sshbuf_free(b); 2160 return r; 2161 } 2162 2163 int 2164 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2165 { 2166 return sshkey_from_blob_internal(b, keyp, 1); 2167 } 2168 2169 int 2170 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2171 { 2172 struct sshbuf *b; 2173 int r; 2174 2175 if ((r = sshbuf_froms(buf, &b)) != 0) 2176 return r; 2177 r = sshkey_from_blob_internal(b, keyp, 1); 2178 sshbuf_free(b); 2179 return r; 2180 } 2181 2182 int 2183 sshkey_sign(const struct sshkey *key, 2184 u_char **sigp, size_t *lenp, 2185 const u_char *data, size_t datalen, const char *alg, u_int compat) 2186 { 2187 if (sigp != NULL) 2188 *sigp = NULL; 2189 if (lenp != NULL) 2190 *lenp = 0; 2191 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2192 return SSH_ERR_INVALID_ARGUMENT; 2193 switch (key->type) { 2194 #ifdef WITH_OPENSSL 2195 case KEY_DSA_CERT: 2196 case KEY_DSA: 2197 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2198 # ifdef OPENSSL_HAS_ECC 2199 case KEY_ECDSA_CERT: 2200 case KEY_ECDSA: 2201 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2202 # endif /* OPENSSL_HAS_ECC */ 2203 case KEY_RSA_CERT: 2204 case KEY_RSA: 2205 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2206 #endif /* WITH_OPENSSL */ 2207 case KEY_ED25519: 2208 case KEY_ED25519_CERT: 2209 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2210 default: 2211 return SSH_ERR_KEY_TYPE_UNKNOWN; 2212 } 2213 } 2214 2215 /* 2216 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2217 */ 2218 int 2219 sshkey_verify(const struct sshkey *key, 2220 const u_char *sig, size_t siglen, 2221 const u_char *data, size_t dlen, u_int compat) 2222 { 2223 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2224 return SSH_ERR_INVALID_ARGUMENT; 2225 switch (key->type) { 2226 #ifdef WITH_OPENSSL 2227 case KEY_DSA_CERT: 2228 case KEY_DSA: 2229 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2230 # ifdef OPENSSL_HAS_ECC 2231 case KEY_ECDSA_CERT: 2232 case KEY_ECDSA: 2233 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2234 # endif /* OPENSSL_HAS_ECC */ 2235 case KEY_RSA_CERT: 2236 case KEY_RSA: 2237 return ssh_rsa_verify(key, sig, siglen, data, dlen); 2238 #endif /* WITH_OPENSSL */ 2239 case KEY_ED25519: 2240 case KEY_ED25519_CERT: 2241 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2242 default: 2243 return SSH_ERR_KEY_TYPE_UNKNOWN; 2244 } 2245 } 2246 2247 /* Converts a private to a public key */ 2248 int 2249 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2250 { 2251 struct sshkey *pk; 2252 int ret = SSH_ERR_INTERNAL_ERROR; 2253 2254 *dkp = NULL; 2255 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2256 return SSH_ERR_ALLOC_FAIL; 2257 pk->type = k->type; 2258 pk->flags = k->flags; 2259 pk->ecdsa_nid = k->ecdsa_nid; 2260 pk->dsa = NULL; 2261 pk->ecdsa = NULL; 2262 pk->rsa = NULL; 2263 pk->ed25519_pk = NULL; 2264 pk->ed25519_sk = NULL; 2265 2266 switch (k->type) { 2267 #ifdef WITH_OPENSSL 2268 case KEY_RSA_CERT: 2269 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2270 goto fail; 2271 /* FALLTHROUGH */ 2272 case KEY_RSA1: 2273 case KEY_RSA: 2274 if ((pk->rsa = RSA_new()) == NULL || 2275 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2276 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2277 ret = SSH_ERR_ALLOC_FAIL; 2278 goto fail; 2279 } 2280 break; 2281 case KEY_DSA_CERT: 2282 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2283 goto fail; 2284 /* FALLTHROUGH */ 2285 case KEY_DSA: 2286 if ((pk->dsa = DSA_new()) == NULL || 2287 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2288 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2289 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2290 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2291 ret = SSH_ERR_ALLOC_FAIL; 2292 goto fail; 2293 } 2294 break; 2295 case KEY_ECDSA_CERT: 2296 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2297 goto fail; 2298 /* FALLTHROUGH */ 2299 # ifdef OPENSSL_HAS_ECC 2300 case KEY_ECDSA: 2301 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2302 if (pk->ecdsa == NULL) { 2303 ret = SSH_ERR_ALLOC_FAIL; 2304 goto fail; 2305 } 2306 if (EC_KEY_set_public_key(pk->ecdsa, 2307 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2308 ret = SSH_ERR_LIBCRYPTO_ERROR; 2309 goto fail; 2310 } 2311 break; 2312 # endif /* OPENSSL_HAS_ECC */ 2313 #endif /* WITH_OPENSSL */ 2314 case KEY_ED25519_CERT: 2315 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2316 goto fail; 2317 /* FALLTHROUGH */ 2318 case KEY_ED25519: 2319 if (k->ed25519_pk != NULL) { 2320 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2321 ret = SSH_ERR_ALLOC_FAIL; 2322 goto fail; 2323 } 2324 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2325 } 2326 break; 2327 default: 2328 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2329 fail: 2330 sshkey_free(pk); 2331 return ret; 2332 } 2333 *dkp = pk; 2334 return 0; 2335 } 2336 2337 /* Convert a plain key to their _CERT equivalent */ 2338 int 2339 sshkey_to_certified(struct sshkey *k) 2340 { 2341 int newtype; 2342 2343 switch (k->type) { 2344 #ifdef WITH_OPENSSL 2345 case KEY_RSA: 2346 newtype = KEY_RSA_CERT; 2347 break; 2348 case KEY_DSA: 2349 newtype = KEY_DSA_CERT; 2350 break; 2351 case KEY_ECDSA: 2352 newtype = KEY_ECDSA_CERT; 2353 break; 2354 #endif /* WITH_OPENSSL */ 2355 case KEY_ED25519: 2356 newtype = KEY_ED25519_CERT; 2357 break; 2358 default: 2359 return SSH_ERR_INVALID_ARGUMENT; 2360 } 2361 if ((k->cert = cert_new()) == NULL) 2362 return SSH_ERR_ALLOC_FAIL; 2363 k->type = newtype; 2364 return 0; 2365 } 2366 2367 /* Convert a certificate to its raw key equivalent */ 2368 int 2369 sshkey_drop_cert(struct sshkey *k) 2370 { 2371 if (!sshkey_type_is_cert(k->type)) 2372 return SSH_ERR_KEY_TYPE_UNKNOWN; 2373 cert_free(k->cert); 2374 k->cert = NULL; 2375 k->type = sshkey_type_plain(k->type); 2376 return 0; 2377 } 2378 2379 /* Sign a certified key, (re-)generating the signed certblob. */ 2380 int 2381 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2382 { 2383 struct sshbuf *principals = NULL; 2384 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2385 size_t i, ca_len, sig_len; 2386 int ret = SSH_ERR_INTERNAL_ERROR; 2387 struct sshbuf *cert; 2388 2389 if (k == NULL || k->cert == NULL || 2390 k->cert->certblob == NULL || ca == NULL) 2391 return SSH_ERR_INVALID_ARGUMENT; 2392 if (!sshkey_is_cert(k)) 2393 return SSH_ERR_KEY_TYPE_UNKNOWN; 2394 if (!sshkey_type_is_valid_ca(ca->type)) 2395 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2396 2397 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2398 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2399 2400 cert = k->cert->certblob; /* for readability */ 2401 sshbuf_reset(cert); 2402 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2403 goto out; 2404 2405 /* -v01 certs put nonce first */ 2406 arc4random_buf(&nonce, sizeof(nonce)); 2407 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2408 goto out; 2409 2410 /* XXX this substantially duplicates to_blob(); refactor */ 2411 switch (k->type) { 2412 #ifdef WITH_OPENSSL 2413 case KEY_DSA_CERT: 2414 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2415 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2416 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2417 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2418 goto out; 2419 break; 2420 # ifdef OPENSSL_HAS_ECC 2421 case KEY_ECDSA_CERT: 2422 if ((ret = sshbuf_put_cstring(cert, 2423 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2424 (ret = sshbuf_put_ec(cert, 2425 EC_KEY_get0_public_key(k->ecdsa), 2426 EC_KEY_get0_group(k->ecdsa))) != 0) 2427 goto out; 2428 break; 2429 # endif /* OPENSSL_HAS_ECC */ 2430 case KEY_RSA_CERT: 2431 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2432 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2433 goto out; 2434 break; 2435 #endif /* WITH_OPENSSL */ 2436 case KEY_ED25519_CERT: 2437 if ((ret = sshbuf_put_string(cert, 2438 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2439 goto out; 2440 break; 2441 default: 2442 ret = SSH_ERR_INVALID_ARGUMENT; 2443 goto out; 2444 } 2445 2446 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2447 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2448 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2449 goto out; 2450 2451 if ((principals = sshbuf_new()) == NULL) { 2452 ret = SSH_ERR_ALLOC_FAIL; 2453 goto out; 2454 } 2455 for (i = 0; i < k->cert->nprincipals; i++) { 2456 if ((ret = sshbuf_put_cstring(principals, 2457 k->cert->principals[i])) != 0) 2458 goto out; 2459 } 2460 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2461 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2462 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2463 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2464 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2465 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2466 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2467 goto out; 2468 2469 /* Sign the whole mess */ 2470 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2471 sshbuf_len(cert), alg, 0)) != 0) 2472 goto out; 2473 2474 /* Append signature and we are done */ 2475 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2476 goto out; 2477 ret = 0; 2478 out: 2479 if (ret != 0) 2480 sshbuf_reset(cert); 2481 free(sig_blob); 2482 free(ca_blob); 2483 sshbuf_free(principals); 2484 return ret; 2485 } 2486 2487 int 2488 sshkey_cert_check_authority(const struct sshkey *k, 2489 int want_host, int require_principal, 2490 const char *name, const char **reason) 2491 { 2492 u_int i, principal_matches; 2493 time_t now = time(NULL); 2494 2495 if (reason != NULL) 2496 *reason = NULL; 2497 2498 if (want_host) { 2499 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2500 *reason = "Certificate invalid: not a host certificate"; 2501 return SSH_ERR_KEY_CERT_INVALID; 2502 } 2503 } else { 2504 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2505 *reason = "Certificate invalid: not a user certificate"; 2506 return SSH_ERR_KEY_CERT_INVALID; 2507 } 2508 } 2509 if (now < 0) { 2510 /* yikes - system clock before epoch! */ 2511 *reason = "Certificate invalid: not yet valid"; 2512 return SSH_ERR_KEY_CERT_INVALID; 2513 } 2514 if ((u_int64_t)now < k->cert->valid_after) { 2515 *reason = "Certificate invalid: not yet valid"; 2516 return SSH_ERR_KEY_CERT_INVALID; 2517 } 2518 if ((u_int64_t)now >= k->cert->valid_before) { 2519 *reason = "Certificate invalid: expired"; 2520 return SSH_ERR_KEY_CERT_INVALID; 2521 } 2522 if (k->cert->nprincipals == 0) { 2523 if (require_principal) { 2524 *reason = "Certificate lacks principal list"; 2525 return SSH_ERR_KEY_CERT_INVALID; 2526 } 2527 } else if (name != NULL) { 2528 principal_matches = 0; 2529 for (i = 0; i < k->cert->nprincipals; i++) { 2530 if (strcmp(name, k->cert->principals[i]) == 0) { 2531 principal_matches = 1; 2532 break; 2533 } 2534 } 2535 if (!principal_matches) { 2536 *reason = "Certificate invalid: name is not a listed " 2537 "principal"; 2538 return SSH_ERR_KEY_CERT_INVALID; 2539 } 2540 } 2541 return 0; 2542 } 2543 2544 size_t 2545 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2546 { 2547 char from[32], to[32], ret[64]; 2548 time_t tt; 2549 struct tm *tm; 2550 2551 *from = *to = '\0'; 2552 if (cert->valid_after == 0 && 2553 cert->valid_before == 0xffffffffffffffffULL) 2554 return strlcpy(s, "forever", l); 2555 2556 if (cert->valid_after != 0) { 2557 /* XXX revisit INT_MAX in 2038 :) */ 2558 tt = cert->valid_after > INT_MAX ? 2559 INT_MAX : cert->valid_after; 2560 tm = localtime(&tt); 2561 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2562 } 2563 if (cert->valid_before != 0xffffffffffffffffULL) { 2564 /* XXX revisit INT_MAX in 2038 :) */ 2565 tt = cert->valid_before > INT_MAX ? 2566 INT_MAX : cert->valid_before; 2567 tm = localtime(&tt); 2568 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2569 } 2570 2571 if (cert->valid_after == 0) 2572 snprintf(ret, sizeof(ret), "before %s", to); 2573 else if (cert->valid_before == 0xffffffffffffffffULL) 2574 snprintf(ret, sizeof(ret), "after %s", from); 2575 else 2576 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2577 2578 return strlcpy(s, ret, l); 2579 } 2580 2581 int 2582 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2583 { 2584 int r = SSH_ERR_INTERNAL_ERROR; 2585 2586 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2587 goto out; 2588 switch (key->type) { 2589 #ifdef WITH_OPENSSL 2590 case KEY_RSA: 2591 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2592 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2593 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2594 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2595 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2596 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2597 goto out; 2598 break; 2599 case KEY_RSA_CERT: 2600 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2601 r = SSH_ERR_INVALID_ARGUMENT; 2602 goto out; 2603 } 2604 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2605 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2606 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2607 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2608 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2609 goto out; 2610 break; 2611 case KEY_DSA: 2612 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2613 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2614 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2615 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2616 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2617 goto out; 2618 break; 2619 case KEY_DSA_CERT: 2620 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2621 r = SSH_ERR_INVALID_ARGUMENT; 2622 goto out; 2623 } 2624 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2625 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2626 goto out; 2627 break; 2628 # ifdef OPENSSL_HAS_ECC 2629 case KEY_ECDSA: 2630 if ((r = sshbuf_put_cstring(b, 2631 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2632 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2633 (r = sshbuf_put_bignum2(b, 2634 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2635 goto out; 2636 break; 2637 case KEY_ECDSA_CERT: 2638 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2639 r = SSH_ERR_INVALID_ARGUMENT; 2640 goto out; 2641 } 2642 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2643 (r = sshbuf_put_bignum2(b, 2644 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2645 goto out; 2646 break; 2647 # endif /* OPENSSL_HAS_ECC */ 2648 #endif /* WITH_OPENSSL */ 2649 case KEY_ED25519: 2650 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2651 ED25519_PK_SZ)) != 0 || 2652 (r = sshbuf_put_string(b, key->ed25519_sk, 2653 ED25519_SK_SZ)) != 0) 2654 goto out; 2655 break; 2656 case KEY_ED25519_CERT: 2657 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2658 r = SSH_ERR_INVALID_ARGUMENT; 2659 goto out; 2660 } 2661 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2662 (r = sshbuf_put_string(b, key->ed25519_pk, 2663 ED25519_PK_SZ)) != 0 || 2664 (r = sshbuf_put_string(b, key->ed25519_sk, 2665 ED25519_SK_SZ)) != 0) 2666 goto out; 2667 break; 2668 default: 2669 r = SSH_ERR_INVALID_ARGUMENT; 2670 goto out; 2671 } 2672 /* success */ 2673 r = 0; 2674 out: 2675 return r; 2676 } 2677 2678 int 2679 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2680 { 2681 char *tname = NULL, *curve = NULL; 2682 struct sshkey *k = NULL; 2683 size_t pklen = 0, sklen = 0; 2684 int type, r = SSH_ERR_INTERNAL_ERROR; 2685 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2686 #ifdef WITH_OPENSSL 2687 BIGNUM *exponent = NULL; 2688 #endif /* WITH_OPENSSL */ 2689 2690 if (kp != NULL) 2691 *kp = NULL; 2692 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2693 goto out; 2694 type = sshkey_type_from_name(tname); 2695 switch (type) { 2696 #ifdef WITH_OPENSSL 2697 case KEY_DSA: 2698 if ((k = sshkey_new_private(type)) == NULL) { 2699 r = SSH_ERR_ALLOC_FAIL; 2700 goto out; 2701 } 2702 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2703 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2704 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2705 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2706 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2707 goto out; 2708 break; 2709 case KEY_DSA_CERT: 2710 if ((r = sshkey_froms(buf, &k)) != 0 || 2711 (r = sshkey_add_private(k)) != 0 || 2712 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2713 goto out; 2714 break; 2715 # ifdef OPENSSL_HAS_ECC 2716 case KEY_ECDSA: 2717 if ((k = sshkey_new_private(type)) == NULL) { 2718 r = SSH_ERR_ALLOC_FAIL; 2719 goto out; 2720 } 2721 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2722 r = SSH_ERR_INVALID_ARGUMENT; 2723 goto out; 2724 } 2725 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2726 goto out; 2727 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2728 r = SSH_ERR_EC_CURVE_MISMATCH; 2729 goto out; 2730 } 2731 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2732 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2733 r = SSH_ERR_LIBCRYPTO_ERROR; 2734 goto out; 2735 } 2736 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2737 (r = sshbuf_get_bignum2(buf, exponent))) 2738 goto out; 2739 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2740 r = SSH_ERR_LIBCRYPTO_ERROR; 2741 goto out; 2742 } 2743 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2744 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2745 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2746 goto out; 2747 break; 2748 case KEY_ECDSA_CERT: 2749 if ((exponent = BN_new()) == NULL) { 2750 r = SSH_ERR_LIBCRYPTO_ERROR; 2751 goto out; 2752 } 2753 if ((r = sshkey_froms(buf, &k)) != 0 || 2754 (r = sshkey_add_private(k)) != 0 || 2755 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2756 goto out; 2757 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2758 r = SSH_ERR_LIBCRYPTO_ERROR; 2759 goto out; 2760 } 2761 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2762 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2763 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2764 goto out; 2765 break; 2766 # endif /* OPENSSL_HAS_ECC */ 2767 case KEY_RSA: 2768 if ((k = sshkey_new_private(type)) == NULL) { 2769 r = SSH_ERR_ALLOC_FAIL; 2770 goto out; 2771 } 2772 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2773 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2774 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2775 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2776 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2777 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2778 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2779 goto out; 2780 break; 2781 case KEY_RSA_CERT: 2782 if ((r = sshkey_froms(buf, &k)) != 0 || 2783 (r = sshkey_add_private(k)) != 0 || 2784 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2785 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2786 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2787 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2788 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2789 goto out; 2790 break; 2791 #endif /* WITH_OPENSSL */ 2792 case KEY_ED25519: 2793 if ((k = sshkey_new_private(type)) == NULL) { 2794 r = SSH_ERR_ALLOC_FAIL; 2795 goto out; 2796 } 2797 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2798 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2799 goto out; 2800 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2801 r = SSH_ERR_INVALID_FORMAT; 2802 goto out; 2803 } 2804 k->ed25519_pk = ed25519_pk; 2805 k->ed25519_sk = ed25519_sk; 2806 ed25519_pk = ed25519_sk = NULL; 2807 break; 2808 case KEY_ED25519_CERT: 2809 if ((r = sshkey_froms(buf, &k)) != 0 || 2810 (r = sshkey_add_private(k)) != 0 || 2811 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2812 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2813 goto out; 2814 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2815 r = SSH_ERR_INVALID_FORMAT; 2816 goto out; 2817 } 2818 k->ed25519_pk = ed25519_pk; 2819 k->ed25519_sk = ed25519_sk; 2820 ed25519_pk = ed25519_sk = NULL; 2821 break; 2822 default: 2823 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2824 goto out; 2825 } 2826 #ifdef WITH_OPENSSL 2827 /* enable blinding */ 2828 switch (k->type) { 2829 case KEY_RSA: 2830 case KEY_RSA_CERT: 2831 case KEY_RSA1: 2832 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2833 r = SSH_ERR_LIBCRYPTO_ERROR; 2834 goto out; 2835 } 2836 break; 2837 } 2838 #endif /* WITH_OPENSSL */ 2839 /* success */ 2840 r = 0; 2841 if (kp != NULL) { 2842 *kp = k; 2843 k = NULL; 2844 } 2845 out: 2846 free(tname); 2847 free(curve); 2848 #ifdef WITH_OPENSSL 2849 if (exponent != NULL) 2850 BN_clear_free(exponent); 2851 #endif /* WITH_OPENSSL */ 2852 sshkey_free(k); 2853 if (ed25519_pk != NULL) { 2854 explicit_bzero(ed25519_pk, pklen); 2855 free(ed25519_pk); 2856 } 2857 if (ed25519_sk != NULL) { 2858 explicit_bzero(ed25519_sk, sklen); 2859 free(ed25519_sk); 2860 } 2861 return r; 2862 } 2863 2864 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 2865 int 2866 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2867 { 2868 BN_CTX *bnctx; 2869 EC_POINT *nq = NULL; 2870 BIGNUM *order, *x, *y, *tmp; 2871 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2872 2873 /* 2874 * NB. This assumes OpenSSL has already verified that the public 2875 * point lies on the curve. This is done by EC_POINT_oct2point() 2876 * implicitly calling EC_POINT_is_on_curve(). If this code is ever 2877 * reachable with public points not unmarshalled using 2878 * EC_POINT_oct2point then the caller will need to explicitly check. 2879 */ 2880 2881 if ((bnctx = BN_CTX_new()) == NULL) 2882 return SSH_ERR_ALLOC_FAIL; 2883 BN_CTX_start(bnctx); 2884 2885 /* 2886 * We shouldn't ever hit this case because bignum_get_ecpoint() 2887 * refuses to load GF2m points. 2888 */ 2889 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2890 NID_X9_62_prime_field) 2891 goto out; 2892 2893 /* Q != infinity */ 2894 if (EC_POINT_is_at_infinity(group, public)) 2895 goto out; 2896 2897 if ((x = BN_CTX_get(bnctx)) == NULL || 2898 (y = BN_CTX_get(bnctx)) == NULL || 2899 (order = BN_CTX_get(bnctx)) == NULL || 2900 (tmp = BN_CTX_get(bnctx)) == NULL) { 2901 ret = SSH_ERR_ALLOC_FAIL; 2902 goto out; 2903 } 2904 2905 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2906 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2907 EC_POINT_get_affine_coordinates_GFp(group, public, 2908 x, y, bnctx) != 1) { 2909 ret = SSH_ERR_LIBCRYPTO_ERROR; 2910 goto out; 2911 } 2912 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2913 BN_num_bits(y) <= BN_num_bits(order) / 2) 2914 goto out; 2915 2916 /* nQ == infinity (n == order of subgroup) */ 2917 if ((nq = EC_POINT_new(group)) == NULL) { 2918 ret = SSH_ERR_ALLOC_FAIL; 2919 goto out; 2920 } 2921 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2922 ret = SSH_ERR_LIBCRYPTO_ERROR; 2923 goto out; 2924 } 2925 if (EC_POINT_is_at_infinity(group, nq) != 1) 2926 goto out; 2927 2928 /* x < order - 1, y < order - 1 */ 2929 if (!BN_sub(tmp, order, BN_value_one())) { 2930 ret = SSH_ERR_LIBCRYPTO_ERROR; 2931 goto out; 2932 } 2933 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2934 goto out; 2935 ret = 0; 2936 out: 2937 BN_CTX_free(bnctx); 2938 if (nq != NULL) 2939 EC_POINT_free(nq); 2940 return ret; 2941 } 2942 2943 int 2944 sshkey_ec_validate_private(const EC_KEY *key) 2945 { 2946 BN_CTX *bnctx; 2947 BIGNUM *order, *tmp; 2948 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2949 2950 if ((bnctx = BN_CTX_new()) == NULL) 2951 return SSH_ERR_ALLOC_FAIL; 2952 BN_CTX_start(bnctx); 2953 2954 if ((order = BN_CTX_get(bnctx)) == NULL || 2955 (tmp = BN_CTX_get(bnctx)) == NULL) { 2956 ret = SSH_ERR_ALLOC_FAIL; 2957 goto out; 2958 } 2959 2960 /* log2(private) > log2(order)/2 */ 2961 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2962 ret = SSH_ERR_LIBCRYPTO_ERROR; 2963 goto out; 2964 } 2965 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2966 BN_num_bits(order) / 2) 2967 goto out; 2968 2969 /* private < order - 1 */ 2970 if (!BN_sub(tmp, order, BN_value_one())) { 2971 ret = SSH_ERR_LIBCRYPTO_ERROR; 2972 goto out; 2973 } 2974 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2975 goto out; 2976 ret = 0; 2977 out: 2978 BN_CTX_free(bnctx); 2979 return ret; 2980 } 2981 2982 void 2983 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2984 { 2985 BIGNUM *x, *y; 2986 BN_CTX *bnctx; 2987 2988 if (point == NULL) { 2989 fputs("point=(NULL)\n", stderr); 2990 return; 2991 } 2992 if ((bnctx = BN_CTX_new()) == NULL) { 2993 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2994 return; 2995 } 2996 BN_CTX_start(bnctx); 2997 if ((x = BN_CTX_get(bnctx)) == NULL || 2998 (y = BN_CTX_get(bnctx)) == NULL) { 2999 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 3000 return; 3001 } 3002 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 3003 NID_X9_62_prime_field) { 3004 fprintf(stderr, "%s: group is not a prime field\n", __func__); 3005 return; 3006 } 3007 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 3008 bnctx) != 1) { 3009 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 3010 __func__); 3011 return; 3012 } 3013 fputs("x=", stderr); 3014 BN_print_fp(stderr, x); 3015 fputs("\ny=", stderr); 3016 BN_print_fp(stderr, y); 3017 fputs("\n", stderr); 3018 BN_CTX_free(bnctx); 3019 } 3020 3021 void 3022 sshkey_dump_ec_key(const EC_KEY *key) 3023 { 3024 const BIGNUM *exponent; 3025 3026 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3027 EC_KEY_get0_public_key(key)); 3028 fputs("exponent=", stderr); 3029 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3030 fputs("(NULL)", stderr); 3031 else 3032 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3033 fputs("\n", stderr); 3034 } 3035 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 3036 3037 static int 3038 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 3039 const char *passphrase, const char *comment, const char *ciphername, 3040 int rounds) 3041 { 3042 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3043 u_char salt[SALT_LEN]; 3044 char *b64 = NULL; 3045 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3046 u_int check; 3047 int r = SSH_ERR_INTERNAL_ERROR; 3048 struct sshcipher_ctx *ciphercontext = NULL; 3049 const struct sshcipher *cipher; 3050 const char *kdfname = KDFNAME; 3051 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3052 3053 if (rounds <= 0) 3054 rounds = DEFAULT_ROUNDS; 3055 if (passphrase == NULL || !strlen(passphrase)) { 3056 ciphername = "none"; 3057 kdfname = "none"; 3058 } else if (ciphername == NULL) 3059 ciphername = DEFAULT_CIPHERNAME; 3060 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 3061 r = SSH_ERR_INVALID_ARGUMENT; 3062 goto out; 3063 } 3064 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3065 r = SSH_ERR_INTERNAL_ERROR; 3066 goto out; 3067 } 3068 3069 if ((kdf = sshbuf_new()) == NULL || 3070 (encoded = sshbuf_new()) == NULL || 3071 (encrypted = sshbuf_new()) == NULL) { 3072 r = SSH_ERR_ALLOC_FAIL; 3073 goto out; 3074 } 3075 blocksize = cipher_blocksize(cipher); 3076 keylen = cipher_keylen(cipher); 3077 ivlen = cipher_ivlen(cipher); 3078 authlen = cipher_authlen(cipher); 3079 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3080 r = SSH_ERR_ALLOC_FAIL; 3081 goto out; 3082 } 3083 if (strcmp(kdfname, "bcrypt") == 0) { 3084 arc4random_buf(salt, SALT_LEN); 3085 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3086 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3087 r = SSH_ERR_INVALID_ARGUMENT; 3088 goto out; 3089 } 3090 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3091 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3092 goto out; 3093 } else if (strcmp(kdfname, "none") != 0) { 3094 /* Unsupported KDF type */ 3095 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3096 goto out; 3097 } 3098 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3099 key + keylen, ivlen, 1)) != 0) 3100 goto out; 3101 3102 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3103 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3104 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3105 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3106 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3107 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3108 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3109 goto out; 3110 3111 /* set up the buffer that will be encrypted */ 3112 3113 /* Random check bytes */ 3114 check = arc4random(); 3115 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3116 (r = sshbuf_put_u32(encrypted, check)) != 0) 3117 goto out; 3118 3119 /* append private key and comment*/ 3120 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 3121 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3122 goto out; 3123 3124 /* padding */ 3125 i = 0; 3126 while (sshbuf_len(encrypted) % blocksize) { 3127 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3128 goto out; 3129 } 3130 3131 /* length in destination buffer */ 3132 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3133 goto out; 3134 3135 /* encrypt */ 3136 if ((r = sshbuf_reserve(encoded, 3137 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3138 goto out; 3139 if ((r = cipher_crypt(ciphercontext, 0, cp, 3140 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3141 goto out; 3142 3143 /* uuencode */ 3144 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3145 r = SSH_ERR_ALLOC_FAIL; 3146 goto out; 3147 } 3148 3149 sshbuf_reset(blob); 3150 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3151 goto out; 3152 for (i = 0; i < strlen(b64); i++) { 3153 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3154 goto out; 3155 /* insert line breaks */ 3156 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3157 goto out; 3158 } 3159 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3160 goto out; 3161 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3162 goto out; 3163 3164 /* success */ 3165 r = 0; 3166 3167 out: 3168 sshbuf_free(kdf); 3169 sshbuf_free(encoded); 3170 sshbuf_free(encrypted); 3171 cipher_free(ciphercontext); 3172 explicit_bzero(salt, sizeof(salt)); 3173 if (key != NULL) { 3174 explicit_bzero(key, keylen + ivlen); 3175 free(key); 3176 } 3177 if (pubkeyblob != NULL) { 3178 explicit_bzero(pubkeyblob, pubkeylen); 3179 free(pubkeyblob); 3180 } 3181 if (b64 != NULL) { 3182 explicit_bzero(b64, strlen(b64)); 3183 free(b64); 3184 } 3185 return r; 3186 } 3187 3188 static int 3189 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3190 struct sshkey **keyp, char **commentp) 3191 { 3192 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3193 const struct sshcipher *cipher = NULL; 3194 const u_char *cp; 3195 int r = SSH_ERR_INTERNAL_ERROR; 3196 size_t encoded_len; 3197 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3198 struct sshbuf *encoded = NULL, *decoded = NULL; 3199 struct sshbuf *kdf = NULL, *decrypted = NULL; 3200 struct sshcipher_ctx *ciphercontext = NULL; 3201 struct sshkey *k = NULL; 3202 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3203 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3204 3205 if (keyp != NULL) 3206 *keyp = NULL; 3207 if (commentp != NULL) 3208 *commentp = NULL; 3209 3210 if ((encoded = sshbuf_new()) == NULL || 3211 (decoded = sshbuf_new()) == NULL || 3212 (decrypted = sshbuf_new()) == NULL) { 3213 r = SSH_ERR_ALLOC_FAIL; 3214 goto out; 3215 } 3216 3217 /* check preamble */ 3218 cp = sshbuf_ptr(blob); 3219 encoded_len = sshbuf_len(blob); 3220 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3221 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3222 r = SSH_ERR_INVALID_FORMAT; 3223 goto out; 3224 } 3225 cp += MARK_BEGIN_LEN; 3226 encoded_len -= MARK_BEGIN_LEN; 3227 3228 /* Look for end marker, removing whitespace as we go */ 3229 while (encoded_len > 0) { 3230 if (*cp != '\n' && *cp != '\r') { 3231 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3232 goto out; 3233 } 3234 last = *cp; 3235 encoded_len--; 3236 cp++; 3237 if (last == '\n') { 3238 if (encoded_len >= MARK_END_LEN && 3239 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3240 /* \0 terminate */ 3241 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3242 goto out; 3243 break; 3244 } 3245 } 3246 } 3247 if (encoded_len == 0) { 3248 r = SSH_ERR_INVALID_FORMAT; 3249 goto out; 3250 } 3251 3252 /* decode base64 */ 3253 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3254 goto out; 3255 3256 /* check magic */ 3257 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3258 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3259 r = SSH_ERR_INVALID_FORMAT; 3260 goto out; 3261 } 3262 /* parse public portion of key */ 3263 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3264 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3265 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3266 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3267 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3268 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3269 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3270 goto out; 3271 3272 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3273 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3274 goto out; 3275 } 3276 if ((passphrase == NULL || strlen(passphrase) == 0) && 3277 strcmp(ciphername, "none") != 0) { 3278 /* passphrase required */ 3279 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3280 goto out; 3281 } 3282 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3283 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3284 goto out; 3285 } 3286 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3287 r = SSH_ERR_INVALID_FORMAT; 3288 goto out; 3289 } 3290 if (nkeys != 1) { 3291 /* XXX only one key supported */ 3292 r = SSH_ERR_INVALID_FORMAT; 3293 goto out; 3294 } 3295 3296 /* check size of encrypted key blob */ 3297 blocksize = cipher_blocksize(cipher); 3298 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3299 r = SSH_ERR_INVALID_FORMAT; 3300 goto out; 3301 } 3302 3303 /* setup key */ 3304 keylen = cipher_keylen(cipher); 3305 ivlen = cipher_ivlen(cipher); 3306 authlen = cipher_authlen(cipher); 3307 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3308 r = SSH_ERR_ALLOC_FAIL; 3309 goto out; 3310 } 3311 if (strcmp(kdfname, "bcrypt") == 0) { 3312 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3313 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3314 goto out; 3315 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3316 key, keylen + ivlen, rounds) < 0) { 3317 r = SSH_ERR_INVALID_FORMAT; 3318 goto out; 3319 } 3320 } 3321 3322 /* check that an appropriate amount of auth data is present */ 3323 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3324 r = SSH_ERR_INVALID_FORMAT; 3325 goto out; 3326 } 3327 3328 /* decrypt private portion of key */ 3329 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3330 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3331 key + keylen, ivlen, 0)) != 0) 3332 goto out; 3333 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3334 encrypted_len, 0, authlen)) != 0) { 3335 /* an integrity error here indicates an incorrect passphrase */ 3336 if (r == SSH_ERR_MAC_INVALID) 3337 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3338 goto out; 3339 } 3340 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3341 goto out; 3342 /* there should be no trailing data */ 3343 if (sshbuf_len(decoded) != 0) { 3344 r = SSH_ERR_INVALID_FORMAT; 3345 goto out; 3346 } 3347 3348 /* check check bytes */ 3349 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3350 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3351 goto out; 3352 if (check1 != check2) { 3353 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3354 goto out; 3355 } 3356 3357 /* Load the private key and comment */ 3358 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3359 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3360 goto out; 3361 3362 /* Check deterministic padding */ 3363 i = 0; 3364 while (sshbuf_len(decrypted)) { 3365 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3366 goto out; 3367 if (pad != (++i & 0xff)) { 3368 r = SSH_ERR_INVALID_FORMAT; 3369 goto out; 3370 } 3371 } 3372 3373 /* XXX decode pubkey and check against private */ 3374 3375 /* success */ 3376 r = 0; 3377 if (keyp != NULL) { 3378 *keyp = k; 3379 k = NULL; 3380 } 3381 if (commentp != NULL) { 3382 *commentp = comment; 3383 comment = NULL; 3384 } 3385 out: 3386 pad = 0; 3387 cipher_free(ciphercontext); 3388 free(ciphername); 3389 free(kdfname); 3390 free(comment); 3391 if (salt != NULL) { 3392 explicit_bzero(salt, slen); 3393 free(salt); 3394 } 3395 if (key != NULL) { 3396 explicit_bzero(key, keylen + ivlen); 3397 free(key); 3398 } 3399 sshbuf_free(encoded); 3400 sshbuf_free(decoded); 3401 sshbuf_free(kdf); 3402 sshbuf_free(decrypted); 3403 sshkey_free(k); 3404 return r; 3405 } 3406 3407 #if WITH_SSH1 3408 /* 3409 * Serialises the authentication (private) key to a blob, encrypting it with 3410 * passphrase. The identification of the blob (lowest 64 bits of n) will 3411 * precede the key to provide identification of the key without needing a 3412 * passphrase. 3413 */ 3414 static int 3415 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3416 const char *passphrase, const char *comment) 3417 { 3418 struct sshbuf *buffer = NULL, *encrypted = NULL; 3419 u_char buf[8]; 3420 int r, cipher_num; 3421 struct sshcipher_ctx *ciphercontext = NULL; 3422 const struct sshcipher *cipher; 3423 u_char *cp; 3424 3425 /* 3426 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3427 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3428 */ 3429 cipher_num = (strcmp(passphrase, "") == 0) ? 3430 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3431 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3432 return SSH_ERR_INTERNAL_ERROR; 3433 3434 /* This buffer is used to build the secret part of the private key. */ 3435 if ((buffer = sshbuf_new()) == NULL) 3436 return SSH_ERR_ALLOC_FAIL; 3437 3438 /* Put checkbytes for checking passphrase validity. */ 3439 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3440 goto out; 3441 arc4random_buf(cp, 2); 3442 memcpy(cp + 2, cp, 2); 3443 3444 /* 3445 * Store the private key (n and e will not be stored because they 3446 * will be stored in plain text, and storing them also in encrypted 3447 * format would just give known plaintext). 3448 * Note: q and p are stored in reverse order to SSL. 3449 */ 3450 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3451 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3452 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3453 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3454 goto out; 3455 3456 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3457 explicit_bzero(buf, 8); 3458 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3459 goto out; 3460 3461 /* This buffer will be used to contain the data in the file. */ 3462 if ((encrypted = sshbuf_new()) == NULL) { 3463 r = SSH_ERR_ALLOC_FAIL; 3464 goto out; 3465 } 3466 3467 /* First store keyfile id string. */ 3468 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3469 sizeof(LEGACY_BEGIN))) != 0) 3470 goto out; 3471 3472 /* Store cipher type and "reserved" field. */ 3473 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3474 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3475 goto out; 3476 3477 /* Store public key. This will be in plain text. */ 3478 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3479 (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 || 3480 (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 || 3481 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3482 goto out; 3483 3484 /* Allocate space for the private part of the key in the buffer. */ 3485 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3486 goto out; 3487 3488 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3489 CIPHER_ENCRYPT)) != 0) 3490 goto out; 3491 if ((r = cipher_crypt(ciphercontext, 0, cp, 3492 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3493 goto out; 3494 3495 r = sshbuf_putb(blob, encrypted); 3496 3497 out: 3498 cipher_free(ciphercontext); 3499 explicit_bzero(buf, sizeof(buf)); 3500 sshbuf_free(buffer); 3501 sshbuf_free(encrypted); 3502 3503 return r; 3504 } 3505 #endif /* WITH_SSH1 */ 3506 3507 #ifdef WITH_OPENSSL 3508 /* convert SSH v2 key in OpenSSL PEM format */ 3509 static int 3510 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3511 const char *_passphrase, const char *comment) 3512 { 3513 int success, r; 3514 int blen, len = strlen(_passphrase); 3515 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3516 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 3517 const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; 3518 #else 3519 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3520 #endif 3521 const u_char *bptr; 3522 BIO *bio = NULL; 3523 3524 if (len > 0 && len <= 4) 3525 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3526 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3527 return SSH_ERR_ALLOC_FAIL; 3528 3529 switch (key->type) { 3530 case KEY_DSA: 3531 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3532 cipher, passphrase, len, NULL, NULL); 3533 break; 3534 #ifdef OPENSSL_HAS_ECC 3535 case KEY_ECDSA: 3536 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3537 cipher, passphrase, len, NULL, NULL); 3538 break; 3539 #endif 3540 case KEY_RSA: 3541 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3542 cipher, passphrase, len, NULL, NULL); 3543 break; 3544 default: 3545 success = 0; 3546 break; 3547 } 3548 if (success == 0) { 3549 r = SSH_ERR_LIBCRYPTO_ERROR; 3550 goto out; 3551 } 3552 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3553 r = SSH_ERR_INTERNAL_ERROR; 3554 goto out; 3555 } 3556 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3557 goto out; 3558 r = 0; 3559 out: 3560 BIO_free(bio); 3561 return r; 3562 } 3563 #endif /* WITH_OPENSSL */ 3564 3565 /* Serialise "key" to buffer "blob" */ 3566 int 3567 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3568 const char *passphrase, const char *comment, 3569 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3570 { 3571 switch (key->type) { 3572 #ifdef WITH_SSH1 3573 case KEY_RSA1: 3574 return sshkey_private_rsa1_to_blob(key, blob, 3575 passphrase, comment); 3576 #endif /* WITH_SSH1 */ 3577 #ifdef WITH_OPENSSL 3578 case KEY_DSA: 3579 case KEY_ECDSA: 3580 case KEY_RSA: 3581 if (force_new_format) { 3582 return sshkey_private_to_blob2(key, blob, passphrase, 3583 comment, new_format_cipher, new_format_rounds); 3584 } 3585 return sshkey_private_pem_to_blob(key, blob, 3586 passphrase, comment); 3587 #endif /* WITH_OPENSSL */ 3588 case KEY_ED25519: 3589 return sshkey_private_to_blob2(key, blob, passphrase, 3590 comment, new_format_cipher, new_format_rounds); 3591 default: 3592 return SSH_ERR_KEY_TYPE_UNKNOWN; 3593 } 3594 } 3595 3596 #ifdef WITH_SSH1 3597 /* 3598 * Parse the public, unencrypted portion of a RSA1 key. 3599 */ 3600 int 3601 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3602 struct sshkey **keyp, char **commentp) 3603 { 3604 int r; 3605 struct sshkey *pub = NULL; 3606 struct sshbuf *copy = NULL; 3607 3608 if (keyp != NULL) 3609 *keyp = NULL; 3610 if (commentp != NULL) 3611 *commentp = NULL; 3612 3613 /* Check that it is at least big enough to contain the ID string. */ 3614 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3615 return SSH_ERR_INVALID_FORMAT; 3616 3617 /* 3618 * Make sure it begins with the id string. Consume the id string 3619 * from the buffer. 3620 */ 3621 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3622 return SSH_ERR_INVALID_FORMAT; 3623 /* Make a working copy of the keyblob and skip past the magic */ 3624 if ((copy = sshbuf_fromb(blob)) == NULL) 3625 return SSH_ERR_ALLOC_FAIL; 3626 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3627 goto out; 3628 3629 /* Skip cipher type, reserved data and key bits. */ 3630 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3631 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3632 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3633 goto out; 3634 3635 /* Read the public key from the buffer. */ 3636 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3637 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3638 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3639 goto out; 3640 3641 /* Finally, the comment */ 3642 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3643 goto out; 3644 3645 /* The encrypted private part is not parsed by this function. */ 3646 3647 r = 0; 3648 if (keyp != NULL) { 3649 *keyp = pub; 3650 pub = NULL; 3651 } 3652 out: 3653 sshbuf_free(copy); 3654 sshkey_free(pub); 3655 return r; 3656 } 3657 3658 static int 3659 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3660 struct sshkey **keyp, char **commentp) 3661 { 3662 int r; 3663 u_int16_t check1, check2; 3664 u_int8_t cipher_type; 3665 struct sshbuf *decrypted = NULL, *copy = NULL; 3666 u_char *cp; 3667 char *comment = NULL; 3668 struct sshcipher_ctx *ciphercontext = NULL; 3669 const struct sshcipher *cipher; 3670 struct sshkey *prv = NULL; 3671 3672 if (keyp != NULL) 3673 *keyp = NULL; 3674 if (commentp != NULL) 3675 *commentp = NULL; 3676 3677 /* Check that it is at least big enough to contain the ID string. */ 3678 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3679 return SSH_ERR_INVALID_FORMAT; 3680 3681 /* 3682 * Make sure it begins with the id string. Consume the id string 3683 * from the buffer. 3684 */ 3685 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3686 return SSH_ERR_INVALID_FORMAT; 3687 3688 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3689 r = SSH_ERR_ALLOC_FAIL; 3690 goto out; 3691 } 3692 if ((copy = sshbuf_fromb(blob)) == NULL || 3693 (decrypted = sshbuf_new()) == NULL) { 3694 r = SSH_ERR_ALLOC_FAIL; 3695 goto out; 3696 } 3697 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3698 goto out; 3699 3700 /* Read cipher type. */ 3701 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3702 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3703 goto out; 3704 3705 /* Read the public key and comment from the buffer. */ 3706 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3707 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3708 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3709 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3710 goto out; 3711 3712 /* Check that it is a supported cipher. */ 3713 cipher = cipher_by_number(cipher_type); 3714 if (cipher == NULL) { 3715 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3716 goto out; 3717 } 3718 /* Initialize space for decrypted data. */ 3719 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3720 goto out; 3721 3722 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3723 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3724 CIPHER_DECRYPT)) != 0) 3725 goto out; 3726 if ((r = cipher_crypt(ciphercontext, 0, cp, 3727 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) 3728 goto out; 3729 3730 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3731 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3732 goto out; 3733 if (check1 != check2) { 3734 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3735 goto out; 3736 } 3737 3738 /* Read the rest of the private key. */ 3739 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3740 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3741 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3742 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3743 goto out; 3744 3745 /* calculate p-1 and q-1 */ 3746 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3747 goto out; 3748 3749 /* enable blinding */ 3750 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3751 r = SSH_ERR_LIBCRYPTO_ERROR; 3752 goto out; 3753 } 3754 r = 0; 3755 if (keyp != NULL) { 3756 *keyp = prv; 3757 prv = NULL; 3758 } 3759 if (commentp != NULL) { 3760 *commentp = comment; 3761 comment = NULL; 3762 } 3763 out: 3764 cipher_free(ciphercontext); 3765 free(comment); 3766 sshkey_free(prv); 3767 sshbuf_free(copy); 3768 sshbuf_free(decrypted); 3769 return r; 3770 } 3771 #endif /* WITH_SSH1 */ 3772 3773 #ifdef WITH_OPENSSL 3774 static int 3775 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3776 const char *passphrase, struct sshkey **keyp) 3777 { 3778 EVP_PKEY *pk = NULL; 3779 struct sshkey *prv = NULL; 3780 BIO *bio = NULL; 3781 int r; 3782 3783 if (keyp != NULL) 3784 *keyp = NULL; 3785 3786 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3787 return SSH_ERR_ALLOC_FAIL; 3788 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3789 (int)sshbuf_len(blob)) { 3790 r = SSH_ERR_ALLOC_FAIL; 3791 goto out; 3792 } 3793 3794 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3795 (char *)passphrase)) == NULL) { 3796 unsigned long pem_err = ERR_peek_last_error(); 3797 int pem_reason = ERR_GET_REASON(pem_err); 3798 3799 /* 3800 * Translate OpenSSL error codes to determine whether 3801 * passphrase is required/incorrect. 3802 */ 3803 switch (ERR_GET_LIB(pem_err)) { 3804 case ERR_LIB_PEM: 3805 switch (pem_reason) { 3806 case PEM_R_BAD_PASSWORD_READ: 3807 #if !defined(ANDROID) || defined(PEM_R_PROBLEMS_GETTING_PASSWORD) 3808 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3809 #endif 3810 case PEM_R_BAD_DECRYPT: 3811 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3812 goto out; 3813 default: 3814 r = SSH_ERR_INVALID_FORMAT; 3815 goto out; 3816 } 3817 case ERR_LIB_EVP: 3818 switch (pem_reason) { 3819 #if !defined(ANDROID) || defined(EVP_R_BAD_DECRYPT) 3820 case EVP_R_BAD_DECRYPT: 3821 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3822 goto out; 3823 #endif 3824 #if !defined(ANDROID) || defined(EVP_R_BN_DECODE_ERROR) 3825 case EVP_R_BN_DECODE_ERROR: 3826 #endif 3827 case EVP_R_DECODE_ERROR: 3828 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3829 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3830 #endif 3831 r = SSH_ERR_INVALID_FORMAT; 3832 goto out; 3833 default: 3834 r = SSH_ERR_LIBCRYPTO_ERROR; 3835 goto out; 3836 } 3837 case ERR_LIB_ASN1: 3838 r = SSH_ERR_INVALID_FORMAT; 3839 goto out; 3840 } 3841 r = SSH_ERR_LIBCRYPTO_ERROR; 3842 goto out; 3843 } 3844 if (pk->type == EVP_PKEY_RSA && 3845 (type == KEY_UNSPEC || type == KEY_RSA)) { 3846 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3847 r = SSH_ERR_ALLOC_FAIL; 3848 goto out; 3849 } 3850 prv->rsa = EVP_PKEY_get1_RSA(pk); 3851 prv->type = KEY_RSA; 3852 #ifdef DEBUG_PK 3853 RSA_print_fp(stderr, prv->rsa, 8); 3854 #endif 3855 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3856 r = SSH_ERR_LIBCRYPTO_ERROR; 3857 goto out; 3858 } 3859 } else if (pk->type == EVP_PKEY_DSA && 3860 (type == KEY_UNSPEC || type == KEY_DSA)) { 3861 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3862 r = SSH_ERR_ALLOC_FAIL; 3863 goto out; 3864 } 3865 prv->dsa = EVP_PKEY_get1_DSA(pk); 3866 prv->type = KEY_DSA; 3867 #ifdef DEBUG_PK 3868 DSA_print_fp(stderr, prv->dsa, 8); 3869 #endif 3870 #ifdef OPENSSL_HAS_ECC 3871 } else if (pk->type == EVP_PKEY_EC && 3872 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3873 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3874 r = SSH_ERR_ALLOC_FAIL; 3875 goto out; 3876 } 3877 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3878 prv->type = KEY_ECDSA; 3879 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3880 if (prv->ecdsa_nid == -1 || 3881 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3882 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3883 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3884 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3885 r = SSH_ERR_INVALID_FORMAT; 3886 goto out; 3887 } 3888 # ifdef DEBUG_PK 3889 if (prv != NULL && prv->ecdsa != NULL) 3890 sshkey_dump_ec_key(prv->ecdsa); 3891 # endif 3892 #endif /* OPENSSL_HAS_ECC */ 3893 } else { 3894 r = SSH_ERR_INVALID_FORMAT; 3895 goto out; 3896 } 3897 r = 0; 3898 if (keyp != NULL) { 3899 *keyp = prv; 3900 prv = NULL; 3901 } 3902 out: 3903 BIO_free(bio); 3904 if (pk != NULL) 3905 EVP_PKEY_free(pk); 3906 sshkey_free(prv); 3907 return r; 3908 } 3909 #endif /* WITH_OPENSSL */ 3910 3911 int 3912 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3913 const char *passphrase, struct sshkey **keyp, char **commentp) 3914 { 3915 int r = SSH_ERR_INTERNAL_ERROR; 3916 3917 if (keyp != NULL) 3918 *keyp = NULL; 3919 if (commentp != NULL) 3920 *commentp = NULL; 3921 3922 switch (type) { 3923 #ifdef WITH_SSH1 3924 case KEY_RSA1: 3925 return sshkey_parse_private_rsa1(blob, passphrase, 3926 keyp, commentp); 3927 #endif /* WITH_SSH1 */ 3928 #ifdef WITH_OPENSSL 3929 case KEY_DSA: 3930 case KEY_ECDSA: 3931 case KEY_RSA: 3932 return sshkey_parse_private_pem_fileblob(blob, type, 3933 passphrase, keyp); 3934 #endif /* WITH_OPENSSL */ 3935 case KEY_ED25519: 3936 return sshkey_parse_private2(blob, type, passphrase, 3937 keyp, commentp); 3938 case KEY_UNSPEC: 3939 r = sshkey_parse_private2(blob, type, passphrase, keyp, 3940 commentp); 3941 /* Do not fallback to PEM parser if only passphrase is wrong. */ 3942 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE) 3943 return r; 3944 #ifdef WITH_OPENSSL 3945 return sshkey_parse_private_pem_fileblob(blob, type, 3946 passphrase, keyp); 3947 #else 3948 return SSH_ERR_INVALID_FORMAT; 3949 #endif /* WITH_OPENSSL */ 3950 default: 3951 return SSH_ERR_KEY_TYPE_UNKNOWN; 3952 } 3953 } 3954 3955 int 3956 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3957 struct sshkey **keyp, char **commentp) 3958 { 3959 if (keyp != NULL) 3960 *keyp = NULL; 3961 if (commentp != NULL) 3962 *commentp = NULL; 3963 3964 #ifdef WITH_SSH1 3965 /* it's a SSH v1 key if the public key part is readable */ 3966 if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) { 3967 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3968 passphrase, keyp, commentp); 3969 } 3970 #endif /* WITH_SSH1 */ 3971 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3972 passphrase, keyp, commentp); 3973 } 3974
