1 /* $OpenBSD: sshkey.c,v 1.35 2016/06/19 07:48:02 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 30 #include <sys/param.h> /* MIN MAX */ 31 #include <sys/types.h> 32 #include <netinet/in.h> 33 34 #ifdef WITH_OPENSSL 35 #include <openssl/evp.h> 36 #include <openssl/err.h> 37 #include <openssl/pem.h> 38 #endif 39 40 #include "crypto_api.h" 41 42 #include <errno.h> 43 #include <limits.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <resolv.h> 47 #ifdef HAVE_UTIL_H 48 #include <util.h> 49 #endif /* HAVE_UTIL_H */ 50 51 #include "ssh2.h" 52 #include "ssherr.h" 53 #include "misc.h" 54 #include "sshbuf.h" 55 #include "rsa.h" 56 #include "cipher.h" 57 #include "digest.h" 58 #define SSHKEY_INTERNAL 59 #include "sshkey.h" 60 #include "match.h" 61 62 /* openssh private key file format */ 63 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 64 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 65 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 66 #define MARK_END_LEN (sizeof(MARK_END) - 1) 67 #define KDFNAME "bcrypt" 68 #define AUTH_MAGIC "openssh-key-v1" 69 #define SALT_LEN 16 70 #define DEFAULT_CIPHERNAME "aes256-cbc" 71 #define DEFAULT_ROUNDS 16 72 73 /* Version identification string for SSH v1 identity files. */ 74 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 75 76 static int sshkey_from_blob_internal(struct sshbuf *buf, 77 struct sshkey **keyp, int allow_cert); 78 79 /* Supported key types */ 80 struct keytype { 81 const char *name; 82 const char *shortname; 83 int type; 84 int nid; 85 int cert; 86 int sigonly; 87 }; 88 static const struct keytype keytypes[] = { 89 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 }, 90 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 91 KEY_ED25519_CERT, 0, 1, 0 }, 92 #ifdef WITH_OPENSSL 93 { NULL, "RSA1", KEY_RSA1, 0, 0, 0 }, 94 { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 }, 95 { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 }, 96 { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 }, 97 { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 }, 98 # ifdef OPENSSL_HAS_ECC 99 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 }, 100 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 }, 101 # ifdef OPENSSL_HAS_NISTP521 102 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 }, 103 # endif /* OPENSSL_HAS_NISTP521 */ 104 # endif /* OPENSSL_HAS_ECC */ 105 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 }, 106 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 }, 107 # ifdef OPENSSL_HAS_ECC 108 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 109 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 }, 110 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 111 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 }, 112 # ifdef OPENSSL_HAS_NISTP521 113 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 114 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 }, 115 # endif /* OPENSSL_HAS_NISTP521 */ 116 # endif /* OPENSSL_HAS_ECC */ 117 #endif /* WITH_OPENSSL */ 118 { NULL, NULL, -1, -1, 0, 0 } 119 }; 120 121 const char * 122 sshkey_type(const struct sshkey *k) 123 { 124 const struct keytype *kt; 125 126 for (kt = keytypes; kt->type != -1; kt++) { 127 if (kt->type == k->type) 128 return kt->shortname; 129 } 130 return "unknown"; 131 } 132 133 static const char * 134 sshkey_ssh_name_from_type_nid(int type, int nid) 135 { 136 const struct keytype *kt; 137 138 for (kt = keytypes; kt->type != -1; kt++) { 139 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 140 return kt->name; 141 } 142 return "ssh-unknown"; 143 } 144 145 int 146 sshkey_type_is_cert(int type) 147 { 148 const struct keytype *kt; 149 150 for (kt = keytypes; kt->type != -1; kt++) { 151 if (kt->type == type) 152 return kt->cert; 153 } 154 return 0; 155 } 156 157 const char * 158 sshkey_ssh_name(const struct sshkey *k) 159 { 160 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 161 } 162 163 const char * 164 sshkey_ssh_name_plain(const struct sshkey *k) 165 { 166 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 167 k->ecdsa_nid); 168 } 169 170 int 171 sshkey_type_from_name(const char *name) 172 { 173 const struct keytype *kt; 174 175 for (kt = keytypes; kt->type != -1; kt++) { 176 /* Only allow shortname matches for plain key types */ 177 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 178 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 179 return kt->type; 180 } 181 return KEY_UNSPEC; 182 } 183 184 int 185 sshkey_ecdsa_nid_from_name(const char *name) 186 { 187 const struct keytype *kt; 188 189 for (kt = keytypes; kt->type != -1; kt++) { 190 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 191 continue; 192 if (kt->name != NULL && strcmp(name, kt->name) == 0) 193 return kt->nid; 194 } 195 return -1; 196 } 197 198 char * 199 key_alg_list(int certs_only, int plain_only) 200 { 201 char *tmp, *ret = NULL; 202 size_t nlen, rlen = 0; 203 const struct keytype *kt; 204 205 for (kt = keytypes; kt->type != -1; kt++) { 206 if (kt->name == NULL || kt->sigonly) 207 continue; 208 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 209 continue; 210 if (ret != NULL) 211 ret[rlen++] = '\n'; 212 nlen = strlen(kt->name); 213 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 214 free(ret); 215 return NULL; 216 } 217 ret = tmp; 218 memcpy(ret + rlen, kt->name, nlen + 1); 219 rlen += nlen; 220 } 221 return ret; 222 } 223 224 int 225 sshkey_names_valid2(const char *names, int allow_wildcard) 226 { 227 char *s, *cp, *p; 228 const struct keytype *kt; 229 int type; 230 231 if (names == NULL || strcmp(names, "") == 0) 232 return 0; 233 if ((s = cp = strdup(names)) == NULL) 234 return 0; 235 for ((p = strsep(&cp, ",")); p && *p != '\0'; 236 (p = strsep(&cp, ","))) { 237 type = sshkey_type_from_name(p); 238 if (type == KEY_RSA1) { 239 free(s); 240 return 0; 241 } 242 if (type == KEY_UNSPEC) { 243 if (allow_wildcard) { 244 /* 245 * Try matching key types against the string. 246 * If any has a positive or negative match then 247 * the component is accepted. 248 */ 249 for (kt = keytypes; kt->type != -1; kt++) { 250 if (kt->type == KEY_RSA1) 251 continue; 252 if (match_pattern_list(kt->name, 253 p, 0) != 0) 254 break; 255 } 256 if (kt->type != -1) 257 continue; 258 } 259 free(s); 260 return 0; 261 } 262 } 263 free(s); 264 return 1; 265 } 266 267 u_int 268 sshkey_size(const struct sshkey *k) 269 { 270 switch (k->type) { 271 #ifdef WITH_OPENSSL 272 case KEY_RSA1: 273 case KEY_RSA: 274 case KEY_RSA_CERT: 275 return BN_num_bits(k->rsa->n); 276 case KEY_DSA: 277 case KEY_DSA_CERT: 278 return BN_num_bits(k->dsa->p); 279 case KEY_ECDSA: 280 case KEY_ECDSA_CERT: 281 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 282 #endif /* WITH_OPENSSL */ 283 case KEY_ED25519: 284 case KEY_ED25519_CERT: 285 return 256; /* XXX */ 286 } 287 return 0; 288 } 289 290 static int 291 sshkey_type_is_valid_ca(int type) 292 { 293 switch (type) { 294 case KEY_RSA: 295 case KEY_DSA: 296 case KEY_ECDSA: 297 case KEY_ED25519: 298 return 1; 299 default: 300 return 0; 301 } 302 } 303 304 int 305 sshkey_is_cert(const struct sshkey *k) 306 { 307 if (k == NULL) 308 return 0; 309 return sshkey_type_is_cert(k->type); 310 } 311 312 /* Return the cert-less equivalent to a certified key type */ 313 int 314 sshkey_type_plain(int type) 315 { 316 switch (type) { 317 case KEY_RSA_CERT: 318 return KEY_RSA; 319 case KEY_DSA_CERT: 320 return KEY_DSA; 321 case KEY_ECDSA_CERT: 322 return KEY_ECDSA; 323 case KEY_ED25519_CERT: 324 return KEY_ED25519; 325 default: 326 return type; 327 } 328 } 329 330 #ifdef WITH_OPENSSL 331 /* XXX: these are really begging for a table-driven approach */ 332 int 333 sshkey_curve_name_to_nid(const char *name) 334 { 335 if (strcmp(name, "nistp256") == 0) 336 return NID_X9_62_prime256v1; 337 else if (strcmp(name, "nistp384") == 0) 338 return NID_secp384r1; 339 # ifdef OPENSSL_HAS_NISTP521 340 else if (strcmp(name, "nistp521") == 0) 341 return NID_secp521r1; 342 # endif /* OPENSSL_HAS_NISTP521 */ 343 else 344 return -1; 345 } 346 347 u_int 348 sshkey_curve_nid_to_bits(int nid) 349 { 350 switch (nid) { 351 case NID_X9_62_prime256v1: 352 return 256; 353 case NID_secp384r1: 354 return 384; 355 # ifdef OPENSSL_HAS_NISTP521 356 case NID_secp521r1: 357 return 521; 358 # endif /* OPENSSL_HAS_NISTP521 */ 359 default: 360 return 0; 361 } 362 } 363 364 int 365 sshkey_ecdsa_bits_to_nid(int bits) 366 { 367 switch (bits) { 368 case 256: 369 return NID_X9_62_prime256v1; 370 case 384: 371 return NID_secp384r1; 372 # ifdef OPENSSL_HAS_NISTP521 373 case 521: 374 return NID_secp521r1; 375 # endif /* OPENSSL_HAS_NISTP521 */ 376 default: 377 return -1; 378 } 379 } 380 381 const char * 382 sshkey_curve_nid_to_name(int nid) 383 { 384 switch (nid) { 385 case NID_X9_62_prime256v1: 386 return "nistp256"; 387 case NID_secp384r1: 388 return "nistp384"; 389 # ifdef OPENSSL_HAS_NISTP521 390 case NID_secp521r1: 391 return "nistp521"; 392 # endif /* OPENSSL_HAS_NISTP521 */ 393 default: 394 return NULL; 395 } 396 } 397 398 int 399 sshkey_ec_nid_to_hash_alg(int nid) 400 { 401 int kbits = sshkey_curve_nid_to_bits(nid); 402 403 if (kbits <= 0) 404 return -1; 405 406 /* RFC5656 section 6.2.1 */ 407 if (kbits <= 256) 408 return SSH_DIGEST_SHA256; 409 else if (kbits <= 384) 410 return SSH_DIGEST_SHA384; 411 else 412 return SSH_DIGEST_SHA512; 413 } 414 #endif /* WITH_OPENSSL */ 415 416 static void 417 cert_free(struct sshkey_cert *cert) 418 { 419 u_int i; 420 421 if (cert == NULL) 422 return; 423 sshbuf_free(cert->certblob); 424 sshbuf_free(cert->critical); 425 sshbuf_free(cert->extensions); 426 free(cert->key_id); 427 for (i = 0; i < cert->nprincipals; i++) 428 free(cert->principals[i]); 429 free(cert->principals); 430 sshkey_free(cert->signature_key); 431 explicit_bzero(cert, sizeof(*cert)); 432 free(cert); 433 } 434 435 static struct sshkey_cert * 436 cert_new(void) 437 { 438 struct sshkey_cert *cert; 439 440 if ((cert = calloc(1, sizeof(*cert))) == NULL) 441 return NULL; 442 if ((cert->certblob = sshbuf_new()) == NULL || 443 (cert->critical = sshbuf_new()) == NULL || 444 (cert->extensions = sshbuf_new()) == NULL) { 445 cert_free(cert); 446 return NULL; 447 } 448 cert->key_id = NULL; 449 cert->principals = NULL; 450 cert->signature_key = NULL; 451 return cert; 452 } 453 454 struct sshkey * 455 sshkey_new(int type) 456 { 457 struct sshkey *k; 458 #ifdef WITH_OPENSSL 459 RSA *rsa; 460 DSA *dsa; 461 #endif /* WITH_OPENSSL */ 462 463 if ((k = calloc(1, sizeof(*k))) == NULL) 464 return NULL; 465 k->type = type; 466 k->ecdsa = NULL; 467 k->ecdsa_nid = -1; 468 k->dsa = NULL; 469 k->rsa = NULL; 470 k->cert = NULL; 471 k->ed25519_sk = NULL; 472 k->ed25519_pk = NULL; 473 switch (k->type) { 474 #ifdef WITH_OPENSSL 475 case KEY_RSA1: 476 case KEY_RSA: 477 case KEY_RSA_CERT: 478 if ((rsa = RSA_new()) == NULL || 479 (rsa->n = BN_new()) == NULL || 480 (rsa->e = BN_new()) == NULL) { 481 if (rsa != NULL) 482 RSA_free(rsa); 483 free(k); 484 return NULL; 485 } 486 k->rsa = rsa; 487 break; 488 case KEY_DSA: 489 case KEY_DSA_CERT: 490 if ((dsa = DSA_new()) == NULL || 491 (dsa->p = BN_new()) == NULL || 492 (dsa->q = BN_new()) == NULL || 493 (dsa->g = BN_new()) == NULL || 494 (dsa->pub_key = BN_new()) == NULL) { 495 if (dsa != NULL) 496 DSA_free(dsa); 497 free(k); 498 return NULL; 499 } 500 k->dsa = dsa; 501 break; 502 case KEY_ECDSA: 503 case KEY_ECDSA_CERT: 504 /* Cannot do anything until we know the group */ 505 break; 506 #endif /* WITH_OPENSSL */ 507 case KEY_ED25519: 508 case KEY_ED25519_CERT: 509 /* no need to prealloc */ 510 break; 511 case KEY_UNSPEC: 512 break; 513 default: 514 free(k); 515 return NULL; 516 break; 517 } 518 519 if (sshkey_is_cert(k)) { 520 if ((k->cert = cert_new()) == NULL) { 521 sshkey_free(k); 522 return NULL; 523 } 524 } 525 526 return k; 527 } 528 529 int 530 sshkey_add_private(struct sshkey *k) 531 { 532 switch (k->type) { 533 #ifdef WITH_OPENSSL 534 case KEY_RSA1: 535 case KEY_RSA: 536 case KEY_RSA_CERT: 537 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 538 if (bn_maybe_alloc_failed(k->rsa->d) || 539 bn_maybe_alloc_failed(k->rsa->iqmp) || 540 bn_maybe_alloc_failed(k->rsa->q) || 541 bn_maybe_alloc_failed(k->rsa->p) || 542 bn_maybe_alloc_failed(k->rsa->dmq1) || 543 bn_maybe_alloc_failed(k->rsa->dmp1)) 544 return SSH_ERR_ALLOC_FAIL; 545 break; 546 case KEY_DSA: 547 case KEY_DSA_CERT: 548 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 549 return SSH_ERR_ALLOC_FAIL; 550 break; 551 #undef bn_maybe_alloc_failed 552 case KEY_ECDSA: 553 case KEY_ECDSA_CERT: 554 /* Cannot do anything until we know the group */ 555 break; 556 #endif /* WITH_OPENSSL */ 557 case KEY_ED25519: 558 case KEY_ED25519_CERT: 559 /* no need to prealloc */ 560 break; 561 case KEY_UNSPEC: 562 break; 563 default: 564 return SSH_ERR_INVALID_ARGUMENT; 565 } 566 return 0; 567 } 568 569 struct sshkey * 570 sshkey_new_private(int type) 571 { 572 struct sshkey *k = sshkey_new(type); 573 574 if (k == NULL) 575 return NULL; 576 if (sshkey_add_private(k) != 0) { 577 sshkey_free(k); 578 return NULL; 579 } 580 return k; 581 } 582 583 void 584 sshkey_free(struct sshkey *k) 585 { 586 if (k == NULL) 587 return; 588 switch (k->type) { 589 #ifdef WITH_OPENSSL 590 case KEY_RSA1: 591 case KEY_RSA: 592 case KEY_RSA_CERT: 593 if (k->rsa != NULL) 594 RSA_free(k->rsa); 595 k->rsa = NULL; 596 break; 597 case KEY_DSA: 598 case KEY_DSA_CERT: 599 if (k->dsa != NULL) 600 DSA_free(k->dsa); 601 k->dsa = NULL; 602 break; 603 # ifdef OPENSSL_HAS_ECC 604 case KEY_ECDSA: 605 case KEY_ECDSA_CERT: 606 if (k->ecdsa != NULL) 607 EC_KEY_free(k->ecdsa); 608 k->ecdsa = NULL; 609 break; 610 # endif /* OPENSSL_HAS_ECC */ 611 #endif /* WITH_OPENSSL */ 612 case KEY_ED25519: 613 case KEY_ED25519_CERT: 614 if (k->ed25519_pk) { 615 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 616 free(k->ed25519_pk); 617 k->ed25519_pk = NULL; 618 } 619 if (k->ed25519_sk) { 620 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 621 free(k->ed25519_sk); 622 k->ed25519_sk = NULL; 623 } 624 break; 625 case KEY_UNSPEC: 626 break; 627 default: 628 break; 629 } 630 if (sshkey_is_cert(k)) 631 cert_free(k->cert); 632 explicit_bzero(k, sizeof(*k)); 633 free(k); 634 } 635 636 static int 637 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 638 { 639 if (a == NULL && b == NULL) 640 return 1; 641 if (a == NULL || b == NULL) 642 return 0; 643 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 644 return 0; 645 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 646 sshbuf_len(a->certblob)) != 0) 647 return 0; 648 return 1; 649 } 650 651 /* 652 * Compare public portions of key only, allowing comparisons between 653 * certificates and plain keys too. 654 */ 655 int 656 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 657 { 658 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 659 BN_CTX *bnctx; 660 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 661 662 if (a == NULL || b == NULL || 663 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 664 return 0; 665 666 switch (a->type) { 667 #ifdef WITH_OPENSSL 668 case KEY_RSA1: 669 case KEY_RSA_CERT: 670 case KEY_RSA: 671 return a->rsa != NULL && b->rsa != NULL && 672 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 673 BN_cmp(a->rsa->n, b->rsa->n) == 0; 674 case KEY_DSA_CERT: 675 case KEY_DSA: 676 return a->dsa != NULL && b->dsa != NULL && 677 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 678 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 679 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 680 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 681 # ifdef OPENSSL_HAS_ECC 682 case KEY_ECDSA_CERT: 683 case KEY_ECDSA: 684 if (a->ecdsa == NULL || b->ecdsa == NULL || 685 EC_KEY_get0_public_key(a->ecdsa) == NULL || 686 EC_KEY_get0_public_key(b->ecdsa) == NULL) 687 return 0; 688 if ((bnctx = BN_CTX_new()) == NULL) 689 return 0; 690 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 691 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 692 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 693 EC_KEY_get0_public_key(a->ecdsa), 694 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 695 BN_CTX_free(bnctx); 696 return 0; 697 } 698 BN_CTX_free(bnctx); 699 return 1; 700 # endif /* OPENSSL_HAS_ECC */ 701 #endif /* WITH_OPENSSL */ 702 case KEY_ED25519: 703 case KEY_ED25519_CERT: 704 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 705 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 706 default: 707 return 0; 708 } 709 /* NOTREACHED */ 710 } 711 712 int 713 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 714 { 715 if (a == NULL || b == NULL || a->type != b->type) 716 return 0; 717 if (sshkey_is_cert(a)) { 718 if (!cert_compare(a->cert, b->cert)) 719 return 0; 720 } 721 return sshkey_equal_public(a, b); 722 } 723 724 static int 725 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 726 { 727 int type, ret = SSH_ERR_INTERNAL_ERROR; 728 const char *typename; 729 730 if (key == NULL) 731 return SSH_ERR_INVALID_ARGUMENT; 732 733 if (sshkey_is_cert(key)) { 734 if (key->cert == NULL) 735 return SSH_ERR_EXPECTED_CERT; 736 if (sshbuf_len(key->cert->certblob) == 0) 737 return SSH_ERR_KEY_LACKS_CERTBLOB; 738 } 739 type = force_plain ? sshkey_type_plain(key->type) : key->type; 740 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 741 742 switch (type) { 743 #ifdef WITH_OPENSSL 744 case KEY_DSA_CERT: 745 case KEY_ECDSA_CERT: 746 case KEY_RSA_CERT: 747 #endif /* WITH_OPENSSL */ 748 case KEY_ED25519_CERT: 749 /* Use the existing blob */ 750 /* XXX modified flag? */ 751 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 752 return ret; 753 break; 754 #ifdef WITH_OPENSSL 755 case KEY_DSA: 756 if (key->dsa == NULL) 757 return SSH_ERR_INVALID_ARGUMENT; 758 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 759 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 760 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 761 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 762 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 763 return ret; 764 break; 765 # ifdef OPENSSL_HAS_ECC 766 case KEY_ECDSA: 767 if (key->ecdsa == NULL) 768 return SSH_ERR_INVALID_ARGUMENT; 769 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 770 (ret = sshbuf_put_cstring(b, 771 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 772 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 773 return ret; 774 break; 775 # endif 776 case KEY_RSA: 777 if (key->rsa == NULL) 778 return SSH_ERR_INVALID_ARGUMENT; 779 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 780 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 781 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 782 return ret; 783 break; 784 #endif /* WITH_OPENSSL */ 785 case KEY_ED25519: 786 if (key->ed25519_pk == NULL) 787 return SSH_ERR_INVALID_ARGUMENT; 788 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 789 (ret = sshbuf_put_string(b, 790 key->ed25519_pk, ED25519_PK_SZ)) != 0) 791 return ret; 792 break; 793 default: 794 return SSH_ERR_KEY_TYPE_UNKNOWN; 795 } 796 return 0; 797 } 798 799 int 800 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 801 { 802 return to_blob_buf(key, b, 0); 803 } 804 805 int 806 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 807 { 808 struct sshbuf *tmp; 809 int r; 810 811 if ((tmp = sshbuf_new()) == NULL) 812 return SSH_ERR_ALLOC_FAIL; 813 r = to_blob_buf(key, tmp, 0); 814 if (r == 0) 815 r = sshbuf_put_stringb(b, tmp); 816 sshbuf_free(tmp); 817 return r; 818 } 819 820 int 821 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 822 { 823 return to_blob_buf(key, b, 1); 824 } 825 826 static int 827 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 828 { 829 int ret = SSH_ERR_INTERNAL_ERROR; 830 size_t len; 831 struct sshbuf *b = NULL; 832 833 if (lenp != NULL) 834 *lenp = 0; 835 if (blobp != NULL) 836 *blobp = NULL; 837 if ((b = sshbuf_new()) == NULL) 838 return SSH_ERR_ALLOC_FAIL; 839 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 840 goto out; 841 len = sshbuf_len(b); 842 if (lenp != NULL) 843 *lenp = len; 844 if (blobp != NULL) { 845 if ((*blobp = malloc(len)) == NULL) { 846 ret = SSH_ERR_ALLOC_FAIL; 847 goto out; 848 } 849 memcpy(*blobp, sshbuf_ptr(b), len); 850 } 851 ret = 0; 852 out: 853 sshbuf_free(b); 854 return ret; 855 } 856 857 int 858 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 859 { 860 return to_blob(key, blobp, lenp, 0); 861 } 862 863 int 864 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 865 { 866 return to_blob(key, blobp, lenp, 1); 867 } 868 869 int 870 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 871 u_char **retp, size_t *lenp) 872 { 873 u_char *blob = NULL, *ret = NULL; 874 size_t blob_len = 0; 875 int r = SSH_ERR_INTERNAL_ERROR; 876 877 if (retp != NULL) 878 *retp = NULL; 879 if (lenp != NULL) 880 *lenp = 0; 881 if (ssh_digest_bytes(dgst_alg) == 0) { 882 r = SSH_ERR_INVALID_ARGUMENT; 883 goto out; 884 } 885 886 if (k->type == KEY_RSA1) { 887 #ifdef WITH_OPENSSL 888 int nlen = BN_num_bytes(k->rsa->n); 889 int elen = BN_num_bytes(k->rsa->e); 890 891 blob_len = nlen + elen; 892 if (nlen >= INT_MAX - elen || 893 (blob = malloc(blob_len)) == NULL) { 894 r = SSH_ERR_ALLOC_FAIL; 895 goto out; 896 } 897 BN_bn2bin(k->rsa->n, blob); 898 BN_bn2bin(k->rsa->e, blob + nlen); 899 #endif /* WITH_OPENSSL */ 900 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 901 goto out; 902 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 903 r = SSH_ERR_ALLOC_FAIL; 904 goto out; 905 } 906 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 907 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 908 goto out; 909 /* success */ 910 if (retp != NULL) { 911 *retp = ret; 912 ret = NULL; 913 } 914 if (lenp != NULL) 915 *lenp = ssh_digest_bytes(dgst_alg); 916 r = 0; 917 out: 918 free(ret); 919 if (blob != NULL) { 920 explicit_bzero(blob, blob_len); 921 free(blob); 922 } 923 return r; 924 } 925 926 static char * 927 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 928 { 929 char *ret; 930 size_t plen = strlen(alg) + 1; 931 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 932 int r; 933 934 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 935 return NULL; 936 strlcpy(ret, alg, rlen); 937 strlcat(ret, ":", rlen); 938 if (dgst_raw_len == 0) 939 return ret; 940 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 941 ret + plen, rlen - plen)) == -1) { 942 explicit_bzero(ret, rlen); 943 free(ret); 944 return NULL; 945 } 946 /* Trim padding characters from end */ 947 ret[strcspn(ret, "=")] = '\0'; 948 return ret; 949 } 950 951 static char * 952 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 953 { 954 char *retval, hex[5]; 955 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 956 957 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 958 return NULL; 959 strlcpy(retval, alg, rlen); 960 strlcat(retval, ":", rlen); 961 for (i = 0; i < dgst_raw_len; i++) { 962 snprintf(hex, sizeof(hex), "%s%02x", 963 i > 0 ? ":" : "", dgst_raw[i]); 964 strlcat(retval, hex, rlen); 965 } 966 return retval; 967 } 968 969 static char * 970 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 971 { 972 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 973 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 974 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 975 u_int i, j = 0, rounds, seed = 1; 976 char *retval; 977 978 rounds = (dgst_raw_len / 2) + 1; 979 if ((retval = calloc(rounds, 6)) == NULL) 980 return NULL; 981 retval[j++] = 'x'; 982 for (i = 0; i < rounds; i++) { 983 u_int idx0, idx1, idx2, idx3, idx4; 984 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 985 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 986 seed) % 6; 987 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 988 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 989 (seed / 6)) % 6; 990 retval[j++] = vowels[idx0]; 991 retval[j++] = consonants[idx1]; 992 retval[j++] = vowels[idx2]; 993 if ((i + 1) < rounds) { 994 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 995 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 996 retval[j++] = consonants[idx3]; 997 retval[j++] = '-'; 998 retval[j++] = consonants[idx4]; 999 seed = ((seed * 5) + 1000 ((((u_int)(dgst_raw[2 * i])) * 7) + 1001 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1002 } 1003 } else { 1004 idx0 = seed % 6; 1005 idx1 = 16; 1006 idx2 = seed / 6; 1007 retval[j++] = vowels[idx0]; 1008 retval[j++] = consonants[idx1]; 1009 retval[j++] = vowels[idx2]; 1010 } 1011 } 1012 retval[j++] = 'x'; 1013 retval[j++] = '\0'; 1014 return retval; 1015 } 1016 1017 /* 1018 * Draw an ASCII-Art representing the fingerprint so human brain can 1019 * profit from its built-in pattern recognition ability. 1020 * This technique is called "random art" and can be found in some 1021 * scientific publications like this original paper: 1022 * 1023 * "Hash Visualization: a New Technique to improve Real-World Security", 1024 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1025 * Techniques and E-Commerce (CrypTEC '99) 1026 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1027 * 1028 * The subject came up in a talk by Dan Kaminsky, too. 1029 * 1030 * If you see the picture is different, the key is different. 1031 * If the picture looks the same, you still know nothing. 1032 * 1033 * The algorithm used here is a worm crawling over a discrete plane, 1034 * leaving a trace (augmenting the field) everywhere it goes. 1035 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1036 * makes the respective movement vector be ignored for this turn. 1037 * Graphs are not unambiguous, because circles in graphs can be 1038 * walked in either direction. 1039 */ 1040 1041 /* 1042 * Field sizes for the random art. Have to be odd, so the starting point 1043 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1044 * Else pictures would be too dense, and drawing the frame would 1045 * fail, too, because the key type would not fit in anymore. 1046 */ 1047 #define FLDBASE 8 1048 #define FLDSIZE_Y (FLDBASE + 1) 1049 #define FLDSIZE_X (FLDBASE * 2 + 1) 1050 static char * 1051 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1052 const struct sshkey *k) 1053 { 1054 /* 1055 * Chars to be used after each other every time the worm 1056 * intersects with itself. Matter of taste. 1057 */ 1058 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1059 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1060 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1061 size_t i, tlen, hlen; 1062 u_int b; 1063 int x, y, r; 1064 size_t len = strlen(augmentation_string) - 1; 1065 1066 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1067 return NULL; 1068 1069 /* initialize field */ 1070 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1071 x = FLDSIZE_X / 2; 1072 y = FLDSIZE_Y / 2; 1073 1074 /* process raw key */ 1075 for (i = 0; i < dgst_raw_len; i++) { 1076 int input; 1077 /* each byte conveys four 2-bit move commands */ 1078 input = dgst_raw[i]; 1079 for (b = 0; b < 4; b++) { 1080 /* evaluate 2 bit, rest is shifted later */ 1081 x += (input & 0x1) ? 1 : -1; 1082 y += (input & 0x2) ? 1 : -1; 1083 1084 /* assure we are still in bounds */ 1085 x = MAX(x, 0); 1086 y = MAX(y, 0); 1087 x = MIN(x, FLDSIZE_X - 1); 1088 y = MIN(y, FLDSIZE_Y - 1); 1089 1090 /* augment the field */ 1091 if (field[x][y] < len - 2) 1092 field[x][y]++; 1093 input = input >> 2; 1094 } 1095 } 1096 1097 /* mark starting point and end point*/ 1098 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1099 field[x][y] = len; 1100 1101 /* assemble title */ 1102 r = snprintf(title, sizeof(title), "[%s %u]", 1103 sshkey_type(k), sshkey_size(k)); 1104 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1105 if (r < 0 || r > (int)sizeof(title)) 1106 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1107 tlen = (r <= 0) ? 0 : strlen(title); 1108 1109 /* assemble hash ID. */ 1110 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1111 hlen = (r <= 0) ? 0 : strlen(hash); 1112 1113 /* output upper border */ 1114 p = retval; 1115 *p++ = '+'; 1116 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1117 *p++ = '-'; 1118 memcpy(p, title, tlen); 1119 p += tlen; 1120 for (i += tlen; i < FLDSIZE_X; i++) 1121 *p++ = '-'; 1122 *p++ = '+'; 1123 *p++ = '\n'; 1124 1125 /* output content */ 1126 for (y = 0; y < FLDSIZE_Y; y++) { 1127 *p++ = '|'; 1128 for (x = 0; x < FLDSIZE_X; x++) 1129 *p++ = augmentation_string[MIN(field[x][y], len)]; 1130 *p++ = '|'; 1131 *p++ = '\n'; 1132 } 1133 1134 /* output lower border */ 1135 *p++ = '+'; 1136 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1137 *p++ = '-'; 1138 memcpy(p, hash, hlen); 1139 p += hlen; 1140 for (i += hlen; i < FLDSIZE_X; i++) 1141 *p++ = '-'; 1142 *p++ = '+'; 1143 1144 return retval; 1145 } 1146 1147 char * 1148 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1149 enum sshkey_fp_rep dgst_rep) 1150 { 1151 char *retval = NULL; 1152 u_char *dgst_raw; 1153 size_t dgst_raw_len; 1154 1155 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1156 return NULL; 1157 switch (dgst_rep) { 1158 case SSH_FP_DEFAULT: 1159 if (dgst_alg == SSH_DIGEST_MD5) { 1160 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1161 dgst_raw, dgst_raw_len); 1162 } else { 1163 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1164 dgst_raw, dgst_raw_len); 1165 } 1166 break; 1167 case SSH_FP_HEX: 1168 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1169 dgst_raw, dgst_raw_len); 1170 break; 1171 case SSH_FP_BASE64: 1172 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1173 dgst_raw, dgst_raw_len); 1174 break; 1175 case SSH_FP_BUBBLEBABBLE: 1176 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1177 break; 1178 case SSH_FP_RANDOMART: 1179 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1180 dgst_raw, dgst_raw_len, k); 1181 break; 1182 default: 1183 explicit_bzero(dgst_raw, dgst_raw_len); 1184 free(dgst_raw); 1185 return NULL; 1186 } 1187 explicit_bzero(dgst_raw, dgst_raw_len); 1188 free(dgst_raw); 1189 return retval; 1190 } 1191 1192 #ifdef WITH_SSH1 1193 /* 1194 * Reads a multiple-precision integer in decimal from the buffer, and advances 1195 * the pointer. The integer must already be initialized. This function is 1196 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1197 * last processed character. 1198 */ 1199 static int 1200 read_decimal_bignum(char **cpp, BIGNUM *v) 1201 { 1202 char *cp; 1203 size_t e; 1204 int skip = 1; /* skip white space */ 1205 1206 cp = *cpp; 1207 while (*cp == ' ' || *cp == '\t') 1208 cp++; 1209 e = strspn(cp, "0123456789"); 1210 if (e == 0) 1211 return SSH_ERR_INVALID_FORMAT; 1212 if (e > SSHBUF_MAX_BIGNUM * 3) 1213 return SSH_ERR_BIGNUM_TOO_LARGE; 1214 if (cp[e] == '\0') 1215 skip = 0; 1216 else if (strchr(" \t\r\n", cp[e]) == NULL) 1217 return SSH_ERR_INVALID_FORMAT; 1218 cp[e] = '\0'; 1219 if (BN_dec2bn(&v, cp) <= 0) 1220 return SSH_ERR_INVALID_FORMAT; 1221 *cpp = cp + e + skip; 1222 return 0; 1223 } 1224 #endif /* WITH_SSH1 */ 1225 1226 /* returns 0 ok, and < 0 error */ 1227 int 1228 sshkey_read(struct sshkey *ret, char **cpp) 1229 { 1230 struct sshkey *k; 1231 int retval = SSH_ERR_INVALID_FORMAT; 1232 char *ep, *cp, *space; 1233 int r, type, curve_nid = -1; 1234 struct sshbuf *blob; 1235 #ifdef WITH_SSH1 1236 u_long bits; 1237 #endif /* WITH_SSH1 */ 1238 1239 cp = *cpp; 1240 1241 switch (ret->type) { 1242 case KEY_RSA1: 1243 #ifdef WITH_SSH1 1244 /* Get number of bits. */ 1245 bits = strtoul(cp, &ep, 10); 1246 if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL || 1247 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1248 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1249 /* Get public exponent, public modulus. */ 1250 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1251 return r; 1252 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1253 return r; 1254 /* validate the claimed number of bits */ 1255 if (BN_num_bits(ret->rsa->n) != (int)bits) 1256 return SSH_ERR_KEY_BITS_MISMATCH; 1257 *cpp = ep; 1258 retval = 0; 1259 #endif /* WITH_SSH1 */ 1260 break; 1261 case KEY_UNSPEC: 1262 case KEY_RSA: 1263 case KEY_DSA: 1264 case KEY_ECDSA: 1265 case KEY_ED25519: 1266 case KEY_DSA_CERT: 1267 case KEY_ECDSA_CERT: 1268 case KEY_RSA_CERT: 1269 case KEY_ED25519_CERT: 1270 space = strchr(cp, ' '); 1271 if (space == NULL) 1272 return SSH_ERR_INVALID_FORMAT; 1273 *space = '\0'; 1274 type = sshkey_type_from_name(cp); 1275 if (sshkey_type_plain(type) == KEY_ECDSA && 1276 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1277 return SSH_ERR_EC_CURVE_INVALID; 1278 *space = ' '; 1279 if (type == KEY_UNSPEC) 1280 return SSH_ERR_INVALID_FORMAT; 1281 cp = space+1; 1282 if (*cp == '\0') 1283 return SSH_ERR_INVALID_FORMAT; 1284 if (ret->type != KEY_UNSPEC && ret->type != type) 1285 return SSH_ERR_KEY_TYPE_MISMATCH; 1286 if ((blob = sshbuf_new()) == NULL) 1287 return SSH_ERR_ALLOC_FAIL; 1288 /* trim comment */ 1289 space = strchr(cp, ' '); 1290 if (space) { 1291 /* advance 'space': skip whitespace */ 1292 *space++ = '\0'; 1293 while (*space == ' ' || *space == '\t') 1294 space++; 1295 ep = space; 1296 } else 1297 ep = cp + strlen(cp); 1298 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1299 sshbuf_free(blob); 1300 return r; 1301 } 1302 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1303 sshbuf_len(blob), &k)) != 0) { 1304 sshbuf_free(blob); 1305 return r; 1306 } 1307 sshbuf_free(blob); 1308 if (k->type != type) { 1309 sshkey_free(k); 1310 return SSH_ERR_KEY_TYPE_MISMATCH; 1311 } 1312 if (sshkey_type_plain(type) == KEY_ECDSA && 1313 curve_nid != k->ecdsa_nid) { 1314 sshkey_free(k); 1315 return SSH_ERR_EC_CURVE_MISMATCH; 1316 } 1317 ret->type = type; 1318 if (sshkey_is_cert(ret)) { 1319 if (!sshkey_is_cert(k)) { 1320 sshkey_free(k); 1321 return SSH_ERR_EXPECTED_CERT; 1322 } 1323 if (ret->cert != NULL) 1324 cert_free(ret->cert); 1325 ret->cert = k->cert; 1326 k->cert = NULL; 1327 } 1328 switch (sshkey_type_plain(ret->type)) { 1329 #ifdef WITH_OPENSSL 1330 case KEY_RSA: 1331 if (ret->rsa != NULL) 1332 RSA_free(ret->rsa); 1333 ret->rsa = k->rsa; 1334 k->rsa = NULL; 1335 #ifdef DEBUG_PK 1336 RSA_print_fp(stderr, ret->rsa, 8); 1337 #endif 1338 break; 1339 case KEY_DSA: 1340 if (ret->dsa != NULL) 1341 DSA_free(ret->dsa); 1342 ret->dsa = k->dsa; 1343 k->dsa = NULL; 1344 #ifdef DEBUG_PK 1345 DSA_print_fp(stderr, ret->dsa, 8); 1346 #endif 1347 break; 1348 # ifdef OPENSSL_HAS_ECC 1349 case KEY_ECDSA: 1350 if (ret->ecdsa != NULL) 1351 EC_KEY_free(ret->ecdsa); 1352 ret->ecdsa = k->ecdsa; 1353 ret->ecdsa_nid = k->ecdsa_nid; 1354 k->ecdsa = NULL; 1355 k->ecdsa_nid = -1; 1356 #ifdef DEBUG_PK 1357 sshkey_dump_ec_key(ret->ecdsa); 1358 #endif 1359 break; 1360 # endif /* OPENSSL_HAS_ECC */ 1361 #endif /* WITH_OPENSSL */ 1362 case KEY_ED25519: 1363 free(ret->ed25519_pk); 1364 ret->ed25519_pk = k->ed25519_pk; 1365 k->ed25519_pk = NULL; 1366 #ifdef DEBUG_PK 1367 /* XXX */ 1368 #endif 1369 break; 1370 } 1371 *cpp = ep; 1372 retval = 0; 1373 /*XXXX*/ 1374 sshkey_free(k); 1375 if (retval != 0) 1376 break; 1377 break; 1378 default: 1379 return SSH_ERR_INVALID_ARGUMENT; 1380 } 1381 return retval; 1382 } 1383 1384 int 1385 sshkey_to_base64(const struct sshkey *key, char **b64p) 1386 { 1387 int r = SSH_ERR_INTERNAL_ERROR; 1388 struct sshbuf *b = NULL; 1389 char *uu = NULL; 1390 1391 if (b64p != NULL) 1392 *b64p = NULL; 1393 if ((b = sshbuf_new()) == NULL) 1394 return SSH_ERR_ALLOC_FAIL; 1395 if ((r = sshkey_putb(key, b)) != 0) 1396 goto out; 1397 if ((uu = sshbuf_dtob64(b)) == NULL) { 1398 r = SSH_ERR_ALLOC_FAIL; 1399 goto out; 1400 } 1401 /* Success */ 1402 if (b64p != NULL) { 1403 *b64p = uu; 1404 uu = NULL; 1405 } 1406 r = 0; 1407 out: 1408 sshbuf_free(b); 1409 free(uu); 1410 return r; 1411 } 1412 1413 static int 1414 sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b) 1415 { 1416 int r = SSH_ERR_INTERNAL_ERROR; 1417 #ifdef WITH_SSH1 1418 u_int bits = 0; 1419 char *dec_e = NULL, *dec_n = NULL; 1420 1421 if (key->rsa == NULL || key->rsa->e == NULL || 1422 key->rsa->n == NULL) { 1423 r = SSH_ERR_INVALID_ARGUMENT; 1424 goto out; 1425 } 1426 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1427 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1428 r = SSH_ERR_ALLOC_FAIL; 1429 goto out; 1430 } 1431 /* size of modulus 'n' */ 1432 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1433 r = SSH_ERR_INVALID_ARGUMENT; 1434 goto out; 1435 } 1436 if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1437 goto out; 1438 1439 /* Success */ 1440 r = 0; 1441 out: 1442 if (dec_e != NULL) 1443 OPENSSL_free(dec_e); 1444 if (dec_n != NULL) 1445 OPENSSL_free(dec_n); 1446 #endif /* WITH_SSH1 */ 1447 1448 return r; 1449 } 1450 1451 static int 1452 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1453 { 1454 int r = SSH_ERR_INTERNAL_ERROR; 1455 char *uu = NULL; 1456 1457 if (key->type == KEY_RSA1) { 1458 if ((r = sshkey_format_rsa1(key, b)) != 0) 1459 goto out; 1460 } else { 1461 /* Unsupported key types handled in sshkey_to_base64() */ 1462 if ((r = sshkey_to_base64(key, &uu)) != 0) 1463 goto out; 1464 if ((r = sshbuf_putf(b, "%s %s", 1465 sshkey_ssh_name(key), uu)) != 0) 1466 goto out; 1467 } 1468 r = 0; 1469 out: 1470 free(uu); 1471 return r; 1472 } 1473 1474 int 1475 sshkey_write(const struct sshkey *key, FILE *f) 1476 { 1477 struct sshbuf *b = NULL; 1478 int r = SSH_ERR_INTERNAL_ERROR; 1479 1480 if ((b = sshbuf_new()) == NULL) 1481 return SSH_ERR_ALLOC_FAIL; 1482 if ((r = sshkey_format_text(key, b)) != 0) 1483 goto out; 1484 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1485 if (feof(f)) 1486 errno = EPIPE; 1487 r = SSH_ERR_SYSTEM_ERROR; 1488 goto out; 1489 } 1490 /* Success */ 1491 r = 0; 1492 out: 1493 sshbuf_free(b); 1494 return r; 1495 } 1496 1497 const char * 1498 sshkey_cert_type(const struct sshkey *k) 1499 { 1500 switch (k->cert->type) { 1501 case SSH2_CERT_TYPE_USER: 1502 return "user"; 1503 case SSH2_CERT_TYPE_HOST: 1504 return "host"; 1505 default: 1506 return "unknown"; 1507 } 1508 } 1509 1510 #ifdef WITH_OPENSSL 1511 static int 1512 rsa_generate_private_key(u_int bits, RSA **rsap) 1513 { 1514 RSA *private = NULL; 1515 BIGNUM *f4 = NULL; 1516 int ret = SSH_ERR_INTERNAL_ERROR; 1517 1518 if (rsap == NULL || 1519 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1520 bits > SSHBUF_MAX_BIGNUM * 8) 1521 return SSH_ERR_INVALID_ARGUMENT; 1522 *rsap = NULL; 1523 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1524 ret = SSH_ERR_ALLOC_FAIL; 1525 goto out; 1526 } 1527 if (!BN_set_word(f4, RSA_F4) || 1528 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1529 ret = SSH_ERR_LIBCRYPTO_ERROR; 1530 goto out; 1531 } 1532 *rsap = private; 1533 private = NULL; 1534 ret = 0; 1535 out: 1536 if (private != NULL) 1537 RSA_free(private); 1538 if (f4 != NULL) 1539 BN_free(f4); 1540 return ret; 1541 } 1542 1543 static int 1544 dsa_generate_private_key(u_int bits, DSA **dsap) 1545 { 1546 DSA *private; 1547 int ret = SSH_ERR_INTERNAL_ERROR; 1548 1549 if (dsap == NULL || bits != 1024) 1550 return SSH_ERR_INVALID_ARGUMENT; 1551 if ((private = DSA_new()) == NULL) { 1552 ret = SSH_ERR_ALLOC_FAIL; 1553 goto out; 1554 } 1555 *dsap = NULL; 1556 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1557 NULL, NULL) || !DSA_generate_key(private)) { 1558 ret = SSH_ERR_LIBCRYPTO_ERROR; 1559 goto out; 1560 } 1561 *dsap = private; 1562 private = NULL; 1563 ret = 0; 1564 out: 1565 if (private != NULL) 1566 DSA_free(private); 1567 return ret; 1568 } 1569 1570 # ifdef OPENSSL_HAS_ECC 1571 int 1572 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1573 { 1574 EC_GROUP *eg; 1575 int nids[] = { 1576 NID_X9_62_prime256v1, 1577 NID_secp384r1, 1578 # ifdef OPENSSL_HAS_NISTP521 1579 NID_secp521r1, 1580 # endif /* OPENSSL_HAS_NISTP521 */ 1581 -1 1582 }; 1583 int nid; 1584 u_int i; 1585 BN_CTX *bnctx; 1586 const EC_GROUP *g = EC_KEY_get0_group(k); 1587 1588 /* 1589 * The group may be stored in a ASN.1 encoded private key in one of two 1590 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1591 * or explicit group parameters encoded into the key blob. Only the 1592 * "named group" case sets the group NID for us, but we can figure 1593 * it out for the other case by comparing against all the groups that 1594 * are supported. 1595 */ 1596 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1597 return nid; 1598 if ((bnctx = BN_CTX_new()) == NULL) 1599 return -1; 1600 for (i = 0; nids[i] != -1; i++) { 1601 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1602 BN_CTX_free(bnctx); 1603 return -1; 1604 } 1605 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1606 break; 1607 EC_GROUP_free(eg); 1608 } 1609 BN_CTX_free(bnctx); 1610 if (nids[i] != -1) { 1611 /* Use the group with the NID attached */ 1612 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1613 if (EC_KEY_set_group(k, eg) != 1) { 1614 EC_GROUP_free(eg); 1615 return -1; 1616 } 1617 } 1618 return nids[i]; 1619 } 1620 1621 static int 1622 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1623 { 1624 EC_KEY *private; 1625 int ret = SSH_ERR_INTERNAL_ERROR; 1626 1627 if (nid == NULL || ecdsap == NULL || 1628 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1629 return SSH_ERR_INVALID_ARGUMENT; 1630 *ecdsap = NULL; 1631 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1632 ret = SSH_ERR_ALLOC_FAIL; 1633 goto out; 1634 } 1635 if (EC_KEY_generate_key(private) != 1) { 1636 ret = SSH_ERR_LIBCRYPTO_ERROR; 1637 goto out; 1638 } 1639 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1640 *ecdsap = private; 1641 private = NULL; 1642 ret = 0; 1643 out: 1644 if (private != NULL) 1645 EC_KEY_free(private); 1646 return ret; 1647 } 1648 # endif /* OPENSSL_HAS_ECC */ 1649 #endif /* WITH_OPENSSL */ 1650 1651 int 1652 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1653 { 1654 struct sshkey *k; 1655 int ret = SSH_ERR_INTERNAL_ERROR; 1656 1657 if (keyp == NULL) 1658 return SSH_ERR_INVALID_ARGUMENT; 1659 *keyp = NULL; 1660 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1661 return SSH_ERR_ALLOC_FAIL; 1662 switch (type) { 1663 case KEY_ED25519: 1664 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1665 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1666 ret = SSH_ERR_ALLOC_FAIL; 1667 break; 1668 } 1669 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1670 ret = 0; 1671 break; 1672 #ifdef WITH_OPENSSL 1673 case KEY_DSA: 1674 ret = dsa_generate_private_key(bits, &k->dsa); 1675 break; 1676 # ifdef OPENSSL_HAS_ECC 1677 case KEY_ECDSA: 1678 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1679 &k->ecdsa); 1680 break; 1681 # endif /* OPENSSL_HAS_ECC */ 1682 case KEY_RSA: 1683 case KEY_RSA1: 1684 ret = rsa_generate_private_key(bits, &k->rsa); 1685 break; 1686 #endif /* WITH_OPENSSL */ 1687 default: 1688 ret = SSH_ERR_INVALID_ARGUMENT; 1689 } 1690 if (ret == 0) { 1691 k->type = type; 1692 *keyp = k; 1693 } else 1694 sshkey_free(k); 1695 return ret; 1696 } 1697 1698 int 1699 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1700 { 1701 u_int i; 1702 const struct sshkey_cert *from; 1703 struct sshkey_cert *to; 1704 int ret = SSH_ERR_INTERNAL_ERROR; 1705 1706 if (to_key->cert != NULL) { 1707 cert_free(to_key->cert); 1708 to_key->cert = NULL; 1709 } 1710 1711 if ((from = from_key->cert) == NULL) 1712 return SSH_ERR_INVALID_ARGUMENT; 1713 1714 if ((to = to_key->cert = cert_new()) == NULL) 1715 return SSH_ERR_ALLOC_FAIL; 1716 1717 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1718 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1719 (ret = sshbuf_putb(to->extensions, from->extensions)) != 0) 1720 return ret; 1721 1722 to->serial = from->serial; 1723 to->type = from->type; 1724 if (from->key_id == NULL) 1725 to->key_id = NULL; 1726 else if ((to->key_id = strdup(from->key_id)) == NULL) 1727 return SSH_ERR_ALLOC_FAIL; 1728 to->valid_after = from->valid_after; 1729 to->valid_before = from->valid_before; 1730 if (from->signature_key == NULL) 1731 to->signature_key = NULL; 1732 else if ((ret = sshkey_from_private(from->signature_key, 1733 &to->signature_key)) != 0) 1734 return ret; 1735 1736 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1737 return SSH_ERR_INVALID_ARGUMENT; 1738 if (from->nprincipals > 0) { 1739 if ((to->principals = calloc(from->nprincipals, 1740 sizeof(*to->principals))) == NULL) 1741 return SSH_ERR_ALLOC_FAIL; 1742 for (i = 0; i < from->nprincipals; i++) { 1743 to->principals[i] = strdup(from->principals[i]); 1744 if (to->principals[i] == NULL) { 1745 to->nprincipals = i; 1746 return SSH_ERR_ALLOC_FAIL; 1747 } 1748 } 1749 } 1750 to->nprincipals = from->nprincipals; 1751 return 0; 1752 } 1753 1754 int 1755 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1756 { 1757 struct sshkey *n = NULL; 1758 int ret = SSH_ERR_INTERNAL_ERROR; 1759 1760 *pkp = NULL; 1761 switch (k->type) { 1762 #ifdef WITH_OPENSSL 1763 case KEY_DSA: 1764 case KEY_DSA_CERT: 1765 if ((n = sshkey_new(k->type)) == NULL) 1766 return SSH_ERR_ALLOC_FAIL; 1767 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1768 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1769 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1770 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1771 sshkey_free(n); 1772 return SSH_ERR_ALLOC_FAIL; 1773 } 1774 break; 1775 # ifdef OPENSSL_HAS_ECC 1776 case KEY_ECDSA: 1777 case KEY_ECDSA_CERT: 1778 if ((n = sshkey_new(k->type)) == NULL) 1779 return SSH_ERR_ALLOC_FAIL; 1780 n->ecdsa_nid = k->ecdsa_nid; 1781 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1782 if (n->ecdsa == NULL) { 1783 sshkey_free(n); 1784 return SSH_ERR_ALLOC_FAIL; 1785 } 1786 if (EC_KEY_set_public_key(n->ecdsa, 1787 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1788 sshkey_free(n); 1789 return SSH_ERR_LIBCRYPTO_ERROR; 1790 } 1791 break; 1792 # endif /* OPENSSL_HAS_ECC */ 1793 case KEY_RSA: 1794 case KEY_RSA1: 1795 case KEY_RSA_CERT: 1796 if ((n = sshkey_new(k->type)) == NULL) 1797 return SSH_ERR_ALLOC_FAIL; 1798 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1799 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1800 sshkey_free(n); 1801 return SSH_ERR_ALLOC_FAIL; 1802 } 1803 break; 1804 #endif /* WITH_OPENSSL */ 1805 case KEY_ED25519: 1806 case KEY_ED25519_CERT: 1807 if ((n = sshkey_new(k->type)) == NULL) 1808 return SSH_ERR_ALLOC_FAIL; 1809 if (k->ed25519_pk != NULL) { 1810 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1811 sshkey_free(n); 1812 return SSH_ERR_ALLOC_FAIL; 1813 } 1814 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1815 } 1816 break; 1817 default: 1818 return SSH_ERR_KEY_TYPE_UNKNOWN; 1819 } 1820 if (sshkey_is_cert(k)) { 1821 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1822 sshkey_free(n); 1823 return ret; 1824 } 1825 } 1826 *pkp = n; 1827 return 0; 1828 } 1829 1830 static int 1831 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1832 { 1833 struct sshbuf *principals = NULL, *crit = NULL; 1834 struct sshbuf *exts = NULL, *ca = NULL; 1835 u_char *sig = NULL; 1836 size_t signed_len = 0, slen = 0, kidlen = 0; 1837 int ret = SSH_ERR_INTERNAL_ERROR; 1838 1839 /* Copy the entire key blob for verification and later serialisation */ 1840 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1841 return ret; 1842 1843 /* Parse body of certificate up to signature */ 1844 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1845 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1846 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1847 (ret = sshbuf_froms(b, &principals)) != 0 || 1848 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1849 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1850 (ret = sshbuf_froms(b, &crit)) != 0 || 1851 (ret = sshbuf_froms(b, &exts)) != 0 || 1852 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1853 (ret = sshbuf_froms(b, &ca)) != 0) { 1854 /* XXX debug print error for ret */ 1855 ret = SSH_ERR_INVALID_FORMAT; 1856 goto out; 1857 } 1858 1859 /* Signature is left in the buffer so we can calculate this length */ 1860 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1861 1862 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1863 ret = SSH_ERR_INVALID_FORMAT; 1864 goto out; 1865 } 1866 1867 if (key->cert->type != SSH2_CERT_TYPE_USER && 1868 key->cert->type != SSH2_CERT_TYPE_HOST) { 1869 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1870 goto out; 1871 } 1872 1873 /* Parse principals section */ 1874 while (sshbuf_len(principals) > 0) { 1875 char *principal = NULL; 1876 char **oprincipals = NULL; 1877 1878 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1879 ret = SSH_ERR_INVALID_FORMAT; 1880 goto out; 1881 } 1882 if ((ret = sshbuf_get_cstring(principals, &principal, 1883 NULL)) != 0) { 1884 ret = SSH_ERR_INVALID_FORMAT; 1885 goto out; 1886 } 1887 oprincipals = key->cert->principals; 1888 key->cert->principals = reallocarray(key->cert->principals, 1889 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1890 if (key->cert->principals == NULL) { 1891 free(principal); 1892 key->cert->principals = oprincipals; 1893 ret = SSH_ERR_ALLOC_FAIL; 1894 goto out; 1895 } 1896 key->cert->principals[key->cert->nprincipals++] = principal; 1897 } 1898 1899 /* 1900 * Stash a copies of the critical options and extensions sections 1901 * for later use. 1902 */ 1903 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1904 (exts != NULL && 1905 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1906 goto out; 1907 1908 /* 1909 * Validate critical options and extensions sections format. 1910 */ 1911 while (sshbuf_len(crit) != 0) { 1912 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1913 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1914 sshbuf_reset(key->cert->critical); 1915 ret = SSH_ERR_INVALID_FORMAT; 1916 goto out; 1917 } 1918 } 1919 while (exts != NULL && sshbuf_len(exts) != 0) { 1920 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1921 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1922 sshbuf_reset(key->cert->extensions); 1923 ret = SSH_ERR_INVALID_FORMAT; 1924 goto out; 1925 } 1926 } 1927 1928 /* Parse CA key and check signature */ 1929 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1930 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1931 goto out; 1932 } 1933 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1934 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1935 goto out; 1936 } 1937 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1938 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1939 goto out; 1940 1941 /* Success */ 1942 ret = 0; 1943 out: 1944 sshbuf_free(ca); 1945 sshbuf_free(crit); 1946 sshbuf_free(exts); 1947 sshbuf_free(principals); 1948 free(sig); 1949 return ret; 1950 } 1951 1952 static int 1953 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1954 int allow_cert) 1955 { 1956 int type, ret = SSH_ERR_INTERNAL_ERROR; 1957 char *ktype = NULL, *curve = NULL; 1958 struct sshkey *key = NULL; 1959 size_t len; 1960 u_char *pk = NULL; 1961 struct sshbuf *copy; 1962 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 1963 EC_POINT *q = NULL; 1964 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 1965 1966 #ifdef DEBUG_PK /* XXX */ 1967 sshbuf_dump(b, stderr); 1968 #endif 1969 if (keyp != NULL) 1970 *keyp = NULL; 1971 if ((copy = sshbuf_fromb(b)) == NULL) { 1972 ret = SSH_ERR_ALLOC_FAIL; 1973 goto out; 1974 } 1975 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1976 ret = SSH_ERR_INVALID_FORMAT; 1977 goto out; 1978 } 1979 1980 type = sshkey_type_from_name(ktype); 1981 if (!allow_cert && sshkey_type_is_cert(type)) { 1982 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1983 goto out; 1984 } 1985 switch (type) { 1986 #ifdef WITH_OPENSSL 1987 case KEY_RSA_CERT: 1988 /* Skip nonce */ 1989 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1990 ret = SSH_ERR_INVALID_FORMAT; 1991 goto out; 1992 } 1993 /* FALLTHROUGH */ 1994 case KEY_RSA: 1995 if ((key = sshkey_new(type)) == NULL) { 1996 ret = SSH_ERR_ALLOC_FAIL; 1997 goto out; 1998 } 1999 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 2000 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 2001 ret = SSH_ERR_INVALID_FORMAT; 2002 goto out; 2003 } 2004 #ifdef DEBUG_PK 2005 RSA_print_fp(stderr, key->rsa, 8); 2006 #endif 2007 break; 2008 case KEY_DSA_CERT: 2009 /* Skip nonce */ 2010 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2011 ret = SSH_ERR_INVALID_FORMAT; 2012 goto out; 2013 } 2014 /* FALLTHROUGH */ 2015 case KEY_DSA: 2016 if ((key = sshkey_new(type)) == NULL) { 2017 ret = SSH_ERR_ALLOC_FAIL; 2018 goto out; 2019 } 2020 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 2021 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 2022 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 2023 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 2024 ret = SSH_ERR_INVALID_FORMAT; 2025 goto out; 2026 } 2027 #ifdef DEBUG_PK 2028 DSA_print_fp(stderr, key->dsa, 8); 2029 #endif 2030 break; 2031 case KEY_ECDSA_CERT: 2032 /* Skip nonce */ 2033 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2034 ret = SSH_ERR_INVALID_FORMAT; 2035 goto out; 2036 } 2037 /* FALLTHROUGH */ 2038 # ifdef OPENSSL_HAS_ECC 2039 case KEY_ECDSA: 2040 if ((key = sshkey_new(type)) == NULL) { 2041 ret = SSH_ERR_ALLOC_FAIL; 2042 goto out; 2043 } 2044 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2045 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2046 ret = SSH_ERR_INVALID_FORMAT; 2047 goto out; 2048 } 2049 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2050 ret = SSH_ERR_EC_CURVE_MISMATCH; 2051 goto out; 2052 } 2053 if (key->ecdsa != NULL) 2054 EC_KEY_free(key->ecdsa); 2055 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2056 == NULL) { 2057 ret = SSH_ERR_EC_CURVE_INVALID; 2058 goto out; 2059 } 2060 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2061 ret = SSH_ERR_ALLOC_FAIL; 2062 goto out; 2063 } 2064 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2065 ret = SSH_ERR_INVALID_FORMAT; 2066 goto out; 2067 } 2068 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2069 q) != 0) { 2070 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2071 goto out; 2072 } 2073 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2074 /* XXX assume it is a allocation error */ 2075 ret = SSH_ERR_ALLOC_FAIL; 2076 goto out; 2077 } 2078 #ifdef DEBUG_PK 2079 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2080 #endif 2081 break; 2082 # endif /* OPENSSL_HAS_ECC */ 2083 #endif /* WITH_OPENSSL */ 2084 case KEY_ED25519_CERT: 2085 /* Skip nonce */ 2086 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2087 ret = SSH_ERR_INVALID_FORMAT; 2088 goto out; 2089 } 2090 /* FALLTHROUGH */ 2091 case KEY_ED25519: 2092 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2093 goto out; 2094 if (len != ED25519_PK_SZ) { 2095 ret = SSH_ERR_INVALID_FORMAT; 2096 goto out; 2097 } 2098 if ((key = sshkey_new(type)) == NULL) { 2099 ret = SSH_ERR_ALLOC_FAIL; 2100 goto out; 2101 } 2102 key->ed25519_pk = pk; 2103 pk = NULL; 2104 break; 2105 case KEY_UNSPEC: 2106 if ((key = sshkey_new(type)) == NULL) { 2107 ret = SSH_ERR_ALLOC_FAIL; 2108 goto out; 2109 } 2110 break; 2111 default: 2112 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2113 goto out; 2114 } 2115 2116 /* Parse certificate potion */ 2117 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2118 goto out; 2119 2120 if (key != NULL && sshbuf_len(b) != 0) { 2121 ret = SSH_ERR_INVALID_FORMAT; 2122 goto out; 2123 } 2124 ret = 0; 2125 if (keyp != NULL) { 2126 *keyp = key; 2127 key = NULL; 2128 } 2129 out: 2130 sshbuf_free(copy); 2131 sshkey_free(key); 2132 free(ktype); 2133 free(curve); 2134 free(pk); 2135 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 2136 if (q != NULL) 2137 EC_POINT_free(q); 2138 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 2139 return ret; 2140 } 2141 2142 int 2143 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2144 { 2145 struct sshbuf *b; 2146 int r; 2147 2148 if ((b = sshbuf_from(blob, blen)) == NULL) 2149 return SSH_ERR_ALLOC_FAIL; 2150 r = sshkey_from_blob_internal(b, keyp, 1); 2151 sshbuf_free(b); 2152 return r; 2153 } 2154 2155 int 2156 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2157 { 2158 return sshkey_from_blob_internal(b, keyp, 1); 2159 } 2160 2161 int 2162 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2163 { 2164 struct sshbuf *b; 2165 int r; 2166 2167 if ((r = sshbuf_froms(buf, &b)) != 0) 2168 return r; 2169 r = sshkey_from_blob_internal(b, keyp, 1); 2170 sshbuf_free(b); 2171 return r; 2172 } 2173 2174 int 2175 sshkey_sign(const struct sshkey *key, 2176 u_char **sigp, size_t *lenp, 2177 const u_char *data, size_t datalen, const char *alg, u_int compat) 2178 { 2179 if (sigp != NULL) 2180 *sigp = NULL; 2181 if (lenp != NULL) 2182 *lenp = 0; 2183 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2184 return SSH_ERR_INVALID_ARGUMENT; 2185 switch (key->type) { 2186 #ifdef WITH_OPENSSL 2187 case KEY_DSA_CERT: 2188 case KEY_DSA: 2189 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2190 # ifdef OPENSSL_HAS_ECC 2191 case KEY_ECDSA_CERT: 2192 case KEY_ECDSA: 2193 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2194 # endif /* OPENSSL_HAS_ECC */ 2195 case KEY_RSA_CERT: 2196 case KEY_RSA: 2197 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); 2198 #endif /* WITH_OPENSSL */ 2199 case KEY_ED25519: 2200 case KEY_ED25519_CERT: 2201 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2202 default: 2203 return SSH_ERR_KEY_TYPE_UNKNOWN; 2204 } 2205 } 2206 2207 /* 2208 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2209 */ 2210 int 2211 sshkey_verify(const struct sshkey *key, 2212 const u_char *sig, size_t siglen, 2213 const u_char *data, size_t dlen, u_int compat) 2214 { 2215 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2216 return SSH_ERR_INVALID_ARGUMENT; 2217 switch (key->type) { 2218 #ifdef WITH_OPENSSL 2219 case KEY_DSA_CERT: 2220 case KEY_DSA: 2221 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2222 # ifdef OPENSSL_HAS_ECC 2223 case KEY_ECDSA_CERT: 2224 case KEY_ECDSA: 2225 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2226 # endif /* OPENSSL_HAS_ECC */ 2227 case KEY_RSA_CERT: 2228 case KEY_RSA: 2229 return ssh_rsa_verify(key, sig, siglen, data, dlen); 2230 #endif /* WITH_OPENSSL */ 2231 case KEY_ED25519: 2232 case KEY_ED25519_CERT: 2233 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2234 default: 2235 return SSH_ERR_KEY_TYPE_UNKNOWN; 2236 } 2237 } 2238 2239 /* Converts a private to a public key */ 2240 int 2241 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2242 { 2243 struct sshkey *pk; 2244 int ret = SSH_ERR_INTERNAL_ERROR; 2245 2246 *dkp = NULL; 2247 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2248 return SSH_ERR_ALLOC_FAIL; 2249 pk->type = k->type; 2250 pk->flags = k->flags; 2251 pk->ecdsa_nid = k->ecdsa_nid; 2252 pk->dsa = NULL; 2253 pk->ecdsa = NULL; 2254 pk->rsa = NULL; 2255 pk->ed25519_pk = NULL; 2256 pk->ed25519_sk = NULL; 2257 2258 switch (k->type) { 2259 #ifdef WITH_OPENSSL 2260 case KEY_RSA_CERT: 2261 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2262 goto fail; 2263 /* FALLTHROUGH */ 2264 case KEY_RSA1: 2265 case KEY_RSA: 2266 if ((pk->rsa = RSA_new()) == NULL || 2267 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2268 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2269 ret = SSH_ERR_ALLOC_FAIL; 2270 goto fail; 2271 } 2272 break; 2273 case KEY_DSA_CERT: 2274 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2275 goto fail; 2276 /* FALLTHROUGH */ 2277 case KEY_DSA: 2278 if ((pk->dsa = DSA_new()) == NULL || 2279 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2280 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2281 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2282 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2283 ret = SSH_ERR_ALLOC_FAIL; 2284 goto fail; 2285 } 2286 break; 2287 case KEY_ECDSA_CERT: 2288 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2289 goto fail; 2290 /* FALLTHROUGH */ 2291 # ifdef OPENSSL_HAS_ECC 2292 case KEY_ECDSA: 2293 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2294 if (pk->ecdsa == NULL) { 2295 ret = SSH_ERR_ALLOC_FAIL; 2296 goto fail; 2297 } 2298 if (EC_KEY_set_public_key(pk->ecdsa, 2299 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2300 ret = SSH_ERR_LIBCRYPTO_ERROR; 2301 goto fail; 2302 } 2303 break; 2304 # endif /* OPENSSL_HAS_ECC */ 2305 #endif /* WITH_OPENSSL */ 2306 case KEY_ED25519_CERT: 2307 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2308 goto fail; 2309 /* FALLTHROUGH */ 2310 case KEY_ED25519: 2311 if (k->ed25519_pk != NULL) { 2312 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2313 ret = SSH_ERR_ALLOC_FAIL; 2314 goto fail; 2315 } 2316 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2317 } 2318 break; 2319 default: 2320 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2321 fail: 2322 sshkey_free(pk); 2323 return ret; 2324 } 2325 *dkp = pk; 2326 return 0; 2327 } 2328 2329 /* Convert a plain key to their _CERT equivalent */ 2330 int 2331 sshkey_to_certified(struct sshkey *k) 2332 { 2333 int newtype; 2334 2335 switch (k->type) { 2336 #ifdef WITH_OPENSSL 2337 case KEY_RSA: 2338 newtype = KEY_RSA_CERT; 2339 break; 2340 case KEY_DSA: 2341 newtype = KEY_DSA_CERT; 2342 break; 2343 case KEY_ECDSA: 2344 newtype = KEY_ECDSA_CERT; 2345 break; 2346 #endif /* WITH_OPENSSL */ 2347 case KEY_ED25519: 2348 newtype = KEY_ED25519_CERT; 2349 break; 2350 default: 2351 return SSH_ERR_INVALID_ARGUMENT; 2352 } 2353 if ((k->cert = cert_new()) == NULL) 2354 return SSH_ERR_ALLOC_FAIL; 2355 k->type = newtype; 2356 return 0; 2357 } 2358 2359 /* Convert a certificate to its raw key equivalent */ 2360 int 2361 sshkey_drop_cert(struct sshkey *k) 2362 { 2363 if (!sshkey_type_is_cert(k->type)) 2364 return SSH_ERR_KEY_TYPE_UNKNOWN; 2365 cert_free(k->cert); 2366 k->cert = NULL; 2367 k->type = sshkey_type_plain(k->type); 2368 return 0; 2369 } 2370 2371 /* Sign a certified key, (re-)generating the signed certblob. */ 2372 int 2373 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg) 2374 { 2375 struct sshbuf *principals = NULL; 2376 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2377 size_t i, ca_len, sig_len; 2378 int ret = SSH_ERR_INTERNAL_ERROR; 2379 struct sshbuf *cert; 2380 2381 if (k == NULL || k->cert == NULL || 2382 k->cert->certblob == NULL || ca == NULL) 2383 return SSH_ERR_INVALID_ARGUMENT; 2384 if (!sshkey_is_cert(k)) 2385 return SSH_ERR_KEY_TYPE_UNKNOWN; 2386 if (!sshkey_type_is_valid_ca(ca->type)) 2387 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2388 2389 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2390 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2391 2392 cert = k->cert->certblob; /* for readability */ 2393 sshbuf_reset(cert); 2394 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2395 goto out; 2396 2397 /* -v01 certs put nonce first */ 2398 arc4random_buf(&nonce, sizeof(nonce)); 2399 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2400 goto out; 2401 2402 /* XXX this substantially duplicates to_blob(); refactor */ 2403 switch (k->type) { 2404 #ifdef WITH_OPENSSL 2405 case KEY_DSA_CERT: 2406 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2407 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2408 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2409 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2410 goto out; 2411 break; 2412 # ifdef OPENSSL_HAS_ECC 2413 case KEY_ECDSA_CERT: 2414 if ((ret = sshbuf_put_cstring(cert, 2415 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2416 (ret = sshbuf_put_ec(cert, 2417 EC_KEY_get0_public_key(k->ecdsa), 2418 EC_KEY_get0_group(k->ecdsa))) != 0) 2419 goto out; 2420 break; 2421 # endif /* OPENSSL_HAS_ECC */ 2422 case KEY_RSA_CERT: 2423 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2424 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2425 goto out; 2426 break; 2427 #endif /* WITH_OPENSSL */ 2428 case KEY_ED25519_CERT: 2429 if ((ret = sshbuf_put_string(cert, 2430 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2431 goto out; 2432 break; 2433 default: 2434 ret = SSH_ERR_INVALID_ARGUMENT; 2435 goto out; 2436 } 2437 2438 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2439 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2440 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2441 goto out; 2442 2443 if ((principals = sshbuf_new()) == NULL) { 2444 ret = SSH_ERR_ALLOC_FAIL; 2445 goto out; 2446 } 2447 for (i = 0; i < k->cert->nprincipals; i++) { 2448 if ((ret = sshbuf_put_cstring(principals, 2449 k->cert->principals[i])) != 0) 2450 goto out; 2451 } 2452 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2453 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2454 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2455 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2456 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2457 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2458 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2459 goto out; 2460 2461 /* Sign the whole mess */ 2462 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2463 sshbuf_len(cert), alg, 0)) != 0) 2464 goto out; 2465 2466 /* Append signature and we are done */ 2467 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2468 goto out; 2469 ret = 0; 2470 out: 2471 if (ret != 0) 2472 sshbuf_reset(cert); 2473 free(sig_blob); 2474 free(ca_blob); 2475 sshbuf_free(principals); 2476 return ret; 2477 } 2478 2479 int 2480 sshkey_cert_check_authority(const struct sshkey *k, 2481 int want_host, int require_principal, 2482 const char *name, const char **reason) 2483 { 2484 u_int i, principal_matches; 2485 time_t now = time(NULL); 2486 2487 if (reason != NULL) 2488 *reason = NULL; 2489 2490 if (want_host) { 2491 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2492 *reason = "Certificate invalid: not a host certificate"; 2493 return SSH_ERR_KEY_CERT_INVALID; 2494 } 2495 } else { 2496 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2497 *reason = "Certificate invalid: not a user certificate"; 2498 return SSH_ERR_KEY_CERT_INVALID; 2499 } 2500 } 2501 if (now < 0) { 2502 /* yikes - system clock before epoch! */ 2503 *reason = "Certificate invalid: not yet valid"; 2504 return SSH_ERR_KEY_CERT_INVALID; 2505 } 2506 if ((u_int64_t)now < k->cert->valid_after) { 2507 *reason = "Certificate invalid: not yet valid"; 2508 return SSH_ERR_KEY_CERT_INVALID; 2509 } 2510 if ((u_int64_t)now >= k->cert->valid_before) { 2511 *reason = "Certificate invalid: expired"; 2512 return SSH_ERR_KEY_CERT_INVALID; 2513 } 2514 if (k->cert->nprincipals == 0) { 2515 if (require_principal) { 2516 *reason = "Certificate lacks principal list"; 2517 return SSH_ERR_KEY_CERT_INVALID; 2518 } 2519 } else if (name != NULL) { 2520 principal_matches = 0; 2521 for (i = 0; i < k->cert->nprincipals; i++) { 2522 if (strcmp(name, k->cert->principals[i]) == 0) { 2523 principal_matches = 1; 2524 break; 2525 } 2526 } 2527 if (!principal_matches) { 2528 *reason = "Certificate invalid: name is not a listed " 2529 "principal"; 2530 return SSH_ERR_KEY_CERT_INVALID; 2531 } 2532 } 2533 return 0; 2534 } 2535 2536 size_t 2537 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2538 { 2539 char from[32], to[32], ret[64]; 2540 time_t tt; 2541 struct tm *tm; 2542 2543 *from = *to = '\0'; 2544 if (cert->valid_after == 0 && 2545 cert->valid_before == 0xffffffffffffffffULL) 2546 return strlcpy(s, "forever", l); 2547 2548 if (cert->valid_after != 0) { 2549 /* XXX revisit INT_MAX in 2038 :) */ 2550 tt = cert->valid_after > INT_MAX ? 2551 INT_MAX : cert->valid_after; 2552 tm = localtime(&tt); 2553 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm); 2554 } 2555 if (cert->valid_before != 0xffffffffffffffffULL) { 2556 /* XXX revisit INT_MAX in 2038 :) */ 2557 tt = cert->valid_before > INT_MAX ? 2558 INT_MAX : cert->valid_before; 2559 tm = localtime(&tt); 2560 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm); 2561 } 2562 2563 if (cert->valid_after == 0) 2564 snprintf(ret, sizeof(ret), "before %s", to); 2565 else if (cert->valid_before == 0xffffffffffffffffULL) 2566 snprintf(ret, sizeof(ret), "after %s", from); 2567 else 2568 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2569 2570 return strlcpy(s, ret, l); 2571 } 2572 2573 int 2574 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2575 { 2576 int r = SSH_ERR_INTERNAL_ERROR; 2577 2578 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2579 goto out; 2580 switch (key->type) { 2581 #ifdef WITH_OPENSSL 2582 case KEY_RSA: 2583 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2584 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2585 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2586 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2587 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2588 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2589 goto out; 2590 break; 2591 case KEY_RSA_CERT: 2592 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2593 r = SSH_ERR_INVALID_ARGUMENT; 2594 goto out; 2595 } 2596 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2597 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2598 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2599 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2600 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2601 goto out; 2602 break; 2603 case KEY_DSA: 2604 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2605 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2606 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2607 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2608 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2609 goto out; 2610 break; 2611 case KEY_DSA_CERT: 2612 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2613 r = SSH_ERR_INVALID_ARGUMENT; 2614 goto out; 2615 } 2616 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2617 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2618 goto out; 2619 break; 2620 # ifdef OPENSSL_HAS_ECC 2621 case KEY_ECDSA: 2622 if ((r = sshbuf_put_cstring(b, 2623 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2624 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2625 (r = sshbuf_put_bignum2(b, 2626 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2627 goto out; 2628 break; 2629 case KEY_ECDSA_CERT: 2630 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2631 r = SSH_ERR_INVALID_ARGUMENT; 2632 goto out; 2633 } 2634 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2635 (r = sshbuf_put_bignum2(b, 2636 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2637 goto out; 2638 break; 2639 # endif /* OPENSSL_HAS_ECC */ 2640 #endif /* WITH_OPENSSL */ 2641 case KEY_ED25519: 2642 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2643 ED25519_PK_SZ)) != 0 || 2644 (r = sshbuf_put_string(b, key->ed25519_sk, 2645 ED25519_SK_SZ)) != 0) 2646 goto out; 2647 break; 2648 case KEY_ED25519_CERT: 2649 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2650 r = SSH_ERR_INVALID_ARGUMENT; 2651 goto out; 2652 } 2653 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2654 (r = sshbuf_put_string(b, key->ed25519_pk, 2655 ED25519_PK_SZ)) != 0 || 2656 (r = sshbuf_put_string(b, key->ed25519_sk, 2657 ED25519_SK_SZ)) != 0) 2658 goto out; 2659 break; 2660 default: 2661 r = SSH_ERR_INVALID_ARGUMENT; 2662 goto out; 2663 } 2664 /* success */ 2665 r = 0; 2666 out: 2667 return r; 2668 } 2669 2670 int 2671 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2672 { 2673 char *tname = NULL, *curve = NULL; 2674 struct sshkey *k = NULL; 2675 size_t pklen = 0, sklen = 0; 2676 int type, r = SSH_ERR_INTERNAL_ERROR; 2677 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2678 #ifdef WITH_OPENSSL 2679 BIGNUM *exponent = NULL; 2680 #endif /* WITH_OPENSSL */ 2681 2682 if (kp != NULL) 2683 *kp = NULL; 2684 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2685 goto out; 2686 type = sshkey_type_from_name(tname); 2687 switch (type) { 2688 #ifdef WITH_OPENSSL 2689 case KEY_DSA: 2690 if ((k = sshkey_new_private(type)) == NULL) { 2691 r = SSH_ERR_ALLOC_FAIL; 2692 goto out; 2693 } 2694 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2695 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2696 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2697 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2698 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2699 goto out; 2700 break; 2701 case KEY_DSA_CERT: 2702 if ((r = sshkey_froms(buf, &k)) != 0 || 2703 (r = sshkey_add_private(k)) != 0 || 2704 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2705 goto out; 2706 break; 2707 # ifdef OPENSSL_HAS_ECC 2708 case KEY_ECDSA: 2709 if ((k = sshkey_new_private(type)) == NULL) { 2710 r = SSH_ERR_ALLOC_FAIL; 2711 goto out; 2712 } 2713 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2714 r = SSH_ERR_INVALID_ARGUMENT; 2715 goto out; 2716 } 2717 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2718 goto out; 2719 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2720 r = SSH_ERR_EC_CURVE_MISMATCH; 2721 goto out; 2722 } 2723 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2724 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2725 r = SSH_ERR_LIBCRYPTO_ERROR; 2726 goto out; 2727 } 2728 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2729 (r = sshbuf_get_bignum2(buf, exponent))) 2730 goto out; 2731 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2732 r = SSH_ERR_LIBCRYPTO_ERROR; 2733 goto out; 2734 } 2735 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2736 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2737 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2738 goto out; 2739 break; 2740 case KEY_ECDSA_CERT: 2741 if ((exponent = BN_new()) == NULL) { 2742 r = SSH_ERR_LIBCRYPTO_ERROR; 2743 goto out; 2744 } 2745 if ((r = sshkey_froms(buf, &k)) != 0 || 2746 (r = sshkey_add_private(k)) != 0 || 2747 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2748 goto out; 2749 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2750 r = SSH_ERR_LIBCRYPTO_ERROR; 2751 goto out; 2752 } 2753 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2754 EC_KEY_get0_public_key(k->ecdsa))) != 0 || 2755 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2756 goto out; 2757 break; 2758 # endif /* OPENSSL_HAS_ECC */ 2759 case KEY_RSA: 2760 if ((k = sshkey_new_private(type)) == NULL) { 2761 r = SSH_ERR_ALLOC_FAIL; 2762 goto out; 2763 } 2764 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2765 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2766 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2767 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2768 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2769 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2770 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2771 goto out; 2772 break; 2773 case KEY_RSA_CERT: 2774 if ((r = sshkey_froms(buf, &k)) != 0 || 2775 (r = sshkey_add_private(k)) != 0 || 2776 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2777 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2778 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2779 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2780 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2781 goto out; 2782 break; 2783 #endif /* WITH_OPENSSL */ 2784 case KEY_ED25519: 2785 if ((k = sshkey_new_private(type)) == NULL) { 2786 r = SSH_ERR_ALLOC_FAIL; 2787 goto out; 2788 } 2789 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2790 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2791 goto out; 2792 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2793 r = SSH_ERR_INVALID_FORMAT; 2794 goto out; 2795 } 2796 k->ed25519_pk = ed25519_pk; 2797 k->ed25519_sk = ed25519_sk; 2798 ed25519_pk = ed25519_sk = NULL; 2799 break; 2800 case KEY_ED25519_CERT: 2801 if ((r = sshkey_froms(buf, &k)) != 0 || 2802 (r = sshkey_add_private(k)) != 0 || 2803 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2804 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2805 goto out; 2806 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2807 r = SSH_ERR_INVALID_FORMAT; 2808 goto out; 2809 } 2810 k->ed25519_pk = ed25519_pk; 2811 k->ed25519_sk = ed25519_sk; 2812 ed25519_pk = ed25519_sk = NULL; 2813 break; 2814 default: 2815 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2816 goto out; 2817 } 2818 #ifdef WITH_OPENSSL 2819 /* enable blinding */ 2820 switch (k->type) { 2821 case KEY_RSA: 2822 case KEY_RSA_CERT: 2823 case KEY_RSA1: 2824 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2825 r = SSH_ERR_LIBCRYPTO_ERROR; 2826 goto out; 2827 } 2828 break; 2829 } 2830 #endif /* WITH_OPENSSL */ 2831 /* success */ 2832 r = 0; 2833 if (kp != NULL) { 2834 *kp = k; 2835 k = NULL; 2836 } 2837 out: 2838 free(tname); 2839 free(curve); 2840 #ifdef WITH_OPENSSL 2841 if (exponent != NULL) 2842 BN_clear_free(exponent); 2843 #endif /* WITH_OPENSSL */ 2844 sshkey_free(k); 2845 if (ed25519_pk != NULL) { 2846 explicit_bzero(ed25519_pk, pklen); 2847 free(ed25519_pk); 2848 } 2849 if (ed25519_sk != NULL) { 2850 explicit_bzero(ed25519_sk, sklen); 2851 free(ed25519_sk); 2852 } 2853 return r; 2854 } 2855 2856 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 2857 int 2858 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2859 { 2860 BN_CTX *bnctx; 2861 EC_POINT *nq = NULL; 2862 BIGNUM *order, *x, *y, *tmp; 2863 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2864 2865 if ((bnctx = BN_CTX_new()) == NULL) 2866 return SSH_ERR_ALLOC_FAIL; 2867 BN_CTX_start(bnctx); 2868 2869 /* 2870 * We shouldn't ever hit this case because bignum_get_ecpoint() 2871 * refuses to load GF2m points. 2872 */ 2873 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2874 NID_X9_62_prime_field) 2875 goto out; 2876 2877 /* Q != infinity */ 2878 if (EC_POINT_is_at_infinity(group, public)) 2879 goto out; 2880 2881 if ((x = BN_CTX_get(bnctx)) == NULL || 2882 (y = BN_CTX_get(bnctx)) == NULL || 2883 (order = BN_CTX_get(bnctx)) == NULL || 2884 (tmp = BN_CTX_get(bnctx)) == NULL) { 2885 ret = SSH_ERR_ALLOC_FAIL; 2886 goto out; 2887 } 2888 2889 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2890 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2891 EC_POINT_get_affine_coordinates_GFp(group, public, 2892 x, y, bnctx) != 1) { 2893 ret = SSH_ERR_LIBCRYPTO_ERROR; 2894 goto out; 2895 } 2896 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2897 BN_num_bits(y) <= BN_num_bits(order) / 2) 2898 goto out; 2899 2900 /* nQ == infinity (n == order of subgroup) */ 2901 if ((nq = EC_POINT_new(group)) == NULL) { 2902 ret = SSH_ERR_ALLOC_FAIL; 2903 goto out; 2904 } 2905 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2906 ret = SSH_ERR_LIBCRYPTO_ERROR; 2907 goto out; 2908 } 2909 if (EC_POINT_is_at_infinity(group, nq) != 1) 2910 goto out; 2911 2912 /* x < order - 1, y < order - 1 */ 2913 if (!BN_sub(tmp, order, BN_value_one())) { 2914 ret = SSH_ERR_LIBCRYPTO_ERROR; 2915 goto out; 2916 } 2917 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2918 goto out; 2919 ret = 0; 2920 out: 2921 BN_CTX_free(bnctx); 2922 if (nq != NULL) 2923 EC_POINT_free(nq); 2924 return ret; 2925 } 2926 2927 int 2928 sshkey_ec_validate_private(const EC_KEY *key) 2929 { 2930 BN_CTX *bnctx; 2931 BIGNUM *order, *tmp; 2932 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2933 2934 if ((bnctx = BN_CTX_new()) == NULL) 2935 return SSH_ERR_ALLOC_FAIL; 2936 BN_CTX_start(bnctx); 2937 2938 if ((order = BN_CTX_get(bnctx)) == NULL || 2939 (tmp = BN_CTX_get(bnctx)) == NULL) { 2940 ret = SSH_ERR_ALLOC_FAIL; 2941 goto out; 2942 } 2943 2944 /* log2(private) > log2(order)/2 */ 2945 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2946 ret = SSH_ERR_LIBCRYPTO_ERROR; 2947 goto out; 2948 } 2949 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2950 BN_num_bits(order) / 2) 2951 goto out; 2952 2953 /* private < order - 1 */ 2954 if (!BN_sub(tmp, order, BN_value_one())) { 2955 ret = SSH_ERR_LIBCRYPTO_ERROR; 2956 goto out; 2957 } 2958 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2959 goto out; 2960 ret = 0; 2961 out: 2962 BN_CTX_free(bnctx); 2963 return ret; 2964 } 2965 2966 void 2967 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2968 { 2969 BIGNUM *x, *y; 2970 BN_CTX *bnctx; 2971 2972 if (point == NULL) { 2973 fputs("point=(NULL)\n", stderr); 2974 return; 2975 } 2976 if ((bnctx = BN_CTX_new()) == NULL) { 2977 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2978 return; 2979 } 2980 BN_CTX_start(bnctx); 2981 if ((x = BN_CTX_get(bnctx)) == NULL || 2982 (y = BN_CTX_get(bnctx)) == NULL) { 2983 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2984 return; 2985 } 2986 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2987 NID_X9_62_prime_field) { 2988 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2989 return; 2990 } 2991 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2992 bnctx) != 1) { 2993 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2994 __func__); 2995 return; 2996 } 2997 fputs("x=", stderr); 2998 BN_print_fp(stderr, x); 2999 fputs("\ny=", stderr); 3000 BN_print_fp(stderr, y); 3001 fputs("\n", stderr); 3002 BN_CTX_free(bnctx); 3003 } 3004 3005 void 3006 sshkey_dump_ec_key(const EC_KEY *key) 3007 { 3008 const BIGNUM *exponent; 3009 3010 sshkey_dump_ec_point(EC_KEY_get0_group(key), 3011 EC_KEY_get0_public_key(key)); 3012 fputs("exponent=", stderr); 3013 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 3014 fputs("(NULL)", stderr); 3015 else 3016 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 3017 fputs("\n", stderr); 3018 } 3019 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 3020 3021 static int 3022 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 3023 const char *passphrase, const char *comment, const char *ciphername, 3024 int rounds) 3025 { 3026 u_char *cp, *key = NULL, *pubkeyblob = NULL; 3027 u_char salt[SALT_LEN]; 3028 char *b64 = NULL; 3029 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 3030 u_int check; 3031 int r = SSH_ERR_INTERNAL_ERROR; 3032 struct sshcipher_ctx ciphercontext; 3033 const struct sshcipher *cipher; 3034 const char *kdfname = KDFNAME; 3035 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3036 3037 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3038 3039 if (rounds <= 0) 3040 rounds = DEFAULT_ROUNDS; 3041 if (passphrase == NULL || !strlen(passphrase)) { 3042 ciphername = "none"; 3043 kdfname = "none"; 3044 } else if (ciphername == NULL) 3045 ciphername = DEFAULT_CIPHERNAME; 3046 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 3047 r = SSH_ERR_INVALID_ARGUMENT; 3048 goto out; 3049 } 3050 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3051 r = SSH_ERR_INTERNAL_ERROR; 3052 goto out; 3053 } 3054 3055 if ((kdf = sshbuf_new()) == NULL || 3056 (encoded = sshbuf_new()) == NULL || 3057 (encrypted = sshbuf_new()) == NULL) { 3058 r = SSH_ERR_ALLOC_FAIL; 3059 goto out; 3060 } 3061 blocksize = cipher_blocksize(cipher); 3062 keylen = cipher_keylen(cipher); 3063 ivlen = cipher_ivlen(cipher); 3064 authlen = cipher_authlen(cipher); 3065 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3066 r = SSH_ERR_ALLOC_FAIL; 3067 goto out; 3068 } 3069 if (strcmp(kdfname, "bcrypt") == 0) { 3070 arc4random_buf(salt, SALT_LEN); 3071 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3072 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3073 r = SSH_ERR_INVALID_ARGUMENT; 3074 goto out; 3075 } 3076 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3077 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3078 goto out; 3079 } else if (strcmp(kdfname, "none") != 0) { 3080 /* Unsupported KDF type */ 3081 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3082 goto out; 3083 } 3084 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3085 key + keylen, ivlen, 1)) != 0) 3086 goto out; 3087 3088 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3089 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3090 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3091 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3092 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3093 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3094 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3095 goto out; 3096 3097 /* set up the buffer that will be encrypted */ 3098 3099 /* Random check bytes */ 3100 check = arc4random(); 3101 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3102 (r = sshbuf_put_u32(encrypted, check)) != 0) 3103 goto out; 3104 3105 /* append private key and comment*/ 3106 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 3107 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3108 goto out; 3109 3110 /* padding */ 3111 i = 0; 3112 while (sshbuf_len(encrypted) % blocksize) { 3113 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3114 goto out; 3115 } 3116 3117 /* length in destination buffer */ 3118 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3119 goto out; 3120 3121 /* encrypt */ 3122 if ((r = sshbuf_reserve(encoded, 3123 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3124 goto out; 3125 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3126 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3127 goto out; 3128 3129 /* uuencode */ 3130 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3131 r = SSH_ERR_ALLOC_FAIL; 3132 goto out; 3133 } 3134 3135 sshbuf_reset(blob); 3136 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3137 goto out; 3138 for (i = 0; i < strlen(b64); i++) { 3139 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3140 goto out; 3141 /* insert line breaks */ 3142 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3143 goto out; 3144 } 3145 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3146 goto out; 3147 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3148 goto out; 3149 3150 /* success */ 3151 r = 0; 3152 3153 out: 3154 sshbuf_free(kdf); 3155 sshbuf_free(encoded); 3156 sshbuf_free(encrypted); 3157 cipher_cleanup(&ciphercontext); 3158 explicit_bzero(salt, sizeof(salt)); 3159 if (key != NULL) { 3160 explicit_bzero(key, keylen + ivlen); 3161 free(key); 3162 } 3163 if (pubkeyblob != NULL) { 3164 explicit_bzero(pubkeyblob, pubkeylen); 3165 free(pubkeyblob); 3166 } 3167 if (b64 != NULL) { 3168 explicit_bzero(b64, strlen(b64)); 3169 free(b64); 3170 } 3171 return r; 3172 } 3173 3174 static int 3175 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3176 struct sshkey **keyp, char **commentp) 3177 { 3178 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3179 const struct sshcipher *cipher = NULL; 3180 const u_char *cp; 3181 int r = SSH_ERR_INTERNAL_ERROR; 3182 size_t encoded_len; 3183 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3184 struct sshbuf *encoded = NULL, *decoded = NULL; 3185 struct sshbuf *kdf = NULL, *decrypted = NULL; 3186 struct sshcipher_ctx ciphercontext; 3187 struct sshkey *k = NULL; 3188 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3189 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3190 3191 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3192 if (keyp != NULL) 3193 *keyp = NULL; 3194 if (commentp != NULL) 3195 *commentp = NULL; 3196 3197 if ((encoded = sshbuf_new()) == NULL || 3198 (decoded = sshbuf_new()) == NULL || 3199 (decrypted = sshbuf_new()) == NULL) { 3200 r = SSH_ERR_ALLOC_FAIL; 3201 goto out; 3202 } 3203 3204 /* check preamble */ 3205 cp = sshbuf_ptr(blob); 3206 encoded_len = sshbuf_len(blob); 3207 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3208 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3209 r = SSH_ERR_INVALID_FORMAT; 3210 goto out; 3211 } 3212 cp += MARK_BEGIN_LEN; 3213 encoded_len -= MARK_BEGIN_LEN; 3214 3215 /* Look for end marker, removing whitespace as we go */ 3216 while (encoded_len > 0) { 3217 if (*cp != '\n' && *cp != '\r') { 3218 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3219 goto out; 3220 } 3221 last = *cp; 3222 encoded_len--; 3223 cp++; 3224 if (last == '\n') { 3225 if (encoded_len >= MARK_END_LEN && 3226 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3227 /* \0 terminate */ 3228 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3229 goto out; 3230 break; 3231 } 3232 } 3233 } 3234 if (encoded_len == 0) { 3235 r = SSH_ERR_INVALID_FORMAT; 3236 goto out; 3237 } 3238 3239 /* decode base64 */ 3240 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3241 goto out; 3242 3243 /* check magic */ 3244 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3245 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3246 r = SSH_ERR_INVALID_FORMAT; 3247 goto out; 3248 } 3249 /* parse public portion of key */ 3250 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3251 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3252 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3253 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3254 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3255 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3256 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3257 goto out; 3258 3259 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3260 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3261 goto out; 3262 } 3263 if ((passphrase == NULL || strlen(passphrase) == 0) && 3264 strcmp(ciphername, "none") != 0) { 3265 /* passphrase required */ 3266 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3267 goto out; 3268 } 3269 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3270 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3271 goto out; 3272 } 3273 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3274 r = SSH_ERR_INVALID_FORMAT; 3275 goto out; 3276 } 3277 if (nkeys != 1) { 3278 /* XXX only one key supported */ 3279 r = SSH_ERR_INVALID_FORMAT; 3280 goto out; 3281 } 3282 3283 /* check size of encrypted key blob */ 3284 blocksize = cipher_blocksize(cipher); 3285 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3286 r = SSH_ERR_INVALID_FORMAT; 3287 goto out; 3288 } 3289 3290 /* setup key */ 3291 keylen = cipher_keylen(cipher); 3292 ivlen = cipher_ivlen(cipher); 3293 authlen = cipher_authlen(cipher); 3294 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3295 r = SSH_ERR_ALLOC_FAIL; 3296 goto out; 3297 } 3298 if (strcmp(kdfname, "bcrypt") == 0) { 3299 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3300 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3301 goto out; 3302 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3303 key, keylen + ivlen, rounds) < 0) { 3304 r = SSH_ERR_INVALID_FORMAT; 3305 goto out; 3306 } 3307 } 3308 3309 /* check that an appropriate amount of auth data is present */ 3310 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3311 r = SSH_ERR_INVALID_FORMAT; 3312 goto out; 3313 } 3314 3315 /* decrypt private portion of key */ 3316 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3317 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3318 key + keylen, ivlen, 0)) != 0) 3319 goto out; 3320 if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), 3321 encrypted_len, 0, authlen)) != 0) { 3322 /* an integrity error here indicates an incorrect passphrase */ 3323 if (r == SSH_ERR_MAC_INVALID) 3324 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3325 goto out; 3326 } 3327 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3328 goto out; 3329 /* there should be no trailing data */ 3330 if (sshbuf_len(decoded) != 0) { 3331 r = SSH_ERR_INVALID_FORMAT; 3332 goto out; 3333 } 3334 3335 /* check check bytes */ 3336 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3337 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3338 goto out; 3339 if (check1 != check2) { 3340 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3341 goto out; 3342 } 3343 3344 /* Load the private key and comment */ 3345 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3346 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3347 goto out; 3348 3349 /* Check deterministic padding */ 3350 i = 0; 3351 while (sshbuf_len(decrypted)) { 3352 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3353 goto out; 3354 if (pad != (++i & 0xff)) { 3355 r = SSH_ERR_INVALID_FORMAT; 3356 goto out; 3357 } 3358 } 3359 3360 /* XXX decode pubkey and check against private */ 3361 3362 /* success */ 3363 r = 0; 3364 if (keyp != NULL) { 3365 *keyp = k; 3366 k = NULL; 3367 } 3368 if (commentp != NULL) { 3369 *commentp = comment; 3370 comment = NULL; 3371 } 3372 out: 3373 pad = 0; 3374 cipher_cleanup(&ciphercontext); 3375 free(ciphername); 3376 free(kdfname); 3377 free(comment); 3378 if (salt != NULL) { 3379 explicit_bzero(salt, slen); 3380 free(salt); 3381 } 3382 if (key != NULL) { 3383 explicit_bzero(key, keylen + ivlen); 3384 free(key); 3385 } 3386 sshbuf_free(encoded); 3387 sshbuf_free(decoded); 3388 sshbuf_free(kdf); 3389 sshbuf_free(decrypted); 3390 sshkey_free(k); 3391 return r; 3392 } 3393 3394 #if WITH_SSH1 3395 /* 3396 * Serialises the authentication (private) key to a blob, encrypting it with 3397 * passphrase. The identification of the blob (lowest 64 bits of n) will 3398 * precede the key to provide identification of the key without needing a 3399 * passphrase. 3400 */ 3401 static int 3402 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3403 const char *passphrase, const char *comment) 3404 { 3405 struct sshbuf *buffer = NULL, *encrypted = NULL; 3406 u_char buf[8]; 3407 int r, cipher_num; 3408 struct sshcipher_ctx ciphercontext; 3409 const struct sshcipher *cipher; 3410 u_char *cp; 3411 3412 /* 3413 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3414 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3415 */ 3416 cipher_num = (strcmp(passphrase, "") == 0) ? 3417 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3418 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3419 return SSH_ERR_INTERNAL_ERROR; 3420 3421 /* This buffer is used to build the secret part of the private key. */ 3422 if ((buffer = sshbuf_new()) == NULL) 3423 return SSH_ERR_ALLOC_FAIL; 3424 3425 /* Put checkbytes for checking passphrase validity. */ 3426 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3427 goto out; 3428 arc4random_buf(cp, 2); 3429 memcpy(cp + 2, cp, 2); 3430 3431 /* 3432 * Store the private key (n and e will not be stored because they 3433 * will be stored in plain text, and storing them also in encrypted 3434 * format would just give known plaintext). 3435 * Note: q and p are stored in reverse order to SSL. 3436 */ 3437 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3438 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3439 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3440 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3441 goto out; 3442 3443 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3444 explicit_bzero(buf, 8); 3445 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3446 goto out; 3447 3448 /* This buffer will be used to contain the data in the file. */ 3449 if ((encrypted = sshbuf_new()) == NULL) { 3450 r = SSH_ERR_ALLOC_FAIL; 3451 goto out; 3452 } 3453 3454 /* First store keyfile id string. */ 3455 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3456 sizeof(LEGACY_BEGIN))) != 0) 3457 goto out; 3458 3459 /* Store cipher type and "reserved" field. */ 3460 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3461 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3462 goto out; 3463 3464 /* Store public key. This will be in plain text. */ 3465 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3466 (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 || 3467 (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 || 3468 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3469 goto out; 3470 3471 /* Allocate space for the private part of the key in the buffer. */ 3472 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3473 goto out; 3474 3475 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3476 CIPHER_ENCRYPT)) != 0) 3477 goto out; 3478 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3479 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3480 goto out; 3481 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3482 goto out; 3483 3484 r = sshbuf_putb(blob, encrypted); 3485 3486 out: 3487 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3488 explicit_bzero(buf, sizeof(buf)); 3489 sshbuf_free(buffer); 3490 sshbuf_free(encrypted); 3491 3492 return r; 3493 } 3494 #endif /* WITH_SSH1 */ 3495 3496 #ifdef WITH_OPENSSL 3497 /* convert SSH v2 key in OpenSSL PEM format */ 3498 static int 3499 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3500 const char *_passphrase, const char *comment) 3501 { 3502 int success, r; 3503 int blen, len = strlen(_passphrase); 3504 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3505 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 3506 const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; 3507 #else 3508 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3509 #endif 3510 const u_char *bptr; 3511 BIO *bio = NULL; 3512 3513 if (len > 0 && len <= 4) 3514 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3515 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3516 return SSH_ERR_ALLOC_FAIL; 3517 3518 switch (key->type) { 3519 case KEY_DSA: 3520 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3521 cipher, passphrase, len, NULL, NULL); 3522 break; 3523 #ifdef OPENSSL_HAS_ECC 3524 case KEY_ECDSA: 3525 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3526 cipher, passphrase, len, NULL, NULL); 3527 break; 3528 #endif 3529 case KEY_RSA: 3530 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3531 cipher, passphrase, len, NULL, NULL); 3532 break; 3533 default: 3534 success = 0; 3535 break; 3536 } 3537 if (success == 0) { 3538 r = SSH_ERR_LIBCRYPTO_ERROR; 3539 goto out; 3540 } 3541 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3542 r = SSH_ERR_INTERNAL_ERROR; 3543 goto out; 3544 } 3545 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3546 goto out; 3547 r = 0; 3548 out: 3549 BIO_free(bio); 3550 return r; 3551 } 3552 #endif /* WITH_OPENSSL */ 3553 3554 /* Serialise "key" to buffer "blob" */ 3555 int 3556 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3557 const char *passphrase, const char *comment, 3558 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3559 { 3560 switch (key->type) { 3561 #ifdef WITH_SSH1 3562 case KEY_RSA1: 3563 return sshkey_private_rsa1_to_blob(key, blob, 3564 passphrase, comment); 3565 #endif /* WITH_SSH1 */ 3566 #ifdef WITH_OPENSSL 3567 case KEY_DSA: 3568 case KEY_ECDSA: 3569 case KEY_RSA: 3570 if (force_new_format) { 3571 return sshkey_private_to_blob2(key, blob, passphrase, 3572 comment, new_format_cipher, new_format_rounds); 3573 } 3574 return sshkey_private_pem_to_blob(key, blob, 3575 passphrase, comment); 3576 #endif /* WITH_OPENSSL */ 3577 case KEY_ED25519: 3578 return sshkey_private_to_blob2(key, blob, passphrase, 3579 comment, new_format_cipher, new_format_rounds); 3580 default: 3581 return SSH_ERR_KEY_TYPE_UNKNOWN; 3582 } 3583 } 3584 3585 #ifdef WITH_SSH1 3586 /* 3587 * Parse the public, unencrypted portion of a RSA1 key. 3588 */ 3589 int 3590 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3591 struct sshkey **keyp, char **commentp) 3592 { 3593 int r; 3594 struct sshkey *pub = NULL; 3595 struct sshbuf *copy = NULL; 3596 3597 if (keyp != NULL) 3598 *keyp = NULL; 3599 if (commentp != NULL) 3600 *commentp = NULL; 3601 3602 /* Check that it is at least big enough to contain the ID string. */ 3603 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3604 return SSH_ERR_INVALID_FORMAT; 3605 3606 /* 3607 * Make sure it begins with the id string. Consume the id string 3608 * from the buffer. 3609 */ 3610 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3611 return SSH_ERR_INVALID_FORMAT; 3612 /* Make a working copy of the keyblob and skip past the magic */ 3613 if ((copy = sshbuf_fromb(blob)) == NULL) 3614 return SSH_ERR_ALLOC_FAIL; 3615 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3616 goto out; 3617 3618 /* Skip cipher type, reserved data and key bits. */ 3619 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3620 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3621 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3622 goto out; 3623 3624 /* Read the public key from the buffer. */ 3625 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3626 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3627 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3628 goto out; 3629 3630 /* Finally, the comment */ 3631 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3632 goto out; 3633 3634 /* The encrypted private part is not parsed by this function. */ 3635 3636 r = 0; 3637 if (keyp != NULL) { 3638 *keyp = pub; 3639 pub = NULL; 3640 } 3641 out: 3642 sshbuf_free(copy); 3643 sshkey_free(pub); 3644 return r; 3645 } 3646 3647 static int 3648 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3649 struct sshkey **keyp, char **commentp) 3650 { 3651 int r; 3652 u_int16_t check1, check2; 3653 u_int8_t cipher_type; 3654 struct sshbuf *decrypted = NULL, *copy = NULL; 3655 u_char *cp; 3656 char *comment = NULL; 3657 struct sshcipher_ctx ciphercontext; 3658 const struct sshcipher *cipher; 3659 struct sshkey *prv = NULL; 3660 3661 if (keyp != NULL) 3662 *keyp = NULL; 3663 if (commentp != NULL) 3664 *commentp = NULL; 3665 3666 /* Check that it is at least big enough to contain the ID string. */ 3667 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3668 return SSH_ERR_INVALID_FORMAT; 3669 3670 /* 3671 * Make sure it begins with the id string. Consume the id string 3672 * from the buffer. 3673 */ 3674 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3675 return SSH_ERR_INVALID_FORMAT; 3676 3677 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3678 r = SSH_ERR_ALLOC_FAIL; 3679 goto out; 3680 } 3681 if ((copy = sshbuf_fromb(blob)) == NULL || 3682 (decrypted = sshbuf_new()) == NULL) { 3683 r = SSH_ERR_ALLOC_FAIL; 3684 goto out; 3685 } 3686 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3687 goto out; 3688 3689 /* Read cipher type. */ 3690 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3691 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3692 goto out; 3693 3694 /* Read the public key and comment from the buffer. */ 3695 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3696 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3697 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3698 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3699 goto out; 3700 3701 /* Check that it is a supported cipher. */ 3702 cipher = cipher_by_number(cipher_type); 3703 if (cipher == NULL) { 3704 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3705 goto out; 3706 } 3707 /* Initialize space for decrypted data. */ 3708 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3709 goto out; 3710 3711 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3712 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3713 CIPHER_DECRYPT)) != 0) 3714 goto out; 3715 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3716 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { 3717 cipher_cleanup(&ciphercontext); 3718 goto out; 3719 } 3720 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3721 goto out; 3722 3723 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3724 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3725 goto out; 3726 if (check1 != check2) { 3727 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3728 goto out; 3729 } 3730 3731 /* Read the rest of the private key. */ 3732 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3733 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3734 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3735 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3736 goto out; 3737 3738 /* calculate p-1 and q-1 */ 3739 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3740 goto out; 3741 3742 /* enable blinding */ 3743 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3744 r = SSH_ERR_LIBCRYPTO_ERROR; 3745 goto out; 3746 } 3747 r = 0; 3748 if (keyp != NULL) { 3749 *keyp = prv; 3750 prv = NULL; 3751 } 3752 if (commentp != NULL) { 3753 *commentp = comment; 3754 comment = NULL; 3755 } 3756 out: 3757 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3758 free(comment); 3759 sshkey_free(prv); 3760 sshbuf_free(copy); 3761 sshbuf_free(decrypted); 3762 return r; 3763 } 3764 #endif /* WITH_SSH1 */ 3765 3766 #ifdef WITH_OPENSSL 3767 static int 3768 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3769 const char *passphrase, struct sshkey **keyp) 3770 { 3771 EVP_PKEY *pk = NULL; 3772 struct sshkey *prv = NULL; 3773 BIO *bio = NULL; 3774 int r; 3775 3776 if (keyp != NULL) 3777 *keyp = NULL; 3778 3779 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3780 return SSH_ERR_ALLOC_FAIL; 3781 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3782 (int)sshbuf_len(blob)) { 3783 r = SSH_ERR_ALLOC_FAIL; 3784 goto out; 3785 } 3786 3787 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3788 (char *)passphrase)) == NULL) { 3789 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3790 goto out; 3791 } 3792 if (pk->type == EVP_PKEY_RSA && 3793 (type == KEY_UNSPEC || type == KEY_RSA)) { 3794 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3795 r = SSH_ERR_ALLOC_FAIL; 3796 goto out; 3797 } 3798 prv->rsa = EVP_PKEY_get1_RSA(pk); 3799 prv->type = KEY_RSA; 3800 #ifdef DEBUG_PK 3801 RSA_print_fp(stderr, prv->rsa, 8); 3802 #endif 3803 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3804 r = SSH_ERR_LIBCRYPTO_ERROR; 3805 goto out; 3806 } 3807 } else if (pk->type == EVP_PKEY_DSA && 3808 (type == KEY_UNSPEC || type == KEY_DSA)) { 3809 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3810 r = SSH_ERR_ALLOC_FAIL; 3811 goto out; 3812 } 3813 prv->dsa = EVP_PKEY_get1_DSA(pk); 3814 prv->type = KEY_DSA; 3815 #ifdef DEBUG_PK 3816 DSA_print_fp(stderr, prv->dsa, 8); 3817 #endif 3818 #ifdef OPENSSL_HAS_ECC 3819 } else if (pk->type == EVP_PKEY_EC && 3820 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3821 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3822 r = SSH_ERR_ALLOC_FAIL; 3823 goto out; 3824 } 3825 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3826 prv->type = KEY_ECDSA; 3827 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3828 if (prv->ecdsa_nid == -1 || 3829 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3830 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3831 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3832 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3833 r = SSH_ERR_INVALID_FORMAT; 3834 goto out; 3835 } 3836 # ifdef DEBUG_PK 3837 if (prv != NULL && prv->ecdsa != NULL) 3838 sshkey_dump_ec_key(prv->ecdsa); 3839 # endif 3840 #endif /* OPENSSL_HAS_ECC */ 3841 } else { 3842 r = SSH_ERR_INVALID_FORMAT; 3843 goto out; 3844 } 3845 r = 0; 3846 if (keyp != NULL) { 3847 *keyp = prv; 3848 prv = NULL; 3849 } 3850 out: 3851 BIO_free(bio); 3852 if (pk != NULL) 3853 EVP_PKEY_free(pk); 3854 sshkey_free(prv); 3855 return r; 3856 } 3857 #endif /* WITH_OPENSSL */ 3858 3859 int 3860 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3861 const char *passphrase, struct sshkey **keyp, char **commentp) 3862 { 3863 if (keyp != NULL) 3864 *keyp = NULL; 3865 if (commentp != NULL) 3866 *commentp = NULL; 3867 3868 switch (type) { 3869 #ifdef WITH_SSH1 3870 case KEY_RSA1: 3871 return sshkey_parse_private_rsa1(blob, passphrase, 3872 keyp, commentp); 3873 #endif /* WITH_SSH1 */ 3874 #ifdef WITH_OPENSSL 3875 case KEY_DSA: 3876 case KEY_ECDSA: 3877 case KEY_RSA: 3878 return sshkey_parse_private_pem_fileblob(blob, type, 3879 passphrase, keyp); 3880 #endif /* WITH_OPENSSL */ 3881 case KEY_ED25519: 3882 return sshkey_parse_private2(blob, type, passphrase, 3883 keyp, commentp); 3884 case KEY_UNSPEC: 3885 if (sshkey_parse_private2(blob, type, passphrase, keyp, 3886 commentp) == 0) 3887 return 0; 3888 #ifdef WITH_OPENSSL 3889 return sshkey_parse_private_pem_fileblob(blob, type, 3890 passphrase, keyp); 3891 #else 3892 return SSH_ERR_INVALID_FORMAT; 3893 #endif /* WITH_OPENSSL */ 3894 default: 3895 return SSH_ERR_KEY_TYPE_UNKNOWN; 3896 } 3897 } 3898 3899 int 3900 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3901 struct sshkey **keyp, char **commentp) 3902 { 3903 if (keyp != NULL) 3904 *keyp = NULL; 3905 if (commentp != NULL) 3906 *commentp = NULL; 3907 3908 #ifdef WITH_SSH1 3909 /* it's a SSH v1 key if the public key part is readable */ 3910 if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) { 3911 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3912 passphrase, keyp, commentp); 3913 } 3914 #endif /* WITH_SSH1 */ 3915 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3916 passphrase, keyp, commentp); 3917 } 3918