1 /* $OpenBSD: sshsig.c,v 1.26 2021/11/28 07:21:26 djm Exp $ */ 2 /* 3 * Copyright (c) 2019 Google LLC 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <stdio.h> 19 #include <stdlib.h> 20 #include <stdarg.h> 21 #include <errno.h> 22 #include <string.h> 23 #include <unistd.h> 24 25 #include "authfd.h" 26 #include "authfile.h" 27 #include "log.h" 28 #include "misc.h" 29 #include "sshbuf.h" 30 #include "sshsig.h" 31 #include "ssherr.h" 32 #include "sshkey.h" 33 #include "match.h" 34 #include "digest.h" 35 36 #define SIG_VERSION 0x01 37 #define MAGIC_PREAMBLE "SSHSIG" 38 #define MAGIC_PREAMBLE_LEN (sizeof(MAGIC_PREAMBLE) - 1) 39 #define BEGIN_SIGNATURE "-----BEGIN SSH SIGNATURE-----\n" 40 #define END_SIGNATURE "-----END SSH SIGNATURE-----" 41 #define RSA_SIGN_ALG "rsa-sha2-512" /* XXX maybe make configurable */ 42 #define RSA_SIGN_ALLOWED "rsa-sha2-512,rsa-sha2-256" 43 #define HASHALG_DEFAULT "sha512" /* XXX maybe make configurable */ 44 #define HASHALG_ALLOWED "sha256,sha512" 45 46 int 47 sshsig_armor(const struct sshbuf *blob, struct sshbuf **out) 48 { 49 struct sshbuf *buf = NULL; 50 int r = SSH_ERR_INTERNAL_ERROR; 51 52 *out = NULL; 53 54 if ((buf = sshbuf_new()) == NULL) { 55 error_f("sshbuf_new failed"); 56 r = SSH_ERR_ALLOC_FAIL; 57 goto out; 58 } 59 60 if ((r = sshbuf_put(buf, BEGIN_SIGNATURE, 61 sizeof(BEGIN_SIGNATURE)-1)) != 0) { 62 error_fr(r, "sshbuf_putf"); 63 goto out; 64 } 65 66 if ((r = sshbuf_dtob64(blob, buf, 1)) != 0) { 67 error_fr(r, "base64 encode signature"); 68 goto out; 69 } 70 71 if ((r = sshbuf_put(buf, END_SIGNATURE, 72 sizeof(END_SIGNATURE)-1)) != 0 || 73 (r = sshbuf_put_u8(buf, '\n')) != 0) { 74 error_fr(r, "sshbuf_put"); 75 goto out; 76 } 77 /* success */ 78 *out = buf; 79 buf = NULL; /* transferred */ 80 r = 0; 81 out: 82 sshbuf_free(buf); 83 return r; 84 } 85 86 int 87 sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out) 88 { 89 int r; 90 size_t eoffset = 0; 91 struct sshbuf *buf = NULL; 92 struct sshbuf *sbuf = NULL; 93 char *b64 = NULL; 94 95 if ((sbuf = sshbuf_fromb(sig)) == NULL) { 96 error_f("sshbuf_fromb failed"); 97 return SSH_ERR_ALLOC_FAIL; 98 } 99 100 if ((r = sshbuf_cmp(sbuf, 0, 101 BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) { 102 error("Couldn't parse signature: missing header"); 103 goto done; 104 } 105 106 if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) { 107 error_fr(r, "consume"); 108 goto done; 109 } 110 111 if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE, 112 sizeof("\n" END_SIGNATURE)-1, &eoffset)) != 0) { 113 error("Couldn't parse signature: missing footer"); 114 goto done; 115 } 116 117 if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) { 118 error_fr(r, "consume"); 119 goto done; 120 } 121 122 if ((b64 = sshbuf_dup_string(sbuf)) == NULL) { 123 error_f("sshbuf_dup_string failed"); 124 r = SSH_ERR_ALLOC_FAIL; 125 goto done; 126 } 127 128 if ((buf = sshbuf_new()) == NULL) { 129 error_f("sshbuf_new() failed"); 130 r = SSH_ERR_ALLOC_FAIL; 131 goto done; 132 } 133 134 if ((r = sshbuf_b64tod(buf, b64)) != 0) { 135 error_fr(r, "decode base64"); 136 goto done; 137 } 138 139 /* success */ 140 *out = buf; 141 r = 0; 142 buf = NULL; /* transferred */ 143 done: 144 sshbuf_free(buf); 145 sshbuf_free(sbuf); 146 free(b64); 147 return r; 148 } 149 150 static int 151 sshsig_wrap_sign(struct sshkey *key, const char *hashalg, 152 const char *sk_provider, const char *sk_pin, const struct sshbuf *h_message, 153 const char *sig_namespace, struct sshbuf **out, 154 sshsig_signer *signer, void *signer_ctx) 155 { 156 int r; 157 size_t slen = 0; 158 u_char *sig = NULL; 159 struct sshbuf *blob = NULL; 160 struct sshbuf *tosign = NULL; 161 const char *sign_alg = NULL; 162 163 if ((tosign = sshbuf_new()) == NULL || 164 (blob = sshbuf_new()) == NULL) { 165 error_f("sshbuf_new failed"); 166 r = SSH_ERR_ALLOC_FAIL; 167 goto done; 168 } 169 170 if ((r = sshbuf_put(tosign, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || 171 (r = sshbuf_put_cstring(tosign, sig_namespace)) != 0 || 172 (r = sshbuf_put_string(tosign, NULL, 0)) != 0 || /* reserved */ 173 (r = sshbuf_put_cstring(tosign, hashalg)) != 0 || 174 (r = sshbuf_put_stringb(tosign, h_message)) != 0) { 175 error_fr(r, "assemble message to sign"); 176 goto done; 177 } 178 179 /* If using RSA keys then default to a good signature algorithm */ 180 if (sshkey_type_plain(key->type) == KEY_RSA) 181 sign_alg = RSA_SIGN_ALG; 182 183 if (signer != NULL) { 184 if ((r = signer(key, &sig, &slen, 185 sshbuf_ptr(tosign), sshbuf_len(tosign), 186 sign_alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) { 187 error_r(r, "Couldn't sign message (signer)"); 188 goto done; 189 } 190 } else { 191 if ((r = sshkey_sign(key, &sig, &slen, 192 sshbuf_ptr(tosign), sshbuf_len(tosign), 193 sign_alg, sk_provider, sk_pin, 0)) != 0) { 194 error_r(r, "Couldn't sign message"); 195 goto done; 196 } 197 } 198 199 if ((r = sshbuf_put(blob, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || 200 (r = sshbuf_put_u32(blob, SIG_VERSION)) != 0 || 201 (r = sshkey_puts(key, blob)) != 0 || 202 (r = sshbuf_put_cstring(blob, sig_namespace)) != 0 || 203 (r = sshbuf_put_string(blob, NULL, 0)) != 0 || /* reserved */ 204 (r = sshbuf_put_cstring(blob, hashalg)) != 0 || 205 (r = sshbuf_put_string(blob, sig, slen)) != 0) { 206 error_fr(r, "assemble signature object"); 207 goto done; 208 } 209 210 if (out != NULL) { 211 *out = blob; 212 blob = NULL; 213 } 214 r = 0; 215 done: 216 free(sig); 217 sshbuf_free(blob); 218 sshbuf_free(tosign); 219 return r; 220 } 221 222 /* Check preamble and version. */ 223 static int 224 sshsig_parse_preamble(struct sshbuf *buf) 225 { 226 int r = SSH_ERR_INTERNAL_ERROR; 227 uint32_t sversion; 228 229 if ((r = sshbuf_cmp(buf, 0, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || 230 (r = sshbuf_consume(buf, (sizeof(MAGIC_PREAMBLE)-1))) != 0 || 231 (r = sshbuf_get_u32(buf, &sversion)) != 0) { 232 error("Couldn't verify signature: invalid format"); 233 return r; 234 } 235 236 if (sversion > SIG_VERSION) { 237 error("Signature version %lu is larger than supported " 238 "version %u", (unsigned long)sversion, SIG_VERSION); 239 return SSH_ERR_INVALID_FORMAT; 240 } 241 return 0; 242 } 243 244 static int 245 sshsig_check_hashalg(const char *hashalg) 246 { 247 if (hashalg == NULL || 248 match_pattern_list(hashalg, HASHALG_ALLOWED, 0) == 1) 249 return 0; 250 error_f("unsupported hash algorithm \"%.100s\"", hashalg); 251 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 252 } 253 254 static int 255 sshsig_peek_hashalg(struct sshbuf *signature, char **hashalgp) 256 { 257 struct sshbuf *buf = NULL; 258 char *hashalg = NULL; 259 int r = SSH_ERR_INTERNAL_ERROR; 260 261 if (hashalgp != NULL) 262 *hashalgp = NULL; 263 if ((buf = sshbuf_fromb(signature)) == NULL) 264 return SSH_ERR_ALLOC_FAIL; 265 if ((r = sshsig_parse_preamble(buf)) != 0) 266 goto done; 267 if ((r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 || 268 (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 || 269 (r = sshbuf_get_string(buf, NULL, NULL)) != 0 || 270 (r = sshbuf_get_cstring(buf, &hashalg, NULL)) != 0 || 271 (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0) { 272 error_fr(r, "parse signature object"); 273 goto done; 274 } 275 276 /* success */ 277 r = 0; 278 *hashalgp = hashalg; 279 hashalg = NULL; 280 done: 281 free(hashalg); 282 sshbuf_free(buf); 283 return r; 284 } 285 286 static int 287 sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg, 288 const struct sshbuf *h_message, const char *expect_namespace, 289 struct sshkey **sign_keyp, struct sshkey_sig_details **sig_details) 290 { 291 int r = SSH_ERR_INTERNAL_ERROR; 292 struct sshbuf *buf = NULL, *toverify = NULL; 293 struct sshkey *key = NULL; 294 const u_char *sig; 295 char *got_namespace = NULL, *sigtype = NULL, *sig_hashalg = NULL; 296 size_t siglen; 297 298 debug_f("verify message length %zu", sshbuf_len(h_message)); 299 if (sig_details != NULL) 300 *sig_details = NULL; 301 if (sign_keyp != NULL) 302 *sign_keyp = NULL; 303 304 if ((toverify = sshbuf_new()) == NULL) { 305 error_f("sshbuf_new failed"); 306 r = SSH_ERR_ALLOC_FAIL; 307 goto done; 308 } 309 if ((r = sshbuf_put(toverify, MAGIC_PREAMBLE, 310 MAGIC_PREAMBLE_LEN)) != 0 || 311 (r = sshbuf_put_cstring(toverify, expect_namespace)) != 0 || 312 (r = sshbuf_put_string(toverify, NULL, 0)) != 0 || /* reserved */ 313 (r = sshbuf_put_cstring(toverify, hashalg)) != 0 || 314 (r = sshbuf_put_stringb(toverify, h_message)) != 0) { 315 error_fr(r, "assemble message to verify"); 316 goto done; 317 } 318 319 if ((r = sshsig_parse_preamble(signature)) != 0) 320 goto done; 321 322 if ((r = sshkey_froms(signature, &key)) != 0 || 323 (r = sshbuf_get_cstring(signature, &got_namespace, NULL)) != 0 || 324 (r = sshbuf_get_string(signature, NULL, NULL)) != 0 || 325 (r = sshbuf_get_cstring(signature, &sig_hashalg, NULL)) != 0 || 326 (r = sshbuf_get_string_direct(signature, &sig, &siglen)) != 0) { 327 error_fr(r, "parse signature object"); 328 goto done; 329 } 330 331 if (sshbuf_len(signature) != 0) { 332 error("Signature contains trailing data"); 333 r = SSH_ERR_INVALID_FORMAT; 334 goto done; 335 } 336 337 if (strcmp(expect_namespace, got_namespace) != 0) { 338 error("Couldn't verify signature: namespace does not match"); 339 debug_f("expected namespace \"%s\" received \"%s\"", 340 expect_namespace, got_namespace); 341 r = SSH_ERR_SIGNATURE_INVALID; 342 goto done; 343 } 344 if (strcmp(hashalg, sig_hashalg) != 0) { 345 error("Couldn't verify signature: hash algorithm mismatch"); 346 debug_f("expected algorithm \"%s\" received \"%s\"", 347 hashalg, sig_hashalg); 348 r = SSH_ERR_SIGNATURE_INVALID; 349 goto done; 350 } 351 /* Ensure that RSA keys use an acceptable signature algorithm */ 352 if (sshkey_type_plain(key->type) == KEY_RSA) { 353 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) { 354 error_r(r, "Couldn't verify signature: unable to get " 355 "signature type"); 356 goto done; 357 } 358 if (match_pattern_list(sigtype, RSA_SIGN_ALLOWED, 0) != 1) { 359 error("Couldn't verify signature: unsupported RSA " 360 "signature algorithm %s", sigtype); 361 r = SSH_ERR_SIGN_ALG_UNSUPPORTED; 362 goto done; 363 } 364 } 365 if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify), 366 sshbuf_len(toverify), NULL, 0, sig_details)) != 0) { 367 error_r(r, "Signature verification failed"); 368 goto done; 369 } 370 371 /* success */ 372 r = 0; 373 if (sign_keyp != NULL) { 374 *sign_keyp = key; 375 key = NULL; /* transferred */ 376 } 377 done: 378 free(got_namespace); 379 free(sigtype); 380 free(sig_hashalg); 381 sshbuf_free(buf); 382 sshbuf_free(toverify); 383 sshkey_free(key); 384 return r; 385 } 386 387 static int 388 hash_buffer(const struct sshbuf *m, const char *hashalg, struct sshbuf **bp) 389 { 390 char *hex, hash[SSH_DIGEST_MAX_LENGTH]; 391 int alg, r = SSH_ERR_INTERNAL_ERROR; 392 struct sshbuf *b = NULL; 393 394 *bp = NULL; 395 memset(hash, 0, sizeof(hash)); 396 397 if ((r = sshsig_check_hashalg(hashalg)) != 0) 398 return r; 399 if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { 400 error_f("can't look up hash algorithm %s", hashalg); 401 return SSH_ERR_INTERNAL_ERROR; 402 } 403 if ((r = ssh_digest_buffer(alg, m, hash, sizeof(hash))) != 0) { 404 error_fr(r, "ssh_digest_buffer"); 405 return r; 406 } 407 if ((hex = tohex(hash, ssh_digest_bytes(alg))) != NULL) { 408 debug3_f("final hash: %s", hex); 409 freezero(hex, strlen(hex)); 410 } 411 if ((b = sshbuf_new()) == NULL) { 412 r = SSH_ERR_ALLOC_FAIL; 413 goto out; 414 } 415 if ((r = sshbuf_put(b, hash, ssh_digest_bytes(alg))) != 0) { 416 error_fr(r, "sshbuf_put"); 417 goto out; 418 } 419 *bp = b; 420 b = NULL; /* transferred */ 421 /* success */ 422 r = 0; 423 out: 424 sshbuf_free(b); 425 explicit_bzero(hash, sizeof(hash)); 426 return r; 427 } 428 429 int 430 sshsig_signb(struct sshkey *key, const char *hashalg, 431 const char *sk_provider, const char *sk_pin, 432 const struct sshbuf *message, const char *sig_namespace, 433 struct sshbuf **out, sshsig_signer *signer, void *signer_ctx) 434 { 435 struct sshbuf *b = NULL; 436 int r = SSH_ERR_INTERNAL_ERROR; 437 438 if (hashalg == NULL) 439 hashalg = HASHALG_DEFAULT; 440 if (out != NULL) 441 *out = NULL; 442 if ((r = hash_buffer(message, hashalg, &b)) != 0) { 443 error_fr(r, "hash buffer"); 444 goto out; 445 } 446 if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, sk_pin, b, 447 sig_namespace, out, signer, signer_ctx)) != 0) 448 goto out; 449 /* success */ 450 r = 0; 451 out: 452 sshbuf_free(b); 453 return r; 454 } 455 456 int 457 sshsig_verifyb(struct sshbuf *signature, const struct sshbuf *message, 458 const char *expect_namespace, struct sshkey **sign_keyp, 459 struct sshkey_sig_details **sig_details) 460 { 461 struct sshbuf *b = NULL; 462 int r = SSH_ERR_INTERNAL_ERROR; 463 char *hashalg = NULL; 464 465 if (sig_details != NULL) 466 *sig_details = NULL; 467 if (sign_keyp != NULL) 468 *sign_keyp = NULL; 469 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) 470 return r; 471 debug_f("signature made with hash \"%s\"", hashalg); 472 if ((r = hash_buffer(message, hashalg, &b)) != 0) { 473 error_fr(r, "hash buffer"); 474 goto out; 475 } 476 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, 477 sign_keyp, sig_details)) != 0) 478 goto out; 479 /* success */ 480 r = 0; 481 out: 482 sshbuf_free(b); 483 free(hashalg); 484 return r; 485 } 486 487 static int 488 hash_file(int fd, const char *hashalg, struct sshbuf **bp) 489 { 490 char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH]; 491 ssize_t n, total = 0; 492 struct ssh_digest_ctx *ctx; 493 int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR; 494 struct sshbuf *b = NULL; 495 496 *bp = NULL; 497 memset(hash, 0, sizeof(hash)); 498 499 if ((r = sshsig_check_hashalg(hashalg)) != 0) 500 return r; 501 if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { 502 error_f("can't look up hash algorithm %s", hashalg); 503 return SSH_ERR_INTERNAL_ERROR; 504 } 505 if ((ctx = ssh_digest_start(alg)) == NULL) { 506 error_f("ssh_digest_start failed"); 507 return SSH_ERR_INTERNAL_ERROR; 508 } 509 for (;;) { 510 if ((n = read(fd, rbuf, sizeof(rbuf))) == -1) { 511 if (errno == EINTR || errno == EAGAIN) 512 continue; 513 oerrno = errno; 514 error_f("read: %s", strerror(errno)); 515 ssh_digest_free(ctx); 516 errno = oerrno; 517 r = SSH_ERR_SYSTEM_ERROR; 518 goto out; 519 } else if (n == 0) { 520 debug2_f("hashed %zu bytes", total); 521 break; /* EOF */ 522 } 523 total += (size_t)n; 524 if ((r = ssh_digest_update(ctx, rbuf, (size_t)n)) != 0) { 525 error_fr(r, "ssh_digest_update"); 526 goto out; 527 } 528 } 529 if ((r = ssh_digest_final(ctx, hash, sizeof(hash))) != 0) { 530 error_fr(r, "ssh_digest_final"); 531 goto out; 532 } 533 if ((hex = tohex(hash, ssh_digest_bytes(alg))) != NULL) { 534 debug3_f("final hash: %s", hex); 535 freezero(hex, strlen(hex)); 536 } 537 if ((b = sshbuf_new()) == NULL) { 538 r = SSH_ERR_ALLOC_FAIL; 539 goto out; 540 } 541 if ((r = sshbuf_put(b, hash, ssh_digest_bytes(alg))) != 0) { 542 error_fr(r, "sshbuf_put"); 543 goto out; 544 } 545 *bp = b; 546 b = NULL; /* transferred */ 547 /* success */ 548 r = 0; 549 out: 550 sshbuf_free(b); 551 ssh_digest_free(ctx); 552 explicit_bzero(hash, sizeof(hash)); 553 return r; 554 } 555 556 int 557 sshsig_sign_fd(struct sshkey *key, const char *hashalg, 558 const char *sk_provider, const char *sk_pin, 559 int fd, const char *sig_namespace, struct sshbuf **out, 560 sshsig_signer *signer, void *signer_ctx) 561 { 562 struct sshbuf *b = NULL; 563 int r = SSH_ERR_INTERNAL_ERROR; 564 565 if (hashalg == NULL) 566 hashalg = HASHALG_DEFAULT; 567 if (out != NULL) 568 *out = NULL; 569 if ((r = hash_file(fd, hashalg, &b)) != 0) { 570 error_fr(r, "hash_file"); 571 return r; 572 } 573 if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, sk_pin, b, 574 sig_namespace, out, signer, signer_ctx)) != 0) 575 goto out; 576 /* success */ 577 r = 0; 578 out: 579 sshbuf_free(b); 580 return r; 581 } 582 583 int 584 sshsig_verify_fd(struct sshbuf *signature, int fd, 585 const char *expect_namespace, struct sshkey **sign_keyp, 586 struct sshkey_sig_details **sig_details) 587 { 588 struct sshbuf *b = NULL; 589 int r = SSH_ERR_INTERNAL_ERROR; 590 char *hashalg = NULL; 591 592 if (sig_details != NULL) 593 *sig_details = NULL; 594 if (sign_keyp != NULL) 595 *sign_keyp = NULL; 596 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) 597 return r; 598 debug_f("signature made with hash \"%s\"", hashalg); 599 if ((r = hash_file(fd, hashalg, &b)) != 0) { 600 error_fr(r, "hash_file"); 601 goto out; 602 } 603 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, 604 sign_keyp, sig_details)) != 0) 605 goto out; 606 /* success */ 607 r = 0; 608 out: 609 sshbuf_free(b); 610 free(hashalg); 611 return r; 612 } 613 614 struct sshsigopt { 615 int ca; 616 char *namespaces; 617 uint64_t valid_after, valid_before; 618 }; 619 620 struct sshsigopt * 621 sshsigopt_parse(const char *opts, const char *path, u_long linenum, 622 const char **errstrp) 623 { 624 struct sshsigopt *ret; 625 int r; 626 char *opt; 627 const char *errstr = NULL; 628 629 if ((ret = calloc(1, sizeof(*ret))) == NULL) 630 return NULL; 631 if (opts == NULL || *opts == '\0') 632 return ret; /* Empty options yields empty options :) */ 633 634 while (*opts && *opts != ' ' && *opts != '\t') { 635 /* flag options */ 636 if ((r = opt_flag("cert-authority", 0, &opts)) != -1) { 637 ret->ca = 1; 638 } else if (opt_match(&opts, "namespaces")) { 639 if (ret->namespaces != NULL) { 640 errstr = "multiple \"namespaces\" clauses"; 641 goto fail; 642 } 643 ret->namespaces = opt_dequote(&opts, &errstr); 644 if (ret->namespaces == NULL) 645 goto fail; 646 } else if (opt_match(&opts, "valid-after")) { 647 if (ret->valid_after != 0) { 648 errstr = "multiple \"valid-after\" clauses"; 649 goto fail; 650 } 651 if ((opt = opt_dequote(&opts, &errstr)) == NULL) 652 goto fail; 653 if (parse_absolute_time(opt, &ret->valid_after) != 0 || 654 ret->valid_after == 0) { 655 free(opt); 656 errstr = "invalid \"valid-after\" time"; 657 goto fail; 658 } 659 free(opt); 660 } else if (opt_match(&opts, "valid-before")) { 661 if (ret->valid_before != 0) { 662 errstr = "multiple \"valid-before\" clauses"; 663 goto fail; 664 } 665 if ((opt = opt_dequote(&opts, &errstr)) == NULL) 666 goto fail; 667 if (parse_absolute_time(opt, &ret->valid_before) != 0 || 668 ret->valid_before == 0) { 669 free(opt); 670 errstr = "invalid \"valid-before\" time"; 671 goto fail; 672 } 673 free(opt); 674 } 675 /* 676 * Skip the comma, and move to the next option 677 * (or break out if there are no more). 678 */ 679 if (*opts == '\0' || *opts == ' ' || *opts == '\t') 680 break; /* End of options. */ 681 /* Anything other than a comma is an unknown option */ 682 if (*opts != ',') { 683 errstr = "unknown key option"; 684 goto fail; 685 } 686 opts++; 687 if (*opts == '\0') { 688 errstr = "unexpected end-of-options"; 689 goto fail; 690 } 691 } 692 /* final consistency check */ 693 if (ret->valid_after != 0 && ret->valid_before != 0 && 694 ret->valid_before <= ret->valid_after) { 695 errstr = "\"valid-before\" time is before \"valid-after\""; 696 goto fail; 697 } 698 /* success */ 699 return ret; 700 fail: 701 if (errstrp != NULL) 702 *errstrp = errstr; 703 sshsigopt_free(ret); 704 return NULL; 705 } 706 707 void 708 sshsigopt_free(struct sshsigopt *opts) 709 { 710 if (opts == NULL) 711 return; 712 free(opts->namespaces); 713 free(opts); 714 } 715 716 static int 717 parse_principals_key_and_options(const char *path, u_long linenum, char *line, 718 const char *required_principal, char **principalsp, struct sshkey **keyp, 719 struct sshsigopt **sigoptsp) 720 { 721 char *opts = NULL, *tmp, *cp, *principals = NULL; 722 const char *reason = NULL; 723 struct sshsigopt *sigopts = NULL; 724 struct sshkey *key = NULL; 725 int r = SSH_ERR_INTERNAL_ERROR; 726 727 if (principalsp != NULL) 728 *principalsp = NULL; 729 if (sigoptsp != NULL) 730 *sigoptsp = NULL; 731 if (keyp != NULL) 732 *keyp = NULL; 733 734 cp = line; 735 cp = cp + strspn(cp, " \t"); /* skip leading whitespace */ 736 if (*cp == '#' || *cp == '\0') 737 return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */ 738 739 /* format: identity[,identity...] [option[,option...]] key */ 740 if ((tmp = strdelimw(&cp)) == NULL) { 741 error("%s:%lu: invalid line", path, linenum); 742 r = SSH_ERR_INVALID_FORMAT; 743 goto out; 744 } 745 if ((principals = strdup(tmp)) == NULL) { 746 error_f("strdup failed"); 747 r = SSH_ERR_ALLOC_FAIL; 748 goto out; 749 } 750 /* 751 * Bail out early if we're looking for a particular principal and this 752 * line does not list it. 753 */ 754 if (required_principal != NULL) { 755 if (match_pattern_list(required_principal, 756 principals, 0) != 1) { 757 /* principal didn't match */ 758 r = SSH_ERR_KEY_NOT_FOUND; 759 goto out; 760 } 761 debug_f("%s:%lu: matched principal \"%s\"", 762 path, linenum, required_principal); 763 } 764 765 if ((key = sshkey_new(KEY_UNSPEC)) == NULL) { 766 error_f("sshkey_new failed"); 767 r = SSH_ERR_ALLOC_FAIL; 768 goto out; 769 } 770 if (sshkey_read(key, &cp) != 0) { 771 /* no key? Check for options */ 772 opts = cp; 773 if (sshkey_advance_past_options(&cp) != 0) { 774 error("%s:%lu: invalid options", path, linenum); 775 r = SSH_ERR_INVALID_FORMAT; 776 goto out; 777 } 778 *cp++ = '\0'; 779 skip_space(&cp); 780 if (sshkey_read(key, &cp) != 0) { 781 error("%s:%lu: invalid key", path, linenum); 782 r = SSH_ERR_INVALID_FORMAT; 783 goto out; 784 } 785 } 786 debug3("%s:%lu: options %s", path, linenum, opts == NULL ? "" : opts); 787 if ((sigopts = sshsigopt_parse(opts, path, linenum, &reason)) == NULL) { 788 error("%s:%lu: bad options: %s", path, linenum, reason); 789 r = SSH_ERR_INVALID_FORMAT; 790 goto out; 791 } 792 /* success */ 793 if (principalsp != NULL) { 794 *principalsp = principals; 795 principals = NULL; /* transferred */ 796 } 797 if (sigoptsp != NULL) { 798 *sigoptsp = sigopts; 799 sigopts = NULL; /* transferred */ 800 } 801 if (keyp != NULL) { 802 *keyp = key; 803 key = NULL; /* transferred */ 804 } 805 r = 0; 806 out: 807 free(principals); 808 sshsigopt_free(sigopts); 809 sshkey_free(key); 810 return r; 811 } 812 813 static int 814 cert_filter_principals(const char *path, u_long linenum, 815 char **principalsp, const struct sshkey *cert, uint64_t verify_time) 816 { 817 char *cp, *oprincipals, *principals; 818 const char *reason; 819 struct sshbuf *nprincipals; 820 int r = SSH_ERR_INTERNAL_ERROR, success = 0; 821 822 oprincipals = principals = *principalsp; 823 *principalsp = NULL; 824 825 if ((nprincipals = sshbuf_new()) == NULL) { 826 r = SSH_ERR_ALLOC_FAIL; 827 goto out; 828 } 829 830 while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') { 831 if (strcspn(cp, "!?*") != strlen(cp)) { 832 debug("%s:%lu: principal \"%s\" not authorized: " 833 "contains wildcards", path, linenum, cp); 834 continue; 835 } 836 /* Check against principals list in certificate */ 837 if ((r = sshkey_cert_check_authority(cert, 0, 1, 0, 838 verify_time, cp, &reason)) != 0) { 839 debug("%s:%lu: principal \"%s\" not authorized: %s", 840 path, linenum, cp, reason); 841 continue; 842 } 843 if ((r = sshbuf_putf(nprincipals, "%s%s", 844 sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) { 845 error_f("buffer error"); 846 goto out; 847 } 848 } 849 if (sshbuf_len(nprincipals) == 0) { 850 error("%s:%lu: no valid principals found", path, linenum); 851 r = SSH_ERR_KEY_CERT_INVALID; 852 goto out; 853 } 854 if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { 855 error_f("buffer error"); 856 goto out; 857 } 858 /* success */ 859 success = 1; 860 *principalsp = principals; 861 out: 862 sshbuf_free(nprincipals); 863 free(oprincipals); 864 return success ? 0 : r; 865 } 866 867 static int 868 check_allowed_keys_line(const char *path, u_long linenum, char *line, 869 const struct sshkey *sign_key, const char *principal, 870 const char *sig_namespace, uint64_t verify_time, char **principalsp) 871 { 872 struct sshkey *found_key = NULL; 873 char *principals = NULL; 874 int r, success = 0; 875 const char *reason = NULL; 876 struct sshsigopt *sigopts = NULL; 877 char tvalid[64], tverify[64]; 878 879 if (principalsp != NULL) 880 *principalsp = NULL; 881 882 /* Parse the line */ 883 if ((r = parse_principals_key_and_options(path, linenum, line, 884 principal, &principals, &found_key, &sigopts)) != 0) { 885 /* error already logged */ 886 goto done; 887 } 888 889 if (!sigopts->ca && sshkey_equal(found_key, sign_key)) { 890 /* Exact match of key */ 891 debug("%s:%lu: matched key", path, linenum); 892 } else if (sigopts->ca && sshkey_is_cert(sign_key) && 893 sshkey_equal_public(sign_key->cert->signature_key, found_key)) { 894 if (principal) { 895 /* Match certificate CA key with specified principal */ 896 if ((r = sshkey_cert_check_authority(sign_key, 0, 1, 0, 897 verify_time, principal, &reason)) != 0) { 898 error("%s:%lu: certificate not authorized: %s", 899 path, linenum, reason); 900 goto done; 901 } 902 debug("%s:%lu: matched certificate CA key", 903 path, linenum); 904 } else { 905 /* No principal specified - find all matching ones */ 906 if ((r = cert_filter_principals(path, linenum, 907 &principals, sign_key, verify_time)) != 0) { 908 /* error already displayed */ 909 debug_r(r, "%s:%lu: cert_filter_principals", 910 path, linenum); 911 goto done; 912 } 913 debug("%s:%lu: matched certificate CA key", 914 path, linenum); 915 } 916 } else { 917 /* Didn't match key */ 918 goto done; 919 } 920 921 /* Check whether options preclude the use of this key */ 922 if (sigopts->namespaces != NULL && 923 match_pattern_list(sig_namespace, sigopts->namespaces, 0) != 1) { 924 error("%s:%lu: key is not permitted for use in signature " 925 "namespace \"%s\"", path, linenum, sig_namespace); 926 goto done; 927 } 928 929 /* check key time validity */ 930 format_absolute_time((uint64_t)verify_time, tverify, sizeof(tverify)); 931 if (sigopts->valid_after != 0 && 932 (uint64_t)verify_time < sigopts->valid_after) { 933 format_absolute_time(sigopts->valid_after, 934 tvalid, sizeof(tvalid)); 935 error("%s:%lu: key is not yet valid: " 936 "verify time %s < valid-after %s", path, linenum, 937 tverify, tvalid); 938 goto done; 939 } 940 if (sigopts->valid_before != 0 && 941 (uint64_t)verify_time > sigopts->valid_before) { 942 format_absolute_time(sigopts->valid_before, 943 tvalid, sizeof(tvalid)); 944 error("%s:%lu: key has expired: " 945 "verify time %s > valid-before %s", path, linenum, 946 tverify, tvalid); 947 goto done; 948 } 949 success = 1; 950 951 done: 952 if (success && principalsp != NULL) { 953 *principalsp = principals; 954 principals = NULL; /* transferred */ 955 } 956 free(principals); 957 sshkey_free(found_key); 958 sshsigopt_free(sigopts); 959 return success ? 0 : SSH_ERR_KEY_NOT_FOUND; 960 } 961 962 int 963 sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key, 964 const char *principal, const char *sig_namespace, uint64_t verify_time) 965 { 966 FILE *f = NULL; 967 char *line = NULL; 968 size_t linesize = 0; 969 u_long linenum = 0; 970 int r = SSH_ERR_INTERNAL_ERROR, oerrno; 971 972 /* Check key and principal against file */ 973 if ((f = fopen(path, "r")) == NULL) { 974 oerrno = errno; 975 error("Unable to open allowed keys file \"%s\": %s", 976 path, strerror(errno)); 977 errno = oerrno; 978 return SSH_ERR_SYSTEM_ERROR; 979 } 980 981 while (getline(&line, &linesize, f) != -1) { 982 linenum++; 983 r = check_allowed_keys_line(path, linenum, line, sign_key, 984 principal, sig_namespace, verify_time, NULL); 985 free(line); 986 line = NULL; 987 linesize = 0; 988 if (r == SSH_ERR_KEY_NOT_FOUND) 989 continue; 990 else if (r == 0) { 991 /* success */ 992 fclose(f); 993 return 0; 994 } else 995 break; 996 } 997 /* Either we hit an error parsing or we simply didn't find the key */ 998 fclose(f); 999 free(line); 1000 return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r; 1001 } 1002 1003 int 1004 sshsig_find_principals(const char *path, const struct sshkey *sign_key, 1005 uint64_t verify_time, char **principals) 1006 { 1007 FILE *f = NULL; 1008 char *line = NULL; 1009 size_t linesize = 0; 1010 u_long linenum = 0; 1011 int r = SSH_ERR_INTERNAL_ERROR, oerrno; 1012 1013 if ((f = fopen(path, "r")) == NULL) { 1014 oerrno = errno; 1015 error("Unable to open allowed keys file \"%s\": %s", 1016 path, strerror(errno)); 1017 errno = oerrno; 1018 return SSH_ERR_SYSTEM_ERROR; 1019 } 1020 1021 r = SSH_ERR_KEY_NOT_FOUND; 1022 while (getline(&line, &linesize, f) != -1) { 1023 linenum++; 1024 r = check_allowed_keys_line(path, linenum, line, 1025 sign_key, NULL, NULL, verify_time, principals); 1026 free(line); 1027 line = NULL; 1028 linesize = 0; 1029 if (r == SSH_ERR_KEY_NOT_FOUND) 1030 continue; 1031 else if (r == 0) { 1032 /* success */ 1033 fclose(f); 1034 return 0; 1035 } else 1036 break; 1037 } 1038 free(line); 1039 /* Either we hit an error parsing or we simply didn't find the key */ 1040 if (ferror(f) != 0) { 1041 oerrno = errno; 1042 fclose(f); 1043 error("Unable to read allowed keys file \"%s\": %s", 1044 path, strerror(errno)); 1045 errno = oerrno; 1046 return SSH_ERR_SYSTEM_ERROR; 1047 } 1048 fclose(f); 1049 return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r; 1050 } 1051 1052 int 1053 sshsig_match_principals(const char *path, const char *principal, 1054 char ***principalsp, size_t *nprincipalsp) 1055 { 1056 FILE *f = NULL; 1057 char *found, *line = NULL, **principals = NULL, **tmp; 1058 size_t i, nprincipals = 0, linesize = 0; 1059 u_long linenum = 0; 1060 int oerrno = 0, r, ret = 0; 1061 1062 if (principalsp != NULL) 1063 *principalsp = NULL; 1064 if (nprincipalsp != NULL) 1065 *nprincipalsp = 0; 1066 1067 /* Check key and principal against file */ 1068 if ((f = fopen(path, "r")) == NULL) { 1069 oerrno = errno; 1070 error("Unable to open allowed keys file \"%s\": %s", 1071 path, strerror(errno)); 1072 errno = oerrno; 1073 return SSH_ERR_SYSTEM_ERROR; 1074 } 1075 1076 while (getline(&line, &linesize, f) != -1) { 1077 linenum++; 1078 /* Parse the line */ 1079 if ((r = parse_principals_key_and_options(path, linenum, line, 1080 principal, &found, NULL, NULL)) != 0) { 1081 if (r == SSH_ERR_KEY_NOT_FOUND) 1082 continue; 1083 ret = r; 1084 oerrno = errno; 1085 break; /* unexpected error */ 1086 } 1087 if ((tmp = recallocarray(principals, nprincipals, 1088 nprincipals + 1, sizeof(*principals))) == NULL) { 1089 ret = SSH_ERR_ALLOC_FAIL; 1090 free(found); 1091 break; 1092 } 1093 principals = tmp; 1094 principals[nprincipals++] = found; /* transferred */ 1095 free(line); 1096 line = NULL; 1097 linesize = 0; 1098 } 1099 fclose(f); 1100 1101 if (ret == 0) { 1102 if (nprincipals == 0) 1103 ret = SSH_ERR_KEY_NOT_FOUND; 1104 if (principalsp != NULL) { 1105 *principalsp = principals; 1106 principals = NULL; /* transferred */ 1107 } 1108 if (nprincipalsp != 0) { 1109 *nprincipalsp = nprincipals; 1110 nprincipals = 0; 1111 } 1112 } 1113 1114 for (i = 0; i < nprincipals; i++) 1115 free(principals[i]); 1116 free(principals); 1117 1118 errno = oerrno; 1119 return ret; 1120 } 1121 1122 int 1123 sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey) 1124 { 1125 struct sshkey *pk = NULL; 1126 int r = SSH_ERR_SIGNATURE_INVALID; 1127 1128 if (pubkey == NULL) 1129 return SSH_ERR_INTERNAL_ERROR; 1130 if ((r = sshsig_parse_preamble(signature)) != 0) 1131 return r; 1132 if ((r = sshkey_froms(signature, &pk)) != 0) 1133 return r; 1134 1135 *pubkey = pk; 1136 pk = NULL; 1137 return 0; 1138 } 1139