1 /* $OpenBSD: sshkey.c,v 1.20 2015/07/03 03:43:18 djm Exp $ */ 2 /* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 #include "includes.h" 29 30 #include <sys/param.h> /* MIN MAX */ 31 #include <sys/types.h> 32 #include <netinet/in.h> 33 34 #ifdef WITH_OPENSSL 35 #include <openssl/evp.h> 36 #include <openssl/err.h> 37 #include <openssl/pem.h> 38 #endif 39 40 #include "crypto_api.h" 41 42 #include <errno.h> 43 #include <limits.h> 44 #include <stdio.h> 45 #include <string.h> 46 #include <resolv.h> 47 #ifdef HAVE_UTIL_H 48 #include <util.h> 49 #endif /* HAVE_UTIL_H */ 50 51 #include "ssh2.h" 52 #include "ssherr.h" 53 #include "misc.h" 54 #include "sshbuf.h" 55 #include "rsa.h" 56 #include "cipher.h" 57 #include "digest.h" 58 #define SSHKEY_INTERNAL 59 #include "sshkey.h" 60 #include "match.h" 61 62 /* openssh private key file format */ 63 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 64 #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 65 #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 66 #define MARK_END_LEN (sizeof(MARK_END) - 1) 67 #define KDFNAME "bcrypt" 68 #define AUTH_MAGIC "openssh-key-v1" 69 #define SALT_LEN 16 70 #define DEFAULT_CIPHERNAME "aes256-cbc" 71 #define DEFAULT_ROUNDS 16 72 73 /* Version identification string for SSH v1 identity files. */ 74 #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" 75 76 static int sshkey_from_blob_internal(struct sshbuf *buf, 77 struct sshkey **keyp, int allow_cert); 78 79 /* Supported key types */ 80 struct keytype { 81 const char *name; 82 const char *shortname; 83 int type; 84 int nid; 85 int cert; 86 }; 87 static const struct keytype keytypes[] = { 88 { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 89 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 90 KEY_ED25519_CERT, 0, 1 }, 91 #ifdef WITH_OPENSSL 92 { NULL, "RSA1", KEY_RSA1, 0, 0 }, 93 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 94 { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 95 # ifdef OPENSSL_HAS_ECC 96 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 97 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 98 # ifdef OPENSSL_HAS_NISTP521 99 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 100 # endif /* OPENSSL_HAS_NISTP521 */ 101 # endif /* OPENSSL_HAS_ECC */ 102 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 103 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 104 # ifdef OPENSSL_HAS_ECC 105 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 106 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 107 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 108 KEY_ECDSA_CERT, NID_secp384r1, 1 }, 109 # ifdef OPENSSL_HAS_NISTP521 110 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 111 KEY_ECDSA_CERT, NID_secp521r1, 1 }, 112 # endif /* OPENSSL_HAS_NISTP521 */ 113 # endif /* OPENSSL_HAS_ECC */ 114 #endif /* WITH_OPENSSL */ 115 { NULL, NULL, -1, -1, 0 } 116 }; 117 118 const char * 119 sshkey_type(const struct sshkey *k) 120 { 121 const struct keytype *kt; 122 123 for (kt = keytypes; kt->type != -1; kt++) { 124 if (kt->type == k->type) 125 return kt->shortname; 126 } 127 return "unknown"; 128 } 129 130 static const char * 131 sshkey_ssh_name_from_type_nid(int type, int nid) 132 { 133 const struct keytype *kt; 134 135 for (kt = keytypes; kt->type != -1; kt++) { 136 if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 137 return kt->name; 138 } 139 return "ssh-unknown"; 140 } 141 142 int 143 sshkey_type_is_cert(int type) 144 { 145 const struct keytype *kt; 146 147 for (kt = keytypes; kt->type != -1; kt++) { 148 if (kt->type == type) 149 return kt->cert; 150 } 151 return 0; 152 } 153 154 const char * 155 sshkey_ssh_name(const struct sshkey *k) 156 { 157 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 158 } 159 160 const char * 161 sshkey_ssh_name_plain(const struct sshkey *k) 162 { 163 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 164 k->ecdsa_nid); 165 } 166 167 int 168 sshkey_type_from_name(const char *name) 169 { 170 const struct keytype *kt; 171 172 for (kt = keytypes; kt->type != -1; kt++) { 173 /* Only allow shortname matches for plain key types */ 174 if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 175 (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 176 return kt->type; 177 } 178 return KEY_UNSPEC; 179 } 180 181 int 182 sshkey_ecdsa_nid_from_name(const char *name) 183 { 184 const struct keytype *kt; 185 186 for (kt = keytypes; kt->type != -1; kt++) { 187 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 188 continue; 189 if (kt->name != NULL && strcmp(name, kt->name) == 0) 190 return kt->nid; 191 } 192 return -1; 193 } 194 195 char * 196 key_alg_list(int certs_only, int plain_only) 197 { 198 char *tmp, *ret = NULL; 199 size_t nlen, rlen = 0; 200 const struct keytype *kt; 201 202 for (kt = keytypes; kt->type != -1; kt++) { 203 if (kt->name == NULL) 204 continue; 205 if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 206 continue; 207 if (ret != NULL) 208 ret[rlen++] = '\n'; 209 nlen = strlen(kt->name); 210 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { 211 free(ret); 212 return NULL; 213 } 214 ret = tmp; 215 memcpy(ret + rlen, kt->name, nlen + 1); 216 rlen += nlen; 217 } 218 return ret; 219 } 220 221 int 222 sshkey_names_valid2(const char *names, int allow_wildcard) 223 { 224 char *s, *cp, *p; 225 const struct keytype *kt; 226 int type; 227 228 if (names == NULL || strcmp(names, "") == 0) 229 return 0; 230 if ((s = cp = strdup(names)) == NULL) 231 return 0; 232 for ((p = strsep(&cp, ",")); p && *p != '\0'; 233 (p = strsep(&cp, ","))) { 234 type = sshkey_type_from_name(p); 235 if (type == KEY_RSA1) { 236 free(s); 237 return 0; 238 } 239 if (type == KEY_UNSPEC) { 240 if (allow_wildcard) { 241 /* 242 * Try matching key types against the string. 243 * If any has a positive or negative match then 244 * the component is accepted. 245 */ 246 for (kt = keytypes; kt->type != -1; kt++) { 247 if (kt->type == KEY_RSA1) 248 continue; 249 if (match_pattern_list(kt->name, 250 p, 0) != 0) 251 break; 252 } 253 if (kt->type != -1) 254 continue; 255 } 256 free(s); 257 return 0; 258 } 259 } 260 free(s); 261 return 1; 262 } 263 264 u_int 265 sshkey_size(const struct sshkey *k) 266 { 267 switch (k->type) { 268 #ifdef WITH_OPENSSL 269 case KEY_RSA1: 270 case KEY_RSA: 271 case KEY_RSA_CERT: 272 return BN_num_bits(k->rsa->n); 273 case KEY_DSA: 274 case KEY_DSA_CERT: 275 return BN_num_bits(k->dsa->p); 276 case KEY_ECDSA: 277 case KEY_ECDSA_CERT: 278 return sshkey_curve_nid_to_bits(k->ecdsa_nid); 279 #endif /* WITH_OPENSSL */ 280 case KEY_ED25519: 281 case KEY_ED25519_CERT: 282 return 256; /* XXX */ 283 } 284 return 0; 285 } 286 287 static int 288 sshkey_type_is_valid_ca(int type) 289 { 290 switch (type) { 291 case KEY_RSA: 292 case KEY_DSA: 293 case KEY_ECDSA: 294 case KEY_ED25519: 295 return 1; 296 default: 297 return 0; 298 } 299 } 300 301 int 302 sshkey_is_cert(const struct sshkey *k) 303 { 304 if (k == NULL) 305 return 0; 306 return sshkey_type_is_cert(k->type); 307 } 308 309 /* Return the cert-less equivalent to a certified key type */ 310 int 311 sshkey_type_plain(int type) 312 { 313 switch (type) { 314 case KEY_RSA_CERT: 315 return KEY_RSA; 316 case KEY_DSA_CERT: 317 return KEY_DSA; 318 case KEY_ECDSA_CERT: 319 return KEY_ECDSA; 320 case KEY_ED25519_CERT: 321 return KEY_ED25519; 322 default: 323 return type; 324 } 325 } 326 327 #ifdef WITH_OPENSSL 328 /* XXX: these are really begging for a table-driven approach */ 329 int 330 sshkey_curve_name_to_nid(const char *name) 331 { 332 if (strcmp(name, "nistp256") == 0) 333 return NID_X9_62_prime256v1; 334 else if (strcmp(name, "nistp384") == 0) 335 return NID_secp384r1; 336 # ifdef OPENSSL_HAS_NISTP521 337 else if (strcmp(name, "nistp521") == 0) 338 return NID_secp521r1; 339 # endif /* OPENSSL_HAS_NISTP521 */ 340 else 341 return -1; 342 } 343 344 u_int 345 sshkey_curve_nid_to_bits(int nid) 346 { 347 switch (nid) { 348 case NID_X9_62_prime256v1: 349 return 256; 350 case NID_secp384r1: 351 return 384; 352 # ifdef OPENSSL_HAS_NISTP521 353 case NID_secp521r1: 354 return 521; 355 # endif /* OPENSSL_HAS_NISTP521 */ 356 default: 357 return 0; 358 } 359 } 360 361 int 362 sshkey_ecdsa_bits_to_nid(int bits) 363 { 364 switch (bits) { 365 case 256: 366 return NID_X9_62_prime256v1; 367 case 384: 368 return NID_secp384r1; 369 # ifdef OPENSSL_HAS_NISTP521 370 case 521: 371 return NID_secp521r1; 372 # endif /* OPENSSL_HAS_NISTP521 */ 373 default: 374 return -1; 375 } 376 } 377 378 const char * 379 sshkey_curve_nid_to_name(int nid) 380 { 381 switch (nid) { 382 case NID_X9_62_prime256v1: 383 return "nistp256"; 384 case NID_secp384r1: 385 return "nistp384"; 386 # ifdef OPENSSL_HAS_NISTP521 387 case NID_secp521r1: 388 return "nistp521"; 389 # endif /* OPENSSL_HAS_NISTP521 */ 390 default: 391 return NULL; 392 } 393 } 394 395 int 396 sshkey_ec_nid_to_hash_alg(int nid) 397 { 398 int kbits = sshkey_curve_nid_to_bits(nid); 399 400 if (kbits <= 0) 401 return -1; 402 403 /* RFC5656 section 6.2.1 */ 404 if (kbits <= 256) 405 return SSH_DIGEST_SHA256; 406 else if (kbits <= 384) 407 return SSH_DIGEST_SHA384; 408 else 409 return SSH_DIGEST_SHA512; 410 } 411 #endif /* WITH_OPENSSL */ 412 413 static void 414 cert_free(struct sshkey_cert *cert) 415 { 416 u_int i; 417 418 if (cert == NULL) 419 return; 420 if (cert->certblob != NULL) 421 sshbuf_free(cert->certblob); 422 if (cert->critical != NULL) 423 sshbuf_free(cert->critical); 424 if (cert->extensions != NULL) 425 sshbuf_free(cert->extensions); 426 if (cert->key_id != NULL) 427 free(cert->key_id); 428 for (i = 0; i < cert->nprincipals; i++) 429 free(cert->principals[i]); 430 if (cert->principals != NULL) 431 free(cert->principals); 432 if (cert->signature_key != NULL) 433 sshkey_free(cert->signature_key); 434 explicit_bzero(cert, sizeof(*cert)); 435 free(cert); 436 } 437 438 static struct sshkey_cert * 439 cert_new(void) 440 { 441 struct sshkey_cert *cert; 442 443 if ((cert = calloc(1, sizeof(*cert))) == NULL) 444 return NULL; 445 if ((cert->certblob = sshbuf_new()) == NULL || 446 (cert->critical = sshbuf_new()) == NULL || 447 (cert->extensions = sshbuf_new()) == NULL) { 448 cert_free(cert); 449 return NULL; 450 } 451 cert->key_id = NULL; 452 cert->principals = NULL; 453 cert->signature_key = NULL; 454 return cert; 455 } 456 457 struct sshkey * 458 sshkey_new(int type) 459 { 460 struct sshkey *k; 461 #ifdef WITH_OPENSSL 462 RSA *rsa; 463 DSA *dsa; 464 #endif /* WITH_OPENSSL */ 465 466 if ((k = calloc(1, sizeof(*k))) == NULL) 467 return NULL; 468 k->type = type; 469 k->ecdsa = NULL; 470 k->ecdsa_nid = -1; 471 k->dsa = NULL; 472 k->rsa = NULL; 473 k->cert = NULL; 474 k->ed25519_sk = NULL; 475 k->ed25519_pk = NULL; 476 switch (k->type) { 477 #ifdef WITH_OPENSSL 478 case KEY_RSA1: 479 case KEY_RSA: 480 case KEY_RSA_CERT: 481 if ((rsa = RSA_new()) == NULL || 482 (rsa->n = BN_new()) == NULL || 483 (rsa->e = BN_new()) == NULL) { 484 if (rsa != NULL) 485 RSA_free(rsa); 486 free(k); 487 return NULL; 488 } 489 k->rsa = rsa; 490 break; 491 case KEY_DSA: 492 case KEY_DSA_CERT: 493 if ((dsa = DSA_new()) == NULL || 494 (dsa->p = BN_new()) == NULL || 495 (dsa->q = BN_new()) == NULL || 496 (dsa->g = BN_new()) == NULL || 497 (dsa->pub_key = BN_new()) == NULL) { 498 if (dsa != NULL) 499 DSA_free(dsa); 500 free(k); 501 return NULL; 502 } 503 k->dsa = dsa; 504 break; 505 case KEY_ECDSA: 506 case KEY_ECDSA_CERT: 507 /* Cannot do anything until we know the group */ 508 break; 509 #endif /* WITH_OPENSSL */ 510 case KEY_ED25519: 511 case KEY_ED25519_CERT: 512 /* no need to prealloc */ 513 break; 514 case KEY_UNSPEC: 515 break; 516 default: 517 free(k); 518 return NULL; 519 break; 520 } 521 522 if (sshkey_is_cert(k)) { 523 if ((k->cert = cert_new()) == NULL) { 524 sshkey_free(k); 525 return NULL; 526 } 527 } 528 529 return k; 530 } 531 532 int 533 sshkey_add_private(struct sshkey *k) 534 { 535 switch (k->type) { 536 #ifdef WITH_OPENSSL 537 case KEY_RSA1: 538 case KEY_RSA: 539 case KEY_RSA_CERT: 540 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 541 if (bn_maybe_alloc_failed(k->rsa->d) || 542 bn_maybe_alloc_failed(k->rsa->iqmp) || 543 bn_maybe_alloc_failed(k->rsa->q) || 544 bn_maybe_alloc_failed(k->rsa->p) || 545 bn_maybe_alloc_failed(k->rsa->dmq1) || 546 bn_maybe_alloc_failed(k->rsa->dmp1)) 547 return SSH_ERR_ALLOC_FAIL; 548 break; 549 case KEY_DSA: 550 case KEY_DSA_CERT: 551 if (bn_maybe_alloc_failed(k->dsa->priv_key)) 552 return SSH_ERR_ALLOC_FAIL; 553 break; 554 #undef bn_maybe_alloc_failed 555 case KEY_ECDSA: 556 case KEY_ECDSA_CERT: 557 /* Cannot do anything until we know the group */ 558 break; 559 #endif /* WITH_OPENSSL */ 560 case KEY_ED25519: 561 case KEY_ED25519_CERT: 562 /* no need to prealloc */ 563 break; 564 case KEY_UNSPEC: 565 break; 566 default: 567 return SSH_ERR_INVALID_ARGUMENT; 568 } 569 return 0; 570 } 571 572 struct sshkey * 573 sshkey_new_private(int type) 574 { 575 struct sshkey *k = sshkey_new(type); 576 577 if (k == NULL) 578 return NULL; 579 if (sshkey_add_private(k) != 0) { 580 sshkey_free(k); 581 return NULL; 582 } 583 return k; 584 } 585 586 void 587 sshkey_free(struct sshkey *k) 588 { 589 if (k == NULL) 590 return; 591 switch (k->type) { 592 #ifdef WITH_OPENSSL 593 case KEY_RSA1: 594 case KEY_RSA: 595 case KEY_RSA_CERT: 596 if (k->rsa != NULL) 597 RSA_free(k->rsa); 598 k->rsa = NULL; 599 break; 600 case KEY_DSA: 601 case KEY_DSA_CERT: 602 if (k->dsa != NULL) 603 DSA_free(k->dsa); 604 k->dsa = NULL; 605 break; 606 # ifdef OPENSSL_HAS_ECC 607 case KEY_ECDSA: 608 case KEY_ECDSA_CERT: 609 if (k->ecdsa != NULL) 610 EC_KEY_free(k->ecdsa); 611 k->ecdsa = NULL; 612 break; 613 # endif /* OPENSSL_HAS_ECC */ 614 #endif /* WITH_OPENSSL */ 615 case KEY_ED25519: 616 case KEY_ED25519_CERT: 617 if (k->ed25519_pk) { 618 explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 619 free(k->ed25519_pk); 620 k->ed25519_pk = NULL; 621 } 622 if (k->ed25519_sk) { 623 explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 624 free(k->ed25519_sk); 625 k->ed25519_sk = NULL; 626 } 627 break; 628 case KEY_UNSPEC: 629 break; 630 default: 631 break; 632 } 633 if (sshkey_is_cert(k)) 634 cert_free(k->cert); 635 explicit_bzero(k, sizeof(*k)); 636 free(k); 637 } 638 639 static int 640 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 641 { 642 if (a == NULL && b == NULL) 643 return 1; 644 if (a == NULL || b == NULL) 645 return 0; 646 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 647 return 0; 648 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 649 sshbuf_len(a->certblob)) != 0) 650 return 0; 651 return 1; 652 } 653 654 /* 655 * Compare public portions of key only, allowing comparisons between 656 * certificates and plain keys too. 657 */ 658 int 659 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 660 { 661 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 662 BN_CTX *bnctx; 663 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 664 665 if (a == NULL || b == NULL || 666 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 667 return 0; 668 669 switch (a->type) { 670 #ifdef WITH_OPENSSL 671 case KEY_RSA1: 672 case KEY_RSA_CERT: 673 case KEY_RSA: 674 return a->rsa != NULL && b->rsa != NULL && 675 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 676 BN_cmp(a->rsa->n, b->rsa->n) == 0; 677 case KEY_DSA_CERT: 678 case KEY_DSA: 679 return a->dsa != NULL && b->dsa != NULL && 680 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 681 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 682 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 683 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 684 # ifdef OPENSSL_HAS_ECC 685 case KEY_ECDSA_CERT: 686 case KEY_ECDSA: 687 if (a->ecdsa == NULL || b->ecdsa == NULL || 688 EC_KEY_get0_public_key(a->ecdsa) == NULL || 689 EC_KEY_get0_public_key(b->ecdsa) == NULL) 690 return 0; 691 if ((bnctx = BN_CTX_new()) == NULL) 692 return 0; 693 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 694 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 695 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 696 EC_KEY_get0_public_key(a->ecdsa), 697 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 698 BN_CTX_free(bnctx); 699 return 0; 700 } 701 BN_CTX_free(bnctx); 702 return 1; 703 # endif /* OPENSSL_HAS_ECC */ 704 #endif /* WITH_OPENSSL */ 705 case KEY_ED25519: 706 case KEY_ED25519_CERT: 707 return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 708 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 709 default: 710 return 0; 711 } 712 /* NOTREACHED */ 713 } 714 715 int 716 sshkey_equal(const struct sshkey *a, const struct sshkey *b) 717 { 718 if (a == NULL || b == NULL || a->type != b->type) 719 return 0; 720 if (sshkey_is_cert(a)) { 721 if (!cert_compare(a->cert, b->cert)) 722 return 0; 723 } 724 return sshkey_equal_public(a, b); 725 } 726 727 static int 728 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) 729 { 730 int type, ret = SSH_ERR_INTERNAL_ERROR; 731 const char *typename; 732 733 if (key == NULL) 734 return SSH_ERR_INVALID_ARGUMENT; 735 736 if (sshkey_is_cert(key)) { 737 if (key->cert == NULL) 738 return SSH_ERR_EXPECTED_CERT; 739 if (sshbuf_len(key->cert->certblob) == 0) 740 return SSH_ERR_KEY_LACKS_CERTBLOB; 741 } 742 type = force_plain ? sshkey_type_plain(key->type) : key->type; 743 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 744 745 switch (type) { 746 #ifdef WITH_OPENSSL 747 case KEY_DSA_CERT: 748 case KEY_ECDSA_CERT: 749 case KEY_RSA_CERT: 750 #endif /* WITH_OPENSSL */ 751 case KEY_ED25519_CERT: 752 /* Use the existing blob */ 753 /* XXX modified flag? */ 754 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 755 return ret; 756 break; 757 #ifdef WITH_OPENSSL 758 case KEY_DSA: 759 if (key->dsa == NULL) 760 return SSH_ERR_INVALID_ARGUMENT; 761 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 762 (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 763 (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 764 (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 765 (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) 766 return ret; 767 break; 768 # ifdef OPENSSL_HAS_ECC 769 case KEY_ECDSA: 770 if (key->ecdsa == NULL) 771 return SSH_ERR_INVALID_ARGUMENT; 772 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 773 (ret = sshbuf_put_cstring(b, 774 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 775 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) 776 return ret; 777 break; 778 # endif 779 case KEY_RSA: 780 if (key->rsa == NULL) 781 return SSH_ERR_INVALID_ARGUMENT; 782 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 783 (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 784 (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) 785 return ret; 786 break; 787 #endif /* WITH_OPENSSL */ 788 case KEY_ED25519: 789 if (key->ed25519_pk == NULL) 790 return SSH_ERR_INVALID_ARGUMENT; 791 if ((ret = sshbuf_put_cstring(b, typename)) != 0 || 792 (ret = sshbuf_put_string(b, 793 key->ed25519_pk, ED25519_PK_SZ)) != 0) 794 return ret; 795 break; 796 default: 797 return SSH_ERR_KEY_TYPE_UNKNOWN; 798 } 799 return 0; 800 } 801 802 int 803 sshkey_putb(const struct sshkey *key, struct sshbuf *b) 804 { 805 return to_blob_buf(key, b, 0); 806 } 807 808 int 809 sshkey_puts(const struct sshkey *key, struct sshbuf *b) 810 { 811 struct sshbuf *tmp; 812 int r; 813 814 if ((tmp = sshbuf_new()) == NULL) 815 return SSH_ERR_ALLOC_FAIL; 816 r = to_blob_buf(key, tmp, 0); 817 if (r == 0) 818 r = sshbuf_put_stringb(b, tmp); 819 sshbuf_free(tmp); 820 return r; 821 } 822 823 int 824 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 825 { 826 return to_blob_buf(key, b, 1); 827 } 828 829 static int 830 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) 831 { 832 int ret = SSH_ERR_INTERNAL_ERROR; 833 size_t len; 834 struct sshbuf *b = NULL; 835 836 if (lenp != NULL) 837 *lenp = 0; 838 if (blobp != NULL) 839 *blobp = NULL; 840 if ((b = sshbuf_new()) == NULL) 841 return SSH_ERR_ALLOC_FAIL; 842 if ((ret = to_blob_buf(key, b, force_plain)) != 0) 843 goto out; 844 len = sshbuf_len(b); 845 if (lenp != NULL) 846 *lenp = len; 847 if (blobp != NULL) { 848 if ((*blobp = malloc(len)) == NULL) { 849 ret = SSH_ERR_ALLOC_FAIL; 850 goto out; 851 } 852 memcpy(*blobp, sshbuf_ptr(b), len); 853 } 854 ret = 0; 855 out: 856 sshbuf_free(b); 857 return ret; 858 } 859 860 int 861 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 862 { 863 return to_blob(key, blobp, lenp, 0); 864 } 865 866 int 867 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 868 { 869 return to_blob(key, blobp, lenp, 1); 870 } 871 872 int 873 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 874 u_char **retp, size_t *lenp) 875 { 876 u_char *blob = NULL, *ret = NULL; 877 size_t blob_len = 0; 878 int r = SSH_ERR_INTERNAL_ERROR; 879 880 if (retp != NULL) 881 *retp = NULL; 882 if (lenp != NULL) 883 *lenp = 0; 884 if (ssh_digest_bytes(dgst_alg) == 0) { 885 r = SSH_ERR_INVALID_ARGUMENT; 886 goto out; 887 } 888 889 if (k->type == KEY_RSA1) { 890 #ifdef WITH_OPENSSL 891 int nlen = BN_num_bytes(k->rsa->n); 892 int elen = BN_num_bytes(k->rsa->e); 893 894 blob_len = nlen + elen; 895 if (nlen >= INT_MAX - elen || 896 (blob = malloc(blob_len)) == NULL) { 897 r = SSH_ERR_ALLOC_FAIL; 898 goto out; 899 } 900 BN_bn2bin(k->rsa->n, blob); 901 BN_bn2bin(k->rsa->e, blob + nlen); 902 #endif /* WITH_OPENSSL */ 903 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) 904 goto out; 905 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 906 r = SSH_ERR_ALLOC_FAIL; 907 goto out; 908 } 909 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 910 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 911 goto out; 912 /* success */ 913 if (retp != NULL) { 914 *retp = ret; 915 ret = NULL; 916 } 917 if (lenp != NULL) 918 *lenp = ssh_digest_bytes(dgst_alg); 919 r = 0; 920 out: 921 free(ret); 922 if (blob != NULL) { 923 explicit_bzero(blob, blob_len); 924 free(blob); 925 } 926 return r; 927 } 928 929 static char * 930 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 931 { 932 char *ret; 933 size_t plen = strlen(alg) + 1; 934 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 935 int r; 936 937 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 938 return NULL; 939 strlcpy(ret, alg, rlen); 940 strlcat(ret, ":", rlen); 941 if (dgst_raw_len == 0) 942 return ret; 943 if ((r = b64_ntop(dgst_raw, dgst_raw_len, 944 ret + plen, rlen - plen)) == -1) { 945 explicit_bzero(ret, rlen); 946 free(ret); 947 return NULL; 948 } 949 /* Trim padding characters from end */ 950 ret[strcspn(ret, "=")] = '\0'; 951 return ret; 952 } 953 954 static char * 955 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 956 { 957 char *retval, hex[5]; 958 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 959 960 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 961 return NULL; 962 strlcpy(retval, alg, rlen); 963 strlcat(retval, ":", rlen); 964 for (i = 0; i < dgst_raw_len; i++) { 965 snprintf(hex, sizeof(hex), "%s%02x", 966 i > 0 ? ":" : "", dgst_raw[i]); 967 strlcat(retval, hex, rlen); 968 } 969 return retval; 970 } 971 972 static char * 973 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 974 { 975 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 976 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 977 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 978 u_int i, j = 0, rounds, seed = 1; 979 char *retval; 980 981 rounds = (dgst_raw_len / 2) + 1; 982 if ((retval = calloc(rounds, 6)) == NULL) 983 return NULL; 984 retval[j++] = 'x'; 985 for (i = 0; i < rounds; i++) { 986 u_int idx0, idx1, idx2, idx3, idx4; 987 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 988 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 989 seed) % 6; 990 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 991 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 992 (seed / 6)) % 6; 993 retval[j++] = vowels[idx0]; 994 retval[j++] = consonants[idx1]; 995 retval[j++] = vowels[idx2]; 996 if ((i + 1) < rounds) { 997 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 998 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 999 retval[j++] = consonants[idx3]; 1000 retval[j++] = '-'; 1001 retval[j++] = consonants[idx4]; 1002 seed = ((seed * 5) + 1003 ((((u_int)(dgst_raw[2 * i])) * 7) + 1004 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1005 } 1006 } else { 1007 idx0 = seed % 6; 1008 idx1 = 16; 1009 idx2 = seed / 6; 1010 retval[j++] = vowels[idx0]; 1011 retval[j++] = consonants[idx1]; 1012 retval[j++] = vowels[idx2]; 1013 } 1014 } 1015 retval[j++] = 'x'; 1016 retval[j++] = '\0'; 1017 return retval; 1018 } 1019 1020 /* 1021 * Draw an ASCII-Art representing the fingerprint so human brain can 1022 * profit from its built-in pattern recognition ability. 1023 * This technique is called "random art" and can be found in some 1024 * scientific publications like this original paper: 1025 * 1026 * "Hash Visualization: a New Technique to improve Real-World Security", 1027 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1028 * Techniques and E-Commerce (CrypTEC '99) 1029 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1030 * 1031 * The subject came up in a talk by Dan Kaminsky, too. 1032 * 1033 * If you see the picture is different, the key is different. 1034 * If the picture looks the same, you still know nothing. 1035 * 1036 * The algorithm used here is a worm crawling over a discrete plane, 1037 * leaving a trace (augmenting the field) everywhere it goes. 1038 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1039 * makes the respective movement vector be ignored for this turn. 1040 * Graphs are not unambiguous, because circles in graphs can be 1041 * walked in either direction. 1042 */ 1043 1044 /* 1045 * Field sizes for the random art. Have to be odd, so the starting point 1046 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1047 * Else pictures would be too dense, and drawing the frame would 1048 * fail, too, because the key type would not fit in anymore. 1049 */ 1050 #define FLDBASE 8 1051 #define FLDSIZE_Y (FLDBASE + 1) 1052 #define FLDSIZE_X (FLDBASE * 2 + 1) 1053 static char * 1054 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1055 const struct sshkey *k) 1056 { 1057 /* 1058 * Chars to be used after each other every time the worm 1059 * intersects with itself. Matter of taste. 1060 */ 1061 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1062 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1063 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1064 size_t i, tlen, hlen; 1065 u_int b; 1066 int x, y, r; 1067 size_t len = strlen(augmentation_string) - 1; 1068 1069 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1070 return NULL; 1071 1072 /* initialize field */ 1073 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1074 x = FLDSIZE_X / 2; 1075 y = FLDSIZE_Y / 2; 1076 1077 /* process raw key */ 1078 for (i = 0; i < dgst_raw_len; i++) { 1079 int input; 1080 /* each byte conveys four 2-bit move commands */ 1081 input = dgst_raw[i]; 1082 for (b = 0; b < 4; b++) { 1083 /* evaluate 2 bit, rest is shifted later */ 1084 x += (input & 0x1) ? 1 : -1; 1085 y += (input & 0x2) ? 1 : -1; 1086 1087 /* assure we are still in bounds */ 1088 x = MAX(x, 0); 1089 y = MAX(y, 0); 1090 x = MIN(x, FLDSIZE_X - 1); 1091 y = MIN(y, FLDSIZE_Y - 1); 1092 1093 /* augment the field */ 1094 if (field[x][y] < len - 2) 1095 field[x][y]++; 1096 input = input >> 2; 1097 } 1098 } 1099 1100 /* mark starting point and end point*/ 1101 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1102 field[x][y] = len; 1103 1104 /* assemble title */ 1105 r = snprintf(title, sizeof(title), "[%s %u]", 1106 sshkey_type(k), sshkey_size(k)); 1107 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1108 if (r < 0 || r > (int)sizeof(title)) 1109 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1110 tlen = (r <= 0) ? 0 : strlen(title); 1111 1112 /* assemble hash ID. */ 1113 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1114 hlen = (r <= 0) ? 0 : strlen(hash); 1115 1116 /* output upper border */ 1117 p = retval; 1118 *p++ = '+'; 1119 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1120 *p++ = '-'; 1121 memcpy(p, title, tlen); 1122 p += tlen; 1123 for (i += tlen; i < FLDSIZE_X; i++) 1124 *p++ = '-'; 1125 *p++ = '+'; 1126 *p++ = '\n'; 1127 1128 /* output content */ 1129 for (y = 0; y < FLDSIZE_Y; y++) { 1130 *p++ = '|'; 1131 for (x = 0; x < FLDSIZE_X; x++) 1132 *p++ = augmentation_string[MIN(field[x][y], len)]; 1133 *p++ = '|'; 1134 *p++ = '\n'; 1135 } 1136 1137 /* output lower border */ 1138 *p++ = '+'; 1139 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1140 *p++ = '-'; 1141 memcpy(p, hash, hlen); 1142 p += hlen; 1143 for (i += hlen; i < FLDSIZE_X; i++) 1144 *p++ = '-'; 1145 *p++ = '+'; 1146 1147 return retval; 1148 } 1149 1150 char * 1151 sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1152 enum sshkey_fp_rep dgst_rep) 1153 { 1154 char *retval = NULL; 1155 u_char *dgst_raw; 1156 size_t dgst_raw_len; 1157 1158 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1159 return NULL; 1160 switch (dgst_rep) { 1161 case SSH_FP_DEFAULT: 1162 if (dgst_alg == SSH_DIGEST_MD5) { 1163 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1164 dgst_raw, dgst_raw_len); 1165 } else { 1166 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1167 dgst_raw, dgst_raw_len); 1168 } 1169 break; 1170 case SSH_FP_HEX: 1171 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1172 dgst_raw, dgst_raw_len); 1173 break; 1174 case SSH_FP_BASE64: 1175 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1176 dgst_raw, dgst_raw_len); 1177 break; 1178 case SSH_FP_BUBBLEBABBLE: 1179 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1180 break; 1181 case SSH_FP_RANDOMART: 1182 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1183 dgst_raw, dgst_raw_len, k); 1184 break; 1185 default: 1186 explicit_bzero(dgst_raw, dgst_raw_len); 1187 free(dgst_raw); 1188 return NULL; 1189 } 1190 explicit_bzero(dgst_raw, dgst_raw_len); 1191 free(dgst_raw); 1192 return retval; 1193 } 1194 1195 #ifdef WITH_SSH1 1196 /* 1197 * Reads a multiple-precision integer in decimal from the buffer, and advances 1198 * the pointer. The integer must already be initialized. This function is 1199 * permitted to modify the buffer. This leaves *cpp to point just beyond the 1200 * last processed character. 1201 */ 1202 static int 1203 read_decimal_bignum(char **cpp, BIGNUM *v) 1204 { 1205 char *cp; 1206 size_t e; 1207 int skip = 1; /* skip white space */ 1208 1209 cp = *cpp; 1210 while (*cp == ' ' || *cp == '\t') 1211 cp++; 1212 e = strspn(cp, "0123456789"); 1213 if (e == 0) 1214 return SSH_ERR_INVALID_FORMAT; 1215 if (e > SSHBUF_MAX_BIGNUM * 3) 1216 return SSH_ERR_BIGNUM_TOO_LARGE; 1217 if (cp[e] == '\0') 1218 skip = 0; 1219 else if (index(" \t\r\n", cp[e]) == NULL) 1220 return SSH_ERR_INVALID_FORMAT; 1221 cp[e] = '\0'; 1222 if (BN_dec2bn(&v, cp) <= 0) 1223 return SSH_ERR_INVALID_FORMAT; 1224 *cpp = cp + e + skip; 1225 return 0; 1226 } 1227 #endif /* WITH_SSH1 */ 1228 1229 /* returns 0 ok, and < 0 error */ 1230 int 1231 sshkey_read(struct sshkey *ret, char **cpp) 1232 { 1233 struct sshkey *k; 1234 int retval = SSH_ERR_INVALID_FORMAT; 1235 char *cp, *space; 1236 int r, type, curve_nid = -1; 1237 struct sshbuf *blob; 1238 #ifdef WITH_SSH1 1239 char *ep; 1240 u_long bits; 1241 #endif /* WITH_SSH1 */ 1242 1243 cp = *cpp; 1244 1245 switch (ret->type) { 1246 case KEY_RSA1: 1247 #ifdef WITH_SSH1 1248 /* Get number of bits. */ 1249 bits = strtoul(cp, &ep, 10); 1250 if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || 1251 bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) 1252 return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ 1253 /* Get public exponent, public modulus. */ 1254 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) 1255 return r; 1256 if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) 1257 return r; 1258 *cpp = ep; 1259 /* validate the claimed number of bits */ 1260 if (BN_num_bits(ret->rsa->n) != (int)bits) 1261 return SSH_ERR_KEY_BITS_MISMATCH; 1262 retval = 0; 1263 #endif /* WITH_SSH1 */ 1264 break; 1265 case KEY_UNSPEC: 1266 case KEY_RSA: 1267 case KEY_DSA: 1268 case KEY_ECDSA: 1269 case KEY_ED25519: 1270 case KEY_DSA_CERT: 1271 case KEY_ECDSA_CERT: 1272 case KEY_RSA_CERT: 1273 case KEY_ED25519_CERT: 1274 space = strchr(cp, ' '); 1275 if (space == NULL) 1276 return SSH_ERR_INVALID_FORMAT; 1277 *space = '\0'; 1278 type = sshkey_type_from_name(cp); 1279 if (sshkey_type_plain(type) == KEY_ECDSA && 1280 (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) 1281 return SSH_ERR_EC_CURVE_INVALID; 1282 *space = ' '; 1283 if (type == KEY_UNSPEC) 1284 return SSH_ERR_INVALID_FORMAT; 1285 cp = space+1; 1286 if (*cp == '\0') 1287 return SSH_ERR_INVALID_FORMAT; 1288 if (ret->type != KEY_UNSPEC && ret->type != type) 1289 return SSH_ERR_KEY_TYPE_MISMATCH; 1290 if ((blob = sshbuf_new()) == NULL) 1291 return SSH_ERR_ALLOC_FAIL; 1292 /* trim comment */ 1293 space = strchr(cp, ' '); 1294 if (space) { 1295 /* advance 'space': skip whitespace */ 1296 *space++ = '\0'; 1297 while (*space == ' ' || *space == '\t') 1298 space++; 1299 *cpp = space; 1300 } else 1301 *cpp = cp + strlen(cp); 1302 if ((r = sshbuf_b64tod(blob, cp)) != 0) { 1303 sshbuf_free(blob); 1304 return r; 1305 } 1306 if ((r = sshkey_from_blob(sshbuf_ptr(blob), 1307 sshbuf_len(blob), &k)) != 0) { 1308 sshbuf_free(blob); 1309 return r; 1310 } 1311 sshbuf_free(blob); 1312 if (k->type != type) { 1313 sshkey_free(k); 1314 return SSH_ERR_KEY_TYPE_MISMATCH; 1315 } 1316 if (sshkey_type_plain(type) == KEY_ECDSA && 1317 curve_nid != k->ecdsa_nid) { 1318 sshkey_free(k); 1319 return SSH_ERR_EC_CURVE_MISMATCH; 1320 } 1321 ret->type = type; 1322 if (sshkey_is_cert(ret)) { 1323 if (!sshkey_is_cert(k)) { 1324 sshkey_free(k); 1325 return SSH_ERR_EXPECTED_CERT; 1326 } 1327 if (ret->cert != NULL) 1328 cert_free(ret->cert); 1329 ret->cert = k->cert; 1330 k->cert = NULL; 1331 } 1332 #ifdef WITH_OPENSSL 1333 if (sshkey_type_plain(ret->type) == KEY_RSA) { 1334 if (ret->rsa != NULL) 1335 RSA_free(ret->rsa); 1336 ret->rsa = k->rsa; 1337 k->rsa = NULL; 1338 #ifdef DEBUG_PK 1339 RSA_print_fp(stderr, ret->rsa, 8); 1340 #endif 1341 } 1342 if (sshkey_type_plain(ret->type) == KEY_DSA) { 1343 if (ret->dsa != NULL) 1344 DSA_free(ret->dsa); 1345 ret->dsa = k->dsa; 1346 k->dsa = NULL; 1347 #ifdef DEBUG_PK 1348 DSA_print_fp(stderr, ret->dsa, 8); 1349 #endif 1350 } 1351 # ifdef OPENSSL_HAS_ECC 1352 if (sshkey_type_plain(ret->type) == KEY_ECDSA) { 1353 if (ret->ecdsa != NULL) 1354 EC_KEY_free(ret->ecdsa); 1355 ret->ecdsa = k->ecdsa; 1356 ret->ecdsa_nid = k->ecdsa_nid; 1357 k->ecdsa = NULL; 1358 k->ecdsa_nid = -1; 1359 #ifdef DEBUG_PK 1360 sshkey_dump_ec_key(ret->ecdsa); 1361 #endif 1362 } 1363 # endif /* OPENSSL_HAS_ECC */ 1364 #endif /* WITH_OPENSSL */ 1365 if (sshkey_type_plain(ret->type) == KEY_ED25519) { 1366 free(ret->ed25519_pk); 1367 ret->ed25519_pk = k->ed25519_pk; 1368 k->ed25519_pk = NULL; 1369 #ifdef DEBUG_PK 1370 /* XXX */ 1371 #endif 1372 } 1373 retval = 0; 1374 /*XXXX*/ 1375 sshkey_free(k); 1376 if (retval != 0) 1377 break; 1378 break; 1379 default: 1380 return SSH_ERR_INVALID_ARGUMENT; 1381 } 1382 return retval; 1383 } 1384 1385 int 1386 sshkey_to_base64(const struct sshkey *key, char **b64p) 1387 { 1388 int r = SSH_ERR_INTERNAL_ERROR; 1389 struct sshbuf *b = NULL; 1390 char *uu = NULL; 1391 1392 if (b64p != NULL) 1393 *b64p = NULL; 1394 if ((b = sshbuf_new()) == NULL) 1395 return SSH_ERR_ALLOC_FAIL; 1396 if ((r = sshkey_putb(key, b)) != 0) 1397 goto out; 1398 if ((uu = sshbuf_dtob64(b)) == NULL) { 1399 r = SSH_ERR_ALLOC_FAIL; 1400 goto out; 1401 } 1402 /* Success */ 1403 if (b64p != NULL) { 1404 *b64p = uu; 1405 uu = NULL; 1406 } 1407 r = 0; 1408 out: 1409 sshbuf_free(b); 1410 free(uu); 1411 return r; 1412 } 1413 1414 static int 1415 sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b) 1416 { 1417 int r = SSH_ERR_INTERNAL_ERROR; 1418 #ifdef WITH_SSH1 1419 u_int bits = 0; 1420 char *dec_e = NULL, *dec_n = NULL; 1421 1422 if (key->rsa == NULL || key->rsa->e == NULL || 1423 key->rsa->n == NULL) { 1424 r = SSH_ERR_INVALID_ARGUMENT; 1425 goto out; 1426 } 1427 if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || 1428 (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { 1429 r = SSH_ERR_ALLOC_FAIL; 1430 goto out; 1431 } 1432 /* size of modulus 'n' */ 1433 if ((bits = BN_num_bits(key->rsa->n)) <= 0) { 1434 r = SSH_ERR_INVALID_ARGUMENT; 1435 goto out; 1436 } 1437 if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) 1438 goto out; 1439 1440 /* Success */ 1441 r = 0; 1442 out: 1443 if (dec_e != NULL) 1444 OPENSSL_free(dec_e); 1445 if (dec_n != NULL) 1446 OPENSSL_free(dec_n); 1447 #endif /* WITH_SSH1 */ 1448 1449 return r; 1450 } 1451 1452 static int 1453 sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1454 { 1455 int r = SSH_ERR_INTERNAL_ERROR; 1456 char *uu = NULL; 1457 1458 if (key->type == KEY_RSA1) { 1459 if ((r = sshkey_format_rsa1(key, b)) != 0) 1460 goto out; 1461 } else { 1462 /* Unsupported key types handled in sshkey_to_base64() */ 1463 if ((r = sshkey_to_base64(key, &uu)) != 0) 1464 goto out; 1465 if ((r = sshbuf_putf(b, "%s %s", 1466 sshkey_ssh_name(key), uu)) != 0) 1467 goto out; 1468 } 1469 r = 0; 1470 out: 1471 free(uu); 1472 return r; 1473 } 1474 1475 int 1476 sshkey_write(const struct sshkey *key, FILE *f) 1477 { 1478 struct sshbuf *b = NULL; 1479 int r = SSH_ERR_INTERNAL_ERROR; 1480 1481 if ((b = sshbuf_new()) == NULL) 1482 return SSH_ERR_ALLOC_FAIL; 1483 if ((r = sshkey_format_text(key, b)) != 0) 1484 goto out; 1485 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1486 if (feof(f)) 1487 errno = EPIPE; 1488 r = SSH_ERR_SYSTEM_ERROR; 1489 goto out; 1490 } 1491 /* Success */ 1492 r = 0; 1493 out: 1494 sshbuf_free(b); 1495 return r; 1496 } 1497 1498 const char * 1499 sshkey_cert_type(const struct sshkey *k) 1500 { 1501 switch (k->cert->type) { 1502 case SSH2_CERT_TYPE_USER: 1503 return "user"; 1504 case SSH2_CERT_TYPE_HOST: 1505 return "host"; 1506 default: 1507 return "unknown"; 1508 } 1509 } 1510 1511 #ifdef WITH_OPENSSL 1512 static int 1513 rsa_generate_private_key(u_int bits, RSA **rsap) 1514 { 1515 RSA *private = NULL; 1516 BIGNUM *f4 = NULL; 1517 int ret = SSH_ERR_INTERNAL_ERROR; 1518 1519 if (rsap == NULL || 1520 bits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1521 bits > SSHBUF_MAX_BIGNUM * 8) 1522 return SSH_ERR_INVALID_ARGUMENT; 1523 *rsap = NULL; 1524 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { 1525 ret = SSH_ERR_ALLOC_FAIL; 1526 goto out; 1527 } 1528 if (!BN_set_word(f4, RSA_F4) || 1529 !RSA_generate_key_ex(private, bits, f4, NULL)) { 1530 ret = SSH_ERR_LIBCRYPTO_ERROR; 1531 goto out; 1532 } 1533 *rsap = private; 1534 private = NULL; 1535 ret = 0; 1536 out: 1537 if (private != NULL) 1538 RSA_free(private); 1539 if (f4 != NULL) 1540 BN_free(f4); 1541 return ret; 1542 } 1543 1544 static int 1545 dsa_generate_private_key(u_int bits, DSA **dsap) 1546 { 1547 DSA *private; 1548 int ret = SSH_ERR_INTERNAL_ERROR; 1549 1550 if (dsap == NULL || bits != 1024) 1551 return SSH_ERR_INVALID_ARGUMENT; 1552 if ((private = DSA_new()) == NULL) { 1553 ret = SSH_ERR_ALLOC_FAIL; 1554 goto out; 1555 } 1556 *dsap = NULL; 1557 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1558 NULL, NULL) || !DSA_generate_key(private)) { 1559 DSA_free(private); 1560 ret = SSH_ERR_LIBCRYPTO_ERROR; 1561 goto out; 1562 } 1563 *dsap = private; 1564 private = NULL; 1565 ret = 0; 1566 out: 1567 if (private != NULL) 1568 DSA_free(private); 1569 return ret; 1570 } 1571 1572 # ifdef OPENSSL_HAS_ECC 1573 int 1574 sshkey_ecdsa_key_to_nid(EC_KEY *k) 1575 { 1576 EC_GROUP *eg; 1577 int nids[] = { 1578 NID_X9_62_prime256v1, 1579 NID_secp384r1, 1580 # ifdef OPENSSL_HAS_NISTP521 1581 NID_secp521r1, 1582 # endif /* OPENSSL_HAS_NISTP521 */ 1583 -1 1584 }; 1585 int nid; 1586 u_int i; 1587 BN_CTX *bnctx; 1588 const EC_GROUP *g = EC_KEY_get0_group(k); 1589 1590 /* 1591 * The group may be stored in a ASN.1 encoded private key in one of two 1592 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1593 * or explicit group parameters encoded into the key blob. Only the 1594 * "named group" case sets the group NID for us, but we can figure 1595 * it out for the other case by comparing against all the groups that 1596 * are supported. 1597 */ 1598 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1599 return nid; 1600 if ((bnctx = BN_CTX_new()) == NULL) 1601 return -1; 1602 for (i = 0; nids[i] != -1; i++) { 1603 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { 1604 BN_CTX_free(bnctx); 1605 return -1; 1606 } 1607 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1608 break; 1609 EC_GROUP_free(eg); 1610 } 1611 BN_CTX_free(bnctx); 1612 if (nids[i] != -1) { 1613 /* Use the group with the NID attached */ 1614 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1615 if (EC_KEY_set_group(k, eg) != 1) { 1616 EC_GROUP_free(eg); 1617 return -1; 1618 } 1619 } 1620 return nids[i]; 1621 } 1622 1623 static int 1624 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) 1625 { 1626 EC_KEY *private; 1627 int ret = SSH_ERR_INTERNAL_ERROR; 1628 1629 if (nid == NULL || ecdsap == NULL || 1630 (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) 1631 return SSH_ERR_INVALID_ARGUMENT; 1632 *ecdsap = NULL; 1633 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { 1634 ret = SSH_ERR_ALLOC_FAIL; 1635 goto out; 1636 } 1637 if (EC_KEY_generate_key(private) != 1) { 1638 ret = SSH_ERR_LIBCRYPTO_ERROR; 1639 goto out; 1640 } 1641 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1642 *ecdsap = private; 1643 private = NULL; 1644 ret = 0; 1645 out: 1646 if (private != NULL) 1647 EC_KEY_free(private); 1648 return ret; 1649 } 1650 # endif /* OPENSSL_HAS_ECC */ 1651 #endif /* WITH_OPENSSL */ 1652 1653 int 1654 sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1655 { 1656 struct sshkey *k; 1657 int ret = SSH_ERR_INTERNAL_ERROR; 1658 1659 if (keyp == NULL) 1660 return SSH_ERR_INVALID_ARGUMENT; 1661 *keyp = NULL; 1662 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1663 return SSH_ERR_ALLOC_FAIL; 1664 switch (type) { 1665 case KEY_ED25519: 1666 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || 1667 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { 1668 ret = SSH_ERR_ALLOC_FAIL; 1669 break; 1670 } 1671 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1672 ret = 0; 1673 break; 1674 #ifdef WITH_OPENSSL 1675 case KEY_DSA: 1676 ret = dsa_generate_private_key(bits, &k->dsa); 1677 break; 1678 # ifdef OPENSSL_HAS_ECC 1679 case KEY_ECDSA: 1680 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, 1681 &k->ecdsa); 1682 break; 1683 # endif /* OPENSSL_HAS_ECC */ 1684 case KEY_RSA: 1685 case KEY_RSA1: 1686 ret = rsa_generate_private_key(bits, &k->rsa); 1687 break; 1688 #endif /* WITH_OPENSSL */ 1689 default: 1690 ret = SSH_ERR_INVALID_ARGUMENT; 1691 } 1692 if (ret == 0) { 1693 k->type = type; 1694 *keyp = k; 1695 } else 1696 sshkey_free(k); 1697 return ret; 1698 } 1699 1700 int 1701 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1702 { 1703 u_int i; 1704 const struct sshkey_cert *from; 1705 struct sshkey_cert *to; 1706 int ret = SSH_ERR_INTERNAL_ERROR; 1707 1708 if (to_key->cert != NULL) { 1709 cert_free(to_key->cert); 1710 to_key->cert = NULL; 1711 } 1712 1713 if ((from = from_key->cert) == NULL) 1714 return SSH_ERR_INVALID_ARGUMENT; 1715 1716 if ((to = to_key->cert = cert_new()) == NULL) 1717 return SSH_ERR_ALLOC_FAIL; 1718 1719 if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1720 (ret = sshbuf_putb(to->critical, from->critical)) != 0 || 1721 (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) 1722 return ret; 1723 1724 to->serial = from->serial; 1725 to->type = from->type; 1726 if (from->key_id == NULL) 1727 to->key_id = NULL; 1728 else if ((to->key_id = strdup(from->key_id)) == NULL) 1729 return SSH_ERR_ALLOC_FAIL; 1730 to->valid_after = from->valid_after; 1731 to->valid_before = from->valid_before; 1732 if (from->signature_key == NULL) 1733 to->signature_key = NULL; 1734 else if ((ret = sshkey_from_private(from->signature_key, 1735 &to->signature_key)) != 0) 1736 return ret; 1737 1738 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) 1739 return SSH_ERR_INVALID_ARGUMENT; 1740 if (from->nprincipals > 0) { 1741 if ((to->principals = calloc(from->nprincipals, 1742 sizeof(*to->principals))) == NULL) 1743 return SSH_ERR_ALLOC_FAIL; 1744 for (i = 0; i < from->nprincipals; i++) { 1745 to->principals[i] = strdup(from->principals[i]); 1746 if (to->principals[i] == NULL) { 1747 to->nprincipals = i; 1748 return SSH_ERR_ALLOC_FAIL; 1749 } 1750 } 1751 } 1752 to->nprincipals = from->nprincipals; 1753 return 0; 1754 } 1755 1756 int 1757 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1758 { 1759 struct sshkey *n = NULL; 1760 int ret = SSH_ERR_INTERNAL_ERROR; 1761 1762 if (pkp != NULL) 1763 *pkp = NULL; 1764 1765 switch (k->type) { 1766 #ifdef WITH_OPENSSL 1767 case KEY_DSA: 1768 case KEY_DSA_CERT: 1769 if ((n = sshkey_new(k->type)) == NULL) 1770 return SSH_ERR_ALLOC_FAIL; 1771 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1772 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1773 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1774 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { 1775 sshkey_free(n); 1776 return SSH_ERR_ALLOC_FAIL; 1777 } 1778 break; 1779 # ifdef OPENSSL_HAS_ECC 1780 case KEY_ECDSA: 1781 case KEY_ECDSA_CERT: 1782 if ((n = sshkey_new(k->type)) == NULL) 1783 return SSH_ERR_ALLOC_FAIL; 1784 n->ecdsa_nid = k->ecdsa_nid; 1785 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 1786 if (n->ecdsa == NULL) { 1787 sshkey_free(n); 1788 return SSH_ERR_ALLOC_FAIL; 1789 } 1790 if (EC_KEY_set_public_key(n->ecdsa, 1791 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 1792 sshkey_free(n); 1793 return SSH_ERR_LIBCRYPTO_ERROR; 1794 } 1795 break; 1796 # endif /* OPENSSL_HAS_ECC */ 1797 case KEY_RSA: 1798 case KEY_RSA1: 1799 case KEY_RSA_CERT: 1800 if ((n = sshkey_new(k->type)) == NULL) 1801 return SSH_ERR_ALLOC_FAIL; 1802 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1803 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { 1804 sshkey_free(n); 1805 return SSH_ERR_ALLOC_FAIL; 1806 } 1807 break; 1808 #endif /* WITH_OPENSSL */ 1809 case KEY_ED25519: 1810 case KEY_ED25519_CERT: 1811 if ((n = sshkey_new(k->type)) == NULL) 1812 return SSH_ERR_ALLOC_FAIL; 1813 if (k->ed25519_pk != NULL) { 1814 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 1815 sshkey_free(n); 1816 return SSH_ERR_ALLOC_FAIL; 1817 } 1818 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1819 } 1820 break; 1821 default: 1822 return SSH_ERR_KEY_TYPE_UNKNOWN; 1823 } 1824 if (sshkey_is_cert(k)) { 1825 if ((ret = sshkey_cert_copy(k, n)) != 0) { 1826 sshkey_free(n); 1827 return ret; 1828 } 1829 } 1830 *pkp = n; 1831 return 0; 1832 } 1833 1834 static int 1835 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1836 { 1837 struct sshbuf *principals = NULL, *crit = NULL; 1838 struct sshbuf *exts = NULL, *ca = NULL; 1839 u_char *sig = NULL; 1840 size_t signed_len = 0, slen = 0, kidlen = 0; 1841 int ret = SSH_ERR_INTERNAL_ERROR; 1842 1843 /* Copy the entire key blob for verification and later serialisation */ 1844 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1845 return ret; 1846 1847 /* Parse body of certificate up to signature */ 1848 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1849 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1850 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1851 (ret = sshbuf_froms(b, &principals)) != 0 || 1852 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1853 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1854 (ret = sshbuf_froms(b, &crit)) != 0 || 1855 (ret = sshbuf_froms(b, &exts)) != 0 || 1856 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1857 (ret = sshbuf_froms(b, &ca)) != 0) { 1858 /* XXX debug print error for ret */ 1859 ret = SSH_ERR_INVALID_FORMAT; 1860 goto out; 1861 } 1862 1863 /* Signature is left in the buffer so we can calculate this length */ 1864 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1865 1866 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1867 ret = SSH_ERR_INVALID_FORMAT; 1868 goto out; 1869 } 1870 1871 if (key->cert->type != SSH2_CERT_TYPE_USER && 1872 key->cert->type != SSH2_CERT_TYPE_HOST) { 1873 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1874 goto out; 1875 } 1876 1877 /* Parse principals section */ 1878 while (sshbuf_len(principals) > 0) { 1879 char *principal = NULL; 1880 char **oprincipals = NULL; 1881 1882 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1883 ret = SSH_ERR_INVALID_FORMAT; 1884 goto out; 1885 } 1886 if ((ret = sshbuf_get_cstring(principals, &principal, 1887 NULL)) != 0) { 1888 ret = SSH_ERR_INVALID_FORMAT; 1889 goto out; 1890 } 1891 oprincipals = key->cert->principals; 1892 key->cert->principals = reallocarray(key->cert->principals, 1893 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1894 if (key->cert->principals == NULL) { 1895 free(principal); 1896 key->cert->principals = oprincipals; 1897 ret = SSH_ERR_ALLOC_FAIL; 1898 goto out; 1899 } 1900 key->cert->principals[key->cert->nprincipals++] = principal; 1901 } 1902 1903 /* 1904 * Stash a copies of the critical options and extensions sections 1905 * for later use. 1906 */ 1907 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1908 (exts != NULL && 1909 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1910 goto out; 1911 1912 /* 1913 * Validate critical options and extensions sections format. 1914 */ 1915 while (sshbuf_len(crit) != 0) { 1916 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1917 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1918 sshbuf_reset(key->cert->critical); 1919 ret = SSH_ERR_INVALID_FORMAT; 1920 goto out; 1921 } 1922 } 1923 while (exts != NULL && sshbuf_len(exts) != 0) { 1924 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1925 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1926 sshbuf_reset(key->cert->extensions); 1927 ret = SSH_ERR_INVALID_FORMAT; 1928 goto out; 1929 } 1930 } 1931 1932 /* Parse CA key and check signature */ 1933 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1934 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1935 goto out; 1936 } 1937 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1938 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1939 goto out; 1940 } 1941 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1942 sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) 1943 goto out; 1944 1945 /* Success */ 1946 ret = 0; 1947 out: 1948 sshbuf_free(ca); 1949 sshbuf_free(crit); 1950 sshbuf_free(exts); 1951 sshbuf_free(principals); 1952 free(sig); 1953 return ret; 1954 } 1955 1956 static int 1957 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1958 int allow_cert) 1959 { 1960 int type, ret = SSH_ERR_INTERNAL_ERROR; 1961 char *ktype = NULL, *curve = NULL; 1962 struct sshkey *key = NULL; 1963 size_t len; 1964 u_char *pk = NULL; 1965 struct sshbuf *copy; 1966 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 1967 EC_POINT *q = NULL; 1968 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 1969 1970 #ifdef DEBUG_PK /* XXX */ 1971 sshbuf_dump(b, stderr); 1972 #endif 1973 *keyp = NULL; 1974 if ((copy = sshbuf_fromb(b)) == NULL) { 1975 ret = SSH_ERR_ALLOC_FAIL; 1976 goto out; 1977 } 1978 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1979 ret = SSH_ERR_INVALID_FORMAT; 1980 goto out; 1981 } 1982 1983 type = sshkey_type_from_name(ktype); 1984 if (!allow_cert && sshkey_type_is_cert(type)) { 1985 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1986 goto out; 1987 } 1988 switch (type) { 1989 #ifdef WITH_OPENSSL 1990 case KEY_RSA_CERT: 1991 /* Skip nonce */ 1992 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1993 ret = SSH_ERR_INVALID_FORMAT; 1994 goto out; 1995 } 1996 /* FALLTHROUGH */ 1997 case KEY_RSA: 1998 if ((key = sshkey_new(type)) == NULL) { 1999 ret = SSH_ERR_ALLOC_FAIL; 2000 goto out; 2001 } 2002 if (sshbuf_get_bignum2(b, key->rsa->e) != 0 || 2003 sshbuf_get_bignum2(b, key->rsa->n) != 0) { 2004 ret = SSH_ERR_INVALID_FORMAT; 2005 goto out; 2006 } 2007 #ifdef DEBUG_PK 2008 RSA_print_fp(stderr, key->rsa, 8); 2009 #endif 2010 break; 2011 case KEY_DSA_CERT: 2012 /* Skip nonce */ 2013 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2014 ret = SSH_ERR_INVALID_FORMAT; 2015 goto out; 2016 } 2017 /* FALLTHROUGH */ 2018 case KEY_DSA: 2019 if ((key = sshkey_new(type)) == NULL) { 2020 ret = SSH_ERR_ALLOC_FAIL; 2021 goto out; 2022 } 2023 if (sshbuf_get_bignum2(b, key->dsa->p) != 0 || 2024 sshbuf_get_bignum2(b, key->dsa->q) != 0 || 2025 sshbuf_get_bignum2(b, key->dsa->g) != 0 || 2026 sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) { 2027 ret = SSH_ERR_INVALID_FORMAT; 2028 goto out; 2029 } 2030 #ifdef DEBUG_PK 2031 DSA_print_fp(stderr, key->dsa, 8); 2032 #endif 2033 break; 2034 case KEY_ECDSA_CERT: 2035 /* Skip nonce */ 2036 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2037 ret = SSH_ERR_INVALID_FORMAT; 2038 goto out; 2039 } 2040 /* FALLTHROUGH */ 2041 # ifdef OPENSSL_HAS_ECC 2042 case KEY_ECDSA: 2043 if ((key = sshkey_new(type)) == NULL) { 2044 ret = SSH_ERR_ALLOC_FAIL; 2045 goto out; 2046 } 2047 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); 2048 if (sshbuf_get_cstring(b, &curve, NULL) != 0) { 2049 ret = SSH_ERR_INVALID_FORMAT; 2050 goto out; 2051 } 2052 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2053 ret = SSH_ERR_EC_CURVE_MISMATCH; 2054 goto out; 2055 } 2056 if (key->ecdsa != NULL) 2057 EC_KEY_free(key->ecdsa); 2058 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 2059 == NULL) { 2060 ret = SSH_ERR_EC_CURVE_INVALID; 2061 goto out; 2062 } 2063 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { 2064 ret = SSH_ERR_ALLOC_FAIL; 2065 goto out; 2066 } 2067 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { 2068 ret = SSH_ERR_INVALID_FORMAT; 2069 goto out; 2070 } 2071 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 2072 q) != 0) { 2073 ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2074 goto out; 2075 } 2076 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { 2077 /* XXX assume it is a allocation error */ 2078 ret = SSH_ERR_ALLOC_FAIL; 2079 goto out; 2080 } 2081 #ifdef DEBUG_PK 2082 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 2083 #endif 2084 break; 2085 # endif /* OPENSSL_HAS_ECC */ 2086 #endif /* WITH_OPENSSL */ 2087 case KEY_ED25519_CERT: 2088 /* Skip nonce */ 2089 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 2090 ret = SSH_ERR_INVALID_FORMAT; 2091 goto out; 2092 } 2093 /* FALLTHROUGH */ 2094 case KEY_ED25519: 2095 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) 2096 goto out; 2097 if (len != ED25519_PK_SZ) { 2098 ret = SSH_ERR_INVALID_FORMAT; 2099 goto out; 2100 } 2101 if ((key = sshkey_new(type)) == NULL) { 2102 ret = SSH_ERR_ALLOC_FAIL; 2103 goto out; 2104 } 2105 key->ed25519_pk = pk; 2106 pk = NULL; 2107 break; 2108 case KEY_UNSPEC: 2109 if ((key = sshkey_new(type)) == NULL) { 2110 ret = SSH_ERR_ALLOC_FAIL; 2111 goto out; 2112 } 2113 break; 2114 default: 2115 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2116 goto out; 2117 } 2118 2119 /* Parse certificate potion */ 2120 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 2121 goto out; 2122 2123 if (key != NULL && sshbuf_len(b) != 0) { 2124 ret = SSH_ERR_INVALID_FORMAT; 2125 goto out; 2126 } 2127 ret = 0; 2128 *keyp = key; 2129 key = NULL; 2130 out: 2131 sshbuf_free(copy); 2132 sshkey_free(key); 2133 free(ktype); 2134 free(curve); 2135 free(pk); 2136 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 2137 if (q != NULL) 2138 EC_POINT_free(q); 2139 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 2140 return ret; 2141 } 2142 2143 int 2144 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2145 { 2146 struct sshbuf *b; 2147 int r; 2148 2149 if ((b = sshbuf_from(blob, blen)) == NULL) 2150 return SSH_ERR_ALLOC_FAIL; 2151 r = sshkey_from_blob_internal(b, keyp, 1); 2152 sshbuf_free(b); 2153 return r; 2154 } 2155 2156 int 2157 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2158 { 2159 return sshkey_from_blob_internal(b, keyp, 1); 2160 } 2161 2162 int 2163 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2164 { 2165 struct sshbuf *b; 2166 int r; 2167 2168 if ((r = sshbuf_froms(buf, &b)) != 0) 2169 return r; 2170 r = sshkey_from_blob_internal(b, keyp, 1); 2171 sshbuf_free(b); 2172 return r; 2173 } 2174 2175 int 2176 sshkey_sign(const struct sshkey *key, 2177 u_char **sigp, size_t *lenp, 2178 const u_char *data, size_t datalen, u_int compat) 2179 { 2180 if (sigp != NULL) 2181 *sigp = NULL; 2182 if (lenp != NULL) 2183 *lenp = 0; 2184 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2185 return SSH_ERR_INVALID_ARGUMENT; 2186 switch (key->type) { 2187 #ifdef WITH_OPENSSL 2188 case KEY_DSA_CERT: 2189 case KEY_DSA: 2190 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); 2191 # ifdef OPENSSL_HAS_ECC 2192 case KEY_ECDSA_CERT: 2193 case KEY_ECDSA: 2194 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); 2195 # endif /* OPENSSL_HAS_ECC */ 2196 case KEY_RSA_CERT: 2197 case KEY_RSA: 2198 return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); 2199 #endif /* WITH_OPENSSL */ 2200 case KEY_ED25519: 2201 case KEY_ED25519_CERT: 2202 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); 2203 default: 2204 return SSH_ERR_KEY_TYPE_UNKNOWN; 2205 } 2206 } 2207 2208 /* 2209 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2210 */ 2211 int 2212 sshkey_verify(const struct sshkey *key, 2213 const u_char *sig, size_t siglen, 2214 const u_char *data, size_t dlen, u_int compat) 2215 { 2216 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2217 return SSH_ERR_INVALID_ARGUMENT; 2218 switch (key->type) { 2219 #ifdef WITH_OPENSSL 2220 case KEY_DSA_CERT: 2221 case KEY_DSA: 2222 return ssh_dss_verify(key, sig, siglen, data, dlen, compat); 2223 # ifdef OPENSSL_HAS_ECC 2224 case KEY_ECDSA_CERT: 2225 case KEY_ECDSA: 2226 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); 2227 # endif /* OPENSSL_HAS_ECC */ 2228 case KEY_RSA_CERT: 2229 case KEY_RSA: 2230 return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); 2231 #endif /* WITH_OPENSSL */ 2232 case KEY_ED25519: 2233 case KEY_ED25519_CERT: 2234 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); 2235 default: 2236 return SSH_ERR_KEY_TYPE_UNKNOWN; 2237 } 2238 } 2239 2240 /* Converts a private to a public key */ 2241 int 2242 sshkey_demote(const struct sshkey *k, struct sshkey **dkp) 2243 { 2244 struct sshkey *pk; 2245 int ret = SSH_ERR_INTERNAL_ERROR; 2246 2247 if (dkp != NULL) 2248 *dkp = NULL; 2249 2250 if ((pk = calloc(1, sizeof(*pk))) == NULL) 2251 return SSH_ERR_ALLOC_FAIL; 2252 pk->type = k->type; 2253 pk->flags = k->flags; 2254 pk->ecdsa_nid = k->ecdsa_nid; 2255 pk->dsa = NULL; 2256 pk->ecdsa = NULL; 2257 pk->rsa = NULL; 2258 pk->ed25519_pk = NULL; 2259 pk->ed25519_sk = NULL; 2260 2261 switch (k->type) { 2262 #ifdef WITH_OPENSSL 2263 case KEY_RSA_CERT: 2264 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2265 goto fail; 2266 /* FALLTHROUGH */ 2267 case KEY_RSA1: 2268 case KEY_RSA: 2269 if ((pk->rsa = RSA_new()) == NULL || 2270 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2271 (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { 2272 ret = SSH_ERR_ALLOC_FAIL; 2273 goto fail; 2274 } 2275 break; 2276 case KEY_DSA_CERT: 2277 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2278 goto fail; 2279 /* FALLTHROUGH */ 2280 case KEY_DSA: 2281 if ((pk->dsa = DSA_new()) == NULL || 2282 (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || 2283 (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || 2284 (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || 2285 (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { 2286 ret = SSH_ERR_ALLOC_FAIL; 2287 goto fail; 2288 } 2289 break; 2290 case KEY_ECDSA_CERT: 2291 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2292 goto fail; 2293 /* FALLTHROUGH */ 2294 # ifdef OPENSSL_HAS_ECC 2295 case KEY_ECDSA: 2296 pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); 2297 if (pk->ecdsa == NULL) { 2298 ret = SSH_ERR_ALLOC_FAIL; 2299 goto fail; 2300 } 2301 if (EC_KEY_set_public_key(pk->ecdsa, 2302 EC_KEY_get0_public_key(k->ecdsa)) != 1) { 2303 ret = SSH_ERR_LIBCRYPTO_ERROR; 2304 goto fail; 2305 } 2306 break; 2307 # endif /* OPENSSL_HAS_ECC */ 2308 #endif /* WITH_OPENSSL */ 2309 case KEY_ED25519_CERT: 2310 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2311 goto fail; 2312 /* FALLTHROUGH */ 2313 case KEY_ED25519: 2314 if (k->ed25519_pk != NULL) { 2315 if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { 2316 ret = SSH_ERR_ALLOC_FAIL; 2317 goto fail; 2318 } 2319 memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 2320 } 2321 break; 2322 default: 2323 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 2324 fail: 2325 sshkey_free(pk); 2326 return ret; 2327 } 2328 *dkp = pk; 2329 return 0; 2330 } 2331 2332 /* Convert a plain key to their _CERT equivalent */ 2333 int 2334 sshkey_to_certified(struct sshkey *k) 2335 { 2336 int newtype; 2337 2338 switch (k->type) { 2339 #ifdef WITH_OPENSSL 2340 case KEY_RSA: 2341 newtype = KEY_RSA_CERT; 2342 break; 2343 case KEY_DSA: 2344 newtype = KEY_DSA_CERT; 2345 break; 2346 case KEY_ECDSA: 2347 newtype = KEY_ECDSA_CERT; 2348 break; 2349 #endif /* WITH_OPENSSL */ 2350 case KEY_ED25519: 2351 newtype = KEY_ED25519_CERT; 2352 break; 2353 default: 2354 return SSH_ERR_INVALID_ARGUMENT; 2355 } 2356 if ((k->cert = cert_new()) == NULL) 2357 return SSH_ERR_ALLOC_FAIL; 2358 k->type = newtype; 2359 return 0; 2360 } 2361 2362 /* Convert a certificate to its raw key equivalent */ 2363 int 2364 sshkey_drop_cert(struct sshkey *k) 2365 { 2366 if (!sshkey_type_is_cert(k->type)) 2367 return SSH_ERR_KEY_TYPE_UNKNOWN; 2368 cert_free(k->cert); 2369 k->cert = NULL; 2370 k->type = sshkey_type_plain(k->type); 2371 return 0; 2372 } 2373 2374 /* Sign a certified key, (re-)generating the signed certblob. */ 2375 int 2376 sshkey_certify(struct sshkey *k, struct sshkey *ca) 2377 { 2378 struct sshbuf *principals = NULL; 2379 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2380 size_t i, ca_len, sig_len; 2381 int ret = SSH_ERR_INTERNAL_ERROR; 2382 struct sshbuf *cert; 2383 2384 if (k == NULL || k->cert == NULL || 2385 k->cert->certblob == NULL || ca == NULL) 2386 return SSH_ERR_INVALID_ARGUMENT; 2387 if (!sshkey_is_cert(k)) 2388 return SSH_ERR_KEY_TYPE_UNKNOWN; 2389 if (!sshkey_type_is_valid_ca(ca->type)) 2390 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2391 2392 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2393 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2394 2395 cert = k->cert->certblob; /* for readability */ 2396 sshbuf_reset(cert); 2397 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2398 goto out; 2399 2400 /* -v01 certs put nonce first */ 2401 arc4random_buf(&nonce, sizeof(nonce)); 2402 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2403 goto out; 2404 2405 /* XXX this substantially duplicates to_blob(); refactor */ 2406 switch (k->type) { 2407 #ifdef WITH_OPENSSL 2408 case KEY_DSA_CERT: 2409 if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || 2410 (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || 2411 (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || 2412 (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) 2413 goto out; 2414 break; 2415 # ifdef OPENSSL_HAS_ECC 2416 case KEY_ECDSA_CERT: 2417 if ((ret = sshbuf_put_cstring(cert, 2418 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || 2419 (ret = sshbuf_put_ec(cert, 2420 EC_KEY_get0_public_key(k->ecdsa), 2421 EC_KEY_get0_group(k->ecdsa))) != 0) 2422 goto out; 2423 break; 2424 # endif /* OPENSSL_HAS_ECC */ 2425 case KEY_RSA_CERT: 2426 if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || 2427 (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) 2428 goto out; 2429 break; 2430 #endif /* WITH_OPENSSL */ 2431 case KEY_ED25519_CERT: 2432 if ((ret = sshbuf_put_string(cert, 2433 k->ed25519_pk, ED25519_PK_SZ)) != 0) 2434 goto out; 2435 break; 2436 default: 2437 ret = SSH_ERR_INVALID_ARGUMENT; 2438 goto out; 2439 } 2440 2441 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2442 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2443 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2444 goto out; 2445 2446 if ((principals = sshbuf_new()) == NULL) { 2447 ret = SSH_ERR_ALLOC_FAIL; 2448 goto out; 2449 } 2450 for (i = 0; i < k->cert->nprincipals; i++) { 2451 if ((ret = sshbuf_put_cstring(principals, 2452 k->cert->principals[i])) != 0) 2453 goto out; 2454 } 2455 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2456 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2457 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2458 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2459 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2460 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2461 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2462 goto out; 2463 2464 /* Sign the whole mess */ 2465 if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2466 sshbuf_len(cert), 0)) != 0) 2467 goto out; 2468 2469 /* Append signature and we are done */ 2470 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2471 goto out; 2472 ret = 0; 2473 out: 2474 if (ret != 0) 2475 sshbuf_reset(cert); 2476 if (sig_blob != NULL) 2477 free(sig_blob); 2478 if (ca_blob != NULL) 2479 free(ca_blob); 2480 if (principals != NULL) 2481 sshbuf_free(principals); 2482 return ret; 2483 } 2484 2485 int 2486 sshkey_cert_check_authority(const struct sshkey *k, 2487 int want_host, int require_principal, 2488 const char *name, const char **reason) 2489 { 2490 u_int i, principal_matches; 2491 time_t now = time(NULL); 2492 2493 if (reason != NULL) 2494 *reason = NULL; 2495 2496 if (want_host) { 2497 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2498 *reason = "Certificate invalid: not a host certificate"; 2499 return SSH_ERR_KEY_CERT_INVALID; 2500 } 2501 } else { 2502 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2503 *reason = "Certificate invalid: not a user certificate"; 2504 return SSH_ERR_KEY_CERT_INVALID; 2505 } 2506 } 2507 if (now < 0) { 2508 /* yikes - system clock before epoch! */ 2509 *reason = "Certificate invalid: not yet valid"; 2510 return SSH_ERR_KEY_CERT_INVALID; 2511 } 2512 if ((u_int64_t)now < k->cert->valid_after) { 2513 *reason = "Certificate invalid: not yet valid"; 2514 return SSH_ERR_KEY_CERT_INVALID; 2515 } 2516 if ((u_int64_t)now >= k->cert->valid_before) { 2517 *reason = "Certificate invalid: expired"; 2518 return SSH_ERR_KEY_CERT_INVALID; 2519 } 2520 if (k->cert->nprincipals == 0) { 2521 if (require_principal) { 2522 *reason = "Certificate lacks principal list"; 2523 return SSH_ERR_KEY_CERT_INVALID; 2524 } 2525 } else if (name != NULL) { 2526 principal_matches = 0; 2527 for (i = 0; i < k->cert->nprincipals; i++) { 2528 if (strcmp(name, k->cert->principals[i]) == 0) { 2529 principal_matches = 1; 2530 break; 2531 } 2532 } 2533 if (!principal_matches) { 2534 *reason = "Certificate invalid: name is not a listed " 2535 "principal"; 2536 return SSH_ERR_KEY_CERT_INVALID; 2537 } 2538 } 2539 return 0; 2540 } 2541 2542 int 2543 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) 2544 { 2545 int r = SSH_ERR_INTERNAL_ERROR; 2546 2547 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2548 goto out; 2549 switch (key->type) { 2550 #ifdef WITH_OPENSSL 2551 case KEY_RSA: 2552 if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || 2553 (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || 2554 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2555 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2556 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2557 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2558 goto out; 2559 break; 2560 case KEY_RSA_CERT: 2561 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2562 r = SSH_ERR_INVALID_ARGUMENT; 2563 goto out; 2564 } 2565 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2566 (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || 2567 (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || 2568 (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || 2569 (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) 2570 goto out; 2571 break; 2572 case KEY_DSA: 2573 if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || 2574 (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || 2575 (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || 2576 (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || 2577 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2578 goto out; 2579 break; 2580 case KEY_DSA_CERT: 2581 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2582 r = SSH_ERR_INVALID_ARGUMENT; 2583 goto out; 2584 } 2585 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2586 (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) 2587 goto out; 2588 break; 2589 # ifdef OPENSSL_HAS_ECC 2590 case KEY_ECDSA: 2591 if ((r = sshbuf_put_cstring(b, 2592 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || 2593 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || 2594 (r = sshbuf_put_bignum2(b, 2595 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2596 goto out; 2597 break; 2598 case KEY_ECDSA_CERT: 2599 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2600 r = SSH_ERR_INVALID_ARGUMENT; 2601 goto out; 2602 } 2603 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2604 (r = sshbuf_put_bignum2(b, 2605 EC_KEY_get0_private_key(key->ecdsa))) != 0) 2606 goto out; 2607 break; 2608 # endif /* OPENSSL_HAS_ECC */ 2609 #endif /* WITH_OPENSSL */ 2610 case KEY_ED25519: 2611 if ((r = sshbuf_put_string(b, key->ed25519_pk, 2612 ED25519_PK_SZ)) != 0 || 2613 (r = sshbuf_put_string(b, key->ed25519_sk, 2614 ED25519_SK_SZ)) != 0) 2615 goto out; 2616 break; 2617 case KEY_ED25519_CERT: 2618 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { 2619 r = SSH_ERR_INVALID_ARGUMENT; 2620 goto out; 2621 } 2622 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || 2623 (r = sshbuf_put_string(b, key->ed25519_pk, 2624 ED25519_PK_SZ)) != 0 || 2625 (r = sshbuf_put_string(b, key->ed25519_sk, 2626 ED25519_SK_SZ)) != 0) 2627 goto out; 2628 break; 2629 default: 2630 r = SSH_ERR_INVALID_ARGUMENT; 2631 goto out; 2632 } 2633 /* success */ 2634 r = 0; 2635 out: 2636 return r; 2637 } 2638 2639 int 2640 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2641 { 2642 char *tname = NULL, *curve = NULL; 2643 struct sshkey *k = NULL; 2644 size_t pklen = 0, sklen = 0; 2645 int type, r = SSH_ERR_INTERNAL_ERROR; 2646 u_char *ed25519_pk = NULL, *ed25519_sk = NULL; 2647 #ifdef WITH_OPENSSL 2648 BIGNUM *exponent = NULL; 2649 #endif /* WITH_OPENSSL */ 2650 2651 if (kp != NULL) 2652 *kp = NULL; 2653 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2654 goto out; 2655 type = sshkey_type_from_name(tname); 2656 switch (type) { 2657 #ifdef WITH_OPENSSL 2658 case KEY_DSA: 2659 if ((k = sshkey_new_private(type)) == NULL) { 2660 r = SSH_ERR_ALLOC_FAIL; 2661 goto out; 2662 } 2663 if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || 2664 (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || 2665 (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || 2666 (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || 2667 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2668 goto out; 2669 break; 2670 case KEY_DSA_CERT: 2671 if ((r = sshkey_froms(buf, &k)) != 0 || 2672 (r = sshkey_add_private(k)) != 0 || 2673 (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) 2674 goto out; 2675 break; 2676 # ifdef OPENSSL_HAS_ECC 2677 case KEY_ECDSA: 2678 if ((k = sshkey_new_private(type)) == NULL) { 2679 r = SSH_ERR_ALLOC_FAIL; 2680 goto out; 2681 } 2682 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { 2683 r = SSH_ERR_INVALID_ARGUMENT; 2684 goto out; 2685 } 2686 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) 2687 goto out; 2688 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { 2689 r = SSH_ERR_EC_CURVE_MISMATCH; 2690 goto out; 2691 } 2692 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2693 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { 2694 r = SSH_ERR_LIBCRYPTO_ERROR; 2695 goto out; 2696 } 2697 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || 2698 (r = sshbuf_get_bignum2(buf, exponent))) 2699 goto out; 2700 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2701 r = SSH_ERR_LIBCRYPTO_ERROR; 2702 goto out; 2703 } 2704 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2705 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2706 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2707 goto out; 2708 break; 2709 case KEY_ECDSA_CERT: 2710 if ((exponent = BN_new()) == NULL) { 2711 r = SSH_ERR_LIBCRYPTO_ERROR; 2712 goto out; 2713 } 2714 if ((r = sshkey_froms(buf, &k)) != 0 || 2715 (r = sshkey_add_private(k)) != 0 || 2716 (r = sshbuf_get_bignum2(buf, exponent)) != 0) 2717 goto out; 2718 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { 2719 r = SSH_ERR_LIBCRYPTO_ERROR; 2720 goto out; 2721 } 2722 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2723 EC_KEY_get0_public_key(k->ecdsa)) != 0) || 2724 (r = sshkey_ec_validate_private(k->ecdsa)) != 0) 2725 goto out; 2726 break; 2727 # endif /* OPENSSL_HAS_ECC */ 2728 case KEY_RSA: 2729 if ((k = sshkey_new_private(type)) == NULL) { 2730 r = SSH_ERR_ALLOC_FAIL; 2731 goto out; 2732 } 2733 if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || 2734 (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || 2735 (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || 2736 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || 2737 (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || 2738 (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || 2739 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2740 goto out; 2741 break; 2742 case KEY_RSA_CERT: 2743 if ((r = sshkey_froms(buf, &k)) != 0 || 2744 (r = sshkey_add_private(k)) != 0 || 2745 (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || 2746 (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || 2747 (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || 2748 (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || 2749 (r = rsa_generate_additional_parameters(k->rsa)) != 0) 2750 goto out; 2751 break; 2752 #endif /* WITH_OPENSSL */ 2753 case KEY_ED25519: 2754 if ((k = sshkey_new_private(type)) == NULL) { 2755 r = SSH_ERR_ALLOC_FAIL; 2756 goto out; 2757 } 2758 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2759 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2760 goto out; 2761 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2762 r = SSH_ERR_INVALID_FORMAT; 2763 goto out; 2764 } 2765 k->ed25519_pk = ed25519_pk; 2766 k->ed25519_sk = ed25519_sk; 2767 ed25519_pk = ed25519_sk = NULL; 2768 break; 2769 case KEY_ED25519_CERT: 2770 if ((r = sshkey_froms(buf, &k)) != 0 || 2771 (r = sshkey_add_private(k)) != 0 || 2772 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || 2773 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) 2774 goto out; 2775 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { 2776 r = SSH_ERR_INVALID_FORMAT; 2777 goto out; 2778 } 2779 k->ed25519_pk = ed25519_pk; 2780 k->ed25519_sk = ed25519_sk; 2781 ed25519_pk = ed25519_sk = NULL; 2782 break; 2783 default: 2784 r = SSH_ERR_KEY_TYPE_UNKNOWN; 2785 goto out; 2786 } 2787 #ifdef WITH_OPENSSL 2788 /* enable blinding */ 2789 switch (k->type) { 2790 case KEY_RSA: 2791 case KEY_RSA_CERT: 2792 case KEY_RSA1: 2793 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2794 r = SSH_ERR_LIBCRYPTO_ERROR; 2795 goto out; 2796 } 2797 break; 2798 } 2799 #endif /* WITH_OPENSSL */ 2800 /* success */ 2801 r = 0; 2802 if (kp != NULL) { 2803 *kp = k; 2804 k = NULL; 2805 } 2806 out: 2807 free(tname); 2808 free(curve); 2809 #ifdef WITH_OPENSSL 2810 if (exponent != NULL) 2811 BN_clear_free(exponent); 2812 #endif /* WITH_OPENSSL */ 2813 sshkey_free(k); 2814 if (ed25519_pk != NULL) { 2815 explicit_bzero(ed25519_pk, pklen); 2816 free(ed25519_pk); 2817 } 2818 if (ed25519_sk != NULL) { 2819 explicit_bzero(ed25519_sk, sklen); 2820 free(ed25519_sk); 2821 } 2822 return r; 2823 } 2824 2825 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) 2826 int 2827 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2828 { 2829 BN_CTX *bnctx; 2830 EC_POINT *nq = NULL; 2831 BIGNUM *order, *x, *y, *tmp; 2832 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2833 2834 if ((bnctx = BN_CTX_new()) == NULL) 2835 return SSH_ERR_ALLOC_FAIL; 2836 BN_CTX_start(bnctx); 2837 2838 /* 2839 * We shouldn't ever hit this case because bignum_get_ecpoint() 2840 * refuses to load GF2m points. 2841 */ 2842 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2843 NID_X9_62_prime_field) 2844 goto out; 2845 2846 /* Q != infinity */ 2847 if (EC_POINT_is_at_infinity(group, public)) 2848 goto out; 2849 2850 if ((x = BN_CTX_get(bnctx)) == NULL || 2851 (y = BN_CTX_get(bnctx)) == NULL || 2852 (order = BN_CTX_get(bnctx)) == NULL || 2853 (tmp = BN_CTX_get(bnctx)) == NULL) { 2854 ret = SSH_ERR_ALLOC_FAIL; 2855 goto out; 2856 } 2857 2858 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2859 if (EC_GROUP_get_order(group, order, bnctx) != 1 || 2860 EC_POINT_get_affine_coordinates_GFp(group, public, 2861 x, y, bnctx) != 1) { 2862 ret = SSH_ERR_LIBCRYPTO_ERROR; 2863 goto out; 2864 } 2865 if (BN_num_bits(x) <= BN_num_bits(order) / 2 || 2866 BN_num_bits(y) <= BN_num_bits(order) / 2) 2867 goto out; 2868 2869 /* nQ == infinity (n == order of subgroup) */ 2870 if ((nq = EC_POINT_new(group)) == NULL) { 2871 ret = SSH_ERR_ALLOC_FAIL; 2872 goto out; 2873 } 2874 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { 2875 ret = SSH_ERR_LIBCRYPTO_ERROR; 2876 goto out; 2877 } 2878 if (EC_POINT_is_at_infinity(group, nq) != 1) 2879 goto out; 2880 2881 /* x < order - 1, y < order - 1 */ 2882 if (!BN_sub(tmp, order, BN_value_one())) { 2883 ret = SSH_ERR_LIBCRYPTO_ERROR; 2884 goto out; 2885 } 2886 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) 2887 goto out; 2888 ret = 0; 2889 out: 2890 BN_CTX_free(bnctx); 2891 if (nq != NULL) 2892 EC_POINT_free(nq); 2893 return ret; 2894 } 2895 2896 int 2897 sshkey_ec_validate_private(const EC_KEY *key) 2898 { 2899 BN_CTX *bnctx; 2900 BIGNUM *order, *tmp; 2901 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2902 2903 if ((bnctx = BN_CTX_new()) == NULL) 2904 return SSH_ERR_ALLOC_FAIL; 2905 BN_CTX_start(bnctx); 2906 2907 if ((order = BN_CTX_get(bnctx)) == NULL || 2908 (tmp = BN_CTX_get(bnctx)) == NULL) { 2909 ret = SSH_ERR_ALLOC_FAIL; 2910 goto out; 2911 } 2912 2913 /* log2(private) > log2(order)/2 */ 2914 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { 2915 ret = SSH_ERR_LIBCRYPTO_ERROR; 2916 goto out; 2917 } 2918 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2919 BN_num_bits(order) / 2) 2920 goto out; 2921 2922 /* private < order - 1 */ 2923 if (!BN_sub(tmp, order, BN_value_one())) { 2924 ret = SSH_ERR_LIBCRYPTO_ERROR; 2925 goto out; 2926 } 2927 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2928 goto out; 2929 ret = 0; 2930 out: 2931 BN_CTX_free(bnctx); 2932 return ret; 2933 } 2934 2935 void 2936 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2937 { 2938 BIGNUM *x, *y; 2939 BN_CTX *bnctx; 2940 2941 if (point == NULL) { 2942 fputs("point=(NULL)\n", stderr); 2943 return; 2944 } 2945 if ((bnctx = BN_CTX_new()) == NULL) { 2946 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); 2947 return; 2948 } 2949 BN_CTX_start(bnctx); 2950 if ((x = BN_CTX_get(bnctx)) == NULL || 2951 (y = BN_CTX_get(bnctx)) == NULL) { 2952 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); 2953 return; 2954 } 2955 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2956 NID_X9_62_prime_field) { 2957 fprintf(stderr, "%s: group is not a prime field\n", __func__); 2958 return; 2959 } 2960 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, 2961 bnctx) != 1) { 2962 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", 2963 __func__); 2964 return; 2965 } 2966 fputs("x=", stderr); 2967 BN_print_fp(stderr, x); 2968 fputs("\ny=", stderr); 2969 BN_print_fp(stderr, y); 2970 fputs("\n", stderr); 2971 BN_CTX_free(bnctx); 2972 } 2973 2974 void 2975 sshkey_dump_ec_key(const EC_KEY *key) 2976 { 2977 const BIGNUM *exponent; 2978 2979 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2980 EC_KEY_get0_public_key(key)); 2981 fputs("exponent=", stderr); 2982 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2983 fputs("(NULL)", stderr); 2984 else 2985 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2986 fputs("\n", stderr); 2987 } 2988 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ 2989 2990 static int 2991 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, 2992 const char *passphrase, const char *comment, const char *ciphername, 2993 int rounds) 2994 { 2995 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2996 u_char salt[SALT_LEN]; 2997 char *b64 = NULL; 2998 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2999 u_int check; 3000 int r = SSH_ERR_INTERNAL_ERROR; 3001 struct sshcipher_ctx ciphercontext; 3002 const struct sshcipher *cipher; 3003 const char *kdfname = KDFNAME; 3004 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 3005 3006 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3007 3008 if (rounds <= 0) 3009 rounds = DEFAULT_ROUNDS; 3010 if (passphrase == NULL || !strlen(passphrase)) { 3011 ciphername = "none"; 3012 kdfname = "none"; 3013 } else if (ciphername == NULL) 3014 ciphername = DEFAULT_CIPHERNAME; 3015 else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { 3016 r = SSH_ERR_INVALID_ARGUMENT; 3017 goto out; 3018 } 3019 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3020 r = SSH_ERR_INTERNAL_ERROR; 3021 goto out; 3022 } 3023 3024 if ((kdf = sshbuf_new()) == NULL || 3025 (encoded = sshbuf_new()) == NULL || 3026 (encrypted = sshbuf_new()) == NULL) { 3027 r = SSH_ERR_ALLOC_FAIL; 3028 goto out; 3029 } 3030 blocksize = cipher_blocksize(cipher); 3031 keylen = cipher_keylen(cipher); 3032 ivlen = cipher_ivlen(cipher); 3033 authlen = cipher_authlen(cipher); 3034 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3035 r = SSH_ERR_ALLOC_FAIL; 3036 goto out; 3037 } 3038 if (strcmp(kdfname, "bcrypt") == 0) { 3039 arc4random_buf(salt, SALT_LEN); 3040 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 3041 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 3042 r = SSH_ERR_INVALID_ARGUMENT; 3043 goto out; 3044 } 3045 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 3046 (r = sshbuf_put_u32(kdf, rounds)) != 0) 3047 goto out; 3048 } else if (strcmp(kdfname, "none") != 0) { 3049 /* Unsupported KDF type */ 3050 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3051 goto out; 3052 } 3053 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 3054 key + keylen, ivlen, 1)) != 0) 3055 goto out; 3056 3057 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 3058 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 3059 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 3060 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 3061 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 3062 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 3063 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 3064 goto out; 3065 3066 /* set up the buffer that will be encrypted */ 3067 3068 /* Random check bytes */ 3069 check = arc4random(); 3070 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 3071 (r = sshbuf_put_u32(encrypted, check)) != 0) 3072 goto out; 3073 3074 /* append private key and comment*/ 3075 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 3076 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 3077 goto out; 3078 3079 /* padding */ 3080 i = 0; 3081 while (sshbuf_len(encrypted) % blocksize) { 3082 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 3083 goto out; 3084 } 3085 3086 /* length in destination buffer */ 3087 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 3088 goto out; 3089 3090 /* encrypt */ 3091 if ((r = sshbuf_reserve(encoded, 3092 sshbuf_len(encrypted) + authlen, &cp)) != 0) 3093 goto out; 3094 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3095 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 3096 goto out; 3097 3098 /* uuencode */ 3099 if ((b64 = sshbuf_dtob64(encoded)) == NULL) { 3100 r = SSH_ERR_ALLOC_FAIL; 3101 goto out; 3102 } 3103 3104 sshbuf_reset(blob); 3105 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) 3106 goto out; 3107 for (i = 0; i < strlen(b64); i++) { 3108 if ((r = sshbuf_put_u8(blob, b64[i])) != 0) 3109 goto out; 3110 /* insert line breaks */ 3111 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3112 goto out; 3113 } 3114 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) 3115 goto out; 3116 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 3117 goto out; 3118 3119 /* success */ 3120 r = 0; 3121 3122 out: 3123 sshbuf_free(kdf); 3124 sshbuf_free(encoded); 3125 sshbuf_free(encrypted); 3126 cipher_cleanup(&ciphercontext); 3127 explicit_bzero(salt, sizeof(salt)); 3128 if (key != NULL) { 3129 explicit_bzero(key, keylen + ivlen); 3130 free(key); 3131 } 3132 if (pubkeyblob != NULL) { 3133 explicit_bzero(pubkeyblob, pubkeylen); 3134 free(pubkeyblob); 3135 } 3136 if (b64 != NULL) { 3137 explicit_bzero(b64, strlen(b64)); 3138 free(b64); 3139 } 3140 return r; 3141 } 3142 3143 static int 3144 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3145 struct sshkey **keyp, char **commentp) 3146 { 3147 char *comment = NULL, *ciphername = NULL, *kdfname = NULL; 3148 const struct sshcipher *cipher = NULL; 3149 const u_char *cp; 3150 int r = SSH_ERR_INTERNAL_ERROR; 3151 size_t encoded_len; 3152 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0; 3153 struct sshbuf *encoded = NULL, *decoded = NULL; 3154 struct sshbuf *kdf = NULL, *decrypted = NULL; 3155 struct sshcipher_ctx ciphercontext; 3156 struct sshkey *k = NULL; 3157 u_char *key = NULL, *salt = NULL, *dp, pad, last; 3158 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 3159 3160 memset(&ciphercontext, 0, sizeof(ciphercontext)); 3161 if (keyp != NULL) 3162 *keyp = NULL; 3163 if (commentp != NULL) 3164 *commentp = NULL; 3165 3166 if ((encoded = sshbuf_new()) == NULL || 3167 (decoded = sshbuf_new()) == NULL || 3168 (decrypted = sshbuf_new()) == NULL) { 3169 r = SSH_ERR_ALLOC_FAIL; 3170 goto out; 3171 } 3172 3173 /* check preamble */ 3174 cp = sshbuf_ptr(blob); 3175 encoded_len = sshbuf_len(blob); 3176 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 3177 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 3178 r = SSH_ERR_INVALID_FORMAT; 3179 goto out; 3180 } 3181 cp += MARK_BEGIN_LEN; 3182 encoded_len -= MARK_BEGIN_LEN; 3183 3184 /* Look for end marker, removing whitespace as we go */ 3185 while (encoded_len > 0) { 3186 if (*cp != '\n' && *cp != '\r') { 3187 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 3188 goto out; 3189 } 3190 last = *cp; 3191 encoded_len--; 3192 cp++; 3193 if (last == '\n') { 3194 if (encoded_len >= MARK_END_LEN && 3195 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 3196 /* \0 terminate */ 3197 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 3198 goto out; 3199 break; 3200 } 3201 } 3202 } 3203 if (encoded_len == 0) { 3204 r = SSH_ERR_INVALID_FORMAT; 3205 goto out; 3206 } 3207 3208 /* decode base64 */ 3209 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 3210 goto out; 3211 3212 /* check magic */ 3213 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 3214 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 3215 r = SSH_ERR_INVALID_FORMAT; 3216 goto out; 3217 } 3218 /* parse public portion of key */ 3219 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3220 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 3221 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3222 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3223 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || 3224 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ 3225 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3226 goto out; 3227 3228 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3229 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3230 goto out; 3231 } 3232 if ((passphrase == NULL || strlen(passphrase) == 0) && 3233 strcmp(ciphername, "none") != 0) { 3234 /* passphrase required */ 3235 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3236 goto out; 3237 } 3238 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3239 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3240 goto out; 3241 } 3242 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { 3243 r = SSH_ERR_INVALID_FORMAT; 3244 goto out; 3245 } 3246 if (nkeys != 1) { 3247 /* XXX only one key supported */ 3248 r = SSH_ERR_INVALID_FORMAT; 3249 goto out; 3250 } 3251 3252 /* check size of encrypted key blob */ 3253 blocksize = cipher_blocksize(cipher); 3254 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3255 r = SSH_ERR_INVALID_FORMAT; 3256 goto out; 3257 } 3258 3259 /* setup key */ 3260 keylen = cipher_keylen(cipher); 3261 ivlen = cipher_ivlen(cipher); 3262 authlen = cipher_authlen(cipher); 3263 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3264 r = SSH_ERR_ALLOC_FAIL; 3265 goto out; 3266 } 3267 if (strcmp(kdfname, "bcrypt") == 0) { 3268 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3269 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3270 goto out; 3271 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3272 key, keylen + ivlen, rounds) < 0) { 3273 r = SSH_ERR_INVALID_FORMAT; 3274 goto out; 3275 } 3276 } 3277 3278 /* check that an appropriate amount of auth data is present */ 3279 if (sshbuf_len(decoded) < encrypted_len + authlen) { 3280 r = SSH_ERR_INVALID_FORMAT; 3281 goto out; 3282 } 3283 3284 /* decrypt private portion of key */ 3285 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3286 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3287 key + keylen, ivlen, 0)) != 0) 3288 goto out; 3289 if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), 3290 encrypted_len, 0, authlen)) != 0) { 3291 /* an integrity error here indicates an incorrect passphrase */ 3292 if (r == SSH_ERR_MAC_INVALID) 3293 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3294 goto out; 3295 } 3296 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3297 goto out; 3298 /* there should be no trailing data */ 3299 if (sshbuf_len(decoded) != 0) { 3300 r = SSH_ERR_INVALID_FORMAT; 3301 goto out; 3302 } 3303 3304 /* check check bytes */ 3305 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3306 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3307 goto out; 3308 if (check1 != check2) { 3309 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3310 goto out; 3311 } 3312 3313 /* Load the private key and comment */ 3314 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3315 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3316 goto out; 3317 3318 /* Check deterministic padding */ 3319 i = 0; 3320 while (sshbuf_len(decrypted)) { 3321 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 3322 goto out; 3323 if (pad != (++i & 0xff)) { 3324 r = SSH_ERR_INVALID_FORMAT; 3325 goto out; 3326 } 3327 } 3328 3329 /* XXX decode pubkey and check against private */ 3330 3331 /* success */ 3332 r = 0; 3333 if (keyp != NULL) { 3334 *keyp = k; 3335 k = NULL; 3336 } 3337 if (commentp != NULL) { 3338 *commentp = comment; 3339 comment = NULL; 3340 } 3341 out: 3342 pad = 0; 3343 cipher_cleanup(&ciphercontext); 3344 free(ciphername); 3345 free(kdfname); 3346 free(comment); 3347 if (salt != NULL) { 3348 explicit_bzero(salt, slen); 3349 free(salt); 3350 } 3351 if (key != NULL) { 3352 explicit_bzero(key, keylen + ivlen); 3353 free(key); 3354 } 3355 sshbuf_free(encoded); 3356 sshbuf_free(decoded); 3357 sshbuf_free(kdf); 3358 sshbuf_free(decrypted); 3359 sshkey_free(k); 3360 return r; 3361 } 3362 3363 #if WITH_SSH1 3364 /* 3365 * Serialises the authentication (private) key to a blob, encrypting it with 3366 * passphrase. The identification of the blob (lowest 64 bits of n) will 3367 * precede the key to provide identification of the key without needing a 3368 * passphrase. 3369 */ 3370 static int 3371 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, 3372 const char *passphrase, const char *comment) 3373 { 3374 struct sshbuf *buffer = NULL, *encrypted = NULL; 3375 u_char buf[8]; 3376 int r, cipher_num; 3377 struct sshcipher_ctx ciphercontext; 3378 const struct sshcipher *cipher; 3379 u_char *cp; 3380 3381 /* 3382 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting 3383 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. 3384 */ 3385 cipher_num = (strcmp(passphrase, "") == 0) ? 3386 SSH_CIPHER_NONE : SSH_CIPHER_3DES; 3387 if ((cipher = cipher_by_number(cipher_num)) == NULL) 3388 return SSH_ERR_INTERNAL_ERROR; 3389 3390 /* This buffer is used to build the secret part of the private key. */ 3391 if ((buffer = sshbuf_new()) == NULL) 3392 return SSH_ERR_ALLOC_FAIL; 3393 3394 /* Put checkbytes for checking passphrase validity. */ 3395 if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) 3396 goto out; 3397 arc4random_buf(cp, 2); 3398 memcpy(cp + 2, cp, 2); 3399 3400 /* 3401 * Store the private key (n and e will not be stored because they 3402 * will be stored in plain text, and storing them also in encrypted 3403 * format would just give known plaintext). 3404 * Note: q and p are stored in reverse order to SSL. 3405 */ 3406 if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || 3407 (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || 3408 (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || 3409 (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) 3410 goto out; 3411 3412 /* Pad the part to be encrypted to a size that is a multiple of 8. */ 3413 explicit_bzero(buf, 8); 3414 if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) 3415 goto out; 3416 3417 /* This buffer will be used to contain the data in the file. */ 3418 if ((encrypted = sshbuf_new()) == NULL) { 3419 r = SSH_ERR_ALLOC_FAIL; 3420 goto out; 3421 } 3422 3423 /* First store keyfile id string. */ 3424 if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, 3425 sizeof(LEGACY_BEGIN))) != 0) 3426 goto out; 3427 3428 /* Store cipher type and "reserved" field. */ 3429 if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || 3430 (r = sshbuf_put_u32(encrypted, 0)) != 0) 3431 goto out; 3432 3433 /* Store public key. This will be in plain text. */ 3434 if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || 3435 (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || 3436 (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || 3437 (r = sshbuf_put_cstring(encrypted, comment) != 0)) 3438 goto out; 3439 3440 /* Allocate space for the private part of the key in the buffer. */ 3441 if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) 3442 goto out; 3443 3444 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3445 CIPHER_ENCRYPT)) != 0) 3446 goto out; 3447 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3448 sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) 3449 goto out; 3450 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3451 goto out; 3452 3453 r = sshbuf_putb(blob, encrypted); 3454 3455 out: 3456 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3457 explicit_bzero(buf, sizeof(buf)); 3458 if (buffer != NULL) 3459 sshbuf_free(buffer); 3460 if (encrypted != NULL) 3461 sshbuf_free(encrypted); 3462 3463 return r; 3464 } 3465 #endif /* WITH_SSH1 */ 3466 3467 #ifdef WITH_OPENSSL 3468 /* convert SSH v2 key in OpenSSL PEM format */ 3469 static int 3470 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, 3471 const char *_passphrase, const char *comment) 3472 { 3473 int success, r; 3474 int blen, len = strlen(_passphrase); 3475 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3476 #if (OPENSSL_VERSION_NUMBER < 0x00907000L) 3477 const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; 3478 #else 3479 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3480 #endif 3481 const u_char *bptr; 3482 BIO *bio = NULL; 3483 3484 if (len > 0 && len <= 4) 3485 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3486 if ((bio = BIO_new(BIO_s_mem())) == NULL) 3487 return SSH_ERR_ALLOC_FAIL; 3488 3489 switch (key->type) { 3490 case KEY_DSA: 3491 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, 3492 cipher, passphrase, len, NULL, NULL); 3493 break; 3494 #ifdef OPENSSL_HAS_ECC 3495 case KEY_ECDSA: 3496 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, 3497 cipher, passphrase, len, NULL, NULL); 3498 break; 3499 #endif 3500 case KEY_RSA: 3501 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, 3502 cipher, passphrase, len, NULL, NULL); 3503 break; 3504 default: 3505 success = 0; 3506 break; 3507 } 3508 if (success == 0) { 3509 r = SSH_ERR_LIBCRYPTO_ERROR; 3510 goto out; 3511 } 3512 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3513 r = SSH_ERR_INTERNAL_ERROR; 3514 goto out; 3515 } 3516 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3517 goto out; 3518 r = 0; 3519 out: 3520 BIO_free(bio); 3521 return r; 3522 } 3523 #endif /* WITH_OPENSSL */ 3524 3525 /* Serialise "key" to buffer "blob" */ 3526 int 3527 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3528 const char *passphrase, const char *comment, 3529 int force_new_format, const char *new_format_cipher, int new_format_rounds) 3530 { 3531 switch (key->type) { 3532 #ifdef WITH_SSH1 3533 case KEY_RSA1: 3534 return sshkey_private_rsa1_to_blob(key, blob, 3535 passphrase, comment); 3536 #endif /* WITH_SSH1 */ 3537 #ifdef WITH_OPENSSL 3538 case KEY_DSA: 3539 case KEY_ECDSA: 3540 case KEY_RSA: 3541 if (force_new_format) { 3542 return sshkey_private_to_blob2(key, blob, passphrase, 3543 comment, new_format_cipher, new_format_rounds); 3544 } 3545 return sshkey_private_pem_to_blob(key, blob, 3546 passphrase, comment); 3547 #endif /* WITH_OPENSSL */ 3548 case KEY_ED25519: 3549 return sshkey_private_to_blob2(key, blob, passphrase, 3550 comment, new_format_cipher, new_format_rounds); 3551 default: 3552 return SSH_ERR_KEY_TYPE_UNKNOWN; 3553 } 3554 } 3555 3556 #ifdef WITH_SSH1 3557 /* 3558 * Parse the public, unencrypted portion of a RSA1 key. 3559 */ 3560 int 3561 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, 3562 struct sshkey **keyp, char **commentp) 3563 { 3564 int r; 3565 struct sshkey *pub = NULL; 3566 struct sshbuf *copy = NULL; 3567 3568 if (keyp != NULL) 3569 *keyp = NULL; 3570 if (commentp != NULL) 3571 *commentp = NULL; 3572 3573 /* Check that it is at least big enough to contain the ID string. */ 3574 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3575 return SSH_ERR_INVALID_FORMAT; 3576 3577 /* 3578 * Make sure it begins with the id string. Consume the id string 3579 * from the buffer. 3580 */ 3581 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3582 return SSH_ERR_INVALID_FORMAT; 3583 /* Make a working copy of the keyblob and skip past the magic */ 3584 if ((copy = sshbuf_fromb(blob)) == NULL) 3585 return SSH_ERR_ALLOC_FAIL; 3586 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3587 goto out; 3588 3589 /* Skip cipher type, reserved data and key bits. */ 3590 if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ 3591 (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ 3592 (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ 3593 goto out; 3594 3595 /* Read the public key from the buffer. */ 3596 if ((pub = sshkey_new(KEY_RSA1)) == NULL || 3597 (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || 3598 (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) 3599 goto out; 3600 3601 /* Finally, the comment */ 3602 if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) 3603 goto out; 3604 3605 /* The encrypted private part is not parsed by this function. */ 3606 3607 r = 0; 3608 if (keyp != NULL) 3609 *keyp = pub; 3610 else 3611 sshkey_free(pub); 3612 pub = NULL; 3613 3614 out: 3615 if (copy != NULL) 3616 sshbuf_free(copy); 3617 if (pub != NULL) 3618 sshkey_free(pub); 3619 return r; 3620 } 3621 3622 static int 3623 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, 3624 struct sshkey **keyp, char **commentp) 3625 { 3626 int r; 3627 u_int16_t check1, check2; 3628 u_int8_t cipher_type; 3629 struct sshbuf *decrypted = NULL, *copy = NULL; 3630 u_char *cp; 3631 char *comment = NULL; 3632 struct sshcipher_ctx ciphercontext; 3633 const struct sshcipher *cipher; 3634 struct sshkey *prv = NULL; 3635 3636 *keyp = NULL; 3637 if (commentp != NULL) 3638 *commentp = NULL; 3639 3640 /* Check that it is at least big enough to contain the ID string. */ 3641 if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) 3642 return SSH_ERR_INVALID_FORMAT; 3643 3644 /* 3645 * Make sure it begins with the id string. Consume the id string 3646 * from the buffer. 3647 */ 3648 if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) 3649 return SSH_ERR_INVALID_FORMAT; 3650 3651 if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { 3652 r = SSH_ERR_ALLOC_FAIL; 3653 goto out; 3654 } 3655 if ((copy = sshbuf_fromb(blob)) == NULL || 3656 (decrypted = sshbuf_new()) == NULL) { 3657 r = SSH_ERR_ALLOC_FAIL; 3658 goto out; 3659 } 3660 if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) 3661 goto out; 3662 3663 /* Read cipher type. */ 3664 if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || 3665 (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ 3666 goto out; 3667 3668 /* Read the public key and comment from the buffer. */ 3669 if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ 3670 (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || 3671 (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || 3672 (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) 3673 goto out; 3674 3675 /* Check that it is a supported cipher. */ 3676 cipher = cipher_by_number(cipher_type); 3677 if (cipher == NULL) { 3678 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3679 goto out; 3680 } 3681 /* Initialize space for decrypted data. */ 3682 if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) 3683 goto out; 3684 3685 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ 3686 if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, 3687 CIPHER_DECRYPT)) != 0) 3688 goto out; 3689 if ((r = cipher_crypt(&ciphercontext, 0, cp, 3690 sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { 3691 cipher_cleanup(&ciphercontext); 3692 goto out; 3693 } 3694 if ((r = cipher_cleanup(&ciphercontext)) != 0) 3695 goto out; 3696 3697 if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || 3698 (r = sshbuf_get_u16(decrypted, &check2)) != 0) 3699 goto out; 3700 if (check1 != check2) { 3701 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3702 goto out; 3703 } 3704 3705 /* Read the rest of the private key. */ 3706 if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || 3707 (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || 3708 (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || 3709 (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) 3710 goto out; 3711 3712 /* calculate p-1 and q-1 */ 3713 if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) 3714 goto out; 3715 3716 /* enable blinding */ 3717 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3718 r = SSH_ERR_LIBCRYPTO_ERROR; 3719 goto out; 3720 } 3721 r = 0; 3722 *keyp = prv; 3723 prv = NULL; 3724 if (commentp != NULL) { 3725 *commentp = comment; 3726 comment = NULL; 3727 } 3728 out: 3729 explicit_bzero(&ciphercontext, sizeof(ciphercontext)); 3730 if (comment != NULL) 3731 free(comment); 3732 if (prv != NULL) 3733 sshkey_free(prv); 3734 if (copy != NULL) 3735 sshbuf_free(copy); 3736 if (decrypted != NULL) 3737 sshbuf_free(decrypted); 3738 return r; 3739 } 3740 #endif /* WITH_SSH1 */ 3741 3742 #ifdef WITH_OPENSSL 3743 static int 3744 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3745 const char *passphrase, struct sshkey **keyp) 3746 { 3747 EVP_PKEY *pk = NULL; 3748 struct sshkey *prv = NULL; 3749 BIO *bio = NULL; 3750 int r; 3751 3752 *keyp = NULL; 3753 3754 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3755 return SSH_ERR_ALLOC_FAIL; 3756 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3757 (int)sshbuf_len(blob)) { 3758 r = SSH_ERR_ALLOC_FAIL; 3759 goto out; 3760 } 3761 3762 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3763 (char *)passphrase)) == NULL) { 3764 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3765 goto out; 3766 } 3767 if (pk->type == EVP_PKEY_RSA && 3768 (type == KEY_UNSPEC || type == KEY_RSA)) { 3769 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3770 r = SSH_ERR_ALLOC_FAIL; 3771 goto out; 3772 } 3773 prv->rsa = EVP_PKEY_get1_RSA(pk); 3774 prv->type = KEY_RSA; 3775 #ifdef DEBUG_PK 3776 RSA_print_fp(stderr, prv->rsa, 8); 3777 #endif 3778 if (RSA_blinding_on(prv->rsa, NULL) != 1) { 3779 r = SSH_ERR_LIBCRYPTO_ERROR; 3780 goto out; 3781 } 3782 } else if (pk->type == EVP_PKEY_DSA && 3783 (type == KEY_UNSPEC || type == KEY_DSA)) { 3784 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3785 r = SSH_ERR_ALLOC_FAIL; 3786 goto out; 3787 } 3788 prv->dsa = EVP_PKEY_get1_DSA(pk); 3789 prv->type = KEY_DSA; 3790 #ifdef DEBUG_PK 3791 DSA_print_fp(stderr, prv->dsa, 8); 3792 #endif 3793 #ifdef OPENSSL_HAS_ECC 3794 } else if (pk->type == EVP_PKEY_EC && 3795 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3796 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3797 r = SSH_ERR_ALLOC_FAIL; 3798 goto out; 3799 } 3800 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); 3801 prv->type = KEY_ECDSA; 3802 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); 3803 if (prv->ecdsa_nid == -1 || 3804 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3805 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), 3806 EC_KEY_get0_public_key(prv->ecdsa)) != 0 || 3807 sshkey_ec_validate_private(prv->ecdsa) != 0) { 3808 r = SSH_ERR_INVALID_FORMAT; 3809 goto out; 3810 } 3811 # ifdef DEBUG_PK 3812 if (prv != NULL && prv->ecdsa != NULL) 3813 sshkey_dump_ec_key(prv->ecdsa); 3814 # endif 3815 #endif /* OPENSSL_HAS_ECC */ 3816 } else { 3817 r = SSH_ERR_INVALID_FORMAT; 3818 goto out; 3819 } 3820 r = 0; 3821 *keyp = prv; 3822 prv = NULL; 3823 out: 3824 BIO_free(bio); 3825 if (pk != NULL) 3826 EVP_PKEY_free(pk); 3827 if (prv != NULL) 3828 sshkey_free(prv); 3829 return r; 3830 } 3831 #endif /* WITH_OPENSSL */ 3832 3833 int 3834 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3835 const char *passphrase, struct sshkey **keyp, char **commentp) 3836 { 3837 int r; 3838 3839 *keyp = NULL; 3840 if (commentp != NULL) 3841 *commentp = NULL; 3842 3843 switch (type) { 3844 #ifdef WITH_SSH1 3845 case KEY_RSA1: 3846 return sshkey_parse_private_rsa1(blob, passphrase, 3847 keyp, commentp); 3848 #endif /* WITH_SSH1 */ 3849 #ifdef WITH_OPENSSL 3850 case KEY_DSA: 3851 case KEY_ECDSA: 3852 case KEY_RSA: 3853 return sshkey_parse_private_pem_fileblob(blob, type, 3854 passphrase, keyp); 3855 #endif /* WITH_OPENSSL */ 3856 case KEY_ED25519: 3857 return sshkey_parse_private2(blob, type, passphrase, 3858 keyp, commentp); 3859 case KEY_UNSPEC: 3860 if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, 3861 commentp)) == 0) 3862 return 0; 3863 #ifdef WITH_OPENSSL 3864 return sshkey_parse_private_pem_fileblob(blob, type, 3865 passphrase, keyp); 3866 #else 3867 return SSH_ERR_INVALID_FORMAT; 3868 #endif /* WITH_OPENSSL */ 3869 default: 3870 return SSH_ERR_KEY_TYPE_UNKNOWN; 3871 } 3872 } 3873 3874 int 3875 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3876 const char *filename, struct sshkey **keyp, char **commentp) 3877 { 3878 int r; 3879 3880 if (keyp != NULL) 3881 *keyp = NULL; 3882 if (commentp != NULL) 3883 *commentp = NULL; 3884 3885 #ifdef WITH_SSH1 3886 /* it's a SSH v1 key if the public key part is readable */ 3887 if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { 3888 return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, 3889 passphrase, keyp, commentp); 3890 } 3891 #endif /* WITH_SSH1 */ 3892 if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3893 passphrase, keyp, commentp)) == 0) 3894 return 0; 3895 return r; 3896 } 3897