1 /* $OpenBSD: sshsig.c,v 1.38 2025/02/18 08:02:48 djm Exp $ */ 2 /* 3 * Copyright (c) 2019 Google LLC 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "includes.h" 19 20 #include <stdio.h> 21 #include <stdlib.h> 22 #include <stdarg.h> 23 #include <errno.h> 24 #include <string.h> 25 #include <unistd.h> 26 27 #include "authfd.h" 28 #include "authfile.h" 29 #include "log.h" 30 #include "misc.h" 31 #include "sshbuf.h" 32 #include "sshsig.h" 33 #include "ssherr.h" 34 #include "sshkey.h" 35 #include "match.h" 36 #include "digest.h" 37 38 #define SIG_VERSION 0x01 39 #define MAGIC_PREAMBLE "SSHSIG" 40 #define MAGIC_PREAMBLE_LEN (sizeof(MAGIC_PREAMBLE) - 1) 41 #define BEGIN_SIGNATURE "-----BEGIN SSH SIGNATURE-----" 42 #define END_SIGNATURE "-----END SSH SIGNATURE-----" 43 #define RSA_SIGN_ALG "rsa-sha2-512" 44 #define RSA_SIGN_ALLOWED "rsa-sha2-512,rsa-sha2-256" 45 #define HASHALG_DEFAULT "sha512" 46 #define HASHALG_ALLOWED "sha256,sha512" 47 48 int 49 sshsig_armor(const struct sshbuf *blob, struct sshbuf **out) 50 { 51 struct sshbuf *buf = NULL; 52 int r = SSH_ERR_INTERNAL_ERROR; 53 54 *out = NULL; 55 56 if ((buf = sshbuf_new()) == NULL) { 57 error_f("sshbuf_new failed"); 58 r = SSH_ERR_ALLOC_FAIL; 59 goto out; 60 } 61 62 if ((r = sshbuf_putf(buf, "%s\n", BEGIN_SIGNATURE)) != 0) { 63 error_fr(r, "sshbuf_putf"); 64 goto out; 65 } 66 67 if ((r = sshbuf_dtob64(blob, buf, 1)) != 0) { 68 error_fr(r, "base64 encode signature"); 69 goto out; 70 } 71 72 if ((r = sshbuf_put(buf, END_SIGNATURE, 73 sizeof(END_SIGNATURE)-1)) != 0 || 74 (r = sshbuf_put_u8(buf, '\n')) != 0) { 75 error_fr(r, "sshbuf_put"); 76 goto out; 77 } 78 /* success */ 79 *out = buf; 80 buf = NULL; /* transferred */ 81 r = 0; 82 out: 83 sshbuf_free(buf); 84 return r; 85 } 86 87 int 88 sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out) 89 { 90 int r; 91 size_t eoffset = 0; 92 struct sshbuf *buf = NULL; 93 struct sshbuf *sbuf = NULL; 94 char *b64 = NULL; 95 96 if ((sbuf = sshbuf_fromb(sig)) == NULL) { 97 error_f("sshbuf_fromb failed"); 98 return SSH_ERR_ALLOC_FAIL; 99 } 100 101 /* Expect and consume preamble + lf/crlf */ 102 if ((r = sshbuf_cmp(sbuf, 0, 103 BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) { 104 error("Couldn't parse signature: missing header"); 105 goto done; 106 } 107 if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) { 108 error_fr(r, "consume"); 109 goto done; 110 } 111 if ((r = sshbuf_cmp(sbuf, 0, "\r\n", 2)) == 0) 112 eoffset = 2; 113 else if ((r = sshbuf_cmp(sbuf, 0, "\n", 1)) == 0) 114 eoffset = 1; 115 else { 116 r = SSH_ERR_INVALID_FORMAT; 117 error_f("no header eol"); 118 goto done; 119 } 120 if ((r = sshbuf_consume(sbuf, eoffset)) != 0) { 121 error_fr(r, "consume eol"); 122 goto done; 123 } 124 /* Find and consume lf + suffix (any prior cr would be ignored) */ 125 if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE, 126 sizeof(END_SIGNATURE), &eoffset)) != 0) { 127 error("Couldn't parse signature: missing footer"); 128 goto done; 129 } 130 if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) { 131 error_fr(r, "consume"); 132 goto done; 133 } 134 135 if ((b64 = sshbuf_dup_string(sbuf)) == NULL) { 136 error_f("sshbuf_dup_string failed"); 137 r = SSH_ERR_ALLOC_FAIL; 138 goto done; 139 } 140 141 if ((buf = sshbuf_new()) == NULL) { 142 error_f("sshbuf_new() failed"); 143 r = SSH_ERR_ALLOC_FAIL; 144 goto done; 145 } 146 147 if ((r = sshbuf_b64tod(buf, b64)) != 0) { 148 error_fr(r, "decode base64"); 149 goto done; 150 } 151 152 /* success */ 153 *out = buf; 154 r = 0; 155 buf = NULL; /* transferred */ 156 done: 157 sshbuf_free(buf); 158 sshbuf_free(sbuf); 159 free(b64); 160 return r; 161 } 162 163 static int 164 sshsig_wrap_sign(struct sshkey *key, const char *hashalg, 165 const char *sk_provider, const char *sk_pin, const struct sshbuf *h_message, 166 const char *sig_namespace, struct sshbuf **out, 167 sshsig_signer *signer, void *signer_ctx) 168 { 169 int r; 170 size_t slen = 0; 171 u_char *sig = NULL; 172 struct sshbuf *blob = NULL; 173 struct sshbuf *tosign = NULL; 174 const char *sign_alg = NULL; 175 176 if ((tosign = sshbuf_new()) == NULL || 177 (blob = sshbuf_new()) == NULL) { 178 error_f("sshbuf_new failed"); 179 r = SSH_ERR_ALLOC_FAIL; 180 goto done; 181 } 182 183 if ((r = sshbuf_put(tosign, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || 184 (r = sshbuf_put_cstring(tosign, sig_namespace)) != 0 || 185 (r = sshbuf_put_string(tosign, NULL, 0)) != 0 || /* reserved */ 186 (r = sshbuf_put_cstring(tosign, hashalg)) != 0 || 187 (r = sshbuf_put_stringb(tosign, h_message)) != 0) { 188 error_fr(r, "assemble message to sign"); 189 goto done; 190 } 191 192 /* If using RSA keys then default to a good signature algorithm */ 193 if (sshkey_type_plain(key->type) == KEY_RSA) { 194 sign_alg = RSA_SIGN_ALG; 195 if (strcmp(hashalg, "sha256") == 0) 196 sign_alg = "rsa-sha2-256"; 197 else if (strcmp(hashalg, "sha512") == 0) 198 sign_alg = "rsa-sha2-512"; 199 } 200 201 if (signer != NULL) { 202 if ((r = signer(key, &sig, &slen, 203 sshbuf_ptr(tosign), sshbuf_len(tosign), 204 sign_alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) { 205 error_r(r, "Couldn't sign message (signer)"); 206 goto done; 207 } 208 } else { 209 if ((r = sshkey_sign(key, &sig, &slen, 210 sshbuf_ptr(tosign), sshbuf_len(tosign), 211 sign_alg, sk_provider, sk_pin, 0)) != 0) { 212 error_r(r, "Couldn't sign message"); 213 goto done; 214 } 215 } 216 217 if ((r = sshbuf_put(blob, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || 218 (r = sshbuf_put_u32(blob, SIG_VERSION)) != 0 || 219 (r = sshkey_puts(key, blob)) != 0 || 220 (r = sshbuf_put_cstring(blob, sig_namespace)) != 0 || 221 (r = sshbuf_put_string(blob, NULL, 0)) != 0 || /* reserved */ 222 (r = sshbuf_put_cstring(blob, hashalg)) != 0 || 223 (r = sshbuf_put_string(blob, sig, slen)) != 0) { 224 error_fr(r, "assemble signature object"); 225 goto done; 226 } 227 228 if (out != NULL) { 229 *out = blob; 230 blob = NULL; 231 } 232 r = 0; 233 done: 234 free(sig); 235 sshbuf_free(blob); 236 sshbuf_free(tosign); 237 return r; 238 } 239 240 /* Check preamble and version. */ 241 static int 242 sshsig_parse_preamble(struct sshbuf *buf) 243 { 244 int r = SSH_ERR_INTERNAL_ERROR; 245 uint32_t sversion; 246 247 if ((r = sshbuf_cmp(buf, 0, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || 248 (r = sshbuf_consume(buf, (sizeof(MAGIC_PREAMBLE)-1))) != 0 || 249 (r = sshbuf_get_u32(buf, &sversion)) != 0) { 250 error("Couldn't verify signature: invalid format"); 251 return r; 252 } 253 254 if (sversion > SIG_VERSION) { 255 error("Signature version %lu is larger than supported " 256 "version %u", (unsigned long)sversion, SIG_VERSION); 257 return SSH_ERR_INVALID_FORMAT; 258 } 259 return 0; 260 } 261 262 static int 263 sshsig_check_hashalg(const char *hashalg) 264 { 265 if (hashalg == NULL || 266 match_pattern_list(hashalg, HASHALG_ALLOWED, 0) == 1) 267 return 0; 268 error_f("unsupported hash algorithm \"%.100s\"", hashalg); 269 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 270 } 271 272 static int 273 sshsig_peek_hashalg(struct sshbuf *signature, char **hashalgp) 274 { 275 struct sshbuf *buf = NULL; 276 char *hashalg = NULL; 277 int r = SSH_ERR_INTERNAL_ERROR; 278 279 if (hashalgp != NULL) 280 *hashalgp = NULL; 281 if ((buf = sshbuf_fromb(signature)) == NULL) 282 return SSH_ERR_ALLOC_FAIL; 283 if ((r = sshsig_parse_preamble(buf)) != 0) 284 goto done; 285 if ((r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 || 286 (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 || 287 (r = sshbuf_get_string(buf, NULL, NULL)) != 0 || 288 (r = sshbuf_get_cstring(buf, &hashalg, NULL)) != 0 || 289 (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0) { 290 error_fr(r, "parse signature object"); 291 goto done; 292 } 293 294 /* success */ 295 r = 0; 296 *hashalgp = hashalg; 297 hashalg = NULL; 298 done: 299 free(hashalg); 300 sshbuf_free(buf); 301 return r; 302 } 303 304 static int 305 sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg, 306 const struct sshbuf *h_message, const char *expect_namespace, 307 struct sshkey **sign_keyp, struct sshkey_sig_details **sig_details) 308 { 309 int r = SSH_ERR_INTERNAL_ERROR; 310 struct sshbuf *buf = NULL, *toverify = NULL; 311 struct sshkey *key = NULL; 312 const u_char *sig; 313 char *got_namespace = NULL, *sigtype = NULL, *sig_hashalg = NULL; 314 size_t siglen; 315 316 debug_f("verify message length %zu", sshbuf_len(h_message)); 317 if (sig_details != NULL) 318 *sig_details = NULL; 319 if (sign_keyp != NULL) 320 *sign_keyp = NULL; 321 322 if ((toverify = sshbuf_new()) == NULL) { 323 error_f("sshbuf_new failed"); 324 r = SSH_ERR_ALLOC_FAIL; 325 goto done; 326 } 327 if ((r = sshbuf_put(toverify, MAGIC_PREAMBLE, 328 MAGIC_PREAMBLE_LEN)) != 0 || 329 (r = sshbuf_put_cstring(toverify, expect_namespace)) != 0 || 330 (r = sshbuf_put_string(toverify, NULL, 0)) != 0 || /* reserved */ 331 (r = sshbuf_put_cstring(toverify, hashalg)) != 0 || 332 (r = sshbuf_put_stringb(toverify, h_message)) != 0) { 333 error_fr(r, "assemble message to verify"); 334 goto done; 335 } 336 337 if ((r = sshsig_parse_preamble(signature)) != 0) 338 goto done; 339 340 if ((r = sshkey_froms(signature, &key)) != 0 || 341 (r = sshbuf_get_cstring(signature, &got_namespace, NULL)) != 0 || 342 (r = sshbuf_get_string(signature, NULL, NULL)) != 0 || 343 (r = sshbuf_get_cstring(signature, &sig_hashalg, NULL)) != 0 || 344 (r = sshbuf_get_string_direct(signature, &sig, &siglen)) != 0) { 345 error_fr(r, "parse signature object"); 346 goto done; 347 } 348 349 if (sshbuf_len(signature) != 0) { 350 error("Signature contains trailing data"); 351 r = SSH_ERR_INVALID_FORMAT; 352 goto done; 353 } 354 355 if (strcmp(expect_namespace, got_namespace) != 0) { 356 error("Couldn't verify signature: namespace does not match"); 357 debug_f("expected namespace \"%s\" received \"%s\"", 358 expect_namespace, got_namespace); 359 r = SSH_ERR_SIGNATURE_INVALID; 360 goto done; 361 } 362 if (strcmp(hashalg, sig_hashalg) != 0) { 363 error("Couldn't verify signature: hash algorithm mismatch"); 364 debug_f("expected algorithm \"%s\" received \"%s\"", 365 hashalg, sig_hashalg); 366 r = SSH_ERR_SIGNATURE_INVALID; 367 goto done; 368 } 369 /* Ensure that RSA keys use an acceptable signature algorithm */ 370 if (sshkey_type_plain(key->type) == KEY_RSA) { 371 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) { 372 error_r(r, "Couldn't verify signature: unable to get " 373 "signature type"); 374 goto done; 375 } 376 if (match_pattern_list(sigtype, RSA_SIGN_ALLOWED, 0) != 1) { 377 error("Couldn't verify signature: unsupported RSA " 378 "signature algorithm %s", sigtype); 379 r = SSH_ERR_SIGN_ALG_UNSUPPORTED; 380 goto done; 381 } 382 } 383 if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify), 384 sshbuf_len(toverify), NULL, 0, sig_details)) != 0) { 385 error_r(r, "Signature verification failed"); 386 goto done; 387 } 388 389 /* success */ 390 r = 0; 391 if (sign_keyp != NULL) { 392 *sign_keyp = key; 393 key = NULL; /* transferred */ 394 } 395 done: 396 free(got_namespace); 397 free(sigtype); 398 free(sig_hashalg); 399 sshbuf_free(buf); 400 sshbuf_free(toverify); 401 sshkey_free(key); 402 return r; 403 } 404 405 static int 406 hash_buffer(const struct sshbuf *m, const char *hashalg, struct sshbuf **bp) 407 { 408 char *hex, hash[SSH_DIGEST_MAX_LENGTH]; 409 int alg, r = SSH_ERR_INTERNAL_ERROR; 410 struct sshbuf *b = NULL; 411 412 *bp = NULL; 413 memset(hash, 0, sizeof(hash)); 414 415 if ((r = sshsig_check_hashalg(hashalg)) != 0) 416 return r; 417 if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { 418 error_f("can't look up hash algorithm %s", hashalg); 419 return SSH_ERR_INTERNAL_ERROR; 420 } 421 if ((r = ssh_digest_buffer(alg, m, hash, sizeof(hash))) != 0) { 422 error_fr(r, "ssh_digest_buffer"); 423 return r; 424 } 425 if ((hex = tohex(hash, ssh_digest_bytes(alg))) != NULL) { 426 debug3_f("final hash: %s", hex); 427 freezero(hex, strlen(hex)); 428 } 429 if ((b = sshbuf_new()) == NULL) { 430 r = SSH_ERR_ALLOC_FAIL; 431 goto out; 432 } 433 if ((r = sshbuf_put(b, hash, ssh_digest_bytes(alg))) != 0) { 434 error_fr(r, "sshbuf_put"); 435 goto out; 436 } 437 *bp = b; 438 b = NULL; /* transferred */ 439 /* success */ 440 r = 0; 441 out: 442 sshbuf_free(b); 443 explicit_bzero(hash, sizeof(hash)); 444 return r; 445 } 446 447 int 448 sshsig_signb(struct sshkey *key, const char *hashalg, 449 const char *sk_provider, const char *sk_pin, 450 const struct sshbuf *message, const char *sig_namespace, 451 struct sshbuf **out, sshsig_signer *signer, void *signer_ctx) 452 { 453 struct sshbuf *b = NULL; 454 int r = SSH_ERR_INTERNAL_ERROR; 455 456 if (hashalg == NULL) 457 hashalg = HASHALG_DEFAULT; 458 if (out != NULL) 459 *out = NULL; 460 if ((r = hash_buffer(message, hashalg, &b)) != 0) { 461 error_fr(r, "hash buffer"); 462 goto out; 463 } 464 if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, sk_pin, b, 465 sig_namespace, out, signer, signer_ctx)) != 0) 466 goto out; 467 /* success */ 468 r = 0; 469 out: 470 sshbuf_free(b); 471 return r; 472 } 473 474 int 475 sshsig_verifyb(struct sshbuf *signature, const struct sshbuf *message, 476 const char *expect_namespace, struct sshkey **sign_keyp, 477 struct sshkey_sig_details **sig_details) 478 { 479 struct sshbuf *b = NULL; 480 int r = SSH_ERR_INTERNAL_ERROR; 481 char *hashalg = NULL; 482 483 if (sig_details != NULL) 484 *sig_details = NULL; 485 if (sign_keyp != NULL) 486 *sign_keyp = NULL; 487 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) 488 return r; 489 debug_f("signature made with hash \"%s\"", hashalg); 490 if ((r = hash_buffer(message, hashalg, &b)) != 0) { 491 error_fr(r, "hash buffer"); 492 goto out; 493 } 494 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, 495 sign_keyp, sig_details)) != 0) 496 goto out; 497 /* success */ 498 r = 0; 499 out: 500 sshbuf_free(b); 501 free(hashalg); 502 return r; 503 } 504 505 static int 506 hash_file(int fd, const char *hashalg, struct sshbuf **bp) 507 { 508 char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH]; 509 ssize_t n, total = 0; 510 struct ssh_digest_ctx *ctx = NULL; 511 int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR; 512 struct sshbuf *b = NULL; 513 514 *bp = NULL; 515 memset(hash, 0, sizeof(hash)); 516 517 if ((r = sshsig_check_hashalg(hashalg)) != 0) 518 return r; 519 if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { 520 error_f("can't look up hash algorithm %s", hashalg); 521 return SSH_ERR_INTERNAL_ERROR; 522 } 523 if ((ctx = ssh_digest_start(alg)) == NULL) { 524 error_f("ssh_digest_start failed"); 525 return SSH_ERR_INTERNAL_ERROR; 526 } 527 for (;;) { 528 if ((n = read(fd, rbuf, sizeof(rbuf))) == -1) { 529 if (errno == EINTR || errno == EAGAIN) 530 continue; 531 oerrno = errno; 532 error_f("read: %s", strerror(errno)); 533 errno = oerrno; 534 r = SSH_ERR_SYSTEM_ERROR; 535 goto out; 536 } else if (n == 0) { 537 debug2_f("hashed %zu bytes", total); 538 break; /* EOF */ 539 } 540 total += (size_t)n; 541 if ((r = ssh_digest_update(ctx, rbuf, (size_t)n)) != 0) { 542 error_fr(r, "ssh_digest_update"); 543 goto out; 544 } 545 } 546 if ((r = ssh_digest_final(ctx, hash, sizeof(hash))) != 0) { 547 error_fr(r, "ssh_digest_final"); 548 goto out; 549 } 550 if ((hex = tohex(hash, ssh_digest_bytes(alg))) != NULL) { 551 debug3_f("final hash: %s", hex); 552 freezero(hex, strlen(hex)); 553 } 554 if ((b = sshbuf_new()) == NULL) { 555 r = SSH_ERR_ALLOC_FAIL; 556 goto out; 557 } 558 if ((r = sshbuf_put(b, hash, ssh_digest_bytes(alg))) != 0) { 559 error_fr(r, "sshbuf_put"); 560 goto out; 561 } 562 *bp = b; 563 b = NULL; /* transferred */ 564 /* success */ 565 r = 0; 566 out: 567 oerrno = errno; 568 sshbuf_free(b); 569 ssh_digest_free(ctx); 570 explicit_bzero(hash, sizeof(hash)); 571 errno = oerrno; 572 return r; 573 } 574 575 int 576 sshsig_sign_fd(struct sshkey *key, const char *hashalg, 577 const char *sk_provider, const char *sk_pin, 578 int fd, const char *sig_namespace, struct sshbuf **out, 579 sshsig_signer *signer, void *signer_ctx) 580 { 581 struct sshbuf *b = NULL; 582 int r = SSH_ERR_INTERNAL_ERROR; 583 584 if (hashalg == NULL) 585 hashalg = HASHALG_DEFAULT; 586 if (out != NULL) 587 *out = NULL; 588 if ((r = hash_file(fd, hashalg, &b)) != 0) { 589 error_fr(r, "hash_file"); 590 return r; 591 } 592 if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, sk_pin, b, 593 sig_namespace, out, signer, signer_ctx)) != 0) 594 goto out; 595 /* success */ 596 r = 0; 597 out: 598 sshbuf_free(b); 599 return r; 600 } 601 602 int 603 sshsig_verify_fd(struct sshbuf *signature, int fd, 604 const char *expect_namespace, struct sshkey **sign_keyp, 605 struct sshkey_sig_details **sig_details) 606 { 607 struct sshbuf *b = NULL; 608 int r = SSH_ERR_INTERNAL_ERROR; 609 char *hashalg = NULL; 610 611 if (sig_details != NULL) 612 *sig_details = NULL; 613 if (sign_keyp != NULL) 614 *sign_keyp = NULL; 615 if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) 616 return r; 617 debug_f("signature made with hash \"%s\"", hashalg); 618 if ((r = hash_file(fd, hashalg, &b)) != 0) { 619 error_fr(r, "hash_file"); 620 goto out; 621 } 622 if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, 623 sign_keyp, sig_details)) != 0) 624 goto out; 625 /* success */ 626 r = 0; 627 out: 628 sshbuf_free(b); 629 free(hashalg); 630 return r; 631 } 632 633 struct sshsigopt { 634 int ca; 635 char *namespaces; 636 uint64_t valid_after, valid_before; 637 }; 638 639 struct sshsigopt * 640 sshsigopt_parse(const char *opts, const char *path, u_long linenum, 641 const char **errstrp) 642 { 643 struct sshsigopt *ret; 644 int r; 645 char *opt; 646 const char *errstr = NULL; 647 648 if ((ret = calloc(1, sizeof(*ret))) == NULL) 649 return NULL; 650 if (opts == NULL || *opts == '\0') 651 return ret; /* Empty options yields empty options :) */ 652 653 while (*opts && *opts != ' ' && *opts != '\t') { 654 /* flag options */ 655 if ((r = opt_flag("cert-authority", 0, &opts)) != -1) { 656 ret->ca = 1; 657 } else if (opt_match(&opts, "namespaces")) { 658 if (ret->namespaces != NULL) { 659 errstr = "multiple \"namespaces\" clauses"; 660 goto fail; 661 } 662 ret->namespaces = opt_dequote(&opts, &errstr); 663 if (ret->namespaces == NULL) 664 goto fail; 665 } else if (opt_match(&opts, "valid-after")) { 666 if (ret->valid_after != 0) { 667 errstr = "multiple \"valid-after\" clauses"; 668 goto fail; 669 } 670 if ((opt = opt_dequote(&opts, &errstr)) == NULL) 671 goto fail; 672 if (parse_absolute_time(opt, &ret->valid_after) != 0 || 673 ret->valid_after == 0) { 674 free(opt); 675 errstr = "invalid \"valid-after\" time"; 676 goto fail; 677 } 678 free(opt); 679 } else if (opt_match(&opts, "valid-before")) { 680 if (ret->valid_before != 0) { 681 errstr = "multiple \"valid-before\" clauses"; 682 goto fail; 683 } 684 if ((opt = opt_dequote(&opts, &errstr)) == NULL) 685 goto fail; 686 if (parse_absolute_time(opt, &ret->valid_before) != 0 || 687 ret->valid_before == 0) { 688 free(opt); 689 errstr = "invalid \"valid-before\" time"; 690 goto fail; 691 } 692 free(opt); 693 } 694 /* 695 * Skip the comma, and move to the next option 696 * (or break out if there are no more). 697 */ 698 if (*opts == '\0' || *opts == ' ' || *opts == '\t') 699 break; /* End of options. */ 700 /* Anything other than a comma is an unknown option */ 701 if (*opts != ',') { 702 errstr = "unknown key option"; 703 goto fail; 704 } 705 opts++; 706 if (*opts == '\0') { 707 errstr = "unexpected end-of-options"; 708 goto fail; 709 } 710 } 711 /* final consistency check */ 712 if (ret->valid_after != 0 && ret->valid_before != 0 && 713 ret->valid_before <= ret->valid_after) { 714 errstr = "\"valid-before\" time is before \"valid-after\""; 715 goto fail; 716 } 717 /* success */ 718 return ret; 719 fail: 720 if (errstrp != NULL) 721 *errstrp = errstr; 722 sshsigopt_free(ret); 723 return NULL; 724 } 725 726 void 727 sshsigopt_free(struct sshsigopt *opts) 728 { 729 if (opts == NULL) 730 return; 731 free(opts->namespaces); 732 free(opts); 733 } 734 735 static int 736 parse_principals_key_and_options(const char *path, u_long linenum, char *line, 737 const char *required_principal, char **principalsp, struct sshkey **keyp, 738 struct sshsigopt **sigoptsp) 739 { 740 char *opts = NULL, *tmp, *cp, *principals = NULL; 741 const char *reason = NULL; 742 struct sshsigopt *sigopts = NULL; 743 struct sshkey *key = NULL; 744 int r = SSH_ERR_INTERNAL_ERROR; 745 746 if (principalsp != NULL) 747 *principalsp = NULL; 748 if (sigoptsp != NULL) 749 *sigoptsp = NULL; 750 if (keyp != NULL) 751 *keyp = NULL; 752 753 cp = line; 754 cp = cp + strspn(cp, " \t\n\r"); /* skip leading whitespace */ 755 if (*cp == '#' || *cp == '\0') 756 return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */ 757 758 /* format: identity[,identity...] [option[,option...]] key */ 759 if ((tmp = strdelimw(&cp)) == NULL || cp == NULL) { 760 error("%s:%lu: invalid line", path, linenum); 761 r = SSH_ERR_INVALID_FORMAT; 762 goto out; 763 } 764 if ((principals = strdup(tmp)) == NULL) { 765 error_f("strdup failed"); 766 r = SSH_ERR_ALLOC_FAIL; 767 goto out; 768 } 769 /* 770 * Bail out early if we're looking for a particular principal and this 771 * line does not list it. 772 */ 773 if (required_principal != NULL) { 774 if (match_pattern_list(required_principal, 775 principals, 0) != 1) { 776 /* principal didn't match */ 777 r = SSH_ERR_KEY_NOT_FOUND; 778 goto out; 779 } 780 debug_f("%s:%lu: matched principal \"%s\"", 781 path, linenum, required_principal); 782 } 783 784 if ((key = sshkey_new(KEY_UNSPEC)) == NULL) { 785 error_f("sshkey_new failed"); 786 r = SSH_ERR_ALLOC_FAIL; 787 goto out; 788 } 789 if (sshkey_read(key, &cp) != 0) { 790 /* no key? Check for options */ 791 opts = cp; 792 if (sshkey_advance_past_options(&cp) != 0) { 793 error("%s:%lu: invalid options", path, linenum); 794 r = SSH_ERR_INVALID_FORMAT; 795 goto out; 796 } 797 if (cp == NULL || *cp == '\0') { 798 error("%s:%lu: missing key", path, linenum); 799 r = SSH_ERR_INVALID_FORMAT; 800 goto out; 801 } 802 *cp++ = '\0'; 803 skip_space(&cp); 804 if (sshkey_read(key, &cp) != 0) { 805 error("%s:%lu: invalid key", path, linenum); 806 r = SSH_ERR_INVALID_FORMAT; 807 goto out; 808 } 809 } 810 debug3("%s:%lu: options %s", path, linenum, opts == NULL ? "" : opts); 811 if ((sigopts = sshsigopt_parse(opts, path, linenum, &reason)) == NULL) { 812 error("%s:%lu: bad options: %s", path, linenum, reason); 813 r = SSH_ERR_INVALID_FORMAT; 814 goto out; 815 } 816 /* success */ 817 if (principalsp != NULL) { 818 *principalsp = principals; 819 principals = NULL; /* transferred */ 820 } 821 if (sigoptsp != NULL) { 822 *sigoptsp = sigopts; 823 sigopts = NULL; /* transferred */ 824 } 825 if (keyp != NULL) { 826 *keyp = key; 827 key = NULL; /* transferred */ 828 } 829 r = 0; 830 out: 831 free(principals); 832 sshsigopt_free(sigopts); 833 sshkey_free(key); 834 return r; 835 } 836 837 static int 838 cert_filter_principals(const char *path, u_long linenum, 839 char **principalsp, const struct sshkey *cert, uint64_t verify_time) 840 { 841 char *cp, *oprincipals, *principals; 842 const char *reason; 843 struct sshbuf *nprincipals; 844 int r = SSH_ERR_INTERNAL_ERROR, success = 0; 845 u_int i; 846 847 oprincipals = principals = *principalsp; 848 *principalsp = NULL; 849 850 if ((nprincipals = sshbuf_new()) == NULL) { 851 r = SSH_ERR_ALLOC_FAIL; 852 goto out; 853 } 854 855 while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') { 856 /* Check certificate validity */ 857 if ((r = sshkey_cert_check_authority(cert, 0, 1, 0, 858 verify_time, NULL, &reason)) != 0) { 859 debug("%s:%lu: principal \"%s\" not authorized: %s", 860 path, linenum, cp, reason); 861 continue; 862 } 863 /* Return all matching principal names from the cert */ 864 for (i = 0; i < cert->cert->nprincipals; i++) { 865 if (match_pattern(cert->cert->principals[i], cp)) { 866 if ((r = sshbuf_putf(nprincipals, "%s%s", 867 sshbuf_len(nprincipals) != 0 ? "," : "", 868 cert->cert->principals[i])) != 0) { 869 error_f("buffer error"); 870 goto out; 871 } 872 } 873 } 874 } 875 if (sshbuf_len(nprincipals) == 0) { 876 error("%s:%lu: no valid principals found", path, linenum); 877 r = SSH_ERR_KEY_CERT_INVALID; 878 goto out; 879 } 880 if ((principals = sshbuf_dup_string(nprincipals)) == NULL) { 881 error_f("buffer error"); 882 r = SSH_ERR_ALLOC_FAIL; 883 goto out; 884 } 885 /* success */ 886 success = 1; 887 *principalsp = principals; 888 out: 889 sshbuf_free(nprincipals); 890 free(oprincipals); 891 return success ? 0 : r; 892 } 893 894 static int 895 check_allowed_keys_line(const char *path, u_long linenum, char *line, 896 const struct sshkey *sign_key, const char *principal, 897 const char *sig_namespace, uint64_t verify_time, char **principalsp) 898 { 899 struct sshkey *found_key = NULL; 900 char *principals = NULL; 901 int r, success = 0; 902 const char *reason = NULL; 903 struct sshsigopt *sigopts = NULL; 904 char tvalid[64], tverify[64]; 905 906 if (principalsp != NULL) 907 *principalsp = NULL; 908 909 /* Parse the line */ 910 if ((r = parse_principals_key_and_options(path, linenum, line, 911 principal, &principals, &found_key, &sigopts)) != 0) { 912 /* error already logged */ 913 goto done; 914 } 915 916 if (!sigopts->ca && sshkey_equal(found_key, sign_key)) { 917 /* Exact match of key */ 918 debug("%s:%lu: matched key", path, linenum); 919 } else if (sigopts->ca && sshkey_is_cert(sign_key) && 920 sshkey_equal_public(sign_key->cert->signature_key, found_key)) { 921 if (principal) { 922 /* Match certificate CA key with specified principal */ 923 if ((r = sshkey_cert_check_authority(sign_key, 0, 1, 0, 924 verify_time, principal, &reason)) != 0) { 925 error("%s:%lu: certificate not authorized: %s", 926 path, linenum, reason); 927 goto done; 928 } 929 debug("%s:%lu: matched certificate CA key", 930 path, linenum); 931 } else { 932 /* No principal specified - find all matching ones */ 933 if ((r = cert_filter_principals(path, linenum, 934 &principals, sign_key, verify_time)) != 0) { 935 /* error already displayed */ 936 debug_r(r, "%s:%lu: cert_filter_principals", 937 path, linenum); 938 goto done; 939 } 940 debug("%s:%lu: matched certificate CA key", 941 path, linenum); 942 } 943 } else { 944 /* Didn't match key */ 945 goto done; 946 } 947 948 /* Check whether options preclude the use of this key */ 949 if (sigopts->namespaces != NULL && sig_namespace != NULL && 950 match_pattern_list(sig_namespace, sigopts->namespaces, 0) != 1) { 951 error("%s:%lu: key is not permitted for use in signature " 952 "namespace \"%s\"", path, linenum, sig_namespace); 953 goto done; 954 } 955 956 /* check key time validity */ 957 format_absolute_time((uint64_t)verify_time, tverify, sizeof(tverify)); 958 if (sigopts->valid_after != 0 && 959 (uint64_t)verify_time < sigopts->valid_after) { 960 format_absolute_time(sigopts->valid_after, 961 tvalid, sizeof(tvalid)); 962 error("%s:%lu: key is not yet valid: " 963 "verify time %s < valid-after %s", path, linenum, 964 tverify, tvalid); 965 goto done; 966 } 967 if (sigopts->valid_before != 0 && 968 (uint64_t)verify_time > sigopts->valid_before) { 969 format_absolute_time(sigopts->valid_before, 970 tvalid, sizeof(tvalid)); 971 error("%s:%lu: key has expired: " 972 "verify time %s > valid-before %s", path, linenum, 973 tverify, tvalid); 974 goto done; 975 } 976 success = 1; 977 978 done: 979 if (success && principalsp != NULL) { 980 *principalsp = principals; 981 principals = NULL; /* transferred */ 982 } 983 free(principals); 984 sshkey_free(found_key); 985 sshsigopt_free(sigopts); 986 return success ? 0 : SSH_ERR_KEY_NOT_FOUND; 987 } 988 989 int 990 sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key, 991 const char *principal, const char *sig_namespace, uint64_t verify_time) 992 { 993 FILE *f = NULL; 994 char *line = NULL; 995 size_t linesize = 0; 996 u_long linenum = 0; 997 int r = SSH_ERR_KEY_NOT_FOUND, oerrno; 998 999 /* Check key and principal against file */ 1000 if ((f = fopen(path, "r")) == NULL) { 1001 oerrno = errno; 1002 error("Unable to open allowed keys file \"%s\": %s", 1003 path, strerror(errno)); 1004 errno = oerrno; 1005 return SSH_ERR_SYSTEM_ERROR; 1006 } 1007 1008 while (getline(&line, &linesize, f) != -1) { 1009 linenum++; 1010 r = check_allowed_keys_line(path, linenum, line, sign_key, 1011 principal, sig_namespace, verify_time, NULL); 1012 free(line); 1013 line = NULL; 1014 linesize = 0; 1015 if (r == SSH_ERR_KEY_NOT_FOUND) 1016 continue; 1017 else if (r == 0) { 1018 /* success */ 1019 fclose(f); 1020 return 0; 1021 } else 1022 break; 1023 } 1024 /* Either we hit an error parsing or we simply didn't find the key */ 1025 fclose(f); 1026 free(line); 1027 return r; 1028 } 1029 1030 int 1031 sshsig_find_principals(const char *path, const struct sshkey *sign_key, 1032 uint64_t verify_time, char **principals) 1033 { 1034 FILE *f = NULL; 1035 char *line = NULL; 1036 size_t linesize = 0; 1037 u_long linenum = 0; 1038 int r = SSH_ERR_KEY_NOT_FOUND, oerrno; 1039 1040 if ((f = fopen(path, "r")) == NULL) { 1041 oerrno = errno; 1042 error("Unable to open allowed keys file \"%s\": %s", 1043 path, strerror(errno)); 1044 errno = oerrno; 1045 return SSH_ERR_SYSTEM_ERROR; 1046 } 1047 1048 while (getline(&line, &linesize, f) != -1) { 1049 linenum++; 1050 r = check_allowed_keys_line(path, linenum, line, 1051 sign_key, NULL, NULL, verify_time, principals); 1052 free(line); 1053 line = NULL; 1054 linesize = 0; 1055 if (r == SSH_ERR_KEY_NOT_FOUND) 1056 continue; 1057 else if (r == 0) { 1058 /* success */ 1059 fclose(f); 1060 return 0; 1061 } else 1062 break; 1063 } 1064 free(line); 1065 /* Either we hit an error parsing or we simply didn't find the key */ 1066 if (ferror(f) != 0) { 1067 oerrno = errno; 1068 fclose(f); 1069 error("Unable to read allowed keys file \"%s\": %s", 1070 path, strerror(errno)); 1071 errno = oerrno; 1072 return SSH_ERR_SYSTEM_ERROR; 1073 } 1074 fclose(f); 1075 return r; 1076 } 1077 1078 int 1079 sshsig_match_principals(const char *path, const char *principal, 1080 char ***principalsp, size_t *nprincipalsp) 1081 { 1082 FILE *f = NULL; 1083 char *found, *line = NULL, **principals = NULL, **tmp; 1084 size_t i, nprincipals = 0, linesize = 0; 1085 u_long linenum = 0; 1086 int oerrno = 0, r, ret = 0; 1087 1088 if (principalsp != NULL) 1089 *principalsp = NULL; 1090 if (nprincipalsp != NULL) 1091 *nprincipalsp = 0; 1092 1093 /* Check key and principal against file */ 1094 if ((f = fopen(path, "r")) == NULL) { 1095 oerrno = errno; 1096 error("Unable to open allowed keys file \"%s\": %s", 1097 path, strerror(errno)); 1098 errno = oerrno; 1099 return SSH_ERR_SYSTEM_ERROR; 1100 } 1101 1102 while (getline(&line, &linesize, f) != -1) { 1103 linenum++; 1104 /* Parse the line */ 1105 if ((r = parse_principals_key_and_options(path, linenum, line, 1106 principal, &found, NULL, NULL)) != 0) { 1107 if (r == SSH_ERR_KEY_NOT_FOUND) 1108 continue; 1109 ret = r; 1110 oerrno = errno; 1111 break; /* unexpected error */ 1112 } 1113 if ((tmp = recallocarray(principals, nprincipals, 1114 nprincipals + 1, sizeof(*principals))) == NULL) { 1115 ret = SSH_ERR_ALLOC_FAIL; 1116 free(found); 1117 break; 1118 } 1119 principals = tmp; 1120 principals[nprincipals++] = found; /* transferred */ 1121 free(line); 1122 line = NULL; 1123 linesize = 0; 1124 } 1125 fclose(f); 1126 1127 if (ret == 0) { 1128 if (nprincipals == 0) 1129 ret = SSH_ERR_KEY_NOT_FOUND; 1130 if (nprincipalsp != 0) 1131 *nprincipalsp = nprincipals; 1132 if (principalsp != NULL) { 1133 *principalsp = principals; 1134 principals = NULL; /* transferred */ 1135 nprincipals = 0; 1136 } 1137 } 1138 1139 for (i = 0; i < nprincipals; i++) 1140 free(principals[i]); 1141 free(principals); 1142 1143 errno = oerrno; 1144 return ret; 1145 } 1146 1147 int 1148 sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey) 1149 { 1150 struct sshkey *pk = NULL; 1151 int r = SSH_ERR_SIGNATURE_INVALID; 1152 1153 if (pubkey == NULL) 1154 return SSH_ERR_INTERNAL_ERROR; 1155 if ((r = sshsig_parse_preamble(signature)) != 0) 1156 return r; 1157 if ((r = sshkey_froms(signature, &pk)) != 0) 1158 return r; 1159 1160 *pubkey = pk; 1161 pk = NULL; 1162 return 0; 1163 } 1164