jcs.org / openbsd-src
jcs's openbsd hax
openbsd
fork atom
openbsd-src / usr.bin / ssh / sshkey.c
at jcs 3620 lines 90 kB view raw
dtucker Typo fixes, mostly in comments. From THE-Spellchecker via github PR#620.
911f653d
1/* $OpenBSD: sshkey.c,v 1.161 2026/02/06 22:59:18 dtucker Exp $ */ 2/* 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28#include <sys/types.h> 29#include <sys/mman.h> 30#include <netinet/in.h> 31 32#ifdef WITH_OPENSSL 33#include <openssl/bn.h> 34#include <openssl/evp.h> 35#include <openssl/err.h> 36#include <openssl/pem.h> 37#endif 38 39#include "crypto_api.h" 40 41#include <errno.h> 42#include <limits.h> 43#include <stdio.h> 44#include <stdlib.h> 45#include <string.h> 46#include <resolv.h> 47#include <time.h> 48#include <util.h> 49 50#include "ssh2.h" 51#include "ssherr.h" 52#include "misc.h" 53#include "sshbuf.h" 54#include "cipher.h" 55#include "digest.h" 56#define SSHKEY_INTERNAL 57#include "sshkey.h" 58#include "match.h" 59#include "ssh-sk.h" 60#include "ssh-pkcs11.h" 61 62 63/* openssh private key file format */ 64#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" 65#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" 66#define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) 67#define MARK_END_LEN (sizeof(MARK_END) - 1) 68#define KDFNAME "bcrypt" 69#define AUTH_MAGIC "openssh-key-v1" 70#define SALT_LEN 16 71#define DEFAULT_CIPHERNAME "aes256-ctr" 72#define DEFAULT_ROUNDS 24 73 74/* 75 * Constants relating to "shielding" support; protection of keys expected 76 * to remain in memory for long durations 77 */ 78#define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) 79#define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ 80#define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 81 82static int sshkey_from_blob_internal(struct sshbuf *buf, 83 struct sshkey **keyp, int allow_cert); 84 85/* Supported key types */ 86extern const struct sshkey_impl sshkey_ed25519_impl; 87extern const struct sshkey_impl sshkey_ed25519_cert_impl; 88extern const struct sshkey_impl sshkey_ed25519_sk_impl; 89extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl; 90#ifdef WITH_OPENSSL 91extern const struct sshkey_impl sshkey_ecdsa_sk_impl; 92extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl; 93extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl; 94extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_cert_impl; 95extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl; 96extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl; 97extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl; 98extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl; 99extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl; 100extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl; 101extern const struct sshkey_impl sshkey_rsa_impl; 102extern const struct sshkey_impl sshkey_rsa_cert_impl; 103extern const struct sshkey_impl sshkey_rsa_sha256_impl; 104extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl; 105extern const struct sshkey_impl sshkey_rsa_sha512_impl; 106extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl; 107#endif /* WITH_OPENSSL */ 108 109const struct sshkey_impl * const keyimpls[] = { 110 &sshkey_ed25519_impl, 111 &sshkey_ed25519_cert_impl, 112 &sshkey_ed25519_sk_impl, 113 &sshkey_ed25519_sk_cert_impl, 114#ifdef WITH_OPENSSL 115 &sshkey_ecdsa_nistp256_impl, 116 &sshkey_ecdsa_nistp256_cert_impl, 117 &sshkey_ecdsa_nistp384_impl, 118 &sshkey_ecdsa_nistp384_cert_impl, 119 &sshkey_ecdsa_nistp521_impl, 120 &sshkey_ecdsa_nistp521_cert_impl, 121 &sshkey_ecdsa_sk_impl, 122 &sshkey_ecdsa_sk_cert_impl, 123 &sshkey_ecdsa_sk_webauthn_impl, 124 &sshkey_ecdsa_sk_webauthn_cert_impl, 125 &sshkey_rsa_impl, 126 &sshkey_rsa_cert_impl, 127 &sshkey_rsa_sha256_impl, 128 &sshkey_rsa_sha256_cert_impl, 129 &sshkey_rsa_sha512_impl, 130 &sshkey_rsa_sha512_cert_impl, 131#endif /* WITH_OPENSSL */ 132 NULL 133}; 134 135static const struct sshkey_impl * 136sshkey_impl_from_type(int type) 137{ 138 int i; 139 140 for (i = 0; keyimpls[i] != NULL; i++) { 141 if (keyimpls[i]->type == type) 142 return keyimpls[i]; 143 } 144 return NULL; 145} 146 147static const struct sshkey_impl * 148sshkey_impl_from_type_nid(int type, int nid) 149{ 150 int i; 151 152 for (i = 0; keyimpls[i] != NULL; i++) { 153 if (keyimpls[i]->type == type && 154 (keyimpls[i]->nid == 0 || keyimpls[i]->nid == nid)) 155 return keyimpls[i]; 156 } 157 return NULL; 158} 159 160static const struct sshkey_impl * 161sshkey_impl_from_key(const struct sshkey *k) 162{ 163 if (k == NULL) 164 return NULL; 165 return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid); 166} 167 168const char * 169sshkey_type(const struct sshkey *k) 170{ 171 const struct sshkey_impl *impl; 172 173 if ((impl = sshkey_impl_from_key(k)) == NULL) 174 return "unknown"; 175 return impl->shortname; 176} 177 178static const char * 179sshkey_ssh_name_from_type_nid(int type, int nid) 180{ 181 const struct sshkey_impl *impl; 182 183 if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL) 184 return "ssh-unknown"; 185 return impl->name; 186} 187 188int 189sshkey_type_is_cert(int type) 190{ 191 const struct sshkey_impl *impl; 192 193 if ((impl = sshkey_impl_from_type(type)) == NULL) 194 return 0; 195 return impl->cert; 196} 197 198const char * 199sshkey_ssh_name(const struct sshkey *k) 200{ 201 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 202} 203 204const char * 205sshkey_ssh_name_plain(const struct sshkey *k) 206{ 207 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), 208 k->ecdsa_nid); 209} 210 211static int 212type_from_name(const char *name, int allow_short) 213{ 214 int i; 215 const struct sshkey_impl *impl; 216 217 for (i = 0; keyimpls[i] != NULL; i++) { 218 impl = keyimpls[i]; 219 if (impl->name != NULL && strcmp(name, impl->name) == 0) 220 return impl->type; 221 /* Only allow shortname matches for plain key types */ 222 if (allow_short && !impl->cert && impl->shortname != NULL && 223 strcasecmp(impl->shortname, name) == 0) 224 return impl->type; 225 } 226 return KEY_UNSPEC; 227} 228 229int 230sshkey_type_from_name(const char *name) 231{ 232 return type_from_name(name, 0); 233} 234 235int 236sshkey_type_from_shortname(const char *name) 237{ 238 return type_from_name(name, 1); 239} 240 241static int 242key_type_is_ecdsa_variant(int type) 243{ 244 switch (type) { 245 case KEY_ECDSA: 246 case KEY_ECDSA_CERT: 247 case KEY_ECDSA_SK: 248 case KEY_ECDSA_SK_CERT: 249 return 1; 250 } 251 return 0; 252} 253 254int 255sshkey_ecdsa_nid_from_name(const char *name) 256{ 257 int i; 258 259 for (i = 0; keyimpls[i] != NULL; i++) { 260 if (!key_type_is_ecdsa_variant(keyimpls[i]->type)) 261 continue; 262 if (keyimpls[i]->name != NULL && 263 strcmp(name, keyimpls[i]->name) == 0) 264 return keyimpls[i]->nid; 265 } 266 return -1; 267} 268 269int 270sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) 271{ 272 int ktype; 273 274 if (sigalgs == NULL || *sigalgs == '\0' || 275 (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) 276 return 0; 277 else if (ktype == KEY_RSA) { 278 return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || 279 match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || 280 match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; 281 } else if (ktype == KEY_RSA_CERT) { 282 return match_pattern_list("ssh-rsa-cert-v01@openssh.com", 283 sigalgs, 0) == 1 || 284 match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", 285 sigalgs, 0) == 1 || 286 match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", 287 sigalgs, 0) == 1; 288 } else if (ktype == KEY_ECDSA_SK) { 289 return match_pattern_list("sk-ecdsa-sha2-nistp256@openssh.com", 290 sigalgs, 0) == 1 || match_pattern_list( 291 "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", 292 sigalgs, 0) == 1; 293 } else if (ktype == KEY_ECDSA_SK_CERT) { 294 return match_pattern_list( 295 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", 296 sigalgs, 0) == 1 || match_pattern_list( 297 "webauthn-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", 298 sigalgs, 0) == 1; 299 } else 300 return match_pattern_list(keyname, sigalgs, 0) == 1; 301} 302 303char * 304sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) 305{ 306 char *ret = NULL; 307 size_t i; 308 const struct sshkey_impl *impl; 309 char sep_str[2] = {sep, '\0'}; 310 311 for (i = 0; keyimpls[i] != NULL; i++) { 312 impl = keyimpls[i]; 313 if (impl->name == NULL) 314 continue; 315 if (!include_sigonly && impl->sigonly) 316 continue; 317 if ((certs_only && !impl->cert) || (plain_only && impl->cert)) 318 continue; 319 xextendf(&ret, sep_str, "%s", impl->name); 320 } 321 return ret; 322} 323 324int 325sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only) 326{ 327 char *s, *cp, *p; 328 const struct sshkey_impl *impl; 329 int i, type; 330 331 if (names == NULL || strcmp(names, "") == 0) 332 return 0; 333 if ((s = cp = strdup(names)) == NULL) 334 return 0; 335 for ((p = strsep(&cp, ",")); p && *p != '\0'; 336 (p = strsep(&cp, ","))) { 337 type = sshkey_type_from_name(p); 338 if (type == KEY_UNSPEC) { 339 if (allow_wildcard) { 340 /* 341 * Try matching key types against the string. 342 * If any has a positive or negative match then 343 * the component is accepted. 344 */ 345 impl = NULL; 346 for (i = 0; keyimpls[i] != NULL; i++) { 347 if (match_pattern_list( 348 keyimpls[i]->name, p, 0) != 0) { 349 impl = keyimpls[i]; 350 break; 351 } 352 } 353 if (impl != NULL) 354 continue; 355 } 356 free(s); 357 return 0; 358 } else if (plain_only && sshkey_type_is_cert(type)) { 359 free(s); 360 return 0; 361 } 362 } 363 free(s); 364 return 1; 365} 366 367u_int 368sshkey_size(const struct sshkey *k) 369{ 370 const struct sshkey_impl *impl; 371 372 if ((impl = sshkey_impl_from_key(k)) == NULL) 373 return 0; 374 if (impl->funcs->size != NULL) 375 return impl->funcs->size(k); 376 return impl->keybits; 377} 378 379static int 380sshkey_type_is_valid_ca(int type) 381{ 382 const struct sshkey_impl *impl; 383 384 if ((impl = sshkey_impl_from_type(type)) == NULL) 385 return 0; 386 /* All non-certificate types may act as CAs */ 387 return !impl->cert; 388} 389 390int 391sshkey_is_cert(const struct sshkey *k) 392{ 393 if (k == NULL) 394 return 0; 395 return sshkey_type_is_cert(k->type); 396} 397 398int 399sshkey_is_sk(const struct sshkey *k) 400{ 401 if (k == NULL) 402 return 0; 403 switch (sshkey_type_plain(k->type)) { 404 case KEY_ECDSA_SK: 405 case KEY_ED25519_SK: 406 return 1; 407 default: 408 return 0; 409 } 410} 411 412/* Return the cert-less equivalent to a certified key type */ 413int 414sshkey_type_plain(int type) 415{ 416 switch (type) { 417 case KEY_RSA_CERT: 418 return KEY_RSA; 419 case KEY_ECDSA_CERT: 420 return KEY_ECDSA; 421 case KEY_ECDSA_SK_CERT: 422 return KEY_ECDSA_SK; 423 case KEY_ED25519_CERT: 424 return KEY_ED25519; 425 case KEY_ED25519_SK_CERT: 426 return KEY_ED25519_SK; 427 default: 428 return type; 429 } 430} 431 432/* Return the cert equivalent to a plain key type */ 433static int 434sshkey_type_certified(int type) 435{ 436 switch (type) { 437 case KEY_RSA: 438 return KEY_RSA_CERT; 439 case KEY_ECDSA: 440 return KEY_ECDSA_CERT; 441 case KEY_ECDSA_SK: 442 return KEY_ECDSA_SK_CERT; 443 case KEY_ED25519: 444 return KEY_ED25519_CERT; 445 case KEY_ED25519_SK: 446 return KEY_ED25519_SK_CERT; 447 default: 448 return -1; 449 } 450} 451 452#ifdef WITH_OPENSSL 453static const EVP_MD * 454ssh_digest_to_md(int hash_alg) 455{ 456 switch (hash_alg) { 457 case SSH_DIGEST_SHA1: 458 return EVP_sha1(); 459 case SSH_DIGEST_SHA256: 460 return EVP_sha256(); 461 case SSH_DIGEST_SHA384: 462 return EVP_sha384(); 463 case SSH_DIGEST_SHA512: 464 return EVP_sha512(); 465 } 466 return NULL; 467} 468 469int 470sshkey_pkey_digest_sign(EVP_PKEY *pkey, int hash_alg, u_char **sigp, 471 size_t *lenp, const u_char *data, size_t datalen) 472{ 473 EVP_MD_CTX *ctx = NULL; 474 u_char *sig = NULL; 475 int ret; 476 size_t slen; 477 const EVP_MD *evpmd; 478 479 *sigp = NULL; 480 *lenp = 0; 481 482 slen = EVP_PKEY_size(pkey); 483 if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM || 484 (evpmd = ssh_digest_to_md(hash_alg)) == NULL) 485 return SSH_ERR_INVALID_ARGUMENT; 486 487 if ((sig = malloc(slen)) == NULL) 488 return SSH_ERR_ALLOC_FAIL; 489 490 if ((ctx = EVP_MD_CTX_new()) == NULL) { 491 ret = SSH_ERR_ALLOC_FAIL; 492 goto out; 493 } 494 if (EVP_DigestSignInit(ctx, NULL, evpmd, NULL, pkey) != 1 || 495 EVP_DigestSign(ctx, sig, &slen, data, datalen) != 1) { 496 ret = SSH_ERR_LIBCRYPTO_ERROR; 497 goto out; 498 } 499 500 *sigp = sig; 501 *lenp = slen; 502 /* Now owned by the caller */ 503 sig = NULL; 504 ret = 0; 505 506 out: 507 EVP_MD_CTX_free(ctx); 508 free(sig); 509 return ret; 510} 511 512int 513sshkey_pkey_digest_verify(EVP_PKEY *pkey, int hash_alg, const u_char *data, 514 size_t datalen, u_char *sigbuf, size_t siglen) 515{ 516 EVP_MD_CTX *ctx = NULL; 517 int ret = SSH_ERR_INTERNAL_ERROR; 518 const EVP_MD *evpmd; 519 520 if ((evpmd = ssh_digest_to_md(hash_alg)) == NULL) 521 return SSH_ERR_INVALID_ARGUMENT; 522 if ((ctx = EVP_MD_CTX_new()) == NULL) 523 return SSH_ERR_ALLOC_FAIL; 524 if (EVP_DigestVerifyInit(ctx, NULL, evpmd, NULL, pkey) != 1) { 525 ret = SSH_ERR_LIBCRYPTO_ERROR; 526 goto out; 527 } 528 switch (EVP_DigestVerify(ctx, sigbuf, siglen, data, datalen)) { 529 case 1: 530 ret = 0; 531 break; 532 case 0: 533 ret = SSH_ERR_SIGNATURE_INVALID; 534 break; 535 default: 536 ret = SSH_ERR_LIBCRYPTO_ERROR; 537 break; 538 } 539 540 out: 541 EVP_MD_CTX_free(ctx); 542 return ret; 543} 544 545/* XXX: these are really begging for a table-driven approach */ 546int 547sshkey_curve_name_to_nid(const char *name) 548{ 549 if (strcmp(name, "nistp256") == 0) 550 return NID_X9_62_prime256v1; 551 else if (strcmp(name, "nistp384") == 0) 552 return NID_secp384r1; 553 else if (strcmp(name, "nistp521") == 0) 554 return NID_secp521r1; 555 else 556 return -1; 557} 558 559u_int 560sshkey_curve_nid_to_bits(int nid) 561{ 562 switch (nid) { 563 case NID_X9_62_prime256v1: 564 return 256; 565 case NID_secp384r1: 566 return 384; 567 case NID_secp521r1: 568 return 521; 569 default: 570 return 0; 571 } 572} 573 574int 575sshkey_ecdsa_bits_to_nid(int bits) 576{ 577 switch (bits) { 578 case 256: 579 return NID_X9_62_prime256v1; 580 case 384: 581 return NID_secp384r1; 582 case 521: 583 return NID_secp521r1; 584 default: 585 return -1; 586 } 587} 588 589const char * 590sshkey_curve_nid_to_name(int nid) 591{ 592 switch (nid) { 593 case NID_X9_62_prime256v1: 594 return "nistp256"; 595 case NID_secp384r1: 596 return "nistp384"; 597 case NID_secp521r1: 598 return "nistp521"; 599 default: 600 return NULL; 601 } 602} 603 604int 605sshkey_ec_nid_to_hash_alg(int nid) 606{ 607 int kbits = sshkey_curve_nid_to_bits(nid); 608 609 if (kbits <= 0) 610 return -1; 611 612 /* RFC5656 section 6.2.1 */ 613 if (kbits <= 256) 614 return SSH_DIGEST_SHA256; 615 else if (kbits <= 384) 616 return SSH_DIGEST_SHA384; 617 else 618 return SSH_DIGEST_SHA512; 619} 620#endif /* WITH_OPENSSL */ 621 622static void 623cert_free(struct sshkey_cert *cert) 624{ 625 u_int i; 626 627 if (cert == NULL) 628 return; 629 sshbuf_free(cert->certblob); 630 sshbuf_free(cert->critical); 631 sshbuf_free(cert->extensions); 632 free(cert->key_id); 633 for (i = 0; i < cert->nprincipals; i++) 634 free(cert->principals[i]); 635 free(cert->principals); 636 sshkey_free(cert->signature_key); 637 free(cert->signature_type); 638 freezero(cert, sizeof(*cert)); 639} 640 641static struct sshkey_cert * 642cert_new(void) 643{ 644 struct sshkey_cert *cert; 645 646 if ((cert = calloc(1, sizeof(*cert))) == NULL) 647 return NULL; 648 if ((cert->certblob = sshbuf_new()) == NULL || 649 (cert->critical = sshbuf_new()) == NULL || 650 (cert->extensions = sshbuf_new()) == NULL) { 651 cert_free(cert); 652 return NULL; 653 } 654 cert->key_id = NULL; 655 cert->principals = NULL; 656 cert->signature_key = NULL; 657 cert->signature_type = NULL; 658 return cert; 659} 660 661struct sshkey * 662sshkey_new(int type) 663{ 664 struct sshkey *k; 665 const struct sshkey_impl *impl = NULL; 666 667 if (type != KEY_UNSPEC && 668 (impl = sshkey_impl_from_type(type)) == NULL) 669 return NULL; 670 671 /* All non-certificate types may act as CAs */ 672 if ((k = calloc(1, sizeof(*k))) == NULL) 673 return NULL; 674 k->type = type; 675 k->ecdsa_nid = -1; 676 if (impl != NULL && impl->funcs->alloc != NULL) { 677 if (impl->funcs->alloc(k) != 0) { 678 free(k); 679 return NULL; 680 } 681 } 682 if (sshkey_is_cert(k)) { 683 if ((k->cert = cert_new()) == NULL) { 684 sshkey_free(k); 685 return NULL; 686 } 687 } 688 689 return k; 690} 691 692/* Frees common FIDO fields */ 693void 694sshkey_sk_cleanup(struct sshkey *k) 695{ 696 free(k->sk_application); 697 sshbuf_free(k->sk_key_handle); 698 sshbuf_free(k->sk_reserved); 699 k->sk_application = NULL; 700 k->sk_key_handle = k->sk_reserved = NULL; 701} 702 703static int 704sshkey_prekey_alloc(u_char **prekeyp, size_t len) 705{ 706 u_char *prekey; 707 708 *prekeyp = NULL; 709 if ((prekey = mmap(NULL, len, PROT_READ|PROT_WRITE, 710 MAP_ANON|MAP_PRIVATE|MAP_CONCEAL, -1, 0)) == MAP_FAILED) 711 return SSH_ERR_SYSTEM_ERROR; 712 *prekeyp = prekey; 713 return 0; 714} 715 716static void 717sshkey_prekey_free(void *prekey, size_t len) 718{ 719 if (prekey == NULL) 720 return; 721 munmap(prekey, len); 722} 723 724static void 725sshkey_free_contents(struct sshkey *k) 726{ 727 const struct sshkey_impl *impl; 728 729 if (k == NULL) 730 return; 731 if ((k->flags & SSHKEY_FLAG_EXT) != 0) 732 pkcs11_key_free(k); 733 if ((impl = sshkey_impl_from_type(k->type)) != NULL && 734 impl->funcs->cleanup != NULL) 735 impl->funcs->cleanup(k); 736 if (sshkey_is_cert(k)) 737 cert_free(k->cert); 738 freezero(k->shielded_private, k->shielded_len); 739 sshkey_prekey_free(k->shield_prekey, k->shield_prekey_len); 740} 741 742void 743sshkey_free(struct sshkey *k) 744{ 745 sshkey_free_contents(k); 746 freezero(k, sizeof(*k)); 747} 748 749static int 750cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) 751{ 752 if (a == NULL && b == NULL) 753 return 1; 754 if (a == NULL || b == NULL) 755 return 0; 756 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) 757 return 0; 758 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), 759 sshbuf_len(a->certblob)) != 0) 760 return 0; 761 return 1; 762} 763 764/* Compares FIDO-specific pubkey fields only */ 765int 766sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b) 767{ 768 if (a->sk_application == NULL || b->sk_application == NULL) 769 return 0; 770 if (strcmp(a->sk_application, b->sk_application) != 0) 771 return 0; 772 return 1; 773} 774 775/* 776 * Compare public portions of key only, allowing comparisons between 777 * certificates and plain keys too. 778 */ 779int 780sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) 781{ 782 const struct sshkey_impl *impl; 783 784 if (a == NULL || b == NULL || 785 sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) 786 return 0; 787 if ((impl = sshkey_impl_from_type(a->type)) == NULL) 788 return 0; 789 return impl->funcs->equal(a, b); 790} 791 792int 793sshkey_equal(const struct sshkey *a, const struct sshkey *b) 794{ 795 if (a == NULL || b == NULL || a->type != b->type) 796 return 0; 797 if (sshkey_is_cert(a)) { 798 if (!cert_compare(a->cert, b->cert)) 799 return 0; 800 } 801 return sshkey_equal_public(a, b); 802} 803 804 805/* Serialise common FIDO key parts */ 806int 807sshkey_serialize_sk(const struct sshkey *key, struct sshbuf *b) 808{ 809 int r; 810 811 if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0) 812 return r; 813 814 return 0; 815} 816 817static int 818to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, 819 enum sshkey_serialize_rep opts) 820{ 821 int type, ret = SSH_ERR_INTERNAL_ERROR; 822 const char *typename; 823 const struct sshkey_impl *impl; 824 825 if (key == NULL) 826 return SSH_ERR_INVALID_ARGUMENT; 827 828 type = force_plain ? sshkey_type_plain(key->type) : key->type; 829 830 if (sshkey_type_is_cert(type)) { 831 if (key->cert == NULL) 832 return SSH_ERR_EXPECTED_CERT; 833 if (sshbuf_len(key->cert->certblob) == 0) 834 return SSH_ERR_KEY_LACKS_CERTBLOB; 835 /* Use the existing blob */ 836 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) 837 return ret; 838 return 0; 839 } 840 if ((impl = sshkey_impl_from_type(type)) == NULL) 841 return SSH_ERR_KEY_TYPE_UNKNOWN; 842 843 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); 844 if ((ret = sshbuf_put_cstring(b, typename)) != 0) 845 return ret; 846 return impl->funcs->serialize_public(key, b, opts); 847} 848 849int 850sshkey_putb(const struct sshkey *key, struct sshbuf *b) 851{ 852 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); 853} 854 855static int 856sshkey_puts_opts_internal(const struct sshkey *key, struct sshbuf *b, 857 enum sshkey_serialize_rep opts, int force_plain) 858{ 859 struct sshbuf *tmp; 860 int r; 861 862 if ((tmp = sshbuf_new()) == NULL) 863 return SSH_ERR_ALLOC_FAIL; 864 r = to_blob_buf(key, tmp, force_plain, opts); 865 if (r == 0) 866 r = sshbuf_put_stringb(b, tmp); 867 sshbuf_free(tmp); 868 return r; 869} 870 871int 872sshkey_puts(const struct sshkey *key, struct sshbuf *b) 873{ 874 return sshkey_puts_opts_internal(key, b, SSHKEY_SERIALIZE_DEFAULT, 0); 875} 876 877int 878sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) 879{ 880 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); 881} 882 883int 884sshkey_puts_plain(const struct sshkey *key, struct sshbuf *b) 885{ 886 return sshkey_puts_opts_internal(key, b, SSHKEY_SERIALIZE_DEFAULT, 1); 887} 888 889static int 890to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, 891 enum sshkey_serialize_rep opts) 892{ 893 int ret = SSH_ERR_INTERNAL_ERROR; 894 size_t len; 895 struct sshbuf *b = NULL; 896 897 if (lenp != NULL) 898 *lenp = 0; 899 if (blobp != NULL) 900 *blobp = NULL; 901 if ((b = sshbuf_new()) == NULL) 902 return SSH_ERR_ALLOC_FAIL; 903 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) 904 goto out; 905 len = sshbuf_len(b); 906 if (lenp != NULL) 907 *lenp = len; 908 if (blobp != NULL) { 909 if ((*blobp = malloc(len)) == NULL) { 910 ret = SSH_ERR_ALLOC_FAIL; 911 goto out; 912 } 913 memcpy(*blobp, sshbuf_ptr(b), len); 914 } 915 ret = 0; 916 out: 917 sshbuf_free(b); 918 return ret; 919} 920 921int 922sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 923{ 924 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); 925} 926 927int 928sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) 929{ 930 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); 931} 932 933int 934sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, 935 u_char **retp, size_t *lenp) 936{ 937 u_char *blob = NULL, *ret = NULL; 938 size_t blob_len = 0; 939 int r = SSH_ERR_INTERNAL_ERROR; 940 941 if (retp != NULL) 942 *retp = NULL; 943 if (lenp != NULL) 944 *lenp = 0; 945 if (ssh_digest_bytes(dgst_alg) == 0) { 946 r = SSH_ERR_INVALID_ARGUMENT; 947 goto out; 948 } 949 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) 950 != 0) 951 goto out; 952 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 953 r = SSH_ERR_ALLOC_FAIL; 954 goto out; 955 } 956 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, 957 ret, SSH_DIGEST_MAX_LENGTH)) != 0) 958 goto out; 959 /* success */ 960 if (retp != NULL) { 961 *retp = ret; 962 ret = NULL; 963 } 964 if (lenp != NULL) 965 *lenp = ssh_digest_bytes(dgst_alg); 966 r = 0; 967 out: 968 free(ret); 969 if (blob != NULL) 970 freezero(blob, blob_len); 971 return r; 972} 973 974static char * 975fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 976{ 977 char *ret; 978 size_t plen = strlen(alg) + 1; 979 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; 980 981 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) 982 return NULL; 983 strlcpy(ret, alg, rlen); 984 strlcat(ret, ":", rlen); 985 if (dgst_raw_len == 0) 986 return ret; 987 if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { 988 freezero(ret, rlen); 989 return NULL; 990 } 991 /* Trim padding characters from end */ 992 ret[strcspn(ret, "=")] = '\0'; 993 return ret; 994} 995 996static char * 997fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) 998{ 999 char *retval, hex[5]; 1000 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; 1001 1002 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) 1003 return NULL; 1004 strlcpy(retval, alg, rlen); 1005 strlcat(retval, ":", rlen); 1006 for (i = 0; i < dgst_raw_len; i++) { 1007 snprintf(hex, sizeof(hex), "%s%02x", 1008 i > 0 ? ":" : "", dgst_raw[i]); 1009 strlcat(retval, hex, rlen); 1010 } 1011 return retval; 1012} 1013 1014static char * 1015fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) 1016{ 1017 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 1018 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 1019 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 1020 u_int i, j = 0, rounds, seed = 1; 1021 char *retval; 1022 1023 rounds = (dgst_raw_len / 2) + 1; 1024 if ((retval = calloc(rounds, 6)) == NULL) 1025 return NULL; 1026 retval[j++] = 'x'; 1027 for (i = 0; i < rounds; i++) { 1028 u_int idx0, idx1, idx2, idx3, idx4; 1029 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 1030 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 1031 seed) % 6; 1032 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 1033 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 1034 (seed / 6)) % 6; 1035 retval[j++] = vowels[idx0]; 1036 retval[j++] = consonants[idx1]; 1037 retval[j++] = vowels[idx2]; 1038 if ((i + 1) < rounds) { 1039 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 1040 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 1041 retval[j++] = consonants[idx3]; 1042 retval[j++] = '-'; 1043 retval[j++] = consonants[idx4]; 1044 seed = ((seed * 5) + 1045 ((((u_int)(dgst_raw[2 * i])) * 7) + 1046 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 1047 } 1048 } else { 1049 idx0 = seed % 6; 1050 idx1 = 16; 1051 idx2 = seed / 6; 1052 retval[j++] = vowels[idx0]; 1053 retval[j++] = consonants[idx1]; 1054 retval[j++] = vowels[idx2]; 1055 } 1056 } 1057 retval[j++] = 'x'; 1058 retval[j++] = '\0'; 1059 return retval; 1060} 1061 1062/* 1063 * Draw an ASCII-Art representing the fingerprint so human brain can 1064 * profit from its built-in pattern recognition ability. 1065 * This technique is called "random art" and can be found in some 1066 * scientific publications like this original paper: 1067 * 1068 * "Hash Visualization: a New Technique to improve Real-World Security", 1069 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 1070 * Techniques and E-Commerce (CrypTEC '99) 1071 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 1072 * 1073 * The subject came up in a talk by Dan Kaminsky, too. 1074 * 1075 * If you see the picture is different, the key is different. 1076 * If the picture looks the same, you still know nothing. 1077 * 1078 * The algorithm used here is a worm crawling over a discrete plane, 1079 * leaving a trace (augmenting the field) everywhere it goes. 1080 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 1081 * makes the respective movement vector be ignored for this turn. 1082 * Graphs are not unambiguous, because circles in graphs can be 1083 * walked in either direction. 1084 */ 1085 1086/* 1087 * Field sizes for the random art. Have to be odd, so the starting point 1088 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 1089 * Else pictures would be too dense, and drawing the frame would 1090 * fail, too, because the key type would not fit in anymore. 1091 */ 1092#define FLDBASE 8 1093#define FLDSIZE_Y (FLDBASE + 1) 1094#define FLDSIZE_X (FLDBASE * 2 + 1) 1095static char * 1096fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, 1097 const struct sshkey *k) 1098{ 1099 /* 1100 * Chars to be used after each other every time the worm 1101 * intersects with itself. Matter of taste. 1102 */ 1103 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 1104 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; 1105 u_char field[FLDSIZE_X][FLDSIZE_Y]; 1106 size_t i, tlen, hlen; 1107 u_int b; 1108 int x, y, r; 1109 size_t len = strlen(augmentation_string) - 1; 1110 1111 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) 1112 return NULL; 1113 1114 /* initialize field */ 1115 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 1116 x = FLDSIZE_X / 2; 1117 y = FLDSIZE_Y / 2; 1118 1119 /* process raw key */ 1120 for (i = 0; i < dgst_raw_len; i++) { 1121 int input; 1122 /* each byte conveys four 2-bit move commands */ 1123 input = dgst_raw[i]; 1124 for (b = 0; b < 4; b++) { 1125 /* evaluate 2 bit, rest is shifted later */ 1126 x += (input & 0x1) ? 1 : -1; 1127 y += (input & 0x2) ? 1 : -1; 1128 1129 /* assure we are still in bounds */ 1130 x = MAXIMUM(x, 0); 1131 y = MAXIMUM(y, 0); 1132 x = MINIMUM(x, FLDSIZE_X - 1); 1133 y = MINIMUM(y, FLDSIZE_Y - 1); 1134 1135 /* augment the field */ 1136 if (field[x][y] < len - 2) 1137 field[x][y]++; 1138 input = input >> 2; 1139 } 1140 } 1141 1142 /* mark starting point and end point*/ 1143 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 1144 field[x][y] = len; 1145 1146 /* assemble title */ 1147 r = snprintf(title, sizeof(title), "[%s %u]", 1148 sshkey_type(k), sshkey_size(k)); 1149 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ 1150 if (r < 0 || r > (int)sizeof(title)) 1151 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); 1152 tlen = (r <= 0) ? 0 : strlen(title); 1153 1154 /* assemble hash ID. */ 1155 r = snprintf(hash, sizeof(hash), "[%s]", alg); 1156 hlen = (r <= 0) ? 0 : strlen(hash); 1157 1158 /* output upper border */ 1159 p = retval; 1160 *p++ = '+'; 1161 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) 1162 *p++ = '-'; 1163 memcpy(p, title, tlen); 1164 p += tlen; 1165 for (i += tlen; i < FLDSIZE_X; i++) 1166 *p++ = '-'; 1167 *p++ = '+'; 1168 *p++ = '\n'; 1169 1170 /* output content */ 1171 for (y = 0; y < FLDSIZE_Y; y++) { 1172 *p++ = '|'; 1173 for (x = 0; x < FLDSIZE_X; x++) 1174 *p++ = augmentation_string[MINIMUM(field[x][y], len)]; 1175 *p++ = '|'; 1176 *p++ = '\n'; 1177 } 1178 1179 /* output lower border */ 1180 *p++ = '+'; 1181 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) 1182 *p++ = '-'; 1183 memcpy(p, hash, hlen); 1184 p += hlen; 1185 for (i += hlen; i < FLDSIZE_X; i++) 1186 *p++ = '-'; 1187 *p++ = '+'; 1188 1189 return retval; 1190} 1191 1192char * 1193sshkey_fingerprint(const struct sshkey *k, int dgst_alg, 1194 enum sshkey_fp_rep dgst_rep) 1195{ 1196 char *retval = NULL; 1197 u_char *dgst_raw; 1198 size_t dgst_raw_len; 1199 1200 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) 1201 return NULL; 1202 switch (dgst_rep) { 1203 case SSH_FP_DEFAULT: 1204 if (dgst_alg == SSH_DIGEST_MD5) { 1205 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1206 dgst_raw, dgst_raw_len); 1207 } else { 1208 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1209 dgst_raw, dgst_raw_len); 1210 } 1211 break; 1212 case SSH_FP_HEX: 1213 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), 1214 dgst_raw, dgst_raw_len); 1215 break; 1216 case SSH_FP_BASE64: 1217 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), 1218 dgst_raw, dgst_raw_len); 1219 break; 1220 case SSH_FP_BUBBLEBABBLE: 1221 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 1222 break; 1223 case SSH_FP_RANDOMART: 1224 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), 1225 dgst_raw, dgst_raw_len, k); 1226 break; 1227 default: 1228 freezero(dgst_raw, dgst_raw_len); 1229 return NULL; 1230 } 1231 freezero(dgst_raw, dgst_raw_len); 1232 return retval; 1233} 1234 1235static int 1236peek_type_nid(const char *s, size_t l, int *nid) 1237{ 1238 const struct sshkey_impl *impl; 1239 int i; 1240 1241 for (i = 0; keyimpls[i] != NULL; i++) { 1242 impl = keyimpls[i]; 1243 if (impl->name == NULL || strlen(impl->name) != l) 1244 continue; 1245 if (memcmp(s, impl->name, l) == 0) { 1246 *nid = -1; 1247 if (key_type_is_ecdsa_variant(impl->type)) 1248 *nid = impl->nid; 1249 return impl->type; 1250 } 1251 } 1252 return KEY_UNSPEC; 1253} 1254 1255/* XXX this can now be made const char * */ 1256int 1257sshkey_read(struct sshkey *ret, char **cpp) 1258{ 1259 struct sshkey *k; 1260 char *cp, *blobcopy; 1261 size_t space; 1262 int r, type, curve_nid = -1; 1263 struct sshbuf *blob; 1264 1265 if (ret == NULL) 1266 return SSH_ERR_INVALID_ARGUMENT; 1267 if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL) 1268 return SSH_ERR_INVALID_ARGUMENT; 1269 1270 /* Decode type */ 1271 cp = *cpp; 1272 space = strcspn(cp, " \t"); 1273 if (space == strlen(cp)) 1274 return SSH_ERR_INVALID_FORMAT; 1275 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) 1276 return SSH_ERR_INVALID_FORMAT; 1277 1278 /* skip whitespace */ 1279 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1280 ; 1281 if (*cp == '\0') 1282 return SSH_ERR_INVALID_FORMAT; 1283 if (ret->type != KEY_UNSPEC && ret->type != type) 1284 return SSH_ERR_KEY_TYPE_MISMATCH; 1285 if ((blob = sshbuf_new()) == NULL) 1286 return SSH_ERR_ALLOC_FAIL; 1287 1288 /* find end of keyblob and decode */ 1289 space = strcspn(cp, " \t"); 1290 if ((blobcopy = strndup(cp, space)) == NULL) { 1291 sshbuf_free(blob); 1292 return SSH_ERR_ALLOC_FAIL; 1293 } 1294 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { 1295 free(blobcopy); 1296 sshbuf_free(blob); 1297 return r; 1298 } 1299 free(blobcopy); 1300 if ((r = sshkey_fromb(blob, &k)) != 0) { 1301 sshbuf_free(blob); 1302 return r; 1303 } 1304 sshbuf_free(blob); 1305 1306 /* skip whitespace and leave cp at start of comment */ 1307 for (cp += space; *cp == ' ' || *cp == '\t'; cp++) 1308 ; 1309 1310 /* ensure type of blob matches type at start of line */ 1311 if (k->type != type) { 1312 sshkey_free(k); 1313 return SSH_ERR_KEY_TYPE_MISMATCH; 1314 } 1315 if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { 1316 sshkey_free(k); 1317 return SSH_ERR_EC_CURVE_MISMATCH; 1318 } 1319 1320 /* Fill in ret from parsed key */ 1321 sshkey_free_contents(ret); 1322 *ret = *k; 1323 freezero(k, sizeof(*k)); 1324 1325 /* success */ 1326 *cpp = cp; 1327 return 0; 1328} 1329 1330int 1331sshkey_to_base64(const struct sshkey *key, char **b64p) 1332{ 1333 int r = SSH_ERR_INTERNAL_ERROR; 1334 struct sshbuf *b = NULL; 1335 char *uu = NULL; 1336 1337 if (b64p != NULL) 1338 *b64p = NULL; 1339 if ((b = sshbuf_new()) == NULL) 1340 return SSH_ERR_ALLOC_FAIL; 1341 if ((r = sshkey_putb(key, b)) != 0) 1342 goto out; 1343 if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) { 1344 r = SSH_ERR_ALLOC_FAIL; 1345 goto out; 1346 } 1347 /* Success */ 1348 if (b64p != NULL) { 1349 *b64p = uu; 1350 uu = NULL; 1351 } 1352 r = 0; 1353 out: 1354 sshbuf_free(b); 1355 free(uu); 1356 return r; 1357} 1358 1359int 1360sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1361{ 1362 int r = SSH_ERR_INTERNAL_ERROR; 1363 char *uu = NULL; 1364 1365 if ((r = sshkey_to_base64(key, &uu)) != 0) 1366 goto out; 1367 if ((r = sshbuf_putf(b, "%s %s", 1368 sshkey_ssh_name(key), uu)) != 0) 1369 goto out; 1370 r = 0; 1371 out: 1372 free(uu); 1373 return r; 1374} 1375 1376int 1377sshkey_write(const struct sshkey *key, FILE *f) 1378{ 1379 struct sshbuf *b = NULL; 1380 int r = SSH_ERR_INTERNAL_ERROR; 1381 1382 if ((b = sshbuf_new()) == NULL) 1383 return SSH_ERR_ALLOC_FAIL; 1384 if ((r = sshkey_format_text(key, b)) != 0) 1385 goto out; 1386 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { 1387 if (feof(f)) 1388 errno = EPIPE; 1389 r = SSH_ERR_SYSTEM_ERROR; 1390 goto out; 1391 } 1392 /* Success */ 1393 r = 0; 1394 out: 1395 sshbuf_free(b); 1396 return r; 1397} 1398 1399const char * 1400sshkey_cert_type(const struct sshkey *k) 1401{ 1402 switch (k->cert->type) { 1403 case SSH2_CERT_TYPE_USER: 1404 return "user"; 1405 case SSH2_CERT_TYPE_HOST: 1406 return "host"; 1407 default: 1408 return "unknown"; 1409 } 1410} 1411 1412int 1413sshkey_check_rsa_length(const struct sshkey *k, int min_size) 1414{ 1415#ifdef WITH_OPENSSL 1416 int nbits; 1417 1418 if (k == NULL || k->pkey == NULL || 1419 (k->type != KEY_RSA && k->type != KEY_RSA_CERT)) 1420 return 0; 1421 nbits = EVP_PKEY_bits(k->pkey); 1422 if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE || 1423 (min_size > 0 && nbits < min_size)) 1424 return SSH_ERR_KEY_LENGTH; 1425#endif /* WITH_OPENSSL */ 1426 return 0; 1427} 1428 1429#ifdef WITH_OPENSSL 1430int 1431sshkey_ecdsa_key_to_nid(const EC_KEY *k) 1432{ 1433 const EC_GROUP *g; 1434 int nid; 1435 1436 if (k == NULL || (g = EC_KEY_get0_group(k)) == NULL) 1437 return -1; 1438 if ((nid = EC_GROUP_get_curve_name(g)) <= 0) 1439 return -1; 1440 return nid; 1441} 1442 1443int 1444sshkey_ecdsa_pkey_to_nid(EVP_PKEY *pkey) 1445{ 1446 return sshkey_ecdsa_key_to_nid(EVP_PKEY_get0_EC_KEY(pkey)); 1447} 1448#endif /* WITH_OPENSSL */ 1449 1450int 1451sshkey_generate(int type, u_int bits, struct sshkey **keyp) 1452{ 1453 struct sshkey *k; 1454 int ret = SSH_ERR_INTERNAL_ERROR; 1455 const struct sshkey_impl *impl; 1456 1457 if (keyp == NULL || sshkey_type_is_cert(type)) 1458 return SSH_ERR_INVALID_ARGUMENT; 1459 *keyp = NULL; 1460 if ((impl = sshkey_impl_from_type(type)) == NULL) 1461 return SSH_ERR_KEY_TYPE_UNKNOWN; 1462 if (impl->funcs->generate == NULL) 1463 return SSH_ERR_FEATURE_UNSUPPORTED; 1464 if ((k = sshkey_new(KEY_UNSPEC)) == NULL) 1465 return SSH_ERR_ALLOC_FAIL; 1466 k->type = type; 1467 if ((ret = impl->funcs->generate(k, bits)) != 0) { 1468 sshkey_free(k); 1469 return ret; 1470 } 1471 /* success */ 1472 *keyp = k; 1473 return 0; 1474} 1475 1476int 1477sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) 1478{ 1479 u_int i; 1480 const struct sshkey_cert *from; 1481 struct sshkey_cert *to; 1482 int r = SSH_ERR_INTERNAL_ERROR; 1483 1484 if (to_key == NULL || (from = from_key->cert) == NULL) 1485 return SSH_ERR_INVALID_ARGUMENT; 1486 1487 if ((to = cert_new()) == NULL) 1488 return SSH_ERR_ALLOC_FAIL; 1489 1490 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || 1491 (r = sshbuf_putb(to->critical, from->critical)) != 0 || 1492 (r = sshbuf_putb(to->extensions, from->extensions)) != 0) 1493 goto out; 1494 1495 to->serial = from->serial; 1496 to->type = from->type; 1497 if (from->key_id == NULL) 1498 to->key_id = NULL; 1499 else if ((to->key_id = strdup(from->key_id)) == NULL) { 1500 r = SSH_ERR_ALLOC_FAIL; 1501 goto out; 1502 } 1503 to->valid_after = from->valid_after; 1504 to->valid_before = from->valid_before; 1505 if (from->signature_key == NULL) 1506 to->signature_key = NULL; 1507 else if ((r = sshkey_from_private(from->signature_key, 1508 &to->signature_key)) != 0) 1509 goto out; 1510 if (from->signature_type != NULL && 1511 (to->signature_type = strdup(from->signature_type)) == NULL) { 1512 r = SSH_ERR_ALLOC_FAIL; 1513 goto out; 1514 } 1515 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { 1516 r = SSH_ERR_INVALID_ARGUMENT; 1517 goto out; 1518 } 1519 if (from->nprincipals > 0) { 1520 if ((to->principals = calloc(from->nprincipals, 1521 sizeof(*to->principals))) == NULL) { 1522 r = SSH_ERR_ALLOC_FAIL; 1523 goto out; 1524 } 1525 for (i = 0; i < from->nprincipals; i++) { 1526 to->principals[i] = strdup(from->principals[i]); 1527 if (to->principals[i] == NULL) { 1528 to->nprincipals = i; 1529 r = SSH_ERR_ALLOC_FAIL; 1530 goto out; 1531 } 1532 } 1533 } 1534 to->nprincipals = from->nprincipals; 1535 1536 /* success */ 1537 cert_free(to_key->cert); 1538 to_key->cert = to; 1539 to = NULL; 1540 r = 0; 1541 out: 1542 cert_free(to); 1543 return r; 1544} 1545 1546int 1547sshkey_copy_public_sk(const struct sshkey *from, struct sshkey *to) 1548{ 1549 /* Append security-key application string */ 1550 if ((to->sk_application = strdup(from->sk_application)) == NULL) 1551 return SSH_ERR_ALLOC_FAIL; 1552 return 0; 1553} 1554 1555int 1556sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) 1557{ 1558 struct sshkey *n = NULL; 1559 int r = SSH_ERR_INTERNAL_ERROR; 1560 const struct sshkey_impl *impl; 1561 1562 *pkp = NULL; 1563 if ((impl = sshkey_impl_from_key(k)) == NULL) 1564 return SSH_ERR_KEY_TYPE_UNKNOWN; 1565 if ((n = sshkey_new(k->type)) == NULL) { 1566 r = SSH_ERR_ALLOC_FAIL; 1567 goto out; 1568 } 1569 if ((r = impl->funcs->copy_public(k, n)) != 0) 1570 goto out; 1571 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) 1572 goto out; 1573 /* success */ 1574 *pkp = n; 1575 n = NULL; 1576 r = 0; 1577 out: 1578 sshkey_free(n); 1579 return r; 1580} 1581 1582int 1583sshkey_is_shielded(struct sshkey *k) 1584{ 1585 return k != NULL && k->shielded_private != NULL; 1586} 1587 1588int 1589sshkey_shield_private(struct sshkey *k) 1590{ 1591 struct sshbuf *prvbuf = NULL; 1592 u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; 1593 struct sshcipher_ctx *cctx = NULL; 1594 const struct sshcipher *cipher; 1595 size_t i, enclen = 0; 1596 struct sshkey *kswap = NULL, tmp; 1597 int r = SSH_ERR_INTERNAL_ERROR; 1598 1599#ifdef DEBUG_PK 1600 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1601#endif 1602 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1603 r = SSH_ERR_INVALID_ARGUMENT; 1604 goto out; 1605 } 1606 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1607 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1608 r = SSH_ERR_INTERNAL_ERROR; 1609 goto out; 1610 } 1611 1612 /* Prepare a random pre-key, and from it an ephemeral key */ 1613 if ((r = sshkey_prekey_alloc(&prekey, SSHKEY_SHIELD_PREKEY_LEN)) != 0) 1614 goto out; 1615 arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1616 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1617 prekey, SSHKEY_SHIELD_PREKEY_LEN, 1618 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1619 goto out; 1620#ifdef DEBUG_PK 1621 fprintf(stderr, "%s: key+iv\n", __func__); 1622 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1623 stderr); 1624#endif 1625 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1626 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) 1627 goto out; 1628 1629 /* Serialise and encrypt the private key using the ephemeral key */ 1630 if ((prvbuf = sshbuf_new()) == NULL) { 1631 r = SSH_ERR_ALLOC_FAIL; 1632 goto out; 1633 } 1634 if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) 1635 goto out; 1636 if ((r = sshkey_private_serialize(k, prvbuf)) != 0) 1637 goto out; 1638 /* pad to cipher blocksize */ 1639 i = 0; 1640 while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { 1641 if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) 1642 goto out; 1643 } 1644#ifdef DEBUG_PK 1645 fprintf(stderr, "%s: serialised\n", __func__); 1646 sshbuf_dump(prvbuf, stderr); 1647#endif 1648 /* encrypt */ 1649 enclen = sshbuf_len(prvbuf); 1650 if ((enc = malloc(enclen)) == NULL) { 1651 r = SSH_ERR_ALLOC_FAIL; 1652 goto out; 1653 } 1654 if ((r = cipher_crypt(cctx, 0, enc, 1655 sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) 1656 goto out; 1657#ifdef DEBUG_PK 1658 fprintf(stderr, "%s: encrypted\n", __func__); 1659 sshbuf_dump_data(enc, enclen, stderr); 1660#endif 1661 1662 /* Make a scrubbed, public-only copy of our private key argument */ 1663 if ((r = sshkey_from_private(k, &kswap)) != 0) 1664 goto out; 1665 1666 /* Swap the private key out (it will be destroyed below) */ 1667 tmp = *kswap; 1668 *kswap = *k; 1669 *k = tmp; 1670 1671 /* Insert the shielded key into our argument */ 1672 k->shielded_private = enc; 1673 k->shielded_len = enclen; 1674 k->shield_prekey = prekey; 1675 k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; 1676 enc = prekey = NULL; /* transferred */ 1677 enclen = 0; 1678 1679 /* preserve key fields that are required for correct operation */ 1680 k->sk_flags = kswap->sk_flags; 1681 1682 /* success */ 1683 r = 0; 1684 1685 out: 1686 /* XXX behaviour on error - invalidate original private key? */ 1687 cipher_free(cctx); 1688 explicit_bzero(keyiv, sizeof(keyiv)); 1689 explicit_bzero(&tmp, sizeof(tmp)); 1690 freezero(enc, enclen); 1691 sshkey_prekey_free(prekey, SSHKEY_SHIELD_PREKEY_LEN); 1692 sshkey_free(kswap); 1693 sshbuf_free(prvbuf); 1694 return r; 1695} 1696 1697/* Check deterministic padding after private key */ 1698static int 1699private2_check_padding(struct sshbuf *decrypted) 1700{ 1701 u_char pad; 1702 size_t i; 1703 int r; 1704 1705 i = 0; 1706 while (sshbuf_len(decrypted)) { 1707 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) 1708 goto out; 1709 if (pad != (++i & 0xff)) { 1710 r = SSH_ERR_INVALID_FORMAT; 1711 goto out; 1712 } 1713 } 1714 /* success */ 1715 r = 0; 1716 out: 1717 explicit_bzero(&pad, sizeof(pad)); 1718 explicit_bzero(&i, sizeof(i)); 1719 return r; 1720} 1721 1722int 1723sshkey_unshield_private(struct sshkey *k) 1724{ 1725 struct sshbuf *prvbuf = NULL; 1726 u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; 1727 struct sshcipher_ctx *cctx = NULL; 1728 const struct sshcipher *cipher; 1729 struct sshkey *kswap = NULL, tmp; 1730 int r = SSH_ERR_INTERNAL_ERROR; 1731 1732#ifdef DEBUG_PK 1733 fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); 1734#endif 1735 if (!sshkey_is_shielded(k)) 1736 return 0; /* nothing to do */ 1737 1738 if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { 1739 r = SSH_ERR_INVALID_ARGUMENT; 1740 goto out; 1741 } 1742 if (cipher_keylen(cipher) + cipher_ivlen(cipher) > 1743 ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { 1744 r = SSH_ERR_INTERNAL_ERROR; 1745 goto out; 1746 } 1747 /* check size of shielded key blob */ 1748 if (k->shielded_len < cipher_blocksize(cipher) || 1749 (k->shielded_len % cipher_blocksize(cipher)) != 0) { 1750 r = SSH_ERR_INVALID_FORMAT; 1751 goto out; 1752 } 1753 1754 /* Calculate the ephemeral key from the prekey */ 1755 if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, 1756 k->shield_prekey, k->shield_prekey_len, 1757 keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) 1758 goto out; 1759 if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), 1760 keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) 1761 goto out; 1762#ifdef DEBUG_PK 1763 fprintf(stderr, "%s: key+iv\n", __func__); 1764 sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), 1765 stderr); 1766#endif 1767 1768 /* Decrypt and parse the shielded private key using the ephemeral key */ 1769 if ((prvbuf = sshbuf_new()) == NULL) { 1770 r = SSH_ERR_ALLOC_FAIL; 1771 goto out; 1772 } 1773 if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) 1774 goto out; 1775 /* decrypt */ 1776#ifdef DEBUG_PK 1777 fprintf(stderr, "%s: encrypted\n", __func__); 1778 sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); 1779#endif 1780 if ((r = cipher_crypt(cctx, 0, cp, 1781 k->shielded_private, k->shielded_len, 0, 0)) != 0) 1782 goto out; 1783#ifdef DEBUG_PK 1784 fprintf(stderr, "%s: serialised\n", __func__); 1785 sshbuf_dump(prvbuf, stderr); 1786#endif 1787 /* Parse private key */ 1788 if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) 1789 goto out; 1790 1791 if ((r = private2_check_padding(prvbuf)) != 0) 1792 goto out; 1793 1794 /* Swap the parsed key back into place */ 1795 tmp = *kswap; 1796 *kswap = *k; 1797 *k = tmp; 1798 1799 /* success */ 1800 r = 0; 1801 1802 out: 1803 cipher_free(cctx); 1804 explicit_bzero(keyiv, sizeof(keyiv)); 1805 explicit_bzero(&tmp, sizeof(tmp)); 1806 sshkey_free(kswap); 1807 sshbuf_free(prvbuf); 1808 return r; 1809} 1810 1811static int 1812cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) 1813{ 1814 struct sshbuf *principals = NULL, *crit = NULL; 1815 struct sshbuf *exts = NULL, *ca = NULL; 1816 u_char *sig = NULL; 1817 size_t signed_len = 0, slen = 0, kidlen = 0; 1818 int ret = SSH_ERR_INTERNAL_ERROR; 1819 1820 /* Copy the entire key blob for verification and later serialisation */ 1821 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) 1822 return ret; 1823 1824 /* Parse body of certificate up to signature */ 1825 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || 1826 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || 1827 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || 1828 (ret = sshbuf_froms(b, &principals)) != 0 || 1829 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || 1830 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || 1831 (ret = sshbuf_froms(b, &crit)) != 0 || 1832 (ret = sshbuf_froms(b, &exts)) != 0 || 1833 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || 1834 (ret = sshbuf_froms(b, &ca)) != 0) { 1835 /* XXX debug print error for ret */ 1836 ret = SSH_ERR_INVALID_FORMAT; 1837 goto out; 1838 } 1839 1840 /* Signature is left in the buffer so we can calculate this length */ 1841 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); 1842 1843 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { 1844 ret = SSH_ERR_INVALID_FORMAT; 1845 goto out; 1846 } 1847 1848 if (key->cert->type != SSH2_CERT_TYPE_USER && 1849 key->cert->type != SSH2_CERT_TYPE_HOST) { 1850 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; 1851 goto out; 1852 } 1853 1854 /* Parse principals section */ 1855 while (sshbuf_len(principals) > 0) { 1856 char *principal = NULL; 1857 char **oprincipals = NULL; 1858 1859 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { 1860 ret = SSH_ERR_INVALID_FORMAT; 1861 goto out; 1862 } 1863 if ((ret = sshbuf_get_cstring(principals, &principal, 1864 NULL)) != 0) { 1865 ret = SSH_ERR_INVALID_FORMAT; 1866 goto out; 1867 } 1868 oprincipals = key->cert->principals; 1869 key->cert->principals = recallocarray(key->cert->principals, 1870 key->cert->nprincipals, key->cert->nprincipals + 1, 1871 sizeof(*key->cert->principals)); 1872 if (key->cert->principals == NULL) { 1873 free(principal); 1874 key->cert->principals = oprincipals; 1875 ret = SSH_ERR_ALLOC_FAIL; 1876 goto out; 1877 } 1878 key->cert->principals[key->cert->nprincipals++] = principal; 1879 } 1880 1881 /* 1882 * Stash a copies of the critical options and extensions sections 1883 * for later use. 1884 */ 1885 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || 1886 (exts != NULL && 1887 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) 1888 goto out; 1889 1890 /* 1891 * Validate critical options and extensions sections format. 1892 */ 1893 while (sshbuf_len(crit) != 0) { 1894 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || 1895 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { 1896 sshbuf_reset(key->cert->critical); 1897 ret = SSH_ERR_INVALID_FORMAT; 1898 goto out; 1899 } 1900 } 1901 while (exts != NULL && sshbuf_len(exts) != 0) { 1902 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || 1903 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { 1904 sshbuf_reset(key->cert->extensions); 1905 ret = SSH_ERR_INVALID_FORMAT; 1906 goto out; 1907 } 1908 } 1909 1910 /* Parse CA key and check signature */ 1911 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { 1912 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1913 goto out; 1914 } 1915 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { 1916 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1917 goto out; 1918 } 1919 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, 1920 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) 1921 goto out; 1922 if ((ret = sshkey_get_sigtype(sig, slen, 1923 &key->cert->signature_type)) != 0) 1924 goto out; 1925 1926 /* Success */ 1927 ret = 0; 1928 out: 1929 sshbuf_free(ca); 1930 sshbuf_free(crit); 1931 sshbuf_free(exts); 1932 sshbuf_free(principals); 1933 free(sig); 1934 return ret; 1935} 1936 1937int 1938sshkey_deserialize_sk(struct sshbuf *b, struct sshkey *key) 1939{ 1940 /* Parse additional security-key application string */ 1941 if (sshbuf_get_cstring(b, &key->sk_application, NULL) != 0) 1942 return SSH_ERR_INVALID_FORMAT; 1943 return 0; 1944} 1945 1946static int 1947sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, 1948 int allow_cert) 1949{ 1950 int type, ret = SSH_ERR_INTERNAL_ERROR; 1951 char *ktype = NULL; 1952 struct sshkey *key = NULL; 1953 struct sshbuf *copy; 1954 const struct sshkey_impl *impl; 1955 1956#ifdef DEBUG_PK /* XXX */ 1957 sshbuf_dump(b, stderr); 1958#endif 1959 if (keyp != NULL) 1960 *keyp = NULL; 1961 if ((copy = sshbuf_fromb(b)) == NULL) { 1962 ret = SSH_ERR_ALLOC_FAIL; 1963 goto out; 1964 } 1965 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 1966 ret = SSH_ERR_INVALID_FORMAT; 1967 goto out; 1968 } 1969 1970 type = sshkey_type_from_name(ktype); 1971 if (!allow_cert && sshkey_type_is_cert(type)) { 1972 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 1973 goto out; 1974 } 1975 if ((impl = sshkey_impl_from_type(type)) == NULL) { 1976 ret = SSH_ERR_KEY_TYPE_UNKNOWN; 1977 goto out; 1978 } 1979 if ((key = sshkey_new(type)) == NULL) { 1980 ret = SSH_ERR_ALLOC_FAIL; 1981 goto out; 1982 } 1983 if (sshkey_type_is_cert(type)) { 1984 /* Skip nonce that precedes all certificates */ 1985 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { 1986 ret = SSH_ERR_INVALID_FORMAT; 1987 goto out; 1988 } 1989 } 1990 if ((ret = impl->funcs->deserialize_public(ktype, b, key)) != 0) 1991 goto out; 1992 1993 /* Parse certificate potion */ 1994 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) 1995 goto out; 1996 1997 if (key != NULL && sshbuf_len(b) != 0) { 1998 ret = SSH_ERR_INVALID_FORMAT; 1999 goto out; 2000 } 2001 ret = 0; 2002 if (keyp != NULL) { 2003 *keyp = key; 2004 key = NULL; 2005 } 2006 out: 2007 sshbuf_free(copy); 2008 sshkey_free(key); 2009 free(ktype); 2010 return ret; 2011} 2012 2013int 2014sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) 2015{ 2016 struct sshbuf *b; 2017 int r; 2018 2019 if ((b = sshbuf_from(blob, blen)) == NULL) 2020 return SSH_ERR_ALLOC_FAIL; 2021 r = sshkey_from_blob_internal(b, keyp, 1); 2022 sshbuf_free(b); 2023 return r; 2024} 2025 2026int 2027sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) 2028{ 2029 return sshkey_from_blob_internal(b, keyp, 1); 2030} 2031 2032int 2033sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) 2034{ 2035 struct sshbuf *b; 2036 int r; 2037 2038 if ((r = sshbuf_froms(buf, &b)) != 0) 2039 return r; 2040 r = sshkey_from_blob_internal(b, keyp, 1); 2041 sshbuf_free(b); 2042 return r; 2043} 2044 2045int 2046sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) 2047{ 2048 int r; 2049 struct sshbuf *b = NULL; 2050 char *sigtype = NULL; 2051 2052 if (sigtypep != NULL) 2053 *sigtypep = NULL; 2054 if ((b = sshbuf_from(sig, siglen)) == NULL) 2055 return SSH_ERR_ALLOC_FAIL; 2056 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) 2057 goto out; 2058 /* success */ 2059 if (sigtypep != NULL) { 2060 *sigtypep = sigtype; 2061 sigtype = NULL; 2062 } 2063 r = 0; 2064 out: 2065 free(sigtype); 2066 sshbuf_free(b); 2067 return r; 2068} 2069 2070/* 2071 * 2072 * Checks whether a certificate's signature type is allowed. 2073 * Returns 0 (success) if the certificate signature type appears in the 2074 * "allowed" pattern-list, or the key is not a certificate to begin with. 2075 * Otherwise returns a ssherr.h code. 2076 */ 2077int 2078sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) 2079{ 2080 if (key == NULL || allowed == NULL) 2081 return SSH_ERR_INVALID_ARGUMENT; 2082 if (!sshkey_type_is_cert(key->type)) 2083 return 0; 2084 if (key->cert == NULL || key->cert->signature_type == NULL) 2085 return SSH_ERR_INVALID_ARGUMENT; 2086 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) 2087 return SSH_ERR_SIGN_ALG_UNSUPPORTED; 2088 return 0; 2089} 2090 2091/* 2092 * Returns the expected signature algorithm for a given public key algorithm. 2093 */ 2094const char * 2095sshkey_sigalg_by_name(const char *name) 2096{ 2097 const struct sshkey_impl *impl; 2098 int i; 2099 2100 for (i = 0; keyimpls[i] != NULL; i++) { 2101 impl = keyimpls[i]; 2102 if (strcmp(impl->name, name) != 0) 2103 continue; 2104 if (impl->sigalg != NULL) 2105 return impl->sigalg; 2106 if (!impl->cert) 2107 return impl->name; 2108 return sshkey_ssh_name_from_type_nid( 2109 sshkey_type_plain(impl->type), impl->nid); 2110 } 2111 return NULL; 2112} 2113 2114/* 2115 * Verifies that the signature algorithm appearing inside the signature blob 2116 * matches that which was requested. 2117 */ 2118int 2119sshkey_check_sigtype(const u_char *sig, size_t siglen, 2120 const char *requested_alg) 2121{ 2122 const char *expected_alg; 2123 char *sigtype = NULL; 2124 int r; 2125 2126 if (requested_alg == NULL) 2127 return 0; 2128 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) 2129 return SSH_ERR_INVALID_ARGUMENT; 2130 if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) 2131 return r; 2132 r = strcmp(expected_alg, sigtype) == 0; 2133 free(sigtype); 2134 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; 2135} 2136 2137int 2138sshkey_sign(struct sshkey *key, 2139 u_char **sigp, size_t *lenp, 2140 const u_char *data, size_t datalen, 2141 const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) 2142{ 2143 int was_shielded = sshkey_is_shielded(key); 2144 int r2, r = SSH_ERR_INTERNAL_ERROR; 2145 const struct sshkey_impl *impl; 2146 2147 if (sigp != NULL) 2148 *sigp = NULL; 2149 if (lenp != NULL) 2150 *lenp = 0; 2151 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2152 return SSH_ERR_INVALID_ARGUMENT; 2153 if ((impl = sshkey_impl_from_key(key)) == NULL) 2154 return SSH_ERR_KEY_TYPE_UNKNOWN; 2155 if ((r = sshkey_unshield_private(key)) != 0) 2156 return r; 2157 if (sshkey_is_sk(key)) { 2158 r = sshsk_sign(sk_provider, key, sigp, lenp, data, 2159 datalen, compat, sk_pin); 2160 } else if ((key->flags & SSHKEY_FLAG_EXT) != 0) { 2161 r = pkcs11_sign(key, sigp, lenp, data, datalen, 2162 alg, sk_provider, sk_pin, compat); 2163 } else { 2164 if (impl->funcs->sign == NULL) 2165 r = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2166 else { 2167 r = impl->funcs->sign(key, sigp, lenp, data, datalen, 2168 alg, sk_provider, sk_pin, compat); 2169 } 2170 } 2171 if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) 2172 return r2; 2173 return r; 2174} 2175 2176/* 2177 * ssh_key_verify returns 0 for a correct signature and < 0 on error. 2178 * If "alg" specified, then the signature must use that algorithm. 2179 */ 2180int 2181sshkey_verify(const struct sshkey *key, 2182 const u_char *sig, size_t siglen, 2183 const u_char *data, size_t dlen, const char *alg, u_int compat, 2184 struct sshkey_sig_details **detailsp) 2185{ 2186 const struct sshkey_impl *impl; 2187 2188 if (detailsp != NULL) 2189 *detailsp = NULL; 2190 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) 2191 return SSH_ERR_INVALID_ARGUMENT; 2192 if ((impl = sshkey_impl_from_key(key)) == NULL) 2193 return SSH_ERR_KEY_TYPE_UNKNOWN; 2194 return impl->funcs->verify(key, sig, siglen, data, dlen, 2195 alg, compat, detailsp); 2196} 2197 2198/* Convert a plain key to their _CERT equivalent */ 2199int 2200sshkey_to_certified(struct sshkey *k) 2201{ 2202 int newtype; 2203 2204 if ((newtype = sshkey_type_certified(k->type)) == -1) 2205 return SSH_ERR_INVALID_ARGUMENT; 2206 if ((k->cert = cert_new()) == NULL) 2207 return SSH_ERR_ALLOC_FAIL; 2208 k->type = newtype; 2209 return 0; 2210} 2211 2212/* Convert a certificate to its raw key equivalent */ 2213int 2214sshkey_drop_cert(struct sshkey *k) 2215{ 2216 if (!sshkey_type_is_cert(k->type)) 2217 return SSH_ERR_KEY_TYPE_UNKNOWN; 2218 cert_free(k->cert); 2219 k->cert = NULL; 2220 k->type = sshkey_type_plain(k->type); 2221 return 0; 2222} 2223 2224/* Sign a certified key, (re-)generating the signed certblob. */ 2225int 2226sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, 2227 const char *sk_provider, const char *sk_pin, 2228 sshkey_certify_signer *signer, void *signer_ctx) 2229{ 2230 const struct sshkey_impl *impl; 2231 struct sshbuf *principals = NULL; 2232 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; 2233 size_t i, ca_len, sig_len; 2234 int ret = SSH_ERR_INTERNAL_ERROR; 2235 struct sshbuf *cert = NULL; 2236 char *sigtype = NULL; 2237 2238 if (k == NULL || k->cert == NULL || 2239 k->cert->certblob == NULL || ca == NULL) 2240 return SSH_ERR_INVALID_ARGUMENT; 2241 if (!sshkey_is_cert(k)) 2242 return SSH_ERR_KEY_TYPE_UNKNOWN; 2243 if (!sshkey_type_is_valid_ca(ca->type)) 2244 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2245 if ((impl = sshkey_impl_from_key(k)) == NULL) 2246 return SSH_ERR_INTERNAL_ERROR; 2247 2248 /* 2249 * If no alg specified as argument but a signature_type was set, 2250 * then prefer that. If both were specified, then they must match. 2251 */ 2252 if (alg == NULL) 2253 alg = k->cert->signature_type; 2254 else if (k->cert->signature_type != NULL && 2255 strcmp(alg, k->cert->signature_type) != 0) 2256 return SSH_ERR_INVALID_ARGUMENT; 2257 2258 /* 2259 * If no signing algorithm or signature_type was specified and we're 2260 * using a RSA key, then default to a good signature algorithm. 2261 */ 2262 if (alg == NULL && ca->type == KEY_RSA) 2263 alg = "rsa-sha2-512"; 2264 2265 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) 2266 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; 2267 2268 cert = k->cert->certblob; /* for readability */ 2269 sshbuf_reset(cert); 2270 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) 2271 goto out; 2272 2273 /* -v01 certs put nonce first */ 2274 arc4random_buf(&nonce, sizeof(nonce)); 2275 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) 2276 goto out; 2277 2278 /* Public key next */ 2279 if ((ret = impl->funcs->serialize_public(k, cert, 2280 SSHKEY_SERIALIZE_DEFAULT)) != 0) 2281 goto out; 2282 2283 /* Then remaining cert fields */ 2284 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || 2285 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || 2286 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) 2287 goto out; 2288 2289 if ((principals = sshbuf_new()) == NULL) { 2290 ret = SSH_ERR_ALLOC_FAIL; 2291 goto out; 2292 } 2293 for (i = 0; i < k->cert->nprincipals; i++) { 2294 if ((ret = sshbuf_put_cstring(principals, 2295 k->cert->principals[i])) != 0) 2296 goto out; 2297 } 2298 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || 2299 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || 2300 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || 2301 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || 2302 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || 2303 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ 2304 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) 2305 goto out; 2306 2307 /* Sign the whole mess */ 2308 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), 2309 sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) 2310 goto out; 2311 /* Check and update signature_type against what was actually used */ 2312 if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) 2313 goto out; 2314 if (alg != NULL && strcmp(alg, sigtype) != 0) { 2315 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; 2316 goto out; 2317 } 2318 if (k->cert->signature_type == NULL) { 2319 k->cert->signature_type = sigtype; 2320 sigtype = NULL; 2321 } 2322 /* Append signature and we are done */ 2323 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) 2324 goto out; 2325 ret = 0; 2326 out: 2327 if (ret != 0) 2328 sshbuf_reset(cert); 2329 free(sig_blob); 2330 free(ca_blob); 2331 free(sigtype); 2332 sshbuf_free(principals); 2333 return ret; 2334} 2335 2336static int 2337default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, 2338 const u_char *data, size_t datalen, 2339 const char *alg, const char *sk_provider, const char *sk_pin, 2340 u_int compat, void *ctx) 2341{ 2342 if (ctx != NULL) 2343 return SSH_ERR_INVALID_ARGUMENT; 2344 return sshkey_sign(key, sigp, lenp, data, datalen, alg, 2345 sk_provider, sk_pin, compat); 2346} 2347 2348int 2349sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, 2350 const char *sk_provider, const char *sk_pin) 2351{ 2352 return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, 2353 default_key_sign, NULL); 2354} 2355 2356int 2357sshkey_cert_check_authority(const struct sshkey *k, 2358 int want_host, int wildcard_pattern, uint64_t verify_time, 2359 const char *name, const char **reason) 2360{ 2361 u_int i, principal_matches; 2362 2363 if (reason == NULL) 2364 return SSH_ERR_INVALID_ARGUMENT; 2365 if (!sshkey_is_cert(k)) { 2366 *reason = "Key is not a certificate"; 2367 return SSH_ERR_KEY_CERT_INVALID; 2368 } 2369 if (want_host) { 2370 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2371 *reason = "Certificate invalid: not a host certificate"; 2372 return SSH_ERR_KEY_CERT_INVALID; 2373 } 2374 } else { 2375 if (k->cert->type != SSH2_CERT_TYPE_USER) { 2376 *reason = "Certificate invalid: not a user certificate"; 2377 return SSH_ERR_KEY_CERT_INVALID; 2378 } 2379 } 2380 if (verify_time < k->cert->valid_after) { 2381 *reason = "Certificate invalid: not yet valid"; 2382 return SSH_ERR_KEY_CERT_INVALID; 2383 } 2384 if (verify_time >= k->cert->valid_before) { 2385 *reason = "Certificate invalid: expired"; 2386 return SSH_ERR_KEY_CERT_INVALID; 2387 } 2388 if (k->cert->nprincipals == 0) { 2389 *reason = "Certificate lacks principal list"; 2390 return SSH_ERR_KEY_CERT_INVALID; 2391 } 2392 if (name == NULL) 2393 return 0; /* principal matching not requested */ 2394 2395 principal_matches = 0; 2396 for (i = 0; i < k->cert->nprincipals; i++) { 2397 if (wildcard_pattern) { 2398 if (match_pattern(name, k->cert->principals[i])) { 2399 principal_matches = 1; 2400 break; 2401 } 2402 } else if (strcmp(name, k->cert->principals[i]) == 0) { 2403 principal_matches = 1; 2404 break; 2405 } 2406 } 2407 if (!principal_matches) { 2408 *reason = "Certificate invalid: name is not a listed " 2409 "principal"; 2410 return SSH_ERR_KEY_CERT_INVALID; 2411 } 2412 return 0; 2413} 2414 2415int 2416sshkey_cert_check_authority_now(const struct sshkey *k, 2417 int want_host, int wildcard_pattern, const char *name, 2418 const char **reason) 2419{ 2420 time_t now; 2421 2422 if ((now = time(NULL)) < 0) { 2423 /* yikes - system clock before epoch! */ 2424 *reason = "Certificate invalid: not yet valid"; 2425 return SSH_ERR_KEY_CERT_INVALID; 2426 } 2427 return sshkey_cert_check_authority(k, want_host, wildcard_pattern, 2428 (uint64_t)now, name, reason); 2429} 2430 2431int 2432sshkey_cert_check_host(const struct sshkey *key, const char *host, 2433 const char *ca_sign_algorithms, const char **reason) 2434{ 2435 int r; 2436 2437 if ((r = sshkey_cert_check_authority_now(key, 1, 1, host, reason)) != 0) 2438 return r; 2439 if (sshbuf_len(key->cert->critical) != 0) { 2440 *reason = "Certificate contains unsupported critical options"; 2441 return SSH_ERR_KEY_CERT_INVALID; 2442 } 2443 if (ca_sign_algorithms != NULL && 2444 (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { 2445 *reason = "Certificate signed with disallowed algorithm"; 2446 return SSH_ERR_KEY_CERT_INVALID; 2447 } 2448 return 0; 2449} 2450 2451size_t 2452sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) 2453{ 2454 char from[32], to[32], ret[128]; 2455 2456 *from = *to = '\0'; 2457 if (cert->valid_after == 0 && 2458 cert->valid_before == 0xffffffffffffffffULL) 2459 return strlcpy(s, "forever", l); 2460 2461 if (cert->valid_after != 0) 2462 format_absolute_time(cert->valid_after, from, sizeof(from)); 2463 if (cert->valid_before != 0xffffffffffffffffULL) 2464 format_absolute_time(cert->valid_before, to, sizeof(to)); 2465 2466 if (cert->valid_after == 0) 2467 snprintf(ret, sizeof(ret), "before %s", to); 2468 else if (cert->valid_before == 0xffffffffffffffffULL) 2469 snprintf(ret, sizeof(ret), "after %s", from); 2470 else 2471 snprintf(ret, sizeof(ret), "from %s to %s", from, to); 2472 2473 return strlcpy(s, ret, l); 2474} 2475 2476/* Common serialization for FIDO private keys */ 2477int 2478sshkey_serialize_private_sk(const struct sshkey *key, struct sshbuf *b) 2479{ 2480 int r; 2481 2482 if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0 || 2483 (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || 2484 (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || 2485 (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) 2486 return r; 2487 2488 return 0; 2489} 2490 2491static int 2492sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, 2493 enum sshkey_serialize_rep opts) 2494{ 2495 int r = SSH_ERR_INTERNAL_ERROR; 2496 int was_shielded = sshkey_is_shielded(key); 2497 struct sshbuf *b = NULL; 2498 const struct sshkey_impl *impl; 2499 2500 if ((impl = sshkey_impl_from_key(key)) == NULL) 2501 return SSH_ERR_INTERNAL_ERROR; 2502 if ((r = sshkey_unshield_private(key)) != 0) 2503 return r; 2504 if ((b = sshbuf_new()) == NULL) 2505 return SSH_ERR_ALLOC_FAIL; 2506 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) 2507 goto out; 2508 if (sshkey_is_cert(key)) { 2509 if (key->cert == NULL || 2510 sshbuf_len(key->cert->certblob) == 0) { 2511 r = SSH_ERR_INVALID_ARGUMENT; 2512 goto out; 2513 } 2514 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0) 2515 goto out; 2516 } 2517 if ((r = impl->funcs->serialize_private(key, b, opts)) != 0) 2518 goto out; 2519 2520 /* 2521 * success (but we still need to append the output to buf after 2522 * possibly re-shielding the private key) 2523 */ 2524 r = 0; 2525 out: 2526 if (was_shielded) 2527 r = sshkey_shield_private(key); 2528 if (r == 0) 2529 r = sshbuf_putb(buf, b); 2530 sshbuf_free(b); 2531 2532 return r; 2533} 2534 2535int 2536sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) 2537{ 2538 return sshkey_private_serialize_opt(key, b, 2539 SSHKEY_SERIALIZE_DEFAULT); 2540} 2541 2542 2543/* Shared deserialization of FIDO private key components */ 2544int 2545sshkey_private_deserialize_sk(struct sshbuf *buf, struct sshkey *k) 2546{ 2547 int r; 2548 2549 if ((k->sk_key_handle = sshbuf_new()) == NULL || 2550 (k->sk_reserved = sshbuf_new()) == NULL) 2551 return SSH_ERR_ALLOC_FAIL; 2552 if ((r = sshbuf_get_cstring(buf, &k->sk_application, NULL)) != 0 || 2553 (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || 2554 (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || 2555 (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) 2556 return r; 2557 2558 return 0; 2559} 2560 2561int 2562sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) 2563{ 2564 const struct sshkey_impl *impl; 2565 char *tname = NULL; 2566 char *expect_sk_application = NULL; 2567 u_char *expect_ed25519_pk = NULL; 2568 struct sshkey *k = NULL; 2569 int type, r = SSH_ERR_INTERNAL_ERROR; 2570 2571 if (kp != NULL) 2572 *kp = NULL; 2573 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) 2574 goto out; 2575 type = sshkey_type_from_name(tname); 2576 if (sshkey_type_is_cert(type)) { 2577 /* 2578 * Certificate key private keys begin with the certificate 2579 * itself. Make sure this matches the type of the enclosing 2580 * private key. 2581 */ 2582 if ((r = sshkey_froms(buf, &k)) != 0) 2583 goto out; 2584 if (k->type != type) { 2585 r = SSH_ERR_KEY_CERT_MISMATCH; 2586 goto out; 2587 } 2588 /* For ECDSA keys, the group must match too */ 2589 if (k->type == KEY_ECDSA && 2590 k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { 2591 r = SSH_ERR_KEY_CERT_MISMATCH; 2592 goto out; 2593 } 2594 /* 2595 * Several fields are redundant between certificate and 2596 * private key body, we require these to match. 2597 */ 2598 expect_sk_application = k->sk_application; 2599 expect_ed25519_pk = k->ed25519_pk; 2600 k->sk_application = NULL; 2601 k->ed25519_pk = NULL; 2602 } else { 2603 if ((k = sshkey_new(type)) == NULL) { 2604 r = SSH_ERR_ALLOC_FAIL; 2605 goto out; 2606 } 2607 } 2608 if ((impl = sshkey_impl_from_type(type)) == NULL) { 2609 r = SSH_ERR_INTERNAL_ERROR; 2610 goto out; 2611 } 2612 if ((r = impl->funcs->deserialize_private(tname, buf, k)) != 0) 2613 goto out; 2614 2615 if ((expect_sk_application != NULL && (k->sk_application == NULL || 2616 strcmp(expect_sk_application, k->sk_application) != 0)) || 2617 (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL || 2618 memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) { 2619 r = SSH_ERR_KEY_CERT_MISMATCH; 2620 goto out; 2621 } 2622 /* success */ 2623 r = 0; 2624 if (kp != NULL) { 2625 *kp = k; 2626 k = NULL; 2627 } 2628 out: 2629 free(tname); 2630 sshkey_free(k); 2631 free(expect_sk_application); 2632 free(expect_ed25519_pk); 2633 return r; 2634} 2635 2636#ifdef WITH_OPENSSL 2637int 2638sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2639{ 2640 EC_POINT *nq = NULL; 2641 BIGNUM *order = NULL, *cofactor = NULL; 2642 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2643 2644 /* 2645 * NB. This assumes OpenSSL has already verified that the public 2646 * point lies on the curve and that its coordinates are in [0, p). 2647 * This is done by EC_POINT_oct2point() on at least OpenSSL >= 1.1, 2648 * LibreSSL and BoringSSL. 2649 */ 2650 2651 /* Q != infinity */ 2652 if (EC_POINT_is_at_infinity(group, public)) 2653 goto out; 2654 2655 if ((cofactor = BN_new()) == NULL) { 2656 ret = SSH_ERR_ALLOC_FAIL; 2657 goto out; 2658 } 2659 if (EC_GROUP_get_cofactor(group, cofactor, NULL) != 1) 2660 goto out; 2661 2662 /* 2663 * Verify nQ == infinity (n == order of subgroup) 2664 * This check may be skipped for curves with cofactor 1, as per 2665 * NIST SP 800-56A, 5.6.2.3. 2666 */ 2667 if (!BN_is_one(cofactor)) { 2668 if ((order = BN_new()) == NULL) { 2669 ret = SSH_ERR_ALLOC_FAIL; 2670 goto out; 2671 } 2672 if ((nq = EC_POINT_new(group)) == NULL) { 2673 ret = SSH_ERR_ALLOC_FAIL; 2674 goto out; 2675 } 2676 if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) { 2677 ret = SSH_ERR_LIBCRYPTO_ERROR; 2678 goto out; 2679 } 2680 if (EC_POINT_is_at_infinity(group, nq) != 1) 2681 goto out; 2682 } 2683 2684 /* success */ 2685 ret = 0; 2686 out: 2687 BN_clear_free(cofactor); 2688 BN_clear_free(order); 2689 EC_POINT_free(nq); 2690 return ret; 2691} 2692 2693int 2694sshkey_ec_validate_private(const EC_KEY *key) 2695{ 2696 BIGNUM *order = NULL, *tmp = NULL; 2697 int ret = SSH_ERR_KEY_INVALID_EC_VALUE; 2698 2699 if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) { 2700 ret = SSH_ERR_ALLOC_FAIL; 2701 goto out; 2702 } 2703 2704 /* log2(private) > log2(order)/2 */ 2705 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) { 2706 ret = SSH_ERR_LIBCRYPTO_ERROR; 2707 goto out; 2708 } 2709 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2710 BN_num_bits(order) / 2) 2711 goto out; 2712 2713 /* private < order - 1 */ 2714 if (!BN_sub(tmp, order, BN_value_one())) { 2715 ret = SSH_ERR_LIBCRYPTO_ERROR; 2716 goto out; 2717 } 2718 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) 2719 goto out; 2720 ret = 0; 2721 out: 2722 BN_clear_free(order); 2723 BN_clear_free(tmp); 2724 return ret; 2725} 2726 2727void 2728sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2729{ 2730 BIGNUM *x = NULL, *y = NULL; 2731 2732 if (point == NULL) { 2733 fputs("point=(NULL)\n", stderr); 2734 return; 2735 } 2736 if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) { 2737 fprintf(stderr, "%s: BN_new failed\n", __func__); 2738 goto out; 2739 } 2740 if (EC_POINT_get_affine_coordinates(group, point, x, y, NULL) != 1) { 2741 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates\n", 2742 __func__); 2743 goto out; 2744 } 2745 fputs("x=", stderr); 2746 BN_print_fp(stderr, x); 2747 fputs("\ny=", stderr); 2748 BN_print_fp(stderr, y); 2749 fputs("\n", stderr); 2750 out: 2751 BN_clear_free(x); 2752 BN_clear_free(y); 2753} 2754 2755void 2756sshkey_dump_ec_key(const EC_KEY *key) 2757{ 2758 const BIGNUM *exponent; 2759 2760 sshkey_dump_ec_point(EC_KEY_get0_group(key), 2761 EC_KEY_get0_public_key(key)); 2762 fputs("exponent=", stderr); 2763 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2764 fputs("(NULL)", stderr); 2765 else 2766 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2767 fputs("\n", stderr); 2768} 2769#endif /* WITH_OPENSSL */ 2770 2771static int 2772sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, 2773 const char *passphrase, const char *comment, const char *ciphername, 2774 int rounds) 2775{ 2776 u_char *cp, *key = NULL, *pubkeyblob = NULL; 2777 u_char salt[SALT_LEN]; 2778 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; 2779 u_int check; 2780 int r = SSH_ERR_INTERNAL_ERROR; 2781 struct sshcipher_ctx *ciphercontext = NULL; 2782 const struct sshcipher *cipher; 2783 const char *kdfname = KDFNAME; 2784 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; 2785 2786 if (rounds <= 0) 2787 rounds = DEFAULT_ROUNDS; 2788 if (passphrase == NULL || !strlen(passphrase)) { 2789 ciphername = "none"; 2790 kdfname = "none"; 2791 } else if (ciphername == NULL) 2792 ciphername = DEFAULT_CIPHERNAME; 2793 if ((cipher = cipher_by_name(ciphername)) == NULL) { 2794 r = SSH_ERR_INVALID_ARGUMENT; 2795 goto out; 2796 } 2797 2798 if ((kdf = sshbuf_new()) == NULL || 2799 (encoded = sshbuf_new()) == NULL || 2800 (encrypted = sshbuf_new()) == NULL) { 2801 r = SSH_ERR_ALLOC_FAIL; 2802 goto out; 2803 } 2804 blocksize = cipher_blocksize(cipher); 2805 keylen = cipher_keylen(cipher); 2806 ivlen = cipher_ivlen(cipher); 2807 authlen = cipher_authlen(cipher); 2808 if ((key = calloc(1, keylen + ivlen)) == NULL) { 2809 r = SSH_ERR_ALLOC_FAIL; 2810 goto out; 2811 } 2812 if (strcmp(kdfname, "bcrypt") == 0) { 2813 arc4random_buf(salt, SALT_LEN); 2814 if (bcrypt_pbkdf(passphrase, strlen(passphrase), 2815 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { 2816 r = SSH_ERR_INVALID_ARGUMENT; 2817 goto out; 2818 } 2819 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || 2820 (r = sshbuf_put_u32(kdf, rounds)) != 0) 2821 goto out; 2822 } else if (strcmp(kdfname, "none") != 0) { 2823 /* Unsupported KDF type */ 2824 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 2825 goto out; 2826 } 2827 if ((r = cipher_init(&ciphercontext, cipher, key, keylen, 2828 key + keylen, ivlen, 1)) != 0) 2829 goto out; 2830 2831 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || 2832 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || 2833 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || 2834 (r = sshbuf_put_stringb(encoded, kdf)) != 0 || 2835 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ 2836 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || 2837 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) 2838 goto out; 2839 2840 /* set up the buffer that will be encrypted */ 2841 2842 /* Random check bytes */ 2843 check = arc4random(); 2844 if ((r = sshbuf_put_u32(encrypted, check)) != 0 || 2845 (r = sshbuf_put_u32(encrypted, check)) != 0) 2846 goto out; 2847 2848 /* append private key and comment*/ 2849 if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || 2850 (r = sshbuf_put_cstring(encrypted, comment)) != 0) 2851 goto out; 2852 2853 /* padding */ 2854 i = 0; 2855 while (sshbuf_len(encrypted) % blocksize) { 2856 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) 2857 goto out; 2858 } 2859 2860 /* length in destination buffer */ 2861 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) 2862 goto out; 2863 2864 /* encrypt */ 2865 if ((r = sshbuf_reserve(encoded, 2866 sshbuf_len(encrypted) + authlen, &cp)) != 0) 2867 goto out; 2868 if ((r = cipher_crypt(ciphercontext, 0, cp, 2869 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) 2870 goto out; 2871 2872 sshbuf_reset(blob); 2873 2874 /* assemble uuencoded key */ 2875 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 || 2876 (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || 2877 (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) 2878 goto out; 2879 2880 /* success */ 2881 r = 0; 2882 2883 out: 2884 sshbuf_free(kdf); 2885 sshbuf_free(encoded); 2886 sshbuf_free(encrypted); 2887 cipher_free(ciphercontext); 2888 explicit_bzero(salt, sizeof(salt)); 2889 if (key != NULL) 2890 freezero(key, keylen + ivlen); 2891 if (pubkeyblob != NULL) 2892 freezero(pubkeyblob, pubkeylen); 2893 return r; 2894} 2895 2896static int 2897private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) 2898{ 2899 const u_char *cp; 2900 size_t encoded_len; 2901 int r; 2902 u_char last; 2903 struct sshbuf *encoded = NULL, *decoded = NULL; 2904 2905 if (blob == NULL || decodedp == NULL) 2906 return SSH_ERR_INVALID_ARGUMENT; 2907 2908 *decodedp = NULL; 2909 2910 if ((encoded = sshbuf_new()) == NULL || 2911 (decoded = sshbuf_new()) == NULL) { 2912 r = SSH_ERR_ALLOC_FAIL; 2913 goto out; 2914 } 2915 2916 /* check preamble */ 2917 cp = sshbuf_ptr(blob); 2918 encoded_len = sshbuf_len(blob); 2919 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || 2920 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { 2921 r = SSH_ERR_INVALID_FORMAT; 2922 goto out; 2923 } 2924 cp += MARK_BEGIN_LEN; 2925 encoded_len -= MARK_BEGIN_LEN; 2926 2927 /* Look for end marker, removing whitespace as we go */ 2928 while (encoded_len > 0) { 2929 if (*cp != '\n' && *cp != '\r') { 2930 if ((r = sshbuf_put_u8(encoded, *cp)) != 0) 2931 goto out; 2932 } 2933 last = *cp; 2934 encoded_len--; 2935 cp++; 2936 if (last == '\n') { 2937 if (encoded_len >= MARK_END_LEN && 2938 memcmp(cp, MARK_END, MARK_END_LEN) == 0) { 2939 /* \0 terminate */ 2940 if ((r = sshbuf_put_u8(encoded, 0)) != 0) 2941 goto out; 2942 break; 2943 } 2944 } 2945 } 2946 if (encoded_len == 0) { 2947 r = SSH_ERR_INVALID_FORMAT; 2948 goto out; 2949 } 2950 2951 /* decode base64 */ 2952 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) 2953 goto out; 2954 2955 /* check magic */ 2956 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || 2957 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { 2958 r = SSH_ERR_INVALID_FORMAT; 2959 goto out; 2960 } 2961 /* success */ 2962 *decodedp = decoded; 2963 decoded = NULL; 2964 r = 0; 2965 out: 2966 sshbuf_free(encoded); 2967 sshbuf_free(decoded); 2968 return r; 2969} 2970 2971static int 2972private2_decrypt(struct sshbuf *decoded, const char *passphrase, 2973 struct sshbuf **decryptedp, struct sshkey **pubkeyp) 2974{ 2975 char *ciphername = NULL, *kdfname = NULL; 2976 const struct sshcipher *cipher = NULL; 2977 int r = SSH_ERR_INTERNAL_ERROR; 2978 size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; 2979 struct sshbuf *kdf = NULL, *decrypted = NULL; 2980 struct sshcipher_ctx *ciphercontext = NULL; 2981 struct sshkey *pubkey = NULL; 2982 u_char *key = NULL, *salt = NULL, *dp; 2983 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; 2984 2985 if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL) 2986 return SSH_ERR_INVALID_ARGUMENT; 2987 2988 *decryptedp = NULL; 2989 *pubkeyp = NULL; 2990 2991 if ((decrypted = sshbuf_new()) == NULL) { 2992 r = SSH_ERR_ALLOC_FAIL; 2993 goto out; 2994 } 2995 2996 /* parse public portion of key */ 2997 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 2998 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || 2999 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || 3000 (r = sshbuf_froms(decoded, &kdf)) != 0 || 3001 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 3002 goto out; 3003 3004 if (nkeys != 1) { 3005 /* XXX only one key supported at present */ 3006 r = SSH_ERR_INVALID_FORMAT; 3007 goto out; 3008 } 3009 3010 if ((r = sshkey_froms(decoded, &pubkey)) != 0 || 3011 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) 3012 goto out; 3013 3014 if ((cipher = cipher_by_name(ciphername)) == NULL) { 3015 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3016 goto out; 3017 } 3018 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { 3019 r = SSH_ERR_KEY_UNKNOWN_CIPHER; 3020 goto out; 3021 } 3022 if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { 3023 r = SSH_ERR_INVALID_FORMAT; 3024 goto out; 3025 } 3026 if ((passphrase == NULL || strlen(passphrase) == 0) && 3027 strcmp(kdfname, "none") != 0) { 3028 /* passphrase required */ 3029 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3030 goto out; 3031 } 3032 3033 /* check size of encrypted key blob */ 3034 blocksize = cipher_blocksize(cipher); 3035 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { 3036 r = SSH_ERR_INVALID_FORMAT; 3037 goto out; 3038 } 3039 3040 /* setup key */ 3041 keylen = cipher_keylen(cipher); 3042 ivlen = cipher_ivlen(cipher); 3043 authlen = cipher_authlen(cipher); 3044 if ((key = calloc(1, keylen + ivlen)) == NULL) { 3045 r = SSH_ERR_ALLOC_FAIL; 3046 goto out; 3047 } 3048 if (strcmp(kdfname, "bcrypt") == 0) { 3049 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || 3050 (r = sshbuf_get_u32(kdf, &rounds)) != 0) 3051 goto out; 3052 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, 3053 key, keylen + ivlen, rounds) < 0) { 3054 r = SSH_ERR_INVALID_FORMAT; 3055 goto out; 3056 } 3057 } 3058 3059 /* check that an appropriate amount of auth data is present */ 3060 if (sshbuf_len(decoded) < authlen || 3061 sshbuf_len(decoded) - authlen < encrypted_len) { 3062 r = SSH_ERR_INVALID_FORMAT; 3063 goto out; 3064 } 3065 3066 /* decrypt private portion of key */ 3067 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || 3068 (r = cipher_init(&ciphercontext, cipher, key, keylen, 3069 key + keylen, ivlen, 0)) != 0) 3070 goto out; 3071 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), 3072 encrypted_len, 0, authlen)) != 0) { 3073 /* an integrity error here indicates an incorrect passphrase */ 3074 if (r == SSH_ERR_MAC_INVALID) 3075 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3076 goto out; 3077 } 3078 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) 3079 goto out; 3080 /* there should be no trailing data */ 3081 if (sshbuf_len(decoded) != 0) { 3082 r = SSH_ERR_INVALID_FORMAT; 3083 goto out; 3084 } 3085 3086 /* check check bytes */ 3087 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || 3088 (r = sshbuf_get_u32(decrypted, &check2)) != 0) 3089 goto out; 3090 if (check1 != check2) { 3091 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3092 goto out; 3093 } 3094 /* success */ 3095 *decryptedp = decrypted; 3096 decrypted = NULL; 3097 *pubkeyp = pubkey; 3098 pubkey = NULL; 3099 r = 0; 3100 out: 3101 cipher_free(ciphercontext); 3102 free(ciphername); 3103 free(kdfname); 3104 sshkey_free(pubkey); 3105 if (salt != NULL) { 3106 explicit_bzero(salt, slen); 3107 free(salt); 3108 } 3109 if (key != NULL) { 3110 explicit_bzero(key, keylen + ivlen); 3111 free(key); 3112 } 3113 sshbuf_free(kdf); 3114 sshbuf_free(decrypted); 3115 return r; 3116} 3117 3118static int 3119sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, 3120 struct sshkey **keyp, char **commentp) 3121{ 3122 char *comment = NULL; 3123 int r = SSH_ERR_INTERNAL_ERROR; 3124 struct sshbuf *decoded = NULL, *decrypted = NULL; 3125 struct sshkey *k = NULL, *pubkey = NULL; 3126 3127 if (keyp != NULL) 3128 *keyp = NULL; 3129 if (commentp != NULL) 3130 *commentp = NULL; 3131 3132 /* Undo base64 encoding and decrypt the private section */ 3133 if ((r = private2_uudecode(blob, &decoded)) != 0 || 3134 (r = private2_decrypt(decoded, passphrase, 3135 &decrypted, &pubkey)) != 0) 3136 goto out; 3137 3138 if (type != KEY_UNSPEC && 3139 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 3140 r = SSH_ERR_KEY_TYPE_MISMATCH; 3141 goto out; 3142 } 3143 3144 /* Load the private key and comment */ 3145 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || 3146 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) 3147 goto out; 3148 3149 /* Check deterministic padding after private section */ 3150 if ((r = private2_check_padding(decrypted)) != 0) 3151 goto out; 3152 3153 /* Check that the public key in the envelope matches the private key */ 3154 if (!sshkey_equal(pubkey, k)) { 3155 r = SSH_ERR_INVALID_FORMAT; 3156 goto out; 3157 } 3158 3159 /* success */ 3160 r = 0; 3161 if (keyp != NULL) { 3162 *keyp = k; 3163 k = NULL; 3164 } 3165 if (commentp != NULL) { 3166 *commentp = comment; 3167 comment = NULL; 3168 } 3169 out: 3170 free(comment); 3171 sshbuf_free(decoded); 3172 sshbuf_free(decrypted); 3173 sshkey_free(k); 3174 sshkey_free(pubkey); 3175 return r; 3176} 3177 3178static int 3179sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, 3180 struct sshkey **keyp) 3181{ 3182 int r = SSH_ERR_INTERNAL_ERROR; 3183 struct sshbuf *decoded = NULL; 3184 struct sshkey *pubkey = NULL; 3185 u_int nkeys = 0; 3186 3187 if (keyp != NULL) 3188 *keyp = NULL; 3189 3190 if ((r = private2_uudecode(blob, &decoded)) != 0) 3191 goto out; 3192 /* parse public key from unencrypted envelope */ 3193 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || 3194 (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */ 3195 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */ 3196 (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */ 3197 (r = sshbuf_get_u32(decoded, &nkeys)) != 0) 3198 goto out; 3199 3200 if (nkeys != 1) { 3201 /* XXX only one key supported at present */ 3202 r = SSH_ERR_INVALID_FORMAT; 3203 goto out; 3204 } 3205 3206 /* Parse the public key */ 3207 if ((r = sshkey_froms(decoded, &pubkey)) != 0) 3208 goto out; 3209 3210 if (type != KEY_UNSPEC && 3211 sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { 3212 r = SSH_ERR_KEY_TYPE_MISMATCH; 3213 goto out; 3214 } 3215 3216 /* success */ 3217 r = 0; 3218 if (keyp != NULL) { 3219 *keyp = pubkey; 3220 pubkey = NULL; 3221 } 3222 out: 3223 sshbuf_free(decoded); 3224 sshkey_free(pubkey); 3225 return r; 3226} 3227 3228#ifdef WITH_OPENSSL 3229/* convert SSH v2 key to PEM or PKCS#8 format */ 3230static int 3231sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, 3232 int format, const char *_passphrase, const char *comment) 3233{ 3234 int was_shielded = sshkey_is_shielded(key); 3235 int success, r; 3236 int blen, len = strlen(_passphrase); 3237 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; 3238 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; 3239 char *bptr; 3240 BIO *bio = NULL; 3241 struct sshbuf *blob; 3242 EVP_PKEY *pkey = NULL; 3243 3244 if (len > 0 && len <= 4) 3245 return SSH_ERR_PASSPHRASE_TOO_SHORT; 3246 if ((blob = sshbuf_new()) == NULL) 3247 return SSH_ERR_ALLOC_FAIL; 3248 if ((bio = BIO_new(BIO_s_mem())) == NULL) { 3249 r = SSH_ERR_ALLOC_FAIL; 3250 goto out; 3251 } 3252 if ((r = sshkey_unshield_private(key)) != 0) 3253 goto out; 3254 3255 switch (key->type) { 3256 case KEY_ECDSA: 3257 if (format == SSHKEY_PRIVATE_PEM) { 3258 success = PEM_write_bio_ECPrivateKey(bio, 3259 EVP_PKEY_get0_EC_KEY(key->pkey), 3260 cipher, passphrase, len, NULL, NULL); 3261 } else { 3262 pkey = key->pkey; 3263 EVP_PKEY_up_ref(key->pkey); 3264 success = 1; 3265 } 3266 break; 3267 case KEY_RSA: 3268 if (format == SSHKEY_PRIVATE_PEM) { 3269 success = PEM_write_bio_RSAPrivateKey(bio, 3270 EVP_PKEY_get0_RSA(key->pkey), 3271 cipher, passphrase, len, NULL, NULL); 3272 } else { 3273 pkey = key->pkey; 3274 EVP_PKEY_up_ref(key->pkey); 3275 success = 1; 3276 } 3277 break; 3278#ifdef OPENSSL_HAS_ED25519 3279 case KEY_ED25519: 3280 if (format == SSHKEY_PRIVATE_PEM) { 3281 r = SSH_ERR_INVALID_FORMAT; 3282 goto out; 3283 } else { 3284 pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, 3285 NULL, key->ed25519_sk, 3286 ED25519_SK_SZ - ED25519_PK_SZ); 3287 success = pkey != NULL; 3288 } 3289 break; 3290#endif 3291 default: 3292 success = 0; 3293 break; 3294 } 3295 if (success == 0) { 3296 r = SSH_ERR_LIBCRYPTO_ERROR; 3297 goto out; 3298 } 3299 if (format == SSHKEY_PRIVATE_PKCS8) { 3300 if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, 3301 passphrase, len, NULL, NULL)) == 0) { 3302 r = SSH_ERR_LIBCRYPTO_ERROR; 3303 goto out; 3304 } 3305 } 3306 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { 3307 r = SSH_ERR_INTERNAL_ERROR; 3308 goto out; 3309 } 3310 if ((r = sshbuf_put(blob, bptr, blen)) != 0) 3311 goto out; 3312 r = 0; 3313 out: 3314 if (was_shielded) 3315 r = sshkey_shield_private(key); 3316 if (r == 0) 3317 r = sshbuf_putb(buf, blob); 3318 3319 EVP_PKEY_free(pkey); 3320 sshbuf_free(blob); 3321 BIO_free(bio); 3322 return r; 3323} 3324#endif /* WITH_OPENSSL */ 3325 3326/* Serialise "key" to buffer "blob" */ 3327int 3328sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, 3329 const char *passphrase, const char *comment, 3330 int format, const char *openssh_format_cipher, int openssh_format_rounds) 3331{ 3332 switch (key->type) { 3333#ifdef WITH_OPENSSL 3334 case KEY_ECDSA: 3335 case KEY_RSA: 3336 case KEY_ED25519: 3337 break; /* see below */ 3338#else /* WITH_OPENSSL */ 3339 case KEY_ED25519: 3340#endif /* WITH_OPENSSL */ 3341 case KEY_ED25519_SK: 3342#ifdef WITH_OPENSSL 3343 case KEY_ECDSA_SK: 3344#endif /* WITH_OPENSSL */ 3345 return sshkey_private_to_blob2(key, blob, passphrase, 3346 comment, openssh_format_cipher, openssh_format_rounds); 3347 default: 3348 return SSH_ERR_KEY_TYPE_UNKNOWN; 3349 } 3350 3351#ifdef WITH_OPENSSL 3352 switch (format) { 3353 case SSHKEY_PRIVATE_OPENSSH: 3354 return sshkey_private_to_blob2(key, blob, passphrase, 3355 comment, openssh_format_cipher, openssh_format_rounds); 3356 case SSHKEY_PRIVATE_PEM: 3357 case SSHKEY_PRIVATE_PKCS8: 3358 return sshkey_private_to_blob_pem_pkcs8(key, blob, 3359 format, passphrase, comment); 3360 default: 3361 return SSH_ERR_INVALID_ARGUMENT; 3362 } 3363#endif /* WITH_OPENSSL */ 3364} 3365 3366#ifdef WITH_OPENSSL 3367static int 3368translate_libcrypto_error(unsigned long pem_err) 3369{ 3370 int pem_reason = ERR_GET_REASON(pem_err); 3371 3372 switch (ERR_GET_LIB(pem_err)) { 3373 case ERR_LIB_PEM: 3374 switch (pem_reason) { 3375 case PEM_R_BAD_PASSWORD_READ: 3376 case PEM_R_PROBLEMS_GETTING_PASSWORD: 3377 case PEM_R_BAD_DECRYPT: 3378 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3379 default: 3380 return SSH_ERR_INVALID_FORMAT; 3381 } 3382 case ERR_LIB_EVP: 3383 switch (pem_reason) { 3384 case EVP_R_BAD_DECRYPT: 3385 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3386#ifdef EVP_R_BN_DECODE_ERROR 3387 case EVP_R_BN_DECODE_ERROR: 3388#endif 3389 case EVP_R_DECODE_ERROR: 3390#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR 3391 case EVP_R_PRIVATE_KEY_DECODE_ERROR: 3392#endif 3393 return SSH_ERR_INVALID_FORMAT; 3394 default: 3395 return SSH_ERR_LIBCRYPTO_ERROR; 3396 } 3397 case ERR_LIB_ASN1: 3398 return SSH_ERR_INVALID_FORMAT; 3399 } 3400 return SSH_ERR_LIBCRYPTO_ERROR; 3401} 3402 3403static void 3404clear_libcrypto_errors(void) 3405{ 3406 while (ERR_get_error() != 0) 3407 ; 3408} 3409 3410/* 3411 * Translate OpenSSL error codes to determine whether 3412 * passphrase is required/incorrect. 3413 */ 3414static int 3415convert_libcrypto_error(void) 3416{ 3417 /* 3418 * Some password errors are reported at the beginning 3419 * of the error queue. 3420 */ 3421 if (translate_libcrypto_error(ERR_peek_error()) == 3422 SSH_ERR_KEY_WRONG_PASSPHRASE) 3423 return SSH_ERR_KEY_WRONG_PASSPHRASE; 3424 return translate_libcrypto_error(ERR_peek_last_error()); 3425} 3426 3427static int 3428sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, 3429 const char *passphrase, struct sshkey **keyp) 3430{ 3431 EVP_PKEY *pk = NULL; 3432 struct sshkey *prv = NULL; 3433 BIO *bio = NULL; 3434 int r; 3435 RSA *rsa = NULL; 3436 EC_KEY *ecdsa = NULL; 3437 3438 if (keyp != NULL) 3439 *keyp = NULL; 3440 3441 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) 3442 return SSH_ERR_ALLOC_FAIL; 3443 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != 3444 (int)sshbuf_len(blob)) { 3445 r = SSH_ERR_ALLOC_FAIL; 3446 goto out; 3447 } 3448 3449 clear_libcrypto_errors(); 3450 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, 3451 (char *)passphrase)) == NULL) { 3452 /* 3453 * libcrypto may return various ASN.1 errors when attempting 3454 * to parse a key with an incorrect passphrase. 3455 * Treat all format errors as "incorrect passphrase" if a 3456 * passphrase was supplied. 3457 */ 3458 if (passphrase != NULL && *passphrase != '\0') 3459 r = SSH_ERR_KEY_WRONG_PASSPHRASE; 3460 else 3461 r = convert_libcrypto_error(); 3462 goto out; 3463 } 3464 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && 3465 (type == KEY_UNSPEC || type == KEY_RSA)) { 3466 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3467 r = SSH_ERR_ALLOC_FAIL; 3468 goto out; 3469 } 3470 if ((rsa = EVP_PKEY_get1_RSA(pk)) == NULL) { 3471 r = SSH_ERR_LIBCRYPTO_ERROR; 3472 goto out; 3473 } 3474 prv->type = KEY_RSA; 3475#ifdef DEBUG_PK 3476 RSA_print_fp(stderr, rsa, 8); 3477#endif 3478 if (RSA_blinding_on(rsa, NULL) != 1 || 3479 EVP_PKEY_set1_RSA(pk, rsa) != 1) { 3480 r = SSH_ERR_LIBCRYPTO_ERROR; 3481 goto out; 3482 } 3483 EVP_PKEY_up_ref(pk); 3484 prv->pkey = pk; 3485 if ((r = sshkey_check_rsa_length(prv, 0)) != 0) 3486 goto out; 3487 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && 3488 (type == KEY_UNSPEC || type == KEY_ECDSA)) { 3489 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { 3490 r = SSH_ERR_ALLOC_FAIL; 3491 goto out; 3492 } 3493 if ((prv->ecdsa_nid = sshkey_ecdsa_fixup_group(pk)) == -1 || 3494 (ecdsa = EVP_PKEY_get1_EC_KEY(pk)) == NULL) { 3495 r = SSH_ERR_LIBCRYPTO_ERROR; 3496 goto out; 3497 } 3498 prv->type = KEY_ECDSA; 3499 if (sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || 3500 sshkey_ec_validate_public(EC_KEY_get0_group(ecdsa), 3501 EC_KEY_get0_public_key(ecdsa)) != 0 || 3502 sshkey_ec_validate_private(ecdsa) != 0) { 3503 r = SSH_ERR_INVALID_FORMAT; 3504 goto out; 3505 } 3506 EVP_PKEY_up_ref(pk); 3507 prv->pkey = pk; 3508#ifdef DEBUG_PK 3509 if (prv != NULL && prv->pkey != NULL) 3510 sshkey_dump_ec_key(EVP_PKEY_get0_EC_KEY(prv->pkey)); 3511#endif 3512 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_ED25519 && 3513 (type == KEY_UNSPEC || type == KEY_ED25519)) { 3514 size_t len; 3515 3516 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL || 3517 (prv->ed25519_sk = calloc(1, ED25519_SK_SZ)) == NULL || 3518 (prv->ed25519_pk = calloc(1, ED25519_PK_SZ)) == NULL) { 3519 r = SSH_ERR_ALLOC_FAIL; 3520 goto out; 3521 } 3522 prv->type = KEY_ED25519; 3523 len = ED25519_PK_SZ; 3524 if (!EVP_PKEY_get_raw_public_key(pk, prv->ed25519_pk, &len)) { 3525 r = SSH_ERR_LIBCRYPTO_ERROR; 3526 goto out; 3527 } 3528 if (len != ED25519_PK_SZ) { 3529 r = SSH_ERR_INVALID_FORMAT; 3530 goto out; 3531 } 3532 len = ED25519_SK_SZ - ED25519_PK_SZ; 3533 if (!EVP_PKEY_get_raw_private_key(pk, prv->ed25519_sk, &len)) { 3534 r = SSH_ERR_LIBCRYPTO_ERROR; 3535 goto out; 3536 } 3537 if (len != ED25519_SK_SZ - ED25519_PK_SZ) { 3538 r = SSH_ERR_INVALID_FORMAT; 3539 goto out; 3540 } 3541 /* Append the public key to our private key */ 3542 memcpy(prv->ed25519_sk + (ED25519_SK_SZ - ED25519_PK_SZ), 3543 prv->ed25519_pk, ED25519_PK_SZ); 3544#ifdef DEBUG_PK 3545 sshbuf_dump_data(prv->ed25519_sk, ED25519_SK_SZ, stderr); 3546#endif 3547 } else { 3548 r = SSH_ERR_INVALID_FORMAT; 3549 goto out; 3550 } 3551 r = 0; 3552 if (keyp != NULL) { 3553 *keyp = prv; 3554 prv = NULL; 3555 } 3556 out: 3557 BIO_free(bio); 3558 EVP_PKEY_free(pk); 3559 RSA_free(rsa); 3560 EC_KEY_free(ecdsa); 3561 sshkey_free(prv); 3562 return r; 3563} 3564#endif /* WITH_OPENSSL */ 3565 3566int 3567sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, 3568 const char *passphrase, struct sshkey **keyp, char **commentp) 3569{ 3570 int r = SSH_ERR_INTERNAL_ERROR; 3571 3572 if (keyp != NULL) 3573 *keyp = NULL; 3574 if (commentp != NULL) 3575 *commentp = NULL; 3576 3577 r = sshkey_parse_private2(blob, type, passphrase, keyp, commentp); 3578 /* Only fallback to PEM parser if a format error occurred. */ 3579 if (r != SSH_ERR_INVALID_FORMAT) 3580 return r; 3581#ifdef WITH_OPENSSL 3582 return sshkey_parse_private_pem_fileblob(blob, type, 3583 passphrase, keyp); 3584#else 3585 return SSH_ERR_INVALID_FORMAT; 3586#endif /* WITH_OPENSSL */ 3587} 3588 3589int 3590sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, 3591 struct sshkey **keyp, char **commentp) 3592{ 3593 if (keyp != NULL) 3594 *keyp = NULL; 3595 if (commentp != NULL) 3596 *commentp = NULL; 3597 3598 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, 3599 passphrase, keyp, commentp); 3600} 3601 3602void 3603sshkey_sig_details_free(struct sshkey_sig_details *details) 3604{ 3605 freezero(details, sizeof(*details)); 3606} 3607 3608int 3609sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, 3610 struct sshkey **pubkeyp) 3611{ 3612 int r = SSH_ERR_INTERNAL_ERROR; 3613 3614 if (pubkeyp != NULL) 3615 *pubkeyp = NULL; 3616 /* only new-format private keys bundle a public key inside */ 3617 if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) 3618 return r; 3619 return 0; 3620}