openssh/sshkey.c
Damien Miller 9244990ecd remove a bunch of ENABLE_SK #ifdefs
The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to check everywere.

Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.
2019-12-14 09:21:46 +11:00

4750 lines
119 KiB
C

/* $OpenBSD: sshkey.c,v 1.97 2019/12/13 19:09:10 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
* Copyright (c) 2010,2011 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
#include <sys/types.h>
#include <netinet/in.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#endif
#include "crypto_api.h"
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <resolv.h>
#include <time.h>
#ifdef HAVE_UTIL_H
#include <util.h>
#endif /* HAVE_UTIL_H */
#include "ssh2.h"
#include "ssherr.h"
#include "misc.h"
#include "sshbuf.h"
#include "cipher.h"
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
#include "ssh-sk.h"
#ifdef WITH_XMSS
#include "sshkey-xmss.h"
#include "xmss_fast.h"
#endif
#include "openbsd-compat/openssl-compat.h"
/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
#define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
#define MARK_END_LEN (sizeof(MARK_END) - 1)
#define KDFNAME "bcrypt"
#define AUTH_MAGIC "openssh-key-v1"
#define SALT_LEN 16
#define DEFAULT_CIPHERNAME "aes256-ctr"
#define DEFAULT_ROUNDS 16
/* Version identification string for SSH v1 identity files. */
#define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n"
/*
* Constants relating to "shielding" support; protection of keys expected
* to remain in memory for long durations
*/
#define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024)
#define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */
#define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512
int sshkey_private_serialize_opt(struct sshkey *key,
struct sshbuf *buf, enum sshkey_serialize_rep);
static int sshkey_from_blob_internal(struct sshbuf *buf,
struct sshkey **keyp, int allow_cert);
/* Supported key types */
struct keytype {
const char *name;
const char *shortname;
const char *sigalg;
int type;
int nid;
int cert;
int sigonly;
};
static const struct keytype keytypes[] = {
{ "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 },
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL,
KEY_ED25519_CERT, 0, 1, 0 },
{ "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL,
KEY_ED25519_SK, 0, 0, 0 },
{ "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL,
KEY_ED25519_SK_CERT, 0, 1, 0 },
#ifdef WITH_XMSS
{ "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 },
{ "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL,
KEY_XMSS_CERT, 0, 1, 0 },
#endif /* WITH_XMSS */
#ifdef WITH_OPENSSL
{ "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 },
{ "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
{ "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 },
{ "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 },
# ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256", "ECDSA", NULL,
KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
{ "ecdsa-sha2-nistp384", "ECDSA", NULL,
KEY_ECDSA, NID_secp384r1, 0, 0 },
# ifdef OPENSSL_HAS_NISTP521
{ "ecdsa-sha2-nistp521", "ECDSA", NULL,
KEY_ECDSA, NID_secp521r1, 0, 0 },
# endif /* OPENSSL_HAS_NISTP521 */
{ "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL,
KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 },
# endif /* OPENSSL_HAS_ECC */
{ "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL,
KEY_RSA_CERT, 0, 1, 0 },
{ "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT",
"rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
{ "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT",
"rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
{ "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL,
KEY_DSA_CERT, 0, 1, 0 },
# ifdef OPENSSL_HAS_ECC
{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL,
KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL,
KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
# ifdef OPENSSL_HAS_NISTP521
{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL,
KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
# endif /* OPENSSL_HAS_NISTP521 */
{ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL,
KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
{ NULL, NULL, NULL, -1, -1, 0, 0 }
};
const char *
sshkey_type(const struct sshkey *k)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->type == k->type)
return kt->shortname;
}
return "unknown";
}
static const char *
sshkey_ssh_name_from_type_nid(int type, int nid)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
return kt->name;
}
return "ssh-unknown";
}
int
sshkey_type_is_cert(int type)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->type == type)
return kt->cert;
}
return 0;
}
const char *
sshkey_ssh_name(const struct sshkey *k)
{
return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
}
const char *
sshkey_ssh_name_plain(const struct sshkey *k)
{
return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
k->ecdsa_nid);
}
int
sshkey_type_from_name(const char *name)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
/* Only allow shortname matches for plain key types */
if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
(!kt->cert && strcasecmp(kt->shortname, name) == 0))
return kt->type;
}
return KEY_UNSPEC;
}
static int
key_type_is_ecdsa_variant(int type)
{
switch (type) {
case KEY_ECDSA:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
return 1;
}
return 0;
}
int
sshkey_ecdsa_nid_from_name(const char *name)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (!key_type_is_ecdsa_variant(kt->type))
continue;
if (kt->name != NULL && strcmp(name, kt->name) == 0)
return kt->nid;
}
return -1;
}
char *
sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
{
char *tmp, *ret = NULL;
size_t nlen, rlen = 0;
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->name == NULL)
continue;
if (!include_sigonly && kt->sigonly)
continue;
if ((certs_only && !kt->cert) || (plain_only && kt->cert))
continue;
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(kt->name);
if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
free(ret);
return NULL;
}
ret = tmp;
memcpy(ret + rlen, kt->name, nlen + 1);
rlen += nlen;
}
return ret;
}
int
sshkey_names_valid2(const char *names, int allow_wildcard)
{
char *s, *cp, *p;
const struct keytype *kt;
int type;
if (names == NULL || strcmp(names, "") == 0)
return 0;
if ((s = cp = strdup(names)) == NULL)
return 0;
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
type = sshkey_type_from_name(p);
if (type == KEY_UNSPEC) {
if (allow_wildcard) {
/*
* Try matching key types against the string.
* If any has a positive or negative match then
* the component is accepted.
*/
for (kt = keytypes; kt->type != -1; kt++) {
if (match_pattern_list(kt->name,
p, 0) != 0)
break;
}
if (kt->type != -1)
continue;
}
free(s);
return 0;
}
}
free(s);
return 1;
}
u_int
sshkey_size(const struct sshkey *k)
{
#ifdef WITH_OPENSSL
const BIGNUM *rsa_n, *dsa_p;
#endif /* WITH_OPENSSL */
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
case KEY_RSA_CERT:
if (k->rsa == NULL)
return 0;
RSA_get0_key(k->rsa, &rsa_n, NULL, NULL);
return BN_num_bits(rsa_n);
case KEY_DSA:
case KEY_DSA_CERT:
if (k->dsa == NULL)
return 0;
DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL);
return BN_num_bits(dsa_p);
case KEY_ECDSA:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
return sshkey_curve_nid_to_bits(k->ecdsa_nid);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
case KEY_XMSS:
case KEY_XMSS_CERT:
return 256; /* XXX */
}
return 0;
}
static int
sshkey_type_is_valid_ca(int type)
{
switch (type) {
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
case KEY_ECDSA_SK:
case KEY_ED25519:
case KEY_ED25519_SK:
case KEY_XMSS:
return 1;
default:
return 0;
}
}
int
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
return 0;
return sshkey_type_is_cert(k->type);
}
int
sshkey_is_sk(const struct sshkey *k)
{
if (k == NULL)
return 0;
switch (sshkey_type_plain(k->type)) {
case KEY_ECDSA_SK:
case KEY_ED25519_SK:
return 1;
default:
return 0;
}
}
/* Return the cert-less equivalent to a certified key type */
int
sshkey_type_plain(int type)
{
switch (type) {
case KEY_RSA_CERT:
return KEY_RSA;
case KEY_DSA_CERT:
return KEY_DSA;
case KEY_ECDSA_CERT:
return KEY_ECDSA;
case KEY_ECDSA_SK_CERT:
return KEY_ECDSA_SK;
case KEY_ED25519_CERT:
return KEY_ED25519;
case KEY_ED25519_SK_CERT:
return KEY_ED25519_SK;
case KEY_XMSS_CERT:
return KEY_XMSS;
default:
return type;
}
}
#ifdef WITH_OPENSSL
/* XXX: these are really begging for a table-driven approach */
int
sshkey_curve_name_to_nid(const char *name)
{
if (strcmp(name, "nistp256") == 0)
return NID_X9_62_prime256v1;
else if (strcmp(name, "nistp384") == 0)
return NID_secp384r1;
# ifdef OPENSSL_HAS_NISTP521
else if (strcmp(name, "nistp521") == 0)
return NID_secp521r1;
# endif /* OPENSSL_HAS_NISTP521 */
else
return -1;
}
u_int
sshkey_curve_nid_to_bits(int nid)
{
switch (nid) {
case NID_X9_62_prime256v1:
return 256;
case NID_secp384r1:
return 384;
# ifdef OPENSSL_HAS_NISTP521
case NID_secp521r1:
return 521;
# endif /* OPENSSL_HAS_NISTP521 */
default:
return 0;
}
}
int
sshkey_ecdsa_bits_to_nid(int bits)
{
switch (bits) {
case 256:
return NID_X9_62_prime256v1;
case 384:
return NID_secp384r1;
# ifdef OPENSSL_HAS_NISTP521
case 521:
return NID_secp521r1;
# endif /* OPENSSL_HAS_NISTP521 */
default:
return -1;
}
}
const char *
sshkey_curve_nid_to_name(int nid)
{
switch (nid) {
case NID_X9_62_prime256v1:
return "nistp256";
case NID_secp384r1:
return "nistp384";
# ifdef OPENSSL_HAS_NISTP521
case NID_secp521r1:
return "nistp521";
# endif /* OPENSSL_HAS_NISTP521 */
default:
return NULL;
}
}
int
sshkey_ec_nid_to_hash_alg(int nid)
{
int kbits = sshkey_curve_nid_to_bits(nid);
if (kbits <= 0)
return -1;
/* RFC5656 section 6.2.1 */
if (kbits <= 256)
return SSH_DIGEST_SHA256;
else if (kbits <= 384)
return SSH_DIGEST_SHA384;
else
return SSH_DIGEST_SHA512;
}
#endif /* WITH_OPENSSL */
static void
cert_free(struct sshkey_cert *cert)
{
u_int i;
if (cert == NULL)
return;
sshbuf_free(cert->certblob);
sshbuf_free(cert->critical);
sshbuf_free(cert->extensions);
free(cert->key_id);
for (i = 0; i < cert->nprincipals; i++)
free(cert->principals[i]);
free(cert->principals);
sshkey_free(cert->signature_key);
free(cert->signature_type);
freezero(cert, sizeof(*cert));
}
static struct sshkey_cert *
cert_new(void)
{
struct sshkey_cert *cert;
if ((cert = calloc(1, sizeof(*cert))) == NULL)
return NULL;
if ((cert->certblob = sshbuf_new()) == NULL ||
(cert->critical = sshbuf_new()) == NULL ||
(cert->extensions = sshbuf_new()) == NULL) {
cert_free(cert);
return NULL;
}
cert->key_id = NULL;
cert->principals = NULL;
cert->signature_key = NULL;
cert->signature_type = NULL;
return cert;
}
struct sshkey *
sshkey_new(int type)
{
struct sshkey *k;
#ifdef WITH_OPENSSL
RSA *rsa;
DSA *dsa;
#endif /* WITH_OPENSSL */
if ((k = calloc(1, sizeof(*k))) == NULL)
return NULL;
k->type = type;
k->ecdsa = NULL;
k->ecdsa_nid = -1;
k->dsa = NULL;
k->rsa = NULL;
k->cert = NULL;
k->ed25519_sk = NULL;
k->ed25519_pk = NULL;
k->xmss_sk = NULL;
k->xmss_pk = NULL;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
case KEY_RSA_CERT:
if ((rsa = RSA_new()) == NULL) {
free(k);
return NULL;
}
k->rsa = rsa;
break;
case KEY_DSA:
case KEY_DSA_CERT:
if ((dsa = DSA_new()) == NULL) {
free(k);
return NULL;
}
k->dsa = dsa;
break;
case KEY_ECDSA:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
/* Cannot do anything until we know the group */
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
case KEY_XMSS:
case KEY_XMSS_CERT:
/* no need to prealloc */
break;
case KEY_UNSPEC:
break;
default:
free(k);
return NULL;
}
if (sshkey_is_cert(k)) {
if ((k->cert = cert_new()) == NULL) {
sshkey_free(k);
return NULL;
}
}
return k;
}
void
sshkey_free(struct sshkey *k)
{
if (k == NULL)
return;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
case KEY_RSA_CERT:
RSA_free(k->rsa);
k->rsa = NULL;
break;
case KEY_DSA:
case KEY_DSA_CERT:
DSA_free(k->dsa);
k->dsa = NULL;
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
free(k->sk_application);
sshbuf_free(k->sk_key_handle);
sshbuf_free(k->sk_reserved);
/* FALLTHROUGH */
case KEY_ECDSA:
case KEY_ECDSA_CERT:
EC_KEY_free(k->ecdsa);
k->ecdsa = NULL;
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
free(k->sk_application);
sshbuf_free(k->sk_key_handle);
sshbuf_free(k->sk_reserved);
/* FALLTHROUGH */
case KEY_ED25519:
case KEY_ED25519_CERT:
freezero(k->ed25519_pk, ED25519_PK_SZ);
k->ed25519_pk = NULL;
freezero(k->ed25519_sk, ED25519_SK_SZ);
k->ed25519_sk = NULL;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
freezero(k->xmss_pk, sshkey_xmss_pklen(k));
k->xmss_pk = NULL;
freezero(k->xmss_sk, sshkey_xmss_sklen(k));
k->xmss_sk = NULL;
sshkey_xmss_free_state(k);
free(k->xmss_name);
k->xmss_name = NULL;
free(k->xmss_filename);
k->xmss_filename = NULL;
break;
#endif /* WITH_XMSS */
case KEY_UNSPEC:
break;
default:
break;
}
if (sshkey_is_cert(k))
cert_free(k->cert);
freezero(k->shielded_private, k->shielded_len);
freezero(k->shield_prekey, k->shield_prekey_len);
freezero(k, sizeof(*k));
}
static int
cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
{
if (a == NULL && b == NULL)
return 1;
if (a == NULL || b == NULL)
return 0;
if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
return 0;
if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
sshbuf_len(a->certblob)) != 0)
return 0;
return 1;
}
/*
* Compare public portions of key only, allowing comparisons between
* certificates and plain keys too.
*/
int
sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
{
#if defined(WITH_OPENSSL)
const BIGNUM *rsa_e_a, *rsa_n_a;
const BIGNUM *rsa_e_b, *rsa_n_b;
const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a;
const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b;
#endif /* WITH_OPENSSL */
if (a == NULL || b == NULL ||
sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
return 0;
switch (a->type) {
#ifdef WITH_OPENSSL
case KEY_RSA_CERT:
case KEY_RSA:
if (a->rsa == NULL || b->rsa == NULL)
return 0;
RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL);
RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL);
return BN_cmp(rsa_e_a, rsa_e_b) == 0 &&
BN_cmp(rsa_n_a, rsa_n_b) == 0;
case KEY_DSA_CERT:
case KEY_DSA:
if (a->dsa == NULL || b->dsa == NULL)
return 0;
DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL);
DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL);
return BN_cmp(dsa_p_a, dsa_p_b) == 0 &&
BN_cmp(dsa_q_a, dsa_q_b) == 0 &&
BN_cmp(dsa_g_a, dsa_g_b) == 0 &&
BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
if (a->sk_application == NULL || b->sk_application == NULL)
return 0;
if (strcmp(a->sk_application, b->sk_application) != 0)
return 0;
/* FALLTHROUGH */
case KEY_ECDSA_CERT:
case KEY_ECDSA:
if (a->ecdsa == NULL || b->ecdsa == NULL ||
EC_KEY_get0_public_key(a->ecdsa) == NULL ||
EC_KEY_get0_public_key(b->ecdsa) == NULL)
return 0;
if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
EC_KEY_get0_group(b->ecdsa), NULL) != 0 ||
EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
EC_KEY_get0_public_key(a->ecdsa),
EC_KEY_get0_public_key(b->ecdsa), NULL) != 0)
return 0;
return 1;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
if (a->sk_application == NULL || b->sk_application == NULL)
return 0;
if (strcmp(a->sk_application, b->sk_application) != 0)
return 0;
/* FALLTHROUGH */
case KEY_ED25519:
case KEY_ED25519_CERT:
return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
return a->xmss_pk != NULL && b->xmss_pk != NULL &&
sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) &&
memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0;
#endif /* WITH_XMSS */
default:
return 0;
}
/* NOTREACHED */
}
int
sshkey_equal(const struct sshkey *a, const struct sshkey *b)
{
if (a == NULL || b == NULL || a->type != b->type)
return 0;
if (sshkey_is_cert(a)) {
if (!cert_compare(a->cert, b->cert))
return 0;
}
return sshkey_equal_public(a, b);
}
static int
to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
enum sshkey_serialize_rep opts)
{
int type, ret = SSH_ERR_INTERNAL_ERROR;
const char *typename;
#ifdef WITH_OPENSSL
const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
#endif /* WITH_OPENSSL */
if (key == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (sshkey_is_cert(key)) {
if (key->cert == NULL)
return SSH_ERR_EXPECTED_CERT;
if (sshbuf_len(key->cert->certblob) == 0)
return SSH_ERR_KEY_LACKS_CERTBLOB;
}
type = force_plain ? sshkey_type_plain(key->type) : key->type;
typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
switch (type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK_CERT:
case KEY_RSA_CERT:
#endif /* WITH_OPENSSL */
case KEY_ED25519_CERT:
case KEY_ED25519_SK_CERT:
#ifdef WITH_XMSS
case KEY_XMSS_CERT:
#endif /* WITH_XMSS */
/* Use the existing blob */
/* XXX modified flag? */
if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
return ret;
break;
#ifdef WITH_OPENSSL
case KEY_DSA:
if (key->dsa == NULL)
return SSH_ERR_INVALID_ARGUMENT;
DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
DSA_get0_key(key->dsa, &dsa_pub_key, NULL);
if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
(ret = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
(ret = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
(ret = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
(ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
return ret;
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
case KEY_ECDSA_SK:
if (key->ecdsa == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
(ret = sshbuf_put_cstring(b,
sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
(ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
return ret;
if (type == KEY_ECDSA_SK) {
if ((ret = sshbuf_put_cstring(b,
key->sk_application)) != 0)
return ret;
}
break;
# endif
case KEY_RSA:
if (key->rsa == NULL)
return SSH_ERR_INVALID_ARGUMENT;
RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL);
if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
(ret = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
(ret = sshbuf_put_bignum2(b, rsa_n)) != 0)
return ret;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_SK:
if (key->ed25519_pk == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
(ret = sshbuf_put_string(b,
key->ed25519_pk, ED25519_PK_SZ)) != 0)
return ret;
if (type == KEY_ED25519_SK) {
if ((ret = sshbuf_put_cstring(b,
key->sk_application)) != 0)
return ret;
}
break;
#ifdef WITH_XMSS
case KEY_XMSS:
if (key->xmss_name == NULL || key->xmss_pk == NULL ||
sshkey_xmss_pklen(key) == 0)
return SSH_ERR_INVALID_ARGUMENT;
if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
(ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
(ret = sshbuf_put_string(b,
key->xmss_pk, sshkey_xmss_pklen(key))) != 0 ||
(ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0)
return ret;
break;
#endif /* WITH_XMSS */
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
return 0;
}
int
sshkey_putb(const struct sshkey *key, struct sshbuf *b)
{
return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
}
int
sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b,
enum sshkey_serialize_rep opts)
{
struct sshbuf *tmp;
int r;
if ((tmp = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
r = to_blob_buf(key, tmp, 0, opts);
if (r == 0)
r = sshbuf_put_stringb(b, tmp);
sshbuf_free(tmp);
return r;
}
int
sshkey_puts(const struct sshkey *key, struct sshbuf *b)
{
return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
}
int
sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
{
return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
}
static int
to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain,
enum sshkey_serialize_rep opts)
{
int ret = SSH_ERR_INTERNAL_ERROR;
size_t len;
struct sshbuf *b = NULL;
if (lenp != NULL)
*lenp = 0;
if (blobp != NULL)
*blobp = NULL;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
goto out;
len = sshbuf_len(b);
if (lenp != NULL)
*lenp = len;
if (blobp != NULL) {
if ((*blobp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*blobp, sshbuf_ptr(b), len);
}
ret = 0;
out:
sshbuf_free(b);
return ret;
}
int
sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
{
return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
}
int
sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
{
return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
}
int
sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
u_char **retp, size_t *lenp)
{
u_char *blob = NULL, *ret = NULL;
size_t blob_len = 0;
int r = SSH_ERR_INTERNAL_ERROR;
if (retp != NULL)
*retp = NULL;
if (lenp != NULL)
*lenp = 0;
if (ssh_digest_bytes(dgst_alg) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
!= 0)
goto out;
if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
ret, SSH_DIGEST_MAX_LENGTH)) != 0)
goto out;
/* success */
if (retp != NULL) {
*retp = ret;
ret = NULL;
}
if (lenp != NULL)
*lenp = ssh_digest_bytes(dgst_alg);
r = 0;
out:
free(ret);
if (blob != NULL) {
explicit_bzero(blob, blob_len);
free(blob);
}
return r;
}
static char *
fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
{
char *ret;
size_t plen = strlen(alg) + 1;
size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
return NULL;
strlcpy(ret, alg, rlen);
strlcat(ret, ":", rlen);
if (dgst_raw_len == 0)
return ret;
if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
freezero(ret, rlen);
return NULL;
}
/* Trim padding characters from end */
ret[strcspn(ret, "=")] = '\0';
return ret;
}
static char *
fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
{
char *retval, hex[5];
size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
return NULL;
strlcpy(retval, alg, rlen);
strlcat(retval, ":", rlen);
for (i = 0; i < dgst_raw_len; i++) {
snprintf(hex, sizeof(hex), "%s%02x",
i > 0 ? ":" : "", dgst_raw[i]);
strlcat(retval, hex, rlen);
}
return retval;
}
static char *
fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
{
char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
u_int i, j = 0, rounds, seed = 1;
char *retval;
rounds = (dgst_raw_len / 2) + 1;
if ((retval = calloc(rounds, 6)) == NULL)
return NULL;
retval[j++] = 'x';
for (i = 0; i < rounds; i++) {
u_int idx0, idx1, idx2, idx3, idx4;
if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
seed) % 6;
idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
(seed / 6)) % 6;
retval[j++] = vowels[idx0];
retval[j++] = consonants[idx1];
retval[j++] = vowels[idx2];
if ((i + 1) < rounds) {
idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
retval[j++] = consonants[idx3];
retval[j++] = '-';
retval[j++] = consonants[idx4];
seed = ((seed * 5) +
((((u_int)(dgst_raw[2 * i])) * 7) +
((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
}
} else {
idx0 = seed % 6;
idx1 = 16;
idx2 = seed / 6;
retval[j++] = vowels[idx0];
retval[j++] = consonants[idx1];
retval[j++] = vowels[idx2];
}
}
retval[j++] = 'x';
retval[j++] = '\0';
return retval;
}
/*
* Draw an ASCII-Art representing the fingerprint so human brain can
* profit from its built-in pattern recognition ability.
* This technique is called "random art" and can be found in some
* scientific publications like this original paper:
*
* "Hash Visualization: a New Technique to improve Real-World Security",
* Perrig A. and Song D., 1999, International Workshop on Cryptographic
* Techniques and E-Commerce (CrypTEC '99)
* sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
*
* The subject came up in a talk by Dan Kaminsky, too.
*
* If you see the picture is different, the key is different.
* If the picture looks the same, you still know nothing.
*
* The algorithm used here is a worm crawling over a discrete plane,
* leaving a trace (augmenting the field) everywhere it goes.
* Movement is taken from dgst_raw 2bit-wise. Bumping into walls
* makes the respective movement vector be ignored for this turn.
* Graphs are not unambiguous, because circles in graphs can be
* walked in either direction.
*/
/*
* Field sizes for the random art. Have to be odd, so the starting point
* can be in the exact middle of the picture, and FLDBASE should be >=8 .
* Else pictures would be too dense, and drawing the frame would
* fail, too, because the key type would not fit in anymore.
*/
#define FLDBASE 8
#define FLDSIZE_Y (FLDBASE + 1)
#define FLDSIZE_X (FLDBASE * 2 + 1)
static char *
fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
const struct sshkey *k)
{
/*
* Chars to be used after each other every time the worm
* intersects with itself. Matter of taste.
*/
char *augmentation_string = " .o+=*BOX@%&#/^SE";
char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
u_char field[FLDSIZE_X][FLDSIZE_Y];
size_t i, tlen, hlen;
u_int b;
int x, y, r;
size_t len = strlen(augmentation_string) - 1;
if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
return NULL;
/* initialize field */
memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
x = FLDSIZE_X / 2;
y = FLDSIZE_Y / 2;
/* process raw key */
for (i = 0; i < dgst_raw_len; i++) {
int input;
/* each byte conveys four 2-bit move commands */
input = dgst_raw[i];
for (b = 0; b < 4; b++) {
/* evaluate 2 bit, rest is shifted later */
x += (input & 0x1) ? 1 : -1;
y += (input & 0x2) ? 1 : -1;
/* assure we are still in bounds */
x = MAXIMUM(x, 0);
y = MAXIMUM(y, 0);
x = MINIMUM(x, FLDSIZE_X - 1);
y = MINIMUM(y, FLDSIZE_Y - 1);
/* augment the field */
if (field[x][y] < len - 2)
field[x][y]++;
input = input >> 2;
}
}
/* mark starting point and end point*/
field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
field[x][y] = len;
/* assemble title */
r = snprintf(title, sizeof(title), "[%s %u]",
sshkey_type(k), sshkey_size(k));
/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
if (r < 0 || r > (int)sizeof(title))
r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
tlen = (r <= 0) ? 0 : strlen(title);
/* assemble hash ID. */
r = snprintf(hash, sizeof(hash), "[%s]", alg);
hlen = (r <= 0) ? 0 : strlen(hash);
/* output upper border */
p = retval;
*p++ = '+';
for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
*p++ = '-';
memcpy(p, title, tlen);
p += tlen;
for (i += tlen; i < FLDSIZE_X; i++)
*p++ = '-';
*p++ = '+';
*p++ = '\n';
/* output content */
for (y = 0; y < FLDSIZE_Y; y++) {
*p++ = '|';
for (x = 0; x < FLDSIZE_X; x++)
*p++ = augmentation_string[MINIMUM(field[x][y], len)];
*p++ = '|';
*p++ = '\n';
}
/* output lower border */
*p++ = '+';
for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
*p++ = '-';
memcpy(p, hash, hlen);
p += hlen;
for (i += hlen; i < FLDSIZE_X; i++)
*p++ = '-';
*p++ = '+';
return retval;
}
char *
sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
enum sshkey_fp_rep dgst_rep)
{
char *retval = NULL;
u_char *dgst_raw;
size_t dgst_raw_len;
if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
return NULL;
switch (dgst_rep) {
case SSH_FP_DEFAULT:
if (dgst_alg == SSH_DIGEST_MD5) {
retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
dgst_raw, dgst_raw_len);
} else {
retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
dgst_raw, dgst_raw_len);
}
break;
case SSH_FP_HEX:
retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
dgst_raw, dgst_raw_len);
break;
case SSH_FP_BASE64:
retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
dgst_raw, dgst_raw_len);
break;
case SSH_FP_BUBBLEBABBLE:
retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
break;
case SSH_FP_RANDOMART:
retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
dgst_raw, dgst_raw_len, k);
break;
default:
explicit_bzero(dgst_raw, dgst_raw_len);
free(dgst_raw);
return NULL;
}
explicit_bzero(dgst_raw, dgst_raw_len);
free(dgst_raw);
return retval;
}
static int
peek_type_nid(const char *s, size_t l, int *nid)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->name == NULL || strlen(kt->name) != l)
continue;
if (memcmp(s, kt->name, l) == 0) {
*nid = -1;
if (key_type_is_ecdsa_variant(kt->type))
*nid = kt->nid;
return kt->type;
}
}
return KEY_UNSPEC;
}
/* XXX this can now be made const char * */
int
sshkey_read(struct sshkey *ret, char **cpp)
{
struct sshkey *k;
char *cp, *blobcopy;
size_t space;
int r, type, curve_nid = -1;
struct sshbuf *blob;
if (ret == NULL)
return SSH_ERR_INVALID_ARGUMENT;
switch (ret->type) {
case KEY_UNSPEC:
case KEY_RSA:
case KEY_DSA:
case KEY_ECDSA:
case KEY_ECDSA_SK:
case KEY_ED25519:
case KEY_ED25519_SK:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK_CERT:
case KEY_RSA_CERT:
case KEY_ED25519_CERT:
case KEY_ED25519_SK_CERT:
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
#endif /* WITH_XMSS */
break; /* ok */
default:
return SSH_ERR_INVALID_ARGUMENT;
}
/* Decode type */
cp = *cpp;
space = strcspn(cp, " \t");
if (space == strlen(cp))
return SSH_ERR_INVALID_FORMAT;
if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
return SSH_ERR_INVALID_FORMAT;
/* skip whitespace */
for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
;
if (*cp == '\0')
return SSH_ERR_INVALID_FORMAT;
if (ret->type != KEY_UNSPEC && ret->type != type)
return SSH_ERR_KEY_TYPE_MISMATCH;
if ((blob = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
/* find end of keyblob and decode */
space = strcspn(cp, " \t");
if ((blobcopy = strndup(cp, space)) == NULL) {
sshbuf_free(blob);
return SSH_ERR_ALLOC_FAIL;
}
if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
free(blobcopy);
sshbuf_free(blob);
return r;
}
free(blobcopy);
if ((r = sshkey_fromb(blob, &k)) != 0) {
sshbuf_free(blob);
return r;
}
sshbuf_free(blob);
/* skip whitespace and leave cp at start of comment */
for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
;
/* ensure type of blob matches type at start of line */
if (k->type != type) {
sshkey_free(k);
return SSH_ERR_KEY_TYPE_MISMATCH;
}
if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) {
sshkey_free(k);
return SSH_ERR_EC_CURVE_MISMATCH;
}
/* Fill in ret from parsed key */
ret->type = type;
if (sshkey_is_cert(ret)) {
if (!sshkey_is_cert(k)) {
sshkey_free(k);
return SSH_ERR_EXPECTED_CERT;
}
if (ret->cert != NULL)
cert_free(ret->cert);
ret->cert = k->cert;
k->cert = NULL;
}
switch (sshkey_type_plain(ret->type)) {
#ifdef WITH_OPENSSL
case KEY_RSA:
RSA_free(ret->rsa);
ret->rsa = k->rsa;
k->rsa = NULL;
#ifdef DEBUG_PK
RSA_print_fp(stderr, ret->rsa, 8);
#endif
break;
case KEY_DSA:
DSA_free(ret->dsa);
ret->dsa = k->dsa;
k->dsa = NULL;
#ifdef DEBUG_PK
DSA_print_fp(stderr, ret->dsa, 8);
#endif
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
EC_KEY_free(ret->ecdsa);
ret->ecdsa = k->ecdsa;
ret->ecdsa_nid = k->ecdsa_nid;
k->ecdsa = NULL;
k->ecdsa_nid = -1;
#ifdef DEBUG_PK
sshkey_dump_ec_key(ret->ecdsa);
#endif
break;
case KEY_ECDSA_SK:
EC_KEY_free(ret->ecdsa);
ret->ecdsa = k->ecdsa;
ret->ecdsa_nid = k->ecdsa_nid;
ret->sk_application = k->sk_application;
k->ecdsa = NULL;
k->ecdsa_nid = -1;
k->sk_application = NULL;
#ifdef DEBUG_PK
sshkey_dump_ec_key(ret->ecdsa);
fprintf(stderr, "App: %s\n", ret->sk_application);
#endif
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
case KEY_ED25519:
freezero(ret->ed25519_pk, ED25519_PK_SZ);
ret->ed25519_pk = k->ed25519_pk;
k->ed25519_pk = NULL;
#ifdef DEBUG_PK
/* XXX */
#endif
break;
case KEY_ED25519_SK:
freezero(ret->ed25519_pk, ED25519_PK_SZ);
ret->ed25519_pk = k->ed25519_pk;
ret->sk_application = k->sk_application;
k->ed25519_pk = NULL;
k->sk_application = NULL;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
free(ret->xmss_pk);
ret->xmss_pk = k->xmss_pk;
k->xmss_pk = NULL;
free(ret->xmss_state);
ret->xmss_state = k->xmss_state;
k->xmss_state = NULL;
free(ret->xmss_name);
ret->xmss_name = k->xmss_name;
k->xmss_name = NULL;
free(ret->xmss_filename);
ret->xmss_filename = k->xmss_filename;
k->xmss_filename = NULL;
#ifdef DEBUG_PK
/* XXX */
#endif
break;
#endif /* WITH_XMSS */
default:
sshkey_free(k);
return SSH_ERR_INTERNAL_ERROR;
}
sshkey_free(k);
/* success */
*cpp = cp;
return 0;
}
int
sshkey_to_base64(const struct sshkey *key, char **b64p)
{
int r = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *uu = NULL;
if (b64p != NULL)
*b64p = NULL;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_putb(key, b)) != 0)
goto out;
if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* Success */
if (b64p != NULL) {
*b64p = uu;
uu = NULL;
}
r = 0;
out:
sshbuf_free(b);
free(uu);
return r;
}
int
sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
{
int r = SSH_ERR_INTERNAL_ERROR;
char *uu = NULL;
if ((r = sshkey_to_base64(key, &uu)) != 0)
goto out;
if ((r = sshbuf_putf(b, "%s %s",
sshkey_ssh_name(key), uu)) != 0)
goto out;
r = 0;
out:
free(uu);
return r;
}
int
sshkey_write(const struct sshkey *key, FILE *f)
{
struct sshbuf *b = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_format_text(key, b)) != 0)
goto out;
if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
if (feof(f))
errno = EPIPE;
r = SSH_ERR_SYSTEM_ERROR;
goto out;
}
/* Success */
r = 0;
out:
sshbuf_free(b);
return r;
}
const char *
sshkey_cert_type(const struct sshkey *k)
{
switch (k->cert->type) {
case SSH2_CERT_TYPE_USER:
return "user";
case SSH2_CERT_TYPE_HOST:
return "host";
default:
return "unknown";
}
}
#ifdef WITH_OPENSSL
static int
rsa_generate_private_key(u_int bits, RSA **rsap)
{
RSA *private = NULL;
BIGNUM *f4 = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
if (rsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
bits > SSHBUF_MAX_BIGNUM * 8)
return SSH_ERR_KEY_LENGTH;
*rsap = NULL;
if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
*rsap = private;
private = NULL;
ret = 0;
out:
RSA_free(private);
BN_free(f4);
return ret;
}
static int
dsa_generate_private_key(u_int bits, DSA **dsap)
{
DSA *private;
int ret = SSH_ERR_INTERNAL_ERROR;
if (dsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (bits != 1024)
return SSH_ERR_KEY_LENGTH;
if ((private = DSA_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
*dsap = NULL;
if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
NULL, NULL) || !DSA_generate_key(private)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
*dsap = private;
private = NULL;
ret = 0;
out:
DSA_free(private);
return ret;
}
# ifdef OPENSSL_HAS_ECC
int
sshkey_ecdsa_key_to_nid(EC_KEY *k)
{
EC_GROUP *eg;
int nids[] = {
NID_X9_62_prime256v1,
NID_secp384r1,
# ifdef OPENSSL_HAS_NISTP521
NID_secp521r1,
# endif /* OPENSSL_HAS_NISTP521 */
-1
};
int nid;
u_int i;
const EC_GROUP *g = EC_KEY_get0_group(k);
/*
* The group may be stored in a ASN.1 encoded private key in one of two
* ways: as a "named group", which is reconstituted by ASN.1 object ID
* or explicit group parameters encoded into the key blob. Only the
* "named group" case sets the group NID for us, but we can figure
* it out for the other case by comparing against all the groups that
* are supported.
*/
if ((nid = EC_GROUP_get_curve_name(g)) > 0)
return nid;
for (i = 0; nids[i] != -1; i++) {
if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
return -1;
if (EC_GROUP_cmp(g, eg, NULL) == 0)
break;
EC_GROUP_free(eg);
}
if (nids[i] != -1) {
/* Use the group with the NID attached */
EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
if (EC_KEY_set_group(k, eg) != 1) {
EC_GROUP_free(eg);
return -1;
}
}
return nids[i];
}
static int
ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
{
EC_KEY *private;
int ret = SSH_ERR_INTERNAL_ERROR;
if (nid == NULL || ecdsap == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
return SSH_ERR_KEY_LENGTH;
*ecdsap = NULL;
if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_generate_key(private) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
*ecdsap = private;
private = NULL;
ret = 0;
out:
EC_KEY_free(private);
return ret;
}
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
int
sshkey_generate(int type, u_int bits, struct sshkey **keyp)
{
struct sshkey *k;
int ret = SSH_ERR_INTERNAL_ERROR;
if (keyp == NULL)
return SSH_ERR_INVALID_ARGUMENT;
*keyp = NULL;
if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
return SSH_ERR_ALLOC_FAIL;
switch (type) {
case KEY_ED25519:
if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
(k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
break;
}
crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
ret = 0;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
ret = sshkey_xmss_generate_private_key(k, bits);
break;
#endif /* WITH_XMSS */
#ifdef WITH_OPENSSL
case KEY_DSA:
ret = dsa_generate_private_key(bits, &k->dsa);
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
&k->ecdsa);
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
ret = rsa_generate_private_key(bits, &k->rsa);
break;
#endif /* WITH_OPENSSL */
default:
ret = SSH_ERR_INVALID_ARGUMENT;
}
if (ret == 0) {
k->type = type;
*keyp = k;
} else
sshkey_free(k);
return ret;
}
int
sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
{
u_int i;
const struct sshkey_cert *from;
struct sshkey_cert *to;
int r = SSH_ERR_INTERNAL_ERROR;
if (to_key == NULL || (from = from_key->cert) == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((to = cert_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
(r = sshbuf_putb(to->critical, from->critical)) != 0 ||
(r = sshbuf_putb(to->extensions, from->extensions)) != 0)
goto out;
to->serial = from->serial;
to->type = from->type;
if (from->key_id == NULL)
to->key_id = NULL;
else if ((to->key_id = strdup(from->key_id)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
to->valid_after = from->valid_after;
to->valid_before = from->valid_before;
if (from->signature_key == NULL)
to->signature_key = NULL;
else if ((r = sshkey_from_private(from->signature_key,
&to->signature_key)) != 0)
goto out;
if (from->signature_type != NULL &&
(to->signature_type = strdup(from->signature_type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if (from->nprincipals > 0) {
if ((to->principals = calloc(from->nprincipals,
sizeof(*to->principals))) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
for (i = 0; i < from->nprincipals; i++) {
to->principals[i] = strdup(from->principals[i]);
if (to->principals[i] == NULL) {
to->nprincipals = i;
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
}
}
to->nprincipals = from->nprincipals;
/* success */
cert_free(to_key->cert);
to_key->cert = to;
to = NULL;
r = 0;
out:
cert_free(to);
return r;
}
int
sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
{
struct sshkey *n = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
#ifdef WITH_OPENSSL
const BIGNUM *rsa_n, *rsa_e;
BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL;
const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL;
BIGNUM *dsa_pub_key_dup = NULL;
#endif /* WITH_OPENSSL */
*pkp = NULL;
if ((n = sshkey_new(k->type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
case KEY_DSA_CERT:
DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
if ((dsa_p_dup = BN_dup(dsa_p)) == NULL ||
(dsa_q_dup = BN_dup(dsa_q)) == NULL ||
(dsa_g_dup = BN_dup(dsa_g)) == NULL ||
(dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */
if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_pub_key_dup = NULL; /* transferred */
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK:
case KEY_ECDSA_SK_CERT:
n->ecdsa_nid = k->ecdsa_nid;
n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
if (n->ecdsa == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_set_public_key(n->ecdsa,
EC_KEY_get0_public_key(k->ecdsa)) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT)
break;
/* Append security-key application string */
if ((n->sk_application = strdup(k->sk_application)) == NULL)
goto out;
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
case KEY_RSA_CERT:
RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
if ((rsa_n_dup = BN_dup(rsa_n)) == NULL ||
(rsa_e_dup = BN_dup(rsa_e)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rsa_n_dup = rsa_e_dup = NULL; /* transferred */
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
if (k->ed25519_pk != NULL) {
if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
}
if (k->type != KEY_ED25519_SK &&
k->type != KEY_ED25519_SK_CERT)
break;
/* Append security-key application string */
if ((n->sk_application = strdup(k->sk_application)) == NULL)
goto out;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0)
goto out;
if (k->xmss_pk != NULL) {
u_int32_t left;
size_t pklen = sshkey_xmss_pklen(k);
if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
if ((n->xmss_pk = malloc(pklen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(n->xmss_pk, k->xmss_pk, pklen);
/* simulate number of signatures left on pubkey */
left = sshkey_xmss_signatures_left(k);
if (left)
sshkey_xmss_enable_maxsign(n, left);
}
break;
#endif /* WITH_XMSS */
default:
r = SSH_ERR_KEY_TYPE_UNKNOWN;
goto out;
}
if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
goto out;
/* success */
*pkp = n;
n = NULL;
r = 0;
out:
sshkey_free(n);
#ifdef WITH_OPENSSL
BN_clear_free(rsa_n_dup);
BN_clear_free(rsa_e_dup);
BN_clear_free(dsa_p_dup);
BN_clear_free(dsa_q_dup);
BN_clear_free(dsa_g_dup);
BN_clear_free(dsa_pub_key_dup);
#endif
return r;
}
int
sshkey_is_shielded(struct sshkey *k)
{
return k != NULL && k->shielded_private != NULL;
}
int
sshkey_shield_private(struct sshkey *k)
{
struct sshbuf *prvbuf = NULL;
u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH];
struct sshcipher_ctx *cctx = NULL;
const struct sshcipher *cipher;
size_t i, enclen = 0;
struct sshkey *kswap = NULL, tmp;
int r = SSH_ERR_INTERNAL_ERROR;
#ifdef DEBUG_PK
fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
#endif
if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
/* Prepare a random pre-key, and from it an ephemeral key */
if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN);
if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
prekey, SSHKEY_SHIELD_PREKEY_LEN,
keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
goto out;
#ifdef DEBUG_PK
fprintf(stderr, "%s: key+iv\n", __func__);
sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
stderr);
#endif
if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
goto out;
/* Serialise and encrypt the private key using the ephemeral key */
if ((prvbuf = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
goto out;
if ((r = sshkey_private_serialize_opt(k, prvbuf,
SSHKEY_SERIALIZE_SHIELD)) != 0)
goto out;
/* pad to cipher blocksize */
i = 0;
while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
goto out;
}
#ifdef DEBUG_PK
fprintf(stderr, "%s: serialised\n", __func__);
sshbuf_dump(prvbuf, stderr);
#endif
/* encrypt */
enclen = sshbuf_len(prvbuf);
if ((enc = malloc(enclen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = cipher_crypt(cctx, 0, enc,
sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
goto out;
#ifdef DEBUG_PK
fprintf(stderr, "%s: encrypted\n", __func__);
sshbuf_dump_data(enc, enclen, stderr);
#endif
/* Make a scrubbed, public-only copy of our private key argument */
if ((r = sshkey_from_private(k, &kswap)) != 0)
goto out;
/* Swap the private key out (it will be destroyed below) */
tmp = *kswap;
*kswap = *k;
*k = tmp;
/* Insert the shielded key into our argument */
k->shielded_private = enc;
k->shielded_len = enclen;
k->shield_prekey = prekey;
k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN;
enc = prekey = NULL; /* transferred */
enclen = 0;
/* success */
r = 0;
out:
/* XXX behaviour on error - invalidate original private key? */
cipher_free(cctx);
explicit_bzero(keyiv, sizeof(keyiv));
explicit_bzero(&tmp, sizeof(tmp));
freezero(enc, enclen);
freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN);
sshkey_free(kswap);
sshbuf_free(prvbuf);
return r;
}
int
sshkey_unshield_private(struct sshkey *k)
{
struct sshbuf *prvbuf = NULL;
u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH];
struct sshcipher_ctx *cctx = NULL;
const struct sshcipher *cipher;
size_t i;
struct sshkey *kswap = NULL, tmp;
int r = SSH_ERR_INTERNAL_ERROR;
#ifdef DEBUG_PK
fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
#endif
if (!sshkey_is_shielded(k))
return 0; /* nothing to do */
if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
/* check size of shielded key blob */
if (k->shielded_len < cipher_blocksize(cipher) ||
(k->shielded_len % cipher_blocksize(cipher)) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* Calculate the ephemeral key from the prekey */
if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
k->shield_prekey, k->shield_prekey_len,
keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
goto out;
if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
goto out;
#ifdef DEBUG_PK
fprintf(stderr, "%s: key+iv\n", __func__);
sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
stderr);
#endif
/* Decrypt and parse the shielded private key using the ephemeral key */
if ((prvbuf = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
goto out;
/* decrypt */
#ifdef DEBUG_PK
fprintf(stderr, "%s: encrypted\n", __func__);
sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr);
#endif
if ((r = cipher_crypt(cctx, 0, cp,
k->shielded_private, k->shielded_len, 0, 0)) != 0)
goto out;
#ifdef DEBUG_PK
fprintf(stderr, "%s: serialised\n", __func__);
sshbuf_dump(prvbuf, stderr);
#endif
/* Parse private key */
if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
goto out;
/* Check deterministic padding */
i = 0;
while (sshbuf_len(prvbuf)) {
if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0)
goto out;
if (pad != (++i & 0xff)) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
}
/* Swap the parsed key back into place */
tmp = *kswap;
*kswap = *k;
*k = tmp;
/* success */
r = 0;
out:
cipher_free(cctx);
explicit_bzero(keyiv, sizeof(keyiv));
explicit_bzero(&tmp, sizeof(tmp));
sshkey_free(kswap);
sshbuf_free(prvbuf);
return r;
}
static int
cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
{
struct sshbuf *principals = NULL, *crit = NULL;
struct sshbuf *exts = NULL, *ca = NULL;
u_char *sig = NULL;
size_t signed_len = 0, slen = 0, kidlen = 0;
int ret = SSH_ERR_INTERNAL_ERROR;
/* Copy the entire key blob for verification and later serialisation */
if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
return ret;
/* Parse body of certificate up to signature */
if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
(ret = sshbuf_froms(b, &principals)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
(ret = sshbuf_froms(b, &crit)) != 0 ||
(ret = sshbuf_froms(b, &exts)) != 0 ||
(ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
(ret = sshbuf_froms(b, &ca)) != 0) {
/* XXX debug print error for ret */
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* Signature is left in the buffer so we can calculate this length */
signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (key->cert->type != SSH2_CERT_TYPE_USER &&
key->cert->type != SSH2_CERT_TYPE_HOST) {
ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
goto out;
}
/* Parse principals section */
while (sshbuf_len(principals) > 0) {
char *principal = NULL;
char **oprincipals = NULL;
if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((ret = sshbuf_get_cstring(principals, &principal,
NULL)) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
oprincipals = key->cert->principals;
key->cert->principals = recallocarray(key->cert->principals,
key->cert->nprincipals, key->cert->nprincipals + 1,
sizeof(*key->cert->principals));
if (key->cert->principals == NULL) {
free(principal);
key->cert->principals = oprincipals;
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
key->cert->principals[key->cert->nprincipals++] = principal;
}
/*
* Stash a copies of the critical options and extensions sections
* for later use.
*/
if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
(exts != NULL &&
(ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
goto out;
/*
* Validate critical options and extensions sections format.
*/
while (sshbuf_len(crit) != 0) {
if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
(ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
sshbuf_reset(key->cert->critical);
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
}
while (exts != NULL && sshbuf_len(exts) != 0) {
if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
(ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
sshbuf_reset(key->cert->extensions);
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
}
/* Parse CA key and check signature */
if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
goto out;
}
if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
goto out;
}
if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0)
goto out;
if ((ret = sshkey_get_sigtype(sig, slen,
&key->cert->signature_type)) != 0)
goto out;
/* Success */
ret = 0;
out:
sshbuf_free(ca);
sshbuf_free(crit);
sshbuf_free(exts);
sshbuf_free(principals);
free(sig);
return ret;
}
#ifdef WITH_OPENSSL
static int
check_rsa_length(const RSA *rsa)
{
const BIGNUM *rsa_n;
RSA_get0_key(rsa, &rsa_n, NULL, NULL);
if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_KEY_LENGTH;
return 0;
}
#endif
static int
sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
int allow_cert)
{
int type, ret = SSH_ERR_INTERNAL_ERROR;
char *ktype = NULL, *curve = NULL, *xmss_name = NULL;
struct sshkey *key = NULL;
size_t len;
u_char *pk = NULL;
struct sshbuf *copy;
#if defined(WITH_OPENSSL)
BIGNUM *rsa_n = NULL, *rsa_e = NULL;
BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
# if defined(OPENSSL_HAS_ECC)
EC_POINT *q = NULL;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
#ifdef DEBUG_PK /* XXX */
sshbuf_dump(b, stderr);
#endif
if (keyp != NULL)
*keyp = NULL;
if ((copy = sshbuf_fromb(b)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
type = sshkey_type_from_name(ktype);
if (!allow_cert && sshkey_type_is_cert(type)) {
ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
goto out;
}
switch (type) {
#ifdef WITH_OPENSSL
case KEY_RSA_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* FALLTHROUGH */
case KEY_RSA:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshbuf_get_bignum2(b, &rsa_e) != 0 ||
sshbuf_get_bignum2(b, &rsa_n) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rsa_n = rsa_e = NULL; /* transferred */
if ((ret = check_rsa_length(key->rsa)) != 0)
goto out;
#ifdef DEBUG_PK
RSA_print_fp(stderr, key->rsa, 8);
#endif
break;
case KEY_DSA_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* FALLTHROUGH */
case KEY_DSA:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshbuf_get_bignum2(b, &dsa_p) != 0 ||
sshbuf_get_bignum2(b, &dsa_q) != 0 ||
sshbuf_get_bignum2(b, &dsa_g) != 0 ||
sshbuf_get_bignum2(b, &dsa_pub_key) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_p = dsa_q = dsa_g = NULL; /* transferred */
if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_pub_key = NULL; /* transferred */
#ifdef DEBUG_PK
DSA_print_fp(stderr, key->dsa, 8);
#endif
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* FALLTHROUGH */
case KEY_ECDSA:
case KEY_ECDSA_SK:
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
ret = SSH_ERR_EC_CURVE_MISMATCH;
goto out;
}
EC_KEY_free(key->ecdsa);
if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
== NULL) {
ret = SSH_ERR_EC_CURVE_INVALID;
goto out;
}
if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
q) != 0) {
ret = SSH_ERR_KEY_INVALID_EC_VALUE;
goto out;
}
if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
/* XXX assume it is a allocation error */
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
#ifdef DEBUG_PK
sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
#endif
if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) {
/* Parse additional security-key application string */
if (sshbuf_get_cstring(b, &key->sk_application,
NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
#ifdef DEBUG_PK
fprintf(stderr, "App: %s\n", key->sk_application);
#endif
}
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
case KEY_ED25519_CERT:
case KEY_ED25519_SK_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* FALLTHROUGH */
case KEY_ED25519:
case KEY_ED25519_SK:
if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
goto out;
if (len != ED25519_PK_SZ) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) {
/* Parse additional security-key application string */
if (sshbuf_get_cstring(b, &key->sk_application,
NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
#ifdef DEBUG_PK
fprintf(stderr, "App: %s\n", key->sk_application);
#endif
}
key->ed25519_pk = pk;
pk = NULL;
break;
#ifdef WITH_XMSS
case KEY_XMSS_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* FALLTHROUGH */
case KEY_XMSS:
if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0)
goto out;
if ((key = sshkey_new(type)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshkey_xmss_init(key, xmss_name)) != 0)
goto out;
if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
goto out;
if (len == 0 || len != sshkey_xmss_pklen(key)) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
key->xmss_pk = pk;
pk = NULL;
if (type != KEY_XMSS_CERT &&
(ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0)
goto out;
break;
#endif /* WITH_XMSS */
case KEY_UNSPEC:
default:
ret = SSH_ERR_KEY_TYPE_UNKNOWN;
goto out;
}
/* Parse certificate potion */
if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
goto out;
if (key != NULL && sshbuf_len(b) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
ret = 0;
if (keyp != NULL) {
*keyp = key;
key = NULL;
}
out:
sshbuf_free(copy);
sshkey_free(key);
free(xmss_name);
free(ktype);
free(curve);
free(pk);
#if defined(WITH_OPENSSL)
BN_clear_free(rsa_n);
BN_clear_free(rsa_e);
BN_clear_free(dsa_p);
BN_clear_free(dsa_q);
BN_clear_free(dsa_g);
BN_clear_free(dsa_pub_key);
# if defined(OPENSSL_HAS_ECC)
EC_POINT_free(q);
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
return ret;
}
int
sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
{
struct sshbuf *b;
int r;
if ((b = sshbuf_from(blob, blen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
r = sshkey_from_blob_internal(b, keyp, 1);
sshbuf_free(b);
return r;
}
int
sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
{
return sshkey_from_blob_internal(b, keyp, 1);
}
int
sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
{
struct sshbuf *b;
int r;
if ((r = sshbuf_froms(buf, &b)) != 0)
return r;
r = sshkey_from_blob_internal(b, keyp, 1);
sshbuf_free(b);
return r;
}
int
sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
{
int r;
struct sshbuf *b = NULL;
char *sigtype = NULL;
if (sigtypep != NULL)
*sigtypep = NULL;
if ((b = sshbuf_from(sig, siglen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
goto out;
/* success */
if (sigtypep != NULL) {
*sigtypep = sigtype;
sigtype = NULL;
}
r = 0;
out:
free(sigtype);
sshbuf_free(b);
return r;
}
/*
*
* Checks whether a certificate's signature type is allowed.
* Returns 0 (success) if the certificate signature type appears in the
* "allowed" pattern-list, or the key is not a certificate to begin with.
* Otherwise returns a ssherr.h code.
*/
int
sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
{
if (key == NULL || allowed == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (!sshkey_type_is_cert(key->type))
return 0;
if (key->cert == NULL || key->cert->signature_type == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
return SSH_ERR_SIGN_ALG_UNSUPPORTED;
return 0;
}
/*
* Returns the expected signature algorithm for a given public key algorithm.
*/
const char *
sshkey_sigalg_by_name(const char *name)
{
const struct keytype *kt;
for (kt = keytypes; kt->type != -1; kt++) {
if (strcmp(kt->name, name) != 0)
continue;
if (kt->sigalg != NULL)
return kt->sigalg;
if (!kt->cert)
return kt->name;
return sshkey_ssh_name_from_type_nid(
sshkey_type_plain(kt->type), kt->nid);
}
return NULL;
}
/*
* Verifies that the signature algorithm appearing inside the signature blob
* matches that which was requested.
*/
int
sshkey_check_sigtype(const u_char *sig, size_t siglen,
const char *requested_alg)
{
const char *expected_alg;
char *sigtype = NULL;
int r;
if (requested_alg == NULL)
return 0;
if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
return r;
r = strcmp(expected_alg, sigtype) == 0;
free(sigtype);
return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED;
}
int
sshkey_sign(struct sshkey *key,
u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen,
const char *alg, const char *sk_provider, u_int compat)
{
int was_shielded = sshkey_is_shielded(key);
int r2, r = SSH_ERR_INTERNAL_ERROR;
if (sigp != NULL)
*sigp = NULL;
if (lenp != NULL)
*lenp = 0;
if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
if ((r = sshkey_unshield_private(key)) != 0)
return r;
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT:
case KEY_DSA:
r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_CERT:
case KEY_ECDSA:
r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
case KEY_RSA:
r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
break;
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
case KEY_ECDSA_SK_CERT:
case KEY_ECDSA_SK:
r = sshsk_sign(sk_provider, key, sigp, lenp, data,
datalen, compat);
break;
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat);
break;
#endif /* WITH_XMSS */
default:
r = SSH_ERR_KEY_TYPE_UNKNOWN;
break;
}
if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
return r2;
return r;
}
/*
* ssh_key_verify returns 0 for a correct signature and < 0 on error.
* If "alg" specified, then the signature must use that algorithm.
*/
int
sshkey_verify(const struct sshkey *key,
const u_char *sig, size_t siglen,
const u_char *data, size_t dlen, const char *alg, u_int compat,
struct sshkey_sig_details **detailsp)
{
if (detailsp != NULL)
*detailsp = NULL;
if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT:
case KEY_DSA:
return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_CERT:
case KEY_ECDSA:
return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
case KEY_ECDSA_SK_CERT:
case KEY_ECDSA_SK:
return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
compat, detailsp);
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
case KEY_RSA:
return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
case KEY_ED25519_SK:
case KEY_ED25519_SK_CERT:
return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
compat, detailsp);
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
return ssh_xmss_verify(key, sig, siglen, data, dlen, compat);
#endif /* WITH_XMSS */
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
}
/* Convert a plain key to their _CERT equivalent */
int
sshkey_to_certified(struct sshkey *k)
{
int newtype;
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
newtype = KEY_RSA_CERT;
break;
case KEY_DSA:
newtype = KEY_DSA_CERT;
break;
case KEY_ECDSA:
newtype = KEY_ECDSA_CERT;
break;
case KEY_ECDSA_SK:
newtype = KEY_ECDSA_SK_CERT;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519_SK:
newtype = KEY_ED25519_SK_CERT;
break;
case KEY_ED25519:
newtype = KEY_ED25519_CERT;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
newtype = KEY_XMSS_CERT;
break;
#endif /* WITH_XMSS */
default:
return SSH_ERR_INVALID_ARGUMENT;
}
if ((k->cert = cert_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
k->type = newtype;
return 0;
}
/* Convert a certificate to its raw key equivalent */
int
sshkey_drop_cert(struct sshkey *k)
{
if (!sshkey_type_is_cert(k->type))
return SSH_ERR_KEY_TYPE_UNKNOWN;
cert_free(k->cert);
k->cert = NULL;
k->type = sshkey_type_plain(k->type);
return 0;
}
/* Sign a certified key, (re-)generating the signed certblob. */
int
sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx)
{
struct sshbuf *principals = NULL;
u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
size_t i, ca_len, sig_len;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *cert = NULL;
char *sigtype = NULL;
#ifdef WITH_OPENSSL
const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
#endif /* WITH_OPENSSL */
if (k == NULL || k->cert == NULL ||
k->cert->certblob == NULL || ca == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (!sshkey_is_cert(k))
return SSH_ERR_KEY_TYPE_UNKNOWN;
if (!sshkey_type_is_valid_ca(ca->type))
return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
/*
* If no alg specified as argument but a signature_type was set,
* then prefer that. If both were specified, then they must match.
*/
if (alg == NULL)
alg = k->cert->signature_type;
else if (k->cert->signature_type != NULL &&
strcmp(alg, k->cert->signature_type) != 0)
return SSH_ERR_INVALID_ARGUMENT;
/*
* If no signing algorithm or signature_type was specified and we're
* using a RSA key, then default to a good signature algorithm.
*/
if (alg == NULL && ca->type == KEY_RSA)
alg = "rsa-sha2-512";
if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
cert = k->cert->certblob; /* for readability */
sshbuf_reset(cert);
if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
goto out;
/* -v01 certs put nonce first */
arc4random_buf(&nonce, sizeof(nonce));
if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
goto out;
/* XXX this substantially duplicates to_blob(); refactor */
switch (k->type) {
#ifdef WITH_OPENSSL
case KEY_DSA_CERT:
DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 ||
(ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 ||
(ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 ||
(ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
goto out;
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK_CERT:
if ((ret = sshbuf_put_cstring(cert,
sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
(ret = sshbuf_put_ec(cert,
EC_KEY_get0_public_key(k->ecdsa),
EC_KEY_get0_group(k->ecdsa))) != 0)
goto out;
if (k->type == KEY_ECDSA_SK_CERT) {
if ((ret = sshbuf_put_cstring(cert,
k->sk_application)) != 0)
goto out;
}
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA_CERT:
RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 ||
(ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
goto out;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519_CERT:
case KEY_ED25519_SK_CERT:
if ((ret = sshbuf_put_string(cert,
k->ed25519_pk, ED25519_PK_SZ)) != 0)
goto out;
if (k->type == KEY_ED25519_SK_CERT) {
if ((ret = sshbuf_put_cstring(cert,
k->sk_application)) != 0)
goto out;
}
break;
#ifdef WITH_XMSS
case KEY_XMSS_CERT:
if (k->xmss_name == NULL) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) ||
(ret = sshbuf_put_string(cert,
k->xmss_pk, sshkey_xmss_pklen(k))) != 0)
goto out;
break;
#endif /* WITH_XMSS */
default:
ret = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
(ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
goto out;
if ((principals = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
for (i = 0; i < k->cert->nprincipals; i++) {
if ((ret = sshbuf_put_cstring(principals,
k->cert->principals[i])) != 0)
goto out;
}
if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
(ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
(ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
goto out;
/* Sign the whole mess */
if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0)
goto out;
/* Check and update signature_type against what was actually used */
if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
goto out;
if (alg != NULL && strcmp(alg, sigtype) != 0) {
ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
goto out;
}
if (k->cert->signature_type == NULL) {
k->cert->signature_type = sigtype;
sigtype = NULL;
}
/* Append signature and we are done */
if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
goto out;
ret = 0;
out:
if (ret != 0)
sshbuf_reset(cert);
free(sig_blob);
free(ca_blob);
free(sigtype);
sshbuf_free(principals);
return ret;
}
static int
default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen,
const char *alg, const char *sk_provider, u_int compat, void *ctx)
{
if (ctx != NULL)
return SSH_ERR_INVALID_ARGUMENT;
return sshkey_sign(key, sigp, lenp, data, datalen, alg,
sk_provider, compat);
}
int
sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
const char *sk_provider)
{
return sshkey_certify_custom(k, ca, alg, sk_provider,
default_key_sign, NULL);
}
int
sshkey_cert_check_authority(const struct sshkey *k,
int want_host, int require_principal,
const char *name, const char **reason)
{
u_int i, principal_matches;
time_t now = time(NULL);
if (reason != NULL)
*reason = NULL;
if (want_host) {
if (k->cert->type != SSH2_CERT_TYPE_HOST) {
*reason = "Certificate invalid: not a host certificate";
return SSH_ERR_KEY_CERT_INVALID;
}
} else {
if (k->cert->type != SSH2_CERT_TYPE_USER) {
*reason = "Certificate invalid: not a user certificate";
return SSH_ERR_KEY_CERT_INVALID;
}
}
if (now < 0) {
/* yikes - system clock before epoch! */
*reason = "Certificate invalid: not yet valid";
return SSH_ERR_KEY_CERT_INVALID;
}
if ((u_int64_t)now < k->cert->valid_after) {
*reason = "Certificate invalid: not yet valid";
return SSH_ERR_KEY_CERT_INVALID;
}
if ((u_int64_t)now >= k->cert->valid_before) {
*reason = "Certificate invalid: expired";
return SSH_ERR_KEY_CERT_INVALID;
}
if (k->cert->nprincipals == 0) {
if (require_principal) {
*reason = "Certificate lacks principal list";
return SSH_ERR_KEY_CERT_INVALID;
}
} else if (name != NULL) {
principal_matches = 0;
for (i = 0; i < k->cert->nprincipals; i++) {
if (strcmp(name, k->cert->principals[i]) == 0) {
principal_matches = 1;
break;
}
}
if (!principal_matches) {
*reason = "Certificate invalid: name is not a listed "
"principal";
return SSH_ERR_KEY_CERT_INVALID;
}
}
return 0;
}
size_t
sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
{
char from[32], to[32], ret[64];
time_t tt;
struct tm *tm;
*from = *to = '\0';
if (cert->valid_after == 0 &&
cert->valid_before == 0xffffffffffffffffULL)
return strlcpy(s, "forever", l);
if (cert->valid_after != 0) {
/* XXX revisit INT_MAX in 2038 :) */
tt = cert->valid_after > INT_MAX ?
INT_MAX : cert->valid_after;
tm = localtime(&tt);
strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
}
if (cert->valid_before != 0xffffffffffffffffULL) {
/* XXX revisit INT_MAX in 2038 :) */
tt = cert->valid_before > INT_MAX ?
INT_MAX : cert->valid_before;
tm = localtime(&tt);
strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
}
if (cert->valid_after == 0)
snprintf(ret, sizeof(ret), "before %s", to);
else if (cert->valid_before == 0xffffffffffffffffULL)
snprintf(ret, sizeof(ret), "after %s", from);
else
snprintf(ret, sizeof(ret), "from %s to %s", from, to);
return strlcpy(s, ret, l);
}
int
sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
enum sshkey_serialize_rep opts)
{
int r = SSH_ERR_INTERNAL_ERROR;
int was_shielded = sshkey_is_shielded(key);
struct sshbuf *b = NULL;
#ifdef WITH_OPENSSL
const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
#endif /* WITH_OPENSSL */
if ((r = sshkey_unshield_private(key)) != 0)
return r;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
goto out;
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_RSA:
RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_q)) != 0)
goto out;
break;
case KEY_RSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
(r = sshbuf_put_bignum2(b, rsa_q)) != 0)
goto out;
break;
case KEY_DSA:
DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
(r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
(r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
(r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
(r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
goto out;
break;
case KEY_DSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
goto out;
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
if ((r = sshbuf_put_cstring(b,
sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
(r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
(r = sshbuf_put_bignum2(b,
EC_KEY_get0_private_key(key->ecdsa))) != 0)
goto out;
break;
case KEY_ECDSA_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_bignum2(b,
EC_KEY_get0_private_key(key->ecdsa))) != 0)
goto out;
break;
case KEY_ECDSA_SK:
if ((r = sshbuf_put_cstring(b,
sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
(r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
(r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
(r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
goto out;
break;
case KEY_ECDSA_SK_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
(r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
goto out;
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
case KEY_ED25519:
if ((r = sshbuf_put_string(b, key->ed25519_pk,
ED25519_PK_SZ)) != 0 ||
(r = sshbuf_put_string(b, key->ed25519_sk,
ED25519_SK_SZ)) != 0)
goto out;
break;
case KEY_ED25519_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_string(b, key->ed25519_pk,
ED25519_PK_SZ)) != 0 ||
(r = sshbuf_put_string(b, key->ed25519_sk,
ED25519_SK_SZ)) != 0)
goto out;
break;
case KEY_ED25519_SK:
if ((r = sshbuf_put_string(b, key->ed25519_pk,
ED25519_PK_SZ)) != 0 ||
(r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
(r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
goto out;
break;
case KEY_ED25519_SK_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_string(b, key->ed25519_pk,
ED25519_PK_SZ)) != 0 ||
(r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
(r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
goto out;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
if (key->xmss_name == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
(r = sshbuf_put_string(b, key->xmss_pk,
sshkey_xmss_pklen(key))) != 0 ||
(r = sshbuf_put_string(b, key->xmss_sk,
sshkey_xmss_sklen(key))) != 0 ||
(r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
goto out;
break;
case KEY_XMSS_CERT:
if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 ||
key->xmss_name == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
(r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
(r = sshbuf_put_string(b, key->xmss_pk,
sshkey_xmss_pklen(key))) != 0 ||
(r = sshbuf_put_string(b, key->xmss_sk,
sshkey_xmss_sklen(key))) != 0 ||
(r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
goto out;
break;
#endif /* WITH_XMSS */
default:
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
/*
* success (but we still need to append the output to buf after
* possibly re-shielding the private key)
*/
r = 0;
out:
if (was_shielded)
r = sshkey_shield_private(key);
if (r == 0)
r = sshbuf_putb(buf, b);
sshbuf_free(b);
return r;
}
int
sshkey_private_serialize(struct sshkey *key, struct sshbuf *b)
{
return sshkey_private_serialize_opt(key, b,
SSHKEY_SERIALIZE_DEFAULT);
}
int
sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
{
char *tname = NULL, *curve = NULL, *xmss_name = NULL;
struct sshkey *k = NULL;
size_t pklen = 0, sklen = 0;
int type, r = SSH_ERR_INTERNAL_ERROR;
u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
u_char *xmss_pk = NULL, *xmss_sk = NULL;
#ifdef WITH_OPENSSL
BIGNUM *exponent = NULL;
BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
#endif /* WITH_OPENSSL */
if (kp != NULL)
*kp = NULL;
if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
goto out;
type = sshkey_type_from_name(tname);
switch (type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
goto out;
if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_p = dsa_q = dsa_g = NULL; /* transferred */
if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_pub_key = dsa_priv_key = NULL; /* transferred */
break;
case KEY_DSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
goto out;
if (k->type != type) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
dsa_priv_key = NULL; /* transferred */
break;
# ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
goto out;
if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
r = SSH_ERR_EC_CURVE_MISMATCH;
goto out;
}
k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
if (k->ecdsa == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
(r = sshbuf_get_bignum2(buf, &exponent)))
goto out;
if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
goto out;
break;
case KEY_ECDSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshbuf_get_bignum2(buf, &exponent)) != 0)
goto out;
if (k->type != type ||
k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
goto out;
break;
case KEY_ECDSA_SK:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
goto out;
if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
r = SSH_ERR_EC_CURVE_MISMATCH;
goto out;
}
if ((k->sk_key_handle = sshbuf_new()) == NULL ||
(k->sk_reserved = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
if (k->ecdsa == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
(r = sshbuf_get_cstring(buf, &k->sk_application,
NULL)) != 0 ||
(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
goto out;
if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
EC_KEY_get0_public_key(k->ecdsa))) != 0)
goto out;
break;
case KEY_ECDSA_SK_CERT:
if ((r = sshkey_froms(buf, &k)) != 0)
goto out;
if ((k->sk_key_handle = sshbuf_new()) == NULL ||
(k->sk_reserved = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_cstring(buf, &k->sk_application,
NULL)) != 0 ||
(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
goto out;
if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
EC_KEY_get0_public_key(k->ecdsa))) != 0)
goto out;
break;
# endif /* OPENSSL_HAS_ECC */
case KEY_RSA:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
goto out;
if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rsa_n = rsa_e = rsa_d = NULL; /* transferred */
if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rsa_p = rsa_q = NULL; /* transferred */
if ((r = check_rsa_length(k->rsa)) != 0)
goto out;
if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
goto out;
break;
case KEY_RSA_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
(r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
goto out;
if (k->type != type) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rsa_d = NULL; /* transferred */
if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rsa_p = rsa_q = NULL; /* transferred */
if ((r = check_rsa_length(k->rsa)) != 0)
goto out;
if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
goto out;
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
goto out;
if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
k->ed25519_pk = ed25519_pk;
k->ed25519_sk = ed25519_sk;
ed25519_pk = ed25519_sk = NULL;
break;
case KEY_ED25519_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
goto out;
if (k->type != type) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
k->ed25519_pk = ed25519_pk;
k->ed25519_sk = ed25519_sk;
ed25519_pk = ed25519_sk = NULL; /* transferred */
break;
case KEY_ED25519_SK:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
goto out;
if (pklen != ED25519_PK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((k->sk_key_handle = sshbuf_new()) == NULL ||
(k->sk_reserved = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_cstring(buf, &k->sk_application,
NULL)) != 0 ||
(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
goto out;
k->ed25519_pk = ed25519_pk;
ed25519_pk = NULL;
break;
case KEY_ED25519_SK_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
goto out;
if (k->type != type) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (pklen != ED25519_PK_SZ) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((k->sk_key_handle = sshbuf_new()) == NULL ||
(k->sk_reserved = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_cstring(buf, &k->sk_application,
NULL)) != 0 ||
(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
goto out;
k->ed25519_pk = ed25519_pk;
ed25519_pk = NULL; /* transferred */
break;
#ifdef WITH_XMSS
case KEY_XMSS:
if ((k = sshkey_new(type)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
(r = sshkey_xmss_init(k, xmss_name)) != 0 ||
(r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
(r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
goto out;
if (pklen != sshkey_xmss_pklen(k) ||
sklen != sshkey_xmss_sklen(k)) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
k->xmss_pk = xmss_pk;
k->xmss_sk = xmss_sk;
xmss_pk = xmss_sk = NULL;
/* optional internal state */
if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
goto out;
break;
case KEY_XMSS_CERT:
if ((r = sshkey_froms(buf, &k)) != 0 ||
(r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
(r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
(r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
goto out;
if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (pklen != sshkey_xmss_pklen(k) ||
sklen != sshkey_xmss_sklen(k)) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
k->xmss_pk = xmss_pk;
k->xmss_sk = xmss_sk;
xmss_pk = xmss_sk = NULL;
/* optional internal state */
if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
goto out;
break;
#endif /* WITH_XMSS */
default:
r = SSH_ERR_KEY_TYPE_UNKNOWN;
goto out;
}
#ifdef WITH_OPENSSL
/* enable blinding */
switch (k->type) {
case KEY_RSA:
case KEY_RSA_CERT:
if (RSA_blinding_on(k->rsa, NULL) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
break;
}
#endif /* WITH_OPENSSL */
/* success */
r = 0;
if (kp != NULL) {
*kp = k;
k = NULL;
}
out:
free(tname);
free(curve);
#ifdef WITH_OPENSSL
BN_clear_free(exponent);
BN_clear_free(dsa_p);
BN_clear_free(dsa_q);
BN_clear_free(dsa_g);
BN_clear_free(dsa_pub_key);
BN_clear_free(dsa_priv_key);
BN_clear_free(rsa_n);
BN_clear_free(rsa_e);
BN_clear_free(rsa_d);
BN_clear_free(rsa_p);
BN_clear_free(rsa_q);
BN_clear_free(rsa_iqmp);
#endif /* WITH_OPENSSL */
sshkey_free(k);
freezero(ed25519_pk, pklen);
freezero(ed25519_sk, sklen);
free(xmss_name);
freezero(xmss_pk, pklen);
freezero(xmss_sk, sklen);
return r;
}
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
int
sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
{
EC_POINT *nq = NULL;
BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL;
int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
/*
* NB. This assumes OpenSSL has already verified that the public
* point lies on the curve. This is done by EC_POINT_oct2point()
* implicitly calling EC_POINT_is_on_curve(). If this code is ever
* reachable with public points not unmarshalled using
* EC_POINT_oct2point then the caller will need to explicitly check.
*/
/*
* We shouldn't ever hit this case because bignum_get_ecpoint()
* refuses to load GF2m points.
*/
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
NID_X9_62_prime_field)
goto out;
/* Q != infinity */
if (EC_POINT_is_at_infinity(group, public))
goto out;
if ((x = BN_new()) == NULL ||
(y = BN_new()) == NULL ||
(order = BN_new()) == NULL ||
(tmp = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
if (EC_GROUP_get_order(group, order, NULL) != 1 ||
EC_POINT_get_affine_coordinates_GFp(group, public,
x, y, NULL) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
BN_num_bits(y) <= BN_num_bits(order) / 2)
goto out;
/* nQ == infinity (n == order of subgroup) */
if ((nq = EC_POINT_new(group)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (EC_POINT_is_at_infinity(group, nq) != 1)
goto out;
/* x < order - 1, y < order - 1 */
if (!BN_sub(tmp, order, BN_value_one())) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
goto out;
ret = 0;
out:
BN_clear_free(x);
BN_clear_free(y);
BN_clear_free(order);
BN_clear_free(tmp);
EC_POINT_free(nq);
return ret;
}
int
sshkey_ec_validate_private(const EC_KEY *key)
{
BIGNUM *order = NULL, *tmp = NULL;
int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* log2(private) > log2(order)/2 */
if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
BN_num_bits(order) / 2)
goto out;
/* private < order - 1 */
if (!BN_sub(tmp, order, BN_value_one())) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
goto out;
ret = 0;
out:
BN_clear_free(order);
BN_clear_free(tmp);
return ret;
}
void
sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
{
BIGNUM *x = NULL, *y = NULL;
if (point == NULL) {
fputs("point=(NULL)\n", stderr);
return;
}
if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) {
fprintf(stderr, "%s: BN_new failed\n", __func__);
goto out;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
NID_X9_62_prime_field) {
fprintf(stderr, "%s: group is not a prime field\n", __func__);
goto out;
}
if (EC_POINT_get_affine_coordinates_GFp(group, point,
x, y, NULL) != 1) {
fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
__func__);
goto out;
}
fputs("x=", stderr);
BN_print_fp(stderr, x);
fputs("\ny=", stderr);
BN_print_fp(stderr, y);
fputs("\n", stderr);
out:
BN_clear_free(x);
BN_clear_free(y);
}
void
sshkey_dump_ec_key(const EC_KEY *key)
{
const BIGNUM *exponent;
sshkey_dump_ec_point(EC_KEY_get0_group(key),
EC_KEY_get0_public_key(key));
fputs("exponent=", stderr);
if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
fputs("(NULL)", stderr);
else
BN_print_fp(stderr, EC_KEY_get0_private_key(key));
fputs("\n", stderr);
}
#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
static int
sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob,
const char *passphrase, const char *comment, const char *ciphername,
int rounds)
{
u_char *cp, *key = NULL, *pubkeyblob = NULL;
u_char salt[SALT_LEN];
char *b64 = NULL;
size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
u_int check;
int r = SSH_ERR_INTERNAL_ERROR;
struct sshcipher_ctx *ciphercontext = NULL;
const struct sshcipher *cipher;
const char *kdfname = KDFNAME;
struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
if (rounds <= 0)
rounds = DEFAULT_ROUNDS;
if (passphrase == NULL || !strlen(passphrase)) {
ciphername = "none";
kdfname = "none";
} else if (ciphername == NULL)
ciphername = DEFAULT_CIPHERNAME;
if ((cipher = cipher_by_name(ciphername)) == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((kdf = sshbuf_new()) == NULL ||
(encoded = sshbuf_new()) == NULL ||
(encrypted = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
blocksize = cipher_blocksize(cipher);
keylen = cipher_keylen(cipher);
ivlen = cipher_ivlen(cipher);
authlen = cipher_authlen(cipher);
if ((key = calloc(1, keylen + ivlen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (strcmp(kdfname, "bcrypt") == 0) {
arc4random_buf(salt, SALT_LEN);
if (bcrypt_pbkdf(passphrase, strlen(passphrase),
salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
(r = sshbuf_put_u32(kdf, rounds)) != 0)
goto out;
} else if (strcmp(kdfname, "none") != 0) {
/* Unsupported KDF type */
r = SSH_ERR_KEY_UNKNOWN_CIPHER;
goto out;
}
if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
key + keylen, ivlen, 1)) != 0)
goto out;
if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
(r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
(r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
(r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
(r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */
(r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
(r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
goto out;
/* set up the buffer that will be encrypted */
/* Random check bytes */
check = arc4random();
if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
(r = sshbuf_put_u32(encrypted, check)) != 0)
goto out;
/* append private key and comment*/
if ((r = sshkey_private_serialize_opt(prv, encrypted,
SSHKEY_SERIALIZE_FULL)) != 0 ||
(r = sshbuf_put_cstring(encrypted, comment)) != 0)
goto out;
/* padding */
i = 0;
while (sshbuf_len(encrypted) % blocksize) {
if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
goto out;
}
/* length in destination buffer */
if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
goto out;
/* encrypt */
if ((r = sshbuf_reserve(encoded,
sshbuf_len(encrypted) + authlen, &cp)) != 0)
goto out;
if ((r = cipher_crypt(ciphercontext, 0, cp,
sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
goto out;
sshbuf_reset(blob);
/* assemble uuencoded key */
if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 ||
(r = sshbuf_dtob64(encoded, blob, 1)) != 0 ||
(r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
goto out;
/* success */
r = 0;
out:
sshbuf_free(kdf);
sshbuf_free(encoded);
sshbuf_free(encrypted);
cipher_free(ciphercontext);
explicit_bzero(salt, sizeof(salt));
if (key != NULL) {
explicit_bzero(key, keylen + ivlen);
free(key);
}
if (pubkeyblob != NULL) {
explicit_bzero(pubkeyblob, pubkeylen);
free(pubkeyblob);
}
if (b64 != NULL) {
explicit_bzero(b64, strlen(b64));
free(b64);
}
return r;
}
static int
sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
struct sshkey **keyp, char **commentp)
{
char *comment = NULL, *ciphername = NULL, *kdfname = NULL;
const struct sshcipher *cipher = NULL;
const u_char *cp;
int r = SSH_ERR_INTERNAL_ERROR;
size_t encoded_len;
size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0;
struct sshbuf *encoded = NULL, *decoded = NULL;
struct sshbuf *kdf = NULL, *decrypted = NULL;
struct sshcipher_ctx *ciphercontext = NULL;
struct sshkey *k = NULL;
u_char *key = NULL, *salt = NULL, *dp, pad, last;
u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
if ((encoded = sshbuf_new()) == NULL ||
(decoded = sshbuf_new()) == NULL ||
(decrypted = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
/* check preamble */
cp = sshbuf_ptr(blob);
encoded_len = sshbuf_len(blob);
if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
cp += MARK_BEGIN_LEN;
encoded_len -= MARK_BEGIN_LEN;
/* Look for end marker, removing whitespace as we go */
while (encoded_len > 0) {
if (*cp != '\n' && *cp != '\r') {
if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
goto out;
}
last = *cp;
encoded_len--;
cp++;
if (last == '\n') {
if (encoded_len >= MARK_END_LEN &&
memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
/* \0 terminate */
if ((r = sshbuf_put_u8(encoded, 0)) != 0)
goto out;
break;
}
}
}
if (encoded_len == 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* decode base64 */
if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
goto out;
/* check magic */
if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* parse public portion of key */
if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
(r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
(r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
(r = sshbuf_froms(decoded, &kdf)) != 0 ||
(r = sshbuf_get_u32(decoded, &nkeys)) != 0 ||
(r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */
(r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
goto out;
if ((cipher = cipher_by_name(ciphername)) == NULL) {
r = SSH_ERR_KEY_UNKNOWN_CIPHER;
goto out;
}
if ((passphrase == NULL || strlen(passphrase) == 0) &&
strcmp(ciphername, "none") != 0) {
/* passphrase required */
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
goto out;
}
if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
r = SSH_ERR_KEY_UNKNOWN_CIPHER;
goto out;
}
if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (nkeys != 1) {
/* XXX only one key supported */
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* check size of encrypted key blob */
blocksize = cipher_blocksize(cipher);
if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* setup key */
keylen = cipher_keylen(cipher);
ivlen = cipher_ivlen(cipher);
authlen = cipher_authlen(cipher);
if ((key = calloc(1, keylen + ivlen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (strcmp(kdfname, "bcrypt") == 0) {
if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
(r = sshbuf_get_u32(kdf, &rounds)) != 0)
goto out;
if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
key, keylen + ivlen, rounds) < 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
}
/* check that an appropriate amount of auth data is present */
if (sshbuf_len(decoded) < authlen ||
sshbuf_len(decoded) - authlen < encrypted_len) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* decrypt private portion of key */
if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
(r = cipher_init(&ciphercontext, cipher, key, keylen,
key + keylen, ivlen, 0)) != 0)
goto out;
if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
encrypted_len, 0, authlen)) != 0) {
/* an integrity error here indicates an incorrect passphrase */
if (r == SSH_ERR_MAC_INVALID)
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
goto out;
}
if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
goto out;
/* there should be no trailing data */
if (sshbuf_len(decoded) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* check check bytes */
if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
(r = sshbuf_get_u32(decrypted, &check2)) != 0)
goto out;
if (check1 != check2) {
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
goto out;
}
/* Load the private key and comment */
if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
(r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
goto out;
/* Check deterministic padding */
i = 0;
while (sshbuf_len(decrypted)) {
if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
goto out;
if (pad != (++i & 0xff)) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
}
/* XXX decode pubkey and check against private */
/* success */
r = 0;
if (keyp != NULL) {
*keyp = k;
k = NULL;
}
if (commentp != NULL) {
*commentp = comment;
comment = NULL;
}
out:
pad = 0;
cipher_free(ciphercontext);
free(ciphername);
free(kdfname);
free(comment);
if (salt != NULL) {
explicit_bzero(salt, slen);
free(salt);
}
if (key != NULL) {
explicit_bzero(key, keylen + ivlen);
free(key);
}
sshbuf_free(encoded);
sshbuf_free(decoded);
sshbuf_free(kdf);
sshbuf_free(decrypted);
sshkey_free(k);
return r;
}
#ifdef WITH_OPENSSL
/* convert SSH v2 key to PEM or PKCS#8 format */
static int
sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
int format, const char *_passphrase, const char *comment)
{
int was_shielded = sshkey_is_shielded(key);
int success, r;
int blen, len = strlen(_passphrase);
u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
char *bptr;
BIO *bio = NULL;
struct sshbuf *blob;
EVP_PKEY *pkey = NULL;
if (len > 0 && len <= 4)
return SSH_ERR_PASSPHRASE_TOO_SHORT;
if ((blob = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((bio = BIO_new(BIO_s_mem())) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshkey_unshield_private(key)) != 0)
goto out;
switch (key->type) {
case KEY_DSA:
if (format == SSHKEY_PRIVATE_PEM) {
success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
cipher, passphrase, len, NULL, NULL);
} else {
success = EVP_PKEY_set1_DSA(pkey, key->dsa);
}
break;
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
if (format == SSHKEY_PRIVATE_PEM) {
success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
cipher, passphrase, len, NULL, NULL);
} else {
success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
}
break;
#endif
case KEY_RSA:
if (format == SSHKEY_PRIVATE_PEM) {
success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
cipher, passphrase, len, NULL, NULL);
} else {
success = EVP_PKEY_set1_RSA(pkey, key->rsa);
}
break;
default:
success = 0;
break;
}
if (success == 0) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (format == SSHKEY_PRIVATE_PKCS8) {
if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
passphrase, len, NULL, NULL)) == 0) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
}
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
if ((r = sshbuf_put(blob, bptr, blen)) != 0)
goto out;
r = 0;
out:
if (was_shielded)
r = sshkey_shield_private(key);
if (r == 0)
r = sshbuf_putb(buf, blob);
EVP_PKEY_free(pkey);
sshbuf_free(blob);
BIO_free(bio);
return r;
}
#endif /* WITH_OPENSSL */
/* Serialise "key" to buffer "blob" */
int
sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
const char *passphrase, const char *comment,
int format, const char *openssh_format_cipher, int openssh_format_rounds)
{
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
case KEY_ECDSA:
case KEY_RSA:
break; /* see below */
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_SK:
#ifdef WITH_XMSS
case KEY_XMSS:
#endif /* WITH_XMSS */
#ifdef WITH_OPENSSL
case KEY_ECDSA_SK:
#endif /* WITH_OPENSSL */
return sshkey_private_to_blob2(key, blob, passphrase,
comment, openssh_format_cipher, openssh_format_rounds);
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
#ifdef WITH_OPENSSL
switch (format) {
case SSHKEY_PRIVATE_OPENSSH:
return sshkey_private_to_blob2(key, blob, passphrase,
comment, openssh_format_cipher, openssh_format_rounds);
case SSHKEY_PRIVATE_PEM:
case SSHKEY_PRIVATE_PKCS8:
return sshkey_private_to_blob_pem_pkcs8(key, blob,
format, passphrase, comment);
default:
return SSH_ERR_INVALID_ARGUMENT;
}
#endif /* WITH_OPENSSL */
}
#ifdef WITH_OPENSSL
static int
translate_libcrypto_error(unsigned long pem_err)
{
int pem_reason = ERR_GET_REASON(pem_err);
switch (ERR_GET_LIB(pem_err)) {
case ERR_LIB_PEM:
switch (pem_reason) {
case PEM_R_BAD_PASSWORD_READ:
case PEM_R_PROBLEMS_GETTING_PASSWORD:
case PEM_R_BAD_DECRYPT:
return SSH_ERR_KEY_WRONG_PASSPHRASE;
default:
return SSH_ERR_INVALID_FORMAT;
}
case ERR_LIB_EVP:
switch (pem_reason) {
case EVP_R_BAD_DECRYPT:
return SSH_ERR_KEY_WRONG_PASSPHRASE;
#ifdef EVP_R_BN_DECODE_ERROR
case EVP_R_BN_DECODE_ERROR:
#endif
case EVP_R_DECODE_ERROR:
#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
case EVP_R_PRIVATE_KEY_DECODE_ERROR:
#endif
return SSH_ERR_INVALID_FORMAT;
default:
return SSH_ERR_LIBCRYPTO_ERROR;
}
case ERR_LIB_ASN1:
return SSH_ERR_INVALID_FORMAT;
}
return SSH_ERR_LIBCRYPTO_ERROR;
}
static void
clear_libcrypto_errors(void)
{
while (ERR_get_error() != 0)
;
}
/*
* Translate OpenSSL error codes to determine whether
* passphrase is required/incorrect.
*/
static int
convert_libcrypto_error(void)
{
/*
* Some password errors are reported at the beginning
* of the error queue.
*/
if (translate_libcrypto_error(ERR_peek_error()) ==
SSH_ERR_KEY_WRONG_PASSPHRASE)
return SSH_ERR_KEY_WRONG_PASSPHRASE;
return translate_libcrypto_error(ERR_peek_last_error());
}
static int
pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
{
char *p = (char *)u;
size_t len;
if (p == NULL || (len = strlen(p)) == 0)
return -1;
if (size < 0 || len > (size_t)size)
return -1;
memcpy(buf, p, len);
return (int)len;
}
static int
sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
const char *passphrase, struct sshkey **keyp)
{
EVP_PKEY *pk = NULL;
struct sshkey *prv = NULL;
BIO *bio = NULL;
int r;
if (keyp != NULL)
*keyp = NULL;
if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
return SSH_ERR_ALLOC_FAIL;
if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
(int)sshbuf_len(blob)) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
clear_libcrypto_errors();
if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
(char *)passphrase)) == NULL) {
/*
* libcrypto may return various ASN.1 errors when attempting
* to parse a key with an incorrect passphrase.
* Treat all format errors as "incorrect passphrase" if a
* passphrase was supplied.
*/
if (passphrase != NULL && *passphrase != '\0')
r = SSH_ERR_KEY_WRONG_PASSPHRASE;
else
r = convert_libcrypto_error();
goto out;
}
if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
(type == KEY_UNSPEC || type == KEY_RSA)) {
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
prv->rsa = EVP_PKEY_get1_RSA(pk);
prv->type = KEY_RSA;
#ifdef DEBUG_PK
RSA_print_fp(stderr, prv->rsa, 8);
#endif
if (RSA_blinding_on(prv->rsa, NULL) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if ((r = check_rsa_length(prv->rsa)) != 0)
goto out;
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
(type == KEY_UNSPEC || type == KEY_DSA)) {
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
prv->dsa = EVP_PKEY_get1_DSA(pk);
prv->type = KEY_DSA;
#ifdef DEBUG_PK
DSA_print_fp(stderr, prv->dsa, 8);
#endif
#ifdef OPENSSL_HAS_ECC
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
(type == KEY_UNSPEC || type == KEY_ECDSA)) {
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
prv->type = KEY_ECDSA;
prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
if (prv->ecdsa_nid == -1 ||
sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
sshkey_ec_validate_private(prv->ecdsa) != 0) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
# ifdef DEBUG_PK
if (prv != NULL && prv->ecdsa != NULL)
sshkey_dump_ec_key(prv->ecdsa);
# endif
#endif /* OPENSSL_HAS_ECC */
} else {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
r = 0;
if (keyp != NULL) {
*keyp = prv;
prv = NULL;
}
out:
BIO_free(bio);
EVP_PKEY_free(pk);
sshkey_free(prv);
return r;
}
#endif /* WITH_OPENSSL */
int
sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
const char *passphrase, struct sshkey **keyp, char **commentp)
{
int r = SSH_ERR_INTERNAL_ERROR;
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
switch (type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
case KEY_ECDSA:
case KEY_RSA:
return sshkey_parse_private_pem_fileblob(blob, type,
passphrase, keyp);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
#ifdef WITH_XMSS
case KEY_XMSS:
#endif /* WITH_XMSS */
return sshkey_parse_private2(blob, type, passphrase,
keyp, commentp);
case KEY_UNSPEC:
r = sshkey_parse_private2(blob, type, passphrase, keyp,
commentp);
/* Do not fallback to PEM parser if only passphrase is wrong. */
if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE)
return r;
#ifdef WITH_OPENSSL
return sshkey_parse_private_pem_fileblob(blob, type,
passphrase, keyp);
#else
return SSH_ERR_INVALID_FORMAT;
#endif /* WITH_OPENSSL */
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
}
int
sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
struct sshkey **keyp, char **commentp)
{
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
passphrase, keyp, commentp);
}
void
sshkey_sig_details_free(struct sshkey_sig_details *details)
{
freezero(details, sizeof(*details));
}
#ifdef WITH_XMSS
/*
* serialize the key with the current state and forward the state
* maxsign times.
*/
int
sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
u_int32_t maxsign, sshkey_printfn *pr)
{
int r, rupdate;
if (maxsign == 0 ||
sshkey_type_plain(k->type) != KEY_XMSS)
return sshkey_private_serialize_opt(k, b,
SSHKEY_SERIALIZE_DEFAULT);
if ((r = sshkey_xmss_get_state(k, pr)) != 0 ||
(r = sshkey_private_serialize_opt(k, b,
SSHKEY_SERIALIZE_STATE)) != 0 ||
(r = sshkey_xmss_forward_state(k, maxsign)) != 0)
goto out;
r = 0;
out:
if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) {
if (r == 0)
r = rupdate;
}
return r;
}
u_int32_t
sshkey_signatures_left(const struct sshkey *k)
{
if (sshkey_type_plain(k->type) == KEY_XMSS)
return sshkey_xmss_signatures_left(k);
return 0;
}
int
sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
{
if (sshkey_type_plain(k->type) != KEY_XMSS)
return SSH_ERR_INVALID_ARGUMENT;
return sshkey_xmss_enable_maxsign(k, maxsign);
}
int
sshkey_set_filename(struct sshkey *k, const char *filename)
{
if (k == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (sshkey_type_plain(k->type) != KEY_XMSS)
return 0;
if (filename == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((k->xmss_filename = strdup(filename)) == NULL)
return SSH_ERR_ALLOC_FAIL;
return 0;
}
#else
int
sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
u_int32_t maxsign, sshkey_printfn *pr)
{
return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
}
u_int32_t
sshkey_signatures_left(const struct sshkey *k)
{
return 0;
}
int
sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
{
return SSH_ERR_INVALID_ARGUMENT;
}
int
sshkey_set_filename(struct sshkey *k, const char *filename)
{
if (k == NULL)
return SSH_ERR_INVALID_ARGUMENT;
return 0;
}
#endif /* WITH_XMSS */