Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: sshkey.c,v 1.142 2024/01/11 01:45:36 djm Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
5 | | * Copyright (c) 2010,2011 Damien Miller. All rights reserved. |
6 | | * |
7 | | * Redistribution and use in source and binary forms, with or without |
8 | | * modification, are permitted provided that the following conditions |
9 | | * are met: |
10 | | * 1. Redistributions of source code must retain the above copyright |
11 | | * notice, this list of conditions and the following disclaimer. |
12 | | * 2. Redistributions in binary form must reproduce the above copyright |
13 | | * notice, this list of conditions and the following disclaimer in the |
14 | | * documentation and/or other materials provided with the distribution. |
15 | | * |
16 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
17 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
18 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
19 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
20 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
21 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
22 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
23 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
24 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
25 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
26 | | */ |
27 | | |
28 | | #include "includes.h" |
29 | | |
30 | | #include <sys/types.h> |
31 | | #include <netinet/in.h> |
32 | | |
33 | | #ifdef WITH_OPENSSL |
34 | | #include <openssl/evp.h> |
35 | | #include <openssl/err.h> |
36 | | #include <openssl/pem.h> |
37 | | #endif |
38 | | |
39 | | #include "crypto_api.h" |
40 | | |
41 | | #include <errno.h> |
42 | | #include <limits.h> |
43 | | #include <stdio.h> |
44 | | #include <stdlib.h> |
45 | | #include <string.h> |
46 | | #include <resolv.h> |
47 | | #include <time.h> |
48 | | #ifdef HAVE_UTIL_H |
49 | | #include <util.h> |
50 | | #endif /* HAVE_UTIL_H */ |
51 | | |
52 | | #include "ssh2.h" |
53 | | #include "ssherr.h" |
54 | | #include "misc.h" |
55 | | #include "sshbuf.h" |
56 | | #include "cipher.h" |
57 | | #include "digest.h" |
58 | | #define SSHKEY_INTERNAL |
59 | | #include "sshkey.h" |
60 | | #include "match.h" |
61 | | #include "ssh-sk.h" |
62 | | |
63 | | #ifdef WITH_XMSS |
64 | | #include "sshkey-xmss.h" |
65 | | #include "xmss_fast.h" |
66 | | #endif |
67 | | |
68 | | #include "openbsd-compat/openssl-compat.h" |
69 | | |
70 | | /* openssh private key file format */ |
71 | 47.7k | #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" |
72 | 357k | #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" |
73 | 38.1k | #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) |
74 | 357k | #define MARK_END_LEN (sizeof(MARK_END) - 1) |
75 | 0 | #define KDFNAME "bcrypt" |
76 | 38.1k | #define AUTH_MAGIC "openssh-key-v1" |
77 | 0 | #define SALT_LEN 16 |
78 | 0 | #define DEFAULT_CIPHERNAME "aes256-ctr" |
79 | 0 | #define DEFAULT_ROUNDS 24 |
80 | | |
81 | | /* Version identification string for SSH v1 identity files. */ |
82 | | #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" |
83 | | |
84 | | /* |
85 | | * Constants relating to "shielding" support; protection of keys expected |
86 | | * to remain in memory for long durations |
87 | | */ |
88 | 0 | #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024) |
89 | 0 | #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */ |
90 | 0 | #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512 |
91 | | |
92 | | int sshkey_private_serialize_opt(struct sshkey *key, |
93 | | struct sshbuf *buf, enum sshkey_serialize_rep); |
94 | | static int sshkey_from_blob_internal(struct sshbuf *buf, |
95 | | struct sshkey **keyp, int allow_cert); |
96 | | |
97 | | /* Supported key types */ |
98 | | extern const struct sshkey_impl sshkey_ed25519_impl; |
99 | | extern const struct sshkey_impl sshkey_ed25519_cert_impl; |
100 | | extern const struct sshkey_impl sshkey_ed25519_sk_impl; |
101 | | extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl; |
102 | | #ifdef WITH_OPENSSL |
103 | | # ifdef OPENSSL_HAS_ECC |
104 | | # ifdef ENABLE_SK |
105 | | extern const struct sshkey_impl sshkey_ecdsa_sk_impl; |
106 | | extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl; |
107 | | extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl; |
108 | | # endif /* ENABLE_SK */ |
109 | | extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl; |
110 | | extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl; |
111 | | extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl; |
112 | | extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl; |
113 | | # ifdef OPENSSL_HAS_NISTP521 |
114 | | extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl; |
115 | | extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl; |
116 | | # endif /* OPENSSL_HAS_NISTP521 */ |
117 | | # endif /* OPENSSL_HAS_ECC */ |
118 | | extern const struct sshkey_impl sshkey_rsa_impl; |
119 | | extern const struct sshkey_impl sshkey_rsa_cert_impl; |
120 | | extern const struct sshkey_impl sshkey_rsa_sha256_impl; |
121 | | extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl; |
122 | | extern const struct sshkey_impl sshkey_rsa_sha512_impl; |
123 | | extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl; |
124 | | # ifdef WITH_DSA |
125 | | extern const struct sshkey_impl sshkey_dss_impl; |
126 | | extern const struct sshkey_impl sshkey_dsa_cert_impl; |
127 | | # endif |
128 | | #endif /* WITH_OPENSSL */ |
129 | | #ifdef WITH_XMSS |
130 | | extern const struct sshkey_impl sshkey_xmss_impl; |
131 | | extern const struct sshkey_impl sshkey_xmss_cert_impl; |
132 | | #endif |
133 | | |
134 | | const struct sshkey_impl * const keyimpls[] = { |
135 | | &sshkey_ed25519_impl, |
136 | | &sshkey_ed25519_cert_impl, |
137 | | #ifdef ENABLE_SK |
138 | | &sshkey_ed25519_sk_impl, |
139 | | &sshkey_ed25519_sk_cert_impl, |
140 | | #endif |
141 | | #ifdef WITH_OPENSSL |
142 | | # ifdef OPENSSL_HAS_ECC |
143 | | &sshkey_ecdsa_nistp256_impl, |
144 | | &sshkey_ecdsa_nistp256_cert_impl, |
145 | | &sshkey_ecdsa_nistp384_impl, |
146 | | &sshkey_ecdsa_nistp384_cert_impl, |
147 | | # ifdef OPENSSL_HAS_NISTP521 |
148 | | &sshkey_ecdsa_nistp521_impl, |
149 | | &sshkey_ecdsa_nistp521_cert_impl, |
150 | | # endif /* OPENSSL_HAS_NISTP521 */ |
151 | | # ifdef ENABLE_SK |
152 | | &sshkey_ecdsa_sk_impl, |
153 | | &sshkey_ecdsa_sk_cert_impl, |
154 | | &sshkey_ecdsa_sk_webauthn_impl, |
155 | | # endif /* ENABLE_SK */ |
156 | | # endif /* OPENSSL_HAS_ECC */ |
157 | | # ifdef WITH_DSA |
158 | | &sshkey_dss_impl, |
159 | | &sshkey_dsa_cert_impl, |
160 | | # endif |
161 | | &sshkey_rsa_impl, |
162 | | &sshkey_rsa_cert_impl, |
163 | | &sshkey_rsa_sha256_impl, |
164 | | &sshkey_rsa_sha256_cert_impl, |
165 | | &sshkey_rsa_sha512_impl, |
166 | | &sshkey_rsa_sha512_cert_impl, |
167 | | #endif /* WITH_OPENSSL */ |
168 | | #ifdef WITH_XMSS |
169 | | &sshkey_xmss_impl, |
170 | | &sshkey_xmss_cert_impl, |
171 | | #endif |
172 | | NULL |
173 | | }; |
174 | | |
175 | | static const struct sshkey_impl * |
176 | | sshkey_impl_from_type(int type) |
177 | 991k | { |
178 | 991k | int i; |
179 | | |
180 | 8.93M | for (i = 0; keyimpls[i] != NULL; i++) { |
181 | 8.92M | if (keyimpls[i]->type == type) |
182 | 975k | return keyimpls[i]; |
183 | 8.92M | } |
184 | 16.6k | return NULL; |
185 | 991k | } |
186 | | |
187 | | static const struct sshkey_impl * |
188 | | sshkey_impl_from_type_nid(int type, int nid) |
189 | 281k | { |
190 | 281k | int i; |
191 | | |
192 | 2.47M | for (i = 0; keyimpls[i] != NULL; i++) { |
193 | 2.47M | if (keyimpls[i]->type == type && |
194 | 2.47M | (keyimpls[i]->nid == 0 || keyimpls[i]->nid == nid)) |
195 | 281k | return keyimpls[i]; |
196 | 2.47M | } |
197 | 0 | return NULL; |
198 | 281k | } |
199 | | |
200 | | static const struct sshkey_impl * |
201 | | sshkey_impl_from_key(const struct sshkey *k) |
202 | 151k | { |
203 | 151k | if (k == NULL) |
204 | 0 | return NULL; |
205 | 151k | return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid); |
206 | 151k | } |
207 | | |
208 | | const char * |
209 | | sshkey_type(const struct sshkey *k) |
210 | 3.95k | { |
211 | 3.95k | const struct sshkey_impl *impl; |
212 | | |
213 | 3.95k | if ((impl = sshkey_impl_from_key(k)) == NULL) |
214 | 0 | return "unknown"; |
215 | 3.95k | return impl->shortname; |
216 | 3.95k | } |
217 | | |
218 | | static const char * |
219 | | sshkey_ssh_name_from_type_nid(int type, int nid) |
220 | 130k | { |
221 | 130k | const struct sshkey_impl *impl; |
222 | | |
223 | 130k | if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL) |
224 | 0 | return "ssh-unknown"; |
225 | 130k | return impl->name; |
226 | 130k | } |
227 | | |
228 | | int |
229 | | sshkey_type_is_cert(int type) |
230 | 582k | { |
231 | 582k | const struct sshkey_impl *impl; |
232 | | |
233 | 582k | if ((impl = sshkey_impl_from_type(type)) == NULL) |
234 | 10.3k | return 0; |
235 | 571k | return impl->cert; |
236 | 582k | } |
237 | | |
238 | | const char * |
239 | | sshkey_ssh_name(const struct sshkey *k) |
240 | 125k | { |
241 | 125k | return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); |
242 | 125k | } |
243 | | |
244 | | const char * |
245 | | sshkey_ssh_name_plain(const struct sshkey *k) |
246 | 3.18k | { |
247 | 3.18k | return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), |
248 | 3.18k | k->ecdsa_nid); |
249 | 3.18k | } |
250 | | |
251 | | int |
252 | | sshkey_type_from_name(const char *name) |
253 | 178k | { |
254 | 178k | int i; |
255 | 178k | const struct sshkey_impl *impl; |
256 | | |
257 | 1.63M | for (i = 0; keyimpls[i] != NULL; i++) { |
258 | 1.63M | impl = keyimpls[i]; |
259 | | /* Only allow shortname matches for plain key types */ |
260 | 1.63M | if ((impl->name != NULL && strcmp(name, impl->name) == 0) || |
261 | 1.63M | (!impl->cert && strcasecmp(impl->shortname, name) == 0)) |
262 | 177k | return impl->type; |
263 | 1.63M | } |
264 | 1.20k | return KEY_UNSPEC; |
265 | 178k | } |
266 | | |
267 | | static int |
268 | | key_type_is_ecdsa_variant(int type) |
269 | 353k | { |
270 | 353k | switch (type) { |
271 | 54.8k | case KEY_ECDSA: |
272 | 103k | case KEY_ECDSA_CERT: |
273 | 130k | case KEY_ECDSA_SK: |
274 | 143k | case KEY_ECDSA_SK_CERT: |
275 | 143k | return 1; |
276 | 353k | } |
277 | 210k | return 0; |
278 | 353k | } |
279 | | |
280 | | int |
281 | | sshkey_ecdsa_nid_from_name(const char *name) |
282 | 23.5k | { |
283 | 23.5k | int i; |
284 | | |
285 | 355k | for (i = 0; keyimpls[i] != NULL; i++) { |
286 | 344k | if (!key_type_is_ecdsa_variant(keyimpls[i]->type)) |
287 | 203k | continue; |
288 | 140k | if (keyimpls[i]->name != NULL && |
289 | 140k | strcmp(name, keyimpls[i]->name) == 0) |
290 | 12.6k | return keyimpls[i]->nid; |
291 | 140k | } |
292 | 10.9k | return -1; |
293 | 23.5k | } |
294 | | |
295 | | int |
296 | | sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) |
297 | 0 | { |
298 | 0 | int ktype; |
299 | |
|
300 | 0 | if (sigalgs == NULL || *sigalgs == '\0' || |
301 | 0 | (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) |
302 | 0 | return 0; |
303 | 0 | else if (ktype == KEY_RSA) { |
304 | 0 | return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || |
305 | 0 | match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || |
306 | 0 | match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; |
307 | 0 | } else if (ktype == KEY_RSA_CERT) { |
308 | 0 | return match_pattern_list("ssh-rsa-cert-v01@openssh.com", |
309 | 0 | sigalgs, 0) == 1 || |
310 | 0 | match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
311 | 0 | sigalgs, 0) == 1 || |
312 | 0 | match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
313 | 0 | sigalgs, 0) == 1; |
314 | 0 | } else |
315 | 0 | return match_pattern_list(keyname, sigalgs, 0) == 1; |
316 | 0 | } |
317 | | |
318 | | char * |
319 | | sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
320 | 141 | { |
321 | 141 | char *tmp, *ret = NULL; |
322 | 141 | size_t i, nlen, rlen = 0; |
323 | 141 | const struct sshkey_impl *impl; |
324 | | |
325 | 3.38k | for (i = 0; keyimpls[i] != NULL; i++) { |
326 | 3.24k | impl = keyimpls[i]; |
327 | 3.24k | if (impl->name == NULL) |
328 | 0 | continue; |
329 | 3.24k | if (!include_sigonly && impl->sigonly) |
330 | 0 | continue; |
331 | 3.24k | if ((certs_only && !impl->cert) || (plain_only && impl->cert)) |
332 | 1.55k | continue; |
333 | 1.69k | if (ret != NULL) |
334 | 1.55k | ret[rlen++] = sep; |
335 | 1.69k | nlen = strlen(impl->name); |
336 | 1.69k | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { |
337 | 0 | free(ret); |
338 | 0 | return NULL; |
339 | 0 | } |
340 | 1.69k | ret = tmp; |
341 | 1.69k | memcpy(ret + rlen, impl->name, nlen + 1); |
342 | 1.69k | rlen += nlen; |
343 | 1.69k | } |
344 | 141 | return ret; |
345 | 141 | } |
346 | | |
347 | | int |
348 | | sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only) |
349 | 0 | { |
350 | 0 | char *s, *cp, *p; |
351 | 0 | const struct sshkey_impl *impl; |
352 | 0 | int i, type; |
353 | |
|
354 | 0 | if (names == NULL || strcmp(names, "") == 0) |
355 | 0 | return 0; |
356 | 0 | if ((s = cp = strdup(names)) == NULL) |
357 | 0 | return 0; |
358 | 0 | for ((p = strsep(&cp, ",")); p && *p != '\0'; |
359 | 0 | (p = strsep(&cp, ","))) { |
360 | 0 | type = sshkey_type_from_name(p); |
361 | 0 | if (type == KEY_UNSPEC) { |
362 | 0 | if (allow_wildcard) { |
363 | | /* |
364 | | * Try matching key types against the string. |
365 | | * If any has a positive or negative match then |
366 | | * the component is accepted. |
367 | | */ |
368 | 0 | impl = NULL; |
369 | 0 | for (i = 0; keyimpls[i] != NULL; i++) { |
370 | 0 | if (match_pattern_list( |
371 | 0 | keyimpls[i]->name, p, 0) != 0) { |
372 | 0 | impl = keyimpls[i]; |
373 | 0 | break; |
374 | 0 | } |
375 | 0 | } |
376 | 0 | if (impl != NULL) |
377 | 0 | continue; |
378 | 0 | } |
379 | 0 | free(s); |
380 | 0 | return 0; |
381 | 0 | } else if (plain_only && sshkey_type_is_cert(type)) { |
382 | 0 | free(s); |
383 | 0 | return 0; |
384 | 0 | } |
385 | 0 | } |
386 | 0 | free(s); |
387 | 0 | return 1; |
388 | 0 | } |
389 | | |
390 | | u_int |
391 | | sshkey_size(const struct sshkey *k) |
392 | 0 | { |
393 | 0 | const struct sshkey_impl *impl; |
394 | |
|
395 | 0 | if ((impl = sshkey_impl_from_key(k)) == NULL) |
396 | 0 | return 0; |
397 | 0 | if (impl->funcs->size != NULL) |
398 | 0 | return impl->funcs->size(k); |
399 | 0 | return impl->keybits; |
400 | 0 | } |
401 | | |
402 | | static int |
403 | | sshkey_type_is_valid_ca(int type) |
404 | 7.88k | { |
405 | 7.88k | const struct sshkey_impl *impl; |
406 | | |
407 | 7.88k | if ((impl = sshkey_impl_from_type(type)) == NULL) |
408 | 0 | return 0; |
409 | | /* All non-certificate types may act as CAs */ |
410 | 7.88k | return !impl->cert; |
411 | 7.88k | } |
412 | | |
413 | | int |
414 | | sshkey_is_cert(const struct sshkey *k) |
415 | 528k | { |
416 | 528k | if (k == NULL) |
417 | 0 | return 0; |
418 | 528k | return sshkey_type_is_cert(k->type); |
419 | 528k | } |
420 | | |
421 | | int |
422 | | sshkey_is_sk(const struct sshkey *k) |
423 | 10.3k | { |
424 | 10.3k | if (k == NULL) |
425 | 0 | return 0; |
426 | 10.3k | switch (sshkey_type_plain(k->type)) { |
427 | 1.59k | case KEY_ECDSA_SK: |
428 | 3.18k | case KEY_ED25519_SK: |
429 | 3.18k | return 1; |
430 | 7.21k | default: |
431 | 7.21k | return 0; |
432 | 10.3k | } |
433 | 10.3k | } |
434 | | |
435 | | /* Return the cert-less equivalent to a certified key type */ |
436 | | int |
437 | | sshkey_type_plain(int type) |
438 | 53.5k | { |
439 | 53.5k | switch (type) { |
440 | 868 | case KEY_RSA_CERT: |
441 | 868 | return KEY_RSA; |
442 | 871 | case KEY_DSA_CERT: |
443 | 871 | return KEY_DSA; |
444 | 868 | case KEY_ECDSA_CERT: |
445 | 868 | return KEY_ECDSA; |
446 | 868 | case KEY_ECDSA_SK_CERT: |
447 | 868 | return KEY_ECDSA_SK; |
448 | 868 | case KEY_ED25519_CERT: |
449 | 868 | return KEY_ED25519; |
450 | 868 | case KEY_ED25519_SK_CERT: |
451 | 868 | return KEY_ED25519_SK; |
452 | 0 | case KEY_XMSS_CERT: |
453 | 0 | return KEY_XMSS; |
454 | 48.3k | default: |
455 | 48.3k | return type; |
456 | 53.5k | } |
457 | 53.5k | } |
458 | | |
459 | | /* Return the cert equivalent to a plain key type */ |
460 | | static int |
461 | | sshkey_type_certified(int type) |
462 | 4.77k | { |
463 | 4.77k | switch (type) { |
464 | 795 | case KEY_RSA: |
465 | 795 | return KEY_RSA_CERT; |
466 | 795 | case KEY_DSA: |
467 | 795 | return KEY_DSA_CERT; |
468 | 795 | case KEY_ECDSA: |
469 | 795 | return KEY_ECDSA_CERT; |
470 | 795 | case KEY_ECDSA_SK: |
471 | 795 | return KEY_ECDSA_SK_CERT; |
472 | 795 | case KEY_ED25519: |
473 | 795 | return KEY_ED25519_CERT; |
474 | 795 | case KEY_ED25519_SK: |
475 | 795 | return KEY_ED25519_SK_CERT; |
476 | 0 | case KEY_XMSS: |
477 | 0 | return KEY_XMSS_CERT; |
478 | 0 | default: |
479 | 0 | return -1; |
480 | 4.77k | } |
481 | 4.77k | } |
482 | | |
483 | | #ifdef WITH_OPENSSL |
484 | | /* XXX: these are really begging for a table-driven approach */ |
485 | | int |
486 | | sshkey_curve_name_to_nid(const char *name) |
487 | 9.77k | { |
488 | 9.77k | if (strcmp(name, "nistp256") == 0) |
489 | 9.18k | return NID_X9_62_prime256v1; |
490 | 591 | else if (strcmp(name, "nistp384") == 0) |
491 | 56 | return NID_secp384r1; |
492 | 535 | # ifdef OPENSSL_HAS_NISTP521 |
493 | 535 | else if (strcmp(name, "nistp521") == 0) |
494 | 94 | return NID_secp521r1; |
495 | 441 | # endif /* OPENSSL_HAS_NISTP521 */ |
496 | 441 | else |
497 | 441 | return -1; |
498 | 9.77k | } |
499 | | |
500 | | u_int |
501 | | sshkey_curve_nid_to_bits(int nid) |
502 | 3.89k | { |
503 | 3.89k | switch (nid) { |
504 | 1.60k | case NID_X9_62_prime256v1: |
505 | 1.60k | return 256; |
506 | 1.14k | case NID_secp384r1: |
507 | 1.14k | return 384; |
508 | 0 | # ifdef OPENSSL_HAS_NISTP521 |
509 | 1.14k | case NID_secp521r1: |
510 | 1.14k | return 521; |
511 | 0 | # endif /* OPENSSL_HAS_NISTP521 */ |
512 | 0 | default: |
513 | 0 | return 0; |
514 | 3.89k | } |
515 | 3.89k | } |
516 | | |
517 | | int |
518 | | sshkey_ecdsa_bits_to_nid(int bits) |
519 | 3 | { |
520 | 3 | switch (bits) { |
521 | 1 | case 256: |
522 | 1 | return NID_X9_62_prime256v1; |
523 | 1 | case 384: |
524 | 1 | return NID_secp384r1; |
525 | 0 | # ifdef OPENSSL_HAS_NISTP521 |
526 | 1 | case 521: |
527 | 1 | return NID_secp521r1; |
528 | 0 | # endif /* OPENSSL_HAS_NISTP521 */ |
529 | 0 | default: |
530 | 0 | return -1; |
531 | 3 | } |
532 | 3 | } |
533 | | |
534 | | const char * |
535 | | sshkey_curve_nid_to_name(int nid) |
536 | 462 | { |
537 | 462 | switch (nid) { |
538 | 462 | case NID_X9_62_prime256v1: |
539 | 462 | return "nistp256"; |
540 | 0 | case NID_secp384r1: |
541 | 0 | return "nistp384"; |
542 | 0 | # ifdef OPENSSL_HAS_NISTP521 |
543 | 0 | case NID_secp521r1: |
544 | 0 | return "nistp521"; |
545 | 0 | # endif /* OPENSSL_HAS_NISTP521 */ |
546 | 0 | default: |
547 | 0 | return NULL; |
548 | 462 | } |
549 | 462 | } |
550 | | |
551 | | int |
552 | | sshkey_ec_nid_to_hash_alg(int nid) |
553 | 3.89k | { |
554 | 3.89k | int kbits = sshkey_curve_nid_to_bits(nid); |
555 | | |
556 | 3.89k | if (kbits <= 0) |
557 | 0 | return -1; |
558 | | |
559 | | /* RFC5656 section 6.2.1 */ |
560 | 3.89k | if (kbits <= 256) |
561 | 1.60k | return SSH_DIGEST_SHA256; |
562 | 2.28k | else if (kbits <= 384) |
563 | 1.14k | return SSH_DIGEST_SHA384; |
564 | 1.14k | else |
565 | 1.14k | return SSH_DIGEST_SHA512; |
566 | 3.89k | } |
567 | | #endif /* WITH_OPENSSL */ |
568 | | |
569 | | static void |
570 | | cert_free(struct sshkey_cert *cert) |
571 | 23.4k | { |
572 | 23.4k | u_int i; |
573 | | |
574 | 23.4k | if (cert == NULL) |
575 | 4.77k | return; |
576 | 18.6k | sshbuf_free(cert->certblob); |
577 | 18.6k | sshbuf_free(cert->critical); |
578 | 18.6k | sshbuf_free(cert->extensions); |
579 | 18.6k | free(cert->key_id); |
580 | 47.2k | for (i = 0; i < cert->nprincipals; i++) |
581 | 28.6k | free(cert->principals[i]); |
582 | 18.6k | free(cert->principals); |
583 | 18.6k | sshkey_free(cert->signature_key); |
584 | 18.6k | free(cert->signature_type); |
585 | 18.6k | freezero(cert, sizeof(*cert)); |
586 | 18.6k | } |
587 | | |
588 | | static struct sshkey_cert * |
589 | | cert_new(void) |
590 | 18.6k | { |
591 | 18.6k | struct sshkey_cert *cert; |
592 | | |
593 | 18.6k | if ((cert = calloc(1, sizeof(*cert))) == NULL) |
594 | 0 | return NULL; |
595 | 18.6k | if ((cert->certblob = sshbuf_new()) == NULL || |
596 | 18.6k | (cert->critical = sshbuf_new()) == NULL || |
597 | 18.6k | (cert->extensions = sshbuf_new()) == NULL) { |
598 | 0 | cert_free(cert); |
599 | 0 | return NULL; |
600 | 0 | } |
601 | 18.6k | cert->key_id = NULL; |
602 | 18.6k | cert->principals = NULL; |
603 | 18.6k | cert->signature_key = NULL; |
604 | 18.6k | cert->signature_type = NULL; |
605 | 18.6k | return cert; |
606 | 18.6k | } |
607 | | |
608 | | struct sshkey * |
609 | | sshkey_new(int type) |
610 | 176k | { |
611 | 176k | struct sshkey *k; |
612 | 176k | const struct sshkey_impl *impl = NULL; |
613 | | |
614 | 176k | if (type != KEY_UNSPEC && |
615 | 176k | (impl = sshkey_impl_from_type(type)) == NULL) |
616 | 0 | return NULL; |
617 | | |
618 | | /* All non-certificate types may act as CAs */ |
619 | 176k | if ((k = calloc(1, sizeof(*k))) == NULL) |
620 | 0 | return NULL; |
621 | 176k | k->type = type; |
622 | 176k | k->ecdsa_nid = -1; |
623 | 176k | if (impl != NULL && impl->funcs->alloc != NULL) { |
624 | 77.4k | if (impl->funcs->alloc(k) != 0) { |
625 | 0 | free(k); |
626 | 0 | return NULL; |
627 | 0 | } |
628 | 77.4k | } |
629 | 176k | if (sshkey_is_cert(k)) { |
630 | 9.10k | if ((k->cert = cert_new()) == NULL) { |
631 | 0 | sshkey_free(k); |
632 | 0 | return NULL; |
633 | 0 | } |
634 | 9.10k | } |
635 | | |
636 | 176k | return k; |
637 | 176k | } |
638 | | |
639 | | /* Frees common FIDO fields */ |
640 | | void |
641 | | sshkey_sk_cleanup(struct sshkey *k) |
642 | 9.24k | { |
643 | 9.24k | free(k->sk_application); |
644 | 9.24k | sshbuf_free(k->sk_key_handle); |
645 | 9.24k | sshbuf_free(k->sk_reserved); |
646 | 9.24k | k->sk_application = NULL; |
647 | 9.24k | k->sk_key_handle = k->sk_reserved = NULL; |
648 | 9.24k | } |
649 | | |
650 | | static void |
651 | | sshkey_free_contents(struct sshkey *k) |
652 | 622k | { |
653 | 622k | const struct sshkey_impl *impl; |
654 | | |
655 | 622k | if (k == NULL) |
656 | 445k | return; |
657 | 176k | if ((impl = sshkey_impl_from_type(k->type)) != NULL && |
658 | 176k | impl->funcs->cleanup != NULL) |
659 | 171k | impl->funcs->cleanup(k); |
660 | 176k | if (sshkey_is_cert(k)) |
661 | 13.8k | cert_free(k->cert); |
662 | 176k | freezero(k->shielded_private, k->shielded_len); |
663 | 176k | freezero(k->shield_prekey, k->shield_prekey_len); |
664 | 176k | } |
665 | | |
666 | | void |
667 | | sshkey_free(struct sshkey *k) |
668 | 617k | { |
669 | 617k | sshkey_free_contents(k); |
670 | 617k | freezero(k, sizeof(*k)); |
671 | 617k | } |
672 | | |
673 | | static int |
674 | | cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) |
675 | 0 | { |
676 | 0 | if (a == NULL && b == NULL) |
677 | 0 | return 1; |
678 | 0 | if (a == NULL || b == NULL) |
679 | 0 | return 0; |
680 | 0 | if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) |
681 | 0 | return 0; |
682 | 0 | if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), |
683 | 0 | sshbuf_len(a->certblob)) != 0) |
684 | 0 | return 0; |
685 | 0 | return 1; |
686 | 0 | } |
687 | | |
688 | | /* Compares FIDO-specific pubkey fields only */ |
689 | | int |
690 | | sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b) |
691 | 3.18k | { |
692 | 3.18k | if (a->sk_application == NULL || b->sk_application == NULL) |
693 | 0 | return 0; |
694 | 3.18k | if (strcmp(a->sk_application, b->sk_application) != 0) |
695 | 0 | return 0; |
696 | 3.18k | return 1; |
697 | 3.18k | } |
698 | | |
699 | | /* |
700 | | * Compare public portions of key only, allowing comparisons between |
701 | | * certificates and plain keys too. |
702 | | */ |
703 | | int |
704 | | sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) |
705 | 10.1k | { |
706 | 10.1k | const struct sshkey_impl *impl; |
707 | | |
708 | 10.1k | if (a == NULL || b == NULL || |
709 | 10.1k | sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) |
710 | 0 | return 0; |
711 | 10.1k | if ((impl = sshkey_impl_from_type(a->type)) == NULL) |
712 | 0 | return 0; |
713 | 10.1k | return impl->funcs->equal(a, b); |
714 | 10.1k | } |
715 | | |
716 | | int |
717 | | sshkey_equal(const struct sshkey *a, const struct sshkey *b) |
718 | 9.54k | { |
719 | 9.54k | if (a == NULL || b == NULL || a->type != b->type) |
720 | 0 | return 0; |
721 | 9.54k | if (sshkey_is_cert(a)) { |
722 | 0 | if (!cert_compare(a->cert, b->cert)) |
723 | 0 | return 0; |
724 | 0 | } |
725 | 9.54k | return sshkey_equal_public(a, b); |
726 | 9.54k | } |
727 | | |
728 | | |
729 | | /* Serialise common FIDO key parts */ |
730 | | int |
731 | | sshkey_serialize_sk(const struct sshkey *key, struct sshbuf *b) |
732 | 438 | { |
733 | 438 | int r; |
734 | | |
735 | 438 | if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0) |
736 | 0 | return r; |
737 | | |
738 | 438 | return 0; |
739 | 438 | } |
740 | | |
741 | | static int |
742 | | to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, |
743 | | enum sshkey_serialize_rep opts) |
744 | 2.61k | { |
745 | 2.61k | int type, ret = SSH_ERR_INTERNAL_ERROR; |
746 | 2.61k | const char *typename; |
747 | 2.61k | const struct sshkey_impl *impl; |
748 | | |
749 | 2.61k | if (key == NULL) |
750 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
751 | | |
752 | 2.61k | type = force_plain ? sshkey_type_plain(key->type) : key->type; |
753 | | |
754 | 2.61k | if (sshkey_type_is_cert(type)) { |
755 | 438 | if (key->cert == NULL) |
756 | 0 | return SSH_ERR_EXPECTED_CERT; |
757 | 438 | if (sshbuf_len(key->cert->certblob) == 0) |
758 | 0 | return SSH_ERR_KEY_LACKS_CERTBLOB; |
759 | | /* Use the existing blob */ |
760 | 438 | if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) |
761 | 0 | return ret; |
762 | 438 | return 0; |
763 | 438 | } |
764 | 2.17k | if ((impl = sshkey_impl_from_type(type)) == NULL) |
765 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
766 | | |
767 | 2.17k | typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); |
768 | 2.17k | if ((ret = sshbuf_put_cstring(b, typename)) != 0) |
769 | 0 | return ret; |
770 | 2.17k | return impl->funcs->serialize_public(key, b, opts); |
771 | 2.17k | } |
772 | | |
773 | | int |
774 | | sshkey_putb(const struct sshkey *key, struct sshbuf *b) |
775 | 858 | { |
776 | 858 | return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); |
777 | 858 | } |
778 | | |
779 | | int |
780 | | sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, |
781 | | enum sshkey_serialize_rep opts) |
782 | 876 | { |
783 | 876 | struct sshbuf *tmp; |
784 | 876 | int r; |
785 | | |
786 | 876 | if ((tmp = sshbuf_new()) == NULL) |
787 | 0 | return SSH_ERR_ALLOC_FAIL; |
788 | 876 | r = to_blob_buf(key, tmp, 0, opts); |
789 | 876 | if (r == 0) |
790 | 876 | r = sshbuf_put_stringb(b, tmp); |
791 | 876 | sshbuf_free(tmp); |
792 | 876 | return r; |
793 | 876 | } |
794 | | |
795 | | int |
796 | | sshkey_puts(const struct sshkey *key, struct sshbuf *b) |
797 | 0 | { |
798 | 0 | return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); |
799 | 0 | } |
800 | | |
801 | | int |
802 | | sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) |
803 | 0 | { |
804 | 0 | return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); |
805 | 0 | } |
806 | | |
807 | | static int |
808 | | to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, |
809 | | enum sshkey_serialize_rep opts) |
810 | 876 | { |
811 | 876 | int ret = SSH_ERR_INTERNAL_ERROR; |
812 | 876 | size_t len; |
813 | 876 | struct sshbuf *b = NULL; |
814 | | |
815 | 876 | if (lenp != NULL) |
816 | 876 | *lenp = 0; |
817 | 876 | if (blobp != NULL) |
818 | 876 | *blobp = NULL; |
819 | 876 | if ((b = sshbuf_new()) == NULL) |
820 | 0 | return SSH_ERR_ALLOC_FAIL; |
821 | 876 | if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) |
822 | 0 | goto out; |
823 | 876 | len = sshbuf_len(b); |
824 | 876 | if (lenp != NULL) |
825 | 876 | *lenp = len; |
826 | 876 | if (blobp != NULL) { |
827 | 876 | if ((*blobp = malloc(len)) == NULL) { |
828 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
829 | 0 | goto out; |
830 | 0 | } |
831 | 876 | memcpy(*blobp, sshbuf_ptr(b), len); |
832 | 876 | } |
833 | 876 | ret = 0; |
834 | 876 | out: |
835 | 876 | sshbuf_free(b); |
836 | 876 | return ret; |
837 | 876 | } |
838 | | |
839 | | int |
840 | | sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) |
841 | 0 | { |
842 | 0 | return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); |
843 | 0 | } |
844 | | |
845 | | int |
846 | | sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) |
847 | 0 | { |
848 | 0 | return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); |
849 | 0 | } |
850 | | |
851 | | int |
852 | | sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, |
853 | | u_char **retp, size_t *lenp) |
854 | 876 | { |
855 | 876 | u_char *blob = NULL, *ret = NULL; |
856 | 876 | size_t blob_len = 0; |
857 | 876 | int r = SSH_ERR_INTERNAL_ERROR; |
858 | | |
859 | 876 | if (retp != NULL) |
860 | 876 | *retp = NULL; |
861 | 876 | if (lenp != NULL) |
862 | 876 | *lenp = 0; |
863 | 876 | if (ssh_digest_bytes(dgst_alg) == 0) { |
864 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
865 | 0 | goto out; |
866 | 0 | } |
867 | 876 | if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) |
868 | 876 | != 0) |
869 | 0 | goto out; |
870 | 876 | if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { |
871 | 0 | r = SSH_ERR_ALLOC_FAIL; |
872 | 0 | goto out; |
873 | 0 | } |
874 | 876 | if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, |
875 | 876 | ret, SSH_DIGEST_MAX_LENGTH)) != 0) |
876 | 0 | goto out; |
877 | | /* success */ |
878 | 876 | if (retp != NULL) { |
879 | 876 | *retp = ret; |
880 | 876 | ret = NULL; |
881 | 876 | } |
882 | 876 | if (lenp != NULL) |
883 | 876 | *lenp = ssh_digest_bytes(dgst_alg); |
884 | 876 | r = 0; |
885 | 876 | out: |
886 | 876 | free(ret); |
887 | 876 | if (blob != NULL) |
888 | 876 | freezero(blob, blob_len); |
889 | 876 | return r; |
890 | 876 | } |
891 | | |
892 | | static char * |
893 | | fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) |
894 | 876 | { |
895 | 876 | char *ret; |
896 | 876 | size_t plen = strlen(alg) + 1; |
897 | 876 | size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; |
898 | | |
899 | 876 | if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) |
900 | 0 | return NULL; |
901 | 876 | strlcpy(ret, alg, rlen); |
902 | 876 | strlcat(ret, ":", rlen); |
903 | 876 | if (dgst_raw_len == 0) |
904 | 0 | return ret; |
905 | 876 | if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { |
906 | 0 | freezero(ret, rlen); |
907 | 0 | return NULL; |
908 | 0 | } |
909 | | /* Trim padding characters from end */ |
910 | 876 | ret[strcspn(ret, "=")] = '\0'; |
911 | 876 | return ret; |
912 | 876 | } |
913 | | |
914 | | static char * |
915 | | fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) |
916 | 0 | { |
917 | 0 | char *retval, hex[5]; |
918 | 0 | size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; |
919 | |
|
920 | 0 | if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) |
921 | 0 | return NULL; |
922 | 0 | strlcpy(retval, alg, rlen); |
923 | 0 | strlcat(retval, ":", rlen); |
924 | 0 | for (i = 0; i < dgst_raw_len; i++) { |
925 | 0 | snprintf(hex, sizeof(hex), "%s%02x", |
926 | 0 | i > 0 ? ":" : "", dgst_raw[i]); |
927 | 0 | strlcat(retval, hex, rlen); |
928 | 0 | } |
929 | 0 | return retval; |
930 | 0 | } |
931 | | |
932 | | static char * |
933 | | fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) |
934 | 0 | { |
935 | 0 | char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; |
936 | 0 | char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', |
937 | 0 | 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; |
938 | 0 | u_int i, j = 0, rounds, seed = 1; |
939 | 0 | char *retval; |
940 | |
|
941 | 0 | rounds = (dgst_raw_len / 2) + 1; |
942 | 0 | if ((retval = calloc(rounds, 6)) == NULL) |
943 | 0 | return NULL; |
944 | 0 | retval[j++] = 'x'; |
945 | 0 | for (i = 0; i < rounds; i++) { |
946 | 0 | u_int idx0, idx1, idx2, idx3, idx4; |
947 | 0 | if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { |
948 | 0 | idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + |
949 | 0 | seed) % 6; |
950 | 0 | idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; |
951 | 0 | idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + |
952 | 0 | (seed / 6)) % 6; |
953 | 0 | retval[j++] = vowels[idx0]; |
954 | 0 | retval[j++] = consonants[idx1]; |
955 | 0 | retval[j++] = vowels[idx2]; |
956 | 0 | if ((i + 1) < rounds) { |
957 | 0 | idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; |
958 | 0 | idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; |
959 | 0 | retval[j++] = consonants[idx3]; |
960 | 0 | retval[j++] = '-'; |
961 | 0 | retval[j++] = consonants[idx4]; |
962 | 0 | seed = ((seed * 5) + |
963 | 0 | ((((u_int)(dgst_raw[2 * i])) * 7) + |
964 | 0 | ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; |
965 | 0 | } |
966 | 0 | } else { |
967 | 0 | idx0 = seed % 6; |
968 | 0 | idx1 = 16; |
969 | 0 | idx2 = seed / 6; |
970 | 0 | retval[j++] = vowels[idx0]; |
971 | 0 | retval[j++] = consonants[idx1]; |
972 | 0 | retval[j++] = vowels[idx2]; |
973 | 0 | } |
974 | 0 | } |
975 | 0 | retval[j++] = 'x'; |
976 | 0 | retval[j++] = '\0'; |
977 | 0 | return retval; |
978 | 0 | } |
979 | | |
980 | | /* |
981 | | * Draw an ASCII-Art representing the fingerprint so human brain can |
982 | | * profit from its built-in pattern recognition ability. |
983 | | * This technique is called "random art" and can be found in some |
984 | | * scientific publications like this original paper: |
985 | | * |
986 | | * "Hash Visualization: a New Technique to improve Real-World Security", |
987 | | * Perrig A. and Song D., 1999, International Workshop on Cryptographic |
988 | | * Techniques and E-Commerce (CrypTEC '99) |
989 | | * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf |
990 | | * |
991 | | * The subject came up in a talk by Dan Kaminsky, too. |
992 | | * |
993 | | * If you see the picture is different, the key is different. |
994 | | * If the picture looks the same, you still know nothing. |
995 | | * |
996 | | * The algorithm used here is a worm crawling over a discrete plane, |
997 | | * leaving a trace (augmenting the field) everywhere it goes. |
998 | | * Movement is taken from dgst_raw 2bit-wise. Bumping into walls |
999 | | * makes the respective movement vector be ignored for this turn. |
1000 | | * Graphs are not unambiguous, because circles in graphs can be |
1001 | | * walked in either direction. |
1002 | | */ |
1003 | | |
1004 | | /* |
1005 | | * Field sizes for the random art. Have to be odd, so the starting point |
1006 | | * can be in the exact middle of the picture, and FLDBASE should be >=8 . |
1007 | | * Else pictures would be too dense, and drawing the frame would |
1008 | | * fail, too, because the key type would not fit in anymore. |
1009 | | */ |
1010 | 0 | #define FLDBASE 8 |
1011 | 0 | #define FLDSIZE_Y (FLDBASE + 1) |
1012 | 0 | #define FLDSIZE_X (FLDBASE * 2 + 1) |
1013 | | static char * |
1014 | | fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, |
1015 | | const struct sshkey *k) |
1016 | 0 | { |
1017 | | /* |
1018 | | * Chars to be used after each other every time the worm |
1019 | | * intersects with itself. Matter of taste. |
1020 | | */ |
1021 | 0 | char *augmentation_string = " .o+=*BOX@%&#/^SE"; |
1022 | 0 | char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; |
1023 | 0 | u_char field[FLDSIZE_X][FLDSIZE_Y]; |
1024 | 0 | size_t i, tlen, hlen; |
1025 | 0 | u_int b; |
1026 | 0 | int x, y, r; |
1027 | 0 | size_t len = strlen(augmentation_string) - 1; |
1028 | |
|
1029 | 0 | if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) |
1030 | 0 | return NULL; |
1031 | | |
1032 | | /* initialize field */ |
1033 | 0 | memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); |
1034 | 0 | x = FLDSIZE_X / 2; |
1035 | 0 | y = FLDSIZE_Y / 2; |
1036 | | |
1037 | | /* process raw key */ |
1038 | 0 | for (i = 0; i < dgst_raw_len; i++) { |
1039 | 0 | int input; |
1040 | | /* each byte conveys four 2-bit move commands */ |
1041 | 0 | input = dgst_raw[i]; |
1042 | 0 | for (b = 0; b < 4; b++) { |
1043 | | /* evaluate 2 bit, rest is shifted later */ |
1044 | 0 | x += (input & 0x1) ? 1 : -1; |
1045 | 0 | y += (input & 0x2) ? 1 : -1; |
1046 | | |
1047 | | /* assure we are still in bounds */ |
1048 | 0 | x = MAXIMUM(x, 0); |
1049 | 0 | y = MAXIMUM(y, 0); |
1050 | 0 | x = MINIMUM(x, FLDSIZE_X - 1); |
1051 | 0 | y = MINIMUM(y, FLDSIZE_Y - 1); |
1052 | | |
1053 | | /* augment the field */ |
1054 | 0 | if (field[x][y] < len - 2) |
1055 | 0 | field[x][y]++; |
1056 | 0 | input = input >> 2; |
1057 | 0 | } |
1058 | 0 | } |
1059 | | |
1060 | | /* mark starting point and end point*/ |
1061 | 0 | field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; |
1062 | 0 | field[x][y] = len; |
1063 | | |
1064 | | /* assemble title */ |
1065 | 0 | r = snprintf(title, sizeof(title), "[%s %u]", |
1066 | 0 | sshkey_type(k), sshkey_size(k)); |
1067 | | /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ |
1068 | 0 | if (r < 0 || r > (int)sizeof(title)) |
1069 | 0 | r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); |
1070 | 0 | tlen = (r <= 0) ? 0 : strlen(title); |
1071 | | |
1072 | | /* assemble hash ID. */ |
1073 | 0 | r = snprintf(hash, sizeof(hash), "[%s]", alg); |
1074 | 0 | hlen = (r <= 0) ? 0 : strlen(hash); |
1075 | | |
1076 | | /* output upper border */ |
1077 | 0 | p = retval; |
1078 | 0 | *p++ = '+'; |
1079 | 0 | for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) |
1080 | 0 | *p++ = '-'; |
1081 | 0 | memcpy(p, title, tlen); |
1082 | 0 | p += tlen; |
1083 | 0 | for (i += tlen; i < FLDSIZE_X; i++) |
1084 | 0 | *p++ = '-'; |
1085 | 0 | *p++ = '+'; |
1086 | 0 | *p++ = '\n'; |
1087 | | |
1088 | | /* output content */ |
1089 | 0 | for (y = 0; y < FLDSIZE_Y; y++) { |
1090 | 0 | *p++ = '|'; |
1091 | 0 | for (x = 0; x < FLDSIZE_X; x++) |
1092 | 0 | *p++ = augmentation_string[MINIMUM(field[x][y], len)]; |
1093 | 0 | *p++ = '|'; |
1094 | 0 | *p++ = '\n'; |
1095 | 0 | } |
1096 | | |
1097 | | /* output lower border */ |
1098 | 0 | *p++ = '+'; |
1099 | 0 | for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) |
1100 | 0 | *p++ = '-'; |
1101 | 0 | memcpy(p, hash, hlen); |
1102 | 0 | p += hlen; |
1103 | 0 | for (i += hlen; i < FLDSIZE_X; i++) |
1104 | 0 | *p++ = '-'; |
1105 | 0 | *p++ = '+'; |
1106 | |
|
1107 | 0 | return retval; |
1108 | 0 | } |
1109 | | |
1110 | | char * |
1111 | | sshkey_fingerprint(const struct sshkey *k, int dgst_alg, |
1112 | | enum sshkey_fp_rep dgst_rep) |
1113 | 876 | { |
1114 | 876 | char *retval = NULL; |
1115 | 876 | u_char *dgst_raw; |
1116 | 876 | size_t dgst_raw_len; |
1117 | | |
1118 | 876 | if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) |
1119 | 0 | return NULL; |
1120 | 876 | switch (dgst_rep) { |
1121 | 876 | case SSH_FP_DEFAULT: |
1122 | 876 | if (dgst_alg == SSH_DIGEST_MD5) { |
1123 | 0 | retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), |
1124 | 0 | dgst_raw, dgst_raw_len); |
1125 | 876 | } else { |
1126 | 876 | retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), |
1127 | 876 | dgst_raw, dgst_raw_len); |
1128 | 876 | } |
1129 | 876 | break; |
1130 | 0 | case SSH_FP_HEX: |
1131 | 0 | retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), |
1132 | 0 | dgst_raw, dgst_raw_len); |
1133 | 0 | break; |
1134 | 0 | case SSH_FP_BASE64: |
1135 | 0 | retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), |
1136 | 0 | dgst_raw, dgst_raw_len); |
1137 | 0 | break; |
1138 | 0 | case SSH_FP_BUBBLEBABBLE: |
1139 | 0 | retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); |
1140 | 0 | break; |
1141 | 0 | case SSH_FP_RANDOMART: |
1142 | 0 | retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), |
1143 | 0 | dgst_raw, dgst_raw_len, k); |
1144 | 0 | break; |
1145 | 0 | default: |
1146 | 0 | freezero(dgst_raw, dgst_raw_len); |
1147 | 0 | return NULL; |
1148 | 876 | } |
1149 | 876 | freezero(dgst_raw, dgst_raw_len); |
1150 | 876 | return retval; |
1151 | 876 | } |
1152 | | |
1153 | | static int |
1154 | | peek_type_nid(const char *s, size_t l, int *nid) |
1155 | 4.77k | { |
1156 | 4.77k | const struct sshkey_impl *impl; |
1157 | 4.77k | int i; |
1158 | | |
1159 | 44.5k | for (i = 0; keyimpls[i] != NULL; i++) { |
1160 | 44.5k | impl = keyimpls[i]; |
1161 | 44.5k | if (impl->name == NULL || strlen(impl->name) != l) |
1162 | 38.9k | continue; |
1163 | 5.57k | if (memcmp(s, impl->name, l) == 0) { |
1164 | 4.77k | *nid = -1; |
1165 | 4.77k | if (key_type_is_ecdsa_variant(impl->type)) |
1166 | 1.59k | *nid = impl->nid; |
1167 | 4.77k | return impl->type; |
1168 | 4.77k | } |
1169 | 5.57k | } |
1170 | 0 | return KEY_UNSPEC; |
1171 | 4.77k | } |
1172 | | |
1173 | | /* XXX this can now be made const char * */ |
1174 | | int |
1175 | | sshkey_read(struct sshkey *ret, char **cpp) |
1176 | 4.77k | { |
1177 | 4.77k | struct sshkey *k; |
1178 | 4.77k | char *cp, *blobcopy; |
1179 | 4.77k | size_t space; |
1180 | 4.77k | int r, type, curve_nid = -1; |
1181 | 4.77k | struct sshbuf *blob; |
1182 | | |
1183 | 4.77k | if (ret == NULL) |
1184 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1185 | 4.77k | if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL) |
1186 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1187 | | |
1188 | | /* Decode type */ |
1189 | 4.77k | cp = *cpp; |
1190 | 4.77k | space = strcspn(cp, " \t"); |
1191 | 4.77k | if (space == strlen(cp)) |
1192 | 0 | return SSH_ERR_INVALID_FORMAT; |
1193 | 4.77k | if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) |
1194 | 0 | return SSH_ERR_INVALID_FORMAT; |
1195 | | |
1196 | | /* skip whitespace */ |
1197 | 9.54k | for (cp += space; *cp == ' ' || *cp == '\t'; cp++) |
1198 | 4.77k | ; |
1199 | 4.77k | if (*cp == '\0') |
1200 | 0 | return SSH_ERR_INVALID_FORMAT; |
1201 | 4.77k | if (ret->type != KEY_UNSPEC && ret->type != type) |
1202 | 0 | return SSH_ERR_KEY_TYPE_MISMATCH; |
1203 | 4.77k | if ((blob = sshbuf_new()) == NULL) |
1204 | 0 | return SSH_ERR_ALLOC_FAIL; |
1205 | | |
1206 | | /* find end of keyblob and decode */ |
1207 | 4.77k | space = strcspn(cp, " \t"); |
1208 | 4.77k | if ((blobcopy = strndup(cp, space)) == NULL) { |
1209 | 0 | sshbuf_free(blob); |
1210 | 0 | return SSH_ERR_ALLOC_FAIL; |
1211 | 0 | } |
1212 | 4.77k | if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { |
1213 | 0 | free(blobcopy); |
1214 | 0 | sshbuf_free(blob); |
1215 | 0 | return r; |
1216 | 0 | } |
1217 | 4.77k | free(blobcopy); |
1218 | 4.77k | if ((r = sshkey_fromb(blob, &k)) != 0) { |
1219 | 0 | sshbuf_free(blob); |
1220 | 0 | return r; |
1221 | 0 | } |
1222 | 4.77k | sshbuf_free(blob); |
1223 | | |
1224 | | /* skip whitespace and leave cp at start of comment */ |
1225 | 7.95k | for (cp += space; *cp == ' ' || *cp == '\t'; cp++) |
1226 | 3.18k | ; |
1227 | | |
1228 | | /* ensure type of blob matches type at start of line */ |
1229 | 4.77k | if (k->type != type) { |
1230 | 0 | sshkey_free(k); |
1231 | 0 | return SSH_ERR_KEY_TYPE_MISMATCH; |
1232 | 0 | } |
1233 | 4.77k | if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { |
1234 | 0 | sshkey_free(k); |
1235 | 0 | return SSH_ERR_EC_CURVE_MISMATCH; |
1236 | 0 | } |
1237 | | |
1238 | | /* Fill in ret from parsed key */ |
1239 | 4.77k | sshkey_free_contents(ret); |
1240 | 4.77k | *ret = *k; |
1241 | 4.77k | freezero(k, sizeof(*k)); |
1242 | | |
1243 | | /* success */ |
1244 | 4.77k | *cpp = cp; |
1245 | 4.77k | return 0; |
1246 | 4.77k | } |
1247 | | |
1248 | | int |
1249 | | sshkey_to_base64(const struct sshkey *key, char **b64p) |
1250 | 0 | { |
1251 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
1252 | 0 | struct sshbuf *b = NULL; |
1253 | 0 | char *uu = NULL; |
1254 | |
|
1255 | 0 | if (b64p != NULL) |
1256 | 0 | *b64p = NULL; |
1257 | 0 | if ((b = sshbuf_new()) == NULL) |
1258 | 0 | return SSH_ERR_ALLOC_FAIL; |
1259 | 0 | if ((r = sshkey_putb(key, b)) != 0) |
1260 | 0 | goto out; |
1261 | 0 | if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) { |
1262 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1263 | 0 | goto out; |
1264 | 0 | } |
1265 | | /* Success */ |
1266 | 0 | if (b64p != NULL) { |
1267 | 0 | *b64p = uu; |
1268 | 0 | uu = NULL; |
1269 | 0 | } |
1270 | 0 | r = 0; |
1271 | 0 | out: |
1272 | 0 | sshbuf_free(b); |
1273 | 0 | free(uu); |
1274 | 0 | return r; |
1275 | 0 | } |
1276 | | |
1277 | | int |
1278 | | sshkey_format_text(const struct sshkey *key, struct sshbuf *b) |
1279 | 0 | { |
1280 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
1281 | 0 | char *uu = NULL; |
1282 | |
|
1283 | 0 | if ((r = sshkey_to_base64(key, &uu)) != 0) |
1284 | 0 | goto out; |
1285 | 0 | if ((r = sshbuf_putf(b, "%s %s", |
1286 | 0 | sshkey_ssh_name(key), uu)) != 0) |
1287 | 0 | goto out; |
1288 | 0 | r = 0; |
1289 | 0 | out: |
1290 | 0 | free(uu); |
1291 | 0 | return r; |
1292 | 0 | } |
1293 | | |
1294 | | int |
1295 | | sshkey_write(const struct sshkey *key, FILE *f) |
1296 | 0 | { |
1297 | 0 | struct sshbuf *b = NULL; |
1298 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
1299 | |
|
1300 | 0 | if ((b = sshbuf_new()) == NULL) |
1301 | 0 | return SSH_ERR_ALLOC_FAIL; |
1302 | 0 | if ((r = sshkey_format_text(key, b)) != 0) |
1303 | 0 | goto out; |
1304 | 0 | if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { |
1305 | 0 | if (feof(f)) |
1306 | 0 | errno = EPIPE; |
1307 | 0 | r = SSH_ERR_SYSTEM_ERROR; |
1308 | 0 | goto out; |
1309 | 0 | } |
1310 | | /* Success */ |
1311 | 0 | r = 0; |
1312 | 0 | out: |
1313 | 0 | sshbuf_free(b); |
1314 | 0 | return r; |
1315 | 0 | } |
1316 | | |
1317 | | const char * |
1318 | | sshkey_cert_type(const struct sshkey *k) |
1319 | 0 | { |
1320 | 0 | switch (k->cert->type) { |
1321 | 0 | case SSH2_CERT_TYPE_USER: |
1322 | 0 | return "user"; |
1323 | 0 | case SSH2_CERT_TYPE_HOST: |
1324 | 0 | return "host"; |
1325 | 0 | default: |
1326 | 0 | return "unknown"; |
1327 | 0 | } |
1328 | 0 | } |
1329 | | |
1330 | | int |
1331 | | sshkey_check_rsa_length(const struct sshkey *k, int min_size) |
1332 | 4.99k | { |
1333 | 4.99k | #ifdef WITH_OPENSSL |
1334 | 4.99k | const BIGNUM *rsa_n; |
1335 | 4.99k | int nbits; |
1336 | | |
1337 | 4.99k | if (k == NULL || k->rsa == NULL || |
1338 | 4.99k | (k->type != KEY_RSA && k->type != KEY_RSA_CERT)) |
1339 | 0 | return 0; |
1340 | 4.99k | RSA_get0_key(k->rsa, &rsa_n, NULL, NULL); |
1341 | 4.99k | nbits = BN_num_bits(rsa_n); |
1342 | 4.99k | if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE || |
1343 | 4.99k | (min_size > 0 && nbits < min_size)) |
1344 | 76 | return SSH_ERR_KEY_LENGTH; |
1345 | 4.91k | #endif /* WITH_OPENSSL */ |
1346 | 4.91k | return 0; |
1347 | 4.99k | } |
1348 | | |
1349 | | #ifdef WITH_OPENSSL |
1350 | | # ifdef OPENSSL_HAS_ECC |
1351 | | int |
1352 | | sshkey_ecdsa_key_to_nid(EC_KEY *k) |
1353 | 0 | { |
1354 | 0 | EC_GROUP *eg; |
1355 | 0 | int nids[] = { |
1356 | 0 | NID_X9_62_prime256v1, |
1357 | 0 | NID_secp384r1, |
1358 | 0 | # ifdef OPENSSL_HAS_NISTP521 |
1359 | 0 | NID_secp521r1, |
1360 | 0 | # endif /* OPENSSL_HAS_NISTP521 */ |
1361 | 0 | -1 |
1362 | 0 | }; |
1363 | 0 | int nid; |
1364 | 0 | u_int i; |
1365 | 0 | const EC_GROUP *g = EC_KEY_get0_group(k); |
1366 | | |
1367 | | /* |
1368 | | * The group may be stored in a ASN.1 encoded private key in one of two |
1369 | | * ways: as a "named group", which is reconstituted by ASN.1 object ID |
1370 | | * or explicit group parameters encoded into the key blob. Only the |
1371 | | * "named group" case sets the group NID for us, but we can figure |
1372 | | * it out for the other case by comparing against all the groups that |
1373 | | * are supported. |
1374 | | */ |
1375 | 0 | if ((nid = EC_GROUP_get_curve_name(g)) > 0) |
1376 | 0 | return nid; |
1377 | 0 | for (i = 0; nids[i] != -1; i++) { |
1378 | 0 | if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) |
1379 | 0 | return -1; |
1380 | 0 | if (EC_GROUP_cmp(g, eg, NULL) == 0) |
1381 | 0 | break; |
1382 | 0 | EC_GROUP_free(eg); |
1383 | 0 | } |
1384 | 0 | if (nids[i] != -1) { |
1385 | | /* Use the group with the NID attached */ |
1386 | 0 | EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); |
1387 | 0 | if (EC_KEY_set_group(k, eg) != 1) { |
1388 | 0 | EC_GROUP_free(eg); |
1389 | 0 | return -1; |
1390 | 0 | } |
1391 | 0 | } |
1392 | 0 | return nids[i]; |
1393 | 0 | } |
1394 | | # endif /* OPENSSL_HAS_ECC */ |
1395 | | #endif /* WITH_OPENSSL */ |
1396 | | |
1397 | | int |
1398 | | sshkey_generate(int type, u_int bits, struct sshkey **keyp) |
1399 | 6 | { |
1400 | 6 | struct sshkey *k; |
1401 | 6 | int ret = SSH_ERR_INTERNAL_ERROR; |
1402 | 6 | const struct sshkey_impl *impl; |
1403 | | |
1404 | 6 | if (keyp == NULL || sshkey_type_is_cert(type)) |
1405 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1406 | 6 | *keyp = NULL; |
1407 | 6 | if ((impl = sshkey_impl_from_type(type)) == NULL) |
1408 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
1409 | 6 | if (impl->funcs->generate == NULL) |
1410 | 0 | return SSH_ERR_FEATURE_UNSUPPORTED; |
1411 | 6 | if ((k = sshkey_new(KEY_UNSPEC)) == NULL) |
1412 | 0 | return SSH_ERR_ALLOC_FAIL; |
1413 | 6 | k->type = type; |
1414 | 6 | if ((ret = impl->funcs->generate(k, bits)) != 0) { |
1415 | 0 | sshkey_free(k); |
1416 | 0 | return ret; |
1417 | 0 | } |
1418 | | /* success */ |
1419 | 6 | *keyp = k; |
1420 | 6 | return 0; |
1421 | 6 | } |
1422 | | |
1423 | | int |
1424 | | sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) |
1425 | 4.77k | { |
1426 | 4.77k | u_int i; |
1427 | 4.77k | const struct sshkey_cert *from; |
1428 | 4.77k | struct sshkey_cert *to; |
1429 | 4.77k | int r = SSH_ERR_INTERNAL_ERROR; |
1430 | | |
1431 | 4.77k | if (to_key == NULL || (from = from_key->cert) == NULL) |
1432 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
1433 | | |
1434 | 4.77k | if ((to = cert_new()) == NULL) |
1435 | 0 | return SSH_ERR_ALLOC_FAIL; |
1436 | | |
1437 | 4.77k | if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || |
1438 | 4.77k | (r = sshbuf_putb(to->critical, from->critical)) != 0 || |
1439 | 4.77k | (r = sshbuf_putb(to->extensions, from->extensions)) != 0) |
1440 | 0 | goto out; |
1441 | | |
1442 | 4.77k | to->serial = from->serial; |
1443 | 4.77k | to->type = from->type; |
1444 | 4.77k | if (from->key_id == NULL) |
1445 | 0 | to->key_id = NULL; |
1446 | 4.77k | else if ((to->key_id = strdup(from->key_id)) == NULL) { |
1447 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1448 | 0 | goto out; |
1449 | 0 | } |
1450 | 4.77k | to->valid_after = from->valid_after; |
1451 | 4.77k | to->valid_before = from->valid_before; |
1452 | 4.77k | if (from->signature_key == NULL) |
1453 | 0 | to->signature_key = NULL; |
1454 | 4.77k | else if ((r = sshkey_from_private(from->signature_key, |
1455 | 4.77k | &to->signature_key)) != 0) |
1456 | 0 | goto out; |
1457 | 4.77k | if (from->signature_type != NULL && |
1458 | 4.77k | (to->signature_type = strdup(from->signature_type)) == NULL) { |
1459 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1460 | 0 | goto out; |
1461 | 0 | } |
1462 | 4.77k | if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) { |
1463 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
1464 | 0 | goto out; |
1465 | 0 | } |
1466 | 4.77k | if (from->nprincipals > 0) { |
1467 | 4.77k | if ((to->principals = calloc(from->nprincipals, |
1468 | 4.77k | sizeof(*to->principals))) == NULL) { |
1469 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1470 | 0 | goto out; |
1471 | 0 | } |
1472 | 14.3k | for (i = 0; i < from->nprincipals; i++) { |
1473 | 9.54k | to->principals[i] = strdup(from->principals[i]); |
1474 | 9.54k | if (to->principals[i] == NULL) { |
1475 | 0 | to->nprincipals = i; |
1476 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1477 | 0 | goto out; |
1478 | 0 | } |
1479 | 9.54k | } |
1480 | 4.77k | } |
1481 | 4.77k | to->nprincipals = from->nprincipals; |
1482 | | |
1483 | | /* success */ |
1484 | 4.77k | cert_free(to_key->cert); |
1485 | 4.77k | to_key->cert = to; |
1486 | 4.77k | to = NULL; |
1487 | 4.77k | r = 0; |
1488 | 4.77k | out: |
1489 | 4.77k | cert_free(to); |
1490 | 4.77k | return r; |
1491 | 4.77k | } |
1492 | | |
1493 | | int |
1494 | | sshkey_copy_public_sk(const struct sshkey *from, struct sshkey *to) |
1495 | 0 | { |
1496 | | /* Append security-key application string */ |
1497 | 0 | if ((to->sk_application = strdup(from->sk_application)) == NULL) |
1498 | 0 | return SSH_ERR_ALLOC_FAIL; |
1499 | 0 | return 0; |
1500 | 0 | } |
1501 | | |
1502 | | int |
1503 | | sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) |
1504 | 130k | { |
1505 | 130k | struct sshkey *n = NULL; |
1506 | 130k | int r = SSH_ERR_INTERNAL_ERROR; |
1507 | 130k | const struct sshkey_impl *impl; |
1508 | | |
1509 | 130k | *pkp = NULL; |
1510 | 130k | if ((impl = sshkey_impl_from_key(k)) == NULL) |
1511 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
1512 | 130k | if ((n = sshkey_new(k->type)) == NULL) { |
1513 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1514 | 0 | goto out; |
1515 | 0 | } |
1516 | 130k | if ((r = impl->funcs->copy_public(k, n)) != 0) |
1517 | 0 | goto out; |
1518 | 130k | if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) |
1519 | 0 | goto out; |
1520 | | /* success */ |
1521 | 130k | *pkp = n; |
1522 | 130k | n = NULL; |
1523 | 130k | r = 0; |
1524 | 130k | out: |
1525 | 130k | sshkey_free(n); |
1526 | 130k | return r; |
1527 | 130k | } |
1528 | | |
1529 | | int |
1530 | | sshkey_is_shielded(struct sshkey *k) |
1531 | 1.71k | { |
1532 | 1.71k | return k != NULL && k->shielded_private != NULL; |
1533 | 1.71k | } |
1534 | | |
1535 | | int |
1536 | | sshkey_shield_private(struct sshkey *k) |
1537 | 0 | { |
1538 | 0 | struct sshbuf *prvbuf = NULL; |
1539 | 0 | u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH]; |
1540 | 0 | struct sshcipher_ctx *cctx = NULL; |
1541 | 0 | const struct sshcipher *cipher; |
1542 | 0 | size_t i, enclen = 0; |
1543 | 0 | struct sshkey *kswap = NULL, tmp; |
1544 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
1545 | |
|
1546 | | #ifdef DEBUG_PK |
1547 | | fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); |
1548 | | #endif |
1549 | 0 | if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { |
1550 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
1551 | 0 | goto out; |
1552 | 0 | } |
1553 | 0 | if (cipher_keylen(cipher) + cipher_ivlen(cipher) > |
1554 | 0 | ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { |
1555 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
1556 | 0 | goto out; |
1557 | 0 | } |
1558 | | |
1559 | | /* Prepare a random pre-key, and from it an ephemeral key */ |
1560 | 0 | if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) { |
1561 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1562 | 0 | goto out; |
1563 | 0 | } |
1564 | 0 | arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN); |
1565 | 0 | if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, |
1566 | 0 | prekey, SSHKEY_SHIELD_PREKEY_LEN, |
1567 | 0 | keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) |
1568 | 0 | goto out; |
1569 | | #ifdef DEBUG_PK |
1570 | | fprintf(stderr, "%s: key+iv\n", __func__); |
1571 | | sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), |
1572 | | stderr); |
1573 | | #endif |
1574 | 0 | if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), |
1575 | 0 | keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) |
1576 | 0 | goto out; |
1577 | | |
1578 | | /* Serialise and encrypt the private key using the ephemeral key */ |
1579 | 0 | if ((prvbuf = sshbuf_new()) == NULL) { |
1580 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1581 | 0 | goto out; |
1582 | 0 | } |
1583 | 0 | if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) |
1584 | 0 | goto out; |
1585 | 0 | if ((r = sshkey_private_serialize_opt(k, prvbuf, |
1586 | 0 | SSHKEY_SERIALIZE_SHIELD)) != 0) |
1587 | 0 | goto out; |
1588 | | /* pad to cipher blocksize */ |
1589 | 0 | i = 0; |
1590 | 0 | while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { |
1591 | 0 | if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) |
1592 | 0 | goto out; |
1593 | 0 | } |
1594 | | #ifdef DEBUG_PK |
1595 | | fprintf(stderr, "%s: serialised\n", __func__); |
1596 | | sshbuf_dump(prvbuf, stderr); |
1597 | | #endif |
1598 | | /* encrypt */ |
1599 | 0 | enclen = sshbuf_len(prvbuf); |
1600 | 0 | if ((enc = malloc(enclen)) == NULL) { |
1601 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1602 | 0 | goto out; |
1603 | 0 | } |
1604 | 0 | if ((r = cipher_crypt(cctx, 0, enc, |
1605 | 0 | sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) |
1606 | 0 | goto out; |
1607 | | #ifdef DEBUG_PK |
1608 | | fprintf(stderr, "%s: encrypted\n", __func__); |
1609 | | sshbuf_dump_data(enc, enclen, stderr); |
1610 | | #endif |
1611 | | |
1612 | | /* Make a scrubbed, public-only copy of our private key argument */ |
1613 | 0 | if ((r = sshkey_from_private(k, &kswap)) != 0) |
1614 | 0 | goto out; |
1615 | | |
1616 | | /* Swap the private key out (it will be destroyed below) */ |
1617 | 0 | tmp = *kswap; |
1618 | 0 | *kswap = *k; |
1619 | 0 | *k = tmp; |
1620 | | |
1621 | | /* Insert the shielded key into our argument */ |
1622 | 0 | k->shielded_private = enc; |
1623 | 0 | k->shielded_len = enclen; |
1624 | 0 | k->shield_prekey = prekey; |
1625 | 0 | k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN; |
1626 | 0 | enc = prekey = NULL; /* transferred */ |
1627 | 0 | enclen = 0; |
1628 | | |
1629 | | /* preserve key fields that are required for correct operation */ |
1630 | 0 | k->sk_flags = kswap->sk_flags; |
1631 | | |
1632 | | /* success */ |
1633 | 0 | r = 0; |
1634 | |
|
1635 | 0 | out: |
1636 | | /* XXX behaviour on error - invalidate original private key? */ |
1637 | 0 | cipher_free(cctx); |
1638 | 0 | explicit_bzero(keyiv, sizeof(keyiv)); |
1639 | 0 | explicit_bzero(&tmp, sizeof(tmp)); |
1640 | 0 | freezero(enc, enclen); |
1641 | 0 | freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN); |
1642 | 0 | sshkey_free(kswap); |
1643 | 0 | sshbuf_free(prvbuf); |
1644 | 0 | return r; |
1645 | 0 | } |
1646 | | |
1647 | | /* Check deterministic padding after private key */ |
1648 | | static int |
1649 | | private2_check_padding(struct sshbuf *decrypted) |
1650 | 9.54k | { |
1651 | 9.54k | u_char pad; |
1652 | 9.54k | size_t i; |
1653 | 9.54k | int r; |
1654 | | |
1655 | 9.54k | i = 0; |
1656 | 52.4k | while (sshbuf_len(decrypted)) { |
1657 | 42.9k | if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) |
1658 | 0 | goto out; |
1659 | 42.9k | if (pad != (++i & 0xff)) { |
1660 | 0 | r = SSH_ERR_INVALID_FORMAT; |
1661 | 0 | goto out; |
1662 | 0 | } |
1663 | 42.9k | } |
1664 | | /* success */ |
1665 | 9.54k | r = 0; |
1666 | 9.54k | out: |
1667 | 9.54k | explicit_bzero(&pad, sizeof(pad)); |
1668 | 9.54k | explicit_bzero(&i, sizeof(i)); |
1669 | 9.54k | return r; |
1670 | 9.54k | } |
1671 | | |
1672 | | int |
1673 | | sshkey_unshield_private(struct sshkey *k) |
1674 | 858 | { |
1675 | 858 | struct sshbuf *prvbuf = NULL; |
1676 | 858 | u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH]; |
1677 | 858 | struct sshcipher_ctx *cctx = NULL; |
1678 | 858 | const struct sshcipher *cipher; |
1679 | 858 | struct sshkey *kswap = NULL, tmp; |
1680 | 858 | int r = SSH_ERR_INTERNAL_ERROR; |
1681 | | |
1682 | | #ifdef DEBUG_PK |
1683 | | fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); |
1684 | | #endif |
1685 | 858 | if (!sshkey_is_shielded(k)) |
1686 | 858 | return 0; /* nothing to do */ |
1687 | | |
1688 | 0 | if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) { |
1689 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
1690 | 0 | goto out; |
1691 | 0 | } |
1692 | 0 | if (cipher_keylen(cipher) + cipher_ivlen(cipher) > |
1693 | 0 | ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) { |
1694 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
1695 | 0 | goto out; |
1696 | 0 | } |
1697 | | /* check size of shielded key blob */ |
1698 | 0 | if (k->shielded_len < cipher_blocksize(cipher) || |
1699 | 0 | (k->shielded_len % cipher_blocksize(cipher)) != 0) { |
1700 | 0 | r = SSH_ERR_INVALID_FORMAT; |
1701 | 0 | goto out; |
1702 | 0 | } |
1703 | | |
1704 | | /* Calculate the ephemeral key from the prekey */ |
1705 | 0 | if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH, |
1706 | 0 | k->shield_prekey, k->shield_prekey_len, |
1707 | 0 | keyiv, SSH_DIGEST_MAX_LENGTH)) != 0) |
1708 | 0 | goto out; |
1709 | 0 | if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), |
1710 | 0 | keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) |
1711 | 0 | goto out; |
1712 | | #ifdef DEBUG_PK |
1713 | | fprintf(stderr, "%s: key+iv\n", __func__); |
1714 | | sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH), |
1715 | | stderr); |
1716 | | #endif |
1717 | | |
1718 | | /* Decrypt and parse the shielded private key using the ephemeral key */ |
1719 | 0 | if ((prvbuf = sshbuf_new()) == NULL) { |
1720 | 0 | r = SSH_ERR_ALLOC_FAIL; |
1721 | 0 | goto out; |
1722 | 0 | } |
1723 | 0 | if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) |
1724 | 0 | goto out; |
1725 | | /* decrypt */ |
1726 | | #ifdef DEBUG_PK |
1727 | | fprintf(stderr, "%s: encrypted\n", __func__); |
1728 | | sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr); |
1729 | | #endif |
1730 | 0 | if ((r = cipher_crypt(cctx, 0, cp, |
1731 | 0 | k->shielded_private, k->shielded_len, 0, 0)) != 0) |
1732 | 0 | goto out; |
1733 | | #ifdef DEBUG_PK |
1734 | | fprintf(stderr, "%s: serialised\n", __func__); |
1735 | | sshbuf_dump(prvbuf, stderr); |
1736 | | #endif |
1737 | | /* Parse private key */ |
1738 | 0 | if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) |
1739 | 0 | goto out; |
1740 | | |
1741 | 0 | if ((r = private2_check_padding(prvbuf)) != 0) |
1742 | 0 | goto out; |
1743 | | |
1744 | | /* Swap the parsed key back into place */ |
1745 | 0 | tmp = *kswap; |
1746 | 0 | *kswap = *k; |
1747 | 0 | *k = tmp; |
1748 | | |
1749 | | /* success */ |
1750 | 0 | r = 0; |
1751 | |
|
1752 | 0 | out: |
1753 | 0 | cipher_free(cctx); |
1754 | 0 | explicit_bzero(keyiv, sizeof(keyiv)); |
1755 | 0 | explicit_bzero(&tmp, sizeof(tmp)); |
1756 | 0 | sshkey_free(kswap); |
1757 | 0 | sshbuf_free(prvbuf); |
1758 | 0 | return r; |
1759 | 0 | } |
1760 | | |
1761 | | static int |
1762 | | cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) |
1763 | 8.93k | { |
1764 | 8.93k | struct sshbuf *principals = NULL, *crit = NULL; |
1765 | 8.93k | struct sshbuf *exts = NULL, *ca = NULL; |
1766 | 8.93k | u_char *sig = NULL; |
1767 | 8.93k | size_t signed_len = 0, slen = 0, kidlen = 0; |
1768 | 8.93k | int ret = SSH_ERR_INTERNAL_ERROR; |
1769 | | |
1770 | | /* Copy the entire key blob for verification and later serialisation */ |
1771 | 8.93k | if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) |
1772 | 0 | return ret; |
1773 | | |
1774 | | /* Parse body of certificate up to signature */ |
1775 | 8.93k | if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || |
1776 | 8.93k | (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || |
1777 | 8.93k | (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || |
1778 | 8.93k | (ret = sshbuf_froms(b, &principals)) != 0 || |
1779 | 8.93k | (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || |
1780 | 8.93k | (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || |
1781 | 8.93k | (ret = sshbuf_froms(b, &crit)) != 0 || |
1782 | 8.93k | (ret = sshbuf_froms(b, &exts)) != 0 || |
1783 | 8.93k | (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || |
1784 | 8.93k | (ret = sshbuf_froms(b, &ca)) != 0) { |
1785 | | /* XXX debug print error for ret */ |
1786 | 276 | ret = SSH_ERR_INVALID_FORMAT; |
1787 | 276 | goto out; |
1788 | 276 | } |
1789 | | |
1790 | | /* Signature is left in the buffer so we can calculate this length */ |
1791 | 8.65k | signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); |
1792 | | |
1793 | 8.65k | if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { |
1794 | 37 | ret = SSH_ERR_INVALID_FORMAT; |
1795 | 37 | goto out; |
1796 | 37 | } |
1797 | | |
1798 | 8.62k | if (key->cert->type != SSH2_CERT_TYPE_USER && |
1799 | 8.62k | key->cert->type != SSH2_CERT_TYPE_HOST) { |
1800 | 165 | ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; |
1801 | 165 | goto out; |
1802 | 165 | } |
1803 | | |
1804 | | /* Parse principals section */ |
1805 | 27.5k | while (sshbuf_len(principals) > 0) { |
1806 | 19.2k | char *principal = NULL; |
1807 | 19.2k | char **oprincipals = NULL; |
1808 | | |
1809 | 19.2k | if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { |
1810 | 4 | ret = SSH_ERR_INVALID_FORMAT; |
1811 | 4 | goto out; |
1812 | 4 | } |
1813 | 19.1k | if ((ret = sshbuf_get_cstring(principals, &principal, |
1814 | 19.1k | NULL)) != 0) { |
1815 | 94 | ret = SSH_ERR_INVALID_FORMAT; |
1816 | 94 | goto out; |
1817 | 94 | } |
1818 | 19.1k | oprincipals = key->cert->principals; |
1819 | 19.1k | key->cert->principals = recallocarray(key->cert->principals, |
1820 | 19.1k | key->cert->nprincipals, key->cert->nprincipals + 1, |
1821 | 19.1k | sizeof(*key->cert->principals)); |
1822 | 19.1k | if (key->cert->principals == NULL) { |
1823 | 0 | free(principal); |
1824 | 0 | key->cert->principals = oprincipals; |
1825 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
1826 | 0 | goto out; |
1827 | 0 | } |
1828 | 19.1k | key->cert->principals[key->cert->nprincipals++] = principal; |
1829 | 19.1k | } |
1830 | | |
1831 | | /* |
1832 | | * Stash a copies of the critical options and extensions sections |
1833 | | * for later use. |
1834 | | */ |
1835 | 8.35k | if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || |
1836 | 8.35k | (exts != NULL && |
1837 | 8.35k | (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) |
1838 | 0 | goto out; |
1839 | | |
1840 | | /* |
1841 | | * Validate critical options and extensions sections format. |
1842 | | */ |
1843 | 24.0k | while (sshbuf_len(crit) != 0) { |
1844 | 15.8k | if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 || |
1845 | 15.8k | (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) { |
1846 | 130 | sshbuf_reset(key->cert->critical); |
1847 | 130 | ret = SSH_ERR_INVALID_FORMAT; |
1848 | 130 | goto out; |
1849 | 130 | } |
1850 | 15.8k | } |
1851 | 35.0k | while (exts != NULL && sshbuf_len(exts) != 0) { |
1852 | 26.9k | if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 || |
1853 | 26.9k | (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) { |
1854 | 102 | sshbuf_reset(key->cert->extensions); |
1855 | 102 | ret = SSH_ERR_INVALID_FORMAT; |
1856 | 102 | goto out; |
1857 | 102 | } |
1858 | 26.9k | } |
1859 | | |
1860 | | /* Parse CA key and check signature */ |
1861 | 8.12k | if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { |
1862 | 242 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; |
1863 | 242 | goto out; |
1864 | 242 | } |
1865 | 7.88k | if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { |
1866 | 0 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; |
1867 | 0 | goto out; |
1868 | 0 | } |
1869 | 7.88k | if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, |
1870 | 7.88k | sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) |
1871 | 3.10k | goto out; |
1872 | 4.77k | if ((ret = sshkey_get_sigtype(sig, slen, |
1873 | 4.77k | &key->cert->signature_type)) != 0) |
1874 | 0 | goto out; |
1875 | | |
1876 | | /* Success */ |
1877 | 4.77k | ret = 0; |
1878 | 8.93k | out: |
1879 | 8.93k | sshbuf_free(ca); |
1880 | 8.93k | sshbuf_free(crit); |
1881 | 8.93k | sshbuf_free(exts); |
1882 | 8.93k | sshbuf_free(principals); |
1883 | 8.93k | free(sig); |
1884 | 8.93k | return ret; |
1885 | 4.77k | } |
1886 | | |
1887 | | int |
1888 | | sshkey_deserialize_sk(struct sshbuf *b, struct sshkey *key) |
1889 | 5.83k | { |
1890 | | /* Parse additional security-key application string */ |
1891 | 5.83k | if (sshbuf_get_cstring(b, &key->sk_application, NULL) != 0) |
1892 | 11 | return SSH_ERR_INVALID_FORMAT; |
1893 | 5.82k | return 0; |
1894 | 5.83k | } |
1895 | | |
1896 | | static int |
1897 | | sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, |
1898 | | int allow_cert) |
1899 | 31.0k | { |
1900 | 31.0k | int type, ret = SSH_ERR_INTERNAL_ERROR; |
1901 | 31.0k | char *ktype = NULL; |
1902 | 31.0k | struct sshkey *key = NULL; |
1903 | 31.0k | struct sshbuf *copy; |
1904 | 31.0k | const struct sshkey_impl *impl; |
1905 | | |
1906 | | #ifdef DEBUG_PK /* XXX */ |
1907 | | sshbuf_dump(b, stderr); |
1908 | | #endif |
1909 | 31.0k | if (keyp != NULL) |
1910 | 31.0k | *keyp = NULL; |
1911 | 31.0k | if ((copy = sshbuf_fromb(b)) == NULL) { |
1912 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
1913 | 0 | goto out; |
1914 | 0 | } |
1915 | 31.0k | if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { |
1916 | 356 | ret = SSH_ERR_INVALID_FORMAT; |
1917 | 356 | goto out; |
1918 | 356 | } |
1919 | | |
1920 | 30.6k | type = sshkey_type_from_name(ktype); |
1921 | 30.6k | if (!allow_cert && sshkey_type_is_cert(type)) { |
1922 | 8 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; |
1923 | 8 | goto out; |
1924 | 8 | } |
1925 | 30.6k | if ((impl = sshkey_impl_from_type(type)) == NULL) { |
1926 | 929 | ret = SSH_ERR_KEY_TYPE_UNKNOWN; |
1927 | 929 | goto out; |
1928 | 929 | } |
1929 | 29.7k | if ((key = sshkey_new(type)) == NULL) { |
1930 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
1931 | 0 | goto out; |
1932 | 0 | } |
1933 | 29.7k | if (sshkey_type_is_cert(type)) { |
1934 | | /* Skip nonce that precedes all certificates */ |
1935 | 9.10k | if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { |
1936 | 105 | ret = SSH_ERR_INVALID_FORMAT; |
1937 | 105 | goto out; |
1938 | 105 | } |
1939 | 9.10k | } |
1940 | 29.6k | if ((ret = impl->funcs->deserialize_public(ktype, b, key)) != 0) |
1941 | 1.84k | goto out; |
1942 | | |
1943 | | /* Parse certificate potion */ |
1944 | 27.7k | if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) |
1945 | 4.15k | goto out; |
1946 | | |
1947 | 23.6k | if (key != NULL && sshbuf_len(b) != 0) { |
1948 | 111 | ret = SSH_ERR_INVALID_FORMAT; |
1949 | 111 | goto out; |
1950 | 111 | } |
1951 | 23.5k | ret = 0; |
1952 | 23.5k | if (keyp != NULL) { |
1953 | 23.5k | *keyp = key; |
1954 | 23.5k | key = NULL; |
1955 | 23.5k | } |
1956 | 31.0k | out: |
1957 | 31.0k | sshbuf_free(copy); |
1958 | 31.0k | sshkey_free(key); |
1959 | 31.0k | free(ktype); |
1960 | 31.0k | return ret; |
1961 | 23.5k | } |
1962 | | |
1963 | | int |
1964 | | sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) |
1965 | 2.99k | { |
1966 | 2.99k | struct sshbuf *b; |
1967 | 2.99k | int r; |
1968 | | |
1969 | 2.99k | if ((b = sshbuf_from(blob, blen)) == NULL) |
1970 | 0 | return SSH_ERR_ALLOC_FAIL; |
1971 | 2.99k | r = sshkey_from_blob_internal(b, keyp, 1); |
1972 | 2.99k | sshbuf_free(b); |
1973 | 2.99k | return r; |
1974 | 2.99k | } |
1975 | | |
1976 | | int |
1977 | | sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) |
1978 | 5.94k | { |
1979 | 5.94k | return sshkey_from_blob_internal(b, keyp, 1); |
1980 | 5.94k | } |
1981 | | |
1982 | | int |
1983 | | sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) |
1984 | 14.0k | { |
1985 | 14.0k | struct sshbuf *b; |
1986 | 14.0k | int r; |
1987 | | |
1988 | 14.0k | if ((r = sshbuf_froms(buf, &b)) != 0) |
1989 | 123 | return r; |
1990 | 13.9k | r = sshkey_from_blob_internal(b, keyp, 1); |
1991 | 13.9k | sshbuf_free(b); |
1992 | 13.9k | return r; |
1993 | 14.0k | } |
1994 | | |
1995 | | int |
1996 | | sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) |
1997 | 4.81k | { |
1998 | 4.81k | int r; |
1999 | 4.81k | struct sshbuf *b = NULL; |
2000 | 4.81k | char *sigtype = NULL; |
2001 | | |
2002 | 4.81k | if (sigtypep != NULL) |
2003 | 4.81k | *sigtypep = NULL; |
2004 | 4.81k | if ((b = sshbuf_from(sig, siglen)) == NULL) |
2005 | 0 | return SSH_ERR_ALLOC_FAIL; |
2006 | 4.81k | if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0) |
2007 | 2 | goto out; |
2008 | | /* success */ |
2009 | 4.81k | if (sigtypep != NULL) { |
2010 | 4.81k | *sigtypep = sigtype; |
2011 | 4.81k | sigtype = NULL; |
2012 | 4.81k | } |
2013 | 4.81k | r = 0; |
2014 | 4.81k | out: |
2015 | 4.81k | free(sigtype); |
2016 | 4.81k | sshbuf_free(b); |
2017 | 4.81k | return r; |
2018 | 4.81k | } |
2019 | | |
2020 | | /* |
2021 | | * |
2022 | | * Checks whether a certificate's signature type is allowed. |
2023 | | * Returns 0 (success) if the certificate signature type appears in the |
2024 | | * "allowed" pattern-list, or the key is not a certificate to begin with. |
2025 | | * Otherwise returns a ssherr.h code. |
2026 | | */ |
2027 | | int |
2028 | | sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) |
2029 | 0 | { |
2030 | 0 | if (key == NULL || allowed == NULL) |
2031 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2032 | 0 | if (!sshkey_type_is_cert(key->type)) |
2033 | 0 | return 0; |
2034 | 0 | if (key->cert == NULL || key->cert->signature_type == NULL) |
2035 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2036 | 0 | if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) |
2037 | 0 | return SSH_ERR_SIGN_ALG_UNSUPPORTED; |
2038 | 0 | return 0; |
2039 | 0 | } |
2040 | | |
2041 | | /* |
2042 | | * Returns the expected signature algorithm for a given public key algorithm. |
2043 | | */ |
2044 | | const char * |
2045 | | sshkey_sigalg_by_name(const char *name) |
2046 | 0 | { |
2047 | 0 | const struct sshkey_impl *impl; |
2048 | 0 | int i; |
2049 | |
|
2050 | 0 | for (i = 0; keyimpls[i] != NULL; i++) { |
2051 | 0 | impl = keyimpls[i]; |
2052 | 0 | if (strcmp(impl->name, name) != 0) |
2053 | 0 | continue; |
2054 | 0 | if (impl->sigalg != NULL) |
2055 | 0 | return impl->sigalg; |
2056 | 0 | if (!impl->cert) |
2057 | 0 | return impl->name; |
2058 | 0 | return sshkey_ssh_name_from_type_nid( |
2059 | 0 | sshkey_type_plain(impl->type), impl->nid); |
2060 | 0 | } |
2061 | 0 | return NULL; |
2062 | 0 | } |
2063 | | |
2064 | | /* |
2065 | | * Verifies that the signature algorithm appearing inside the signature blob |
2066 | | * matches that which was requested. |
2067 | | */ |
2068 | | int |
2069 | | sshkey_check_sigtype(const u_char *sig, size_t siglen, |
2070 | | const char *requested_alg) |
2071 | 0 | { |
2072 | 0 | const char *expected_alg; |
2073 | 0 | char *sigtype = NULL; |
2074 | 0 | int r; |
2075 | |
|
2076 | 0 | if (requested_alg == NULL) |
2077 | 0 | return 0; |
2078 | 0 | if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL) |
2079 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2080 | 0 | if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) |
2081 | 0 | return r; |
2082 | 0 | r = strcmp(expected_alg, sigtype) == 0; |
2083 | 0 | free(sigtype); |
2084 | 0 | return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED; |
2085 | 0 | } |
2086 | | |
2087 | | int |
2088 | | sshkey_sign(struct sshkey *key, |
2089 | | u_char **sigp, size_t *lenp, |
2090 | | const u_char *data, size_t datalen, |
2091 | | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
2092 | 858 | { |
2093 | 858 | int was_shielded = sshkey_is_shielded(key); |
2094 | 858 | int r2, r = SSH_ERR_INTERNAL_ERROR; |
2095 | 858 | const struct sshkey_impl *impl; |
2096 | | |
2097 | 858 | if (sigp != NULL) |
2098 | 858 | *sigp = NULL; |
2099 | 858 | if (lenp != NULL) |
2100 | 858 | *lenp = 0; |
2101 | 858 | if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) |
2102 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2103 | 858 | if ((impl = sshkey_impl_from_key(key)) == NULL) |
2104 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
2105 | 858 | if ((r = sshkey_unshield_private(key)) != 0) |
2106 | 0 | return r; |
2107 | 858 | if (sshkey_is_sk(key)) { |
2108 | 0 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, |
2109 | 0 | datalen, compat, sk_pin); |
2110 | 858 | } else { |
2111 | 858 | if (impl->funcs->sign == NULL) |
2112 | 0 | r = SSH_ERR_SIGN_ALG_UNSUPPORTED; |
2113 | 858 | else { |
2114 | 858 | r = impl->funcs->sign(key, sigp, lenp, data, datalen, |
2115 | 858 | alg, sk_provider, sk_pin, compat); |
2116 | 858 | } |
2117 | 858 | } |
2118 | 858 | if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) |
2119 | 0 | return r2; |
2120 | 858 | return r; |
2121 | 858 | } |
2122 | | |
2123 | | /* |
2124 | | * ssh_key_verify returns 0 for a correct signature and < 0 on error. |
2125 | | * If "alg" specified, then the signature must use that algorithm. |
2126 | | */ |
2127 | | int |
2128 | | sshkey_verify(const struct sshkey *key, |
2129 | | const u_char *sig, size_t siglen, |
2130 | | const u_char *data, size_t dlen, const char *alg, u_int compat, |
2131 | | struct sshkey_sig_details **detailsp) |
2132 | 15.8k | { |
2133 | 15.8k | const struct sshkey_impl *impl; |
2134 | | |
2135 | 15.8k | if (detailsp != NULL) |
2136 | 7.44k | *detailsp = NULL; |
2137 | 15.8k | if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) |
2138 | 25 | return SSH_ERR_INVALID_ARGUMENT; |
2139 | 15.7k | if ((impl = sshkey_impl_from_key(key)) == NULL) |
2140 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
2141 | 15.7k | return impl->funcs->verify(key, sig, siglen, data, dlen, |
2142 | 15.7k | alg, compat, detailsp); |
2143 | 15.7k | } |
2144 | | |
2145 | | /* Convert a plain key to their _CERT equivalent */ |
2146 | | int |
2147 | | sshkey_to_certified(struct sshkey *k) |
2148 | 4.77k | { |
2149 | 4.77k | int newtype; |
2150 | | |
2151 | 4.77k | if ((newtype = sshkey_type_certified(k->type)) == -1) |
2152 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2153 | 4.77k | if ((k->cert = cert_new()) == NULL) |
2154 | 0 | return SSH_ERR_ALLOC_FAIL; |
2155 | 4.77k | k->type = newtype; |
2156 | 4.77k | return 0; |
2157 | 4.77k | } |
2158 | | |
2159 | | /* Convert a certificate to its raw key equivalent */ |
2160 | | int |
2161 | | sshkey_drop_cert(struct sshkey *k) |
2162 | 0 | { |
2163 | 0 | if (!sshkey_type_is_cert(k->type)) |
2164 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
2165 | 0 | cert_free(k->cert); |
2166 | 0 | k->cert = NULL; |
2167 | 0 | k->type = sshkey_type_plain(k->type); |
2168 | 0 | return 0; |
2169 | 0 | } |
2170 | | |
2171 | | /* Sign a certified key, (re-)generating the signed certblob. */ |
2172 | | int |
2173 | | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
2174 | | const char *sk_provider, const char *sk_pin, |
2175 | | sshkey_certify_signer *signer, void *signer_ctx) |
2176 | 0 | { |
2177 | 0 | const struct sshkey_impl *impl; |
2178 | 0 | struct sshbuf *principals = NULL; |
2179 | 0 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; |
2180 | 0 | size_t i, ca_len, sig_len; |
2181 | 0 | int ret = SSH_ERR_INTERNAL_ERROR; |
2182 | 0 | struct sshbuf *cert = NULL; |
2183 | 0 | char *sigtype = NULL; |
2184 | |
|
2185 | 0 | if (k == NULL || k->cert == NULL || |
2186 | 0 | k->cert->certblob == NULL || ca == NULL) |
2187 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2188 | 0 | if (!sshkey_is_cert(k)) |
2189 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
2190 | 0 | if (!sshkey_type_is_valid_ca(ca->type)) |
2191 | 0 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; |
2192 | 0 | if ((impl = sshkey_impl_from_key(k)) == NULL) |
2193 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2194 | | |
2195 | | /* |
2196 | | * If no alg specified as argument but a signature_type was set, |
2197 | | * then prefer that. If both were specified, then they must match. |
2198 | | */ |
2199 | 0 | if (alg == NULL) |
2200 | 0 | alg = k->cert->signature_type; |
2201 | 0 | else if (k->cert->signature_type != NULL && |
2202 | 0 | strcmp(alg, k->cert->signature_type) != 0) |
2203 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2204 | | |
2205 | | /* |
2206 | | * If no signing algorithm or signature_type was specified and we're |
2207 | | * using a RSA key, then default to a good signature algorithm. |
2208 | | */ |
2209 | 0 | if (alg == NULL && ca->type == KEY_RSA) |
2210 | 0 | alg = "rsa-sha2-512"; |
2211 | |
|
2212 | 0 | if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) |
2213 | 0 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; |
2214 | | |
2215 | 0 | cert = k->cert->certblob; /* for readability */ |
2216 | 0 | sshbuf_reset(cert); |
2217 | 0 | if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) |
2218 | 0 | goto out; |
2219 | | |
2220 | | /* -v01 certs put nonce first */ |
2221 | 0 | arc4random_buf(&nonce, sizeof(nonce)); |
2222 | 0 | if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) |
2223 | 0 | goto out; |
2224 | | |
2225 | | /* Public key next */ |
2226 | 0 | if ((ret = impl->funcs->serialize_public(k, cert, |
2227 | 0 | SSHKEY_SERIALIZE_DEFAULT)) != 0) |
2228 | 0 | goto out; |
2229 | | |
2230 | | /* Then remaining cert fields */ |
2231 | 0 | if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || |
2232 | 0 | (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || |
2233 | 0 | (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) |
2234 | 0 | goto out; |
2235 | | |
2236 | 0 | if ((principals = sshbuf_new()) == NULL) { |
2237 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
2238 | 0 | goto out; |
2239 | 0 | } |
2240 | 0 | for (i = 0; i < k->cert->nprincipals; i++) { |
2241 | 0 | if ((ret = sshbuf_put_cstring(principals, |
2242 | 0 | k->cert->principals[i])) != 0) |
2243 | 0 | goto out; |
2244 | 0 | } |
2245 | 0 | if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || |
2246 | 0 | (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || |
2247 | 0 | (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || |
2248 | 0 | (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || |
2249 | 0 | (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || |
2250 | 0 | (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ |
2251 | 0 | (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) |
2252 | 0 | goto out; |
2253 | | |
2254 | | /* Sign the whole mess */ |
2255 | 0 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
2256 | 0 | sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) |
2257 | 0 | goto out; |
2258 | | /* Check and update signature_type against what was actually used */ |
2259 | 0 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) |
2260 | 0 | goto out; |
2261 | 0 | if (alg != NULL && strcmp(alg, sigtype) != 0) { |
2262 | 0 | ret = SSH_ERR_SIGN_ALG_UNSUPPORTED; |
2263 | 0 | goto out; |
2264 | 0 | } |
2265 | 0 | if (k->cert->signature_type == NULL) { |
2266 | 0 | k->cert->signature_type = sigtype; |
2267 | 0 | sigtype = NULL; |
2268 | 0 | } |
2269 | | /* Append signature and we are done */ |
2270 | 0 | if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) |
2271 | 0 | goto out; |
2272 | 0 | ret = 0; |
2273 | 0 | out: |
2274 | 0 | if (ret != 0) |
2275 | 0 | sshbuf_reset(cert); |
2276 | 0 | free(sig_blob); |
2277 | 0 | free(ca_blob); |
2278 | 0 | free(sigtype); |
2279 | 0 | sshbuf_free(principals); |
2280 | 0 | return ret; |
2281 | 0 | } |
2282 | | |
2283 | | static int |
2284 | | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, |
2285 | | const u_char *data, size_t datalen, |
2286 | | const char *alg, const char *sk_provider, const char *sk_pin, |
2287 | | u_int compat, void *ctx) |
2288 | 0 | { |
2289 | 0 | if (ctx != NULL) |
2290 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2291 | 0 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, |
2292 | 0 | sk_provider, sk_pin, compat); |
2293 | 0 | } |
2294 | | |
2295 | | int |
2296 | | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, |
2297 | | const char *sk_provider, const char *sk_pin) |
2298 | 0 | { |
2299 | 0 | return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, |
2300 | 0 | default_key_sign, NULL); |
2301 | 0 | } |
2302 | | |
2303 | | int |
2304 | | sshkey_cert_check_authority(const struct sshkey *k, |
2305 | | int want_host, int require_principal, int wildcard_pattern, |
2306 | | uint64_t verify_time, const char *name, const char **reason) |
2307 | 0 | { |
2308 | 0 | u_int i, principal_matches; |
2309 | |
|
2310 | 0 | if (reason == NULL) |
2311 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2312 | 0 | if (!sshkey_is_cert(k)) { |
2313 | 0 | *reason = "Key is not a certificate"; |
2314 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2315 | 0 | } |
2316 | 0 | if (want_host) { |
2317 | 0 | if (k->cert->type != SSH2_CERT_TYPE_HOST) { |
2318 | 0 | *reason = "Certificate invalid: not a host certificate"; |
2319 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2320 | 0 | } |
2321 | 0 | } else { |
2322 | 0 | if (k->cert->type != SSH2_CERT_TYPE_USER) { |
2323 | 0 | *reason = "Certificate invalid: not a user certificate"; |
2324 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2325 | 0 | } |
2326 | 0 | } |
2327 | 0 | if (verify_time < k->cert->valid_after) { |
2328 | 0 | *reason = "Certificate invalid: not yet valid"; |
2329 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2330 | 0 | } |
2331 | 0 | if (verify_time >= k->cert->valid_before) { |
2332 | 0 | *reason = "Certificate invalid: expired"; |
2333 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2334 | 0 | } |
2335 | 0 | if (k->cert->nprincipals == 0) { |
2336 | 0 | if (require_principal) { |
2337 | 0 | *reason = "Certificate lacks principal list"; |
2338 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2339 | 0 | } |
2340 | 0 | } else if (name != NULL) { |
2341 | 0 | principal_matches = 0; |
2342 | 0 | for (i = 0; i < k->cert->nprincipals; i++) { |
2343 | 0 | if (wildcard_pattern) { |
2344 | 0 | if (match_pattern(k->cert->principals[i], |
2345 | 0 | name)) { |
2346 | 0 | principal_matches = 1; |
2347 | 0 | break; |
2348 | 0 | } |
2349 | 0 | } else if (strcmp(name, k->cert->principals[i]) == 0) { |
2350 | 0 | principal_matches = 1; |
2351 | 0 | break; |
2352 | 0 | } |
2353 | 0 | } |
2354 | 0 | if (!principal_matches) { |
2355 | 0 | *reason = "Certificate invalid: name is not a listed " |
2356 | 0 | "principal"; |
2357 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2358 | 0 | } |
2359 | 0 | } |
2360 | 0 | return 0; |
2361 | 0 | } |
2362 | | |
2363 | | int |
2364 | | sshkey_cert_check_authority_now(const struct sshkey *k, |
2365 | | int want_host, int require_principal, int wildcard_pattern, |
2366 | | const char *name, const char **reason) |
2367 | 0 | { |
2368 | 0 | time_t now; |
2369 | |
|
2370 | 0 | if ((now = time(NULL)) < 0) { |
2371 | | /* yikes - system clock before epoch! */ |
2372 | 0 | *reason = "Certificate invalid: not yet valid"; |
2373 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2374 | 0 | } |
2375 | 0 | return sshkey_cert_check_authority(k, want_host, require_principal, |
2376 | 0 | wildcard_pattern, (uint64_t)now, name, reason); |
2377 | 0 | } |
2378 | | |
2379 | | int |
2380 | | sshkey_cert_check_host(const struct sshkey *key, const char *host, |
2381 | | int wildcard_principals, const char *ca_sign_algorithms, |
2382 | | const char **reason) |
2383 | 0 | { |
2384 | 0 | int r; |
2385 | |
|
2386 | 0 | if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, |
2387 | 0 | host, reason)) != 0) |
2388 | 0 | return r; |
2389 | 0 | if (sshbuf_len(key->cert->critical) != 0) { |
2390 | 0 | *reason = "Certificate contains unsupported critical options"; |
2391 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2392 | 0 | } |
2393 | 0 | if (ca_sign_algorithms != NULL && |
2394 | 0 | (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { |
2395 | 0 | *reason = "Certificate signed with disallowed algorithm"; |
2396 | 0 | return SSH_ERR_KEY_CERT_INVALID; |
2397 | 0 | } |
2398 | 0 | return 0; |
2399 | 0 | } |
2400 | | |
2401 | | size_t |
2402 | | sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) |
2403 | 0 | { |
2404 | 0 | char from[32], to[32], ret[128]; |
2405 | |
|
2406 | 0 | *from = *to = '\0'; |
2407 | 0 | if (cert->valid_after == 0 && |
2408 | 0 | cert->valid_before == 0xffffffffffffffffULL) |
2409 | 0 | return strlcpy(s, "forever", l); |
2410 | | |
2411 | 0 | if (cert->valid_after != 0) |
2412 | 0 | format_absolute_time(cert->valid_after, from, sizeof(from)); |
2413 | 0 | if (cert->valid_before != 0xffffffffffffffffULL) |
2414 | 0 | format_absolute_time(cert->valid_before, to, sizeof(to)); |
2415 | |
|
2416 | 0 | if (cert->valid_after == 0) |
2417 | 0 | snprintf(ret, sizeof(ret), "before %s", to); |
2418 | 0 | else if (cert->valid_before == 0xffffffffffffffffULL) |
2419 | 0 | snprintf(ret, sizeof(ret), "after %s", from); |
2420 | 0 | else |
2421 | 0 | snprintf(ret, sizeof(ret), "from %s to %s", from, to); |
2422 | |
|
2423 | 0 | return strlcpy(s, ret, l); |
2424 | 0 | } |
2425 | | |
2426 | | /* Common serialization for FIDO private keys */ |
2427 | | int |
2428 | | sshkey_serialize_private_sk(const struct sshkey *key, struct sshbuf *b) |
2429 | 0 | { |
2430 | 0 | int r; |
2431 | |
|
2432 | 0 | if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0 || |
2433 | 0 | (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || |
2434 | 0 | (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || |
2435 | 0 | (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) |
2436 | 0 | return r; |
2437 | | |
2438 | 0 | return 0; |
2439 | 0 | } |
2440 | | |
2441 | | int |
2442 | | sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, |
2443 | | enum sshkey_serialize_rep opts) |
2444 | 0 | { |
2445 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
2446 | 0 | int was_shielded = sshkey_is_shielded(key); |
2447 | 0 | struct sshbuf *b = NULL; |
2448 | 0 | const struct sshkey_impl *impl; |
2449 | |
|
2450 | 0 | if ((impl = sshkey_impl_from_key(key)) == NULL) |
2451 | 0 | return SSH_ERR_INTERNAL_ERROR; |
2452 | 0 | if ((r = sshkey_unshield_private(key)) != 0) |
2453 | 0 | return r; |
2454 | 0 | if ((b = sshbuf_new()) == NULL) |
2455 | 0 | return SSH_ERR_ALLOC_FAIL; |
2456 | 0 | if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) |
2457 | 0 | goto out; |
2458 | 0 | if (sshkey_is_cert(key)) { |
2459 | 0 | if (key->cert == NULL || |
2460 | 0 | sshbuf_len(key->cert->certblob) == 0) { |
2461 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
2462 | 0 | goto out; |
2463 | 0 | } |
2464 | 0 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0) |
2465 | 0 | goto out; |
2466 | 0 | } |
2467 | 0 | if ((r = impl->funcs->serialize_private(key, b, opts)) != 0) |
2468 | 0 | goto out; |
2469 | | |
2470 | | /* |
2471 | | * success (but we still need to append the output to buf after |
2472 | | * possibly re-shielding the private key) |
2473 | | */ |
2474 | 0 | r = 0; |
2475 | 0 | out: |
2476 | 0 | if (was_shielded) |
2477 | 0 | r = sshkey_shield_private(key); |
2478 | 0 | if (r == 0) |
2479 | 0 | r = sshbuf_putb(buf, b); |
2480 | 0 | sshbuf_free(b); |
2481 | |
|
2482 | 0 | return r; |
2483 | 0 | } |
2484 | | |
2485 | | int |
2486 | | sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) |
2487 | 0 | { |
2488 | 0 | return sshkey_private_serialize_opt(key, b, |
2489 | 0 | SSHKEY_SERIALIZE_DEFAULT); |
2490 | 0 | } |
2491 | | |
2492 | | /* Shared deserialization of FIDO private key components */ |
2493 | | int |
2494 | | sshkey_private_deserialize_sk(struct sshbuf *buf, struct sshkey *k) |
2495 | 3.32k | { |
2496 | 3.32k | int r; |
2497 | | |
2498 | 3.32k | if ((k->sk_key_handle = sshbuf_new()) == NULL || |
2499 | 3.32k | (k->sk_reserved = sshbuf_new()) == NULL) |
2500 | 0 | return SSH_ERR_ALLOC_FAIL; |
2501 | 3.32k | if ((r = sshbuf_get_cstring(buf, &k->sk_application, NULL)) != 0 || |
2502 | 3.32k | (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || |
2503 | 3.32k | (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || |
2504 | 3.32k | (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) |
2505 | 123 | return r; |
2506 | | |
2507 | 3.20k | return 0; |
2508 | 3.32k | } |
2509 | | |
2510 | | int |
2511 | | sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) |
2512 | 13.6k | { |
2513 | 13.6k | const struct sshkey_impl *impl; |
2514 | 13.6k | char *tname = NULL; |
2515 | 13.6k | char *expect_sk_application = NULL; |
2516 | 13.6k | u_char *expect_ed25519_pk = NULL; |
2517 | 13.6k | struct sshkey *k = NULL; |
2518 | 13.6k | int type, r = SSH_ERR_INTERNAL_ERROR; |
2519 | | |
2520 | 13.6k | if (kp != NULL) |
2521 | 13.6k | *kp = NULL; |
2522 | 13.6k | if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) |
2523 | 75 | goto out; |
2524 | 13.5k | type = sshkey_type_from_name(tname); |
2525 | 13.5k | if (sshkey_type_is_cert(type)) { |
2526 | | /* |
2527 | | * Certificate key private keys begin with the certificate |
2528 | | * itself. Make sure this matches the type of the enclosing |
2529 | | * private key. |
2530 | | */ |
2531 | 2.23k | if ((r = sshkey_froms(buf, &k)) != 0) |
2532 | 2.21k | goto out; |
2533 | 15 | if (k->type != type) { |
2534 | 13 | r = SSH_ERR_KEY_CERT_MISMATCH; |
2535 | 13 | goto out; |
2536 | 13 | } |
2537 | | /* For ECDSA keys, the group must match too */ |
2538 | 2 | if (k->type == KEY_ECDSA && |
2539 | 2 | k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { |
2540 | 0 | r = SSH_ERR_KEY_CERT_MISMATCH; |
2541 | 0 | goto out; |
2542 | 0 | } |
2543 | | /* |
2544 | | * Several fields are redundant between certificate and |
2545 | | * private key body, we require these to match. |
2546 | | */ |
2547 | 2 | expect_sk_application = k->sk_application; |
2548 | 2 | expect_ed25519_pk = k->ed25519_pk; |
2549 | 2 | k->sk_application = NULL; |
2550 | 2 | k->ed25519_pk = NULL; |
2551 | | /* XXX xmss too or refactor */ |
2552 | 11.2k | } else { |
2553 | 11.2k | if ((k = sshkey_new(type)) == NULL) { |
2554 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2555 | 0 | goto out; |
2556 | 0 | } |
2557 | 11.2k | } |
2558 | 11.2k | if ((impl = sshkey_impl_from_type(type)) == NULL) { |
2559 | 272 | r = SSH_ERR_INTERNAL_ERROR; |
2560 | 272 | goto out; |
2561 | 272 | } |
2562 | 11.0k | if ((r = impl->funcs->deserialize_private(tname, buf, k)) != 0) |
2563 | 1.43k | goto out; |
2564 | | |
2565 | | /* XXX xmss too or refactor */ |
2566 | 9.59k | if ((expect_sk_application != NULL && (k->sk_application == NULL || |
2567 | 0 | strcmp(expect_sk_application, k->sk_application) != 0)) || |
2568 | 9.59k | (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL || |
2569 | 0 | memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) { |
2570 | 0 | r = SSH_ERR_KEY_CERT_MISMATCH; |
2571 | 0 | goto out; |
2572 | 0 | } |
2573 | | /* success */ |
2574 | 9.59k | r = 0; |
2575 | 9.59k | if (kp != NULL) { |
2576 | 9.59k | *kp = k; |
2577 | 9.59k | k = NULL; |
2578 | 9.59k | } |
2579 | 13.6k | out: |
2580 | 13.6k | free(tname); |
2581 | 13.6k | sshkey_free(k); |
2582 | 13.6k | free(expect_sk_application); |
2583 | 13.6k | free(expect_ed25519_pk); |
2584 | 13.6k | return r; |
2585 | 9.59k | } |
2586 | | |
2587 | | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
2588 | | int |
2589 | | sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) |
2590 | 8.95k | { |
2591 | 8.95k | EC_POINT *nq = NULL; |
2592 | 8.95k | BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL; |
2593 | 8.95k | int ret = SSH_ERR_KEY_INVALID_EC_VALUE; |
2594 | | |
2595 | | /* |
2596 | | * NB. This assumes OpenSSL has already verified that the public |
2597 | | * point lies on the curve. This is done by EC_POINT_oct2point() |
2598 | | * implicitly calling EC_POINT_is_on_curve(). If this code is ever |
2599 | | * reachable with public points not unmarshalled using |
2600 | | * EC_POINT_oct2point then the caller will need to explicitly check. |
2601 | | */ |
2602 | | |
2603 | | /* |
2604 | | * We shouldn't ever hit this case because bignum_get_ecpoint() |
2605 | | * refuses to load GF2m points. |
2606 | | */ |
2607 | 8.95k | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != |
2608 | 8.95k | NID_X9_62_prime_field) |
2609 | 0 | goto out; |
2610 | | |
2611 | | /* Q != infinity */ |
2612 | 8.95k | if (EC_POINT_is_at_infinity(group, public)) |
2613 | 0 | goto out; |
2614 | | |
2615 | 8.95k | if ((x = BN_new()) == NULL || |
2616 | 8.95k | (y = BN_new()) == NULL || |
2617 | 8.95k | (order = BN_new()) == NULL || |
2618 | 8.95k | (tmp = BN_new()) == NULL) { |
2619 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
2620 | 0 | goto out; |
2621 | 0 | } |
2622 | | |
2623 | | /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ |
2624 | 8.95k | if (EC_GROUP_get_order(group, order, NULL) != 1 || |
2625 | 8.95k | EC_POINT_get_affine_coordinates_GFp(group, public, |
2626 | 8.95k | x, y, NULL) != 1) { |
2627 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
2628 | 0 | goto out; |
2629 | 0 | } |
2630 | 8.95k | if (BN_num_bits(x) <= BN_num_bits(order) / 2 || |
2631 | 8.95k | BN_num_bits(y) <= BN_num_bits(order) / 2) |
2632 | 0 | goto out; |
2633 | | |
2634 | | /* nQ == infinity (n == order of subgroup) */ |
2635 | 8.95k | if ((nq = EC_POINT_new(group)) == NULL) { |
2636 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
2637 | 0 | goto out; |
2638 | 0 | } |
2639 | 8.95k | if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) { |
2640 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
2641 | 0 | goto out; |
2642 | 0 | } |
2643 | 8.95k | if (EC_POINT_is_at_infinity(group, nq) != 1) |
2644 | 0 | goto out; |
2645 | | |
2646 | | /* x < order - 1, y < order - 1 */ |
2647 | 8.95k | if (!BN_sub(tmp, order, BN_value_one())) { |
2648 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
2649 | 0 | goto out; |
2650 | 0 | } |
2651 | 8.95k | if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) |
2652 | 0 | goto out; |
2653 | 8.95k | ret = 0; |
2654 | 8.95k | out: |
2655 | 8.95k | BN_clear_free(x); |
2656 | 8.95k | BN_clear_free(y); |
2657 | 8.95k | BN_clear_free(order); |
2658 | 8.95k | BN_clear_free(tmp); |
2659 | 8.95k | EC_POINT_free(nq); |
2660 | 8.95k | return ret; |
2661 | 8.95k | } |
2662 | | |
2663 | | int |
2664 | | sshkey_ec_validate_private(const EC_KEY *key) |
2665 | 1.63k | { |
2666 | 1.63k | BIGNUM *order = NULL, *tmp = NULL; |
2667 | 1.63k | int ret = SSH_ERR_KEY_INVALID_EC_VALUE; |
2668 | | |
2669 | 1.63k | if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) { |
2670 | 0 | ret = SSH_ERR_ALLOC_FAIL; |
2671 | 0 | goto out; |
2672 | 0 | } |
2673 | | |
2674 | | /* log2(private) > log2(order)/2 */ |
2675 | 1.63k | if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) { |
2676 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
2677 | 0 | goto out; |
2678 | 0 | } |
2679 | 1.63k | if (BN_num_bits(EC_KEY_get0_private_key(key)) <= |
2680 | 1.63k | BN_num_bits(order) / 2) |
2681 | 14 | goto out; |
2682 | | |
2683 | | /* private < order - 1 */ |
2684 | 1.61k | if (!BN_sub(tmp, order, BN_value_one())) { |
2685 | 0 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
2686 | 0 | goto out; |
2687 | 0 | } |
2688 | 1.61k | if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) |
2689 | 18 | goto out; |
2690 | 1.60k | ret = 0; |
2691 | 1.63k | out: |
2692 | 1.63k | BN_clear_free(order); |
2693 | 1.63k | BN_clear_free(tmp); |
2694 | 1.63k | return ret; |
2695 | 1.60k | } |
2696 | | |
2697 | | void |
2698 | | sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) |
2699 | 0 | { |
2700 | 0 | BIGNUM *x = NULL, *y = NULL; |
2701 | |
|
2702 | 0 | if (point == NULL) { |
2703 | 0 | fputs("point=(NULL)\n", stderr); |
2704 | 0 | return; |
2705 | 0 | } |
2706 | 0 | if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) { |
2707 | 0 | fprintf(stderr, "%s: BN_new failed\n", __func__); |
2708 | 0 | goto out; |
2709 | 0 | } |
2710 | 0 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != |
2711 | 0 | NID_X9_62_prime_field) { |
2712 | 0 | fprintf(stderr, "%s: group is not a prime field\n", __func__); |
2713 | 0 | goto out; |
2714 | 0 | } |
2715 | 0 | if (EC_POINT_get_affine_coordinates_GFp(group, point, |
2716 | 0 | x, y, NULL) != 1) { |
2717 | 0 | fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", |
2718 | 0 | __func__); |
2719 | 0 | goto out; |
2720 | 0 | } |
2721 | 0 | fputs("x=", stderr); |
2722 | 0 | BN_print_fp(stderr, x); |
2723 | 0 | fputs("\ny=", stderr); |
2724 | 0 | BN_print_fp(stderr, y); |
2725 | 0 | fputs("\n", stderr); |
2726 | 0 | out: |
2727 | 0 | BN_clear_free(x); |
2728 | 0 | BN_clear_free(y); |
2729 | 0 | } |
2730 | | |
2731 | | void |
2732 | | sshkey_dump_ec_key(const EC_KEY *key) |
2733 | 0 | { |
2734 | 0 | const BIGNUM *exponent; |
2735 | |
|
2736 | 0 | sshkey_dump_ec_point(EC_KEY_get0_group(key), |
2737 | 0 | EC_KEY_get0_public_key(key)); |
2738 | 0 | fputs("exponent=", stderr); |
2739 | 0 | if ((exponent = EC_KEY_get0_private_key(key)) == NULL) |
2740 | 0 | fputs("(NULL)", stderr); |
2741 | 0 | else |
2742 | 0 | BN_print_fp(stderr, EC_KEY_get0_private_key(key)); |
2743 | 0 | fputs("\n", stderr); |
2744 | 0 | } |
2745 | | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ |
2746 | | |
2747 | | static int |
2748 | | sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, |
2749 | | const char *passphrase, const char *comment, const char *ciphername, |
2750 | | int rounds) |
2751 | 0 | { |
2752 | 0 | u_char *cp, *key = NULL, *pubkeyblob = NULL; |
2753 | 0 | u_char salt[SALT_LEN]; |
2754 | 0 | size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; |
2755 | 0 | u_int check; |
2756 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
2757 | 0 | struct sshcipher_ctx *ciphercontext = NULL; |
2758 | 0 | const struct sshcipher *cipher; |
2759 | 0 | const char *kdfname = KDFNAME; |
2760 | 0 | struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; |
2761 | |
|
2762 | 0 | if (rounds <= 0) |
2763 | 0 | rounds = DEFAULT_ROUNDS; |
2764 | 0 | if (passphrase == NULL || !strlen(passphrase)) { |
2765 | 0 | ciphername = "none"; |
2766 | 0 | kdfname = "none"; |
2767 | 0 | } else if (ciphername == NULL) |
2768 | 0 | ciphername = DEFAULT_CIPHERNAME; |
2769 | 0 | if ((cipher = cipher_by_name(ciphername)) == NULL) { |
2770 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
2771 | 0 | goto out; |
2772 | 0 | } |
2773 | | |
2774 | 0 | if ((kdf = sshbuf_new()) == NULL || |
2775 | 0 | (encoded = sshbuf_new()) == NULL || |
2776 | 0 | (encrypted = sshbuf_new()) == NULL) { |
2777 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2778 | 0 | goto out; |
2779 | 0 | } |
2780 | 0 | blocksize = cipher_blocksize(cipher); |
2781 | 0 | keylen = cipher_keylen(cipher); |
2782 | 0 | ivlen = cipher_ivlen(cipher); |
2783 | 0 | authlen = cipher_authlen(cipher); |
2784 | 0 | if ((key = calloc(1, keylen + ivlen)) == NULL) { |
2785 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2786 | 0 | goto out; |
2787 | 0 | } |
2788 | 0 | if (strcmp(kdfname, "bcrypt") == 0) { |
2789 | 0 | arc4random_buf(salt, SALT_LEN); |
2790 | 0 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), |
2791 | 0 | salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { |
2792 | 0 | r = SSH_ERR_INVALID_ARGUMENT; |
2793 | 0 | goto out; |
2794 | 0 | } |
2795 | 0 | if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || |
2796 | 0 | (r = sshbuf_put_u32(kdf, rounds)) != 0) |
2797 | 0 | goto out; |
2798 | 0 | } else if (strcmp(kdfname, "none") != 0) { |
2799 | | /* Unsupported KDF type */ |
2800 | 0 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; |
2801 | 0 | goto out; |
2802 | 0 | } |
2803 | 0 | if ((r = cipher_init(&ciphercontext, cipher, key, keylen, |
2804 | 0 | key + keylen, ivlen, 1)) != 0) |
2805 | 0 | goto out; |
2806 | | |
2807 | 0 | if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || |
2808 | 0 | (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || |
2809 | 0 | (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || |
2810 | 0 | (r = sshbuf_put_stringb(encoded, kdf)) != 0 || |
2811 | 0 | (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ |
2812 | 0 | (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || |
2813 | 0 | (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) |
2814 | 0 | goto out; |
2815 | | |
2816 | | /* set up the buffer that will be encrypted */ |
2817 | | |
2818 | | /* Random check bytes */ |
2819 | 0 | check = arc4random(); |
2820 | 0 | if ((r = sshbuf_put_u32(encrypted, check)) != 0 || |
2821 | 0 | (r = sshbuf_put_u32(encrypted, check)) != 0) |
2822 | 0 | goto out; |
2823 | | |
2824 | | /* append private key and comment*/ |
2825 | 0 | if ((r = sshkey_private_serialize_opt(prv, encrypted, |
2826 | 0 | SSHKEY_SERIALIZE_FULL)) != 0 || |
2827 | 0 | (r = sshbuf_put_cstring(encrypted, comment)) != 0) |
2828 | 0 | goto out; |
2829 | | |
2830 | | /* padding */ |
2831 | 0 | i = 0; |
2832 | 0 | while (sshbuf_len(encrypted) % blocksize) { |
2833 | 0 | if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) |
2834 | 0 | goto out; |
2835 | 0 | } |
2836 | | |
2837 | | /* length in destination buffer */ |
2838 | 0 | if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) |
2839 | 0 | goto out; |
2840 | | |
2841 | | /* encrypt */ |
2842 | 0 | if ((r = sshbuf_reserve(encoded, |
2843 | 0 | sshbuf_len(encrypted) + authlen, &cp)) != 0) |
2844 | 0 | goto out; |
2845 | 0 | if ((r = cipher_crypt(ciphercontext, 0, cp, |
2846 | 0 | sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) |
2847 | 0 | goto out; |
2848 | | |
2849 | 0 | sshbuf_reset(blob); |
2850 | | |
2851 | | /* assemble uuencoded key */ |
2852 | 0 | if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 || |
2853 | 0 | (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || |
2854 | 0 | (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) |
2855 | 0 | goto out; |
2856 | | |
2857 | | /* success */ |
2858 | 0 | r = 0; |
2859 | |
|
2860 | 0 | out: |
2861 | 0 | sshbuf_free(kdf); |
2862 | 0 | sshbuf_free(encoded); |
2863 | 0 | sshbuf_free(encrypted); |
2864 | 0 | cipher_free(ciphercontext); |
2865 | 0 | explicit_bzero(salt, sizeof(salt)); |
2866 | 0 | if (key != NULL) |
2867 | 0 | freezero(key, keylen + ivlen); |
2868 | 0 | if (pubkeyblob != NULL) |
2869 | 0 | freezero(pubkeyblob, pubkeylen); |
2870 | 0 | return r; |
2871 | 0 | } |
2872 | | |
2873 | | static int |
2874 | | private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) |
2875 | 9.54k | { |
2876 | 9.54k | const u_char *cp; |
2877 | 9.54k | size_t encoded_len; |
2878 | 9.54k | int r; |
2879 | 9.54k | u_char last; |
2880 | 9.54k | struct sshbuf *encoded = NULL, *decoded = NULL; |
2881 | | |
2882 | 9.54k | if (blob == NULL || decodedp == NULL) |
2883 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2884 | | |
2885 | 9.54k | *decodedp = NULL; |
2886 | | |
2887 | 9.54k | if ((encoded = sshbuf_new()) == NULL || |
2888 | 9.54k | (decoded = sshbuf_new()) == NULL) { |
2889 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2890 | 0 | goto out; |
2891 | 0 | } |
2892 | | |
2893 | | /* check preamble */ |
2894 | 9.54k | cp = sshbuf_ptr(blob); |
2895 | 9.54k | encoded_len = sshbuf_len(blob); |
2896 | 9.54k | if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || |
2897 | 9.54k | memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { |
2898 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2899 | 0 | goto out; |
2900 | 0 | } |
2901 | 9.54k | cp += MARK_BEGIN_LEN; |
2902 | 9.54k | encoded_len -= MARK_BEGIN_LEN; |
2903 | | |
2904 | | /* Look for end marker, removing whitespace as we go */ |
2905 | 7.91M | while (encoded_len > 0) { |
2906 | 7.91M | if (*cp != '\n' && *cp != '\r') { |
2907 | 7.79M | if ((r = sshbuf_put_u8(encoded, *cp)) != 0) |
2908 | 0 | goto out; |
2909 | 7.79M | } |
2910 | 7.91M | last = *cp; |
2911 | 7.91M | encoded_len--; |
2912 | 7.91M | cp++; |
2913 | 7.91M | if (last == '\n') { |
2914 | 116k | if (encoded_len >= MARK_END_LEN && |
2915 | 116k | memcmp(cp, MARK_END, MARK_END_LEN) == 0) { |
2916 | | /* \0 terminate */ |
2917 | 9.54k | if ((r = sshbuf_put_u8(encoded, 0)) != 0) |
2918 | 0 | goto out; |
2919 | 9.54k | break; |
2920 | 9.54k | } |
2921 | 116k | } |
2922 | 7.91M | } |
2923 | 9.54k | if (encoded_len == 0) { |
2924 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2925 | 0 | goto out; |
2926 | 0 | } |
2927 | | |
2928 | | /* decode base64 */ |
2929 | 9.54k | if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) |
2930 | 0 | goto out; |
2931 | | |
2932 | | /* check magic */ |
2933 | 9.54k | if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || |
2934 | 9.54k | memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { |
2935 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2936 | 0 | goto out; |
2937 | 0 | } |
2938 | | /* success */ |
2939 | 9.54k | *decodedp = decoded; |
2940 | 9.54k | decoded = NULL; |
2941 | 9.54k | r = 0; |
2942 | 9.54k | out: |
2943 | 9.54k | sshbuf_free(encoded); |
2944 | 9.54k | sshbuf_free(decoded); |
2945 | 9.54k | return r; |
2946 | 9.54k | } |
2947 | | |
2948 | | static int |
2949 | | private2_decrypt(struct sshbuf *decoded, const char *passphrase, |
2950 | | struct sshbuf **decryptedp, struct sshkey **pubkeyp) |
2951 | 9.54k | { |
2952 | 9.54k | char *ciphername = NULL, *kdfname = NULL; |
2953 | 9.54k | const struct sshcipher *cipher = NULL; |
2954 | 9.54k | int r = SSH_ERR_INTERNAL_ERROR; |
2955 | 9.54k | size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; |
2956 | 9.54k | struct sshbuf *kdf = NULL, *decrypted = NULL; |
2957 | 9.54k | struct sshcipher_ctx *ciphercontext = NULL; |
2958 | 9.54k | struct sshkey *pubkey = NULL; |
2959 | 9.54k | u_char *key = NULL, *salt = NULL, *dp; |
2960 | 9.54k | u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; |
2961 | | |
2962 | 9.54k | if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL) |
2963 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
2964 | | |
2965 | 9.54k | *decryptedp = NULL; |
2966 | 9.54k | *pubkeyp = NULL; |
2967 | | |
2968 | 9.54k | if ((decrypted = sshbuf_new()) == NULL) { |
2969 | 0 | r = SSH_ERR_ALLOC_FAIL; |
2970 | 0 | goto out; |
2971 | 0 | } |
2972 | | |
2973 | | /* parse public portion of key */ |
2974 | 9.54k | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || |
2975 | 9.54k | (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || |
2976 | 9.54k | (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || |
2977 | 9.54k | (r = sshbuf_froms(decoded, &kdf)) != 0 || |
2978 | 9.54k | (r = sshbuf_get_u32(decoded, &nkeys)) != 0) |
2979 | 0 | goto out; |
2980 | | |
2981 | 9.54k | if (nkeys != 1) { |
2982 | | /* XXX only one key supported at present */ |
2983 | 0 | r = SSH_ERR_INVALID_FORMAT; |
2984 | 0 | goto out; |
2985 | 0 | } |
2986 | | |
2987 | 9.54k | if ((r = sshkey_froms(decoded, &pubkey)) != 0 || |
2988 | 9.54k | (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) |
2989 | 0 | goto out; |
2990 | | |
2991 | 9.54k | if ((cipher = cipher_by_name(ciphername)) == NULL) { |
2992 | 0 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; |
2993 | 0 | goto out; |
2994 | 0 | } |
2995 | 9.54k | if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { |
2996 | 0 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; |
2997 | 0 | goto out; |
2998 | 0 | } |
2999 | 9.54k | if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { |
3000 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3001 | 0 | goto out; |
3002 | 0 | } |
3003 | 9.54k | if ((passphrase == NULL || strlen(passphrase) == 0) && |
3004 | 9.54k | strcmp(kdfname, "none") != 0) { |
3005 | | /* passphrase required */ |
3006 | 0 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; |
3007 | 0 | goto out; |
3008 | 0 | } |
3009 | | |
3010 | | /* check size of encrypted key blob */ |
3011 | 9.54k | blocksize = cipher_blocksize(cipher); |
3012 | 9.54k | if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { |
3013 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3014 | 0 | goto out; |
3015 | 0 | } |
3016 | | |
3017 | | /* setup key */ |
3018 | 9.54k | keylen = cipher_keylen(cipher); |
3019 | 9.54k | ivlen = cipher_ivlen(cipher); |
3020 | 9.54k | authlen = cipher_authlen(cipher); |
3021 | 9.54k | if ((key = calloc(1, keylen + ivlen)) == NULL) { |
3022 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3023 | 0 | goto out; |
3024 | 0 | } |
3025 | 9.54k | if (strcmp(kdfname, "bcrypt") == 0) { |
3026 | 0 | if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || |
3027 | 0 | (r = sshbuf_get_u32(kdf, &rounds)) != 0) |
3028 | 0 | goto out; |
3029 | 0 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, |
3030 | 0 | key, keylen + ivlen, rounds) < 0) { |
3031 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3032 | 0 | goto out; |
3033 | 0 | } |
3034 | 0 | } |
3035 | | |
3036 | | /* check that an appropriate amount of auth data is present */ |
3037 | 9.54k | if (sshbuf_len(decoded) < authlen || |
3038 | 9.54k | sshbuf_len(decoded) - authlen < encrypted_len) { |
3039 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3040 | 0 | goto out; |
3041 | 0 | } |
3042 | | |
3043 | | /* decrypt private portion of key */ |
3044 | 9.54k | if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || |
3045 | 9.54k | (r = cipher_init(&ciphercontext, cipher, key, keylen, |
3046 | 9.54k | key + keylen, ivlen, 0)) != 0) |
3047 | 0 | goto out; |
3048 | 9.54k | if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), |
3049 | 9.54k | encrypted_len, 0, authlen)) != 0) { |
3050 | | /* an integrity error here indicates an incorrect passphrase */ |
3051 | 0 | if (r == SSH_ERR_MAC_INVALID) |
3052 | 0 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; |
3053 | 0 | goto out; |
3054 | 0 | } |
3055 | 9.54k | if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) |
3056 | 0 | goto out; |
3057 | | /* there should be no trailing data */ |
3058 | 9.54k | if (sshbuf_len(decoded) != 0) { |
3059 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3060 | 0 | goto out; |
3061 | 0 | } |
3062 | | |
3063 | | /* check check bytes */ |
3064 | 9.54k | if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || |
3065 | 9.54k | (r = sshbuf_get_u32(decrypted, &check2)) != 0) |
3066 | 0 | goto out; |
3067 | 9.54k | if (check1 != check2) { |
3068 | 0 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; |
3069 | 0 | goto out; |
3070 | 0 | } |
3071 | | /* success */ |
3072 | 9.54k | *decryptedp = decrypted; |
3073 | 9.54k | decrypted = NULL; |
3074 | 9.54k | *pubkeyp = pubkey; |
3075 | 9.54k | pubkey = NULL; |
3076 | 9.54k | r = 0; |
3077 | 9.54k | out: |
3078 | 9.54k | cipher_free(ciphercontext); |
3079 | 9.54k | free(ciphername); |
3080 | 9.54k | free(kdfname); |
3081 | 9.54k | sshkey_free(pubkey); |
3082 | 9.54k | if (salt != NULL) { |
3083 | 0 | explicit_bzero(salt, slen); |
3084 | 0 | free(salt); |
3085 | 0 | } |
3086 | 9.54k | if (key != NULL) { |
3087 | 9.54k | explicit_bzero(key, keylen + ivlen); |
3088 | 9.54k | free(key); |
3089 | 9.54k | } |
3090 | 9.54k | sshbuf_free(kdf); |
3091 | 9.54k | sshbuf_free(decrypted); |
3092 | 9.54k | return r; |
3093 | 9.54k | } |
3094 | | |
3095 | | static int |
3096 | | sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, |
3097 | | struct sshkey **keyp, char **commentp) |
3098 | 9.54k | { |
3099 | 9.54k | char *comment = NULL; |
3100 | 9.54k | int r = SSH_ERR_INTERNAL_ERROR; |
3101 | 9.54k | struct sshbuf *decoded = NULL, *decrypted = NULL; |
3102 | 9.54k | struct sshkey *k = NULL, *pubkey = NULL; |
3103 | | |
3104 | 9.54k | if (keyp != NULL) |
3105 | 9.54k | *keyp = NULL; |
3106 | 9.54k | if (commentp != NULL) |
3107 | 0 | *commentp = NULL; |
3108 | | |
3109 | | /* Undo base64 encoding and decrypt the private section */ |
3110 | 9.54k | if ((r = private2_uudecode(blob, &decoded)) != 0 || |
3111 | 9.54k | (r = private2_decrypt(decoded, passphrase, |
3112 | 9.54k | &decrypted, &pubkey)) != 0) |
3113 | 0 | goto out; |
3114 | | |
3115 | 9.54k | if (type != KEY_UNSPEC && |
3116 | 9.54k | sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { |
3117 | 0 | r = SSH_ERR_KEY_TYPE_MISMATCH; |
3118 | 0 | goto out; |
3119 | 0 | } |
3120 | | |
3121 | | /* Load the private key and comment */ |
3122 | 9.54k | if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || |
3123 | 9.54k | (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) |
3124 | 0 | goto out; |
3125 | | |
3126 | | /* Check deterministic padding after private section */ |
3127 | 9.54k | if ((r = private2_check_padding(decrypted)) != 0) |
3128 | 0 | goto out; |
3129 | | |
3130 | | /* Check that the public key in the envelope matches the private key */ |
3131 | 9.54k | if (!sshkey_equal(pubkey, k)) { |
3132 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3133 | 0 | goto out; |
3134 | 0 | } |
3135 | | |
3136 | | /* success */ |
3137 | 9.54k | r = 0; |
3138 | 9.54k | if (keyp != NULL) { |
3139 | 9.54k | *keyp = k; |
3140 | 9.54k | k = NULL; |
3141 | 9.54k | } |
3142 | 9.54k | if (commentp != NULL) { |
3143 | 0 | *commentp = comment; |
3144 | 0 | comment = NULL; |
3145 | 0 | } |
3146 | 9.54k | out: |
3147 | 9.54k | free(comment); |
3148 | 9.54k | sshbuf_free(decoded); |
3149 | 9.54k | sshbuf_free(decrypted); |
3150 | 9.54k | sshkey_free(k); |
3151 | 9.54k | sshkey_free(pubkey); |
3152 | 9.54k | return r; |
3153 | 9.54k | } |
3154 | | |
3155 | | static int |
3156 | | sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, |
3157 | | struct sshkey **keyp) |
3158 | 0 | { |
3159 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
3160 | 0 | struct sshbuf *decoded = NULL; |
3161 | 0 | struct sshkey *pubkey = NULL; |
3162 | 0 | u_int nkeys = 0; |
3163 | |
|
3164 | 0 | if (keyp != NULL) |
3165 | 0 | *keyp = NULL; |
3166 | |
|
3167 | 0 | if ((r = private2_uudecode(blob, &decoded)) != 0) |
3168 | 0 | goto out; |
3169 | | /* parse public key from unencrypted envelope */ |
3170 | 0 | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || |
3171 | 0 | (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */ |
3172 | 0 | (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */ |
3173 | 0 | (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */ |
3174 | 0 | (r = sshbuf_get_u32(decoded, &nkeys)) != 0) |
3175 | 0 | goto out; |
3176 | | |
3177 | 0 | if (nkeys != 1) { |
3178 | | /* XXX only one key supported at present */ |
3179 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3180 | 0 | goto out; |
3181 | 0 | } |
3182 | | |
3183 | | /* Parse the public key */ |
3184 | 0 | if ((r = sshkey_froms(decoded, &pubkey)) != 0) |
3185 | 0 | goto out; |
3186 | | |
3187 | 0 | if (type != KEY_UNSPEC && |
3188 | 0 | sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { |
3189 | 0 | r = SSH_ERR_KEY_TYPE_MISMATCH; |
3190 | 0 | goto out; |
3191 | 0 | } |
3192 | | |
3193 | | /* success */ |
3194 | 0 | r = 0; |
3195 | 0 | if (keyp != NULL) { |
3196 | 0 | *keyp = pubkey; |
3197 | 0 | pubkey = NULL; |
3198 | 0 | } |
3199 | 0 | out: |
3200 | 0 | sshbuf_free(decoded); |
3201 | 0 | sshkey_free(pubkey); |
3202 | 0 | return r; |
3203 | 0 | } |
3204 | | |
3205 | | #ifdef WITH_OPENSSL |
3206 | | /* convert SSH v2 key to PEM or PKCS#8 format */ |
3207 | | static int |
3208 | | sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, |
3209 | | int format, const char *_passphrase, const char *comment) |
3210 | 0 | { |
3211 | 0 | int was_shielded = sshkey_is_shielded(key); |
3212 | 0 | int success, r; |
3213 | 0 | int blen, len = strlen(_passphrase); |
3214 | 0 | u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; |
3215 | 0 | const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; |
3216 | 0 | char *bptr; |
3217 | 0 | BIO *bio = NULL; |
3218 | 0 | struct sshbuf *blob; |
3219 | 0 | EVP_PKEY *pkey = NULL; |
3220 | |
|
3221 | 0 | if (len > 0 && len <= 4) |
3222 | 0 | return SSH_ERR_PASSPHRASE_TOO_SHORT; |
3223 | 0 | if ((blob = sshbuf_new()) == NULL) |
3224 | 0 | return SSH_ERR_ALLOC_FAIL; |
3225 | 0 | if ((bio = BIO_new(BIO_s_mem())) == NULL) { |
3226 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3227 | 0 | goto out; |
3228 | 0 | } |
3229 | 0 | if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) { |
3230 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3231 | 0 | goto out; |
3232 | 0 | } |
3233 | 0 | if ((r = sshkey_unshield_private(key)) != 0) |
3234 | 0 | goto out; |
3235 | | |
3236 | 0 | switch (key->type) { |
3237 | 0 | #ifdef WITH_DSA |
3238 | 0 | case KEY_DSA: |
3239 | 0 | if (format == SSHKEY_PRIVATE_PEM) { |
3240 | 0 | success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, |
3241 | 0 | cipher, passphrase, len, NULL, NULL); |
3242 | 0 | } else { |
3243 | 0 | success = EVP_PKEY_set1_DSA(pkey, key->dsa); |
3244 | 0 | } |
3245 | 0 | break; |
3246 | 0 | #endif |
3247 | 0 | #ifdef OPENSSL_HAS_ECC |
3248 | 0 | case KEY_ECDSA: |
3249 | 0 | if (format == SSHKEY_PRIVATE_PEM) { |
3250 | 0 | success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, |
3251 | 0 | cipher, passphrase, len, NULL, NULL); |
3252 | 0 | } else { |
3253 | 0 | success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa); |
3254 | 0 | } |
3255 | 0 | break; |
3256 | 0 | #endif |
3257 | 0 | case KEY_RSA: |
3258 | 0 | if (format == SSHKEY_PRIVATE_PEM) { |
3259 | 0 | success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, |
3260 | 0 | cipher, passphrase, len, NULL, NULL); |
3261 | 0 | } else { |
3262 | 0 | success = EVP_PKEY_set1_RSA(pkey, key->rsa); |
3263 | 0 | } |
3264 | 0 | break; |
3265 | 0 | default: |
3266 | 0 | success = 0; |
3267 | 0 | break; |
3268 | 0 | } |
3269 | 0 | if (success == 0) { |
3270 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
3271 | 0 | goto out; |
3272 | 0 | } |
3273 | 0 | if (format == SSHKEY_PRIVATE_PKCS8) { |
3274 | 0 | if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, |
3275 | 0 | passphrase, len, NULL, NULL)) == 0) { |
3276 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
3277 | 0 | goto out; |
3278 | 0 | } |
3279 | 0 | } |
3280 | 0 | if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { |
3281 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
3282 | 0 | goto out; |
3283 | 0 | } |
3284 | 0 | if ((r = sshbuf_put(blob, bptr, blen)) != 0) |
3285 | 0 | goto out; |
3286 | 0 | r = 0; |
3287 | 0 | out: |
3288 | 0 | if (was_shielded) |
3289 | 0 | r = sshkey_shield_private(key); |
3290 | 0 | if (r == 0) |
3291 | 0 | r = sshbuf_putb(buf, blob); |
3292 | |
|
3293 | 0 | EVP_PKEY_free(pkey); |
3294 | 0 | sshbuf_free(blob); |
3295 | 0 | BIO_free(bio); |
3296 | 0 | return r; |
3297 | 0 | } |
3298 | | #endif /* WITH_OPENSSL */ |
3299 | | |
3300 | | /* Serialise "key" to buffer "blob" */ |
3301 | | int |
3302 | | sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, |
3303 | | const char *passphrase, const char *comment, |
3304 | | int format, const char *openssh_format_cipher, int openssh_format_rounds) |
3305 | 0 | { |
3306 | 0 | switch (key->type) { |
3307 | 0 | #ifdef WITH_OPENSSL |
3308 | 0 | case KEY_DSA: |
3309 | 0 | case KEY_ECDSA: |
3310 | 0 | case KEY_RSA: |
3311 | 0 | break; /* see below */ |
3312 | 0 | #endif /* WITH_OPENSSL */ |
3313 | 0 | case KEY_ED25519: |
3314 | 0 | case KEY_ED25519_SK: |
3315 | 0 | #ifdef WITH_XMSS |
3316 | 0 | case KEY_XMSS: |
3317 | 0 | #endif /* WITH_XMSS */ |
3318 | 0 | #ifdef WITH_OPENSSL |
3319 | 0 | case KEY_ECDSA_SK: |
3320 | 0 | #endif /* WITH_OPENSSL */ |
3321 | 0 | return sshkey_private_to_blob2(key, blob, passphrase, |
3322 | 0 | comment, openssh_format_cipher, openssh_format_rounds); |
3323 | 0 | default: |
3324 | 0 | return SSH_ERR_KEY_TYPE_UNKNOWN; |
3325 | 0 | } |
3326 | | |
3327 | 0 | #ifdef WITH_OPENSSL |
3328 | 0 | switch (format) { |
3329 | 0 | case SSHKEY_PRIVATE_OPENSSH: |
3330 | 0 | return sshkey_private_to_blob2(key, blob, passphrase, |
3331 | 0 | comment, openssh_format_cipher, openssh_format_rounds); |
3332 | 0 | case SSHKEY_PRIVATE_PEM: |
3333 | 0 | case SSHKEY_PRIVATE_PKCS8: |
3334 | 0 | return sshkey_private_to_blob_pem_pkcs8(key, blob, |
3335 | 0 | format, passphrase, comment); |
3336 | 0 | default: |
3337 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
3338 | 0 | } |
3339 | 0 | #endif /* WITH_OPENSSL */ |
3340 | 0 | } |
3341 | | |
3342 | | #ifdef WITH_OPENSSL |
3343 | | static int |
3344 | | translate_libcrypto_error(unsigned long pem_err) |
3345 | 0 | { |
3346 | 0 | int pem_reason = ERR_GET_REASON(pem_err); |
3347 | |
|
3348 | 0 | switch (ERR_GET_LIB(pem_err)) { |
3349 | 0 | case ERR_LIB_PEM: |
3350 | 0 | switch (pem_reason) { |
3351 | 0 | case PEM_R_BAD_PASSWORD_READ: |
3352 | 0 | #ifdef PEM_R_PROBLEMS_GETTING_PASSWORD |
3353 | 0 | case PEM_R_PROBLEMS_GETTING_PASSWORD: |
3354 | 0 | #endif |
3355 | 0 | #ifdef PEM_R_BAD_DECRYPT |
3356 | 0 | case PEM_R_BAD_DECRYPT: |
3357 | 0 | #endif |
3358 | 0 | return SSH_ERR_KEY_WRONG_PASSPHRASE; |
3359 | 0 | default: |
3360 | 0 | return SSH_ERR_INVALID_FORMAT; |
3361 | 0 | } |
3362 | 0 | case ERR_LIB_EVP: |
3363 | 0 | switch (pem_reason) { |
3364 | 0 | #ifdef EVP_R_BAD_DECRYPT |
3365 | 0 | case EVP_R_BAD_DECRYPT: |
3366 | 0 | return SSH_ERR_KEY_WRONG_PASSPHRASE; |
3367 | 0 | #endif |
3368 | | #ifdef EVP_R_BN_DECODE_ERROR |
3369 | | case EVP_R_BN_DECODE_ERROR: |
3370 | | #endif |
3371 | 0 | case EVP_R_DECODE_ERROR: |
3372 | 0 | #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR |
3373 | 0 | case EVP_R_PRIVATE_KEY_DECODE_ERROR: |
3374 | 0 | #endif |
3375 | 0 | return SSH_ERR_INVALID_FORMAT; |
3376 | 0 | default: |
3377 | 0 | return SSH_ERR_LIBCRYPTO_ERROR; |
3378 | 0 | } |
3379 | 0 | case ERR_LIB_ASN1: |
3380 | 0 | return SSH_ERR_INVALID_FORMAT; |
3381 | 0 | } |
3382 | 0 | return SSH_ERR_LIBCRYPTO_ERROR; |
3383 | 0 | } |
3384 | | |
3385 | | static void |
3386 | | clear_libcrypto_errors(void) |
3387 | 0 | { |
3388 | 0 | while (ERR_get_error() != 0) |
3389 | 0 | ; |
3390 | 0 | } |
3391 | | |
3392 | | /* |
3393 | | * Translate OpenSSL error codes to determine whether |
3394 | | * passphrase is required/incorrect. |
3395 | | */ |
3396 | | static int |
3397 | | convert_libcrypto_error(void) |
3398 | 0 | { |
3399 | | /* |
3400 | | * Some password errors are reported at the beginning |
3401 | | * of the error queue. |
3402 | | */ |
3403 | 0 | if (translate_libcrypto_error(ERR_peek_error()) == |
3404 | 0 | SSH_ERR_KEY_WRONG_PASSPHRASE) |
3405 | 0 | return SSH_ERR_KEY_WRONG_PASSPHRASE; |
3406 | 0 | return translate_libcrypto_error(ERR_peek_last_error()); |
3407 | 0 | } |
3408 | | |
3409 | | static int |
3410 | | pem_passphrase_cb(char *buf, int size, int rwflag, void *u) |
3411 | 0 | { |
3412 | 0 | char *p = (char *)u; |
3413 | 0 | size_t len; |
3414 | |
|
3415 | 0 | if (p == NULL || (len = strlen(p)) == 0) |
3416 | 0 | return -1; |
3417 | 0 | if (size < 0 || len > (size_t)size) |
3418 | 0 | return -1; |
3419 | 0 | memcpy(buf, p, len); |
3420 | 0 | return (int)len; |
3421 | 0 | } |
3422 | | |
3423 | | static int |
3424 | | sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, |
3425 | | const char *passphrase, struct sshkey **keyp) |
3426 | 0 | { |
3427 | 0 | EVP_PKEY *pk = NULL; |
3428 | 0 | struct sshkey *prv = NULL; |
3429 | 0 | BIO *bio = NULL; |
3430 | 0 | int r; |
3431 | |
|
3432 | 0 | if (keyp != NULL) |
3433 | 0 | *keyp = NULL; |
3434 | |
|
3435 | 0 | if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) |
3436 | 0 | return SSH_ERR_ALLOC_FAIL; |
3437 | 0 | if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != |
3438 | 0 | (int)sshbuf_len(blob)) { |
3439 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3440 | 0 | goto out; |
3441 | 0 | } |
3442 | | |
3443 | 0 | clear_libcrypto_errors(); |
3444 | 0 | if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb, |
3445 | 0 | (char *)passphrase)) == NULL) { |
3446 | | /* |
3447 | | * libcrypto may return various ASN.1 errors when attempting |
3448 | | * to parse a key with an incorrect passphrase. |
3449 | | * Treat all format errors as "incorrect passphrase" if a |
3450 | | * passphrase was supplied. |
3451 | | */ |
3452 | 0 | if (passphrase != NULL && *passphrase != '\0') |
3453 | 0 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; |
3454 | 0 | else |
3455 | 0 | r = convert_libcrypto_error(); |
3456 | 0 | goto out; |
3457 | 0 | } |
3458 | 0 | if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA && |
3459 | 0 | (type == KEY_UNSPEC || type == KEY_RSA)) { |
3460 | 0 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { |
3461 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3462 | 0 | goto out; |
3463 | 0 | } |
3464 | 0 | prv->rsa = EVP_PKEY_get1_RSA(pk); |
3465 | 0 | prv->type = KEY_RSA; |
3466 | | #ifdef DEBUG_PK |
3467 | | RSA_print_fp(stderr, prv->rsa, 8); |
3468 | | #endif |
3469 | 0 | if (RSA_blinding_on(prv->rsa, NULL) != 1) { |
3470 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
3471 | 0 | goto out; |
3472 | 0 | } |
3473 | 0 | if ((r = sshkey_check_rsa_length(prv, 0)) != 0) |
3474 | 0 | goto out; |
3475 | 0 | #ifdef WITH_DSA |
3476 | 0 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && |
3477 | 0 | (type == KEY_UNSPEC || type == KEY_DSA)) { |
3478 | 0 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { |
3479 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3480 | 0 | goto out; |
3481 | 0 | } |
3482 | 0 | prv->dsa = EVP_PKEY_get1_DSA(pk); |
3483 | 0 | prv->type = KEY_DSA; |
3484 | | #ifdef DEBUG_PK |
3485 | | DSA_print_fp(stderr, prv->dsa, 8); |
3486 | | #endif |
3487 | 0 | #endif |
3488 | 0 | #ifdef OPENSSL_HAS_ECC |
3489 | 0 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && |
3490 | 0 | (type == KEY_UNSPEC || type == KEY_ECDSA)) { |
3491 | 0 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { |
3492 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3493 | 0 | goto out; |
3494 | 0 | } |
3495 | 0 | prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); |
3496 | 0 | prv->type = KEY_ECDSA; |
3497 | 0 | prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); |
3498 | 0 | if (prv->ecdsa_nid == -1 || |
3499 | 0 | sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || |
3500 | 0 | sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), |
3501 | 0 | EC_KEY_get0_public_key(prv->ecdsa)) != 0 || |
3502 | 0 | sshkey_ec_validate_private(prv->ecdsa) != 0) { |
3503 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3504 | 0 | goto out; |
3505 | 0 | } |
3506 | | # ifdef DEBUG_PK |
3507 | | if (prv != NULL && prv->ecdsa != NULL) |
3508 | | sshkey_dump_ec_key(prv->ecdsa); |
3509 | | # endif |
3510 | 0 | #endif /* OPENSSL_HAS_ECC */ |
3511 | 0 | #ifdef OPENSSL_HAS_ED25519 |
3512 | 0 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_ED25519 && |
3513 | 0 | (type == KEY_UNSPEC || type == KEY_ED25519)) { |
3514 | 0 | size_t len; |
3515 | |
|
3516 | 0 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL || |
3517 | 0 | (prv->ed25519_sk = calloc(1, ED25519_SK_SZ)) == NULL || |
3518 | 0 | (prv->ed25519_pk = calloc(1, ED25519_PK_SZ)) == NULL) { |
3519 | 0 | r = SSH_ERR_ALLOC_FAIL; |
3520 | 0 | goto out; |
3521 | 0 | } |
3522 | 0 | prv->type = KEY_ED25519; |
3523 | 0 | len = ED25519_PK_SZ; |
3524 | 0 | if (!EVP_PKEY_get_raw_public_key(pk, prv->ed25519_pk, &len)) { |
3525 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
3526 | 0 | goto out; |
3527 | 0 | } |
3528 | 0 | if (len != ED25519_PK_SZ) { |
3529 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3530 | 0 | goto out; |
3531 | 0 | } |
3532 | 0 | len = ED25519_SK_SZ - ED25519_PK_SZ; |
3533 | 0 | if (!EVP_PKEY_get_raw_private_key(pk, prv->ed25519_sk, &len)) { |
3534 | 0 | r = SSH_ERR_LIBCRYPTO_ERROR; |
3535 | 0 | goto out; |
3536 | 0 | } |
3537 | 0 | if (len != ED25519_SK_SZ - ED25519_PK_SZ) { |
3538 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3539 | 0 | goto out; |
3540 | 0 | } |
3541 | | /* Append the public key to our private key */ |
3542 | 0 | memcpy(prv->ed25519_sk + (ED25519_SK_SZ - ED25519_PK_SZ), |
3543 | 0 | prv->ed25519_pk, ED25519_PK_SZ); |
3544 | | # ifdef DEBUG_PK |
3545 | | sshbuf_dump_data(prv->ed25519_sk, ED25519_SK_SZ, stderr); |
3546 | | # endif |
3547 | 0 | #endif /* OPENSSL_HAS_ED25519 */ |
3548 | 0 | } else { |
3549 | 0 | r = SSH_ERR_INVALID_FORMAT; |
3550 | 0 | goto out; |
3551 | 0 | } |
3552 | 0 | r = 0; |
3553 | 0 | if (keyp != NULL) { |
3554 | 0 | *keyp = prv; |
3555 | 0 | prv = NULL; |
3556 | 0 | } |
3557 | 0 | out: |
3558 | 0 | BIO_free(bio); |
3559 | 0 | EVP_PKEY_free(pk); |
3560 | 0 | sshkey_free(prv); |
3561 | 0 | return r; |
3562 | 0 | } |
3563 | | #endif /* WITH_OPENSSL */ |
3564 | | |
3565 | | int |
3566 | | sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, |
3567 | | const char *passphrase, struct sshkey **keyp, char **commentp) |
3568 | 9.54k | { |
3569 | 9.54k | int r = SSH_ERR_INTERNAL_ERROR; |
3570 | | |
3571 | 9.54k | if (keyp != NULL) |
3572 | 9.54k | *keyp = NULL; |
3573 | 9.54k | if (commentp != NULL) |
3574 | 0 | *commentp = NULL; |
3575 | | |
3576 | 9.54k | switch (type) { |
3577 | 0 | case KEY_XMSS: |
3578 | | /* No fallback for new-format-only keys */ |
3579 | 0 | return sshkey_parse_private2(blob, type, passphrase, |
3580 | 0 | keyp, commentp); |
3581 | 9.54k | default: |
3582 | 9.54k | r = sshkey_parse_private2(blob, type, passphrase, keyp, |
3583 | 9.54k | commentp); |
3584 | | /* Only fallback to PEM parser if a format error occurred. */ |
3585 | 9.54k | if (r != SSH_ERR_INVALID_FORMAT) |
3586 | 9.54k | return r; |
3587 | 0 | #ifdef WITH_OPENSSL |
3588 | 0 | return sshkey_parse_private_pem_fileblob(blob, type, |
3589 | 0 | passphrase, keyp); |
3590 | | #else |
3591 | | return SSH_ERR_INVALID_FORMAT; |
3592 | | #endif /* WITH_OPENSSL */ |
3593 | 9.54k | } |
3594 | 9.54k | } |
3595 | | |
3596 | | int |
3597 | | sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, |
3598 | | struct sshkey **keyp, char **commentp) |
3599 | 9.54k | { |
3600 | 9.54k | if (keyp != NULL) |
3601 | 9.54k | *keyp = NULL; |
3602 | 9.54k | if (commentp != NULL) |
3603 | 0 | *commentp = NULL; |
3604 | | |
3605 | 9.54k | return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, |
3606 | 9.54k | passphrase, keyp, commentp); |
3607 | 9.54k | } |
3608 | | |
3609 | | void |
3610 | | sshkey_sig_details_free(struct sshkey_sig_details *details) |
3611 | 10.5k | { |
3612 | 10.5k | freezero(details, sizeof(*details)); |
3613 | 10.5k | } |
3614 | | |
3615 | | int |
3616 | | sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, |
3617 | | struct sshkey **pubkeyp) |
3618 | 0 | { |
3619 | 0 | int r = SSH_ERR_INTERNAL_ERROR; |
3620 | |
|
3621 | 0 | if (pubkeyp != NULL) |
3622 | 0 | *pubkeyp = NULL; |
3623 | | /* only new-format private keys bundle a public key inside */ |
3624 | 0 | if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) |
3625 | 0 | return r; |
3626 | 0 | return 0; |
3627 | 0 | } |
3628 | | |
3629 | | #ifdef WITH_XMSS |
3630 | | /* |
3631 | | * serialize the key with the current state and forward the state |
3632 | | * maxsign times. |
3633 | | */ |
3634 | | int |
3635 | | sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, |
3636 | | u_int32_t maxsign, int printerror) |
3637 | 0 | { |
3638 | 0 | int r, rupdate; |
3639 | |
|
3640 | 0 | if (maxsign == 0 || |
3641 | 0 | sshkey_type_plain(k->type) != KEY_XMSS) |
3642 | 0 | return sshkey_private_serialize_opt(k, b, |
3643 | 0 | SSHKEY_SERIALIZE_DEFAULT); |
3644 | 0 | if ((r = sshkey_xmss_get_state(k, printerror)) != 0 || |
3645 | 0 | (r = sshkey_private_serialize_opt(k, b, |
3646 | 0 | SSHKEY_SERIALIZE_STATE)) != 0 || |
3647 | 0 | (r = sshkey_xmss_forward_state(k, maxsign)) != 0) |
3648 | 0 | goto out; |
3649 | 0 | r = 0; |
3650 | 0 | out: |
3651 | 0 | if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) { |
3652 | 0 | if (r == 0) |
3653 | 0 | r = rupdate; |
3654 | 0 | } |
3655 | 0 | return r; |
3656 | 0 | } |
3657 | | |
3658 | | u_int32_t |
3659 | | sshkey_signatures_left(const struct sshkey *k) |
3660 | 0 | { |
3661 | 0 | if (sshkey_type_plain(k->type) == KEY_XMSS) |
3662 | 0 | return sshkey_xmss_signatures_left(k); |
3663 | 0 | return 0; |
3664 | 0 | } |
3665 | | |
3666 | | int |
3667 | | sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) |
3668 | 0 | { |
3669 | 0 | if (sshkey_type_plain(k->type) != KEY_XMSS) |
3670 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
3671 | 0 | return sshkey_xmss_enable_maxsign(k, maxsign); |
3672 | 0 | } |
3673 | | |
3674 | | int |
3675 | | sshkey_set_filename(struct sshkey *k, const char *filename) |
3676 | 0 | { |
3677 | 0 | if (k == NULL) |
3678 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
3679 | 0 | if (sshkey_type_plain(k->type) != KEY_XMSS) |
3680 | 0 | return 0; |
3681 | 0 | if (filename == NULL) |
3682 | 0 | return SSH_ERR_INVALID_ARGUMENT; |
3683 | 0 | if ((k->xmss_filename = strdup(filename)) == NULL) |
3684 | 0 | return SSH_ERR_ALLOC_FAIL; |
3685 | 0 | return 0; |
3686 | 0 | } |
3687 | | #else |
3688 | | int |
3689 | | sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, |
3690 | | u_int32_t maxsign, int printerror) |
3691 | | { |
3692 | | return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); |
3693 | | } |
3694 | | |
3695 | | u_int32_t |
3696 | | sshkey_signatures_left(const struct sshkey *k) |
3697 | | { |
3698 | | return 0; |
3699 | | } |
3700 | | |
3701 | | int |
3702 | | sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) |
3703 | | { |
3704 | | return SSH_ERR_INVALID_ARGUMENT; |
3705 | | } |
3706 | | |
3707 | | int |
3708 | | sshkey_set_filename(struct sshkey *k, const char *filename) |
3709 | | { |
3710 | | if (k == NULL) |
3711 | | return SSH_ERR_INVALID_ARGUMENT; |
3712 | | return 0; |
3713 | | } |
3714 | | #endif /* WITH_XMSS */ |