Annotation of src/crypto/external/bsd/openssh/dist/sshkey.c, Revision 1.21
1.21 ! christos 1: /* $NetBSD: sshkey.c,v 1.20 2019/10/09 20:59:26 christos Exp $ */
! 2: /* $OpenBSD: sshkey.c,v 1.84 2019/10/09 00:04:42 djm Exp $ */
1.1 christos 3: /*
4: * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
5: * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
6: * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
7: *
8: * Redistribution and use in source and binary forms, with or without
9: * modification, are permitted provided that the following conditions
10: * are met:
11: * 1. Redistributions of source code must retain the above copyright
12: * notice, this list of conditions and the following disclaimer.
13: * 2. Redistributions in binary form must reproduce the above copyright
14: * notice, this list of conditions and the following disclaimer in the
15: * documentation and/or other materials provided with the distribution.
16: *
17: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27: */
1.2 christos 28: #include "includes.h"
1.21 ! christos 29: __RCSID("$NetBSD: sshkey.c,v 1.20 2019/10/09 20:59:26 christos Exp $");
1.1 christos 30:
31: #include <sys/types.h>
1.3 christos 32: #include <netinet/in.h>
1.1 christos 33:
1.3 christos 34: #ifdef WITH_OPENSSL
1.1 christos 35: #include <openssl/evp.h>
36: #include <openssl/err.h>
37: #include <openssl/pem.h>
1.3 christos 38: #endif
1.1 christos 39:
40: #include "crypto_api.h"
41:
42: #include <errno.h>
43: #include <stdio.h>
44: #include <string.h>
45: #include <util.h>
1.3 christos 46: #include <limits.h>
47: #include <resolv.h>
1.1 christos 48:
49: #include "ssh2.h"
50: #include "ssherr.h"
51: #include "misc.h"
52: #include "sshbuf.h"
53: #include "cipher.h"
54: #include "digest.h"
55: #define SSHKEY_INTERNAL
56: #include "sshkey.h"
1.3 christos 57: #include "match.h"
1.1 christos 58:
1.21 ! christos 59: #ifdef WITH_XMSS
! 60: #include "sshkey-xmss.h"
1.14 christos 61: #include "xmss_fast.h"
1.21 ! christos 62: #endif
1.14 christos 63:
1.1 christos 64: /* openssh private key file format */
65: #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
66: #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
67: #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
68: #define MARK_END_LEN (sizeof(MARK_END) - 1)
69: #define KDFNAME "bcrypt"
70: #define AUTH_MAGIC "openssh-key-v1"
71: #define SALT_LEN 16
1.11 christos 72: #define DEFAULT_CIPHERNAME "aes256-ctr"
1.1 christos 73: #define DEFAULT_ROUNDS 16
74:
75: /* Version identification string for SSH v1 identity files. */
76: #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n"
77:
1.21 ! christos 78: /*
! 79: * Constants relating to "shielding" support; protection of keys expected
! 80: * to remain in memory for long durations
! 81: */
! 82: #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024)
! 83: #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */
! 84: #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512
! 85:
! 86: int sshkey_private_serialize_opt(struct sshkey *key,
1.14 christos 87: struct sshbuf *buf, enum sshkey_serialize_rep);
1.3 christos 88: static int sshkey_from_blob_internal(struct sshbuf *buf,
1.1 christos 89: struct sshkey **keyp, int allow_cert);
90:
91: /* Supported key types */
92: struct keytype {
93: const char *name;
94: const char *shortname;
1.17 christos 95: const char *sigalg;
1.1 christos 96: int type;
97: int nid;
98: int cert;
1.7 christos 99: int sigonly;
1.1 christos 100: };
101: static const struct keytype keytypes[] = {
1.17 christos 102: { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 },
103: { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL,
1.7 christos 104: KEY_ED25519_CERT, 0, 1, 0 },
1.14 christos 105: #ifdef WITH_XMSS
1.17 christos 106: { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 },
107: { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL,
1.14 christos 108: KEY_XMSS_CERT, 0, 1, 0 },
109: #endif /* WITH_XMSS */
1.1 christos 110: #ifdef WITH_OPENSSL
1.17 christos 111: { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 },
112: { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
113: { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 },
114: { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 },
115: { "ecdsa-sha2-nistp256", "ECDSA", NULL,
116: KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
117: { "ecdsa-sha2-nistp384", "ECDSA", NULL,
118: KEY_ECDSA, NID_secp384r1, 0, 0 },
119: { "ecdsa-sha2-nistp521", "ECDSA", NULL,
120: KEY_ECDSA, NID_secp521r1, 0, 0 },
121: { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL,
122: KEY_RSA_CERT, 0, 1, 0 },
123: { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT",
1.19 christos 124: "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
1.17 christos 125: { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT",
1.19 christos 126: "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
1.17 christos 127: { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL,
128: KEY_DSA_CERT, 0, 1, 0 },
129: { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL,
1.7 christos 130: KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
1.17 christos 131: { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL,
1.7 christos 132: KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
1.17 christos 133: { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL,
134: KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
1.1 christos 135: #endif /* WITH_OPENSSL */
1.17 christos 136: { NULL, NULL, NULL, -1, -1, 0, 0 }
1.1 christos 137: };
138:
139: const char *
140: sshkey_type(const struct sshkey *k)
141: {
142: const struct keytype *kt;
143:
144: for (kt = keytypes; kt->type != -1; kt++) {
145: if (kt->type == k->type)
146: return kt->shortname;
147: }
148: return "unknown";
149: }
150:
151: static const char *
152: sshkey_ssh_name_from_type_nid(int type, int nid)
153: {
154: const struct keytype *kt;
155:
156: for (kt = keytypes; kt->type != -1; kt++) {
157: if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
158: return kt->name;
159: }
160: return "ssh-unknown";
161: }
162:
163: int
164: sshkey_type_is_cert(int type)
165: {
166: const struct keytype *kt;
167:
168: for (kt = keytypes; kt->type != -1; kt++) {
169: if (kt->type == type)
170: return kt->cert;
171: }
172: return 0;
173: }
174:
175: const char *
176: sshkey_ssh_name(const struct sshkey *k)
177: {
178: return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
179: }
180:
181: const char *
182: sshkey_ssh_name_plain(const struct sshkey *k)
183: {
184: return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
185: k->ecdsa_nid);
186: }
187:
188: int
189: sshkey_type_from_name(const char *name)
190: {
191: const struct keytype *kt;
192:
193: for (kt = keytypes; kt->type != -1; kt++) {
194: /* Only allow shortname matches for plain key types */
195: if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
196: (!kt->cert && strcasecmp(kt->shortname, name) == 0))
197: return kt->type;
198: }
199: return KEY_UNSPEC;
200: }
201:
202: int
203: sshkey_ecdsa_nid_from_name(const char *name)
204: {
205: const struct keytype *kt;
206:
1.3 christos 207: for (kt = keytypes; kt->type != -1; kt++) {
208: if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
209: continue;
210: if (kt->name != NULL && strcmp(name, kt->name) == 0)
211: return kt->nid;
212: }
1.1 christos 213: return -1;
214: }
215:
216: char *
1.10 christos 217: sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
1.1 christos 218: {
219: char *tmp, *ret = NULL;
220: size_t nlen, rlen = 0;
221: const struct keytype *kt;
222:
223: for (kt = keytypes; kt->type != -1; kt++) {
1.10 christos 224: if (kt->name == NULL)
225: continue;
226: if (!include_sigonly && kt->sigonly)
1.1 christos 227: continue;
228: if ((certs_only && !kt->cert) || (plain_only && kt->cert))
229: continue;
230: if (ret != NULL)
1.9 christos 231: ret[rlen++] = sep;
1.1 christos 232: nlen = strlen(kt->name);
233: if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
234: free(ret);
235: return NULL;
236: }
237: ret = tmp;
238: memcpy(ret + rlen, kt->name, nlen + 1);
239: rlen += nlen;
240: }
241: return ret;
242: }
243:
244: int
1.3 christos 245: sshkey_names_valid2(const char *names, int allow_wildcard)
1.1 christos 246: {
247: char *s, *cp, *p;
1.3 christos 248: const struct keytype *kt;
249: int type;
1.1 christos 250:
251: if (names == NULL || strcmp(names, "") == 0)
252: return 0;
253: if ((s = cp = strdup(names)) == NULL)
254: return 0;
255: for ((p = strsep(&cp, ",")); p && *p != '\0';
256: (p = strsep(&cp, ","))) {
1.3 christos 257: type = sshkey_type_from_name(p);
258: if (type == KEY_UNSPEC) {
259: if (allow_wildcard) {
260: /*
261: * Try matching key types against the string.
262: * If any has a positive or negative match then
263: * the component is accepted.
264: */
265: for (kt = keytypes; kt->type != -1; kt++) {
266: if (match_pattern_list(kt->name,
1.4 christos 267: p, 0) != 0)
1.3 christos 268: break;
269: }
270: if (kt->type != -1)
271: continue;
272: }
1.1 christos 273: free(s);
274: return 0;
275: }
276: }
277: free(s);
278: return 1;
279: }
280:
281: u_int
282: sshkey_size(const struct sshkey *k)
283: {
1.19 christos 284: #ifdef WITH_OPENSSL
285: const BIGNUM *rsa_n, *dsa_p;
286: #endif /* WITH_OPENSSL */
287:
1.1 christos 288: switch (k->type) {
289: #ifdef WITH_OPENSSL
290: case KEY_RSA:
291: case KEY_RSA_CERT:
1.19 christos 292: if (k->rsa == NULL)
293: return 0;
294: RSA_get0_key(k->rsa, &rsa_n, NULL, NULL);
295: return BN_num_bits(rsa_n);
1.1 christos 296: case KEY_DSA:
297: case KEY_DSA_CERT:
1.19 christos 298: if (k->dsa == NULL)
299: return 0;
300: DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL);
301: return BN_num_bits(dsa_p);
1.1 christos 302: case KEY_ECDSA:
303: case KEY_ECDSA_CERT:
304: return sshkey_curve_nid_to_bits(k->ecdsa_nid);
305: #endif /* WITH_OPENSSL */
306: case KEY_ED25519:
307: case KEY_ED25519_CERT:
1.14 christos 308: case KEY_XMSS:
309: case KEY_XMSS_CERT:
1.1 christos 310: return 256; /* XXX */
311: }
312: return 0;
313: }
314:
315: static int
316: sshkey_type_is_valid_ca(int type)
317: {
318: switch (type) {
319: case KEY_RSA:
320: case KEY_DSA:
321: case KEY_ECDSA:
322: case KEY_ED25519:
1.14 christos 323: case KEY_XMSS:
1.1 christos 324: return 1;
325: default:
326: return 0;
327: }
328: }
329:
330: int
331: sshkey_is_cert(const struct sshkey *k)
332: {
333: if (k == NULL)
334: return 0;
335: return sshkey_type_is_cert(k->type);
336: }
337:
338: /* Return the cert-less equivalent to a certified key type */
339: int
340: sshkey_type_plain(int type)
341: {
342: switch (type) {
343: case KEY_RSA_CERT:
344: return KEY_RSA;
345: case KEY_DSA_CERT:
346: return KEY_DSA;
347: case KEY_ECDSA_CERT:
348: return KEY_ECDSA;
349: case KEY_ED25519_CERT:
350: return KEY_ED25519;
1.14 christos 351: case KEY_XMSS_CERT:
352: return KEY_XMSS;
1.1 christos 353: default:
354: return type;
355: }
356: }
357:
358: #ifdef WITH_OPENSSL
359: /* XXX: these are really begging for a table-driven approach */
360: int
361: sshkey_curve_name_to_nid(const char *name)
362: {
363: if (strcmp(name, "nistp256") == 0)
364: return NID_X9_62_prime256v1;
365: else if (strcmp(name, "nistp384") == 0)
366: return NID_secp384r1;
367: else if (strcmp(name, "nistp521") == 0)
368: return NID_secp521r1;
369: else
370: return -1;
371: }
372:
373: u_int
374: sshkey_curve_nid_to_bits(int nid)
375: {
376: switch (nid) {
377: case NID_X9_62_prime256v1:
378: return 256;
379: case NID_secp384r1:
380: return 384;
381: case NID_secp521r1:
382: return 521;
383: default:
384: return 0;
385: }
386: }
387:
388: int
389: sshkey_ecdsa_bits_to_nid(int bits)
390: {
391: switch (bits) {
392: case 256:
393: return NID_X9_62_prime256v1;
394: case 384:
395: return NID_secp384r1;
396: case 521:
397: return NID_secp521r1;
398: default:
399: return -1;
400: }
401: }
402:
403: const char *
404: sshkey_curve_nid_to_name(int nid)
405: {
406: switch (nid) {
407: case NID_X9_62_prime256v1:
408: return "nistp256";
409: case NID_secp384r1:
410: return "nistp384";
411: case NID_secp521r1:
412: return "nistp521";
413: default:
414: return NULL;
415: }
416: }
417:
418: int
419: sshkey_ec_nid_to_hash_alg(int nid)
420: {
421: int kbits = sshkey_curve_nid_to_bits(nid);
422:
423: if (kbits <= 0)
424: return -1;
425:
426: /* RFC5656 section 6.2.1 */
427: if (kbits <= 256)
428: return SSH_DIGEST_SHA256;
429: else if (kbits <= 384)
430: return SSH_DIGEST_SHA384;
431: else
432: return SSH_DIGEST_SHA512;
433: }
434: #endif /* WITH_OPENSSL */
435:
436: static void
437: cert_free(struct sshkey_cert *cert)
438: {
439: u_int i;
440:
441: if (cert == NULL)
442: return;
1.7 christos 443: sshbuf_free(cert->certblob);
444: sshbuf_free(cert->critical);
445: sshbuf_free(cert->extensions);
446: free(cert->key_id);
1.1 christos 447: for (i = 0; i < cert->nprincipals; i++)
448: free(cert->principals[i]);
1.7 christos 449: free(cert->principals);
450: sshkey_free(cert->signature_key);
1.19 christos 451: free(cert->signature_type);
1.14 christos 452: freezero(cert, sizeof(*cert));
1.1 christos 453: }
454:
455: static struct sshkey_cert *
456: cert_new(void)
457: {
458: struct sshkey_cert *cert;
459:
460: if ((cert = calloc(1, sizeof(*cert))) == NULL)
461: return NULL;
462: if ((cert->certblob = sshbuf_new()) == NULL ||
463: (cert->critical = sshbuf_new()) == NULL ||
464: (cert->extensions = sshbuf_new()) == NULL) {
465: cert_free(cert);
466: return NULL;
467: }
468: cert->key_id = NULL;
469: cert->principals = NULL;
470: cert->signature_key = NULL;
1.19 christos 471: cert->signature_type = NULL;
1.1 christos 472: return cert;
473: }
474:
475: struct sshkey *
476: sshkey_new(int type)
477: {
478: struct sshkey *k;
479: #ifdef WITH_OPENSSL
480: RSA *rsa;
481: DSA *dsa;
482: #endif /* WITH_OPENSSL */
483:
484: if ((k = calloc(1, sizeof(*k))) == NULL)
485: return NULL;
486: k->type = type;
487: k->ecdsa = NULL;
488: k->ecdsa_nid = -1;
489: k->dsa = NULL;
490: k->rsa = NULL;
491: k->cert = NULL;
492: k->ed25519_sk = NULL;
493: k->ed25519_pk = NULL;
1.14 christos 494: k->xmss_sk = NULL;
495: k->xmss_pk = NULL;
1.1 christos 496: switch (k->type) {
497: #ifdef WITH_OPENSSL
498: case KEY_RSA:
499: case KEY_RSA_CERT:
1.19 christos 500: if ((rsa = RSA_new()) == NULL) {
1.1 christos 501: free(k);
502: return NULL;
503: }
504: k->rsa = rsa;
505: break;
506: case KEY_DSA:
507: case KEY_DSA_CERT:
1.19 christos 508: if ((dsa = DSA_new()) == NULL) {
1.1 christos 509: free(k);
510: return NULL;
511: }
512: k->dsa = dsa;
513: break;
514: case KEY_ECDSA:
515: case KEY_ECDSA_CERT:
516: /* Cannot do anything until we know the group */
517: break;
518: #endif /* WITH_OPENSSL */
519: case KEY_ED25519:
520: case KEY_ED25519_CERT:
1.14 christos 521: case KEY_XMSS:
522: case KEY_XMSS_CERT:
1.1 christos 523: /* no need to prealloc */
524: break;
525: case KEY_UNSPEC:
526: break;
527: default:
528: free(k);
529: return NULL;
530: }
531:
532: if (sshkey_is_cert(k)) {
533: if ((k->cert = cert_new()) == NULL) {
534: sshkey_free(k);
535: return NULL;
536: }
537: }
538:
539: return k;
540: }
541:
542: void
543: sshkey_free(struct sshkey *k)
544: {
545: if (k == NULL)
546: return;
547: switch (k->type) {
548: #ifdef WITH_OPENSSL
549: case KEY_RSA:
550: case KEY_RSA_CERT:
1.14 christos 551: RSA_free(k->rsa);
1.1 christos 552: k->rsa = NULL;
553: break;
554: case KEY_DSA:
555: case KEY_DSA_CERT:
1.14 christos 556: DSA_free(k->dsa);
1.1 christos 557: k->dsa = NULL;
558: break;
559: case KEY_ECDSA:
560: case KEY_ECDSA_CERT:
1.14 christos 561: EC_KEY_free(k->ecdsa);
1.1 christos 562: k->ecdsa = NULL;
563: break;
564: #endif /* WITH_OPENSSL */
565: case KEY_ED25519:
566: case KEY_ED25519_CERT:
1.14 christos 567: freezero(k->ed25519_pk, ED25519_PK_SZ);
568: k->ed25519_pk = NULL;
569: freezero(k->ed25519_sk, ED25519_SK_SZ);
570: k->ed25519_sk = NULL;
571: break;
572: #ifdef WITH_XMSS
573: case KEY_XMSS:
574: case KEY_XMSS_CERT:
575: freezero(k->xmss_pk, sshkey_xmss_pklen(k));
576: k->xmss_pk = NULL;
577: freezero(k->xmss_sk, sshkey_xmss_sklen(k));
578: k->xmss_sk = NULL;
579: sshkey_xmss_free_state(k);
580: free(k->xmss_name);
581: k->xmss_name = NULL;
582: free(k->xmss_filename);
583: k->xmss_filename = NULL;
1.1 christos 584: break;
1.14 christos 585: #endif /* WITH_XMSS */
1.1 christos 586: case KEY_UNSPEC:
587: break;
588: default:
589: break;
590: }
591: if (sshkey_is_cert(k))
592: cert_free(k->cert);
1.21 ! christos 593: freezero(k->shielded_private, k->shielded_len);
! 594: freezero(k->shield_prekey, k->shield_prekey_len);
1.14 christos 595: freezero(k, sizeof(*k));
1.1 christos 596: }
597:
598: static int
599: cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
600: {
601: if (a == NULL && b == NULL)
602: return 1;
603: if (a == NULL || b == NULL)
604: return 0;
605: if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
606: return 0;
607: if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
608: sshbuf_len(a->certblob)) != 0)
609: return 0;
610: return 1;
611: }
612:
613: /*
614: * Compare public portions of key only, allowing comparisons between
615: * certificates and plain keys too.
616: */
617: int
618: sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
619: {
620: #ifdef WITH_OPENSSL
621: BN_CTX *bnctx;
1.19 christos 622: const BIGNUM *rsa_e_a, *rsa_n_a;
623: const BIGNUM *rsa_e_b, *rsa_n_b;
624: const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a;
625: const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b;
1.1 christos 626: #endif /* WITH_OPENSSL */
627:
628: if (a == NULL || b == NULL ||
629: sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
630: return 0;
631:
632: switch (a->type) {
633: #ifdef WITH_OPENSSL
634: case KEY_RSA_CERT:
635: case KEY_RSA:
1.19 christos 636: if (a->rsa == NULL || b->rsa == NULL)
637: return 0;
638: RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL);
639: RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL);
640: return BN_cmp(rsa_e_a, rsa_e_b) == 0 &&
641: BN_cmp(rsa_n_a, rsa_n_b) == 0;
1.1 christos 642: case KEY_DSA_CERT:
643: case KEY_DSA:
1.19 christos 644: if (a->dsa == NULL || b->dsa == NULL)
645: return 0;
646: DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
647: DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
648: DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL);
649: DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL);
650: return BN_cmp(dsa_p_a, dsa_p_b) == 0 &&
651: BN_cmp(dsa_q_a, dsa_q_b) == 0 &&
652: BN_cmp(dsa_g_a, dsa_g_b) == 0 &&
653: BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0;
1.1 christos 654: case KEY_ECDSA_CERT:
655: case KEY_ECDSA:
656: if (a->ecdsa == NULL || b->ecdsa == NULL ||
657: EC_KEY_get0_public_key(a->ecdsa) == NULL ||
658: EC_KEY_get0_public_key(b->ecdsa) == NULL)
659: return 0;
660: if ((bnctx = BN_CTX_new()) == NULL)
661: return 0;
662: if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
663: EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
664: EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
665: EC_KEY_get0_public_key(a->ecdsa),
666: EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
667: BN_CTX_free(bnctx);
668: return 0;
669: }
670: BN_CTX_free(bnctx);
671: return 1;
672: #endif /* WITH_OPENSSL */
673: case KEY_ED25519:
674: case KEY_ED25519_CERT:
675: return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
676: memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
1.14 christos 677: #ifdef WITH_XMSS
678: case KEY_XMSS:
679: case KEY_XMSS_CERT:
680: return a->xmss_pk != NULL && b->xmss_pk != NULL &&
681: sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) &&
682: memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0;
683: #endif /* WITH_XMSS */
1.1 christos 684: default:
685: return 0;
686: }
687: /* NOTREACHED */
688: }
689:
690: int
691: sshkey_equal(const struct sshkey *a, const struct sshkey *b)
692: {
693: if (a == NULL || b == NULL || a->type != b->type)
694: return 0;
695: if (sshkey_is_cert(a)) {
696: if (!cert_compare(a->cert, b->cert))
697: return 0;
698: }
699: return sshkey_equal_public(a, b);
700: }
701:
702: static int
1.14 christos 703: to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
704: enum sshkey_serialize_rep opts)
1.1 christos 705: {
706: int type, ret = SSH_ERR_INTERNAL_ERROR;
707: const char *typename;
1.19 christos 708: #ifdef WITH_OPENSSL
709: const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
710: #endif /* WITH_OPENSSL */
1.1 christos 711:
712: if (key == NULL)
713: return SSH_ERR_INVALID_ARGUMENT;
714:
1.4 christos 715: if (sshkey_is_cert(key)) {
716: if (key->cert == NULL)
717: return SSH_ERR_EXPECTED_CERT;
718: if (sshbuf_len(key->cert->certblob) == 0)
719: return SSH_ERR_KEY_LACKS_CERTBLOB;
720: }
1.1 christos 721: type = force_plain ? sshkey_type_plain(key->type) : key->type;
722: typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
723:
724: switch (type) {
725: #ifdef WITH_OPENSSL
726: case KEY_DSA_CERT:
727: case KEY_ECDSA_CERT:
728: case KEY_RSA_CERT:
729: #endif /* WITH_OPENSSL */
730: case KEY_ED25519_CERT:
1.14 christos 731: #ifdef WITH_XMSS
732: case KEY_XMSS_CERT:
733: #endif /* WITH_XMSS */
1.1 christos 734: /* Use the existing blob */
735: /* XXX modified flag? */
736: if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
737: return ret;
738: break;
739: #ifdef WITH_OPENSSL
740: case KEY_DSA:
741: if (key->dsa == NULL)
742: return SSH_ERR_INVALID_ARGUMENT;
1.19 christos 743: DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
744: DSA_get0_key(key->dsa, &dsa_pub_key, NULL);
1.1 christos 745: if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
1.19 christos 746: (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
747: (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
748: (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
749: (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
1.1 christos 750: return ret;
751: break;
752: case KEY_ECDSA:
753: if (key->ecdsa == NULL)
754: return SSH_ERR_INVALID_ARGUMENT;
755: if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
756: (ret = sshbuf_put_cstring(b,
757: sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
758: (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
759: return ret;
760: break;
761: case KEY_RSA:
762: if (key->rsa == NULL)
763: return SSH_ERR_INVALID_ARGUMENT;
1.19 christos 764: RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL);
1.1 christos 765: if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
1.19 christos 766: (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
767: (ret = sshbuf_put_bignum2(b, rsa_n)) != 0)
1.1 christos 768: return ret;
769: break;
770: #endif /* WITH_OPENSSL */
771: case KEY_ED25519:
772: if (key->ed25519_pk == NULL)
773: return SSH_ERR_INVALID_ARGUMENT;
774: if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
775: (ret = sshbuf_put_string(b,
776: key->ed25519_pk, ED25519_PK_SZ)) != 0)
777: return ret;
778: break;
1.14 christos 779: #ifdef WITH_XMSS
780: case KEY_XMSS:
781: if (key->xmss_name == NULL || key->xmss_pk == NULL ||
782: sshkey_xmss_pklen(key) == 0)
783: return SSH_ERR_INVALID_ARGUMENT;
784: if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
785: (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
786: (ret = sshbuf_put_string(b,
787: key->xmss_pk, sshkey_xmss_pklen(key))) != 0 ||
788: (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0)
789: return ret;
790: break;
791: #endif /* WITH_XMSS */
1.1 christos 792: default:
793: return SSH_ERR_KEY_TYPE_UNKNOWN;
794: }
795: return 0;
796: }
797:
798: int
1.3 christos 799: sshkey_putb(const struct sshkey *key, struct sshbuf *b)
1.1 christos 800: {
1.14 christos 801: return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
1.1 christos 802: }
803:
804: int
1.14 christos 805: sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b,
806: enum sshkey_serialize_rep opts)
1.3 christos 807: {
808: struct sshbuf *tmp;
809: int r;
810:
811: if ((tmp = sshbuf_new()) == NULL)
812: return SSH_ERR_ALLOC_FAIL;
1.14 christos 813: r = to_blob_buf(key, tmp, 0, opts);
1.3 christos 814: if (r == 0)
815: r = sshbuf_put_stringb(b, tmp);
816: sshbuf_free(tmp);
817: return r;
818: }
819:
820: int
1.14 christos 821: sshkey_puts(const struct sshkey *key, struct sshbuf *b)
822: {
823: return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
824: }
825:
826: int
1.3 christos 827: sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
1.1 christos 828: {
1.14 christos 829: return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
1.1 christos 830: }
831:
832: static int
1.14 christos 833: to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain,
834: enum sshkey_serialize_rep opts)
1.1 christos 835: {
836: int ret = SSH_ERR_INTERNAL_ERROR;
837: size_t len;
838: struct sshbuf *b = NULL;
839:
840: if (lenp != NULL)
841: *lenp = 0;
842: if (blobp != NULL)
843: *blobp = NULL;
844: if ((b = sshbuf_new()) == NULL)
845: return SSH_ERR_ALLOC_FAIL;
1.14 christos 846: if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
1.1 christos 847: goto out;
848: len = sshbuf_len(b);
849: if (lenp != NULL)
850: *lenp = len;
851: if (blobp != NULL) {
852: if ((*blobp = malloc(len)) == NULL) {
853: ret = SSH_ERR_ALLOC_FAIL;
854: goto out;
855: }
856: memcpy(*blobp, sshbuf_ptr(b), len);
857: }
858: ret = 0;
859: out:
860: sshbuf_free(b);
861: return ret;
862: }
863:
864: int
865: sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
866: {
1.14 christos 867: return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
1.1 christos 868: }
869:
870: int
871: sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
872: {
1.14 christos 873: return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
1.1 christos 874: }
875:
876: int
1.3 christos 877: sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
1.1 christos 878: u_char **retp, size_t *lenp)
879: {
880: u_char *blob = NULL, *ret = NULL;
881: size_t blob_len = 0;
1.3 christos 882: int r = SSH_ERR_INTERNAL_ERROR;
1.1 christos 883:
884: if (retp != NULL)
885: *retp = NULL;
886: if (lenp != NULL)
887: *lenp = 0;
1.3 christos 888: if (ssh_digest_bytes(dgst_alg) == 0) {
1.1 christos 889: r = SSH_ERR_INVALID_ARGUMENT;
890: goto out;
891: }
1.14 christos 892: if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
893: != 0)
1.1 christos 894: goto out;
895: if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
896: r = SSH_ERR_ALLOC_FAIL;
897: goto out;
898: }
1.3 christos 899: if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
1.1 christos 900: ret, SSH_DIGEST_MAX_LENGTH)) != 0)
901: goto out;
902: /* success */
903: if (retp != NULL) {
904: *retp = ret;
905: ret = NULL;
906: }
907: if (lenp != NULL)
1.3 christos 908: *lenp = ssh_digest_bytes(dgst_alg);
1.1 christos 909: r = 0;
910: out:
911: free(ret);
912: if (blob != NULL) {
913: explicit_bzero(blob, blob_len);
914: free(blob);
915: }
916: return r;
917: }
918:
919: static char *
1.3 christos 920: fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
921: {
922: char *ret;
923: size_t plen = strlen(alg) + 1;
924: size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
925:
926: if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
927: return NULL;
928: strlcpy(ret, alg, rlen);
929: strlcat(ret, ":", rlen);
930: if (dgst_raw_len == 0)
931: return ret;
1.21 ! christos 932: if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
1.14 christos 933: freezero(ret, rlen);
1.3 christos 934: return NULL;
935: }
936: /* Trim padding characters from end */
937: ret[strcspn(ret, "=")] = '\0';
938: return ret;
939: }
940:
941: static char *
942: fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
1.1 christos 943: {
1.3 christos 944: char *retval, hex[5];
945: size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
1.1 christos 946:
1.3 christos 947: if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
1.1 christos 948: return NULL;
1.3 christos 949: strlcpy(retval, alg, rlen);
950: strlcat(retval, ":", rlen);
1.1 christos 951: for (i = 0; i < dgst_raw_len; i++) {
1.3 christos 952: snprintf(hex, sizeof(hex), "%s%02x",
953: i > 0 ? ":" : "", dgst_raw[i]);
954: strlcat(retval, hex, rlen);
1.1 christos 955: }
956: return retval;
957: }
958:
959: static char *
960: fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
961: {
962: char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
963: char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
964: 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
965: u_int i, j = 0, rounds, seed = 1;
966: char *retval;
967:
968: rounds = (dgst_raw_len / 2) + 1;
969: if ((retval = calloc(rounds, 6)) == NULL)
970: return NULL;
971: retval[j++] = 'x';
972: for (i = 0; i < rounds; i++) {
973: u_int idx0, idx1, idx2, idx3, idx4;
974: if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
975: idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
976: seed) % 6;
977: idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
978: idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
979: (seed / 6)) % 6;
980: retval[j++] = vowels[idx0];
981: retval[j++] = consonants[idx1];
982: retval[j++] = vowels[idx2];
983: if ((i + 1) < rounds) {
984: idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
985: idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
986: retval[j++] = consonants[idx3];
987: retval[j++] = '-';
988: retval[j++] = consonants[idx4];
989: seed = ((seed * 5) +
990: ((((u_int)(dgst_raw[2 * i])) * 7) +
991: ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
992: }
993: } else {
994: idx0 = seed % 6;
995: idx1 = 16;
996: idx2 = seed / 6;
997: retval[j++] = vowels[idx0];
998: retval[j++] = consonants[idx1];
999: retval[j++] = vowels[idx2];
1000: }
1001: }
1002: retval[j++] = 'x';
1003: retval[j++] = '\0';
1004: return retval;
1005: }
1006:
1007: /*
1008: * Draw an ASCII-Art representing the fingerprint so human brain can
1009: * profit from its built-in pattern recognition ability.
1010: * This technique is called "random art" and can be found in some
1011: * scientific publications like this original paper:
1012: *
1013: * "Hash Visualization: a New Technique to improve Real-World Security",
1014: * Perrig A. and Song D., 1999, International Workshop on Cryptographic
1015: * Techniques and E-Commerce (CrypTEC '99)
1016: * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
1017: *
1018: * The subject came up in a talk by Dan Kaminsky, too.
1019: *
1020: * If you see the picture is different, the key is different.
1021: * If the picture looks the same, you still know nothing.
1022: *
1023: * The algorithm used here is a worm crawling over a discrete plane,
1024: * leaving a trace (augmenting the field) everywhere it goes.
1025: * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
1026: * makes the respective movement vector be ignored for this turn.
1027: * Graphs are not unambiguous, because circles in graphs can be
1028: * walked in either direction.
1029: */
1030:
1031: /*
1032: * Field sizes for the random art. Have to be odd, so the starting point
1033: * can be in the exact middle of the picture, and FLDBASE should be >=8 .
1034: * Else pictures would be too dense, and drawing the frame would
1035: * fail, too, because the key type would not fit in anymore.
1036: */
1037: #define FLDBASE 8
1038: #define FLDSIZE_Y (FLDBASE + 1)
1039: #define FLDSIZE_X (FLDBASE * 2 + 1)
1040: static char *
1.3 christos 1041: fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
1.1 christos 1042: const struct sshkey *k)
1043: {
1044: /*
1045: * Chars to be used after each other every time the worm
1046: * intersects with itself. Matter of taste.
1047: */
1.2 christos 1048: const char *augmentation_string = " .o+=*BOX@%&#/^SE";
1.3 christos 1049: char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
1.1 christos 1050: u_char field[FLDSIZE_X][FLDSIZE_Y];
1.3 christos 1051: size_t i, tlen, hlen;
1.1 christos 1052: u_int b;
1053: int x, y, r;
1054: size_t len = strlen(augmentation_string) - 1;
1055:
1056: if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
1057: return NULL;
1058:
1059: /* initialize field */
1060: memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1061: x = FLDSIZE_X / 2;
1062: y = FLDSIZE_Y / 2;
1063:
1064: /* process raw key */
1065: for (i = 0; i < dgst_raw_len; i++) {
1066: int input;
1067: /* each byte conveys four 2-bit move commands */
1068: input = dgst_raw[i];
1069: for (b = 0; b < 4; b++) {
1070: /* evaluate 2 bit, rest is shifted later */
1071: x += (input & 0x1) ? 1 : -1;
1072: y += (input & 0x2) ? 1 : -1;
1073:
1074: /* assure we are still in bounds */
1.9 christos 1075: x = MAXIMUM(x, 0);
1076: y = MAXIMUM(y, 0);
1077: x = MINIMUM(x, FLDSIZE_X - 1);
1078: y = MINIMUM(y, FLDSIZE_Y - 1);
1.1 christos 1079:
1080: /* augment the field */
1081: if (field[x][y] < len - 2)
1082: field[x][y]++;
1083: input = input >> 2;
1084: }
1085: }
1086:
1087: /* mark starting point and end point*/
1088: field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
1089: field[x][y] = len;
1090:
1091: /* assemble title */
1092: r = snprintf(title, sizeof(title), "[%s %u]",
1093: sshkey_type(k), sshkey_size(k));
1094: /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
1095: if (r < 0 || r > (int)sizeof(title))
1.3 christos 1096: r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
1097: tlen = (r <= 0) ? 0 : strlen(title);
1098:
1099: /* assemble hash ID. */
1100: r = snprintf(hash, sizeof(hash), "[%s]", alg);
1101: hlen = (r <= 0) ? 0 : strlen(hash);
1.1 christos 1102:
1103: /* output upper border */
1104: p = retval;
1105: *p++ = '+';
1106: for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
1107: *p++ = '-';
1108: memcpy(p, title, tlen);
1109: p += tlen;
1.3 christos 1110: for (i += tlen; i < FLDSIZE_X; i++)
1.1 christos 1111: *p++ = '-';
1112: *p++ = '+';
1113: *p++ = '\n';
1114:
1115: /* output content */
1116: for (y = 0; y < FLDSIZE_Y; y++) {
1117: *p++ = '|';
1118: for (x = 0; x < FLDSIZE_X; x++)
1.9 christos 1119: *p++ = augmentation_string[MINIMUM(field[x][y], len)];
1.1 christos 1120: *p++ = '|';
1121: *p++ = '\n';
1122: }
1123:
1124: /* output lower border */
1125: *p++ = '+';
1.3 christos 1126: for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
1127: *p++ = '-';
1128: memcpy(p, hash, hlen);
1129: p += hlen;
1130: for (i += hlen; i < FLDSIZE_X; i++)
1.1 christos 1131: *p++ = '-';
1132: *p++ = '+';
1133:
1134: return retval;
1135: }
1136:
1137: char *
1.3 christos 1138: sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
1.1 christos 1139: enum sshkey_fp_rep dgst_rep)
1140: {
1141: char *retval = NULL;
1142: u_char *dgst_raw;
1143: size_t dgst_raw_len;
1144:
1.3 christos 1145: if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
1.1 christos 1146: return NULL;
1147: switch (dgst_rep) {
1.3 christos 1148: case SSH_FP_DEFAULT:
1149: if (dgst_alg == SSH_DIGEST_MD5) {
1150: retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1151: dgst_raw, dgst_raw_len);
1152: } else {
1153: retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1154: dgst_raw, dgst_raw_len);
1155: }
1156: break;
1.1 christos 1157: case SSH_FP_HEX:
1.3 christos 1158: retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1159: dgst_raw, dgst_raw_len);
1160: break;
1161: case SSH_FP_BASE64:
1162: retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1163: dgst_raw, dgst_raw_len);
1.1 christos 1164: break;
1165: case SSH_FP_BUBBLEBABBLE:
1166: retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1167: break;
1168: case SSH_FP_RANDOMART:
1.3 christos 1169: retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
1170: dgst_raw, dgst_raw_len, k);
1.1 christos 1171: break;
1172: default:
1173: explicit_bzero(dgst_raw, dgst_raw_len);
1174: free(dgst_raw);
1175: return NULL;
1176: }
1177: explicit_bzero(dgst_raw, dgst_raw_len);
1178: free(dgst_raw);
1179: return retval;
1180: }
1181:
1.14 christos 1182: static int
1183: peek_type_nid(const char *s, size_t l, int *nid)
1184: {
1185: const struct keytype *kt;
1186:
1187: for (kt = keytypes; kt->type != -1; kt++) {
1188: if (kt->name == NULL || strlen(kt->name) != l)
1189: continue;
1190: if (memcmp(s, kt->name, l) == 0) {
1191: *nid = -1;
1192: if (kt->type == KEY_ECDSA || kt->type == KEY_ECDSA_CERT)
1193: *nid = kt->nid;
1194: return kt->type;
1195: }
1196: }
1197: return KEY_UNSPEC;
1198: }
1199:
1.1 christos 1200:
1.14 christos 1201: /* XXX this can now be made const char * */
1.1 christos 1202: int
1203: sshkey_read(struct sshkey *ret, char **cpp)
1204: {
1205: struct sshkey *k;
1.14 christos 1206: char *cp, *blobcopy;
1207: size_t space;
1.1 christos 1208: int r, type, curve_nid = -1;
1209: struct sshbuf *blob;
1210:
1.10 christos 1211: if (ret == NULL)
1212: return SSH_ERR_INVALID_ARGUMENT;
1213:
1.1 christos 1214: switch (ret->type) {
1215: case KEY_UNSPEC:
1216: case KEY_RSA:
1217: case KEY_DSA:
1218: case KEY_ECDSA:
1219: case KEY_ED25519:
1220: case KEY_DSA_CERT:
1221: case KEY_ECDSA_CERT:
1222: case KEY_RSA_CERT:
1223: case KEY_ED25519_CERT:
1.14 christos 1224: #ifdef WITH_XMSS
1225: case KEY_XMSS:
1226: case KEY_XMSS_CERT:
1227: #endif /* WITH_XMSS */
1228: break; /* ok */
1229: default:
1230: return SSH_ERR_INVALID_ARGUMENT;
1231: }
1232:
1233: /* Decode type */
1234: cp = *cpp;
1235: space = strcspn(cp, " \t");
1236: if (space == strlen(cp))
1237: return SSH_ERR_INVALID_FORMAT;
1238: if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
1239: return SSH_ERR_INVALID_FORMAT;
1240:
1241: /* skip whitespace */
1242: for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
1243: ;
1244: if (*cp == '\0')
1245: return SSH_ERR_INVALID_FORMAT;
1246: if (ret->type != KEY_UNSPEC && ret->type != type)
1247: return SSH_ERR_KEY_TYPE_MISMATCH;
1248: if ((blob = sshbuf_new()) == NULL)
1249: return SSH_ERR_ALLOC_FAIL;
1250:
1251: /* find end of keyblob and decode */
1252: space = strcspn(cp, " \t");
1253: if ((blobcopy = strndup(cp, space)) == NULL) {
1254: sshbuf_free(blob);
1255: return SSH_ERR_ALLOC_FAIL;
1256: }
1257: if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
1258: free(blobcopy);
1259: sshbuf_free(blob);
1260: return r;
1261: }
1262: free(blobcopy);
1263: if ((r = sshkey_fromb(blob, &k)) != 0) {
1.1 christos 1264: sshbuf_free(blob);
1.14 christos 1265: return r;
1266: }
1267: sshbuf_free(blob);
1268:
1269: /* skip whitespace and leave cp at start of comment */
1270: for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
1271: ;
1272:
1273: /* ensure type of blob matches type at start of line */
1274: if (k->type != type) {
1275: sshkey_free(k);
1276: return SSH_ERR_KEY_TYPE_MISMATCH;
1277: }
1278: if (sshkey_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) {
1279: sshkey_free(k);
1280: return SSH_ERR_EC_CURVE_MISMATCH;
1281: }
1282:
1283: /* Fill in ret from parsed key */
1284: ret->type = type;
1285: if (sshkey_is_cert(ret)) {
1286: if (!sshkey_is_cert(k)) {
1.1 christos 1287: sshkey_free(k);
1.14 christos 1288: return SSH_ERR_EXPECTED_CERT;
1.1 christos 1289: }
1.14 christos 1290: if (ret->cert != NULL)
1291: cert_free(ret->cert);
1292: ret->cert = k->cert;
1293: k->cert = NULL;
1294: }
1295: switch (sshkey_type_plain(ret->type)) {
1296: #ifdef WITH_OPENSSL
1297: case KEY_RSA:
1298: RSA_free(ret->rsa);
1299: ret->rsa = k->rsa;
1300: k->rsa = NULL;
1.1 christos 1301: #ifdef DEBUG_PK
1.14 christos 1302: RSA_print_fp(stderr, ret->rsa, 8);
1.1 christos 1303: #endif
1.14 christos 1304: break;
1305: case KEY_DSA:
1306: DSA_free(ret->dsa);
1307: ret->dsa = k->dsa;
1308: k->dsa = NULL;
1.1 christos 1309: #ifdef DEBUG_PK
1.14 christos 1310: DSA_print_fp(stderr, ret->dsa, 8);
1.1 christos 1311: #endif
1.14 christos 1312: break;
1313: case KEY_ECDSA:
1314: EC_KEY_free(ret->ecdsa);
1315: ret->ecdsa = k->ecdsa;
1316: ret->ecdsa_nid = k->ecdsa_nid;
1317: k->ecdsa = NULL;
1318: k->ecdsa_nid = -1;
1.1 christos 1319: #ifdef DEBUG_PK
1.14 christos 1320: sshkey_dump_ec_key(ret->ecdsa);
1.1 christos 1321: #endif
1.14 christos 1322: break;
1.1 christos 1323: #endif /* WITH_OPENSSL */
1.14 christos 1324: case KEY_ED25519:
1325: freezero(ret->ed25519_pk, ED25519_PK_SZ);
1326: ret->ed25519_pk = k->ed25519_pk;
1327: k->ed25519_pk = NULL;
1328: #ifdef DEBUG_PK
1329: /* XXX */
1330: #endif
1331: break;
1332: #ifdef WITH_XMSS
1333: case KEY_XMSS:
1334: free(ret->xmss_pk);
1335: ret->xmss_pk = k->xmss_pk;
1336: k->xmss_pk = NULL;
1337: free(ret->xmss_state);
1338: ret->xmss_state = k->xmss_state;
1339: k->xmss_state = NULL;
1340: free(ret->xmss_name);
1341: ret->xmss_name = k->xmss_name;
1342: k->xmss_name = NULL;
1343: free(ret->xmss_filename);
1344: ret->xmss_filename = k->xmss_filename;
1345: k->xmss_filename = NULL;
1.1 christos 1346: #ifdef DEBUG_PK
1.14 christos 1347: /* XXX */
1.1 christos 1348: #endif
1349: break;
1.14 christos 1350: #endif /* WITH_XMSS */
1.1 christos 1351: default:
1.14 christos 1352: sshkey_free(k);
1353: return SSH_ERR_INTERNAL_ERROR;
1.1 christos 1354: }
1.14 christos 1355: sshkey_free(k);
1356:
1357: /* success */
1358: *cpp = cp;
1359: return 0;
1.1 christos 1360: }
1361:
1362: int
1.4 christos 1363: sshkey_to_base64(const struct sshkey *key, char **b64p)
1.1 christos 1364: {
1.4 christos 1365: int r = SSH_ERR_INTERNAL_ERROR;
1366: struct sshbuf *b = NULL;
1.1 christos 1367: char *uu = NULL;
1.4 christos 1368:
1369: if (b64p != NULL)
1370: *b64p = NULL;
1371: if ((b = sshbuf_new()) == NULL)
1372: return SSH_ERR_ALLOC_FAIL;
1373: if ((r = sshkey_putb(key, b)) != 0)
1374: goto out;
1.21 ! christos 1375: if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) {
1.4 christos 1376: r = SSH_ERR_ALLOC_FAIL;
1377: goto out;
1378: }
1379: /* Success */
1380: if (b64p != NULL) {
1381: *b64p = uu;
1382: uu = NULL;
1383: }
1384: r = 0;
1385: out:
1386: sshbuf_free(b);
1387: free(uu);
1388: return r;
1389: }
1390:
1.11 christos 1391: int
1392: sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
1.4 christos 1393: {
1394: int r = SSH_ERR_INTERNAL_ERROR;
1.11 christos 1395: char *uu = NULL;
1.1 christos 1396:
1.11 christos 1397: if ((r = sshkey_to_base64(key, &uu)) != 0)
1.4 christos 1398: goto out;
1.11 christos 1399: if ((r = sshbuf_putf(b, "%s %s",
1400: sshkey_ssh_name(key), uu)) != 0)
1.4 christos 1401: goto out;
1402: r = 0;
1403: out:
1404: free(uu);
1405: return r;
1406: }
1407:
1408: int
1409: sshkey_write(const struct sshkey *key, FILE *f)
1410: {
1411: struct sshbuf *b = NULL;
1412: int r = SSH_ERR_INTERNAL_ERROR;
1413:
1414: if ((b = sshbuf_new()) == NULL)
1415: return SSH_ERR_ALLOC_FAIL;
1416: if ((r = sshkey_format_text(key, b)) != 0)
1.1 christos 1417: goto out;
1418: if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
1419: if (feof(f))
1420: errno = EPIPE;
1.4 christos 1421: r = SSH_ERR_SYSTEM_ERROR;
1.1 christos 1422: goto out;
1423: }
1.4 christos 1424: /* Success */
1425: r = 0;
1.1 christos 1426: out:
1.4 christos 1427: sshbuf_free(b);
1428: return r;
1.1 christos 1429: }
1430:
1431: const char *
1432: sshkey_cert_type(const struct sshkey *k)
1433: {
1434: switch (k->cert->type) {
1435: case SSH2_CERT_TYPE_USER:
1436: return "user";
1437: case SSH2_CERT_TYPE_HOST:
1438: return "host";
1439: default:
1440: return "unknown";
1441: }
1442: }
1443:
1444: #ifdef WITH_OPENSSL
1445: static int
1446: rsa_generate_private_key(u_int bits, RSA **rsap)
1447: {
1448: RSA *private = NULL;
1449: BIGNUM *f4 = NULL;
1450: int ret = SSH_ERR_INTERNAL_ERROR;
1451:
1.11 christos 1452: if (rsap == NULL)
1453: return SSH_ERR_INVALID_ARGUMENT;
1454: if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
1.1 christos 1455: bits > SSHBUF_MAX_BIGNUM * 8)
1.11 christos 1456: return SSH_ERR_KEY_LENGTH;
1.1 christos 1457: *rsap = NULL;
1458: if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
1459: ret = SSH_ERR_ALLOC_FAIL;
1460: goto out;
1461: }
1462: if (!BN_set_word(f4, RSA_F4) ||
1463: !RSA_generate_key_ex(private, bits, f4, NULL)) {
1464: ret = SSH_ERR_LIBCRYPTO_ERROR;
1465: goto out;
1466: }
1467: *rsap = private;
1468: private = NULL;
1469: ret = 0;
1470: out:
1.14 christos 1471: RSA_free(private);
1472: BN_free(f4);
1.1 christos 1473: return ret;
1474: }
1475:
1476: static int
1477: dsa_generate_private_key(u_int bits, DSA **dsap)
1478: {
1479: DSA *private;
1480: int ret = SSH_ERR_INTERNAL_ERROR;
1481:
1.11 christos 1482: if (dsap == NULL)
1.1 christos 1483: return SSH_ERR_INVALID_ARGUMENT;
1.11 christos 1484: if (bits != 1024)
1485: return SSH_ERR_KEY_LENGTH;
1.1 christos 1486: if ((private = DSA_new()) == NULL) {
1487: ret = SSH_ERR_ALLOC_FAIL;
1488: goto out;
1489: }
1490: *dsap = NULL;
1491: if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1492: NULL, NULL) || !DSA_generate_key(private)) {
1493: ret = SSH_ERR_LIBCRYPTO_ERROR;
1494: goto out;
1495: }
1496: *dsap = private;
1497: private = NULL;
1498: ret = 0;
1499: out:
1.14 christos 1500: DSA_free(private);
1.1 christos 1501: return ret;
1502: }
1503:
1504: int
1505: sshkey_ecdsa_key_to_nid(EC_KEY *k)
1506: {
1.16 kre 1507: EC_GROUP *eg = NULL; /* XXXGCC: unneeded init */
1.1 christos 1508: int nids[] = {
1509: NID_X9_62_prime256v1,
1510: NID_secp384r1,
1511: NID_secp521r1,
1512: -1
1513: };
1514: int nid;
1515: u_int i;
1516: BN_CTX *bnctx;
1517: const EC_GROUP *g = EC_KEY_get0_group(k);
1518:
1519: /*
1520: * The group may be stored in a ASN.1 encoded private key in one of two
1521: * ways: as a "named group", which is reconstituted by ASN.1 object ID
1522: * or explicit group parameters encoded into the key blob. Only the
1523: * "named group" case sets the group NID for us, but we can figure
1524: * it out for the other case by comparing against all the groups that
1525: * are supported.
1526: */
1527: if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1528: return nid;
1529: if ((bnctx = BN_CTX_new()) == NULL)
1530: return -1;
1531: for (i = 0; nids[i] != -1; i++) {
1532: if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) {
1533: BN_CTX_free(bnctx);
1534: return -1;
1535: }
1536: if (EC_GROUP_cmp(g, eg, bnctx) == 0)
1537: break;
1538: EC_GROUP_free(eg);
1539: }
1540: BN_CTX_free(bnctx);
1541: if (nids[i] != -1) {
1542: /* Use the group with the NID attached */
1543: EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1544: if (EC_KEY_set_group(k, eg) != 1) {
1545: EC_GROUP_free(eg);
1546: return -1;
1547: }
1548: }
1549: return nids[i];
1550: }
1551:
1552: static int
1553: ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
1554: {
1555: EC_KEY *private;
1556: int ret = SSH_ERR_INTERNAL_ERROR;
1557:
1.11 christos 1558: if (nid == NULL || ecdsap == NULL)
1.1 christos 1559: return SSH_ERR_INVALID_ARGUMENT;
1.11 christos 1560: if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
1561: return SSH_ERR_KEY_LENGTH;
1.1 christos 1562: *ecdsap = NULL;
1563: if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
1564: ret = SSH_ERR_ALLOC_FAIL;
1565: goto out;
1566: }
1567: if (EC_KEY_generate_key(private) != 1) {
1568: ret = SSH_ERR_LIBCRYPTO_ERROR;
1569: goto out;
1570: }
1571: EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
1572: *ecdsap = private;
1573: private = NULL;
1574: ret = 0;
1575: out:
1.14 christos 1576: EC_KEY_free(private);
1.1 christos 1577: return ret;
1578: }
1579: #endif /* WITH_OPENSSL */
1580:
1581: int
1582: sshkey_generate(int type, u_int bits, struct sshkey **keyp)
1583: {
1584: struct sshkey *k;
1585: int ret = SSH_ERR_INTERNAL_ERROR;
1586:
1587: if (keyp == NULL)
1588: return SSH_ERR_INVALID_ARGUMENT;
1589: *keyp = NULL;
1590: if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
1591: return SSH_ERR_ALLOC_FAIL;
1592: switch (type) {
1593: case KEY_ED25519:
1594: if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
1595: (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
1596: ret = SSH_ERR_ALLOC_FAIL;
1597: break;
1598: }
1599: crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
1600: ret = 0;
1601: break;
1.14 christos 1602: #ifdef WITH_XMSS
1603: case KEY_XMSS:
1604: ret = sshkey_xmss_generate_private_key(k, bits);
1605: break;
1606: #endif /* WITH_XMSS */
1.1 christos 1607: #ifdef WITH_OPENSSL
1608: case KEY_DSA:
1609: ret = dsa_generate_private_key(bits, &k->dsa);
1610: break;
1611: case KEY_ECDSA:
1612: ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
1613: &k->ecdsa);
1614: break;
1615: case KEY_RSA:
1616: ret = rsa_generate_private_key(bits, &k->rsa);
1617: break;
1618: #endif /* WITH_OPENSSL */
1619: default:
1620: ret = SSH_ERR_INVALID_ARGUMENT;
1621: }
1622: if (ret == 0) {
1623: k->type = type;
1624: *keyp = k;
1625: } else
1626: sshkey_free(k);
1627: return ret;
1628: }
1629:
1630: int
1631: sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
1632: {
1633: u_int i;
1634: const struct sshkey_cert *from;
1635: struct sshkey_cert *to;
1.19 christos 1636: int r = SSH_ERR_INTERNAL_ERROR;
1.1 christos 1637:
1.19 christos 1638: if (to_key == NULL || (from = from_key->cert) == NULL)
1.1 christos 1639: return SSH_ERR_INVALID_ARGUMENT;
1640:
1.19 christos 1641: if ((to = cert_new()) == NULL)
1.1 christos 1642: return SSH_ERR_ALLOC_FAIL;
1643:
1.19 christos 1644: if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1645: (r = sshbuf_putb(to->critical, from->critical)) != 0 ||
1646: (r = sshbuf_putb(to->extensions, from->extensions)) != 0)
1647: goto out;
1.1 christos 1648:
1649: to->serial = from->serial;
1650: to->type = from->type;
1651: if (from->key_id == NULL)
1652: to->key_id = NULL;
1.19 christos 1653: else if ((to->key_id = strdup(from->key_id)) == NULL) {
1654: r = SSH_ERR_ALLOC_FAIL;
1655: goto out;
1656: }
1.1 christos 1657: to->valid_after = from->valid_after;
1658: to->valid_before = from->valid_before;
1659: if (from->signature_key == NULL)
1660: to->signature_key = NULL;
1.19 christos 1661: else if ((r = sshkey_from_private(from->signature_key,
1.1 christos 1662: &to->signature_key)) != 0)
1.19 christos 1663: goto out;
1664: if (from->signature_type != NULL &&
1665: (to->signature_type = strdup(from->signature_type)) == NULL) {
1666: r = SSH_ERR_ALLOC_FAIL;
1667: goto out;
1668: }
1669: if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) {
1670: r = SSH_ERR_INVALID_ARGUMENT;
1671: goto out;
1672: }
1.1 christos 1673: if (from->nprincipals > 0) {
1674: if ((to->principals = calloc(from->nprincipals,
1.19 christos 1675: sizeof(*to->principals))) == NULL) {
1676: r = SSH_ERR_ALLOC_FAIL;
1677: goto out;
1678: }
1.1 christos 1679: for (i = 0; i < from->nprincipals; i++) {
1680: to->principals[i] = strdup(from->principals[i]);
1681: if (to->principals[i] == NULL) {
1682: to->nprincipals = i;
1.19 christos 1683: r = SSH_ERR_ALLOC_FAIL;
1684: goto out;
1.1 christos 1685: }
1686: }
1687: }
1688: to->nprincipals = from->nprincipals;
1.19 christos 1689:
1690: /* success */
1691: cert_free(to_key->cert);
1692: to_key->cert = to;
1693: to = NULL;
1694: r = 0;
1695: out:
1696: cert_free(to);
1697: return r;
1.1 christos 1698: }
1699:
1700: int
1701: sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1702: {
1703: struct sshkey *n = NULL;
1.19 christos 1704: int r = SSH_ERR_INTERNAL_ERROR;
1705: #ifdef WITH_OPENSSL
1706: const BIGNUM *rsa_n, *rsa_e;
1707: BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL;
1708: const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
1709: BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL;
1710: BIGNUM *dsa_pub_key_dup = NULL;
1711: #endif /* WITH_OPENSSL */
1.1 christos 1712:
1.7 christos 1713: *pkp = NULL;
1.1 christos 1714: switch (k->type) {
1715: #ifdef WITH_OPENSSL
1716: case KEY_DSA:
1717: case KEY_DSA_CERT:
1.19 christos 1718: if ((n = sshkey_new(k->type)) == NULL) {
1719: r = SSH_ERR_ALLOC_FAIL;
1720: goto out;
1721: }
1722:
1723: DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
1724: DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
1725: if ((dsa_p_dup = BN_dup(dsa_p)) == NULL ||
1726: (dsa_q_dup = BN_dup(dsa_q)) == NULL ||
1727: (dsa_g_dup = BN_dup(dsa_g)) == NULL ||
1728: (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) {
1729: r = SSH_ERR_ALLOC_FAIL;
1730: goto out;
1731: }
1732: if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
1733: r = SSH_ERR_LIBCRYPTO_ERROR;
1734: goto out;
1.12 christos 1735: }
1.19 christos 1736: dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */
1737: if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) {
1738: r = SSH_ERR_LIBCRYPTO_ERROR;
1739: goto out;
1.12 christos 1740: }
1.19 christos 1741: dsa_pub_key_dup = NULL; /* transferred */
1742:
1.1 christos 1743: break;
1744: case KEY_ECDSA:
1745: case KEY_ECDSA_CERT:
1.19 christos 1746: if ((n = sshkey_new(k->type)) == NULL) {
1747: r = SSH_ERR_ALLOC_FAIL;
1748: goto out;
1749: }
1.1 christos 1750: n->ecdsa_nid = k->ecdsa_nid;
1751: n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1752: if (n->ecdsa == NULL) {
1.19 christos 1753: r = SSH_ERR_ALLOC_FAIL;
1754: goto out;
1.1 christos 1755: }
1756: if (EC_KEY_set_public_key(n->ecdsa,
1757: EC_KEY_get0_public_key(k->ecdsa)) != 1) {
1.19 christos 1758: r = SSH_ERR_LIBCRYPTO_ERROR;
1759: goto out;
1.1 christos 1760: }
1761: break;
1762: case KEY_RSA:
1763: case KEY_RSA_CERT:
1.19 christos 1764: if ((n = sshkey_new(k->type)) == NULL) {
1765: r = SSH_ERR_ALLOC_FAIL;
1766: goto out;
1.12 christos 1767: }
1.19 christos 1768: RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
1769: if ((rsa_n_dup = BN_dup(rsa_n)) == NULL ||
1770: (rsa_e_dup = BN_dup(rsa_e)) == NULL) {
1771: r = SSH_ERR_ALLOC_FAIL;
1772: goto out;
1.12 christos 1773: }
1.19 christos 1774: if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) {
1775: r = SSH_ERR_LIBCRYPTO_ERROR;
1776: goto out;
1777: }
1778: rsa_n_dup = rsa_e_dup = NULL; /* transferred */
1.1 christos 1779: break;
1780: #endif /* WITH_OPENSSL */
1781: case KEY_ED25519:
1782: case KEY_ED25519_CERT:
1.19 christos 1783: if ((n = sshkey_new(k->type)) == NULL) {
1784: r = SSH_ERR_ALLOC_FAIL;
1785: goto out;
1786: }
1.1 christos 1787: if (k->ed25519_pk != NULL) {
1788: if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
1.19 christos 1789: r = SSH_ERR_ALLOC_FAIL;
1790: goto out;
1.1 christos 1791: }
1792: memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1793: }
1794: break;
1.14 christos 1795: #ifdef WITH_XMSS
1796: case KEY_XMSS:
1797: case KEY_XMSS_CERT:
1.19 christos 1798: if ((n = sshkey_new(k->type)) == NULL) {
1799: r = SSH_ERR_ALLOC_FAIL;
1800: goto out;
1.14 christos 1801: }
1.19 christos 1802: if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0)
1803: goto out;
1.14 christos 1804: if (k->xmss_pk != NULL) {
1805: size_t pklen = sshkey_xmss_pklen(k);
1806: if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) {
1.19 christos 1807: r = SSH_ERR_INTERNAL_ERROR;
1808: goto out;
1.14 christos 1809: }
1810: if ((n->xmss_pk = malloc(pklen)) == NULL) {
1.19 christos 1811: r = SSH_ERR_ALLOC_FAIL;
1812: goto out;
1.14 christos 1813: }
1814: memcpy(n->xmss_pk, k->xmss_pk, pklen);
1815: }
1816: break;
1817: #endif /* WITH_XMSS */
1.1 christos 1818: default:
1.19 christos 1819: r = SSH_ERR_KEY_TYPE_UNKNOWN;
1820: goto out;
1.1 christos 1821: }
1.19 christos 1822: if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
1823: goto out;
1824: /* success */
1.1 christos 1825: *pkp = n;
1.19 christos 1826: n = NULL;
1827: r = 0;
1828: out:
1829: sshkey_free(n);
1.21 ! christos 1830: #ifdef WITH_OPENSSL
1.19 christos 1831: BN_clear_free(rsa_n_dup);
1832: BN_clear_free(rsa_e_dup);
1833: BN_clear_free(dsa_p_dup);
1834: BN_clear_free(dsa_q_dup);
1835: BN_clear_free(dsa_g_dup);
1836: BN_clear_free(dsa_pub_key_dup);
1.21 ! christos 1837: #endif /* WITH_OPENSSL */
! 1838:
! 1839: return r;
! 1840: }
! 1841:
! 1842: int
! 1843: sshkey_is_shielded(struct sshkey *k)
! 1844: {
! 1845: return k != NULL && k->shielded_private != NULL;
! 1846: }
! 1847:
! 1848: int
! 1849: sshkey_shield_private(struct sshkey *k)
! 1850: {
! 1851: struct sshbuf *prvbuf = NULL;
! 1852: u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH];
! 1853: struct sshcipher_ctx *cctx = NULL;
! 1854: const struct sshcipher *cipher;
! 1855: size_t i, enclen = 0;
! 1856: struct sshkey *kswap = NULL, tmp;
! 1857: int r = SSH_ERR_INTERNAL_ERROR;
! 1858:
! 1859: #ifdef DEBUG_PK
! 1860: fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
! 1861: #endif
! 1862: if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
! 1863: r = SSH_ERR_INVALID_ARGUMENT;
! 1864: goto out;
! 1865: }
! 1866: if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
! 1867: ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
! 1868: r = SSH_ERR_INTERNAL_ERROR;
! 1869: goto out;
! 1870: }
! 1871:
! 1872: /* Prepare a random pre-key, and from it an ephemeral key */
! 1873: if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) {
! 1874: r = SSH_ERR_ALLOC_FAIL;
! 1875: goto out;
! 1876: }
! 1877: arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN);
! 1878: if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
! 1879: prekey, SSHKEY_SHIELD_PREKEY_LEN,
! 1880: keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
! 1881: goto out;
! 1882: #ifdef DEBUG_PK
! 1883: fprintf(stderr, "%s: key+iv\n", __func__);
! 1884: sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
! 1885: stderr);
! 1886: #endif
! 1887: if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
! 1888: keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
! 1889: goto out;
! 1890:
! 1891: /* Serialise and encrypt the private key using the ephemeral key */
! 1892: if ((prvbuf = sshbuf_new()) == NULL) {
! 1893: r = SSH_ERR_ALLOC_FAIL;
! 1894: goto out;
! 1895: }
! 1896: if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
! 1897: goto out;
! 1898: if ((r = sshkey_private_serialize_opt(k, prvbuf,
! 1899: SSHKEY_SERIALIZE_FULL)) != 0)
! 1900: goto out;
! 1901: /* pad to cipher blocksize */
! 1902: i = 0;
! 1903: while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
! 1904: if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
! 1905: goto out;
! 1906: }
! 1907: #ifdef DEBUG_PK
! 1908: fprintf(stderr, "%s: serialised\n", __func__);
! 1909: sshbuf_dump(prvbuf, stderr);
! 1910: #endif
! 1911: /* encrypt */
! 1912: enclen = sshbuf_len(prvbuf);
! 1913: if ((enc = malloc(enclen)) == NULL) {
! 1914: r = SSH_ERR_ALLOC_FAIL;
! 1915: goto out;
! 1916: }
! 1917: if ((r = cipher_crypt(cctx, 0, enc,
! 1918: sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
! 1919: goto out;
! 1920: #ifdef DEBUG_PK
! 1921: fprintf(stderr, "%s: encrypted\n", __func__);
! 1922: sshbuf_dump_data(enc, enclen, stderr);
! 1923: #endif
! 1924:
! 1925: /* Make a scrubbed, public-only copy of our private key argument */
! 1926: if ((r = sshkey_from_private(k, &kswap)) != 0)
! 1927: goto out;
1.19 christos 1928:
1.21 ! christos 1929: /* Swap the private key out (it will be destroyed below) */
! 1930: tmp = *kswap;
! 1931: *kswap = *k;
! 1932: *k = tmp;
! 1933:
! 1934: /* Insert the shielded key into our argument */
! 1935: k->shielded_private = enc;
! 1936: k->shielded_len = enclen;
! 1937: k->shield_prekey = prekey;
! 1938: k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN;
! 1939: enc = prekey = NULL; /* transferred */
! 1940: enclen = 0;
! 1941:
! 1942: /* success */
! 1943: r = 0;
! 1944:
! 1945: out:
! 1946: /* XXX behaviour on error - invalidate original private key? */
! 1947: cipher_free(cctx);
! 1948: explicit_bzero(keyiv, sizeof(keyiv));
! 1949: explicit_bzero(&tmp, sizeof(tmp));
! 1950: freezero(enc, enclen);
! 1951: freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN);
! 1952: sshkey_free(kswap);
! 1953: sshbuf_free(prvbuf);
! 1954: return r;
! 1955: }
! 1956:
! 1957: int
! 1958: sshkey_unshield_private(struct sshkey *k)
! 1959: {
! 1960: struct sshbuf *prvbuf = NULL;
! 1961: u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH];
! 1962: struct sshcipher_ctx *cctx = NULL;
! 1963: const struct sshcipher *cipher;
! 1964: size_t i;
! 1965: struct sshkey *kswap = NULL, tmp;
! 1966: int r = SSH_ERR_INTERNAL_ERROR;
! 1967:
! 1968: #ifdef DEBUG_PK
! 1969: fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
! 1970: #endif
! 1971: if (!sshkey_is_shielded(k))
! 1972: return 0; /* nothing to do */
! 1973:
! 1974: if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
! 1975: r = SSH_ERR_INVALID_ARGUMENT;
! 1976: goto out;
! 1977: }
! 1978: if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
! 1979: ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
! 1980: r = SSH_ERR_INTERNAL_ERROR;
! 1981: goto out;
! 1982: }
! 1983: /* check size of shielded key blob */
! 1984: if (k->shielded_len < cipher_blocksize(cipher) ||
! 1985: (k->shielded_len % cipher_blocksize(cipher)) != 0) {
! 1986: r = SSH_ERR_INVALID_FORMAT;
! 1987: goto out;
! 1988: }
! 1989:
! 1990: /* Calculate the ephemeral key from the prekey */
! 1991: if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
! 1992: k->shield_prekey, k->shield_prekey_len,
! 1993: keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
! 1994: goto out;
! 1995: if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
! 1996: keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
! 1997: goto out;
! 1998: #ifdef DEBUG_PK
! 1999: fprintf(stderr, "%s: key+iv\n", __func__);
! 2000: sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
! 2001: stderr);
! 2002: #endif
! 2003:
! 2004: /* Decrypt and parse the shielded private key using the ephemeral key */
! 2005: if ((prvbuf = sshbuf_new()) == NULL) {
! 2006: r = SSH_ERR_ALLOC_FAIL;
! 2007: goto out;
! 2008: }
! 2009: if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
! 2010: goto out;
! 2011: /* decrypt */
! 2012: #ifdef DEBUG_PK
! 2013: fprintf(stderr, "%s: encrypted\n", __func__);
! 2014: sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr);
! 2015: #endif
! 2016: if ((r = cipher_crypt(cctx, 0, cp,
! 2017: k->shielded_private, k->shielded_len, 0, 0)) != 0)
! 2018: goto out;
! 2019: #ifdef DEBUG_PK
! 2020: fprintf(stderr, "%s: serialised\n", __func__);
! 2021: sshbuf_dump(prvbuf, stderr);
! 2022: #endif
! 2023: /* Parse private key */
! 2024: if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
! 2025: goto out;
! 2026: /* Check deterministic padding */
! 2027: i = 0;
! 2028: while (sshbuf_len(prvbuf)) {
! 2029: if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0)
! 2030: goto out;
! 2031: if (pad != (++i & 0xff)) {
! 2032: r = SSH_ERR_INVALID_FORMAT;
! 2033: goto out;
! 2034: }
! 2035: }
! 2036:
! 2037: /* Swap the parsed key back into place */
! 2038: tmp = *kswap;
! 2039: *kswap = *k;
! 2040: *k = tmp;
! 2041:
! 2042: /* success */
! 2043: r = 0;
! 2044:
! 2045: out:
! 2046: cipher_free(cctx);
! 2047: explicit_bzero(keyiv, sizeof(keyiv));
! 2048: explicit_bzero(&tmp, sizeof(tmp));
! 2049: sshkey_free(kswap);
! 2050: sshbuf_free(prvbuf);
1.19 christos 2051: return r;
1.1 christos 2052: }
2053:
2054: static int
1.3 christos 2055: cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1.1 christos 2056: {
1.3 christos 2057: struct sshbuf *principals = NULL, *crit = NULL;
2058: struct sshbuf *exts = NULL, *ca = NULL;
2059: u_char *sig = NULL;
2060: size_t signed_len = 0, slen = 0, kidlen = 0;
1.1 christos 2061: int ret = SSH_ERR_INTERNAL_ERROR;
2062:
2063: /* Copy the entire key blob for verification and later serialisation */
1.3 christos 2064: if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1.1 christos 2065: return ret;
2066:
1.5 christos 2067: /* Parse body of certificate up to signature */
2068: if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1.1 christos 2069: (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
2070: (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1.3 christos 2071: (ret = sshbuf_froms(b, &principals)) != 0 ||
1.1 christos 2072: (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
2073: (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1.3 christos 2074: (ret = sshbuf_froms(b, &crit)) != 0 ||
1.5 christos 2075: (ret = sshbuf_froms(b, &exts)) != 0 ||
1.1 christos 2076: (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1.3 christos 2077: (ret = sshbuf_froms(b, &ca)) != 0) {
1.1 christos 2078: /* XXX debug print error for ret */
2079: ret = SSH_ERR_INVALID_FORMAT;
2080: goto out;
2081: }
2082:
2083: /* Signature is left in the buffer so we can calculate this length */
2084: signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
2085:
2086: if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
2087: ret = SSH_ERR_INVALID_FORMAT;
2088: goto out;
2089: }
2090:
2091: if (key->cert->type != SSH2_CERT_TYPE_USER &&
2092: key->cert->type != SSH2_CERT_TYPE_HOST) {
2093: ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
2094: goto out;
2095: }
2096:
1.3 christos 2097: /* Parse principals section */
2098: while (sshbuf_len(principals) > 0) {
2099: char *principal = NULL;
2100: char **oprincipals = NULL;
2101:
1.1 christos 2102: if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
2103: ret = SSH_ERR_INVALID_FORMAT;
2104: goto out;
2105: }
1.3 christos 2106: if ((ret = sshbuf_get_cstring(principals, &principal,
2107: NULL)) != 0) {
1.1 christos 2108: ret = SSH_ERR_INVALID_FORMAT;
2109: goto out;
2110: }
2111: oprincipals = key->cert->principals;
1.11 christos 2112: key->cert->principals = recallocarray(key->cert->principals,
2113: key->cert->nprincipals, key->cert->nprincipals + 1,
2114: sizeof(*key->cert->principals));
1.1 christos 2115: if (key->cert->principals == NULL) {
2116: free(principal);
2117: key->cert->principals = oprincipals;
2118: ret = SSH_ERR_ALLOC_FAIL;
2119: goto out;
2120: }
2121: key->cert->principals[key->cert->nprincipals++] = principal;
2122: }
2123:
1.3 christos 2124: /*
2125: * Stash a copies of the critical options and extensions sections
2126: * for later use.
2127: */
2128: if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
2129: (exts != NULL &&
2130: (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1.1 christos 2131: goto out;
2132:
1.3 christos 2133: /*
2134: * Validate critical options and extensions sections format.
2135: */
2136: while (sshbuf_len(crit) != 0) {
2137: if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
2138: (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
2139: sshbuf_reset(key->cert->critical);
1.1 christos 2140: ret = SSH_ERR_INVALID_FORMAT;
2141: goto out;
2142: }
2143: }
1.3 christos 2144: while (exts != NULL && sshbuf_len(exts) != 0) {
2145: if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
2146: (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
2147: sshbuf_reset(key->cert->extensions);
1.1 christos 2148: ret = SSH_ERR_INVALID_FORMAT;
2149: goto out;
2150: }
2151: }
2152:
1.3 christos 2153: /* Parse CA key and check signature */
2154: if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
1.1 christos 2155: ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2156: goto out;
2157: }
2158: if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
2159: ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2160: goto out;
2161: }
2162: if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
1.14 christos 2163: sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0)
1.1 christos 2164: goto out;
1.21 ! christos 2165: if ((ret = sshkey_get_sigtype(sig, slen,
! 2166: &key->cert->signature_type)) != 0)
1.19 christos 2167: goto out;
1.3 christos 2168:
2169: /* Success */
1.1 christos 2170: ret = 0;
2171: out:
1.3 christos 2172: sshbuf_free(ca);
2173: sshbuf_free(crit);
2174: sshbuf_free(exts);
2175: sshbuf_free(principals);
1.1 christos 2176: free(sig);
2177: return ret;
2178: }
2179:
1.21 ! christos 2180: #ifdef WITH_OPENSSL
1.1 christos 2181: static int
1.19 christos 2182: check_rsa_length(const RSA *rsa)
2183: {
2184: const BIGNUM *rsa_n;
2185:
2186: RSA_get0_key(rsa, &rsa_n, NULL, NULL);
2187: if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
2188: return SSH_ERR_KEY_LENGTH;
2189: return 0;
2190: }
1.21 ! christos 2191: #endif /* WITH_OPENSSL */
1.19 christos 2192:
2193: static int
1.3 christos 2194: sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2195: int allow_cert)
1.1 christos 2196: {
1.3 christos 2197: int type, ret = SSH_ERR_INTERNAL_ERROR;
1.14 christos 2198: char *ktype = NULL, *curve = NULL, *xmss_name = NULL;
1.1 christos 2199: struct sshkey *key = NULL;
2200: size_t len;
2201: u_char *pk = NULL;
1.3 christos 2202: struct sshbuf *copy;
1.1 christos 2203: #ifdef WITH_OPENSSL
1.19 christos 2204: EC_POINT *q = NULL, *qq = NULL;
2205: BIGNUM *rsa_n = NULL, *rsa_e = NULL;
2206: BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
1.1 christos 2207: #endif /* WITH_OPENSSL */
2208:
2209: #ifdef DEBUG_PK /* XXX */
1.3 christos 2210: sshbuf_dump(b, stderr);
1.1 christos 2211: #endif
1.8 christos 2212: if (keyp != NULL)
2213: *keyp = NULL;
1.3 christos 2214: if ((copy = sshbuf_fromb(b)) == NULL) {
2215: ret = SSH_ERR_ALLOC_FAIL;
2216: goto out;
2217: }
1.1 christos 2218: if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
2219: ret = SSH_ERR_INVALID_FORMAT;
2220: goto out;
2221: }
2222:
2223: type = sshkey_type_from_name(ktype);
2224: if (!allow_cert && sshkey_type_is_cert(type)) {
2225: ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2226: goto out;
2227: }
2228: switch (type) {
2229: #ifdef WITH_OPENSSL
2230: case KEY_RSA_CERT:
1.3 christos 2231: /* Skip nonce */
1.1 christos 2232: if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2233: ret = SSH_ERR_INVALID_FORMAT;
2234: goto out;
2235: }
2236: /* FALLTHROUGH */
2237: case KEY_RSA:
2238: if ((key = sshkey_new(type)) == NULL) {
2239: ret = SSH_ERR_ALLOC_FAIL;
2240: goto out;
2241: }
1.19 christos 2242: if (sshbuf_get_bignum2(b, &rsa_e) != 0 ||
2243: sshbuf_get_bignum2(b, &rsa_n) != 0) {
2244: ret = SSH_ERR_INVALID_FORMAT;
1.12 christos 2245: goto out;
2246: }
1.19 christos 2247: if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {
2248: ret = SSH_ERR_LIBCRYPTO_ERROR;
1.1 christos 2249: goto out;
2250: }
1.19 christos 2251: rsa_n = rsa_e = NULL; /* transferred */
2252: if ((ret = check_rsa_length(key->rsa)) != 0)
1.11 christos 2253: goto out;
1.1 christos 2254: #ifdef DEBUG_PK
2255: RSA_print_fp(stderr, key->rsa, 8);
2256: #endif
2257: break;
2258: case KEY_DSA_CERT:
1.3 christos 2259: /* Skip nonce */
1.1 christos 2260: if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2261: ret = SSH_ERR_INVALID_FORMAT;
2262: goto out;
2263: }
2264: /* FALLTHROUGH */
2265: case KEY_DSA:
2266: if ((key = sshkey_new(type)) == NULL) {
2267: ret = SSH_ERR_ALLOC_FAIL;
2268: goto out;
2269: }
1.19 christos 2270: if (sshbuf_get_bignum2(b, &dsa_p) != 0 ||
2271: sshbuf_get_bignum2(b, &dsa_q) != 0 ||
2272: sshbuf_get_bignum2(b, &dsa_g) != 0 ||
2273: sshbuf_get_bignum2(b, &dsa_pub_key) != 0) {
1.1 christos 2274: ret = SSH_ERR_INVALID_FORMAT;
1.19 christos 2275: goto out;
1.12 christos 2276: }
1.19 christos 2277: if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
1.12 christos 2278: ret = SSH_ERR_LIBCRYPTO_ERROR;
1.19 christos 2279: goto out;
1.12 christos 2280: }
1.19 christos 2281: dsa_p = dsa_q = dsa_g = NULL; /* transferred */
2282: if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
1.12 christos 2283: ret = SSH_ERR_LIBCRYPTO_ERROR;
1.1 christos 2284: goto out;
2285: }
1.19 christos 2286: dsa_pub_key = NULL; /* transferred */
1.1 christos 2287: #ifdef DEBUG_PK
2288: DSA_print_fp(stderr, key->dsa, 8);
2289: #endif
2290: break;
2291: case KEY_ECDSA_CERT:
1.3 christos 2292: /* Skip nonce */
1.1 christos 2293: if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2294: ret = SSH_ERR_INVALID_FORMAT;
2295: goto out;
2296: }
2297: /* FALLTHROUGH */
2298: case KEY_ECDSA:
2299: if ((key = sshkey_new(type)) == NULL) {
2300: ret = SSH_ERR_ALLOC_FAIL;
2301: goto out;
2302: }
1.3 christos 2303: key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
1.1 christos 2304: if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
2305: ret = SSH_ERR_INVALID_FORMAT;
2306: goto out;
2307: }
2308: if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
2309: ret = SSH_ERR_EC_CURVE_MISMATCH;
2310: goto out;
2311: }
1.14 christos 2312: EC_KEY_free(key->ecdsa);
1.1 christos 2313: if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
2314: == NULL) {
2315: ret = SSH_ERR_EC_CURVE_INVALID;
2316: goto out;
2317: }
1.12 christos 2318: if ((qq = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
1.1 christos 2319: ret = SSH_ERR_ALLOC_FAIL;
2320: goto out;
2321: }
1.12 christos 2322: if (sshbuf_get_ec(b, qq, EC_KEY_get0_group(key->ecdsa)) != 0) {
1.1 christos 2323: ret = SSH_ERR_INVALID_FORMAT;
2324: goto out;
2325: }
2326: if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
1.12 christos 2327: qq) != 0) {
1.1 christos 2328: ret = SSH_ERR_KEY_INVALID_EC_VALUE;
2329: goto out;
2330: }
1.12 christos 2331: if (EC_KEY_set_public_key(key->ecdsa, qq) != 1) {
1.1 christos 2332: /* XXX assume it is a allocation error */
2333: ret = SSH_ERR_ALLOC_FAIL;
2334: goto out;
2335: }
2336: #ifdef DEBUG_PK
1.12 christos 2337: sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), qq);
1.1 christos 2338: #endif
2339: break;
2340: #endif /* WITH_OPENSSL */
2341: case KEY_ED25519_CERT:
1.3 christos 2342: /* Skip nonce */
1.1 christos 2343: if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2344: ret = SSH_ERR_INVALID_FORMAT;
2345: goto out;
2346: }
2347: /* FALLTHROUGH */
2348: case KEY_ED25519:
2349: if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2350: goto out;
2351: if (len != ED25519_PK_SZ) {
2352: ret = SSH_ERR_INVALID_FORMAT;
2353: goto out;
2354: }
2355: if ((key = sshkey_new(type)) == NULL) {
2356: ret = SSH_ERR_ALLOC_FAIL;
2357: goto out;
2358: }
2359: key->ed25519_pk = pk;
2360: pk = NULL;
2361: break;
1.14 christos 2362: #ifdef WITH_XMSS
2363: case KEY_XMSS_CERT:
2364: /* Skip nonce */
2365: if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2366: ret = SSH_ERR_INVALID_FORMAT;
2367: goto out;
2368: }
2369: /* FALLTHROUGH */
2370: case KEY_XMSS:
2371: if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0)
2372: goto out;
2373: if ((key = sshkey_new(type)) == NULL) {
2374: ret = SSH_ERR_ALLOC_FAIL;
2375: goto out;
2376: }
2377: if ((ret = sshkey_xmss_init(key, xmss_name)) != 0)
2378: goto out;
2379: if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2380: goto out;
2381: if (len == 0 || len != sshkey_xmss_pklen(key)) {
2382: ret = SSH_ERR_INVALID_FORMAT;
2383: goto out;
2384: }
2385: key->xmss_pk = pk;
2386: pk = NULL;
2387: if (type != KEY_XMSS_CERT &&
2388: (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0)
2389: goto out;
2390: break;
2391: #endif /* WITH_XMSS */
1.1 christos 2392: case KEY_UNSPEC:
2393: default:
2394: ret = SSH_ERR_KEY_TYPE_UNKNOWN;
2395: goto out;
2396: }
2397:
2398: /* Parse certificate potion */
1.3 christos 2399: if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
1.1 christos 2400: goto out;
2401:
2402: if (key != NULL && sshbuf_len(b) != 0) {
2403: ret = SSH_ERR_INVALID_FORMAT;
2404: goto out;
2405: }
2406: ret = 0;
1.8 christos 2407: if (keyp != NULL) {
2408: *keyp = key;
2409: key = NULL;
2410: }
1.1 christos 2411: out:
1.3 christos 2412: sshbuf_free(copy);
1.1 christos 2413: sshkey_free(key);
1.14 christos 2414: free(xmss_name);
1.1 christos 2415: free(ktype);
2416: free(curve);
2417: free(pk);
2418: #ifdef WITH_OPENSSL
1.19 christos 2419: EC_POINT_free(q);
2420: BN_clear_free(rsa_n);
2421: BN_clear_free(rsa_e);
2422: BN_clear_free(dsa_p);
2423: BN_clear_free(dsa_q);
2424: BN_clear_free(dsa_g);
2425: BN_clear_free(dsa_pub_key);
1.1 christos 2426: #endif /* WITH_OPENSSL */
2427: return ret;
2428: }
2429:
2430: int
2431: sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
2432: {
1.3 christos 2433: struct sshbuf *b;
2434: int r;
2435:
2436: if ((b = sshbuf_from(blob, blen)) == NULL)
2437: return SSH_ERR_ALLOC_FAIL;
2438: r = sshkey_from_blob_internal(b, keyp, 1);
2439: sshbuf_free(b);
2440: return r;
2441: }
2442:
2443: int
2444: sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
2445: {
2446: return sshkey_from_blob_internal(b, keyp, 1);
2447: }
2448:
2449: int
2450: sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
2451: {
2452: struct sshbuf *b;
2453: int r;
2454:
2455: if ((r = sshbuf_froms(buf, &b)) != 0)
2456: return r;
2457: r = sshkey_from_blob_internal(b, keyp, 1);
2458: sshbuf_free(b);
2459: return r;
1.1 christos 2460: }
2461:
1.21 ! christos 2462: int
! 2463: sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
1.14 christos 2464: {
2465: int r;
2466: struct sshbuf *b = NULL;
2467: char *sigtype = NULL;
2468:
2469: if (sigtypep != NULL)
2470: *sigtypep = NULL;
2471: if ((b = sshbuf_from(sig, siglen)) == NULL)
2472: return SSH_ERR_ALLOC_FAIL;
2473: if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
2474: goto out;
2475: /* success */
2476: if (sigtypep != NULL) {
2477: *sigtypep = sigtype;
2478: sigtype = NULL;
2479: }
2480: r = 0;
2481: out:
2482: free(sigtype);
2483: sshbuf_free(b);
2484: return r;
2485: }
2486:
1.17 christos 2487: /*
1.19 christos 2488: *
2489: * Checks whether a certificate's signature type is allowed.
2490: * Returns 0 (success) if the certificate signature type appears in the
2491: * "allowed" pattern-list, or the key is not a certificate to begin with.
2492: * Otherwise returns a ssherr.h code.
2493: */
2494: int
2495: sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
2496: {
2497: if (key == NULL || allowed == NULL)
2498: return SSH_ERR_INVALID_ARGUMENT;
2499: if (!sshkey_type_is_cert(key->type))
2500: return 0;
2501: if (key->cert == NULL || key->cert->signature_type == NULL)
2502: return SSH_ERR_INVALID_ARGUMENT;
2503: if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
2504: return SSH_ERR_SIGN_ALG_UNSUPPORTED;
2505: return 0;
2506: }
2507:
2508: /*
1.17 christos 2509: * Returns the expected signature algorithm for a given public key algorithm.
2510: */
2511: const char *
2512: sshkey_sigalg_by_name(const char *name)
2513: {
2514: const struct keytype *kt;
2515:
2516: for (kt = keytypes; kt->type != -1; kt++) {
2517: if (strcmp(kt->name, name) != 0)
2518: continue;
2519: if (kt->sigalg != NULL)
2520: return kt->sigalg;
2521: if (!kt->cert)
2522: return kt->name;
2523: return sshkey_ssh_name_from_type_nid(
2524: sshkey_type_plain(kt->type), kt->nid);
2525: }
2526: return NULL;
2527: }
2528:
2529: /*
2530: * Verifies that the signature algorithm appearing inside the signature blob
2531: * matches that which was requested.
2532: */
2533: int
2534: sshkey_check_sigtype(const u_char *sig, size_t siglen,
2535: const char *requested_alg)
2536: {
2537: const char *expected_alg;
2538: char *sigtype = NULL;
2539: int r;
2540:
2541: if (requested_alg == NULL)
2542: return 0;
2543: if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
2544: return SSH_ERR_INVALID_ARGUMENT;
1.21 ! christos 2545: if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
1.17 christos 2546: return r;
2547: r = strcmp(expected_alg, sigtype) == 0;
2548: free(sigtype);
2549: return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED;
2550: }
2551:
1.14 christos 2552: int
1.21 ! christos 2553: sshkey_sign(struct sshkey *key,
1.1 christos 2554: u_char **sigp, size_t *lenp,
1.7 christos 2555: const u_char *data, size_t datalen, const char *alg, u_int compat)
1.1 christos 2556: {
1.21 ! christos 2557: int was_shielded = sshkey_is_shielded(key);
! 2558: int r2, r = SSH_ERR_INTERNAL_ERROR;
! 2559:
1.1 christos 2560: if (sigp != NULL)
2561: *sigp = NULL;
2562: if (lenp != NULL)
2563: *lenp = 0;
2564: if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2565: return SSH_ERR_INVALID_ARGUMENT;
1.21 ! christos 2566: if ((r = sshkey_unshield_private(key)) != 0)
! 2567: return r;
1.1 christos 2568: switch (key->type) {
2569: #ifdef WITH_OPENSSL
2570: case KEY_DSA_CERT:
2571: case KEY_DSA:
1.21 ! christos 2572: r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
! 2573: break;
1.1 christos 2574: case KEY_ECDSA_CERT:
2575: case KEY_ECDSA:
1.21 ! christos 2576: r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
! 2577: break;
1.1 christos 2578: case KEY_RSA_CERT:
2579: case KEY_RSA:
1.21 ! christos 2580: r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
! 2581: break;
1.1 christos 2582: #endif /* WITH_OPENSSL */
2583: case KEY_ED25519:
2584: case KEY_ED25519_CERT:
1.21 ! christos 2585: r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
! 2586: break;
1.14 christos 2587: #ifdef WITH_XMSS
2588: case KEY_XMSS:
2589: case KEY_XMSS_CERT:
1.21 ! christos 2590: r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat);
! 2591: break;
1.14 christos 2592: #endif /* WITH_XMSS */
1.1 christos 2593: default:
1.21 ! christos 2594: r = SSH_ERR_KEY_TYPE_UNKNOWN;
! 2595: break;
1.1 christos 2596: }
1.21 ! christos 2597: if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
! 2598: return r2;
! 2599: return r;
1.1 christos 2600: }
2601:
2602: /*
2603: * ssh_key_verify returns 0 for a correct signature and < 0 on error.
1.14 christos 2604: * If "alg" specified, then the signature must use that algorithm.
1.1 christos 2605: */
2606: int
2607: sshkey_verify(const struct sshkey *key,
2608: const u_char *sig, size_t siglen,
1.14 christos 2609: const u_char *data, size_t dlen, const char *alg, u_int compat)
1.1 christos 2610: {
1.3 christos 2611: if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
1.1 christos 2612: return SSH_ERR_INVALID_ARGUMENT;
2613: switch (key->type) {
2614: #ifdef WITH_OPENSSL
2615: case KEY_DSA_CERT:
2616: case KEY_DSA:
2617: return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2618: case KEY_ECDSA_CERT:
2619: case KEY_ECDSA:
2620: return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2621: case KEY_RSA_CERT:
2622: case KEY_RSA:
1.14 christos 2623: return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
1.1 christos 2624: #endif /* WITH_OPENSSL */
2625: case KEY_ED25519:
2626: case KEY_ED25519_CERT:
2627: return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
1.14 christos 2628: #ifdef WITH_XMSS
2629: case KEY_XMSS:
2630: case KEY_XMSS_CERT:
2631: return ssh_xmss_verify(key, sig, siglen, data, dlen, compat);
2632: #endif /* WITH_XMSS */
1.1 christos 2633: default:
2634: return SSH_ERR_KEY_TYPE_UNKNOWN;
2635: }
2636: }
2637:
2638: /* Convert a plain key to their _CERT equivalent */
2639: int
1.5 christos 2640: sshkey_to_certified(struct sshkey *k)
1.1 christos 2641: {
2642: int newtype;
2643:
2644: switch (k->type) {
2645: #ifdef WITH_OPENSSL
2646: case KEY_RSA:
1.5 christos 2647: newtype = KEY_RSA_CERT;
1.1 christos 2648: break;
2649: case KEY_DSA:
1.5 christos 2650: newtype = KEY_DSA_CERT;
1.1 christos 2651: break;
2652: case KEY_ECDSA:
2653: newtype = KEY_ECDSA_CERT;
2654: break;
2655: #endif /* WITH_OPENSSL */
2656: case KEY_ED25519:
2657: newtype = KEY_ED25519_CERT;
2658: break;
1.14 christos 2659: #ifdef WITH_XMSS
2660: case KEY_XMSS:
2661: newtype = KEY_XMSS_CERT;
2662: break;
2663: #endif /* WITH_XMSS */
1.1 christos 2664: default:
2665: return SSH_ERR_INVALID_ARGUMENT;
2666: }
2667: if ((k->cert = cert_new()) == NULL)
2668: return SSH_ERR_ALLOC_FAIL;
2669: k->type = newtype;
2670: return 0;
2671: }
2672:
2673: /* Convert a certificate to its raw key equivalent */
2674: int
2675: sshkey_drop_cert(struct sshkey *k)
2676: {
2677: if (!sshkey_type_is_cert(k->type))
2678: return SSH_ERR_KEY_TYPE_UNKNOWN;
2679: cert_free(k->cert);
2680: k->cert = NULL;
2681: k->type = sshkey_type_plain(k->type);
2682: return 0;
2683: }
2684:
2685: /* Sign a certified key, (re-)generating the signed certblob. */
2686: int
1.11 christos 2687: sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
2688: sshkey_certify_signer *signer, void *signer_ctx)
1.1 christos 2689: {
2690: struct sshbuf *principals = NULL;
2691: u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
2692: size_t i, ca_len, sig_len;
2693: int ret = SSH_ERR_INTERNAL_ERROR;
1.19 christos 2694: struct sshbuf *cert = NULL;
2695: char *sigtype = NULL;
2696: #ifdef WITH_OPENSSL
2697: const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
2698: #endif /* WITH_OPENSSL */
1.1 christos 2699:
2700: if (k == NULL || k->cert == NULL ||
2701: k->cert->certblob == NULL || ca == NULL)
2702: return SSH_ERR_INVALID_ARGUMENT;
2703: if (!sshkey_is_cert(k))
2704: return SSH_ERR_KEY_TYPE_UNKNOWN;
2705: if (!sshkey_type_is_valid_ca(ca->type))
2706: return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2707:
1.19 christos 2708: /*
2709: * If no alg specified as argument but a signature_type was set,
2710: * then prefer that. If both were specified, then they must match.
2711: */
2712: if (alg == NULL)
2713: alg = k->cert->signature_type;
2714: else if (k->cert->signature_type != NULL &&
2715: strcmp(alg, k->cert->signature_type) != 0)
2716: return SSH_ERR_INVALID_ARGUMENT;
2717:
1.21 ! christos 2718: /*
! 2719: * If no signing algorithm or signature_type was specified and we're
! 2720: * using a RSA key, then default to a good signature algorithm.
! 2721: */
! 2722: if (alg == NULL && ca->type == KEY_RSA)
! 2723: alg = "rsa-sha2-512";
! 2724:
1.1 christos 2725: if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
2726: return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2727:
2728: cert = k->cert->certblob; /* for readability */
2729: sshbuf_reset(cert);
2730: if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2731: goto out;
2732:
2733: /* -v01 certs put nonce first */
2734: arc4random_buf(&nonce, sizeof(nonce));
1.5 christos 2735: if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2736: goto out;
1.1 christos 2737:
2738: /* XXX this substantially duplicates to_blob(); refactor */
2739: switch (k->type) {
2740: #ifdef WITH_OPENSSL
2741: case KEY_DSA_CERT:
1.19 christos 2742: DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
2743: DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
2744: if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 ||
2745: (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 ||
2746: (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 ||
2747: (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
1.1 christos 2748: goto out;
2749: break;
2750: case KEY_ECDSA_CERT:
2751: if ((ret = sshbuf_put_cstring(cert,
2752: sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
2753: (ret = sshbuf_put_ec(cert,
2754: EC_KEY_get0_public_key(k->ecdsa),
2755: EC_KEY_get0_group(k->ecdsa))) != 0)
2756: goto out;
2757: break;
2758: case KEY_RSA_CERT:
1.19 christos 2759: RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
2760: if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 ||
2761: (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
1.1 christos 2762: goto out;
2763: break;
2764: #endif /* WITH_OPENSSL */
2765: case KEY_ED25519_CERT:
2766: if ((ret = sshbuf_put_string(cert,
2767: k->ed25519_pk, ED25519_PK_SZ)) != 0)
2768: goto out;
2769: break;
1.14 christos 2770: #ifdef WITH_XMSS
2771: case KEY_XMSS_CERT:
2772: if (k->xmss_name == NULL) {
2773: ret = SSH_ERR_INVALID_ARGUMENT;
2774: goto out;
2775: }
2776: if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) ||
2777: (ret = sshbuf_put_string(cert,
2778: k->xmss_pk, sshkey_xmss_pklen(k))) != 0)
2779: goto out;
2780: break;
2781: #endif /* WITH_XMSS */
1.1 christos 2782: default:
2783: ret = SSH_ERR_INVALID_ARGUMENT;
1.3 christos 2784: goto out;
1.1 christos 2785: }
2786:
1.5 christos 2787: if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2788: (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
1.1 christos 2789: (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2790: goto out;
2791:
2792: if ((principals = sshbuf_new()) == NULL) {
2793: ret = SSH_ERR_ALLOC_FAIL;
2794: goto out;
2795: }
2796: for (i = 0; i < k->cert->nprincipals; i++) {
2797: if ((ret = sshbuf_put_cstring(principals,
2798: k->cert->principals[i])) != 0)
2799: goto out;
2800: }
2801: if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2802: (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2803: (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
1.5 christos 2804: (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2805: (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2806: (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
1.1 christos 2807: (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2808: goto out;
2809:
2810: /* Sign the whole mess */
1.11 christos 2811: if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2812: sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
1.1 christos 2813: goto out;
1.19 christos 2814: /* Check and update signature_type against what was actually used */
1.21 ! christos 2815: if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
1.19 christos 2816: goto out;
2817: if (alg != NULL && strcmp(alg, sigtype) != 0) {
2818: ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
2819: goto out;
2820: }
2821: if (k->cert->signature_type == NULL) {
2822: k->cert->signature_type = sigtype;
2823: sigtype = NULL;
2824: }
1.1 christos 2825: /* Append signature and we are done */
2826: if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
2827: goto out;
2828: ret = 0;
2829: out:
2830: if (ret != 0)
2831: sshbuf_reset(cert);
1.7 christos 2832: free(sig_blob);
2833: free(ca_blob);
1.19 christos 2834: free(sigtype);
1.7 christos 2835: sshbuf_free(principals);
1.1 christos 2836: return ret;
2837: }
2838:
1.11 christos 2839: static int
1.21 ! christos 2840: default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
1.11 christos 2841: const u_char *data, size_t datalen,
2842: const char *alg, u_int compat, void *ctx)
2843: {
2844: if (ctx != NULL)
2845: return SSH_ERR_INVALID_ARGUMENT;
2846: return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
2847: }
2848:
2849: int
2850: sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
2851: {
2852: return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
2853: }
2854:
1.1 christos 2855: int
2856: sshkey_cert_check_authority(const struct sshkey *k,
2857: int want_host, int require_principal,
2858: const char *name, const char **reason)
2859: {
2860: u_int i, principal_matches;
2861: time_t now = time(NULL);
2862:
2863: if (reason != NULL)
2864: *reason = NULL;
2865:
2866: if (want_host) {
2867: if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2868: *reason = "Certificate invalid: not a host certificate";
2869: return SSH_ERR_KEY_CERT_INVALID;
2870: }
2871: } else {
2872: if (k->cert->type != SSH2_CERT_TYPE_USER) {
2873: *reason = "Certificate invalid: not a user certificate";
2874: return SSH_ERR_KEY_CERT_INVALID;
2875: }
2876: }
2877: if (now < 0) {
2878: /* yikes - system clock before epoch! */
2879: *reason = "Certificate invalid: not yet valid";
2880: return SSH_ERR_KEY_CERT_INVALID;
2881: }
2882: if ((u_int64_t)now < k->cert->valid_after) {
2883: *reason = "Certificate invalid: not yet valid";
2884: return SSH_ERR_KEY_CERT_INVALID;
2885: }
2886: if ((u_int64_t)now >= k->cert->valid_before) {
2887: *reason = "Certificate invalid: expired";
2888: return SSH_ERR_KEY_CERT_INVALID;
2889: }
2890: if (k->cert->nprincipals == 0) {
2891: if (require_principal) {
2892: *reason = "Certificate lacks principal list";
2893: return SSH_ERR_KEY_CERT_INVALID;
2894: }
2895: } else if (name != NULL) {
2896: principal_matches = 0;
2897: for (i = 0; i < k->cert->nprincipals; i++) {
2898: if (strcmp(name, k->cert->principals[i]) == 0) {
2899: principal_matches = 1;
2900: break;
2901: }
2902: }
2903: if (!principal_matches) {
2904: *reason = "Certificate invalid: name is not a listed "
2905: "principal";
2906: return SSH_ERR_KEY_CERT_INVALID;
2907: }
2908: }
2909: return 0;
2910: }
2911:
1.7 christos 2912: size_t
2913: sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
2914: {
1.20 christos 2915: char from[32], to[32], ret[128];
1.7 christos 2916: time_t tt;
2917: struct tm *tm;
2918:
2919: *from = *to = '\0';
2920: if (cert->valid_after == 0 &&
2921: cert->valid_before == 0xffffffffffffffffULL)
2922: return strlcpy(s, "forever", l);
2923:
2924: if (cert->valid_after != 0) {
2925: /* XXX revisit INT_MAX in 2038 :) */
2926: tt = cert->valid_after > INT_MAX ?
2927: INT_MAX : cert->valid_after;
2928: tm = localtime(&tt);
2929: strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
2930: }
2931: if (cert->valid_before != 0xffffffffffffffffULL) {
2932: /* XXX revisit INT_MAX in 2038 :) */
2933: tt = cert->valid_before > INT_MAX ?
2934: INT_MAX : cert->valid_before;
2935: tm = localtime(&tt);
2936: strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
2937: }
2938:
2939: if (cert->valid_after == 0)
2940: snprintf(ret, sizeof(ret), "before %s", to);
2941: else if (cert->valid_before == 0xffffffffffffffffULL)
2942: snprintf(ret, sizeof(ret), "after %s", from);
2943: else
2944: snprintf(ret, sizeof(ret), "from %s to %s", from, to);
2945:
2946: return strlcpy(s, ret, l);
2947: }
2948:
1.1 christos 2949: int
1.21 ! christos 2950: sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
1.14 christos 2951: enum sshkey_serialize_rep opts)
1.1 christos 2952: {
2953: int r = SSH_ERR_INTERNAL_ERROR;
1.21 ! christos 2954: int was_shielded = sshkey_is_shielded(key);
! 2955: struct sshbuf *b = NULL;
1.19 christos 2956: #ifdef WITH_OPENSSL
2957: const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
2958: const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
2959: #endif /* WITH_OPENSSL */
1.1 christos 2960:
1.21 ! christos 2961: if ((r = sshkey_unshield_private(key)) != 0)
! 2962: return r;
! 2963: if ((b = sshbuf_new()) == NULL)
! 2964: return SSH_ERR_ALLOC_FAIL;
1.1 christos 2965: if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
2966: goto out;
2967: switch (key->type) {
2968: #ifdef WITH_OPENSSL
2969: case KEY_RSA:
1.19 christos 2970: RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
2971: RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
2972: RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
2973: if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
2974: (r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
2975: (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
2976: (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
2977: (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
2978: (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
1.1 christos 2979: goto out;
2980: break;
2981: case KEY_RSA_CERT:
2982: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2983: r = SSH_ERR_INVALID_ARGUMENT;
2984: goto out;
2985: }
1.19 christos 2986: RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
2987: RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
2988: RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
1.1 christos 2989: if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
1.19 christos 2990: (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
2991: (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
2992: (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
2993: (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
1.1 christos 2994: goto out;
2995: break;
2996: case KEY_DSA:
1.19 christos 2997: DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
2998: DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
2999: if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
3000: (r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
3001: (r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
3002: (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
3003: (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
1.1 christos 3004: goto out;
3005: break;
3006: case KEY_DSA_CERT:
3007: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
3008: r = SSH_ERR_INVALID_ARGUMENT;
3009: goto out;
3010: }
1.19 christos 3011: DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
1.1 christos 3012: if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
1.19 christos 3013: (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
1.1 christos 3014: goto out;
3015: break;
3016: case KEY_ECDSA:
3017: if ((r = sshbuf_put_cstring(b,
3018: sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
3019: (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
3020: (r = sshbuf_put_bignum2(b,
3021: EC_KEY_get0_private_key(key->ecdsa))) != 0)
3022: goto out;
3023: break;
3024: case KEY_ECDSA_CERT:
3025: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
3026: r = SSH_ERR_INVALID_ARGUMENT;
3027: goto out;
3028: }
3029: if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
3030: (r = sshbuf_put_bignum2(b,
3031: EC_KEY_get0_private_key(key->ecdsa))) != 0)
3032: goto out;
3033: break;
3034: #endif /* WITH_OPENSSL */
3035: case KEY_ED25519:
3036: if ((r = sshbuf_put_string(b, key->ed25519_pk,
3037: ED25519_PK_SZ)) != 0 ||
3038: (r = sshbuf_put_string(b, key->ed25519_sk,
3039: ED25519_SK_SZ)) != 0)
3040: goto out;
3041: break;
3042: case KEY_ED25519_CERT:
3043: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
3044: r = SSH_ERR_INVALID_ARGUMENT;
3045: goto out;
3046: }
3047: if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
3048: (r = sshbuf_put_string(b, key->ed25519_pk,
3049: ED25519_PK_SZ)) != 0 ||
3050: (r = sshbuf_put_string(b, key->ed25519_sk,
3051: ED25519_SK_SZ)) != 0)
3052: goto out;
3053: break;
1.14 christos 3054: #ifdef WITH_XMSS
3055: case KEY_XMSS:
3056: if (key->xmss_name == NULL) {
3057: r = SSH_ERR_INVALID_ARGUMENT;
3058: goto out;
3059: }
3060: if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
3061: (r = sshbuf_put_string(b, key->xmss_pk,
3062: sshkey_xmss_pklen(key))) != 0 ||
3063: (r = sshbuf_put_string(b, key->xmss_sk,
3064: sshkey_xmss_sklen(key))) != 0 ||
3065: (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
3066: goto out;
3067: break;
3068: case KEY_XMSS_CERT:
3069: if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 ||
3070: key->xmss_name == NULL) {
3071: r = SSH_ERR_INVALID_ARGUMENT;
3072: goto out;
3073: }
3074: if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
3075: (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
3076: (r = sshbuf_put_string(b, key->xmss_pk,
3077: sshkey_xmss_pklen(key))) != 0 ||
3078: (r = sshbuf_put_string(b, key->xmss_sk,
3079: sshkey_xmss_sklen(key))) != 0 ||
3080: (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
3081: goto out;
3082: break;
3083: #endif /* WITH_XMSS */
1.1 christos 3084: default:
3085: r = SSH_ERR_INVALID_ARGUMENT;
3086: goto out;
3087: }
1.21 ! christos 3088: /*
! 3089: * success (but we still need to append the output to buf after
! 3090: * possibly re-shielding the private key)
! 3091: */
1.1 christos 3092: r = 0;
3093: out:
1.21 ! christos 3094: if (was_shielded)
! 3095: r = sshkey_shield_private(key);
! 3096: if (r == 0)
! 3097: r = sshbuf_putb(buf, b);
! 3098: sshbuf_free(b);
! 3099:
1.1 christos 3100: return r;
3101: }
3102:
3103: int
1.21 ! christos 3104: sshkey_private_serialize(struct sshkey *key, struct sshbuf *b)
1.14 christos 3105: {
3106: return sshkey_private_serialize_opt(key, b,
3107: SSHKEY_SERIALIZE_DEFAULT);
3108: }
3109:
3110: int
1.1 christos 3111: sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
3112: {
1.14 christos 3113: char *tname = NULL, *curve = NULL, *xmss_name = NULL;
1.1 christos 3114: struct sshkey *k = NULL;
1.3 christos 3115: size_t pklen = 0, sklen = 0;
1.1 christos 3116: int type, r = SSH_ERR_INTERNAL_ERROR;
3117: u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
1.14 christos 3118: u_char *xmss_pk = NULL, *xmss_sk = NULL;
1.1 christos 3119: #ifdef WITH_OPENSSL
3120: BIGNUM *exponent = NULL;
1.19 christos 3121: BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
3122: BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
3123: BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
3124: BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
1.1 christos 3125: #endif /* WITH_OPENSSL */
3126:
3127: if (kp != NULL)
3128: *kp = NULL;
3129: if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
3130: goto out;
3131: type = sshkey_type_from_name(tname);
3132: switch (type) {
3133: #ifdef WITH_OPENSSL
3134: case KEY_DSA:
1.19 christos 3135: if ((k = sshkey_new(type)) == NULL) {
1.1 christos 3136: r = SSH_ERR_ALLOC_FAIL;
3137: goto out;
3138: }
1.19 christos 3139: if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 ||
3140: (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 ||
3141: (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 ||
3142: (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0 ||
3143: (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
3144: goto out;
3145: if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
1.12 christos 3146: r = SSH_ERR_LIBCRYPTO_ERROR;
1.19 christos 3147: goto out;
1.12 christos 3148: }
1.19 christos 3149: dsa_p = dsa_q = dsa_g = NULL; /* transferred */
3150: if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) {
1.12 christos 3151: r = SSH_ERR_LIBCRYPTO_ERROR;
1.1 christos 3152: goto out;
1.12 christos 3153: }
1.19 christos 3154: dsa_pub_key = dsa_priv_key = NULL; /* transferred */
1.1 christos 3155: break;
3156: case KEY_DSA_CERT:
1.19 christos 3157: if ((r = sshkey_froms(buf, &k)) != 0 ||
3158: (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
1.1 christos 3159: goto out;
1.21 ! christos 3160: if (k->type != type) {
! 3161: r = SSH_ERR_INVALID_FORMAT;
! 3162: goto out;
! 3163: }
1.19 christos 3164: if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
1.12 christos 3165: r = SSH_ERR_LIBCRYPTO_ERROR;
3166: goto out;
3167: }
1.19 christos 3168: dsa_priv_key = NULL; /* transferred */
1.1 christos 3169: break;
3170: case KEY_ECDSA:
1.19 christos 3171: if ((k = sshkey_new(type)) == NULL) {
1.1 christos 3172: r = SSH_ERR_ALLOC_FAIL;
3173: goto out;
3174: }
3175: if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
3176: r = SSH_ERR_INVALID_ARGUMENT;
3177: goto out;
3178: }
3179: if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
3180: goto out;
3181: if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
3182: r = SSH_ERR_EC_CURVE_MISMATCH;
3183: goto out;
3184: }
3185: k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1.19 christos 3186: if (k->ecdsa == NULL) {
1.1 christos 3187: r = SSH_ERR_LIBCRYPTO_ERROR;
3188: goto out;
3189: }
3190: if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
1.19 christos 3191: (r = sshbuf_get_bignum2(buf, &exponent)))
1.1 christos 3192: goto out;
3193: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
3194: r = SSH_ERR_LIBCRYPTO_ERROR;
3195: goto out;
3196: }
3197: if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
1.7 christos 3198: EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
1.1 christos 3199: (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
3200: goto out;
3201: break;
3202: case KEY_ECDSA_CERT:
1.3 christos 3203: if ((r = sshkey_froms(buf, &k)) != 0 ||
1.19 christos 3204: (r = sshbuf_get_bignum2(buf, &exponent)) != 0)
1.1 christos 3205: goto out;
1.21 ! christos 3206: if (k->type != type ||
! 3207: k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
! 3208: r = SSH_ERR_INVALID_FORMAT;
! 3209: goto out;
! 3210: }
1.1 christos 3211: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
3212: r = SSH_ERR_LIBCRYPTO_ERROR;
3213: goto out;
3214: }
3215: if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
1.7 christos 3216: EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
1.1 christos 3217: (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
3218: goto out;
3219: break;
3220: case KEY_RSA:
1.19 christos 3221: if ((k = sshkey_new(type)) == NULL) {
1.1 christos 3222: r = SSH_ERR_ALLOC_FAIL;
3223: goto out;
3224: }
1.19 christos 3225: if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 ||
3226: (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0 ||
3227: (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
3228: (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
3229: (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
3230: (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
3231: goto out;
3232: if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) {
1.12 christos 3233: r = SSH_ERR_LIBCRYPTO_ERROR;
1.19 christos 3234: goto out;
1.12 christos 3235: }
1.19 christos 3236: rsa_n = rsa_e = rsa_d = NULL; /* transferred */
3237: if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
1.12 christos 3238: r = SSH_ERR_LIBCRYPTO_ERROR;
3239: goto out;
3240: }
1.19 christos 3241: rsa_p = rsa_q = NULL; /* transferred */
3242: if ((r = check_rsa_length(k->rsa)) != 0)
1.1 christos 3243: goto out;
1.19 christos 3244: if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
1.11 christos 3245: goto out;
1.1 christos 3246: break;
3247: case KEY_RSA_CERT:
1.3 christos 3248: if ((r = sshkey_froms(buf, &k)) != 0 ||
1.19 christos 3249: (r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
3250: (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
3251: (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
3252: (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
3253: goto out;
1.21 ! christos 3254: if (k->type != type) {
! 3255: r = SSH_ERR_INVALID_FORMAT;
! 3256: goto out;
! 3257: }
1.19 christos 3258: if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
1.12 christos 3259: r = SSH_ERR_LIBCRYPTO_ERROR;
1.19 christos 3260: goto out;
1.12 christos 3261: }
1.19 christos 3262: rsa_d = NULL; /* transferred */
3263: if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
1.12 christos 3264: r = SSH_ERR_LIBCRYPTO_ERROR;
1.1 christos 3265: goto out;
1.12 christos 3266: }
1.19 christos 3267: rsa_p = rsa_q = NULL; /* transferred */
3268: if ((r = check_rsa_length(k->rsa)) != 0)
1.12 christos 3269: goto out;
1.19 christos 3270: if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
1.11 christos 3271: goto out;
1.1 christos 3272: break;
3273: #endif /* WITH_OPENSSL */
3274: case KEY_ED25519:
1.19 christos 3275: if ((k = sshkey_new(type)) == NULL) {
1.1 christos 3276: r = SSH_ERR_ALLOC_FAIL;
3277: goto out;
3278: }
3279: if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
3280: (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
3281: goto out;
3282: if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
3283: r = SSH_ERR_INVALID_FORMAT;
3284: goto out;
3285: }
3286: k->ed25519_pk = ed25519_pk;
3287: k->ed25519_sk = ed25519_sk;
3288: ed25519_pk = ed25519_sk = NULL;
3289: break;
3290: case KEY_ED25519_CERT:
1.3 christos 3291: if ((r = sshkey_froms(buf, &k)) != 0 ||
1.1 christos 3292: (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
3293: (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
3294: goto out;
1.21 ! christos 3295: if (k->type != type) {
! 3296: r = SSH_ERR_INVALID_FORMAT;
! 3297: goto out;
! 3298: }
1.1 christos 3299: if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
3300: r = SSH_ERR_INVALID_FORMAT;
3301: goto out;
3302: }
3303: k->ed25519_pk = ed25519_pk;
3304: k->ed25519_sk = ed25519_sk;
1.21 ! christos 3305: ed25519_pk = ed25519_sk = NULL; /* transferred */
1.1 christos 3306: break;
1.14 christos 3307: #ifdef WITH_XMSS
3308: case KEY_XMSS:
1.19 christos 3309: if ((k = sshkey_new(type)) == NULL) {
1.14 christos 3310: r = SSH_ERR_ALLOC_FAIL;
3311: goto out;
3312: }
3313: if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
3314: (r = sshkey_xmss_init(k, xmss_name)) != 0 ||
3315: (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
3316: (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
3317: goto out;
3318: if (pklen != sshkey_xmss_pklen(k) ||
3319: sklen != sshkey_xmss_sklen(k)) {
3320: r = SSH_ERR_INVALID_FORMAT;
3321: goto out;
3322: }
3323: k->xmss_pk = xmss_pk;
3324: k->xmss_sk = xmss_sk;
3325: xmss_pk = xmss_sk = NULL;
3326: /* optional internal state */
3327: if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
3328: goto out;
3329: break;
3330: case KEY_XMSS_CERT:
3331: if ((r = sshkey_froms(buf, &k)) != 0 ||
3332: (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
3333: (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
3334: (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
3335: goto out;
1.21 ! christos 3336: if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) {
1.14 christos 3337: r = SSH_ERR_INVALID_FORMAT;
3338: goto out;
3339: }
3340: if (pklen != sshkey_xmss_pklen(k) ||
3341: sklen != sshkey_xmss_sklen(k)) {
3342: r = SSH_ERR_INVALID_FORMAT;
3343: goto out;
3344: }
3345: k->xmss_pk = xmss_pk;
3346: k->xmss_sk = xmss_sk;
3347: xmss_pk = xmss_sk = NULL;
3348: /* optional internal state */
3349: if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
3350: goto out;
3351: break;
3352: #endif /* WITH_XMSS */
1.1 christos 3353: default:
3354: r = SSH_ERR_KEY_TYPE_UNKNOWN;
3355: goto out;
3356: }
3357: #ifdef WITH_OPENSSL
3358: /* enable blinding */
3359: switch (k->type) {
3360: case KEY_RSA:
3361: case KEY_RSA_CERT:
3362: if (RSA_blinding_on(k->rsa, NULL) != 1) {
3363: r = SSH_ERR_LIBCRYPTO_ERROR;
3364: goto out;
3365: }
3366: break;
3367: }
3368: #endif /* WITH_OPENSSL */
3369: /* success */
3370: r = 0;
3371: if (kp != NULL) {
3372: *kp = k;
3373: k = NULL;
3374: }
3375: out:
3376: free(tname);
3377: free(curve);
3378: #ifdef WITH_OPENSSL
1.14 christos 3379: BN_clear_free(exponent);
1.19 christos 3380: BN_clear_free(dsa_p);
3381: BN_clear_free(dsa_q);
3382: BN_clear_free(dsa_g);
3383: BN_clear_free(dsa_pub_key);
3384: BN_clear_free(dsa_priv_key);
3385: BN_clear_free(rsa_n);
3386: BN_clear_free(rsa_e);
3387: BN_clear_free(rsa_d);
3388: BN_clear_free(rsa_p);
3389: BN_clear_free(rsa_q);
3390: BN_clear_free(rsa_iqmp);
1.1 christos 3391: #endif /* WITH_OPENSSL */
3392: sshkey_free(k);
1.14 christos 3393: freezero(ed25519_pk, pklen);
3394: freezero(ed25519_sk, sklen);
3395: free(xmss_name);
3396: freezero(xmss_pk, pklen);
3397: freezero(xmss_sk, sklen);
1.1 christos 3398: return r;
3399: }
3400:
3401: #ifdef WITH_OPENSSL
3402: int
3403: sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
3404: {
3405: BN_CTX *bnctx;
3406: EC_POINT *nq = NULL;
3407: BIGNUM *order, *x, *y, *tmp;
3408: int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
3409:
1.9 christos 3410: /*
3411: * NB. This assumes OpenSSL has already verified that the public
3412: * point lies on the curve. This is done by EC_POINT_oct2point()
3413: * implicitly calling EC_POINT_is_on_curve(). If this code is ever
3414: * reachable with public points not unmarshalled using
3415: * EC_POINT_oct2point then the caller will need to explicitly check.
3416: */
3417:
1.1 christos 3418: if ((bnctx = BN_CTX_new()) == NULL)
3419: return SSH_ERR_ALLOC_FAIL;
3420: BN_CTX_start(bnctx);
3421:
3422: /*
3423: * We shouldn't ever hit this case because bignum_get_ecpoint()
3424: * refuses to load GF2m points.
3425: */
3426: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3427: NID_X9_62_prime_field)
3428: goto out;
3429:
3430: /* Q != infinity */
3431: if (EC_POINT_is_at_infinity(group, public))
3432: goto out;
3433:
3434: if ((x = BN_CTX_get(bnctx)) == NULL ||
3435: (y = BN_CTX_get(bnctx)) == NULL ||
3436: (order = BN_CTX_get(bnctx)) == NULL ||
3437: (tmp = BN_CTX_get(bnctx)) == NULL) {
3438: ret = SSH_ERR_ALLOC_FAIL;
3439: goto out;
3440: }
3441:
3442: /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
3443: if (EC_GROUP_get_order(group, order, bnctx) != 1 ||
3444: EC_POINT_get_affine_coordinates_GFp(group, public,
3445: x, y, bnctx) != 1) {
3446: ret = SSH_ERR_LIBCRYPTO_ERROR;
3447: goto out;
3448: }
3449: if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
3450: BN_num_bits(y) <= BN_num_bits(order) / 2)
3451: goto out;
3452:
3453: /* nQ == infinity (n == order of subgroup) */
3454: if ((nq = EC_POINT_new(group)) == NULL) {
3455: ret = SSH_ERR_ALLOC_FAIL;
3456: goto out;
3457: }
3458: if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) {
3459: ret = SSH_ERR_LIBCRYPTO_ERROR;
3460: goto out;
3461: }
3462: if (EC_POINT_is_at_infinity(group, nq) != 1)
3463: goto out;
3464:
3465: /* x < order - 1, y < order - 1 */
3466: if (!BN_sub(tmp, order, BN_value_one())) {
3467: ret = SSH_ERR_LIBCRYPTO_ERROR;
3468: goto out;
3469: }
3470: if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
3471: goto out;
3472: ret = 0;
3473: out:
3474: BN_CTX_free(bnctx);
1.14 christos 3475: EC_POINT_free(nq);
1.1 christos 3476: return ret;
3477: }
3478:
3479: int
3480: sshkey_ec_validate_private(const EC_KEY *key)
3481: {
3482: BN_CTX *bnctx;
3483: BIGNUM *order, *tmp;
3484: int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
3485:
3486: if ((bnctx = BN_CTX_new()) == NULL)
3487: return SSH_ERR_ALLOC_FAIL;
3488: BN_CTX_start(bnctx);
3489:
3490: if ((order = BN_CTX_get(bnctx)) == NULL ||
3491: (tmp = BN_CTX_get(bnctx)) == NULL) {
3492: ret = SSH_ERR_ALLOC_FAIL;
3493: goto out;
3494: }
3495:
3496: /* log2(private) > log2(order)/2 */
3497: if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) {
3498: ret = SSH_ERR_LIBCRYPTO_ERROR;
3499: goto out;
3500: }
3501: if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
3502: BN_num_bits(order) / 2)
3503: goto out;
3504:
3505: /* private < order - 1 */
3506: if (!BN_sub(tmp, order, BN_value_one())) {
3507: ret = SSH_ERR_LIBCRYPTO_ERROR;
3508: goto out;
3509: }
3510: if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
3511: goto out;
3512: ret = 0;
3513: out:
3514: BN_CTX_free(bnctx);
3515: return ret;
3516: }
3517:
3518: void
3519: sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
3520: {
3521: BIGNUM *x, *y;
3522: BN_CTX *bnctx;
3523:
3524: if (point == NULL) {
3525: fputs("point=(NULL)\n", stderr);
3526: return;
3527: }
3528: if ((bnctx = BN_CTX_new()) == NULL) {
3529: fprintf(stderr, "%s: BN_CTX_new failed\n", __func__);
3530: return;
3531: }
3532: BN_CTX_start(bnctx);
3533: if ((x = BN_CTX_get(bnctx)) == NULL ||
3534: (y = BN_CTX_get(bnctx)) == NULL) {
3535: fprintf(stderr, "%s: BN_CTX_get failed\n", __func__);
3536: return;
3537: }
3538: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3539: NID_X9_62_prime_field) {
3540: fprintf(stderr, "%s: group is not a prime field\n", __func__);
3541: return;
3542: }
3543: if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y,
3544: bnctx) != 1) {
3545: fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
3546: __func__);
3547: return;
3548: }
3549: fputs("x=", stderr);
3550: BN_print_fp(stderr, x);
3551: fputs("\ny=", stderr);
3552: BN_print_fp(stderr, y);
3553: fputs("\n", stderr);
3554: BN_CTX_free(bnctx);
3555: }
3556:
3557: void
3558: sshkey_dump_ec_key(const EC_KEY *key)
3559: {
3560: const BIGNUM *exponent;
3561:
3562: sshkey_dump_ec_point(EC_KEY_get0_group(key),
3563: EC_KEY_get0_public_key(key));
3564: fputs("exponent=", stderr);
3565: if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
3566: fputs("(NULL)", stderr);
3567: else
3568: BN_print_fp(stderr, EC_KEY_get0_private_key(key));
3569: fputs("\n", stderr);
3570: }
3571: #endif /* WITH_OPENSSL */
3572:
3573: static int
1.21 ! christos 3574: sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob,
1.1 christos 3575: const char *passphrase, const char *comment, const char *ciphername,
3576: int rounds)
3577: {
1.2 christos 3578: u_char *cp, *key = NULL, *pubkeyblob = NULL;
1.3 christos 3579: u_char salt[SALT_LEN];
1.2 christos 3580: char *b64 = NULL;
1.1 christos 3581: size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
3582: u_int check;
3583: int r = SSH_ERR_INTERNAL_ERROR;
1.9 christos 3584: struct sshcipher_ctx *ciphercontext = NULL;
1.1 christos 3585: const struct sshcipher *cipher;
3586: const char *kdfname = KDFNAME;
3587: struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
3588:
3589: if (rounds <= 0)
3590: rounds = DEFAULT_ROUNDS;
3591: if (passphrase == NULL || !strlen(passphrase)) {
3592: ciphername = "none";
3593: kdfname = "none";
3594: } else if (ciphername == NULL)
3595: ciphername = DEFAULT_CIPHERNAME;
1.11 christos 3596: if ((cipher = cipher_by_name(ciphername)) == NULL) {
1.1 christos 3597: r = SSH_ERR_INVALID_ARGUMENT;
3598: goto out;
3599: }
3600:
3601: if ((kdf = sshbuf_new()) == NULL ||
3602: (encoded = sshbuf_new()) == NULL ||
3603: (encrypted = sshbuf_new()) == NULL) {
3604: r = SSH_ERR_ALLOC_FAIL;
3605: goto out;
3606: }
3607: blocksize = cipher_blocksize(cipher);
3608: keylen = cipher_keylen(cipher);
3609: ivlen = cipher_ivlen(cipher);
3610: authlen = cipher_authlen(cipher);
3611: if ((key = calloc(1, keylen + ivlen)) == NULL) {
3612: r = SSH_ERR_ALLOC_FAIL;
3613: goto out;
3614: }
3615: if (strcmp(kdfname, "bcrypt") == 0) {
3616: arc4random_buf(salt, SALT_LEN);
3617: if (bcrypt_pbkdf(passphrase, strlen(passphrase),
3618: salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
3619: r = SSH_ERR_INVALID_ARGUMENT;
3620: goto out;
3621: }
3622: if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
3623: (r = sshbuf_put_u32(kdf, rounds)) != 0)
3624: goto out;
3625: } else if (strcmp(kdfname, "none") != 0) {
3626: /* Unsupported KDF type */
3627: r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3628: goto out;
3629: }
3630: if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
3631: key + keylen, ivlen, 1)) != 0)
3632: goto out;
3633:
3634: if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
3635: (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
3636: (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
3637: (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
3638: (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */
3639: (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
3640: (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
3641: goto out;
3642:
3643: /* set up the buffer that will be encrypted */
3644:
3645: /* Random check bytes */
3646: check = arc4random();
3647: if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
3648: (r = sshbuf_put_u32(encrypted, check)) != 0)
3649: goto out;
3650:
3651: /* append private key and comment*/
1.14 christos 3652: if ((r = sshkey_private_serialize_opt(prv, encrypted,
3653: SSHKEY_SERIALIZE_FULL)) != 0 ||
1.1 christos 3654: (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3655: goto out;
3656:
3657: /* padding */
3658: i = 0;
3659: while (sshbuf_len(encrypted) % blocksize) {
3660: if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
3661: goto out;
3662: }
3663:
3664: /* length in destination buffer */
3665: if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
3666: goto out;
3667:
3668: /* encrypt */
3669: if ((r = sshbuf_reserve(encoded,
3670: sshbuf_len(encrypted) + authlen, &cp)) != 0)
3671: goto out;
1.9 christos 3672: if ((r = cipher_crypt(ciphercontext, 0, cp,
1.1 christos 3673: sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
3674: goto out;
3675:
1.21 ! christos 3676: sshbuf_reset(blob);
1.1 christos 3677:
1.21 ! christos 3678: /* assemble uuencoded key */
! 3679: if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 ||
! 3680: (r = sshbuf_dtob64(encoded, blob, 1)) != 0 ||
! 3681: (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
1.1 christos 3682: goto out;
3683:
3684: /* success */
3685: r = 0;
3686:
3687: out:
3688: sshbuf_free(kdf);
3689: sshbuf_free(encoded);
3690: sshbuf_free(encrypted);
1.9 christos 3691: cipher_free(ciphercontext);
1.1 christos 3692: explicit_bzero(salt, sizeof(salt));
3693: if (key != NULL) {
3694: explicit_bzero(key, keylen + ivlen);
3695: free(key);
3696: }
3697: if (pubkeyblob != NULL) {
3698: explicit_bzero(pubkeyblob, pubkeylen);
3699: free(pubkeyblob);
3700: }
3701: if (b64 != NULL) {
3702: explicit_bzero(b64, strlen(b64));
3703: free(b64);
3704: }
3705: return r;
3706: }
3707:
3708: static int
3709: sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
3710: struct sshkey **keyp, char **commentp)
3711: {
3712: char *comment = NULL, *ciphername = NULL, *kdfname = NULL;
3713: const struct sshcipher *cipher = NULL;
3714: const u_char *cp;
3715: int r = SSH_ERR_INTERNAL_ERROR;
3716: size_t encoded_len;
1.4 christos 3717: size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0;
1.1 christos 3718: struct sshbuf *encoded = NULL, *decoded = NULL;
3719: struct sshbuf *kdf = NULL, *decrypted = NULL;
1.9 christos 3720: struct sshcipher_ctx *ciphercontext = NULL;
1.1 christos 3721: struct sshkey *k = NULL;
3722: u_char *key = NULL, *salt = NULL, *dp, pad, last;
3723: u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
3724:
3725: if (keyp != NULL)
3726: *keyp = NULL;
3727: if (commentp != NULL)
3728: *commentp = NULL;
3729:
3730: if ((encoded = sshbuf_new()) == NULL ||
3731: (decoded = sshbuf_new()) == NULL ||
3732: (decrypted = sshbuf_new()) == NULL) {
3733: r = SSH_ERR_ALLOC_FAIL;
3734: goto out;
3735: }
3736:
3737: /* check preamble */
3738: cp = sshbuf_ptr(blob);
3739: encoded_len = sshbuf_len(blob);
3740: if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
3741: memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
3742: r = SSH_ERR_INVALID_FORMAT;
3743: goto out;
3744: }
3745: cp += MARK_BEGIN_LEN;
3746: encoded_len -= MARK_BEGIN_LEN;
3747:
3748: /* Look for end marker, removing whitespace as we go */
3749: while (encoded_len > 0) {
3750: if (*cp != '\n' && *cp != '\r') {
3751: if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
3752: goto out;
3753: }
3754: last = *cp;
3755: encoded_len--;
3756: cp++;
3757: if (last == '\n') {
3758: if (encoded_len >= MARK_END_LEN &&
3759: memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
3760: /* \0 terminate */
3761: if ((r = sshbuf_put_u8(encoded, 0)) != 0)
3762: goto out;
3763: break;
3764: }
3765: }
3766: }
3767: if (encoded_len == 0) {
3768: r = SSH_ERR_INVALID_FORMAT;
3769: goto out;
3770: }
3771:
3772: /* decode base64 */
1.2 christos 3773: if ((r = sshbuf_b64tod(decoded, (const char *)sshbuf_ptr(encoded))) != 0)
1.1 christos 3774: goto out;
3775:
3776: /* check magic */
3777: if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
3778: memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
3779: r = SSH_ERR_INVALID_FORMAT;
3780: goto out;
3781: }
3782: /* parse public portion of key */
3783: if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
3784: (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
3785: (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
3786: (r = sshbuf_froms(decoded, &kdf)) != 0 ||
3787: (r = sshbuf_get_u32(decoded, &nkeys)) != 0 ||
3788: (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */
3789: (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
3790: goto out;
3791:
3792: if ((cipher = cipher_by_name(ciphername)) == NULL) {
3793: r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3794: goto out;
3795: }
3796: if ((passphrase == NULL || strlen(passphrase) == 0) &&
3797: strcmp(ciphername, "none") != 0) {
3798: /* passphrase required */
3799: r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3800: goto out;
3801: }
3802: if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
3803: r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3804: goto out;
3805: }
3806: if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
3807: r = SSH_ERR_INVALID_FORMAT;
3808: goto out;
3809: }
3810: if (nkeys != 1) {
3811: /* XXX only one key supported */
3812: r = SSH_ERR_INVALID_FORMAT;
3813: goto out;
3814: }
3815:
3816: /* check size of encrypted key blob */
3817: blocksize = cipher_blocksize(cipher);
3818: if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
3819: r = SSH_ERR_INVALID_FORMAT;
3820: goto out;
3821: }
3822:
3823: /* setup key */
3824: keylen = cipher_keylen(cipher);
3825: ivlen = cipher_ivlen(cipher);
1.4 christos 3826: authlen = cipher_authlen(cipher);
1.1 christos 3827: if ((key = calloc(1, keylen + ivlen)) == NULL) {
3828: r = SSH_ERR_ALLOC_FAIL;
3829: goto out;
3830: }
3831: if (strcmp(kdfname, "bcrypt") == 0) {
3832: if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
3833: (r = sshbuf_get_u32(kdf, &rounds)) != 0)
3834: goto out;
3835: if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
3836: key, keylen + ivlen, rounds) < 0) {
3837: r = SSH_ERR_INVALID_FORMAT;
3838: goto out;
3839: }
3840: }
3841:
1.4 christos 3842: /* check that an appropriate amount of auth data is present */
1.21 ! christos 3843: if (sshbuf_len(decoded) < authlen ||
! 3844: sshbuf_len(decoded) - authlen < encrypted_len) {
1.4 christos 3845: r = SSH_ERR_INVALID_FORMAT;
3846: goto out;
3847: }
3848:
1.1 christos 3849: /* decrypt private portion of key */
3850: if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
3851: (r = cipher_init(&ciphercontext, cipher, key, keylen,
3852: key + keylen, ivlen, 0)) != 0)
3853: goto out;
1.9 christos 3854: if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
1.4 christos 3855: encrypted_len, 0, authlen)) != 0) {
1.1 christos 3856: /* an integrity error here indicates an incorrect passphrase */
3857: if (r == SSH_ERR_MAC_INVALID)
3858: r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3859: goto out;
3860: }
1.4 christos 3861: if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
1.1 christos 3862: goto out;
3863: /* there should be no trailing data */
3864: if (sshbuf_len(decoded) != 0) {
3865: r = SSH_ERR_INVALID_FORMAT;
3866: goto out;
3867: }
3868:
3869: /* check check bytes */
3870: if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
3871: (r = sshbuf_get_u32(decrypted, &check2)) != 0)
3872: goto out;
3873: if (check1 != check2) {
3874: r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3875: goto out;
3876: }
3877:
3878: /* Load the private key and comment */
3879: if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
3880: (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
3881: goto out;
3882:
3883: /* Check deterministic padding */
3884: i = 0;
3885: while (sshbuf_len(decrypted)) {
3886: if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
3887: goto out;
3888: if (pad != (++i & 0xff)) {
3889: r = SSH_ERR_INVALID_FORMAT;
3890: goto out;
3891: }
3892: }
3893:
3894: /* XXX decode pubkey and check against private */
3895:
3896: /* success */
3897: r = 0;
3898: if (keyp != NULL) {
3899: *keyp = k;
3900: k = NULL;
3901: }
3902: if (commentp != NULL) {
3903: *commentp = comment;
3904: comment = NULL;
3905: }
3906: out:
3907: pad = 0;
1.9 christos 3908: cipher_free(ciphercontext);
1.1 christos 3909: free(ciphername);
3910: free(kdfname);
3911: free(comment);
3912: if (salt != NULL) {
3913: explicit_bzero(salt, slen);
3914: free(salt);
3915: }
3916: if (key != NULL) {
3917: explicit_bzero(key, keylen + ivlen);
3918: free(key);
3919: }
3920: sshbuf_free(encoded);
3921: sshbuf_free(decoded);
3922: sshbuf_free(kdf);
3923: sshbuf_free(decrypted);
3924: sshkey_free(k);
3925: return r;
3926: }
3927:
3928:
3929: #ifdef WITH_OPENSSL
1.21 ! christos 3930: /* convert SSH v2 key to PEM or PKCS#8 format */
1.1 christos 3931: static int
1.21 ! christos 3932: sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
! 3933: int format, const char *_passphrase, const char *comment)
1.1 christos 3934: {
1.21 ! christos 3935: int was_shielded = sshkey_is_shielded(key);
1.1 christos 3936: int success, r;
3937: int blen, len = strlen(_passphrase);
1.2 christos 3938: u_char *passphrase = (len > 0) ? __UNCONST(_passphrase) : NULL;
1.1 christos 3939: const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
1.14 christos 3940: char *bptr;
1.1 christos 3941: BIO *bio = NULL;
1.21 ! christos 3942: struct sshbuf *blob;
! 3943: EVP_PKEY *pkey = NULL;
1.1 christos 3944:
3945: if (len > 0 && len <= 4)
3946: return SSH_ERR_PASSPHRASE_TOO_SHORT;
1.21 ! christos 3947: if ((blob = sshbuf_new()) == NULL)
1.1 christos 3948: return SSH_ERR_ALLOC_FAIL;
1.21 ! christos 3949: if ((bio = BIO_new(BIO_s_mem())) == NULL) {
! 3950: r = SSH_ERR_ALLOC_FAIL;
! 3951: goto out;
! 3952: }
! 3953: if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
! 3954: r = SSH_ERR_ALLOC_FAIL;
! 3955: goto out;
! 3956: }
! 3957: if ((r = sshkey_unshield_private(key)) != 0)
! 3958: goto out;
1.1 christos 3959:
3960: switch (key->type) {
3961: case KEY_DSA:
1.21 ! christos 3962: if (format == SSHKEY_PRIVATE_PEM) {
! 3963: success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
! 3964: cipher, passphrase, len, NULL, NULL);
! 3965: } else {
! 3966: success = EVP_PKEY_set1_DSA(pkey, key->dsa);
! 3967: }
1.1 christos 3968: break;
3969: case KEY_ECDSA:
1.21 ! christos 3970: if (format == SSHKEY_PRIVATE_PEM) {
! 3971: success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
! 3972: cipher, passphrase, len, NULL, NULL);
! 3973: } else {
! 3974: success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
! 3975: }
1.1 christos 3976: break;
3977: case KEY_RSA:
1.21 ! christos 3978: if (format == SSHKEY_PRIVATE_PEM) {
! 3979: success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
! 3980: cipher, passphrase, len, NULL, NULL);
! 3981: } else {
! 3982: success = EVP_PKEY_set1_RSA(pkey, key->rsa);
! 3983: }
1.1 christos 3984: break;
3985: default:
3986: success = 0;
3987: break;
3988: }
3989: if (success == 0) {
3990: r = SSH_ERR_LIBCRYPTO_ERROR;
3991: goto out;
3992: }
1.21 ! christos 3993: if (format == SSHKEY_PRIVATE_PKCS8) {
! 3994: if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
! 3995: passphrase, len, NULL, NULL)) == 0) {
! 3996: r = SSH_ERR_LIBCRYPTO_ERROR;
! 3997: goto out;
! 3998: }
! 3999: }
1.1 christos 4000: if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
4001: r = SSH_ERR_INTERNAL_ERROR;
4002: goto out;
4003: }
4004: if ((r = sshbuf_put(blob, bptr, blen)) != 0)
4005: goto out;
4006: r = 0;
4007: out:
1.21 ! christos 4008: if (was_shielded)
! 4009: r = sshkey_shield_private(key);
! 4010: if (r == 0)
! 4011: r = sshbuf_putb(buf, blob);
! 4012:
! 4013: EVP_PKEY_free(pkey);
! 4014: sshbuf_free(blob);
1.1 christos 4015: BIO_free(bio);
4016: return r;
4017: }
4018: #endif /* WITH_OPENSSL */
4019:
4020: /* Serialise "key" to buffer "blob" */
4021: int
4022: sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
4023: const char *passphrase, const char *comment,
1.21 ! christos 4024: int format, const char *openssh_format_cipher, int openssh_format_rounds)
1.1 christos 4025: {
4026: switch (key->type) {
1.3 christos 4027: #ifdef WITH_OPENSSL
1.1 christos 4028: case KEY_DSA:
4029: case KEY_ECDSA:
4030: case KEY_RSA:
1.21 ! christos 4031: break; /* see below */
1.1 christos 4032: #endif /* WITH_OPENSSL */
4033: case KEY_ED25519:
1.14 christos 4034: #ifdef WITH_XMSS
4035: case KEY_XMSS:
4036: #endif /* WITH_XMSS */
1.1 christos 4037: return sshkey_private_to_blob2(key, blob, passphrase,
1.21 ! christos 4038: comment, openssh_format_cipher, openssh_format_rounds);
1.1 christos 4039: default:
4040: return SSH_ERR_KEY_TYPE_UNKNOWN;
4041: }
1.21 ! christos 4042:
! 4043: #ifdef WITH_OPENSSL
! 4044: switch (format) {
! 4045: case SSHKEY_PRIVATE_OPENSSH:
! 4046: return sshkey_private_to_blob2(key, blob, passphrase,
! 4047: comment, openssh_format_cipher, openssh_format_rounds);
! 4048: case SSHKEY_PRIVATE_PEM:
! 4049: case SSHKEY_PRIVATE_PKCS8:
! 4050: return sshkey_private_to_blob_pem_pkcs8(key, blob,
! 4051: format, passphrase, comment);
! 4052: default:
! 4053: return SSH_ERR_INVALID_ARGUMENT;
! 4054: }
! 4055: #endif /* WITH_OPENSSL */
1.1 christos 4056: }
4057:
1.11 christos 4058:
4059: #ifdef WITH_OPENSSL
4060: static int
4061: translate_libcrypto_error(unsigned long pem_err)
1.1 christos 4062: {
1.11 christos 4063: int pem_reason = ERR_GET_REASON(pem_err);
1.1 christos 4064:
1.11 christos 4065: switch (ERR_GET_LIB(pem_err)) {
4066: case ERR_LIB_PEM:
4067: switch (pem_reason) {
4068: case PEM_R_BAD_PASSWORD_READ:
4069: case PEM_R_PROBLEMS_GETTING_PASSWORD:
4070: case PEM_R_BAD_DECRYPT:
4071: return SSH_ERR_KEY_WRONG_PASSPHRASE;
4072: default:
4073: return SSH_ERR_INVALID_FORMAT;
4074: }
4075: case ERR_LIB_EVP:
4076: switch (pem_reason) {
4077: case EVP_R_BAD_DECRYPT:
4078: return SSH_ERR_KEY_WRONG_PASSPHRASE;
1.19 christos 4079: #ifdef EVP_R_BN_DECODE_ERROR
4080: case EVP_R_BN_DECODE_ERROR:
4081: #endif
1.11 christos 4082: case EVP_R_DECODE_ERROR:
4083: #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
4084: case EVP_R_PRIVATE_KEY_DECODE_ERROR:
4085: #endif
4086: return SSH_ERR_INVALID_FORMAT;
4087: default:
4088: return SSH_ERR_LIBCRYPTO_ERROR;
4089: }
4090: case ERR_LIB_ASN1:
1.1 christos 4091: return SSH_ERR_INVALID_FORMAT;
1.11 christos 4092: }
4093: return SSH_ERR_LIBCRYPTO_ERROR;
4094: }
1.1 christos 4095:
1.11 christos 4096: static void
4097: clear_libcrypto_errors(void)
4098: {
4099: while (ERR_get_error() != 0)
4100: ;
1.1 christos 4101: }
4102:
1.11 christos 4103: /*
4104: * Translate OpenSSL error codes to determine whether
4105: * passphrase is required/incorrect.
4106: */
1.1 christos 4107: static int
1.11 christos 4108: convert_libcrypto_error(void)
1.1 christos 4109: {
4110: /*
1.11 christos 4111: * Some password errors are reported at the beginning
4112: * of the error queue.
1.1 christos 4113: */
1.11 christos 4114: if (translate_libcrypto_error(ERR_peek_error()) ==
4115: SSH_ERR_KEY_WRONG_PASSPHRASE)
4116: return SSH_ERR_KEY_WRONG_PASSPHRASE;
4117: return translate_libcrypto_error(ERR_peek_last_error());
1.1 christos 4118: }
4119:
1.3 christos 4120: static int
1.19 christos 4121: pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
4122: {
4123: char *p = (char *)u;
4124: size_t len;
4125:
4126: if (p == NULL || (len = strlen(p)) == 0)
4127: return -1;
4128: if (size < 0 || len > (size_t)size)
4129: return -1;
4130: memcpy(buf, p, len);
4131: return (int)len;
4132: }
4133:
4134: static int
1.1 christos 4135: sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
1.3 christos 4136: const char *passphrase, struct sshkey **keyp)
1.1 christos 4137: {
4138: EVP_PKEY *pk = NULL;
4139: struct sshkey *prv = NULL;
4140: BIO *bio = NULL;
4141: int r;
4142:
1.8 christos 4143: if (keyp != NULL)
4144: *keyp = NULL;
1.1 christos 4145:
4146: if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
4147: return SSH_ERR_ALLOC_FAIL;
4148: if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
4149: (int)sshbuf_len(blob)) {
4150: r = SSH_ERR_ALLOC_FAIL;
4151: goto out;
4152: }
4153:
1.11 christos 4154: clear_libcrypto_errors();
1.19 christos 4155: if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
1.2 christos 4156: __UNCONST(passphrase))) == NULL) {
1.19 christos 4157: /*
4158: * libcrypto may return various ASN.1 errors when attempting
4159: * to parse a key with an incorrect passphrase.
4160: * Treat all format errors as "incorrect passphrase" if a
4161: * passphrase was supplied.
4162: */
4163: if (passphrase != NULL && *passphrase != '\0')
4164: r = SSH_ERR_KEY_WRONG_PASSPHRASE;
4165: else
4166: r = convert_libcrypto_error();
1.1 christos 4167: goto out;
4168: }
1.19 christos 4169: if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
1.1 christos 4170: (type == KEY_UNSPEC || type == KEY_RSA)) {
4171: if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
4172: r = SSH_ERR_ALLOC_FAIL;
4173: goto out;
4174: }
4175: prv->rsa = EVP_PKEY_get1_RSA(pk);
4176: prv->type = KEY_RSA;
4177: #ifdef DEBUG_PK
4178: RSA_print_fp(stderr, prv->rsa, 8);
4179: #endif
4180: if (RSA_blinding_on(prv->rsa, NULL) != 1) {
4181: r = SSH_ERR_LIBCRYPTO_ERROR;
4182: goto out;
4183: }
1.19 christos 4184: if ((r = check_rsa_length(prv->rsa)) != 0)
1.11 christos 4185: goto out;
1.19 christos 4186: } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
1.1 christos 4187: (type == KEY_UNSPEC || type == KEY_DSA)) {
4188: if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
4189: r = SSH_ERR_ALLOC_FAIL;
4190: goto out;
4191: }
4192: prv->dsa = EVP_PKEY_get1_DSA(pk);
4193: prv->type = KEY_DSA;
4194: #ifdef DEBUG_PK
4195: DSA_print_fp(stderr, prv->dsa, 8);
4196: #endif
1.19 christos 4197: } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
1.1 christos 4198: (type == KEY_UNSPEC || type == KEY_ECDSA)) {
4199: if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
4200: r = SSH_ERR_ALLOC_FAIL;
4201: goto out;
4202: }
4203: prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
4204: prv->type = KEY_ECDSA;
4205: prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
4206: if (prv->ecdsa_nid == -1 ||
4207: sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
4208: sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
4209: EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
4210: sshkey_ec_validate_private(prv->ecdsa) != 0) {
4211: r = SSH_ERR_INVALID_FORMAT;
4212: goto out;
4213: }
4214: #ifdef DEBUG_PK
4215: if (prv != NULL && prv->ecdsa != NULL)
4216: sshkey_dump_ec_key(prv->ecdsa);
4217: #endif
4218: } else {
4219: r = SSH_ERR_INVALID_FORMAT;
4220: goto out;
4221: }
4222: r = 0;
1.8 christos 4223: if (keyp != NULL) {
4224: *keyp = prv;
4225: prv = NULL;
4226: }
1.1 christos 4227: out:
4228: BIO_free(bio);
1.14 christos 4229: EVP_PKEY_free(pk);
1.7 christos 4230: sshkey_free(prv);
1.1 christos 4231: return r;
4232: }
4233: #endif /* WITH_OPENSSL */
4234:
4235: int
4236: sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
4237: const char *passphrase, struct sshkey **keyp, char **commentp)
4238: {
1.10 christos 4239: int r = SSH_ERR_INTERNAL_ERROR;
4240:
1.8 christos 4241: if (keyp != NULL)
4242: *keyp = NULL;
1.1 christos 4243: if (commentp != NULL)
4244: *commentp = NULL;
4245:
4246: switch (type) {
1.3 christos 4247: #ifdef WITH_OPENSSL
1.1 christos 4248: case KEY_DSA:
4249: case KEY_ECDSA:
4250: case KEY_RSA:
1.3 christos 4251: return sshkey_parse_private_pem_fileblob(blob, type,
4252: passphrase, keyp);
1.1 christos 4253: #endif /* WITH_OPENSSL */
4254: case KEY_ED25519:
1.14 christos 4255: #ifdef WITH_XMSS
4256: case KEY_XMSS:
4257: #endif /* WITH_XMSS */
1.1 christos 4258: return sshkey_parse_private2(blob, type, passphrase,
4259: keyp, commentp);
4260: case KEY_UNSPEC:
1.10 christos 4261: r = sshkey_parse_private2(blob, type, passphrase, keyp,
4262: commentp);
4263: /* Do not fallback to PEM parser if only passphrase is wrong. */
4264: if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE)
4265: return r;
1.1 christos 4266: #ifdef WITH_OPENSSL
1.3 christos 4267: return sshkey_parse_private_pem_fileblob(blob, type,
4268: passphrase, keyp);
1.1 christos 4269: #else
4270: return SSH_ERR_INVALID_FORMAT;
4271: #endif /* WITH_OPENSSL */
4272: default:
4273: return SSH_ERR_KEY_TYPE_UNKNOWN;
4274: }
4275: }
4276:
4277: int
4278: sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
1.7 christos 4279: struct sshkey **keyp, char **commentp)
1.1 christos 4280: {
4281: if (keyp != NULL)
4282: *keyp = NULL;
4283: if (commentp != NULL)
4284: *commentp = NULL;
4285:
1.7 christos 4286: return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
4287: passphrase, keyp, commentp);
1.1 christos 4288: }
1.14 christos 4289:
4290: #ifdef WITH_XMSS
4291: /*
4292: * serialize the key with the current state and forward the state
4293: * maxsign times.
4294: */
4295: int
1.21 ! christos 4296: sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
1.14 christos 4297: u_int32_t maxsign, sshkey_printfn *pr)
4298: {
4299: int r, rupdate;
4300:
4301: if (maxsign == 0 ||
4302: sshkey_type_plain(k->type) != KEY_XMSS)
4303: return sshkey_private_serialize_opt(k, b,
4304: SSHKEY_SERIALIZE_DEFAULT);
4305: if ((r = sshkey_xmss_get_state(k, pr)) != 0 ||
4306: (r = sshkey_private_serialize_opt(k, b,
4307: SSHKEY_SERIALIZE_STATE)) != 0 ||
4308: (r = sshkey_xmss_forward_state(k, maxsign)) != 0)
4309: goto out;
4310: r = 0;
4311: out:
4312: if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) {
4313: if (r == 0)
4314: r = rupdate;
4315: }
4316: return r;
4317: }
4318:
4319: u_int32_t
4320: sshkey_signatures_left(const struct sshkey *k)
4321: {
4322: if (sshkey_type_plain(k->type) == KEY_XMSS)
4323: return sshkey_xmss_signatures_left(k);
4324: return 0;
4325: }
4326:
4327: int
4328: sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
4329: {
4330: if (sshkey_type_plain(k->type) != KEY_XMSS)
4331: return SSH_ERR_INVALID_ARGUMENT;
4332: return sshkey_xmss_enable_maxsign(k, maxsign);
4333: }
4334:
4335: int
4336: sshkey_set_filename(struct sshkey *k, const char *filename)
4337: {
4338: if (k == NULL)
4339: return SSH_ERR_INVALID_ARGUMENT;
4340: if (sshkey_type_plain(k->type) != KEY_XMSS)
4341: return 0;
4342: if (filename == NULL)
4343: return SSH_ERR_INVALID_ARGUMENT;
4344: if ((k->xmss_filename = strdup(filename)) == NULL)
4345: return SSH_ERR_ALLOC_FAIL;
4346: return 0;
4347: }
4348: #else
4349: int
1.21 ! christos 4350: sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
1.14 christos 4351: u_int32_t maxsign, sshkey_printfn *pr)
4352: {
4353: return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
4354: }
4355:
4356: u_int32_t
4357: sshkey_signatures_left(const struct sshkey *k)
4358: {
4359: return 0;
4360: }
4361:
4362: int
4363: sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
4364: {
4365: return SSH_ERR_INVALID_ARGUMENT;
4366: }
4367:
4368: int
4369: sshkey_set_filename(struct sshkey *k, const char *filename)
4370: {
4371: if (k == NULL)
4372: return SSH_ERR_INVALID_ARGUMENT;
4373: return 0;
4374: }
4375: #endif /* WITH_XMSS */
CVSweb <webmaster@jp.NetBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to sshkey.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / crypto / external / bsd / openssh / dist