diff options
Diffstat (limited to 'sshkey.c')
-rw-r--r-- | sshkey.c | 3857 |
1 files changed, 3857 insertions, 0 deletions
diff --git a/sshkey.c b/sshkey.c new file mode 100644 index 000000000..1a96eae19 --- /dev/null +++ b/sshkey.c | |||
@@ -0,0 +1,3857 @@ | |||
1 | /* $OpenBSD: sshkey.c,v 1.3 2014/07/03 01:45:38 djm Exp $ */ | ||
2 | /* | ||
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | ||
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | ||
5 | * Copyright (c) 2010,2011 Damien Miller. All rights reserved. | ||
6 | * | ||
7 | * Redistribution and use in source and binary forms, with or without | ||
8 | * modification, are permitted provided that the following conditions | ||
9 | * are met: | ||
10 | * 1. Redistributions of source code must retain the above copyright | ||
11 | * notice, this list of conditions and the following disclaimer. | ||
12 | * 2. Redistributions in binary form must reproduce the above copyright | ||
13 | * notice, this list of conditions and the following disclaimer in the | ||
14 | * documentation and/or other materials provided with the distribution. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | ||
17 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | ||
18 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | ||
19 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | ||
20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
21 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
22 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
23 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||
25 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||
26 | */ | ||
27 | |||
28 | #include "includes.h" | ||
29 | |||
30 | #include <sys/param.h> | ||
31 | #include <sys/types.h> | ||
32 | |||
33 | #include <openssl/evp.h> | ||
34 | #include <openssl/err.h> | ||
35 | #include <openssl/pem.h> | ||
36 | |||
37 | #include "crypto_api.h" | ||
38 | |||
39 | #include <errno.h> | ||
40 | #include <stdio.h> | ||
41 | #include <string.h> | ||
42 | #ifdef HAVE_UTIL_H | ||
43 | #include <util.h> | ||
44 | #endif /* HAVE_UTIL_H */ | ||
45 | |||
46 | #include "ssh2.h" | ||
47 | #include "ssherr.h" | ||
48 | #include "misc.h" | ||
49 | #include "sshbuf.h" | ||
50 | #include "rsa.h" | ||
51 | #include "cipher.h" | ||
52 | #include "digest.h" | ||
53 | #define SSHKEY_INTERNAL | ||
54 | #include "sshkey.h" | ||
55 | |||
56 | /* openssh private key file format */ | ||
57 | #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" | ||
58 | #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n" | ||
59 | #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1) | ||
60 | #define MARK_END_LEN (sizeof(MARK_END) - 1) | ||
61 | #define KDFNAME "bcrypt" | ||
62 | #define AUTH_MAGIC "openssh-key-v1" | ||
63 | #define SALT_LEN 16 | ||
64 | #define DEFAULT_CIPHERNAME "aes256-cbc" | ||
65 | #define DEFAULT_ROUNDS 16 | ||
66 | |||
67 | /* Version identification string for SSH v1 identity files. */ | ||
68 | #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n" | ||
69 | |||
70 | static int sshkey_from_blob_internal(const u_char *blob, size_t blen, | ||
71 | struct sshkey **keyp, int allow_cert); | ||
72 | |||
73 | /* Supported key types */ | ||
74 | struct keytype { | ||
75 | const char *name; | ||
76 | const char *shortname; | ||
77 | int type; | ||
78 | int nid; | ||
79 | int cert; | ||
80 | }; | ||
81 | static const struct keytype keytypes[] = { | ||
82 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, | ||
83 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | ||
84 | KEY_ED25519_CERT, 0, 1 }, | ||
85 | #ifdef WITH_OPENSSL | ||
86 | { NULL, "RSA1", KEY_RSA1, 0, 0 }, | ||
87 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, | ||
88 | { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, | ||
89 | # ifdef OPENSSL_HAS_ECC | ||
90 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, | ||
91 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, | ||
92 | # ifdef OPENSSL_HAS_NISTP521 | ||
93 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, | ||
94 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
95 | # endif /* OPENSSL_HAS_ECC */ | ||
96 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, | ||
97 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, | ||
98 | # ifdef OPENSSL_HAS_ECC | ||
99 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", | ||
100 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, | ||
101 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", | ||
102 | KEY_ECDSA_CERT, NID_secp384r1, 1 }, | ||
103 | # ifdef OPENSSL_HAS_NISTP521 | ||
104 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", | ||
105 | KEY_ECDSA_CERT, NID_secp521r1, 1 }, | ||
106 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
107 | # endif /* OPENSSL_HAS_ECC */ | ||
108 | { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", | ||
109 | KEY_RSA_CERT_V00, 0, 1 }, | ||
110 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | ||
111 | KEY_DSA_CERT_V00, 0, 1 }, | ||
112 | #endif /* WITH_OPENSSL */ | ||
113 | { "null", "null", KEY_NULL, 0, 0 }, | ||
114 | { NULL, NULL, -1, -1, 0 } | ||
115 | }; | ||
116 | |||
117 | const char * | ||
118 | sshkey_type(const struct sshkey *k) | ||
119 | { | ||
120 | const struct keytype *kt; | ||
121 | |||
122 | for (kt = keytypes; kt->type != -1; kt++) { | ||
123 | if (kt->type == k->type) | ||
124 | return kt->shortname; | ||
125 | } | ||
126 | return "unknown"; | ||
127 | } | ||
128 | |||
129 | static const char * | ||
130 | sshkey_ssh_name_from_type_nid(int type, int nid) | ||
131 | { | ||
132 | const struct keytype *kt; | ||
133 | |||
134 | for (kt = keytypes; kt->type != -1; kt++) { | ||
135 | if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) | ||
136 | return kt->name; | ||
137 | } | ||
138 | return "ssh-unknown"; | ||
139 | } | ||
140 | |||
141 | int | ||
142 | sshkey_type_is_cert(int type) | ||
143 | { | ||
144 | const struct keytype *kt; | ||
145 | |||
146 | for (kt = keytypes; kt->type != -1; kt++) { | ||
147 | if (kt->type == type) | ||
148 | return kt->cert; | ||
149 | } | ||
150 | return 0; | ||
151 | } | ||
152 | |||
153 | const char * | ||
154 | sshkey_ssh_name(const struct sshkey *k) | ||
155 | { | ||
156 | return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); | ||
157 | } | ||
158 | |||
159 | const char * | ||
160 | sshkey_ssh_name_plain(const struct sshkey *k) | ||
161 | { | ||
162 | return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), | ||
163 | k->ecdsa_nid); | ||
164 | } | ||
165 | |||
166 | int | ||
167 | sshkey_type_from_name(const char *name) | ||
168 | { | ||
169 | const struct keytype *kt; | ||
170 | |||
171 | for (kt = keytypes; kt->type != -1; kt++) { | ||
172 | /* Only allow shortname matches for plain key types */ | ||
173 | if ((kt->name != NULL && strcmp(name, kt->name) == 0) || | ||
174 | (!kt->cert && strcasecmp(kt->shortname, name) == 0)) | ||
175 | return kt->type; | ||
176 | } | ||
177 | return KEY_UNSPEC; | ||
178 | } | ||
179 | |||
180 | int | ||
181 | sshkey_ecdsa_nid_from_name(const char *name) | ||
182 | { | ||
183 | const struct keytype *kt; | ||
184 | |||
185 | for (kt = keytypes; kt->type != -1; kt++) { | ||
186 | if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) | ||
187 | continue; | ||
188 | if (kt->name != NULL && strcmp(name, kt->name) == 0) | ||
189 | return kt->nid; | ||
190 | } | ||
191 | return -1; | ||
192 | } | ||
193 | |||
194 | char * | ||
195 | key_alg_list(int certs_only, int plain_only) | ||
196 | { | ||
197 | char *tmp, *ret = NULL; | ||
198 | size_t nlen, rlen = 0; | ||
199 | const struct keytype *kt; | ||
200 | |||
201 | for (kt = keytypes; kt->type != -1; kt++) { | ||
202 | if (kt->name == NULL || kt->type == KEY_NULL) | ||
203 | continue; | ||
204 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
205 | continue; | ||
206 | if (ret != NULL) | ||
207 | ret[rlen++] = '\n'; | ||
208 | nlen = strlen(kt->name); | ||
209 | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) { | ||
210 | free(ret); | ||
211 | return NULL; | ||
212 | } | ||
213 | ret = tmp; | ||
214 | memcpy(ret + rlen, kt->name, nlen + 1); | ||
215 | rlen += nlen; | ||
216 | } | ||
217 | return ret; | ||
218 | } | ||
219 | |||
220 | int | ||
221 | sshkey_names_valid2(const char *names) | ||
222 | { | ||
223 | char *s, *cp, *p; | ||
224 | |||
225 | if (names == NULL || strcmp(names, "") == 0) | ||
226 | return 0; | ||
227 | if ((s = cp = strdup(names)) == NULL) | ||
228 | return 0; | ||
229 | for ((p = strsep(&cp, ",")); p && *p != '\0'; | ||
230 | (p = strsep(&cp, ","))) { | ||
231 | switch (sshkey_type_from_name(p)) { | ||
232 | case KEY_RSA1: | ||
233 | case KEY_UNSPEC: | ||
234 | free(s); | ||
235 | return 0; | ||
236 | } | ||
237 | } | ||
238 | free(s); | ||
239 | return 1; | ||
240 | } | ||
241 | |||
242 | u_int | ||
243 | sshkey_size(const struct sshkey *k) | ||
244 | { | ||
245 | switch (k->type) { | ||
246 | #ifdef WITH_OPENSSL | ||
247 | case KEY_RSA1: | ||
248 | case KEY_RSA: | ||
249 | case KEY_RSA_CERT_V00: | ||
250 | case KEY_RSA_CERT: | ||
251 | return BN_num_bits(k->rsa->n); | ||
252 | case KEY_DSA: | ||
253 | case KEY_DSA_CERT_V00: | ||
254 | case KEY_DSA_CERT: | ||
255 | return BN_num_bits(k->dsa->p); | ||
256 | case KEY_ECDSA: | ||
257 | case KEY_ECDSA_CERT: | ||
258 | return sshkey_curve_nid_to_bits(k->ecdsa_nid); | ||
259 | #endif /* WITH_OPENSSL */ | ||
260 | case KEY_ED25519: | ||
261 | case KEY_ED25519_CERT: | ||
262 | return 256; /* XXX */ | ||
263 | } | ||
264 | return 0; | ||
265 | } | ||
266 | |||
267 | int | ||
268 | sshkey_cert_is_legacy(const struct sshkey *k) | ||
269 | { | ||
270 | switch (k->type) { | ||
271 | case KEY_DSA_CERT_V00: | ||
272 | case KEY_RSA_CERT_V00: | ||
273 | return 1; | ||
274 | default: | ||
275 | return 0; | ||
276 | } | ||
277 | } | ||
278 | |||
279 | static int | ||
280 | sshkey_type_is_valid_ca(int type) | ||
281 | { | ||
282 | switch (type) { | ||
283 | case KEY_RSA: | ||
284 | case KEY_DSA: | ||
285 | case KEY_ECDSA: | ||
286 | case KEY_ED25519: | ||
287 | return 1; | ||
288 | default: | ||
289 | return 0; | ||
290 | } | ||
291 | } | ||
292 | |||
293 | int | ||
294 | sshkey_is_cert(const struct sshkey *k) | ||
295 | { | ||
296 | if (k == NULL) | ||
297 | return 0; | ||
298 | return sshkey_type_is_cert(k->type); | ||
299 | } | ||
300 | |||
301 | /* Return the cert-less equivalent to a certified key type */ | ||
302 | int | ||
303 | sshkey_type_plain(int type) | ||
304 | { | ||
305 | switch (type) { | ||
306 | case KEY_RSA_CERT_V00: | ||
307 | case KEY_RSA_CERT: | ||
308 | return KEY_RSA; | ||
309 | case KEY_DSA_CERT_V00: | ||
310 | case KEY_DSA_CERT: | ||
311 | return KEY_DSA; | ||
312 | case KEY_ECDSA_CERT: | ||
313 | return KEY_ECDSA; | ||
314 | case KEY_ED25519_CERT: | ||
315 | return KEY_ED25519; | ||
316 | default: | ||
317 | return type; | ||
318 | } | ||
319 | } | ||
320 | |||
321 | #ifdef WITH_OPENSSL | ||
322 | /* XXX: these are really begging for a table-driven approach */ | ||
323 | int | ||
324 | sshkey_curve_name_to_nid(const char *name) | ||
325 | { | ||
326 | if (strcmp(name, "nistp256") == 0) | ||
327 | return NID_X9_62_prime256v1; | ||
328 | else if (strcmp(name, "nistp384") == 0) | ||
329 | return NID_secp384r1; | ||
330 | # ifdef OPENSSL_HAS_NISTP521 | ||
331 | else if (strcmp(name, "nistp521") == 0) | ||
332 | return NID_secp521r1; | ||
333 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
334 | else | ||
335 | return -1; | ||
336 | } | ||
337 | |||
338 | u_int | ||
339 | sshkey_curve_nid_to_bits(int nid) | ||
340 | { | ||
341 | switch (nid) { | ||
342 | case NID_X9_62_prime256v1: | ||
343 | return 256; | ||
344 | case NID_secp384r1: | ||
345 | return 384; | ||
346 | # ifdef OPENSSL_HAS_NISTP521 | ||
347 | case NID_secp521r1: | ||
348 | return 521; | ||
349 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
350 | default: | ||
351 | return 0; | ||
352 | } | ||
353 | } | ||
354 | |||
355 | int | ||
356 | sshkey_ecdsa_bits_to_nid(int bits) | ||
357 | { | ||
358 | switch (bits) { | ||
359 | case 256: | ||
360 | return NID_X9_62_prime256v1; | ||
361 | case 384: | ||
362 | return NID_secp384r1; | ||
363 | # ifdef OPENSSL_HAS_NISTP521 | ||
364 | case 521: | ||
365 | return NID_secp521r1; | ||
366 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
367 | default: | ||
368 | return -1; | ||
369 | } | ||
370 | } | ||
371 | |||
372 | const char * | ||
373 | sshkey_curve_nid_to_name(int nid) | ||
374 | { | ||
375 | switch (nid) { | ||
376 | case NID_X9_62_prime256v1: | ||
377 | return "nistp256"; | ||
378 | case NID_secp384r1: | ||
379 | return "nistp384"; | ||
380 | # ifdef OPENSSL_HAS_NISTP521 | ||
381 | case NID_secp521r1: | ||
382 | return "nistp521"; | ||
383 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
384 | default: | ||
385 | return NULL; | ||
386 | } | ||
387 | } | ||
388 | |||
389 | int | ||
390 | sshkey_ec_nid_to_hash_alg(int nid) | ||
391 | { | ||
392 | int kbits = sshkey_curve_nid_to_bits(nid); | ||
393 | |||
394 | if (kbits <= 0) | ||
395 | return -1; | ||
396 | |||
397 | /* RFC5656 section 6.2.1 */ | ||
398 | if (kbits <= 256) | ||
399 | return SSH_DIGEST_SHA256; | ||
400 | else if (kbits <= 384) | ||
401 | return SSH_DIGEST_SHA384; | ||
402 | else | ||
403 | return SSH_DIGEST_SHA512; | ||
404 | } | ||
405 | #endif /* WITH_OPENSSL */ | ||
406 | |||
407 | static void | ||
408 | cert_free(struct sshkey_cert *cert) | ||
409 | { | ||
410 | u_int i; | ||
411 | |||
412 | if (cert == NULL) | ||
413 | return; | ||
414 | if (cert->certblob != NULL) | ||
415 | sshbuf_free(cert->certblob); | ||
416 | if (cert->critical != NULL) | ||
417 | sshbuf_free(cert->critical); | ||
418 | if (cert->extensions != NULL) | ||
419 | sshbuf_free(cert->extensions); | ||
420 | if (cert->key_id != NULL) | ||
421 | free(cert->key_id); | ||
422 | for (i = 0; i < cert->nprincipals; i++) | ||
423 | free(cert->principals[i]); | ||
424 | if (cert->principals != NULL) | ||
425 | free(cert->principals); | ||
426 | if (cert->signature_key != NULL) | ||
427 | sshkey_free(cert->signature_key); | ||
428 | explicit_bzero(cert, sizeof(*cert)); | ||
429 | free(cert); | ||
430 | } | ||
431 | |||
432 | static struct sshkey_cert * | ||
433 | cert_new(void) | ||
434 | { | ||
435 | struct sshkey_cert *cert; | ||
436 | |||
437 | if ((cert = calloc(1, sizeof(*cert))) == NULL) | ||
438 | return NULL; | ||
439 | if ((cert->certblob = sshbuf_new()) == NULL || | ||
440 | (cert->critical = sshbuf_new()) == NULL || | ||
441 | (cert->extensions = sshbuf_new()) == NULL) { | ||
442 | cert_free(cert); | ||
443 | return NULL; | ||
444 | } | ||
445 | cert->key_id = NULL; | ||
446 | cert->principals = NULL; | ||
447 | cert->signature_key = NULL; | ||
448 | return cert; | ||
449 | } | ||
450 | |||
451 | struct sshkey * | ||
452 | sshkey_new(int type) | ||
453 | { | ||
454 | struct sshkey *k; | ||
455 | #ifdef WITH_OPENSSL | ||
456 | RSA *rsa; | ||
457 | DSA *dsa; | ||
458 | #endif /* WITH_OPENSSL */ | ||
459 | |||
460 | if ((k = calloc(1, sizeof(*k))) == NULL) | ||
461 | return NULL; | ||
462 | k->type = type; | ||
463 | k->ecdsa = NULL; | ||
464 | k->ecdsa_nid = -1; | ||
465 | k->dsa = NULL; | ||
466 | k->rsa = NULL; | ||
467 | k->cert = NULL; | ||
468 | k->ed25519_sk = NULL; | ||
469 | k->ed25519_pk = NULL; | ||
470 | switch (k->type) { | ||
471 | #ifdef WITH_OPENSSL | ||
472 | case KEY_RSA1: | ||
473 | case KEY_RSA: | ||
474 | case KEY_RSA_CERT_V00: | ||
475 | case KEY_RSA_CERT: | ||
476 | if ((rsa = RSA_new()) == NULL || | ||
477 | (rsa->n = BN_new()) == NULL || | ||
478 | (rsa->e = BN_new()) == NULL) { | ||
479 | if (rsa != NULL) | ||
480 | RSA_free(rsa); | ||
481 | free(k); | ||
482 | return NULL; | ||
483 | } | ||
484 | k->rsa = rsa; | ||
485 | break; | ||
486 | case KEY_DSA: | ||
487 | case KEY_DSA_CERT_V00: | ||
488 | case KEY_DSA_CERT: | ||
489 | if ((dsa = DSA_new()) == NULL || | ||
490 | (dsa->p = BN_new()) == NULL || | ||
491 | (dsa->q = BN_new()) == NULL || | ||
492 | (dsa->g = BN_new()) == NULL || | ||
493 | (dsa->pub_key = BN_new()) == NULL) { | ||
494 | if (dsa != NULL) | ||
495 | DSA_free(dsa); | ||
496 | free(k); | ||
497 | return NULL; | ||
498 | } | ||
499 | k->dsa = dsa; | ||
500 | break; | ||
501 | case KEY_ECDSA: | ||
502 | case KEY_ECDSA_CERT: | ||
503 | /* Cannot do anything until we know the group */ | ||
504 | break; | ||
505 | #endif /* WITH_OPENSSL */ | ||
506 | case KEY_ED25519: | ||
507 | case KEY_ED25519_CERT: | ||
508 | /* no need to prealloc */ | ||
509 | break; | ||
510 | case KEY_UNSPEC: | ||
511 | break; | ||
512 | default: | ||
513 | free(k); | ||
514 | return NULL; | ||
515 | break; | ||
516 | } | ||
517 | |||
518 | if (sshkey_is_cert(k)) { | ||
519 | if ((k->cert = cert_new()) == NULL) { | ||
520 | sshkey_free(k); | ||
521 | return NULL; | ||
522 | } | ||
523 | } | ||
524 | |||
525 | return k; | ||
526 | } | ||
527 | |||
528 | int | ||
529 | sshkey_add_private(struct sshkey *k) | ||
530 | { | ||
531 | switch (k->type) { | ||
532 | #ifdef WITH_OPENSSL | ||
533 | case KEY_RSA1: | ||
534 | case KEY_RSA: | ||
535 | case KEY_RSA_CERT_V00: | ||
536 | case KEY_RSA_CERT: | ||
537 | #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) | ||
538 | if (bn_maybe_alloc_failed(k->rsa->d) || | ||
539 | bn_maybe_alloc_failed(k->rsa->iqmp) || | ||
540 | bn_maybe_alloc_failed(k->rsa->q) || | ||
541 | bn_maybe_alloc_failed(k->rsa->p) || | ||
542 | bn_maybe_alloc_failed(k->rsa->dmq1) || | ||
543 | bn_maybe_alloc_failed(k->rsa->dmp1)) | ||
544 | return SSH_ERR_ALLOC_FAIL; | ||
545 | break; | ||
546 | case KEY_DSA: | ||
547 | case KEY_DSA_CERT_V00: | ||
548 | case KEY_DSA_CERT: | ||
549 | if (bn_maybe_alloc_failed(k->dsa->priv_key)) | ||
550 | return SSH_ERR_ALLOC_FAIL; | ||
551 | break; | ||
552 | #undef bn_maybe_alloc_failed | ||
553 | case KEY_ECDSA: | ||
554 | case KEY_ECDSA_CERT: | ||
555 | /* Cannot do anything until we know the group */ | ||
556 | break; | ||
557 | #endif /* WITH_OPENSSL */ | ||
558 | case KEY_ED25519: | ||
559 | case KEY_ED25519_CERT: | ||
560 | /* no need to prealloc */ | ||
561 | break; | ||
562 | case KEY_UNSPEC: | ||
563 | break; | ||
564 | default: | ||
565 | return SSH_ERR_INVALID_ARGUMENT; | ||
566 | } | ||
567 | return 0; | ||
568 | } | ||
569 | |||
570 | struct sshkey * | ||
571 | sshkey_new_private(int type) | ||
572 | { | ||
573 | struct sshkey *k = sshkey_new(type); | ||
574 | |||
575 | if (k == NULL) | ||
576 | return NULL; | ||
577 | if (sshkey_add_private(k) != 0) { | ||
578 | sshkey_free(k); | ||
579 | return NULL; | ||
580 | } | ||
581 | return k; | ||
582 | } | ||
583 | |||
584 | void | ||
585 | sshkey_free(struct sshkey *k) | ||
586 | { | ||
587 | if (k == NULL) | ||
588 | return; | ||
589 | switch (k->type) { | ||
590 | #ifdef WITH_OPENSSL | ||
591 | case KEY_RSA1: | ||
592 | case KEY_RSA: | ||
593 | case KEY_RSA_CERT_V00: | ||
594 | case KEY_RSA_CERT: | ||
595 | if (k->rsa != NULL) | ||
596 | RSA_free(k->rsa); | ||
597 | k->rsa = NULL; | ||
598 | break; | ||
599 | case KEY_DSA: | ||
600 | case KEY_DSA_CERT_V00: | ||
601 | case KEY_DSA_CERT: | ||
602 | if (k->dsa != NULL) | ||
603 | DSA_free(k->dsa); | ||
604 | k->dsa = NULL; | ||
605 | break; | ||
606 | # ifdef OPENSSL_HAS_ECC | ||
607 | case KEY_ECDSA: | ||
608 | case KEY_ECDSA_CERT: | ||
609 | if (k->ecdsa != NULL) | ||
610 | EC_KEY_free(k->ecdsa); | ||
611 | k->ecdsa = NULL; | ||
612 | break; | ||
613 | # endif /* OPENSSL_HAS_ECC */ | ||
614 | #endif /* WITH_OPENSSL */ | ||
615 | case KEY_ED25519: | ||
616 | case KEY_ED25519_CERT: | ||
617 | if (k->ed25519_pk) { | ||
618 | explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); | ||
619 | free(k->ed25519_pk); | ||
620 | k->ed25519_pk = NULL; | ||
621 | } | ||
622 | if (k->ed25519_sk) { | ||
623 | explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); | ||
624 | free(k->ed25519_sk); | ||
625 | k->ed25519_sk = NULL; | ||
626 | } | ||
627 | break; | ||
628 | case KEY_UNSPEC: | ||
629 | break; | ||
630 | default: | ||
631 | break; | ||
632 | } | ||
633 | if (sshkey_is_cert(k)) | ||
634 | cert_free(k->cert); | ||
635 | explicit_bzero(k, sizeof(*k)); | ||
636 | free(k); | ||
637 | } | ||
638 | |||
639 | static int | ||
640 | cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) | ||
641 | { | ||
642 | if (a == NULL && b == NULL) | ||
643 | return 1; | ||
644 | if (a == NULL || b == NULL) | ||
645 | return 0; | ||
646 | if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) | ||
647 | return 0; | ||
648 | if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), | ||
649 | sshbuf_len(a->certblob)) != 0) | ||
650 | return 0; | ||
651 | return 1; | ||
652 | } | ||
653 | |||
654 | /* | ||
655 | * Compare public portions of key only, allowing comparisons between | ||
656 | * certificates and plain keys too. | ||
657 | */ | ||
658 | int | ||
659 | sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) | ||
660 | { | ||
661 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
662 | BN_CTX *bnctx; | ||
663 | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ | ||
664 | |||
665 | if (a == NULL || b == NULL || | ||
666 | sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) | ||
667 | return 0; | ||
668 | |||
669 | switch (a->type) { | ||
670 | #ifdef WITH_OPENSSL | ||
671 | case KEY_RSA1: | ||
672 | case KEY_RSA_CERT_V00: | ||
673 | case KEY_RSA_CERT: | ||
674 | case KEY_RSA: | ||
675 | return a->rsa != NULL && b->rsa != NULL && | ||
676 | BN_cmp(a->rsa->e, b->rsa->e) == 0 && | ||
677 | BN_cmp(a->rsa->n, b->rsa->n) == 0; | ||
678 | case KEY_DSA_CERT_V00: | ||
679 | case KEY_DSA_CERT: | ||
680 | case KEY_DSA: | ||
681 | return a->dsa != NULL && b->dsa != NULL && | ||
682 | BN_cmp(a->dsa->p, b->dsa->p) == 0 && | ||
683 | BN_cmp(a->dsa->q, b->dsa->q) == 0 && | ||
684 | BN_cmp(a->dsa->g, b->dsa->g) == 0 && | ||
685 | BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; | ||
686 | # ifdef OPENSSL_HAS_ECC | ||
687 | case KEY_ECDSA_CERT: | ||
688 | case KEY_ECDSA: | ||
689 | if (a->ecdsa == NULL || b->ecdsa == NULL || | ||
690 | EC_KEY_get0_public_key(a->ecdsa) == NULL || | ||
691 | EC_KEY_get0_public_key(b->ecdsa) == NULL) | ||
692 | return 0; | ||
693 | if ((bnctx = BN_CTX_new()) == NULL) | ||
694 | return 0; | ||
695 | if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), | ||
696 | EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || | ||
697 | EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), | ||
698 | EC_KEY_get0_public_key(a->ecdsa), | ||
699 | EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { | ||
700 | BN_CTX_free(bnctx); | ||
701 | return 0; | ||
702 | } | ||
703 | BN_CTX_free(bnctx); | ||
704 | return 1; | ||
705 | # endif /* OPENSSL_HAS_ECC */ | ||
706 | #endif /* WITH_OPENSSL */ | ||
707 | case KEY_ED25519: | ||
708 | case KEY_ED25519_CERT: | ||
709 | return a->ed25519_pk != NULL && b->ed25519_pk != NULL && | ||
710 | memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; | ||
711 | default: | ||
712 | return 0; | ||
713 | } | ||
714 | /* NOTREACHED */ | ||
715 | } | ||
716 | |||
717 | int | ||
718 | sshkey_equal(const struct sshkey *a, const struct sshkey *b) | ||
719 | { | ||
720 | if (a == NULL || b == NULL || a->type != b->type) | ||
721 | return 0; | ||
722 | if (sshkey_is_cert(a)) { | ||
723 | if (!cert_compare(a->cert, b->cert)) | ||
724 | return 0; | ||
725 | } | ||
726 | return sshkey_equal_public(a, b); | ||
727 | } | ||
728 | |||
729 | static int | ||
730 | to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain) | ||
731 | { | ||
732 | int type, ret = SSH_ERR_INTERNAL_ERROR; | ||
733 | const char *typename; | ||
734 | |||
735 | if (key == NULL) | ||
736 | return SSH_ERR_INVALID_ARGUMENT; | ||
737 | |||
738 | type = force_plain ? sshkey_type_plain(key->type) : key->type; | ||
739 | typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); | ||
740 | |||
741 | switch (type) { | ||
742 | #ifdef WITH_OPENSSL | ||
743 | case KEY_DSA_CERT_V00: | ||
744 | case KEY_RSA_CERT_V00: | ||
745 | case KEY_DSA_CERT: | ||
746 | case KEY_ECDSA_CERT: | ||
747 | case KEY_RSA_CERT: | ||
748 | #endif /* WITH_OPENSSL */ | ||
749 | case KEY_ED25519_CERT: | ||
750 | /* Use the existing blob */ | ||
751 | /* XXX modified flag? */ | ||
752 | if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) | ||
753 | return ret; | ||
754 | break; | ||
755 | #ifdef WITH_OPENSSL | ||
756 | case KEY_DSA: | ||
757 | if (key->dsa == NULL) | ||
758 | return SSH_ERR_INVALID_ARGUMENT; | ||
759 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || | ||
760 | (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || | ||
761 | (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || | ||
762 | (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || | ||
763 | (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0) | ||
764 | return ret; | ||
765 | break; | ||
766 | # ifdef OPENSSL_HAS_ECC | ||
767 | case KEY_ECDSA: | ||
768 | if (key->ecdsa == NULL) | ||
769 | return SSH_ERR_INVALID_ARGUMENT; | ||
770 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || | ||
771 | (ret = sshbuf_put_cstring(b, | ||
772 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || | ||
773 | (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) | ||
774 | return ret; | ||
775 | break; | ||
776 | # endif | ||
777 | case KEY_RSA: | ||
778 | if (key->rsa == NULL) | ||
779 | return SSH_ERR_INVALID_ARGUMENT; | ||
780 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || | ||
781 | (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || | ||
782 | (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0) | ||
783 | return ret; | ||
784 | break; | ||
785 | #endif /* WITH_OPENSSL */ | ||
786 | case KEY_ED25519: | ||
787 | if (key->ed25519_pk == NULL) | ||
788 | return SSH_ERR_INVALID_ARGUMENT; | ||
789 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || | ||
790 | (ret = sshbuf_put_string(b, | ||
791 | key->ed25519_pk, ED25519_PK_SZ)) != 0) | ||
792 | return ret; | ||
793 | break; | ||
794 | default: | ||
795 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
796 | } | ||
797 | return 0; | ||
798 | } | ||
799 | |||
800 | int | ||
801 | sshkey_to_blob_buf(const struct sshkey *key, struct sshbuf *b) | ||
802 | { | ||
803 | return to_blob_buf(key, b, 0); | ||
804 | } | ||
805 | |||
806 | int | ||
807 | sshkey_plain_to_blob_buf(const struct sshkey *key, struct sshbuf *b) | ||
808 | { | ||
809 | return to_blob_buf(key, b, 1); | ||
810 | } | ||
811 | |||
812 | static int | ||
813 | to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain) | ||
814 | { | ||
815 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
816 | size_t len; | ||
817 | struct sshbuf *b = NULL; | ||
818 | |||
819 | if (lenp != NULL) | ||
820 | *lenp = 0; | ||
821 | if (blobp != NULL) | ||
822 | *blobp = NULL; | ||
823 | if ((b = sshbuf_new()) == NULL) | ||
824 | return SSH_ERR_ALLOC_FAIL; | ||
825 | if ((ret = to_blob_buf(key, b, force_plain)) != 0) | ||
826 | goto out; | ||
827 | len = sshbuf_len(b); | ||
828 | if (lenp != NULL) | ||
829 | *lenp = len; | ||
830 | if (blobp != NULL) { | ||
831 | if ((*blobp = malloc(len)) == NULL) { | ||
832 | ret = SSH_ERR_ALLOC_FAIL; | ||
833 | goto out; | ||
834 | } | ||
835 | memcpy(*blobp, sshbuf_ptr(b), len); | ||
836 | } | ||
837 | ret = 0; | ||
838 | out: | ||
839 | sshbuf_free(b); | ||
840 | return ret; | ||
841 | } | ||
842 | |||
843 | int | ||
844 | sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) | ||
845 | { | ||
846 | return to_blob(key, blobp, lenp, 0); | ||
847 | } | ||
848 | |||
849 | int | ||
850 | sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) | ||
851 | { | ||
852 | return to_blob(key, blobp, lenp, 1); | ||
853 | } | ||
854 | |||
855 | int | ||
856 | sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, | ||
857 | u_char **retp, size_t *lenp) | ||
858 | { | ||
859 | u_char *blob = NULL, *ret = NULL; | ||
860 | size_t blob_len = 0; | ||
861 | int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR; | ||
862 | |||
863 | if (retp != NULL) | ||
864 | *retp = NULL; | ||
865 | if (lenp != NULL) | ||
866 | *lenp = 0; | ||
867 | |||
868 | switch (dgst_type) { | ||
869 | case SSH_FP_MD5: | ||
870 | hash_alg = SSH_DIGEST_MD5; | ||
871 | break; | ||
872 | case SSH_FP_SHA1: | ||
873 | hash_alg = SSH_DIGEST_SHA1; | ||
874 | break; | ||
875 | case SSH_FP_SHA256: | ||
876 | hash_alg = SSH_DIGEST_SHA256; | ||
877 | break; | ||
878 | default: | ||
879 | r = SSH_ERR_INVALID_ARGUMENT; | ||
880 | goto out; | ||
881 | } | ||
882 | |||
883 | if (k->type == KEY_RSA1) { | ||
884 | #ifdef WITH_OPENSSL | ||
885 | int nlen = BN_num_bytes(k->rsa->n); | ||
886 | int elen = BN_num_bytes(k->rsa->e); | ||
887 | |||
888 | blob_len = nlen + elen; | ||
889 | if (nlen >= INT_MAX - elen || | ||
890 | (blob = malloc(blob_len)) == NULL) { | ||
891 | r = SSH_ERR_ALLOC_FAIL; | ||
892 | goto out; | ||
893 | } | ||
894 | BN_bn2bin(k->rsa->n, blob); | ||
895 | BN_bn2bin(k->rsa->e, blob + nlen); | ||
896 | #endif /* WITH_OPENSSL */ | ||
897 | } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0) | ||
898 | goto out; | ||
899 | if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { | ||
900 | r = SSH_ERR_ALLOC_FAIL; | ||
901 | goto out; | ||
902 | } | ||
903 | if ((r = ssh_digest_memory(hash_alg, blob, blob_len, | ||
904 | ret, SSH_DIGEST_MAX_LENGTH)) != 0) | ||
905 | goto out; | ||
906 | /* success */ | ||
907 | if (retp != NULL) { | ||
908 | *retp = ret; | ||
909 | ret = NULL; | ||
910 | } | ||
911 | if (lenp != NULL) | ||
912 | *lenp = ssh_digest_bytes(hash_alg); | ||
913 | r = 0; | ||
914 | out: | ||
915 | free(ret); | ||
916 | if (blob != NULL) { | ||
917 | explicit_bzero(blob, blob_len); | ||
918 | free(blob); | ||
919 | } | ||
920 | return r; | ||
921 | } | ||
922 | |||
923 | static char * | ||
924 | fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len) | ||
925 | { | ||
926 | char *retval; | ||
927 | size_t i; | ||
928 | |||
929 | if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL) | ||
930 | return NULL; | ||
931 | for (i = 0; i < dgst_raw_len; i++) { | ||
932 | char hex[4]; | ||
933 | snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); | ||
934 | strlcat(retval, hex, dgst_raw_len * 3 + 1); | ||
935 | } | ||
936 | |||
937 | /* Remove the trailing ':' character */ | ||
938 | retval[(dgst_raw_len * 3) - 1] = '\0'; | ||
939 | return retval; | ||
940 | } | ||
941 | |||
942 | static char * | ||
943 | fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) | ||
944 | { | ||
945 | char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; | ||
946 | char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', | ||
947 | 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; | ||
948 | u_int i, j = 0, rounds, seed = 1; | ||
949 | char *retval; | ||
950 | |||
951 | rounds = (dgst_raw_len / 2) + 1; | ||
952 | if ((retval = calloc(rounds, 6)) == NULL) | ||
953 | return NULL; | ||
954 | retval[j++] = 'x'; | ||
955 | for (i = 0; i < rounds; i++) { | ||
956 | u_int idx0, idx1, idx2, idx3, idx4; | ||
957 | if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { | ||
958 | idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + | ||
959 | seed) % 6; | ||
960 | idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; | ||
961 | idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + | ||
962 | (seed / 6)) % 6; | ||
963 | retval[j++] = vowels[idx0]; | ||
964 | retval[j++] = consonants[idx1]; | ||
965 | retval[j++] = vowels[idx2]; | ||
966 | if ((i + 1) < rounds) { | ||
967 | idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; | ||
968 | idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; | ||
969 | retval[j++] = consonants[idx3]; | ||
970 | retval[j++] = '-'; | ||
971 | retval[j++] = consonants[idx4]; | ||
972 | seed = ((seed * 5) + | ||
973 | ((((u_int)(dgst_raw[2 * i])) * 7) + | ||
974 | ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; | ||
975 | } | ||
976 | } else { | ||
977 | idx0 = seed % 6; | ||
978 | idx1 = 16; | ||
979 | idx2 = seed / 6; | ||
980 | retval[j++] = vowels[idx0]; | ||
981 | retval[j++] = consonants[idx1]; | ||
982 | retval[j++] = vowels[idx2]; | ||
983 | } | ||
984 | } | ||
985 | retval[j++] = 'x'; | ||
986 | retval[j++] = '\0'; | ||
987 | return retval; | ||
988 | } | ||
989 | |||
990 | /* | ||
991 | * Draw an ASCII-Art representing the fingerprint so human brain can | ||
992 | * profit from its built-in pattern recognition ability. | ||
993 | * This technique is called "random art" and can be found in some | ||
994 | * scientific publications like this original paper: | ||
995 | * | ||
996 | * "Hash Visualization: a New Technique to improve Real-World Security", | ||
997 | * Perrig A. and Song D., 1999, International Workshop on Cryptographic | ||
998 | * Techniques and E-Commerce (CrypTEC '99) | ||
999 | * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf | ||
1000 | * | ||
1001 | * The subject came up in a talk by Dan Kaminsky, too. | ||
1002 | * | ||
1003 | * If you see the picture is different, the key is different. | ||
1004 | * If the picture looks the same, you still know nothing. | ||
1005 | * | ||
1006 | * The algorithm used here is a worm crawling over a discrete plane, | ||
1007 | * leaving a trace (augmenting the field) everywhere it goes. | ||
1008 | * Movement is taken from dgst_raw 2bit-wise. Bumping into walls | ||
1009 | * makes the respective movement vector be ignored for this turn. | ||
1010 | * Graphs are not unambiguous, because circles in graphs can be | ||
1011 | * walked in either direction. | ||
1012 | */ | ||
1013 | |||
1014 | /* | ||
1015 | * Field sizes for the random art. Have to be odd, so the starting point | ||
1016 | * can be in the exact middle of the picture, and FLDBASE should be >=8 . | ||
1017 | * Else pictures would be too dense, and drawing the frame would | ||
1018 | * fail, too, because the key type would not fit in anymore. | ||
1019 | */ | ||
1020 | #define FLDBASE 8 | ||
1021 | #define FLDSIZE_Y (FLDBASE + 1) | ||
1022 | #define FLDSIZE_X (FLDBASE * 2 + 1) | ||
1023 | static char * | ||
1024 | fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, | ||
1025 | const struct sshkey *k) | ||
1026 | { | ||
1027 | /* | ||
1028 | * Chars to be used after each other every time the worm | ||
1029 | * intersects with itself. Matter of taste. | ||
1030 | */ | ||
1031 | char *augmentation_string = " .o+=*BOX@%&#/^SE"; | ||
1032 | char *retval, *p, title[FLDSIZE_X]; | ||
1033 | u_char field[FLDSIZE_X][FLDSIZE_Y]; | ||
1034 | size_t i, tlen; | ||
1035 | u_int b; | ||
1036 | int x, y, r; | ||
1037 | size_t len = strlen(augmentation_string) - 1; | ||
1038 | |||
1039 | if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL) | ||
1040 | return NULL; | ||
1041 | |||
1042 | /* initialize field */ | ||
1043 | memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); | ||
1044 | x = FLDSIZE_X / 2; | ||
1045 | y = FLDSIZE_Y / 2; | ||
1046 | |||
1047 | /* process raw key */ | ||
1048 | for (i = 0; i < dgst_raw_len; i++) { | ||
1049 | int input; | ||
1050 | /* each byte conveys four 2-bit move commands */ | ||
1051 | input = dgst_raw[i]; | ||
1052 | for (b = 0; b < 4; b++) { | ||
1053 | /* evaluate 2 bit, rest is shifted later */ | ||
1054 | x += (input & 0x1) ? 1 : -1; | ||
1055 | y += (input & 0x2) ? 1 : -1; | ||
1056 | |||
1057 | /* assure we are still in bounds */ | ||
1058 | x = MAX(x, 0); | ||
1059 | y = MAX(y, 0); | ||
1060 | x = MIN(x, FLDSIZE_X - 1); | ||
1061 | y = MIN(y, FLDSIZE_Y - 1); | ||
1062 | |||
1063 | /* augment the field */ | ||
1064 | if (field[x][y] < len - 2) | ||
1065 | field[x][y]++; | ||
1066 | input = input >> 2; | ||
1067 | } | ||
1068 | } | ||
1069 | |||
1070 | /* mark starting point and end point*/ | ||
1071 | field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; | ||
1072 | field[x][y] = len; | ||
1073 | |||
1074 | /* assemble title */ | ||
1075 | r = snprintf(title, sizeof(title), "[%s %u]", | ||
1076 | sshkey_type(k), sshkey_size(k)); | ||
1077 | /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ | ||
1078 | if (r < 0 || r > (int)sizeof(title)) | ||
1079 | snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); | ||
1080 | tlen = strlen(title); | ||
1081 | |||
1082 | /* output upper border */ | ||
1083 | p = retval; | ||
1084 | *p++ = '+'; | ||
1085 | for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++) | ||
1086 | *p++ = '-'; | ||
1087 | memcpy(p, title, tlen); | ||
1088 | p += tlen; | ||
1089 | for (i = p - retval - 1; i < FLDSIZE_X; i++) | ||
1090 | *p++ = '-'; | ||
1091 | *p++ = '+'; | ||
1092 | *p++ = '\n'; | ||
1093 | |||
1094 | /* output content */ | ||
1095 | for (y = 0; y < FLDSIZE_Y; y++) { | ||
1096 | *p++ = '|'; | ||
1097 | for (x = 0; x < FLDSIZE_X; x++) | ||
1098 | *p++ = augmentation_string[MIN(field[x][y], len)]; | ||
1099 | *p++ = '|'; | ||
1100 | *p++ = '\n'; | ||
1101 | } | ||
1102 | |||
1103 | /* output lower border */ | ||
1104 | *p++ = '+'; | ||
1105 | for (i = 0; i < FLDSIZE_X; i++) | ||
1106 | *p++ = '-'; | ||
1107 | *p++ = '+'; | ||
1108 | |||
1109 | return retval; | ||
1110 | } | ||
1111 | |||
1112 | char * | ||
1113 | sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type, | ||
1114 | enum sshkey_fp_rep dgst_rep) | ||
1115 | { | ||
1116 | char *retval = NULL; | ||
1117 | u_char *dgst_raw; | ||
1118 | size_t dgst_raw_len; | ||
1119 | |||
1120 | if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0) | ||
1121 | return NULL; | ||
1122 | switch (dgst_rep) { | ||
1123 | case SSH_FP_HEX: | ||
1124 | retval = fingerprint_hex(dgst_raw, dgst_raw_len); | ||
1125 | break; | ||
1126 | case SSH_FP_BUBBLEBABBLE: | ||
1127 | retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); | ||
1128 | break; | ||
1129 | case SSH_FP_RANDOMART: | ||
1130 | retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k); | ||
1131 | break; | ||
1132 | default: | ||
1133 | explicit_bzero(dgst_raw, dgst_raw_len); | ||
1134 | free(dgst_raw); | ||
1135 | return NULL; | ||
1136 | } | ||
1137 | explicit_bzero(dgst_raw, dgst_raw_len); | ||
1138 | free(dgst_raw); | ||
1139 | return retval; | ||
1140 | } | ||
1141 | |||
1142 | #ifdef WITH_SSH1 | ||
1143 | /* | ||
1144 | * Reads a multiple-precision integer in decimal from the buffer, and advances | ||
1145 | * the pointer. The integer must already be initialized. This function is | ||
1146 | * permitted to modify the buffer. This leaves *cpp to point just beyond the | ||
1147 | * last processed character. | ||
1148 | */ | ||
1149 | static int | ||
1150 | read_decimal_bignum(char **cpp, BIGNUM *v) | ||
1151 | { | ||
1152 | char *cp; | ||
1153 | size_t e; | ||
1154 | int skip = 1; /* skip white space */ | ||
1155 | |||
1156 | cp = *cpp; | ||
1157 | while (*cp == ' ' || *cp == '\t') | ||
1158 | cp++; | ||
1159 | e = strspn(cp, "0123456789"); | ||
1160 | if (e == 0) | ||
1161 | return SSH_ERR_INVALID_FORMAT; | ||
1162 | if (e > SSHBUF_MAX_BIGNUM * 3) | ||
1163 | return SSH_ERR_BIGNUM_TOO_LARGE; | ||
1164 | if (cp[e] == '\0') | ||
1165 | skip = 0; | ||
1166 | else if (index(" \t\r\n", cp[e]) == NULL) | ||
1167 | return SSH_ERR_INVALID_FORMAT; | ||
1168 | cp[e] = '\0'; | ||
1169 | if (BN_dec2bn(&v, cp) <= 0) | ||
1170 | return SSH_ERR_INVALID_FORMAT; | ||
1171 | *cpp = cp + e + skip; | ||
1172 | return 0; | ||
1173 | } | ||
1174 | #endif /* WITH_SSH1 */ | ||
1175 | |||
1176 | /* returns 0 ok, and < 0 error */ | ||
1177 | int | ||
1178 | sshkey_read(struct sshkey *ret, char **cpp) | ||
1179 | { | ||
1180 | struct sshkey *k; | ||
1181 | int retval = SSH_ERR_INVALID_FORMAT; | ||
1182 | char *cp, *space; | ||
1183 | int r, type, curve_nid = -1; | ||
1184 | struct sshbuf *blob; | ||
1185 | #ifdef WITH_SSH1 | ||
1186 | char *ep; | ||
1187 | u_long bits; | ||
1188 | #endif /* WITH_SSH1 */ | ||
1189 | |||
1190 | cp = *cpp; | ||
1191 | |||
1192 | switch (ret->type) { | ||
1193 | case KEY_RSA1: | ||
1194 | #ifdef WITH_SSH1 | ||
1195 | /* Get number of bits. */ | ||
1196 | bits = strtoul(cp, &ep, 10); | ||
1197 | if (*cp == '\0' || index(" \t\r\n", *ep) == NULL || | ||
1198 | bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8) | ||
1199 | return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */ | ||
1200 | /* Get public exponent, public modulus. */ | ||
1201 | if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0) | ||
1202 | return r; | ||
1203 | if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0) | ||
1204 | return r; | ||
1205 | *cpp = ep; | ||
1206 | /* validate the claimed number of bits */ | ||
1207 | if (BN_num_bits(ret->rsa->n) != (int)bits) | ||
1208 | return SSH_ERR_KEY_BITS_MISMATCH; | ||
1209 | retval = 0; | ||
1210 | #endif /* WITH_SSH1 */ | ||
1211 | break; | ||
1212 | case KEY_UNSPEC: | ||
1213 | case KEY_RSA: | ||
1214 | case KEY_DSA: | ||
1215 | case KEY_ECDSA: | ||
1216 | case KEY_ED25519: | ||
1217 | case KEY_DSA_CERT_V00: | ||
1218 | case KEY_RSA_CERT_V00: | ||
1219 | case KEY_DSA_CERT: | ||
1220 | case KEY_ECDSA_CERT: | ||
1221 | case KEY_RSA_CERT: | ||
1222 | case KEY_ED25519_CERT: | ||
1223 | space = strchr(cp, ' '); | ||
1224 | if (space == NULL) | ||
1225 | return SSH_ERR_INVALID_FORMAT; | ||
1226 | *space = '\0'; | ||
1227 | type = sshkey_type_from_name(cp); | ||
1228 | if (sshkey_type_plain(type) == KEY_ECDSA && | ||
1229 | (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1) | ||
1230 | return SSH_ERR_EC_CURVE_INVALID; | ||
1231 | *space = ' '; | ||
1232 | if (type == KEY_UNSPEC) | ||
1233 | return SSH_ERR_INVALID_FORMAT; | ||
1234 | cp = space+1; | ||
1235 | if (*cp == '\0') | ||
1236 | return SSH_ERR_INVALID_FORMAT; | ||
1237 | if (ret->type == KEY_UNSPEC) { | ||
1238 | ret->type = type; | ||
1239 | } else if (ret->type != type) | ||
1240 | return SSH_ERR_KEY_TYPE_MISMATCH; | ||
1241 | if ((blob = sshbuf_new()) == NULL) | ||
1242 | return SSH_ERR_ALLOC_FAIL; | ||
1243 | /* trim comment */ | ||
1244 | space = strchr(cp, ' '); | ||
1245 | if (space) | ||
1246 | *space = '\0'; | ||
1247 | if ((r = sshbuf_b64tod(blob, cp)) != 0) { | ||
1248 | sshbuf_free(blob); | ||
1249 | return r; | ||
1250 | } | ||
1251 | if ((r = sshkey_from_blob(sshbuf_ptr(blob), | ||
1252 | sshbuf_len(blob), &k)) != 0) { | ||
1253 | sshbuf_free(blob); | ||
1254 | return r; | ||
1255 | } | ||
1256 | sshbuf_free(blob); | ||
1257 | if (k->type != type) { | ||
1258 | sshkey_free(k); | ||
1259 | return SSH_ERR_KEY_TYPE_MISMATCH; | ||
1260 | } | ||
1261 | if (sshkey_type_plain(type) == KEY_ECDSA && | ||
1262 | curve_nid != k->ecdsa_nid) { | ||
1263 | sshkey_free(k); | ||
1264 | return SSH_ERR_EC_CURVE_MISMATCH; | ||
1265 | } | ||
1266 | /*XXXX*/ | ||
1267 | if (sshkey_is_cert(ret)) { | ||
1268 | if (!sshkey_is_cert(k)) { | ||
1269 | sshkey_free(k); | ||
1270 | return SSH_ERR_EXPECTED_CERT; | ||
1271 | } | ||
1272 | if (ret->cert != NULL) | ||
1273 | cert_free(ret->cert); | ||
1274 | ret->cert = k->cert; | ||
1275 | k->cert = NULL; | ||
1276 | } | ||
1277 | #ifdef WITH_OPENSSL | ||
1278 | if (sshkey_type_plain(ret->type) == KEY_RSA) { | ||
1279 | if (ret->rsa != NULL) | ||
1280 | RSA_free(ret->rsa); | ||
1281 | ret->rsa = k->rsa; | ||
1282 | k->rsa = NULL; | ||
1283 | #ifdef DEBUG_PK | ||
1284 | RSA_print_fp(stderr, ret->rsa, 8); | ||
1285 | #endif | ||
1286 | } | ||
1287 | if (sshkey_type_plain(ret->type) == KEY_DSA) { | ||
1288 | if (ret->dsa != NULL) | ||
1289 | DSA_free(ret->dsa); | ||
1290 | ret->dsa = k->dsa; | ||
1291 | k->dsa = NULL; | ||
1292 | #ifdef DEBUG_PK | ||
1293 | DSA_print_fp(stderr, ret->dsa, 8); | ||
1294 | #endif | ||
1295 | } | ||
1296 | # ifdef OPENSSL_HAS_ECC | ||
1297 | if (sshkey_type_plain(ret->type) == KEY_ECDSA) { | ||
1298 | if (ret->ecdsa != NULL) | ||
1299 | EC_KEY_free(ret->ecdsa); | ||
1300 | ret->ecdsa = k->ecdsa; | ||
1301 | ret->ecdsa_nid = k->ecdsa_nid; | ||
1302 | k->ecdsa = NULL; | ||
1303 | k->ecdsa_nid = -1; | ||
1304 | #ifdef DEBUG_PK | ||
1305 | sshkey_dump_ec_key(ret->ecdsa); | ||
1306 | #endif | ||
1307 | } | ||
1308 | # endif /* OPENSSL_HAS_ECC */ | ||
1309 | #endif /* WITH_OPENSSL */ | ||
1310 | if (sshkey_type_plain(ret->type) == KEY_ED25519) { | ||
1311 | free(ret->ed25519_pk); | ||
1312 | ret->ed25519_pk = k->ed25519_pk; | ||
1313 | k->ed25519_pk = NULL; | ||
1314 | #ifdef DEBUG_PK | ||
1315 | /* XXX */ | ||
1316 | #endif | ||
1317 | } | ||
1318 | retval = 0; | ||
1319 | /*XXXX*/ | ||
1320 | sshkey_free(k); | ||
1321 | if (retval != 0) | ||
1322 | break; | ||
1323 | /* advance cp: skip whitespace and data */ | ||
1324 | while (*cp == ' ' || *cp == '\t') | ||
1325 | cp++; | ||
1326 | while (*cp != '\0' && *cp != ' ' && *cp != '\t') | ||
1327 | cp++; | ||
1328 | *cpp = cp; | ||
1329 | break; | ||
1330 | default: | ||
1331 | return SSH_ERR_INVALID_ARGUMENT; | ||
1332 | } | ||
1333 | return retval; | ||
1334 | } | ||
1335 | |||
1336 | int | ||
1337 | sshkey_write(const struct sshkey *key, FILE *f) | ||
1338 | { | ||
1339 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1340 | struct sshbuf *b = NULL, *bb = NULL; | ||
1341 | char *uu = NULL; | ||
1342 | #ifdef WITH_SSH1 | ||
1343 | u_int bits = 0; | ||
1344 | char *dec_e = NULL, *dec_n = NULL; | ||
1345 | #endif /* WITH_SSH1 */ | ||
1346 | |||
1347 | if (sshkey_is_cert(key)) { | ||
1348 | if (key->cert == NULL) | ||
1349 | return SSH_ERR_EXPECTED_CERT; | ||
1350 | if (sshbuf_len(key->cert->certblob) == 0) | ||
1351 | return SSH_ERR_KEY_LACKS_CERTBLOB; | ||
1352 | } | ||
1353 | if ((b = sshbuf_new()) == NULL) | ||
1354 | return SSH_ERR_ALLOC_FAIL; | ||
1355 | switch (key->type) { | ||
1356 | #ifdef WITH_SSH1 | ||
1357 | case KEY_RSA1: | ||
1358 | if (key->rsa == NULL || key->rsa->e == NULL || | ||
1359 | key->rsa->n == NULL) { | ||
1360 | ret = SSH_ERR_INVALID_ARGUMENT; | ||
1361 | goto out; | ||
1362 | } | ||
1363 | if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL || | ||
1364 | (dec_n = BN_bn2dec(key->rsa->n)) == NULL) { | ||
1365 | ret = SSH_ERR_ALLOC_FAIL; | ||
1366 | goto out; | ||
1367 | } | ||
1368 | /* size of modulus 'n' */ | ||
1369 | if ((bits = BN_num_bits(key->rsa->n)) <= 0) { | ||
1370 | ret = SSH_ERR_INVALID_ARGUMENT; | ||
1371 | goto out; | ||
1372 | } | ||
1373 | if ((ret = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0) | ||
1374 | goto out; | ||
1375 | #endif /* WITH_SSH1 */ | ||
1376 | break; | ||
1377 | #ifdef WITH_OPENSSL | ||
1378 | case KEY_DSA: | ||
1379 | case KEY_DSA_CERT_V00: | ||
1380 | case KEY_DSA_CERT: | ||
1381 | case KEY_ECDSA: | ||
1382 | case KEY_ECDSA_CERT: | ||
1383 | case KEY_RSA: | ||
1384 | case KEY_RSA_CERT_V00: | ||
1385 | case KEY_RSA_CERT: | ||
1386 | #endif /* WITH_OPENSSL */ | ||
1387 | case KEY_ED25519: | ||
1388 | case KEY_ED25519_CERT: | ||
1389 | if ((bb = sshbuf_new()) == NULL) { | ||
1390 | ret = SSH_ERR_ALLOC_FAIL; | ||
1391 | goto out; | ||
1392 | } | ||
1393 | if ((ret = sshkey_to_blob_buf(key, bb)) != 0) | ||
1394 | goto out; | ||
1395 | if ((uu = sshbuf_dtob64(bb)) == NULL) { | ||
1396 | ret = SSH_ERR_ALLOC_FAIL; | ||
1397 | goto out; | ||
1398 | } | ||
1399 | if ((ret = sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) != 0) | ||
1400 | goto out; | ||
1401 | if ((ret = sshbuf_put(b, uu, strlen(uu))) != 0) | ||
1402 | goto out; | ||
1403 | break; | ||
1404 | default: | ||
1405 | ret = SSH_ERR_KEY_TYPE_UNKNOWN; | ||
1406 | goto out; | ||
1407 | } | ||
1408 | if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { | ||
1409 | if (feof(f)) | ||
1410 | errno = EPIPE; | ||
1411 | ret = SSH_ERR_SYSTEM_ERROR; | ||
1412 | goto out; | ||
1413 | } | ||
1414 | ret = 0; | ||
1415 | out: | ||
1416 | if (b != NULL) | ||
1417 | sshbuf_free(b); | ||
1418 | if (bb != NULL) | ||
1419 | sshbuf_free(bb); | ||
1420 | if (uu != NULL) | ||
1421 | free(uu); | ||
1422 | #ifdef WITH_SSH1 | ||
1423 | if (dec_e != NULL) | ||
1424 | OPENSSL_free(dec_e); | ||
1425 | if (dec_n != NULL) | ||
1426 | OPENSSL_free(dec_n); | ||
1427 | #endif /* WITH_SSH1 */ | ||
1428 | return ret; | ||
1429 | } | ||
1430 | |||
1431 | const char * | ||
1432 | sshkey_cert_type(const struct sshkey *k) | ||
1433 | { | ||
1434 | switch (k->cert->type) { | ||
1435 | case SSH2_CERT_TYPE_USER: | ||
1436 | return "user"; | ||
1437 | case SSH2_CERT_TYPE_HOST: | ||
1438 | return "host"; | ||
1439 | default: | ||
1440 | return "unknown"; | ||
1441 | } | ||
1442 | } | ||
1443 | |||
1444 | #ifdef WITH_OPENSSL | ||
1445 | static int | ||
1446 | rsa_generate_private_key(u_int bits, RSA **rsap) | ||
1447 | { | ||
1448 | RSA *private = NULL; | ||
1449 | BIGNUM *f4 = NULL; | ||
1450 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1451 | |||
1452 | if (rsap == NULL || | ||
1453 | bits < SSH_RSA_MINIMUM_MODULUS_SIZE || | ||
1454 | bits > SSHBUF_MAX_BIGNUM * 8) | ||
1455 | return SSH_ERR_INVALID_ARGUMENT; | ||
1456 | *rsap = NULL; | ||
1457 | if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) { | ||
1458 | ret = SSH_ERR_ALLOC_FAIL; | ||
1459 | goto out; | ||
1460 | } | ||
1461 | if (!BN_set_word(f4, RSA_F4) || | ||
1462 | !RSA_generate_key_ex(private, bits, f4, NULL)) { | ||
1463 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
1464 | goto out; | ||
1465 | } | ||
1466 | *rsap = private; | ||
1467 | private = NULL; | ||
1468 | ret = 0; | ||
1469 | out: | ||
1470 | if (private != NULL) | ||
1471 | RSA_free(private); | ||
1472 | if (f4 != NULL) | ||
1473 | BN_free(f4); | ||
1474 | return ret; | ||
1475 | } | ||
1476 | |||
1477 | static int | ||
1478 | dsa_generate_private_key(u_int bits, DSA **dsap) | ||
1479 | { | ||
1480 | DSA *private; | ||
1481 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1482 | |||
1483 | if (dsap == NULL || bits != 1024) | ||
1484 | return SSH_ERR_INVALID_ARGUMENT; | ||
1485 | if ((private = DSA_new()) == NULL) { | ||
1486 | ret = SSH_ERR_ALLOC_FAIL; | ||
1487 | goto out; | ||
1488 | } | ||
1489 | *dsap = NULL; | ||
1490 | if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, | ||
1491 | NULL, NULL) || !DSA_generate_key(private)) { | ||
1492 | DSA_free(private); | ||
1493 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
1494 | goto out; | ||
1495 | } | ||
1496 | *dsap = private; | ||
1497 | private = NULL; | ||
1498 | ret = 0; | ||
1499 | out: | ||
1500 | if (private != NULL) | ||
1501 | DSA_free(private); | ||
1502 | return ret; | ||
1503 | } | ||
1504 | |||
1505 | # ifdef OPENSSL_HAS_ECC | ||
1506 | int | ||
1507 | sshkey_ecdsa_key_to_nid(EC_KEY *k) | ||
1508 | { | ||
1509 | EC_GROUP *eg; | ||
1510 | int nids[] = { | ||
1511 | NID_X9_62_prime256v1, | ||
1512 | NID_secp384r1, | ||
1513 | # ifdef OPENSSL_HAS_NISTP521 | ||
1514 | NID_secp521r1, | ||
1515 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
1516 | -1 | ||
1517 | }; | ||
1518 | int nid; | ||
1519 | u_int i; | ||
1520 | BN_CTX *bnctx; | ||
1521 | const EC_GROUP *g = EC_KEY_get0_group(k); | ||
1522 | |||
1523 | /* | ||
1524 | * The group may be stored in a ASN.1 encoded private key in one of two | ||
1525 | * ways: as a "named group", which is reconstituted by ASN.1 object ID | ||
1526 | * or explicit group parameters encoded into the key blob. Only the | ||
1527 | * "named group" case sets the group NID for us, but we can figure | ||
1528 | * it out for the other case by comparing against all the groups that | ||
1529 | * are supported. | ||
1530 | */ | ||
1531 | if ((nid = EC_GROUP_get_curve_name(g)) > 0) | ||
1532 | return nid; | ||
1533 | if ((bnctx = BN_CTX_new()) == NULL) | ||
1534 | return -1; | ||
1535 | for (i = 0; nids[i] != -1; i++) { | ||
1536 | if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) { | ||
1537 | BN_CTX_free(bnctx); | ||
1538 | return -1; | ||
1539 | } | ||
1540 | if (EC_GROUP_cmp(g, eg, bnctx) == 0) | ||
1541 | break; | ||
1542 | EC_GROUP_free(eg); | ||
1543 | } | ||
1544 | BN_CTX_free(bnctx); | ||
1545 | if (nids[i] != -1) { | ||
1546 | /* Use the group with the NID attached */ | ||
1547 | EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); | ||
1548 | if (EC_KEY_set_group(k, eg) != 1) { | ||
1549 | EC_GROUP_free(eg); | ||
1550 | return -1; | ||
1551 | } | ||
1552 | } | ||
1553 | return nids[i]; | ||
1554 | } | ||
1555 | |||
1556 | static int | ||
1557 | ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) | ||
1558 | { | ||
1559 | EC_KEY *private; | ||
1560 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1561 | |||
1562 | if (nid == NULL || ecdsap == NULL || | ||
1563 | (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) | ||
1564 | return SSH_ERR_INVALID_ARGUMENT; | ||
1565 | *ecdsap = NULL; | ||
1566 | if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) { | ||
1567 | ret = SSH_ERR_ALLOC_FAIL; | ||
1568 | goto out; | ||
1569 | } | ||
1570 | if (EC_KEY_generate_key(private) != 1) { | ||
1571 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
1572 | goto out; | ||
1573 | } | ||
1574 | EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); | ||
1575 | *ecdsap = private; | ||
1576 | private = NULL; | ||
1577 | ret = 0; | ||
1578 | out: | ||
1579 | if (private != NULL) | ||
1580 | EC_KEY_free(private); | ||
1581 | return ret; | ||
1582 | } | ||
1583 | # endif /* OPENSSL_HAS_ECC */ | ||
1584 | #endif /* WITH_OPENSSL */ | ||
1585 | |||
1586 | int | ||
1587 | sshkey_generate(int type, u_int bits, struct sshkey **keyp) | ||
1588 | { | ||
1589 | struct sshkey *k; | ||
1590 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1591 | |||
1592 | if (keyp == NULL) | ||
1593 | return SSH_ERR_INVALID_ARGUMENT; | ||
1594 | *keyp = NULL; | ||
1595 | if ((k = sshkey_new(KEY_UNSPEC)) == NULL) | ||
1596 | return SSH_ERR_ALLOC_FAIL; | ||
1597 | switch (type) { | ||
1598 | case KEY_ED25519: | ||
1599 | if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL || | ||
1600 | (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) { | ||
1601 | ret = SSH_ERR_ALLOC_FAIL; | ||
1602 | break; | ||
1603 | } | ||
1604 | crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); | ||
1605 | ret = 0; | ||
1606 | break; | ||
1607 | #ifdef WITH_OPENSSL | ||
1608 | case KEY_DSA: | ||
1609 | ret = dsa_generate_private_key(bits, &k->dsa); | ||
1610 | break; | ||
1611 | # ifdef OPENSSL_HAS_ECC | ||
1612 | case KEY_ECDSA: | ||
1613 | ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, | ||
1614 | &k->ecdsa); | ||
1615 | break; | ||
1616 | # endif /* OPENSSL_HAS_ECC */ | ||
1617 | case KEY_RSA: | ||
1618 | case KEY_RSA1: | ||
1619 | ret = rsa_generate_private_key(bits, &k->rsa); | ||
1620 | break; | ||
1621 | #endif /* WITH_OPENSSL */ | ||
1622 | default: | ||
1623 | ret = SSH_ERR_INVALID_ARGUMENT; | ||
1624 | } | ||
1625 | if (ret == 0) { | ||
1626 | k->type = type; | ||
1627 | *keyp = k; | ||
1628 | } else | ||
1629 | sshkey_free(k); | ||
1630 | return ret; | ||
1631 | } | ||
1632 | |||
1633 | int | ||
1634 | sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) | ||
1635 | { | ||
1636 | u_int i; | ||
1637 | const struct sshkey_cert *from; | ||
1638 | struct sshkey_cert *to; | ||
1639 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1640 | |||
1641 | if (to_key->cert != NULL) { | ||
1642 | cert_free(to_key->cert); | ||
1643 | to_key->cert = NULL; | ||
1644 | } | ||
1645 | |||
1646 | if ((from = from_key->cert) == NULL) | ||
1647 | return SSH_ERR_INVALID_ARGUMENT; | ||
1648 | |||
1649 | if ((to = to_key->cert = cert_new()) == NULL) | ||
1650 | return SSH_ERR_ALLOC_FAIL; | ||
1651 | |||
1652 | if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 || | ||
1653 | (ret = sshbuf_putb(to->critical, from->critical)) != 0 || | ||
1654 | (ret = sshbuf_putb(to->extensions, from->extensions) != 0)) | ||
1655 | return ret; | ||
1656 | |||
1657 | to->serial = from->serial; | ||
1658 | to->type = from->type; | ||
1659 | if (from->key_id == NULL) | ||
1660 | to->key_id = NULL; | ||
1661 | else if ((to->key_id = strdup(from->key_id)) == NULL) | ||
1662 | return SSH_ERR_ALLOC_FAIL; | ||
1663 | to->valid_after = from->valid_after; | ||
1664 | to->valid_before = from->valid_before; | ||
1665 | if (from->signature_key == NULL) | ||
1666 | to->signature_key = NULL; | ||
1667 | else if ((ret = sshkey_from_private(from->signature_key, | ||
1668 | &to->signature_key)) != 0) | ||
1669 | return ret; | ||
1670 | |||
1671 | if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) | ||
1672 | return SSH_ERR_INVALID_ARGUMENT; | ||
1673 | if (from->nprincipals > 0) { | ||
1674 | if ((to->principals = calloc(from->nprincipals, | ||
1675 | sizeof(*to->principals))) == NULL) | ||
1676 | return SSH_ERR_ALLOC_FAIL; | ||
1677 | for (i = 0; i < from->nprincipals; i++) { | ||
1678 | to->principals[i] = strdup(from->principals[i]); | ||
1679 | if (to->principals[i] == NULL) { | ||
1680 | to->nprincipals = i; | ||
1681 | return SSH_ERR_ALLOC_FAIL; | ||
1682 | } | ||
1683 | } | ||
1684 | } | ||
1685 | to->nprincipals = from->nprincipals; | ||
1686 | return 0; | ||
1687 | } | ||
1688 | |||
1689 | int | ||
1690 | sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) | ||
1691 | { | ||
1692 | struct sshkey *n = NULL; | ||
1693 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1694 | |||
1695 | if (pkp != NULL) | ||
1696 | *pkp = NULL; | ||
1697 | |||
1698 | switch (k->type) { | ||
1699 | #ifdef WITH_OPENSSL | ||
1700 | case KEY_DSA: | ||
1701 | case KEY_DSA_CERT_V00: | ||
1702 | case KEY_DSA_CERT: | ||
1703 | if ((n = sshkey_new(k->type)) == NULL) | ||
1704 | return SSH_ERR_ALLOC_FAIL; | ||
1705 | if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || | ||
1706 | (BN_copy(n->dsa->q, k->dsa->q) == NULL) || | ||
1707 | (BN_copy(n->dsa->g, k->dsa->g) == NULL) || | ||
1708 | (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) { | ||
1709 | sshkey_free(n); | ||
1710 | return SSH_ERR_ALLOC_FAIL; | ||
1711 | } | ||
1712 | break; | ||
1713 | # ifdef OPENSSL_HAS_ECC | ||
1714 | case KEY_ECDSA: | ||
1715 | case KEY_ECDSA_CERT: | ||
1716 | if ((n = sshkey_new(k->type)) == NULL) | ||
1717 | return SSH_ERR_ALLOC_FAIL; | ||
1718 | n->ecdsa_nid = k->ecdsa_nid; | ||
1719 | n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); | ||
1720 | if (n->ecdsa == NULL) { | ||
1721 | sshkey_free(n); | ||
1722 | return SSH_ERR_ALLOC_FAIL; | ||
1723 | } | ||
1724 | if (EC_KEY_set_public_key(n->ecdsa, | ||
1725 | EC_KEY_get0_public_key(k->ecdsa)) != 1) { | ||
1726 | sshkey_free(n); | ||
1727 | return SSH_ERR_LIBCRYPTO_ERROR; | ||
1728 | } | ||
1729 | break; | ||
1730 | # endif /* OPENSSL_HAS_ECC */ | ||
1731 | case KEY_RSA: | ||
1732 | case KEY_RSA1: | ||
1733 | case KEY_RSA_CERT_V00: | ||
1734 | case KEY_RSA_CERT: | ||
1735 | if ((n = sshkey_new(k->type)) == NULL) | ||
1736 | return SSH_ERR_ALLOC_FAIL; | ||
1737 | if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || | ||
1738 | (BN_copy(n->rsa->e, k->rsa->e) == NULL)) { | ||
1739 | sshkey_free(n); | ||
1740 | return SSH_ERR_ALLOC_FAIL; | ||
1741 | } | ||
1742 | break; | ||
1743 | #endif /* WITH_OPENSSL */ | ||
1744 | case KEY_ED25519: | ||
1745 | case KEY_ED25519_CERT: | ||
1746 | if ((n = sshkey_new(k->type)) == NULL) | ||
1747 | return SSH_ERR_ALLOC_FAIL; | ||
1748 | if (k->ed25519_pk != NULL) { | ||
1749 | if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { | ||
1750 | sshkey_free(n); | ||
1751 | return SSH_ERR_ALLOC_FAIL; | ||
1752 | } | ||
1753 | memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); | ||
1754 | } | ||
1755 | break; | ||
1756 | default: | ||
1757 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
1758 | } | ||
1759 | if (sshkey_is_cert(k)) { | ||
1760 | if ((ret = sshkey_cert_copy(k, n)) != 0) { | ||
1761 | sshkey_free(n); | ||
1762 | return ret; | ||
1763 | } | ||
1764 | } | ||
1765 | *pkp = n; | ||
1766 | return 0; | ||
1767 | } | ||
1768 | |||
1769 | static int | ||
1770 | cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob, | ||
1771 | size_t blen) | ||
1772 | { | ||
1773 | u_char *principals = NULL, *critical = NULL, *exts = NULL; | ||
1774 | u_char *sig_key = NULL, *sig = NULL; | ||
1775 | size_t signed_len, plen, clen, sklen, slen, kidlen, elen; | ||
1776 | struct sshbuf *tmp; | ||
1777 | char *principal; | ||
1778 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
1779 | int v00 = sshkey_cert_is_legacy(key); | ||
1780 | char **oprincipals; | ||
1781 | |||
1782 | if ((tmp = sshbuf_new()) == NULL) | ||
1783 | return SSH_ERR_ALLOC_FAIL; | ||
1784 | |||
1785 | /* Copy the entire key blob for verification and later serialisation */ | ||
1786 | if ((ret = sshbuf_put(key->cert->certblob, blob, blen)) != 0) | ||
1787 | return ret; | ||
1788 | |||
1789 | elen = 0; /* Not touched for v00 certs */ | ||
1790 | principals = exts = critical = sig_key = sig = NULL; | ||
1791 | if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) || | ||
1792 | (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || | ||
1793 | (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || | ||
1794 | (ret = sshbuf_get_string(b, &principals, &plen)) != 0 || | ||
1795 | (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || | ||
1796 | (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || | ||
1797 | (ret = sshbuf_get_string(b, &critical, &clen)) != 0 || | ||
1798 | (!v00 && (ret = sshbuf_get_string(b, &exts, &elen)) != 0) || | ||
1799 | (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) || | ||
1800 | (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || | ||
1801 | (ret = sshbuf_get_string(b, &sig_key, &sklen)) != 0) { | ||
1802 | /* XXX debug print error for ret */ | ||
1803 | ret = SSH_ERR_INVALID_FORMAT; | ||
1804 | goto out; | ||
1805 | } | ||
1806 | |||
1807 | /* Signature is left in the buffer so we can calculate this length */ | ||
1808 | signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); | ||
1809 | |||
1810 | if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { | ||
1811 | ret = SSH_ERR_INVALID_FORMAT; | ||
1812 | goto out; | ||
1813 | } | ||
1814 | |||
1815 | if (key->cert->type != SSH2_CERT_TYPE_USER && | ||
1816 | key->cert->type != SSH2_CERT_TYPE_HOST) { | ||
1817 | ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE; | ||
1818 | goto out; | ||
1819 | } | ||
1820 | |||
1821 | if ((ret = sshbuf_put(tmp, principals, plen)) != 0) | ||
1822 | goto out; | ||
1823 | while (sshbuf_len(tmp) > 0) { | ||
1824 | if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) { | ||
1825 | ret = SSH_ERR_INVALID_FORMAT; | ||
1826 | goto out; | ||
1827 | } | ||
1828 | if ((ret = sshbuf_get_cstring(tmp, &principal, &plen)) != 0) { | ||
1829 | ret = SSH_ERR_INVALID_FORMAT; | ||
1830 | goto out; | ||
1831 | } | ||
1832 | oprincipals = key->cert->principals; | ||
1833 | key->cert->principals = realloc(key->cert->principals, | ||
1834 | (key->cert->nprincipals + 1) * | ||
1835 | sizeof(*key->cert->principals)); | ||
1836 | if (key->cert->principals == NULL) { | ||
1837 | free(principal); | ||
1838 | key->cert->principals = oprincipals; | ||
1839 | ret = SSH_ERR_ALLOC_FAIL; | ||
1840 | goto out; | ||
1841 | } | ||
1842 | key->cert->principals[key->cert->nprincipals++] = principal; | ||
1843 | } | ||
1844 | |||
1845 | sshbuf_reset(tmp); | ||
1846 | |||
1847 | if ((ret = sshbuf_put(key->cert->critical, critical, clen)) != 0 || | ||
1848 | (ret = sshbuf_put(tmp, critical, clen)) != 0) | ||
1849 | goto out; | ||
1850 | |||
1851 | /* validate structure */ | ||
1852 | while (sshbuf_len(tmp) != 0) { | ||
1853 | if ((ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0 || | ||
1854 | (ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0) { | ||
1855 | ret = SSH_ERR_INVALID_FORMAT; | ||
1856 | goto out; | ||
1857 | } | ||
1858 | } | ||
1859 | sshbuf_reset(tmp); | ||
1860 | |||
1861 | if ((ret = sshbuf_put(key->cert->extensions, exts, elen)) != 0 || | ||
1862 | (ret = sshbuf_put(tmp, exts, elen)) != 0) | ||
1863 | goto out; | ||
1864 | |||
1865 | /* validate structure */ | ||
1866 | while (sshbuf_len(tmp) != 0) { | ||
1867 | if ((ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0 || | ||
1868 | (ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0) { | ||
1869 | ret = SSH_ERR_INVALID_FORMAT; | ||
1870 | goto out; | ||
1871 | } | ||
1872 | } | ||
1873 | sshbuf_reset(tmp); | ||
1874 | |||
1875 | if (sshkey_from_blob_internal(sig_key, sklen, | ||
1876 | &key->cert->signature_key, 0) != 0) { | ||
1877 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; | ||
1878 | goto out; | ||
1879 | } | ||
1880 | if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { | ||
1881 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; | ||
1882 | goto out; | ||
1883 | } | ||
1884 | |||
1885 | if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, | ||
1886 | sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0) | ||
1887 | goto out; | ||
1888 | ret = 0; | ||
1889 | |||
1890 | out: | ||
1891 | sshbuf_free(tmp); | ||
1892 | free(principals); | ||
1893 | free(critical); | ||
1894 | free(exts); | ||
1895 | free(sig_key); | ||
1896 | free(sig); | ||
1897 | return ret; | ||
1898 | } | ||
1899 | |||
1900 | static int | ||
1901 | sshkey_from_blob_internal(const u_char *blob, size_t blen, | ||
1902 | struct sshkey **keyp, int allow_cert) | ||
1903 | { | ||
1904 | struct sshbuf *b = NULL; | ||
1905 | int type, nid = -1, ret = SSH_ERR_INTERNAL_ERROR; | ||
1906 | char *ktype = NULL, *curve = NULL; | ||
1907 | struct sshkey *key = NULL; | ||
1908 | size_t len; | ||
1909 | u_char *pk = NULL; | ||
1910 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
1911 | EC_POINT *q = NULL; | ||
1912 | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ | ||
1913 | |||
1914 | #ifdef DEBUG_PK /* XXX */ | ||
1915 | dump_base64(stderr, blob, blen); | ||
1916 | #endif | ||
1917 | *keyp = NULL; | ||
1918 | if ((b = sshbuf_from(blob, blen)) == NULL) | ||
1919 | return SSH_ERR_ALLOC_FAIL; | ||
1920 | if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { | ||
1921 | ret = SSH_ERR_INVALID_FORMAT; | ||
1922 | goto out; | ||
1923 | } | ||
1924 | |||
1925 | type = sshkey_type_from_name(ktype); | ||
1926 | if (sshkey_type_plain(type) == KEY_ECDSA) | ||
1927 | nid = sshkey_ecdsa_nid_from_name(ktype); | ||
1928 | if (!allow_cert && sshkey_type_is_cert(type)) { | ||
1929 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; | ||
1930 | goto out; | ||
1931 | } | ||
1932 | switch (type) { | ||
1933 | #ifdef WITH_OPENSSL | ||
1934 | case KEY_RSA_CERT: | ||
1935 | if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { | ||
1936 | ret = SSH_ERR_INVALID_FORMAT; | ||
1937 | goto out; | ||
1938 | } | ||
1939 | /* FALLTHROUGH */ | ||
1940 | case KEY_RSA: | ||
1941 | case KEY_RSA_CERT_V00: | ||
1942 | if ((key = sshkey_new(type)) == NULL) { | ||
1943 | ret = SSH_ERR_ALLOC_FAIL; | ||
1944 | goto out; | ||
1945 | } | ||
1946 | if (sshbuf_get_bignum2(b, key->rsa->e) == -1 || | ||
1947 | sshbuf_get_bignum2(b, key->rsa->n) == -1) { | ||
1948 | ret = SSH_ERR_INVALID_FORMAT; | ||
1949 | goto out; | ||
1950 | } | ||
1951 | #ifdef DEBUG_PK | ||
1952 | RSA_print_fp(stderr, key->rsa, 8); | ||
1953 | #endif | ||
1954 | break; | ||
1955 | case KEY_DSA_CERT: | ||
1956 | if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { | ||
1957 | ret = SSH_ERR_INVALID_FORMAT; | ||
1958 | goto out; | ||
1959 | } | ||
1960 | /* FALLTHROUGH */ | ||
1961 | case KEY_DSA: | ||
1962 | case KEY_DSA_CERT_V00: | ||
1963 | if ((key = sshkey_new(type)) == NULL) { | ||
1964 | ret = SSH_ERR_ALLOC_FAIL; | ||
1965 | goto out; | ||
1966 | } | ||
1967 | if (sshbuf_get_bignum2(b, key->dsa->p) == -1 || | ||
1968 | sshbuf_get_bignum2(b, key->dsa->q) == -1 || | ||
1969 | sshbuf_get_bignum2(b, key->dsa->g) == -1 || | ||
1970 | sshbuf_get_bignum2(b, key->dsa->pub_key) == -1) { | ||
1971 | ret = SSH_ERR_INVALID_FORMAT; | ||
1972 | goto out; | ||
1973 | } | ||
1974 | #ifdef DEBUG_PK | ||
1975 | DSA_print_fp(stderr, key->dsa, 8); | ||
1976 | #endif | ||
1977 | break; | ||
1978 | case KEY_ECDSA_CERT: | ||
1979 | if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { | ||
1980 | ret = SSH_ERR_INVALID_FORMAT; | ||
1981 | goto out; | ||
1982 | } | ||
1983 | /* FALLTHROUGH */ | ||
1984 | # ifdef OPENSSL_HAS_ECC | ||
1985 | case KEY_ECDSA: | ||
1986 | if ((key = sshkey_new(type)) == NULL) { | ||
1987 | ret = SSH_ERR_ALLOC_FAIL; | ||
1988 | goto out; | ||
1989 | } | ||
1990 | key->ecdsa_nid = nid; | ||
1991 | if (sshbuf_get_cstring(b, &curve, NULL) != 0) { | ||
1992 | ret = SSH_ERR_INVALID_FORMAT; | ||
1993 | goto out; | ||
1994 | } | ||
1995 | if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { | ||
1996 | ret = SSH_ERR_EC_CURVE_MISMATCH; | ||
1997 | goto out; | ||
1998 | } | ||
1999 | if (key->ecdsa != NULL) | ||
2000 | EC_KEY_free(key->ecdsa); | ||
2001 | if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) | ||
2002 | == NULL) { | ||
2003 | ret = SSH_ERR_EC_CURVE_INVALID; | ||
2004 | goto out; | ||
2005 | } | ||
2006 | if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) { | ||
2007 | ret = SSH_ERR_ALLOC_FAIL; | ||
2008 | goto out; | ||
2009 | } | ||
2010 | if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { | ||
2011 | ret = SSH_ERR_INVALID_FORMAT; | ||
2012 | goto out; | ||
2013 | } | ||
2014 | if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), | ||
2015 | q) != 0) { | ||
2016 | ret = SSH_ERR_KEY_INVALID_EC_VALUE; | ||
2017 | goto out; | ||
2018 | } | ||
2019 | if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { | ||
2020 | /* XXX assume it is a allocation error */ | ||
2021 | ret = SSH_ERR_ALLOC_FAIL; | ||
2022 | goto out; | ||
2023 | } | ||
2024 | #ifdef DEBUG_PK | ||
2025 | sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); | ||
2026 | #endif | ||
2027 | break; | ||
2028 | # endif /* OPENSSL_HAS_ECC */ | ||
2029 | #endif /* WITH_OPENSSL */ | ||
2030 | case KEY_ED25519_CERT: | ||
2031 | if (sshbuf_get_string_direct(b, NULL, NULL) != 0) { | ||
2032 | ret = SSH_ERR_INVALID_FORMAT; | ||
2033 | goto out; | ||
2034 | } | ||
2035 | /* FALLTHROUGH */ | ||
2036 | case KEY_ED25519: | ||
2037 | if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) | ||
2038 | goto out; | ||
2039 | if (len != ED25519_PK_SZ) { | ||
2040 | ret = SSH_ERR_INVALID_FORMAT; | ||
2041 | goto out; | ||
2042 | } | ||
2043 | if ((key = sshkey_new(type)) == NULL) { | ||
2044 | ret = SSH_ERR_ALLOC_FAIL; | ||
2045 | goto out; | ||
2046 | } | ||
2047 | key->ed25519_pk = pk; | ||
2048 | pk = NULL; | ||
2049 | break; | ||
2050 | case KEY_UNSPEC: | ||
2051 | if ((key = sshkey_new(type)) == NULL) { | ||
2052 | ret = SSH_ERR_ALLOC_FAIL; | ||
2053 | goto out; | ||
2054 | } | ||
2055 | break; | ||
2056 | default: | ||
2057 | ret = SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2058 | goto out; | ||
2059 | } | ||
2060 | |||
2061 | /* Parse certificate potion */ | ||
2062 | if (sshkey_is_cert(key) && | ||
2063 | (ret = cert_parse(b, key, blob, blen)) != 0) | ||
2064 | goto out; | ||
2065 | |||
2066 | if (key != NULL && sshbuf_len(b) != 0) { | ||
2067 | ret = SSH_ERR_INVALID_FORMAT; | ||
2068 | goto out; | ||
2069 | } | ||
2070 | ret = 0; | ||
2071 | *keyp = key; | ||
2072 | key = NULL; | ||
2073 | out: | ||
2074 | sshbuf_free(b); | ||
2075 | sshkey_free(key); | ||
2076 | free(ktype); | ||
2077 | free(curve); | ||
2078 | free(pk); | ||
2079 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
2080 | if (q != NULL) | ||
2081 | EC_POINT_free(q); | ||
2082 | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ | ||
2083 | return ret; | ||
2084 | } | ||
2085 | |||
2086 | int | ||
2087 | sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) | ||
2088 | { | ||
2089 | return sshkey_from_blob_internal(blob, blen, keyp, 1); | ||
2090 | } | ||
2091 | |||
2092 | int | ||
2093 | sshkey_sign(const struct sshkey *key, | ||
2094 | u_char **sigp, size_t *lenp, | ||
2095 | const u_char *data, size_t datalen, u_int compat) | ||
2096 | { | ||
2097 | if (sigp != NULL) | ||
2098 | *sigp = NULL; | ||
2099 | if (lenp != NULL) | ||
2100 | *lenp = 0; | ||
2101 | if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) | ||
2102 | return SSH_ERR_INVALID_ARGUMENT; | ||
2103 | switch (key->type) { | ||
2104 | #ifdef WITH_OPENSSL | ||
2105 | case KEY_DSA_CERT_V00: | ||
2106 | case KEY_DSA_CERT: | ||
2107 | case KEY_DSA: | ||
2108 | return ssh_dss_sign(key, sigp, lenp, data, datalen, compat); | ||
2109 | # ifdef OPENSSL_HAS_ECC | ||
2110 | case KEY_ECDSA_CERT: | ||
2111 | case KEY_ECDSA: | ||
2112 | return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); | ||
2113 | # endif /* OPENSSL_HAS_ECC */ | ||
2114 | case KEY_RSA_CERT_V00: | ||
2115 | case KEY_RSA_CERT: | ||
2116 | case KEY_RSA: | ||
2117 | return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat); | ||
2118 | #endif /* WITH_OPENSSL */ | ||
2119 | case KEY_ED25519: | ||
2120 | case KEY_ED25519_CERT: | ||
2121 | return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); | ||
2122 | default: | ||
2123 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2124 | } | ||
2125 | } | ||
2126 | |||
2127 | /* | ||
2128 | * ssh_key_verify returns 0 for a correct signature and < 0 on error. | ||
2129 | */ | ||
2130 | int | ||
2131 | sshkey_verify(const struct sshkey *key, | ||
2132 | const u_char *sig, size_t siglen, | ||
2133 | const u_char *data, size_t dlen, u_int compat) | ||
2134 | { | ||
2135 | if (siglen == 0) | ||
2136 | return -1; | ||
2137 | |||
2138 | if (dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) | ||
2139 | return SSH_ERR_INVALID_ARGUMENT; | ||
2140 | switch (key->type) { | ||
2141 | #ifdef WITH_OPENSSL | ||
2142 | case KEY_DSA_CERT_V00: | ||
2143 | case KEY_DSA_CERT: | ||
2144 | case KEY_DSA: | ||
2145 | return ssh_dss_verify(key, sig, siglen, data, dlen, compat); | ||
2146 | # ifdef OPENSSL_HAS_ECC | ||
2147 | case KEY_ECDSA_CERT: | ||
2148 | case KEY_ECDSA: | ||
2149 | return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); | ||
2150 | # endif /* OPENSSL_HAS_ECC */ | ||
2151 | case KEY_RSA_CERT_V00: | ||
2152 | case KEY_RSA_CERT: | ||
2153 | case KEY_RSA: | ||
2154 | return ssh_rsa_verify(key, sig, siglen, data, dlen, compat); | ||
2155 | #endif /* WITH_OPENSSL */ | ||
2156 | case KEY_ED25519: | ||
2157 | case KEY_ED25519_CERT: | ||
2158 | return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); | ||
2159 | default: | ||
2160 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2161 | } | ||
2162 | } | ||
2163 | |||
2164 | /* Converts a private to a public key */ | ||
2165 | int | ||
2166 | sshkey_demote(const struct sshkey *k, struct sshkey **dkp) | ||
2167 | { | ||
2168 | struct sshkey *pk; | ||
2169 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
2170 | |||
2171 | if (dkp != NULL) | ||
2172 | *dkp = NULL; | ||
2173 | |||
2174 | if ((pk = calloc(1, sizeof(*pk))) == NULL) | ||
2175 | return SSH_ERR_ALLOC_FAIL; | ||
2176 | pk->type = k->type; | ||
2177 | pk->flags = k->flags; | ||
2178 | pk->ecdsa_nid = k->ecdsa_nid; | ||
2179 | pk->dsa = NULL; | ||
2180 | pk->ecdsa = NULL; | ||
2181 | pk->rsa = NULL; | ||
2182 | pk->ed25519_pk = NULL; | ||
2183 | pk->ed25519_sk = NULL; | ||
2184 | |||
2185 | switch (k->type) { | ||
2186 | #ifdef WITH_OPENSSL | ||
2187 | case KEY_RSA_CERT_V00: | ||
2188 | case KEY_RSA_CERT: | ||
2189 | if ((ret = sshkey_cert_copy(k, pk)) != 0) | ||
2190 | goto fail; | ||
2191 | /* FALLTHROUGH */ | ||
2192 | case KEY_RSA1: | ||
2193 | case KEY_RSA: | ||
2194 | if ((pk->rsa = RSA_new()) == NULL || | ||
2195 | (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || | ||
2196 | (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) { | ||
2197 | ret = SSH_ERR_ALLOC_FAIL; | ||
2198 | goto fail; | ||
2199 | } | ||
2200 | break; | ||
2201 | case KEY_DSA_CERT_V00: | ||
2202 | case KEY_DSA_CERT: | ||
2203 | if ((ret = sshkey_cert_copy(k, pk)) != 0) | ||
2204 | goto fail; | ||
2205 | /* FALLTHROUGH */ | ||
2206 | case KEY_DSA: | ||
2207 | if ((pk->dsa = DSA_new()) == NULL || | ||
2208 | (pk->dsa->p = BN_dup(k->dsa->p)) == NULL || | ||
2209 | (pk->dsa->q = BN_dup(k->dsa->q)) == NULL || | ||
2210 | (pk->dsa->g = BN_dup(k->dsa->g)) == NULL || | ||
2211 | (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) { | ||
2212 | ret = SSH_ERR_ALLOC_FAIL; | ||
2213 | goto fail; | ||
2214 | } | ||
2215 | break; | ||
2216 | case KEY_ECDSA_CERT: | ||
2217 | if ((ret = sshkey_cert_copy(k, pk)) != 0) | ||
2218 | goto fail; | ||
2219 | /* FALLTHROUGH */ | ||
2220 | # ifdef OPENSSL_HAS_ECC | ||
2221 | case KEY_ECDSA: | ||
2222 | pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid); | ||
2223 | if (pk->ecdsa == NULL) { | ||
2224 | ret = SSH_ERR_ALLOC_FAIL; | ||
2225 | goto fail; | ||
2226 | } | ||
2227 | if (EC_KEY_set_public_key(pk->ecdsa, | ||
2228 | EC_KEY_get0_public_key(k->ecdsa)) != 1) { | ||
2229 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
2230 | goto fail; | ||
2231 | } | ||
2232 | break; | ||
2233 | # endif /* OPENSSL_HAS_ECC */ | ||
2234 | #endif /* WITH_OPENSSL */ | ||
2235 | case KEY_ED25519_CERT: | ||
2236 | if ((ret = sshkey_cert_copy(k, pk)) != 0) | ||
2237 | goto fail; | ||
2238 | /* FALLTHROUGH */ | ||
2239 | case KEY_ED25519: | ||
2240 | if (k->ed25519_pk != NULL) { | ||
2241 | if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { | ||
2242 | ret = SSH_ERR_ALLOC_FAIL; | ||
2243 | goto fail; | ||
2244 | } | ||
2245 | memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); | ||
2246 | } | ||
2247 | break; | ||
2248 | default: | ||
2249 | ret = SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2250 | fail: | ||
2251 | sshkey_free(pk); | ||
2252 | return ret; | ||
2253 | } | ||
2254 | *dkp = pk; | ||
2255 | return 0; | ||
2256 | } | ||
2257 | |||
2258 | /* Convert a plain key to their _CERT equivalent */ | ||
2259 | int | ||
2260 | sshkey_to_certified(struct sshkey *k, int legacy) | ||
2261 | { | ||
2262 | int newtype; | ||
2263 | |||
2264 | switch (k->type) { | ||
2265 | #ifdef WITH_OPENSSL | ||
2266 | case KEY_RSA: | ||
2267 | newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; | ||
2268 | break; | ||
2269 | case KEY_DSA: | ||
2270 | newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; | ||
2271 | break; | ||
2272 | case KEY_ECDSA: | ||
2273 | if (legacy) | ||
2274 | return SSH_ERR_INVALID_ARGUMENT; | ||
2275 | newtype = KEY_ECDSA_CERT; | ||
2276 | break; | ||
2277 | #endif /* WITH_OPENSSL */ | ||
2278 | case KEY_ED25519: | ||
2279 | if (legacy) | ||
2280 | return SSH_ERR_INVALID_ARGUMENT; | ||
2281 | newtype = KEY_ED25519_CERT; | ||
2282 | break; | ||
2283 | default: | ||
2284 | return SSH_ERR_INVALID_ARGUMENT; | ||
2285 | } | ||
2286 | if ((k->cert = cert_new()) == NULL) | ||
2287 | return SSH_ERR_ALLOC_FAIL; | ||
2288 | k->type = newtype; | ||
2289 | return 0; | ||
2290 | } | ||
2291 | |||
2292 | /* Convert a certificate to its raw key equivalent */ | ||
2293 | int | ||
2294 | sshkey_drop_cert(struct sshkey *k) | ||
2295 | { | ||
2296 | if (!sshkey_type_is_cert(k->type)) | ||
2297 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2298 | cert_free(k->cert); | ||
2299 | k->cert = NULL; | ||
2300 | k->type = sshkey_type_plain(k->type); | ||
2301 | return 0; | ||
2302 | } | ||
2303 | |||
2304 | /* Sign a certified key, (re-)generating the signed certblob. */ | ||
2305 | int | ||
2306 | sshkey_certify(struct sshkey *k, struct sshkey *ca) | ||
2307 | { | ||
2308 | struct sshbuf *principals = NULL; | ||
2309 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; | ||
2310 | size_t i, ca_len, sig_len; | ||
2311 | int ret = SSH_ERR_INTERNAL_ERROR; | ||
2312 | struct sshbuf *cert; | ||
2313 | |||
2314 | if (k == NULL || k->cert == NULL || | ||
2315 | k->cert->certblob == NULL || ca == NULL) | ||
2316 | return SSH_ERR_INVALID_ARGUMENT; | ||
2317 | if (!sshkey_is_cert(k)) | ||
2318 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2319 | if (!sshkey_type_is_valid_ca(ca->type)) | ||
2320 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; | ||
2321 | |||
2322 | if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) | ||
2323 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY; | ||
2324 | |||
2325 | cert = k->cert->certblob; /* for readability */ | ||
2326 | sshbuf_reset(cert); | ||
2327 | if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) | ||
2328 | goto out; | ||
2329 | |||
2330 | /* -v01 certs put nonce first */ | ||
2331 | arc4random_buf(&nonce, sizeof(nonce)); | ||
2332 | if (!sshkey_cert_is_legacy(k)) { | ||
2333 | if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) | ||
2334 | goto out; | ||
2335 | } | ||
2336 | |||
2337 | /* XXX this substantially duplicates to_blob(); refactor */ | ||
2338 | switch (k->type) { | ||
2339 | #ifdef WITH_OPENSSL | ||
2340 | case KEY_DSA_CERT_V00: | ||
2341 | case KEY_DSA_CERT: | ||
2342 | if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 || | ||
2343 | (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 || | ||
2344 | (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 || | ||
2345 | (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0) | ||
2346 | goto out; | ||
2347 | break; | ||
2348 | # ifdef OPENSSL_HAS_ECC | ||
2349 | case KEY_ECDSA_CERT: | ||
2350 | if ((ret = sshbuf_put_cstring(cert, | ||
2351 | sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || | ||
2352 | (ret = sshbuf_put_ec(cert, | ||
2353 | EC_KEY_get0_public_key(k->ecdsa), | ||
2354 | EC_KEY_get0_group(k->ecdsa))) != 0) | ||
2355 | goto out; | ||
2356 | break; | ||
2357 | # endif /* OPENSSL_HAS_ECC */ | ||
2358 | case KEY_RSA_CERT_V00: | ||
2359 | case KEY_RSA_CERT: | ||
2360 | if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 || | ||
2361 | (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0) | ||
2362 | goto out; | ||
2363 | break; | ||
2364 | #endif /* WITH_OPENSSL */ | ||
2365 | case KEY_ED25519_CERT: | ||
2366 | if ((ret = sshbuf_put_string(cert, | ||
2367 | k->ed25519_pk, ED25519_PK_SZ)) != 0) | ||
2368 | goto out; | ||
2369 | break; | ||
2370 | default: | ||
2371 | ret = SSH_ERR_INVALID_ARGUMENT; | ||
2372 | } | ||
2373 | |||
2374 | /* -v01 certs have a serial number next */ | ||
2375 | if (!sshkey_cert_is_legacy(k)) { | ||
2376 | if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0) | ||
2377 | goto out; | ||
2378 | } | ||
2379 | |||
2380 | if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || | ||
2381 | (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) | ||
2382 | goto out; | ||
2383 | |||
2384 | if ((principals = sshbuf_new()) == NULL) { | ||
2385 | ret = SSH_ERR_ALLOC_FAIL; | ||
2386 | goto out; | ||
2387 | } | ||
2388 | for (i = 0; i < k->cert->nprincipals; i++) { | ||
2389 | if ((ret = sshbuf_put_cstring(principals, | ||
2390 | k->cert->principals[i])) != 0) | ||
2391 | goto out; | ||
2392 | } | ||
2393 | if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || | ||
2394 | (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || | ||
2395 | (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || | ||
2396 | (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0) | ||
2397 | goto out; | ||
2398 | |||
2399 | /* -v01 certs have non-critical options here */ | ||
2400 | if (!sshkey_cert_is_legacy(k)) { | ||
2401 | if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0) | ||
2402 | goto out; | ||
2403 | } | ||
2404 | |||
2405 | /* -v00 certs put the nonce at the end */ | ||
2406 | if (sshkey_cert_is_legacy(k)) { | ||
2407 | if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) | ||
2408 | goto out; | ||
2409 | } | ||
2410 | |||
2411 | if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */ | ||
2412 | (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) | ||
2413 | goto out; | ||
2414 | |||
2415 | /* Sign the whole mess */ | ||
2416 | if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | ||
2417 | sshbuf_len(cert), 0)) != 0) | ||
2418 | goto out; | ||
2419 | |||
2420 | /* Append signature and we are done */ | ||
2421 | if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) | ||
2422 | goto out; | ||
2423 | ret = 0; | ||
2424 | out: | ||
2425 | if (ret != 0) | ||
2426 | sshbuf_reset(cert); | ||
2427 | if (sig_blob != NULL) | ||
2428 | free(sig_blob); | ||
2429 | if (ca_blob != NULL) | ||
2430 | free(ca_blob); | ||
2431 | if (principals != NULL) | ||
2432 | sshbuf_free(principals); | ||
2433 | return ret; | ||
2434 | } | ||
2435 | |||
2436 | int | ||
2437 | sshkey_cert_check_authority(const struct sshkey *k, | ||
2438 | int want_host, int require_principal, | ||
2439 | const char *name, const char **reason) | ||
2440 | { | ||
2441 | u_int i, principal_matches; | ||
2442 | time_t now = time(NULL); | ||
2443 | |||
2444 | if (reason != NULL) | ||
2445 | *reason = NULL; | ||
2446 | |||
2447 | if (want_host) { | ||
2448 | if (k->cert->type != SSH2_CERT_TYPE_HOST) { | ||
2449 | *reason = "Certificate invalid: not a host certificate"; | ||
2450 | return SSH_ERR_KEY_CERT_INVALID; | ||
2451 | } | ||
2452 | } else { | ||
2453 | if (k->cert->type != SSH2_CERT_TYPE_USER) { | ||
2454 | *reason = "Certificate invalid: not a user certificate"; | ||
2455 | return SSH_ERR_KEY_CERT_INVALID; | ||
2456 | } | ||
2457 | } | ||
2458 | if (now < 0) { | ||
2459 | /* yikes - system clock before epoch! */ | ||
2460 | *reason = "Certificate invalid: not yet valid"; | ||
2461 | return SSH_ERR_KEY_CERT_INVALID; | ||
2462 | } | ||
2463 | if ((u_int64_t)now < k->cert->valid_after) { | ||
2464 | *reason = "Certificate invalid: not yet valid"; | ||
2465 | return SSH_ERR_KEY_CERT_INVALID; | ||
2466 | } | ||
2467 | if ((u_int64_t)now >= k->cert->valid_before) { | ||
2468 | *reason = "Certificate invalid: expired"; | ||
2469 | return SSH_ERR_KEY_CERT_INVALID; | ||
2470 | } | ||
2471 | if (k->cert->nprincipals == 0) { | ||
2472 | if (require_principal) { | ||
2473 | *reason = "Certificate lacks principal list"; | ||
2474 | return SSH_ERR_KEY_CERT_INVALID; | ||
2475 | } | ||
2476 | } else if (name != NULL) { | ||
2477 | principal_matches = 0; | ||
2478 | for (i = 0; i < k->cert->nprincipals; i++) { | ||
2479 | if (strcmp(name, k->cert->principals[i]) == 0) { | ||
2480 | principal_matches = 1; | ||
2481 | break; | ||
2482 | } | ||
2483 | } | ||
2484 | if (!principal_matches) { | ||
2485 | *reason = "Certificate invalid: name is not a listed " | ||
2486 | "principal"; | ||
2487 | return SSH_ERR_KEY_CERT_INVALID; | ||
2488 | } | ||
2489 | } | ||
2490 | return 0; | ||
2491 | } | ||
2492 | |||
2493 | int | ||
2494 | sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b) | ||
2495 | { | ||
2496 | int r = SSH_ERR_INTERNAL_ERROR; | ||
2497 | |||
2498 | if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) | ||
2499 | goto out; | ||
2500 | switch (key->type) { | ||
2501 | #ifdef WITH_OPENSSL | ||
2502 | case KEY_RSA: | ||
2503 | if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 || | ||
2504 | (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 || | ||
2505 | (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || | ||
2506 | (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || | ||
2507 | (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || | ||
2508 | (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) | ||
2509 | goto out; | ||
2510 | break; | ||
2511 | case KEY_RSA_CERT_V00: | ||
2512 | case KEY_RSA_CERT: | ||
2513 | if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { | ||
2514 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2515 | goto out; | ||
2516 | } | ||
2517 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || | ||
2518 | (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 || | ||
2519 | (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 || | ||
2520 | (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 || | ||
2521 | (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0) | ||
2522 | goto out; | ||
2523 | break; | ||
2524 | case KEY_DSA: | ||
2525 | if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 || | ||
2526 | (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 || | ||
2527 | (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 || | ||
2528 | (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 || | ||
2529 | (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) | ||
2530 | goto out; | ||
2531 | break; | ||
2532 | case KEY_DSA_CERT_V00: | ||
2533 | case KEY_DSA_CERT: | ||
2534 | if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { | ||
2535 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2536 | goto out; | ||
2537 | } | ||
2538 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || | ||
2539 | (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0) | ||
2540 | goto out; | ||
2541 | break; | ||
2542 | # ifdef OPENSSL_HAS_ECC | ||
2543 | case KEY_ECDSA: | ||
2544 | if ((r = sshbuf_put_cstring(b, | ||
2545 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || | ||
2546 | (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || | ||
2547 | (r = sshbuf_put_bignum2(b, | ||
2548 | EC_KEY_get0_private_key(key->ecdsa))) != 0) | ||
2549 | goto out; | ||
2550 | break; | ||
2551 | case KEY_ECDSA_CERT: | ||
2552 | if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { | ||
2553 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2554 | goto out; | ||
2555 | } | ||
2556 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || | ||
2557 | (r = sshbuf_put_bignum2(b, | ||
2558 | EC_KEY_get0_private_key(key->ecdsa))) != 0) | ||
2559 | goto out; | ||
2560 | break; | ||
2561 | # endif /* OPENSSL_HAS_ECC */ | ||
2562 | #endif /* WITH_OPENSSL */ | ||
2563 | case KEY_ED25519: | ||
2564 | if ((r = sshbuf_put_string(b, key->ed25519_pk, | ||
2565 | ED25519_PK_SZ)) != 0 || | ||
2566 | (r = sshbuf_put_string(b, key->ed25519_sk, | ||
2567 | ED25519_SK_SZ)) != 0) | ||
2568 | goto out; | ||
2569 | break; | ||
2570 | case KEY_ED25519_CERT: | ||
2571 | if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) { | ||
2572 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2573 | goto out; | ||
2574 | } | ||
2575 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || | ||
2576 | (r = sshbuf_put_string(b, key->ed25519_pk, | ||
2577 | ED25519_PK_SZ)) != 0 || | ||
2578 | (r = sshbuf_put_string(b, key->ed25519_sk, | ||
2579 | ED25519_SK_SZ)) != 0) | ||
2580 | goto out; | ||
2581 | break; | ||
2582 | default: | ||
2583 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2584 | goto out; | ||
2585 | } | ||
2586 | /* success */ | ||
2587 | r = 0; | ||
2588 | out: | ||
2589 | return r; | ||
2590 | } | ||
2591 | |||
2592 | int | ||
2593 | sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) | ||
2594 | { | ||
2595 | char *tname = NULL, *curve = NULL; | ||
2596 | struct sshkey *k = NULL; | ||
2597 | const u_char *cert; | ||
2598 | size_t len, pklen = 0, sklen = 0; | ||
2599 | int type, r = SSH_ERR_INTERNAL_ERROR; | ||
2600 | u_char *ed25519_pk = NULL, *ed25519_sk = NULL; | ||
2601 | #ifdef WITH_OPENSSL | ||
2602 | BIGNUM *exponent = NULL; | ||
2603 | #endif /* WITH_OPENSSL */ | ||
2604 | |||
2605 | if (kp != NULL) | ||
2606 | *kp = NULL; | ||
2607 | if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0) | ||
2608 | goto out; | ||
2609 | type = sshkey_type_from_name(tname); | ||
2610 | switch (type) { | ||
2611 | #ifdef WITH_OPENSSL | ||
2612 | case KEY_DSA: | ||
2613 | if ((k = sshkey_new_private(type)) == NULL) { | ||
2614 | r = SSH_ERR_ALLOC_FAIL; | ||
2615 | goto out; | ||
2616 | } | ||
2617 | if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 || | ||
2618 | (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 || | ||
2619 | (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 || | ||
2620 | (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 || | ||
2621 | (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) | ||
2622 | goto out; | ||
2623 | break; | ||
2624 | case KEY_DSA_CERT_V00: | ||
2625 | case KEY_DSA_CERT: | ||
2626 | if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || | ||
2627 | (r = sshkey_from_blob(cert, len, &k)) != 0 || | ||
2628 | (r = sshkey_add_private(k)) != 0 || | ||
2629 | (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0) | ||
2630 | goto out; | ||
2631 | break; | ||
2632 | # ifdef OPENSSL_HAS_ECC | ||
2633 | case KEY_ECDSA: | ||
2634 | if ((k = sshkey_new_private(type)) == NULL) { | ||
2635 | r = SSH_ERR_ALLOC_FAIL; | ||
2636 | goto out; | ||
2637 | } | ||
2638 | if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { | ||
2639 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2640 | goto out; | ||
2641 | } | ||
2642 | if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0) | ||
2643 | goto out; | ||
2644 | if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { | ||
2645 | r = SSH_ERR_EC_CURVE_MISMATCH; | ||
2646 | goto out; | ||
2647 | } | ||
2648 | k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); | ||
2649 | if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) { | ||
2650 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
2651 | goto out; | ||
2652 | } | ||
2653 | if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || | ||
2654 | (r = sshbuf_get_bignum2(buf, exponent))) | ||
2655 | goto out; | ||
2656 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { | ||
2657 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
2658 | goto out; | ||
2659 | } | ||
2660 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
2661 | EC_KEY_get0_public_key(k->ecdsa)) != 0) || | ||
2662 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) | ||
2663 | goto out; | ||
2664 | break; | ||
2665 | case KEY_ECDSA_CERT: | ||
2666 | if ((exponent = BN_new()) == NULL) { | ||
2667 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
2668 | goto out; | ||
2669 | } | ||
2670 | if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || | ||
2671 | (r = sshkey_from_blob(cert, len, &k)) != 0 || | ||
2672 | (r = sshkey_add_private(k)) != 0 || | ||
2673 | (r = sshbuf_get_bignum2(buf, exponent)) != 0) | ||
2674 | goto out; | ||
2675 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { | ||
2676 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
2677 | goto out; | ||
2678 | } | ||
2679 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
2680 | EC_KEY_get0_public_key(k->ecdsa)) != 0) || | ||
2681 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) | ||
2682 | goto out; | ||
2683 | break; | ||
2684 | # endif /* OPENSSL_HAS_ECC */ | ||
2685 | case KEY_RSA: | ||
2686 | if ((k = sshkey_new_private(type)) == NULL) { | ||
2687 | r = SSH_ERR_ALLOC_FAIL; | ||
2688 | goto out; | ||
2689 | } | ||
2690 | if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 || | ||
2691 | (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 || | ||
2692 | (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 || | ||
2693 | (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 || | ||
2694 | (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 || | ||
2695 | (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 || | ||
2696 | (r = rsa_generate_additional_parameters(k->rsa)) != 0) | ||
2697 | goto out; | ||
2698 | break; | ||
2699 | case KEY_RSA_CERT_V00: | ||
2700 | case KEY_RSA_CERT: | ||
2701 | if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || | ||
2702 | (r = sshkey_from_blob(cert, len, &k)) != 0 || | ||
2703 | (r = sshkey_add_private(k)) != 0 || | ||
2704 | (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) || | ||
2705 | (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) || | ||
2706 | (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) || | ||
2707 | (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) || | ||
2708 | (r = rsa_generate_additional_parameters(k->rsa)) != 0) | ||
2709 | goto out; | ||
2710 | break; | ||
2711 | #endif /* WITH_OPENSSL */ | ||
2712 | case KEY_ED25519: | ||
2713 | if ((k = sshkey_new_private(type)) == NULL) { | ||
2714 | r = SSH_ERR_ALLOC_FAIL; | ||
2715 | goto out; | ||
2716 | } | ||
2717 | if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || | ||
2718 | (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) | ||
2719 | goto out; | ||
2720 | if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { | ||
2721 | r = SSH_ERR_INVALID_FORMAT; | ||
2722 | goto out; | ||
2723 | } | ||
2724 | k->ed25519_pk = ed25519_pk; | ||
2725 | k->ed25519_sk = ed25519_sk; | ||
2726 | ed25519_pk = ed25519_sk = NULL; | ||
2727 | break; | ||
2728 | case KEY_ED25519_CERT: | ||
2729 | if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 || | ||
2730 | (r = sshkey_from_blob(cert, len, &k)) != 0 || | ||
2731 | (r = sshkey_add_private(k)) != 0 || | ||
2732 | (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || | ||
2733 | (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) | ||
2734 | goto out; | ||
2735 | if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { | ||
2736 | r = SSH_ERR_INVALID_FORMAT; | ||
2737 | goto out; | ||
2738 | } | ||
2739 | k->ed25519_pk = ed25519_pk; | ||
2740 | k->ed25519_sk = ed25519_sk; | ||
2741 | ed25519_pk = ed25519_sk = NULL; | ||
2742 | break; | ||
2743 | default: | ||
2744 | r = SSH_ERR_KEY_TYPE_UNKNOWN; | ||
2745 | goto out; | ||
2746 | } | ||
2747 | #ifdef WITH_OPENSSL | ||
2748 | /* enable blinding */ | ||
2749 | switch (k->type) { | ||
2750 | case KEY_RSA: | ||
2751 | case KEY_RSA_CERT_V00: | ||
2752 | case KEY_RSA_CERT: | ||
2753 | case KEY_RSA1: | ||
2754 | if (RSA_blinding_on(k->rsa, NULL) != 1) { | ||
2755 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
2756 | goto out; | ||
2757 | } | ||
2758 | break; | ||
2759 | } | ||
2760 | #endif /* WITH_OPENSSL */ | ||
2761 | /* success */ | ||
2762 | r = 0; | ||
2763 | if (kp != NULL) { | ||
2764 | *kp = k; | ||
2765 | k = NULL; | ||
2766 | } | ||
2767 | out: | ||
2768 | free(tname); | ||
2769 | free(curve); | ||
2770 | #ifdef WITH_OPENSSL | ||
2771 | if (exponent != NULL) | ||
2772 | BN_clear_free(exponent); | ||
2773 | #endif /* WITH_OPENSSL */ | ||
2774 | sshkey_free(k); | ||
2775 | if (ed25519_pk != NULL) { | ||
2776 | explicit_bzero(ed25519_pk, pklen); | ||
2777 | free(ed25519_pk); | ||
2778 | } | ||
2779 | if (ed25519_sk != NULL) { | ||
2780 | explicit_bzero(ed25519_sk, sklen); | ||
2781 | free(ed25519_sk); | ||
2782 | } | ||
2783 | return r; | ||
2784 | } | ||
2785 | |||
2786 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
2787 | int | ||
2788 | sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) | ||
2789 | { | ||
2790 | BN_CTX *bnctx; | ||
2791 | EC_POINT *nq = NULL; | ||
2792 | BIGNUM *order, *x, *y, *tmp; | ||
2793 | int ret = SSH_ERR_KEY_INVALID_EC_VALUE; | ||
2794 | |||
2795 | if ((bnctx = BN_CTX_new()) == NULL) | ||
2796 | return SSH_ERR_ALLOC_FAIL; | ||
2797 | BN_CTX_start(bnctx); | ||
2798 | |||
2799 | /* | ||
2800 | * We shouldn't ever hit this case because bignum_get_ecpoint() | ||
2801 | * refuses to load GF2m points. | ||
2802 | */ | ||
2803 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != | ||
2804 | NID_X9_62_prime_field) | ||
2805 | goto out; | ||
2806 | |||
2807 | /* Q != infinity */ | ||
2808 | if (EC_POINT_is_at_infinity(group, public)) | ||
2809 | goto out; | ||
2810 | |||
2811 | if ((x = BN_CTX_get(bnctx)) == NULL || | ||
2812 | (y = BN_CTX_get(bnctx)) == NULL || | ||
2813 | (order = BN_CTX_get(bnctx)) == NULL || | ||
2814 | (tmp = BN_CTX_get(bnctx)) == NULL) { | ||
2815 | ret = SSH_ERR_ALLOC_FAIL; | ||
2816 | goto out; | ||
2817 | } | ||
2818 | |||
2819 | /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ | ||
2820 | if (EC_GROUP_get_order(group, order, bnctx) != 1 || | ||
2821 | EC_POINT_get_affine_coordinates_GFp(group, public, | ||
2822 | x, y, bnctx) != 1) { | ||
2823 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
2824 | goto out; | ||
2825 | } | ||
2826 | if (BN_num_bits(x) <= BN_num_bits(order) / 2 || | ||
2827 | BN_num_bits(y) <= BN_num_bits(order) / 2) | ||
2828 | goto out; | ||
2829 | |||
2830 | /* nQ == infinity (n == order of subgroup) */ | ||
2831 | if ((nq = EC_POINT_new(group)) == NULL) { | ||
2832 | ret = SSH_ERR_ALLOC_FAIL; | ||
2833 | goto out; | ||
2834 | } | ||
2835 | if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) { | ||
2836 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
2837 | goto out; | ||
2838 | } | ||
2839 | if (EC_POINT_is_at_infinity(group, nq) != 1) | ||
2840 | goto out; | ||
2841 | |||
2842 | /* x < order - 1, y < order - 1 */ | ||
2843 | if (!BN_sub(tmp, order, BN_value_one())) { | ||
2844 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
2845 | goto out; | ||
2846 | } | ||
2847 | if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) | ||
2848 | goto out; | ||
2849 | ret = 0; | ||
2850 | out: | ||
2851 | BN_CTX_free(bnctx); | ||
2852 | if (nq != NULL) | ||
2853 | EC_POINT_free(nq); | ||
2854 | return ret; | ||
2855 | } | ||
2856 | |||
2857 | int | ||
2858 | sshkey_ec_validate_private(const EC_KEY *key) | ||
2859 | { | ||
2860 | BN_CTX *bnctx; | ||
2861 | BIGNUM *order, *tmp; | ||
2862 | int ret = SSH_ERR_KEY_INVALID_EC_VALUE; | ||
2863 | |||
2864 | if ((bnctx = BN_CTX_new()) == NULL) | ||
2865 | return SSH_ERR_ALLOC_FAIL; | ||
2866 | BN_CTX_start(bnctx); | ||
2867 | |||
2868 | if ((order = BN_CTX_get(bnctx)) == NULL || | ||
2869 | (tmp = BN_CTX_get(bnctx)) == NULL) { | ||
2870 | ret = SSH_ERR_ALLOC_FAIL; | ||
2871 | goto out; | ||
2872 | } | ||
2873 | |||
2874 | /* log2(private) > log2(order)/2 */ | ||
2875 | if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) { | ||
2876 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
2877 | goto out; | ||
2878 | } | ||
2879 | if (BN_num_bits(EC_KEY_get0_private_key(key)) <= | ||
2880 | BN_num_bits(order) / 2) | ||
2881 | goto out; | ||
2882 | |||
2883 | /* private < order - 1 */ | ||
2884 | if (!BN_sub(tmp, order, BN_value_one())) { | ||
2885 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
2886 | goto out; | ||
2887 | } | ||
2888 | if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) | ||
2889 | goto out; | ||
2890 | ret = 0; | ||
2891 | out: | ||
2892 | BN_CTX_free(bnctx); | ||
2893 | return ret; | ||
2894 | } | ||
2895 | |||
2896 | void | ||
2897 | sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) | ||
2898 | { | ||
2899 | BIGNUM *x, *y; | ||
2900 | BN_CTX *bnctx; | ||
2901 | |||
2902 | if (point == NULL) { | ||
2903 | fputs("point=(NULL)\n", stderr); | ||
2904 | return; | ||
2905 | } | ||
2906 | if ((bnctx = BN_CTX_new()) == NULL) { | ||
2907 | fprintf(stderr, "%s: BN_CTX_new failed\n", __func__); | ||
2908 | return; | ||
2909 | } | ||
2910 | BN_CTX_start(bnctx); | ||
2911 | if ((x = BN_CTX_get(bnctx)) == NULL || | ||
2912 | (y = BN_CTX_get(bnctx)) == NULL) { | ||
2913 | fprintf(stderr, "%s: BN_CTX_get failed\n", __func__); | ||
2914 | return; | ||
2915 | } | ||
2916 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != | ||
2917 | NID_X9_62_prime_field) { | ||
2918 | fprintf(stderr, "%s: group is not a prime field\n", __func__); | ||
2919 | return; | ||
2920 | } | ||
2921 | if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, | ||
2922 | bnctx) != 1) { | ||
2923 | fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", | ||
2924 | __func__); | ||
2925 | return; | ||
2926 | } | ||
2927 | fputs("x=", stderr); | ||
2928 | BN_print_fp(stderr, x); | ||
2929 | fputs("\ny=", stderr); | ||
2930 | BN_print_fp(stderr, y); | ||
2931 | fputs("\n", stderr); | ||
2932 | BN_CTX_free(bnctx); | ||
2933 | } | ||
2934 | |||
2935 | void | ||
2936 | sshkey_dump_ec_key(const EC_KEY *key) | ||
2937 | { | ||
2938 | const BIGNUM *exponent; | ||
2939 | |||
2940 | sshkey_dump_ec_point(EC_KEY_get0_group(key), | ||
2941 | EC_KEY_get0_public_key(key)); | ||
2942 | fputs("exponent=", stderr); | ||
2943 | if ((exponent = EC_KEY_get0_private_key(key)) == NULL) | ||
2944 | fputs("(NULL)", stderr); | ||
2945 | else | ||
2946 | BN_print_fp(stderr, EC_KEY_get0_private_key(key)); | ||
2947 | fputs("\n", stderr); | ||
2948 | } | ||
2949 | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ | ||
2950 | |||
2951 | static int | ||
2952 | sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob, | ||
2953 | const char *passphrase, const char *comment, const char *ciphername, | ||
2954 | int rounds) | ||
2955 | { | ||
2956 | u_char *cp, *b64 = NULL, *key = NULL, *pubkeyblob = NULL; | ||
2957 | u_char salt[SALT_LEN]; | ||
2958 | size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; | ||
2959 | u_int check; | ||
2960 | int r = SSH_ERR_INTERNAL_ERROR; | ||
2961 | struct sshcipher_ctx ciphercontext; | ||
2962 | const struct sshcipher *cipher; | ||
2963 | const char *kdfname = KDFNAME; | ||
2964 | struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL; | ||
2965 | |||
2966 | memset(&ciphercontext, 0, sizeof(ciphercontext)); | ||
2967 | |||
2968 | if (rounds <= 0) | ||
2969 | rounds = DEFAULT_ROUNDS; | ||
2970 | if (passphrase == NULL || !strlen(passphrase)) { | ||
2971 | ciphername = "none"; | ||
2972 | kdfname = "none"; | ||
2973 | } else if (ciphername == NULL) | ||
2974 | ciphername = DEFAULT_CIPHERNAME; | ||
2975 | else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) { | ||
2976 | r = SSH_ERR_INVALID_ARGUMENT; | ||
2977 | goto out; | ||
2978 | } | ||
2979 | if ((cipher = cipher_by_name(ciphername)) == NULL) { | ||
2980 | r = SSH_ERR_INTERNAL_ERROR; | ||
2981 | goto out; | ||
2982 | } | ||
2983 | |||
2984 | if ((kdf = sshbuf_new()) == NULL || | ||
2985 | (encoded = sshbuf_new()) == NULL || | ||
2986 | (encrypted = sshbuf_new()) == NULL) { | ||
2987 | r = SSH_ERR_ALLOC_FAIL; | ||
2988 | goto out; | ||
2989 | } | ||
2990 | blocksize = cipher_blocksize(cipher); | ||
2991 | keylen = cipher_keylen(cipher); | ||
2992 | ivlen = cipher_ivlen(cipher); | ||
2993 | authlen = cipher_authlen(cipher); | ||
2994 | if ((key = calloc(1, keylen + ivlen)) == NULL) { | ||
2995 | r = SSH_ERR_ALLOC_FAIL; | ||
2996 | goto out; | ||
2997 | } | ||
2998 | if (strcmp(kdfname, "bcrypt") == 0) { | ||
2999 | arc4random_buf(salt, SALT_LEN); | ||
3000 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), | ||
3001 | salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) { | ||
3002 | r = SSH_ERR_INVALID_ARGUMENT; | ||
3003 | goto out; | ||
3004 | } | ||
3005 | if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 || | ||
3006 | (r = sshbuf_put_u32(kdf, rounds)) != 0) | ||
3007 | goto out; | ||
3008 | } else if (strcmp(kdfname, "none") != 0) { | ||
3009 | /* Unsupported KDF type */ | ||
3010 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; | ||
3011 | goto out; | ||
3012 | } | ||
3013 | if ((r = cipher_init(&ciphercontext, cipher, key, keylen, | ||
3014 | key + keylen, ivlen, 1)) != 0) | ||
3015 | goto out; | ||
3016 | |||
3017 | if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 || | ||
3018 | (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || | ||
3019 | (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || | ||
3020 | (r = sshbuf_put_stringb(encoded, kdf)) != 0 || | ||
3021 | (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ | ||
3022 | (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || | ||
3023 | (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) | ||
3024 | goto out; | ||
3025 | |||
3026 | /* set up the buffer that will be encrypted */ | ||
3027 | |||
3028 | /* Random check bytes */ | ||
3029 | check = arc4random(); | ||
3030 | if ((r = sshbuf_put_u32(encrypted, check)) != 0 || | ||
3031 | (r = sshbuf_put_u32(encrypted, check)) != 0) | ||
3032 | goto out; | ||
3033 | |||
3034 | /* append private key and comment*/ | ||
3035 | if ((r = sshkey_private_serialize(prv, encrypted)) != 0 || | ||
3036 | (r = sshbuf_put_cstring(encrypted, comment)) != 0) | ||
3037 | goto out; | ||
3038 | |||
3039 | /* padding */ | ||
3040 | i = 0; | ||
3041 | while (sshbuf_len(encrypted) % blocksize) { | ||
3042 | if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) | ||
3043 | goto out; | ||
3044 | } | ||
3045 | |||
3046 | /* length in destination buffer */ | ||
3047 | if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) | ||
3048 | goto out; | ||
3049 | |||
3050 | /* encrypt */ | ||
3051 | if ((r = sshbuf_reserve(encoded, | ||
3052 | sshbuf_len(encrypted) + authlen, &cp)) != 0) | ||
3053 | goto out; | ||
3054 | if ((r = cipher_crypt(&ciphercontext, 0, cp, | ||
3055 | sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) | ||
3056 | goto out; | ||
3057 | |||
3058 | /* uuencode */ | ||
3059 | if ((b64 = sshbuf_dtob64(encoded)) == NULL) { | ||
3060 | r = SSH_ERR_ALLOC_FAIL; | ||
3061 | goto out; | ||
3062 | } | ||
3063 | |||
3064 | sshbuf_reset(blob); | ||
3065 | if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0) | ||
3066 | goto out; | ||
3067 | for (i = 0; i < strlen(b64); i++) { | ||
3068 | if ((r = sshbuf_put_u8(blob, b64[i])) != 0) | ||
3069 | goto out; | ||
3070 | /* insert line breaks */ | ||
3071 | if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) | ||
3072 | goto out; | ||
3073 | } | ||
3074 | if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0) | ||
3075 | goto out; | ||
3076 | if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0) | ||
3077 | goto out; | ||
3078 | |||
3079 | /* success */ | ||
3080 | r = 0; | ||
3081 | |||
3082 | out: | ||
3083 | sshbuf_free(kdf); | ||
3084 | sshbuf_free(encoded); | ||
3085 | sshbuf_free(encrypted); | ||
3086 | cipher_cleanup(&ciphercontext); | ||
3087 | explicit_bzero(salt, sizeof(salt)); | ||
3088 | if (key != NULL) { | ||
3089 | explicit_bzero(key, keylen + ivlen); | ||
3090 | free(key); | ||
3091 | } | ||
3092 | if (pubkeyblob != NULL) { | ||
3093 | explicit_bzero(pubkeyblob, pubkeylen); | ||
3094 | free(pubkeyblob); | ||
3095 | } | ||
3096 | if (b64 != NULL) { | ||
3097 | explicit_bzero(b64, strlen(b64)); | ||
3098 | free(b64); | ||
3099 | } | ||
3100 | return r; | ||
3101 | } | ||
3102 | |||
3103 | static int | ||
3104 | sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, | ||
3105 | struct sshkey **keyp, char **commentp) | ||
3106 | { | ||
3107 | char *comment = NULL, *ciphername = NULL, *kdfname = NULL; | ||
3108 | const struct sshcipher *cipher = NULL; | ||
3109 | const u_char *cp; | ||
3110 | int r = SSH_ERR_INTERNAL_ERROR; | ||
3111 | size_t encoded_len; | ||
3112 | size_t i, keylen = 0, ivlen = 0, slen = 0; | ||
3113 | struct sshbuf *encoded = NULL, *decoded = NULL; | ||
3114 | struct sshbuf *kdf = NULL, *decrypted = NULL; | ||
3115 | struct sshcipher_ctx ciphercontext; | ||
3116 | struct sshkey *k = NULL; | ||
3117 | u_char *key = NULL, *salt = NULL, *dp, pad, last; | ||
3118 | u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; | ||
3119 | |||
3120 | memset(&ciphercontext, 0, sizeof(ciphercontext)); | ||
3121 | if (keyp != NULL) | ||
3122 | *keyp = NULL; | ||
3123 | if (commentp != NULL) | ||
3124 | *commentp = NULL; | ||
3125 | |||
3126 | if ((encoded = sshbuf_new()) == NULL || | ||
3127 | (decoded = sshbuf_new()) == NULL || | ||
3128 | (decrypted = sshbuf_new()) == NULL) { | ||
3129 | r = SSH_ERR_ALLOC_FAIL; | ||
3130 | goto out; | ||
3131 | } | ||
3132 | |||
3133 | /* check preamble */ | ||
3134 | cp = sshbuf_ptr(blob); | ||
3135 | encoded_len = sshbuf_len(blob); | ||
3136 | if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) || | ||
3137 | memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) { | ||
3138 | r = SSH_ERR_INVALID_FORMAT; | ||
3139 | goto out; | ||
3140 | } | ||
3141 | cp += MARK_BEGIN_LEN; | ||
3142 | encoded_len -= MARK_BEGIN_LEN; | ||
3143 | |||
3144 | /* Look for end marker, removing whitespace as we go */ | ||
3145 | while (encoded_len > 0) { | ||
3146 | if (*cp != '\n' && *cp != '\r') { | ||
3147 | if ((r = sshbuf_put_u8(encoded, *cp)) != 0) | ||
3148 | goto out; | ||
3149 | } | ||
3150 | last = *cp; | ||
3151 | encoded_len--; | ||
3152 | cp++; | ||
3153 | if (last == '\n') { | ||
3154 | if (encoded_len >= MARK_END_LEN && | ||
3155 | memcmp(cp, MARK_END, MARK_END_LEN) == 0) { | ||
3156 | /* \0 terminate */ | ||
3157 | if ((r = sshbuf_put_u8(encoded, 0)) != 0) | ||
3158 | goto out; | ||
3159 | break; | ||
3160 | } | ||
3161 | } | ||
3162 | } | ||
3163 | if (encoded_len == 0) { | ||
3164 | r = SSH_ERR_INVALID_FORMAT; | ||
3165 | goto out; | ||
3166 | } | ||
3167 | |||
3168 | /* decode base64 */ | ||
3169 | if ((r = sshbuf_b64tod(decoded, sshbuf_ptr(encoded))) != 0) | ||
3170 | goto out; | ||
3171 | |||
3172 | /* check magic */ | ||
3173 | if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) || | ||
3174 | memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) { | ||
3175 | r = SSH_ERR_INVALID_FORMAT; | ||
3176 | goto out; | ||
3177 | } | ||
3178 | /* parse public portion of key */ | ||
3179 | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 || | ||
3180 | (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 || | ||
3181 | (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 || | ||
3182 | (r = sshbuf_froms(decoded, &kdf)) != 0 || | ||
3183 | (r = sshbuf_get_u32(decoded, &nkeys)) != 0 || | ||
3184 | (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */ | ||
3185 | (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) | ||
3186 | goto out; | ||
3187 | |||
3188 | if ((cipher = cipher_by_name(ciphername)) == NULL) { | ||
3189 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; | ||
3190 | goto out; | ||
3191 | } | ||
3192 | if ((passphrase == NULL || strlen(passphrase) == 0) && | ||
3193 | strcmp(ciphername, "none") != 0) { | ||
3194 | /* passphrase required */ | ||
3195 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; | ||
3196 | goto out; | ||
3197 | } | ||
3198 | if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { | ||
3199 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; | ||
3200 | goto out; | ||
3201 | } | ||
3202 | if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) { | ||
3203 | r = SSH_ERR_INVALID_FORMAT; | ||
3204 | goto out; | ||
3205 | } | ||
3206 | if (nkeys != 1) { | ||
3207 | /* XXX only one key supported */ | ||
3208 | r = SSH_ERR_INVALID_FORMAT; | ||
3209 | goto out; | ||
3210 | } | ||
3211 | |||
3212 | /* check size of encrypted key blob */ | ||
3213 | blocksize = cipher_blocksize(cipher); | ||
3214 | if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { | ||
3215 | r = SSH_ERR_INVALID_FORMAT; | ||
3216 | goto out; | ||
3217 | } | ||
3218 | |||
3219 | /* setup key */ | ||
3220 | keylen = cipher_keylen(cipher); | ||
3221 | ivlen = cipher_ivlen(cipher); | ||
3222 | if ((key = calloc(1, keylen + ivlen)) == NULL) { | ||
3223 | r = SSH_ERR_ALLOC_FAIL; | ||
3224 | goto out; | ||
3225 | } | ||
3226 | if (strcmp(kdfname, "bcrypt") == 0) { | ||
3227 | if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || | ||
3228 | (r = sshbuf_get_u32(kdf, &rounds)) != 0) | ||
3229 | goto out; | ||
3230 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, | ||
3231 | key, keylen + ivlen, rounds) < 0) { | ||
3232 | r = SSH_ERR_INVALID_FORMAT; | ||
3233 | goto out; | ||
3234 | } | ||
3235 | } | ||
3236 | |||
3237 | /* decrypt private portion of key */ | ||
3238 | if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || | ||
3239 | (r = cipher_init(&ciphercontext, cipher, key, keylen, | ||
3240 | key + keylen, ivlen, 0)) != 0) | ||
3241 | goto out; | ||
3242 | if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded), | ||
3243 | sshbuf_len(decoded), 0, cipher_authlen(cipher))) != 0) { | ||
3244 | /* an integrity error here indicates an incorrect passphrase */ | ||
3245 | if (r == SSH_ERR_MAC_INVALID) | ||
3246 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; | ||
3247 | goto out; | ||
3248 | } | ||
3249 | if ((r = sshbuf_consume(decoded, encrypted_len)) != 0) | ||
3250 | goto out; | ||
3251 | /* there should be no trailing data */ | ||
3252 | if (sshbuf_len(decoded) != 0) { | ||
3253 | r = SSH_ERR_INVALID_FORMAT; | ||
3254 | goto out; | ||
3255 | } | ||
3256 | |||
3257 | /* check check bytes */ | ||
3258 | if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || | ||
3259 | (r = sshbuf_get_u32(decrypted, &check2)) != 0) | ||
3260 | goto out; | ||
3261 | if (check1 != check2) { | ||
3262 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; | ||
3263 | goto out; | ||
3264 | } | ||
3265 | |||
3266 | /* Load the private key and comment */ | ||
3267 | if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || | ||
3268 | (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0) | ||
3269 | goto out; | ||
3270 | |||
3271 | /* Check deterministic padding */ | ||
3272 | i = 0; | ||
3273 | while (sshbuf_len(decrypted)) { | ||
3274 | if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) | ||
3275 | goto out; | ||
3276 | if (pad != (++i & 0xff)) { | ||
3277 | r = SSH_ERR_INVALID_FORMAT; | ||
3278 | goto out; | ||
3279 | } | ||
3280 | } | ||
3281 | |||
3282 | /* XXX decode pubkey and check against private */ | ||
3283 | |||
3284 | /* success */ | ||
3285 | r = 0; | ||
3286 | if (keyp != NULL) { | ||
3287 | *keyp = k; | ||
3288 | k = NULL; | ||
3289 | } | ||
3290 | if (commentp != NULL) { | ||
3291 | *commentp = comment; | ||
3292 | comment = NULL; | ||
3293 | } | ||
3294 | out: | ||
3295 | pad = 0; | ||
3296 | cipher_cleanup(&ciphercontext); | ||
3297 | free(ciphername); | ||
3298 | free(kdfname); | ||
3299 | free(comment); | ||
3300 | if (salt != NULL) { | ||
3301 | explicit_bzero(salt, slen); | ||
3302 | free(salt); | ||
3303 | } | ||
3304 | if (key != NULL) { | ||
3305 | explicit_bzero(key, keylen + ivlen); | ||
3306 | free(key); | ||
3307 | } | ||
3308 | sshbuf_free(encoded); | ||
3309 | sshbuf_free(decoded); | ||
3310 | sshbuf_free(kdf); | ||
3311 | sshbuf_free(decrypted); | ||
3312 | sshkey_free(k); | ||
3313 | return r; | ||
3314 | } | ||
3315 | |||
3316 | #if WITH_SSH1 | ||
3317 | /* | ||
3318 | * Serialises the authentication (private) key to a blob, encrypting it with | ||
3319 | * passphrase. The identification of the blob (lowest 64 bits of n) will | ||
3320 | * precede the key to provide identification of the key without needing a | ||
3321 | * passphrase. | ||
3322 | */ | ||
3323 | static int | ||
3324 | sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob, | ||
3325 | const char *passphrase, const char *comment) | ||
3326 | { | ||
3327 | struct sshbuf *buffer = NULL, *encrypted = NULL; | ||
3328 | u_char buf[8]; | ||
3329 | int r, cipher_num; | ||
3330 | struct sshcipher_ctx ciphercontext; | ||
3331 | const struct sshcipher *cipher; | ||
3332 | u_char *cp; | ||
3333 | |||
3334 | /* | ||
3335 | * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting | ||
3336 | * to another cipher; otherwise use SSH_AUTHFILE_CIPHER. | ||
3337 | */ | ||
3338 | cipher_num = (strcmp(passphrase, "") == 0) ? | ||
3339 | SSH_CIPHER_NONE : SSH_CIPHER_3DES; | ||
3340 | if ((cipher = cipher_by_number(cipher_num)) == NULL) | ||
3341 | return SSH_ERR_INTERNAL_ERROR; | ||
3342 | |||
3343 | /* This buffer is used to build the secret part of the private key. */ | ||
3344 | if ((buffer = sshbuf_new()) == NULL) | ||
3345 | return SSH_ERR_ALLOC_FAIL; | ||
3346 | |||
3347 | /* Put checkbytes for checking passphrase validity. */ | ||
3348 | if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0) | ||
3349 | goto out; | ||
3350 | arc4random_buf(cp, 2); | ||
3351 | memcpy(cp + 2, cp, 2); | ||
3352 | |||
3353 | /* | ||
3354 | * Store the private key (n and e will not be stored because they | ||
3355 | * will be stored in plain text, and storing them also in encrypted | ||
3356 | * format would just give known plaintext). | ||
3357 | * Note: q and p are stored in reverse order to SSL. | ||
3358 | */ | ||
3359 | if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 || | ||
3360 | (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 || | ||
3361 | (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 || | ||
3362 | (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0) | ||
3363 | goto out; | ||
3364 | |||
3365 | /* Pad the part to be encrypted to a size that is a multiple of 8. */ | ||
3366 | explicit_bzero(buf, 8); | ||
3367 | if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0) | ||
3368 | goto out; | ||
3369 | |||
3370 | /* This buffer will be used to contain the data in the file. */ | ||
3371 | if ((encrypted = sshbuf_new()) == NULL) { | ||
3372 | r = SSH_ERR_ALLOC_FAIL; | ||
3373 | goto out; | ||
3374 | } | ||
3375 | |||
3376 | /* First store keyfile id string. */ | ||
3377 | if ((r = sshbuf_put(encrypted, LEGACY_BEGIN, | ||
3378 | sizeof(LEGACY_BEGIN))) != 0) | ||
3379 | goto out; | ||
3380 | |||
3381 | /* Store cipher type and "reserved" field. */ | ||
3382 | if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 || | ||
3383 | (r = sshbuf_put_u32(encrypted, 0)) != 0) | ||
3384 | goto out; | ||
3385 | |||
3386 | /* Store public key. This will be in plain text. */ | ||
3387 | if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 || | ||
3388 | (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) || | ||
3389 | (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) || | ||
3390 | (r = sshbuf_put_cstring(encrypted, comment) != 0)) | ||
3391 | goto out; | ||
3392 | |||
3393 | /* Allocate space for the private part of the key in the buffer. */ | ||
3394 | if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0) | ||
3395 | goto out; | ||
3396 | |||
3397 | if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, | ||
3398 | CIPHER_ENCRYPT)) != 0) | ||
3399 | goto out; | ||
3400 | if ((r = cipher_crypt(&ciphercontext, 0, cp, | ||
3401 | sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0) | ||
3402 | goto out; | ||
3403 | if ((r = cipher_cleanup(&ciphercontext)) != 0) | ||
3404 | goto out; | ||
3405 | |||
3406 | r = sshbuf_putb(blob, encrypted); | ||
3407 | |||
3408 | out: | ||
3409 | explicit_bzero(&ciphercontext, sizeof(ciphercontext)); | ||
3410 | explicit_bzero(buf, sizeof(buf)); | ||
3411 | if (buffer != NULL) | ||
3412 | sshbuf_free(buffer); | ||
3413 | if (encrypted != NULL) | ||
3414 | sshbuf_free(encrypted); | ||
3415 | |||
3416 | return r; | ||
3417 | } | ||
3418 | #endif /* WITH_SSH1 */ | ||
3419 | |||
3420 | #ifdef WITH_OPENSSL | ||
3421 | /* convert SSH v2 key in OpenSSL PEM format */ | ||
3422 | static int | ||
3423 | sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob, | ||
3424 | const char *_passphrase, const char *comment) | ||
3425 | { | ||
3426 | int success, r; | ||
3427 | int blen, len = strlen(_passphrase); | ||
3428 | u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL; | ||
3429 | #if (OPENSSL_VERSION_NUMBER < 0x00907000L) | ||
3430 | const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL; | ||
3431 | #else | ||
3432 | const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL; | ||
3433 | #endif | ||
3434 | const u_char *bptr; | ||
3435 | BIO *bio = NULL; | ||
3436 | |||
3437 | if (len > 0 && len <= 4) | ||
3438 | return SSH_ERR_PASSPHRASE_TOO_SHORT; | ||
3439 | if ((bio = BIO_new(BIO_s_mem())) == NULL) | ||
3440 | return SSH_ERR_ALLOC_FAIL; | ||
3441 | |||
3442 | switch (key->type) { | ||
3443 | case KEY_DSA: | ||
3444 | success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, | ||
3445 | cipher, passphrase, len, NULL, NULL); | ||
3446 | break; | ||
3447 | #ifdef OPENSSL_HAS_ECC | ||
3448 | case KEY_ECDSA: | ||
3449 | success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, | ||
3450 | cipher, passphrase, len, NULL, NULL); | ||
3451 | break; | ||
3452 | #endif | ||
3453 | case KEY_RSA: | ||
3454 | success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, | ||
3455 | cipher, passphrase, len, NULL, NULL); | ||
3456 | break; | ||
3457 | default: | ||
3458 | success = 0; | ||
3459 | break; | ||
3460 | } | ||
3461 | if (success == 0) { | ||
3462 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
3463 | goto out; | ||
3464 | } | ||
3465 | if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) { | ||
3466 | r = SSH_ERR_INTERNAL_ERROR; | ||
3467 | goto out; | ||
3468 | } | ||
3469 | if ((r = sshbuf_put(blob, bptr, blen)) != 0) | ||
3470 | goto out; | ||
3471 | r = 0; | ||
3472 | out: | ||
3473 | BIO_free(bio); | ||
3474 | return r; | ||
3475 | } | ||
3476 | #endif /* WITH_OPENSSL */ | ||
3477 | |||
3478 | /* Serialise "key" to buffer "blob" */ | ||
3479 | int | ||
3480 | sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, | ||
3481 | const char *passphrase, const char *comment, | ||
3482 | int force_new_format, const char *new_format_cipher, int new_format_rounds) | ||
3483 | { | ||
3484 | switch (key->type) { | ||
3485 | #ifdef WITH_OPENSSL | ||
3486 | case KEY_RSA1: | ||
3487 | return sshkey_private_rsa1_to_blob(key, blob, | ||
3488 | passphrase, comment); | ||
3489 | case KEY_DSA: | ||
3490 | case KEY_ECDSA: | ||
3491 | case KEY_RSA: | ||
3492 | if (force_new_format) { | ||
3493 | return sshkey_private_to_blob2(key, blob, passphrase, | ||
3494 | comment, new_format_cipher, new_format_rounds); | ||
3495 | } | ||
3496 | return sshkey_private_pem_to_blob(key, blob, | ||
3497 | passphrase, comment); | ||
3498 | #endif /* WITH_OPENSSL */ | ||
3499 | case KEY_ED25519: | ||
3500 | return sshkey_private_to_blob2(key, blob, passphrase, | ||
3501 | comment, new_format_cipher, new_format_rounds); | ||
3502 | default: | ||
3503 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
3504 | } | ||
3505 | } | ||
3506 | |||
3507 | #ifdef WITH_SSH1 | ||
3508 | /* | ||
3509 | * Parse the public, unencrypted portion of a RSA1 key. | ||
3510 | */ | ||
3511 | int | ||
3512 | sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob, | ||
3513 | struct sshkey **keyp, char **commentp) | ||
3514 | { | ||
3515 | int r; | ||
3516 | struct sshkey *pub = NULL; | ||
3517 | struct sshbuf *copy = NULL; | ||
3518 | |||
3519 | if (keyp != NULL) | ||
3520 | *keyp = NULL; | ||
3521 | if (commentp != NULL) | ||
3522 | *commentp = NULL; | ||
3523 | |||
3524 | /* Check that it is at least big enough to contain the ID string. */ | ||
3525 | if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) | ||
3526 | return SSH_ERR_INVALID_FORMAT; | ||
3527 | |||
3528 | /* | ||
3529 | * Make sure it begins with the id string. Consume the id string | ||
3530 | * from the buffer. | ||
3531 | */ | ||
3532 | if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) | ||
3533 | return SSH_ERR_INVALID_FORMAT; | ||
3534 | /* Make a working copy of the keyblob and skip past the magic */ | ||
3535 | if ((copy = sshbuf_fromb(blob)) == NULL) | ||
3536 | return SSH_ERR_ALLOC_FAIL; | ||
3537 | if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) | ||
3538 | goto out; | ||
3539 | |||
3540 | /* Skip cipher type, reserved data and key bits. */ | ||
3541 | if ((r = sshbuf_get_u8(copy, NULL)) != 0 || /* cipher type */ | ||
3542 | (r = sshbuf_get_u32(copy, NULL)) != 0 || /* reserved */ | ||
3543 | (r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */ | ||
3544 | goto out; | ||
3545 | |||
3546 | /* Read the public key from the buffer. */ | ||
3547 | if ((pub = sshkey_new(KEY_RSA1)) == NULL || | ||
3548 | (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 || | ||
3549 | (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0) | ||
3550 | goto out; | ||
3551 | |||
3552 | /* Finally, the comment */ | ||
3553 | if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0) | ||
3554 | goto out; | ||
3555 | |||
3556 | /* The encrypted private part is not parsed by this function. */ | ||
3557 | |||
3558 | r = 0; | ||
3559 | if (keyp != NULL) | ||
3560 | *keyp = pub; | ||
3561 | else | ||
3562 | sshkey_free(pub); | ||
3563 | pub = NULL; | ||
3564 | |||
3565 | out: | ||
3566 | if (copy != NULL) | ||
3567 | sshbuf_free(copy); | ||
3568 | if (pub != NULL) | ||
3569 | sshkey_free(pub); | ||
3570 | return r; | ||
3571 | } | ||
3572 | |||
3573 | static int | ||
3574 | sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase, | ||
3575 | struct sshkey **keyp, char **commentp) | ||
3576 | { | ||
3577 | int r; | ||
3578 | u_int16_t check1, check2; | ||
3579 | u_int8_t cipher_type; | ||
3580 | struct sshbuf *decrypted = NULL, *copy = NULL; | ||
3581 | u_char *cp; | ||
3582 | char *comment = NULL; | ||
3583 | struct sshcipher_ctx ciphercontext; | ||
3584 | const struct sshcipher *cipher; | ||
3585 | struct sshkey *prv = NULL; | ||
3586 | |||
3587 | *keyp = NULL; | ||
3588 | if (commentp != NULL) | ||
3589 | *commentp = NULL; | ||
3590 | |||
3591 | /* Check that it is at least big enough to contain the ID string. */ | ||
3592 | if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN)) | ||
3593 | return SSH_ERR_INVALID_FORMAT; | ||
3594 | |||
3595 | /* | ||
3596 | * Make sure it begins with the id string. Consume the id string | ||
3597 | * from the buffer. | ||
3598 | */ | ||
3599 | if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0) | ||
3600 | return SSH_ERR_INVALID_FORMAT; | ||
3601 | |||
3602 | if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) { | ||
3603 | r = SSH_ERR_ALLOC_FAIL; | ||
3604 | goto out; | ||
3605 | } | ||
3606 | if ((copy = sshbuf_fromb(blob)) == NULL || | ||
3607 | (decrypted = sshbuf_new()) == NULL) { | ||
3608 | r = SSH_ERR_ALLOC_FAIL; | ||
3609 | goto out; | ||
3610 | } | ||
3611 | if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0) | ||
3612 | goto out; | ||
3613 | |||
3614 | /* Read cipher type. */ | ||
3615 | if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 || | ||
3616 | (r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */ | ||
3617 | goto out; | ||
3618 | |||
3619 | /* Read the public key and comment from the buffer. */ | ||
3620 | if ((r = sshbuf_get_u32(copy, NULL)) != 0 || /* key bits */ | ||
3621 | (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 || | ||
3622 | (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 || | ||
3623 | (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0) | ||
3624 | goto out; | ||
3625 | |||
3626 | /* Check that it is a supported cipher. */ | ||
3627 | cipher = cipher_by_number(cipher_type); | ||
3628 | if (cipher == NULL) { | ||
3629 | r = SSH_ERR_KEY_UNKNOWN_CIPHER; | ||
3630 | goto out; | ||
3631 | } | ||
3632 | /* Initialize space for decrypted data. */ | ||
3633 | if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0) | ||
3634 | goto out; | ||
3635 | |||
3636 | /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */ | ||
3637 | if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase, | ||
3638 | CIPHER_DECRYPT)) != 0) | ||
3639 | goto out; | ||
3640 | if ((r = cipher_crypt(&ciphercontext, 0, cp, | ||
3641 | sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) { | ||
3642 | cipher_cleanup(&ciphercontext); | ||
3643 | goto out; | ||
3644 | } | ||
3645 | if ((r = cipher_cleanup(&ciphercontext)) != 0) | ||
3646 | goto out; | ||
3647 | |||
3648 | if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 || | ||
3649 | (r = sshbuf_get_u16(decrypted, &check2)) != 0) | ||
3650 | goto out; | ||
3651 | if (check1 != check2) { | ||
3652 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; | ||
3653 | goto out; | ||
3654 | } | ||
3655 | |||
3656 | /* Read the rest of the private key. */ | ||
3657 | if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 || | ||
3658 | (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 || | ||
3659 | (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 || | ||
3660 | (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0) | ||
3661 | goto out; | ||
3662 | |||
3663 | /* calculate p-1 and q-1 */ | ||
3664 | if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0) | ||
3665 | goto out; | ||
3666 | |||
3667 | /* enable blinding */ | ||
3668 | if (RSA_blinding_on(prv->rsa, NULL) != 1) { | ||
3669 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
3670 | goto out; | ||
3671 | } | ||
3672 | r = 0; | ||
3673 | *keyp = prv; | ||
3674 | prv = NULL; | ||
3675 | if (commentp != NULL) { | ||
3676 | *commentp = comment; | ||
3677 | comment = NULL; | ||
3678 | } | ||
3679 | out: | ||
3680 | explicit_bzero(&ciphercontext, sizeof(ciphercontext)); | ||
3681 | if (comment != NULL) | ||
3682 | free(comment); | ||
3683 | if (prv != NULL) | ||
3684 | sshkey_free(prv); | ||
3685 | if (copy != NULL) | ||
3686 | sshbuf_free(copy); | ||
3687 | if (decrypted != NULL) | ||
3688 | sshbuf_free(decrypted); | ||
3689 | return r; | ||
3690 | } | ||
3691 | #endif /* WITH_SSH1 */ | ||
3692 | |||
3693 | #ifdef WITH_OPENSSL | ||
3694 | /* XXX make private once ssh-keysign.c fixed */ | ||
3695 | int | ||
3696 | sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, | ||
3697 | const char *passphrase, struct sshkey **keyp, char **commentp) | ||
3698 | { | ||
3699 | EVP_PKEY *pk = NULL; | ||
3700 | struct sshkey *prv = NULL; | ||
3701 | char *name = "<no key>"; | ||
3702 | BIO *bio = NULL; | ||
3703 | int r; | ||
3704 | |||
3705 | *keyp = NULL; | ||
3706 | if (commentp != NULL) | ||
3707 | *commentp = NULL; | ||
3708 | |||
3709 | if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) | ||
3710 | return SSH_ERR_ALLOC_FAIL; | ||
3711 | if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != | ||
3712 | (int)sshbuf_len(blob)) { | ||
3713 | r = SSH_ERR_ALLOC_FAIL; | ||
3714 | goto out; | ||
3715 | } | ||
3716 | |||
3717 | if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, | ||
3718 | (char *)passphrase)) == NULL) { | ||
3719 | r = SSH_ERR_KEY_WRONG_PASSPHRASE; | ||
3720 | goto out; | ||
3721 | } | ||
3722 | if (pk->type == EVP_PKEY_RSA && | ||
3723 | (type == KEY_UNSPEC || type == KEY_RSA)) { | ||
3724 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { | ||
3725 | r = SSH_ERR_ALLOC_FAIL; | ||
3726 | goto out; | ||
3727 | } | ||
3728 | prv->rsa = EVP_PKEY_get1_RSA(pk); | ||
3729 | prv->type = KEY_RSA; | ||
3730 | name = "rsa w/o comment"; | ||
3731 | #ifdef DEBUG_PK | ||
3732 | RSA_print_fp(stderr, prv->rsa, 8); | ||
3733 | #endif | ||
3734 | if (RSA_blinding_on(prv->rsa, NULL) != 1) { | ||
3735 | r = SSH_ERR_LIBCRYPTO_ERROR; | ||
3736 | goto out; | ||
3737 | } | ||
3738 | } else if (pk->type == EVP_PKEY_DSA && | ||
3739 | (type == KEY_UNSPEC || type == KEY_DSA)) { | ||
3740 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { | ||
3741 | r = SSH_ERR_ALLOC_FAIL; | ||
3742 | goto out; | ||
3743 | } | ||
3744 | prv->dsa = EVP_PKEY_get1_DSA(pk); | ||
3745 | prv->type = KEY_DSA; | ||
3746 | name = "dsa w/o comment"; | ||
3747 | #ifdef DEBUG_PK | ||
3748 | DSA_print_fp(stderr, prv->dsa, 8); | ||
3749 | #endif | ||
3750 | #ifdef OPENSSL_HAS_ECC | ||
3751 | } else if (pk->type == EVP_PKEY_EC && | ||
3752 | (type == KEY_UNSPEC || type == KEY_ECDSA)) { | ||
3753 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { | ||
3754 | r = SSH_ERR_ALLOC_FAIL; | ||
3755 | goto out; | ||
3756 | } | ||
3757 | prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); | ||
3758 | prv->type = KEY_ECDSA; | ||
3759 | prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); | ||
3760 | if (prv->ecdsa_nid == -1 || | ||
3761 | sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL || | ||
3762 | sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), | ||
3763 | EC_KEY_get0_public_key(prv->ecdsa)) != 0 || | ||
3764 | sshkey_ec_validate_private(prv->ecdsa) != 0) { | ||
3765 | r = SSH_ERR_INVALID_FORMAT; | ||
3766 | goto out; | ||
3767 | } | ||
3768 | name = "ecdsa w/o comment"; | ||
3769 | # ifdef DEBUG_PK | ||
3770 | if (prv != NULL && prv->ecdsa != NULL) | ||
3771 | sshkey_dump_ec_key(prv->ecdsa); | ||
3772 | # endif | ||
3773 | #endif /* OPENSSL_HAS_ECC */ | ||
3774 | } else { | ||
3775 | r = SSH_ERR_INVALID_FORMAT; | ||
3776 | goto out; | ||
3777 | } | ||
3778 | if (commentp != NULL && | ||
3779 | (*commentp = strdup(name)) == NULL) { | ||
3780 | r = SSH_ERR_ALLOC_FAIL; | ||
3781 | goto out; | ||
3782 | } | ||
3783 | r = 0; | ||
3784 | *keyp = prv; | ||
3785 | prv = NULL; | ||
3786 | out: | ||
3787 | BIO_free(bio); | ||
3788 | if (pk != NULL) | ||
3789 | EVP_PKEY_free(pk); | ||
3790 | if (prv != NULL) | ||
3791 | sshkey_free(prv); | ||
3792 | return r; | ||
3793 | } | ||
3794 | #endif /* WITH_OPENSSL */ | ||
3795 | |||
3796 | int | ||
3797 | sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, | ||
3798 | const char *passphrase, struct sshkey **keyp, char **commentp) | ||
3799 | { | ||
3800 | int r; | ||
3801 | |||
3802 | *keyp = NULL; | ||
3803 | if (commentp != NULL) | ||
3804 | *commentp = NULL; | ||
3805 | |||
3806 | switch (type) { | ||
3807 | #ifdef WITH_OPENSSL | ||
3808 | case KEY_RSA1: | ||
3809 | return sshkey_parse_private_rsa1(blob, passphrase, | ||
3810 | keyp, commentp); | ||
3811 | case KEY_DSA: | ||
3812 | case KEY_ECDSA: | ||
3813 | case KEY_RSA: | ||
3814 | return sshkey_parse_private_pem_fileblob(blob, type, passphrase, | ||
3815 | keyp, commentp); | ||
3816 | #endif /* WITH_OPENSSL */ | ||
3817 | case KEY_ED25519: | ||
3818 | return sshkey_parse_private2(blob, type, passphrase, | ||
3819 | keyp, commentp); | ||
3820 | case KEY_UNSPEC: | ||
3821 | if ((r = sshkey_parse_private2(blob, type, passphrase, keyp, | ||
3822 | commentp)) == 0) | ||
3823 | return 0; | ||
3824 | #ifdef WITH_OPENSSL | ||
3825 | return sshkey_parse_private_pem_fileblob(blob, type, passphrase, | ||
3826 | keyp, commentp); | ||
3827 | #else | ||
3828 | return SSH_ERR_INVALID_FORMAT; | ||
3829 | #endif /* WITH_OPENSSL */ | ||
3830 | default: | ||
3831 | return SSH_ERR_KEY_TYPE_UNKNOWN; | ||
3832 | } | ||
3833 | } | ||
3834 | |||
3835 | int | ||
3836 | sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, | ||
3837 | const char *filename, struct sshkey **keyp, char **commentp) | ||
3838 | { | ||
3839 | int r; | ||
3840 | |||
3841 | if (keyp != NULL) | ||
3842 | *keyp = NULL; | ||
3843 | if (commentp != NULL) | ||
3844 | *commentp = NULL; | ||
3845 | |||
3846 | #ifdef WITH_SSH1 | ||
3847 | /* it's a SSH v1 key if the public key part is readable */ | ||
3848 | if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) { | ||
3849 | return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1, | ||
3850 | passphrase, keyp, commentp); | ||
3851 | } | ||
3852 | #endif /* WITH_SSH1 */ | ||
3853 | if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, | ||
3854 | passphrase, keyp, commentp)) == 0) | ||
3855 | return 0; | ||
3856 | return r; | ||
3857 | } | ||