sshkey.c 124 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946
  1. /* $OpenBSD: sshkey.c,v 1.111 2020/08/27 01:06:19 djm Exp $ */
  2. /*
  3. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  4. * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
  5. * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
  6. *
  7. * Redistribution and use in source and binary forms, with or without
  8. * modification, are permitted provided that the following conditions
  9. * are met:
  10. * 1. Redistributions of source code must retain the above copyright
  11. * notice, this list of conditions and the following disclaimer.
  12. * 2. Redistributions in binary form must reproduce the above copyright
  13. * notice, this list of conditions and the following disclaimer in the
  14. * documentation and/or other materials provided with the distribution.
  15. *
  16. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  17. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  18. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  19. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  20. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  21. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  22. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  23. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  24. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  25. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  26. */
  27. #include "includes.h"
  28. #include <sys/types.h>
  29. #include <netinet/in.h>
  30. #ifdef WITH_OPENSSL
  31. #include <openssl/evp.h>
  32. #include <openssl/err.h>
  33. #include <openssl/pem.h>
  34. #endif
  35. #include "crypto_api.h"
  36. #include <errno.h>
  37. #include <limits.h>
  38. #include <stdio.h>
  39. #include <string.h>
  40. #include <resolv.h>
  41. #include <time.h>
  42. #ifdef HAVE_UTIL_H
  43. #include <util.h>
  44. #endif /* HAVE_UTIL_H */
  45. #include "ssh2.h"
  46. #include "ssherr.h"
  47. #include "misc.h"
  48. #include "sshbuf.h"
  49. #include "cipher.h"
  50. #include "digest.h"
  51. #define SSHKEY_INTERNAL
  52. #include "sshkey.h"
  53. #include "match.h"
  54. #include "ssh-sk.h"
  55. #ifdef WITH_XMSS
  56. #include "sshkey-xmss.h"
  57. #include "xmss_fast.h"
  58. #endif
  59. #include "openbsd-compat/openssl-compat.h"
  60. /* openssh private key file format */
  61. #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
  62. #define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
  63. #define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
  64. #define MARK_END_LEN (sizeof(MARK_END) - 1)
  65. #define KDFNAME "bcrypt"
  66. #define AUTH_MAGIC "openssh-key-v1"
  67. #define SALT_LEN 16
  68. #define DEFAULT_CIPHERNAME "aes256-ctr"
  69. #define DEFAULT_ROUNDS 16
  70. /* Version identification string for SSH v1 identity files. */
  71. #define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n"
  72. /*
  73. * Constants relating to "shielding" support; protection of keys expected
  74. * to remain in memory for long durations
  75. */
  76. #define SSHKEY_SHIELD_PREKEY_LEN (16 * 1024)
  77. #define SSHKEY_SHIELD_CIPHER "aes256-ctr" /* XXX want AES-EME* */
  78. #define SSHKEY_SHIELD_PREKEY_HASH SSH_DIGEST_SHA512
  79. int sshkey_private_serialize_opt(struct sshkey *key,
  80. struct sshbuf *buf, enum sshkey_serialize_rep);
  81. static int sshkey_from_blob_internal(struct sshbuf *buf,
  82. struct sshkey **keyp, int allow_cert);
  83. /* Supported key types */
  84. struct keytype {
  85. const char *name;
  86. const char *shortname;
  87. const char *sigalg;
  88. int type;
  89. int nid;
  90. int cert;
  91. int sigonly;
  92. };
  93. static const struct keytype keytypes[] = {
  94. { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 },
  95. { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL,
  96. KEY_ED25519_CERT, 0, 1, 0 },
  97. { "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL,
  98. KEY_ED25519_SK, 0, 0, 0 },
  99. { "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL,
  100. KEY_ED25519_SK_CERT, 0, 1, 0 },
  101. #ifdef WITH_XMSS
  102. { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 },
  103. { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL,
  104. KEY_XMSS_CERT, 0, 1, 0 },
  105. #endif /* WITH_XMSS */
  106. #ifdef WITH_OPENSSL
  107. { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 },
  108. { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
  109. { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 },
  110. { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 },
  111. # ifdef OPENSSL_HAS_ECC
  112. { "ecdsa-sha2-nistp256", "ECDSA", NULL,
  113. KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
  114. { "ecdsa-sha2-nistp384", "ECDSA", NULL,
  115. KEY_ECDSA, NID_secp384r1, 0, 0 },
  116. # ifdef OPENSSL_HAS_NISTP521
  117. { "ecdsa-sha2-nistp521", "ECDSA", NULL,
  118. KEY_ECDSA, NID_secp521r1, 0, 0 },
  119. # endif /* OPENSSL_HAS_NISTP521 */
  120. { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL,
  121. KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 },
  122. { "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL,
  123. KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 1 },
  124. # endif /* OPENSSL_HAS_ECC */
  125. { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL,
  126. KEY_RSA_CERT, 0, 1, 0 },
  127. { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT",
  128. "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
  129. { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT",
  130. "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
  131. { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL,
  132. KEY_DSA_CERT, 0, 1, 0 },
  133. # ifdef OPENSSL_HAS_ECC
  134. { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL,
  135. KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
  136. { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL,
  137. KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
  138. # ifdef OPENSSL_HAS_NISTP521
  139. { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL,
  140. KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
  141. # endif /* OPENSSL_HAS_NISTP521 */
  142. { "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL,
  143. KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
  144. # endif /* OPENSSL_HAS_ECC */
  145. #endif /* WITH_OPENSSL */
  146. { NULL, NULL, NULL, -1, -1, 0, 0 }
  147. };
  148. const char *
  149. sshkey_type(const struct sshkey *k)
  150. {
  151. const struct keytype *kt;
  152. for (kt = keytypes; kt->type != -1; kt++) {
  153. if (kt->type == k->type)
  154. return kt->shortname;
  155. }
  156. return "unknown";
  157. }
  158. static const char *
  159. sshkey_ssh_name_from_type_nid(int type, int nid)
  160. {
  161. const struct keytype *kt;
  162. for (kt = keytypes; kt->type != -1; kt++) {
  163. if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
  164. return kt->name;
  165. }
  166. return "ssh-unknown";
  167. }
  168. int
  169. sshkey_type_is_cert(int type)
  170. {
  171. const struct keytype *kt;
  172. for (kt = keytypes; kt->type != -1; kt++) {
  173. if (kt->type == type)
  174. return kt->cert;
  175. }
  176. return 0;
  177. }
  178. const char *
  179. sshkey_ssh_name(const struct sshkey *k)
  180. {
  181. return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
  182. }
  183. const char *
  184. sshkey_ssh_name_plain(const struct sshkey *k)
  185. {
  186. return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
  187. k->ecdsa_nid);
  188. }
  189. int
  190. sshkey_type_from_name(const char *name)
  191. {
  192. const struct keytype *kt;
  193. for (kt = keytypes; kt->type != -1; kt++) {
  194. /* Only allow shortname matches for plain key types */
  195. if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
  196. (!kt->cert && strcasecmp(kt->shortname, name) == 0))
  197. return kt->type;
  198. }
  199. return KEY_UNSPEC;
  200. }
  201. static int
  202. key_type_is_ecdsa_variant(int type)
  203. {
  204. switch (type) {
  205. case KEY_ECDSA:
  206. case KEY_ECDSA_CERT:
  207. case KEY_ECDSA_SK:
  208. case KEY_ECDSA_SK_CERT:
  209. return 1;
  210. }
  211. return 0;
  212. }
  213. int
  214. sshkey_ecdsa_nid_from_name(const char *name)
  215. {
  216. const struct keytype *kt;
  217. for (kt = keytypes; kt->type != -1; kt++) {
  218. if (!key_type_is_ecdsa_variant(kt->type))
  219. continue;
  220. if (kt->name != NULL && strcmp(name, kt->name) == 0)
  221. return kt->nid;
  222. }
  223. return -1;
  224. }
  225. char *
  226. sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
  227. {
  228. char *tmp, *ret = NULL;
  229. size_t nlen, rlen = 0;
  230. const struct keytype *kt;
  231. for (kt = keytypes; kt->type != -1; kt++) {
  232. if (kt->name == NULL)
  233. continue;
  234. if (!include_sigonly && kt->sigonly)
  235. continue;
  236. if ((certs_only && !kt->cert) || (plain_only && kt->cert))
  237. continue;
  238. if (ret != NULL)
  239. ret[rlen++] = sep;
  240. nlen = strlen(kt->name);
  241. if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
  242. free(ret);
  243. return NULL;
  244. }
  245. ret = tmp;
  246. memcpy(ret + rlen, kt->name, nlen + 1);
  247. rlen += nlen;
  248. }
  249. return ret;
  250. }
  251. int
  252. sshkey_names_valid2(const char *names, int allow_wildcard)
  253. {
  254. char *s, *cp, *p;
  255. const struct keytype *kt;
  256. int type;
  257. if (names == NULL || strcmp(names, "") == 0)
  258. return 0;
  259. if ((s = cp = strdup(names)) == NULL)
  260. return 0;
  261. for ((p = strsep(&cp, ",")); p && *p != '\0';
  262. (p = strsep(&cp, ","))) {
  263. type = sshkey_type_from_name(p);
  264. if (type == KEY_UNSPEC) {
  265. if (allow_wildcard) {
  266. /*
  267. * Try matching key types against the string.
  268. * If any has a positive or negative match then
  269. * the component is accepted.
  270. */
  271. for (kt = keytypes; kt->type != -1; kt++) {
  272. if (match_pattern_list(kt->name,
  273. p, 0) != 0)
  274. break;
  275. }
  276. if (kt->type != -1)
  277. continue;
  278. }
  279. free(s);
  280. return 0;
  281. }
  282. }
  283. free(s);
  284. return 1;
  285. }
  286. u_int
  287. sshkey_size(const struct sshkey *k)
  288. {
  289. #ifdef WITH_OPENSSL
  290. const BIGNUM *rsa_n, *dsa_p;
  291. #endif /* WITH_OPENSSL */
  292. switch (k->type) {
  293. #ifdef WITH_OPENSSL
  294. case KEY_RSA:
  295. case KEY_RSA_CERT:
  296. if (k->rsa == NULL)
  297. return 0;
  298. RSA_get0_key(k->rsa, &rsa_n, NULL, NULL);
  299. return BN_num_bits(rsa_n);
  300. case KEY_DSA:
  301. case KEY_DSA_CERT:
  302. if (k->dsa == NULL)
  303. return 0;
  304. DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL);
  305. return BN_num_bits(dsa_p);
  306. case KEY_ECDSA:
  307. case KEY_ECDSA_CERT:
  308. case KEY_ECDSA_SK:
  309. case KEY_ECDSA_SK_CERT:
  310. return sshkey_curve_nid_to_bits(k->ecdsa_nid);
  311. #endif /* WITH_OPENSSL */
  312. case KEY_ED25519:
  313. case KEY_ED25519_CERT:
  314. case KEY_ED25519_SK:
  315. case KEY_ED25519_SK_CERT:
  316. case KEY_XMSS:
  317. case KEY_XMSS_CERT:
  318. return 256; /* XXX */
  319. }
  320. return 0;
  321. }
  322. static int
  323. sshkey_type_is_valid_ca(int type)
  324. {
  325. switch (type) {
  326. case KEY_RSA:
  327. case KEY_DSA:
  328. case KEY_ECDSA:
  329. case KEY_ECDSA_SK:
  330. case KEY_ED25519:
  331. case KEY_ED25519_SK:
  332. case KEY_XMSS:
  333. return 1;
  334. default:
  335. return 0;
  336. }
  337. }
  338. int
  339. sshkey_is_private(const struct sshkey *k)
  340. {
  341. switch (k->type) {
  342. #ifdef WITH_OPENSSL
  343. case KEY_RSA_CERT:
  344. case KEY_RSA: {
  345. const BIGNUM *d;
  346. RSA_get0_key(k->rsa, NULL, NULL, &d);
  347. return d != NULL;
  348. }
  349. case KEY_DSA_CERT:
  350. case KEY_DSA: {
  351. const BIGNUM *priv_key;
  352. DSA_get0_key(k->dsa, NULL, &priv_key);
  353. return priv_key != NULL;
  354. }
  355. #ifdef OPENSSL_HAS_ECC
  356. case KEY_ECDSA_CERT:
  357. case KEY_ECDSA:
  358. return EC_KEY_get0_private_key(k->ecdsa) != NULL;
  359. #endif /* OPENSSL_HAS_ECC */
  360. #endif /* WITH_OPENSSL */
  361. case KEY_ED25519_CERT:
  362. case KEY_ED25519:
  363. return (k->ed25519_pk != NULL);
  364. default:
  365. /* fatal("key_is_private: bad key type %d", k->type); */
  366. return 0;
  367. }
  368. }
  369. int
  370. sshkey_is_cert(const struct sshkey *k)
  371. {
  372. if (k == NULL)
  373. return 0;
  374. return sshkey_type_is_cert(k->type);
  375. }
  376. int
  377. sshkey_is_sk(const struct sshkey *k)
  378. {
  379. if (k == NULL)
  380. return 0;
  381. switch (sshkey_type_plain(k->type)) {
  382. case KEY_ECDSA_SK:
  383. case KEY_ED25519_SK:
  384. return 1;
  385. default:
  386. return 0;
  387. }
  388. }
  389. /* Return the cert-less equivalent to a certified key type */
  390. int
  391. sshkey_type_plain(int type)
  392. {
  393. switch (type) {
  394. case KEY_RSA_CERT:
  395. return KEY_RSA;
  396. case KEY_DSA_CERT:
  397. return KEY_DSA;
  398. case KEY_ECDSA_CERT:
  399. return KEY_ECDSA;
  400. case KEY_ECDSA_SK_CERT:
  401. return KEY_ECDSA_SK;
  402. case KEY_ED25519_CERT:
  403. return KEY_ED25519;
  404. case KEY_ED25519_SK_CERT:
  405. return KEY_ED25519_SK;
  406. case KEY_XMSS_CERT:
  407. return KEY_XMSS;
  408. default:
  409. return type;
  410. }
  411. }
  412. #ifdef WITH_OPENSSL
  413. int
  414. sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
  415. int *lenp, const u_char *data, size_t datalen)
  416. {
  417. EVP_MD_CTX *ctx = NULL;
  418. u_char *sig = NULL;
  419. int ret, slen, len;
  420. if (sigp == NULL || lenp == NULL) {
  421. return SSH_ERR_INVALID_ARGUMENT;
  422. }
  423. slen = EVP_PKEY_size(pkey);
  424. if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
  425. return SSH_ERR_INVALID_ARGUMENT;
  426. len = slen;
  427. if ((sig = malloc(slen)) == NULL) {
  428. return SSH_ERR_ALLOC_FAIL;
  429. }
  430. if ((ctx = EVP_MD_CTX_new()) == NULL) {
  431. ret = SSH_ERR_ALLOC_FAIL;
  432. goto error;
  433. }
  434. if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
  435. EVP_SignUpdate(ctx, data, datalen) <= 0 ||
  436. EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
  437. debug("EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || EVP_SignUpdate(ctx, data, datalen) <= 0 || EVP_SignFinal(ctx, sig, &len, pkey) <= 0)");
  438. ret = SSH_ERR_LIBCRYPTO_ERROR;
  439. goto error;
  440. }
  441. *sigp = sig;
  442. *lenp = len;
  443. /* Now owned by the caller */
  444. sig = NULL;
  445. ret = 0;
  446. error:
  447. EVP_MD_CTX_free(ctx);
  448. free(sig);
  449. return ret;
  450. }
  451. int
  452. sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
  453. size_t datalen, u_char *sigbuf, int siglen)
  454. {
  455. EVP_MD_CTX *ctx = NULL;
  456. int ret;
  457. if ((ctx = EVP_MD_CTX_new()) == NULL) {
  458. return SSH_ERR_ALLOC_FAIL;
  459. }
  460. if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
  461. EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
  462. debug("(EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || EVP_VerifyUpdate(ctx, data, datalen) <= 0)");
  463. ret = SSH_ERR_LIBCRYPTO_ERROR;
  464. goto done;
  465. }
  466. ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
  467. switch (ret) {
  468. case 1:
  469. ret = 0;
  470. break;
  471. case 0:
  472. ret = SSH_ERR_SIGNATURE_INVALID;
  473. break;
  474. default:
  475. debug("ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey); switch (ret); ret != 0 or 1, default to error.");
  476. ret = SSH_ERR_LIBCRYPTO_ERROR;
  477. break;
  478. }
  479. done:
  480. EVP_MD_CTX_free(ctx);
  481. return ret;
  482. }
  483. /* XXX: these are really begging for a table-driven approach */
  484. int
  485. sshkey_curve_name_to_nid(const char *name)
  486. {
  487. if (strcmp(name, "nistp256") == 0)
  488. return NID_X9_62_prime256v1;
  489. else if (strcmp(name, "nistp384") == 0)
  490. return NID_secp384r1;
  491. # ifdef OPENSSL_HAS_NISTP521
  492. else if (strcmp(name, "nistp521") == 0)
  493. return NID_secp521r1;
  494. # endif /* OPENSSL_HAS_NISTP521 */
  495. else
  496. return -1;
  497. }
  498. u_int
  499. sshkey_curve_nid_to_bits(int nid)
  500. {
  501. switch (nid) {
  502. case NID_X9_62_prime256v1:
  503. return 256;
  504. case NID_secp384r1:
  505. return 384;
  506. # ifdef OPENSSL_HAS_NISTP521
  507. case NID_secp521r1:
  508. return 521;
  509. # endif /* OPENSSL_HAS_NISTP521 */
  510. default:
  511. return 0;
  512. }
  513. }
  514. int
  515. sshkey_ecdsa_bits_to_nid(int bits)
  516. {
  517. switch (bits) {
  518. case 256:
  519. return NID_X9_62_prime256v1;
  520. case 384:
  521. return NID_secp384r1;
  522. # ifdef OPENSSL_HAS_NISTP521
  523. case 521:
  524. return NID_secp521r1;
  525. # endif /* OPENSSL_HAS_NISTP521 */
  526. default:
  527. return -1;
  528. }
  529. }
  530. const char *
  531. sshkey_curve_nid_to_name(int nid)
  532. {
  533. switch (nid) {
  534. case NID_X9_62_prime256v1:
  535. return "nistp256";
  536. case NID_secp384r1:
  537. return "nistp384";
  538. # ifdef OPENSSL_HAS_NISTP521
  539. case NID_secp521r1:
  540. return "nistp521";
  541. # endif /* OPENSSL_HAS_NISTP521 */
  542. default:
  543. return NULL;
  544. }
  545. }
  546. int
  547. sshkey_ec_nid_to_hash_alg(int nid)
  548. {
  549. int kbits = sshkey_curve_nid_to_bits(nid);
  550. if (kbits <= 0)
  551. return -1;
  552. /* RFC5656 section 6.2.1 */
  553. if (kbits <= 256)
  554. return SSH_DIGEST_SHA256;
  555. else if (kbits <= 384)
  556. return SSH_DIGEST_SHA384;
  557. else
  558. return SSH_DIGEST_SHA512;
  559. }
  560. #endif /* WITH_OPENSSL */
  561. static void
  562. cert_free(struct sshkey_cert *cert)
  563. {
  564. u_int i;
  565. if (cert == NULL)
  566. return;
  567. sshbuf_free(cert->certblob);
  568. sshbuf_free(cert->critical);
  569. sshbuf_free(cert->extensions);
  570. free(cert->key_id);
  571. for (i = 0; i < cert->nprincipals; i++)
  572. free(cert->principals[i]);
  573. free(cert->principals);
  574. sshkey_free(cert->signature_key);
  575. free(cert->signature_type);
  576. freezero(cert, sizeof(*cert));
  577. }
  578. static struct sshkey_cert *
  579. cert_new(void)
  580. {
  581. struct sshkey_cert *cert;
  582. if ((cert = calloc(1, sizeof(*cert))) == NULL)
  583. return NULL;
  584. if ((cert->certblob = sshbuf_new()) == NULL ||
  585. (cert->critical = sshbuf_new()) == NULL ||
  586. (cert->extensions = sshbuf_new()) == NULL) {
  587. cert_free(cert);
  588. return NULL;
  589. }
  590. cert->key_id = NULL;
  591. cert->principals = NULL;
  592. cert->signature_key = NULL;
  593. cert->signature_type = NULL;
  594. return cert;
  595. }
  596. struct sshkey *
  597. sshkey_new(int type)
  598. {
  599. struct sshkey *k;
  600. #ifdef WITH_OPENSSL
  601. RSA *rsa;
  602. DSA *dsa;
  603. #endif /* WITH_OPENSSL */
  604. if ((k = calloc(1, sizeof(*k))) == NULL)
  605. return NULL;
  606. k->type = type;
  607. k->ecdsa = NULL;
  608. k->ecdsa_nid = -1;
  609. k->dsa = NULL;
  610. k->rsa = NULL;
  611. k->cert = NULL;
  612. k->ed25519_sk = NULL;
  613. k->ed25519_pk = NULL;
  614. k->xmss_sk = NULL;
  615. k->xmss_pk = NULL;
  616. switch (k->type) {
  617. #ifdef WITH_OPENSSL
  618. case KEY_RSA:
  619. case KEY_RSA_CERT:
  620. if ((rsa = RSA_new()) == NULL) {
  621. free(k);
  622. return NULL;
  623. }
  624. k->rsa = rsa;
  625. break;
  626. case KEY_DSA:
  627. case KEY_DSA_CERT:
  628. if ((dsa = DSA_new()) == NULL) {
  629. free(k);
  630. return NULL;
  631. }
  632. k->dsa = dsa;
  633. break;
  634. case KEY_ECDSA:
  635. case KEY_ECDSA_CERT:
  636. case KEY_ECDSA_SK:
  637. case KEY_ECDSA_SK_CERT:
  638. /* Cannot do anything until we know the group */
  639. break;
  640. #endif /* WITH_OPENSSL */
  641. case KEY_ED25519:
  642. case KEY_ED25519_CERT:
  643. case KEY_ED25519_SK:
  644. case KEY_ED25519_SK_CERT:
  645. case KEY_XMSS:
  646. case KEY_XMSS_CERT:
  647. /* no need to prealloc */
  648. break;
  649. case KEY_UNSPEC:
  650. break;
  651. default:
  652. free(k);
  653. return NULL;
  654. }
  655. if (sshkey_is_cert(k)) {
  656. if ((k->cert = cert_new()) == NULL) {
  657. sshkey_free(k);
  658. return NULL;
  659. }
  660. }
  661. return k;
  662. }
  663. void
  664. sshkey_free(struct sshkey *k)
  665. {
  666. if (k == NULL)
  667. return;
  668. switch (k->type) {
  669. #ifdef WITH_OPENSSL
  670. case KEY_RSA:
  671. case KEY_RSA_CERT:
  672. RSA_free(k->rsa);
  673. k->rsa = NULL;
  674. break;
  675. case KEY_DSA:
  676. case KEY_DSA_CERT:
  677. DSA_free(k->dsa);
  678. k->dsa = NULL;
  679. break;
  680. # ifdef OPENSSL_HAS_ECC
  681. case KEY_ECDSA_SK:
  682. case KEY_ECDSA_SK_CERT:
  683. free(k->sk_application);
  684. sshbuf_free(k->sk_key_handle);
  685. sshbuf_free(k->sk_reserved);
  686. /* FALLTHROUGH */
  687. case KEY_ECDSA:
  688. case KEY_ECDSA_CERT:
  689. EC_KEY_free(k->ecdsa);
  690. k->ecdsa = NULL;
  691. break;
  692. # endif /* OPENSSL_HAS_ECC */
  693. #endif /* WITH_OPENSSL */
  694. case KEY_ED25519_SK:
  695. case KEY_ED25519_SK_CERT:
  696. free(k->sk_application);
  697. sshbuf_free(k->sk_key_handle);
  698. sshbuf_free(k->sk_reserved);
  699. /* FALLTHROUGH */
  700. case KEY_ED25519:
  701. case KEY_ED25519_CERT:
  702. freezero(k->ed25519_pk, ED25519_PK_SZ);
  703. k->ed25519_pk = NULL;
  704. freezero(k->ed25519_sk, ED25519_SK_SZ);
  705. k->ed25519_sk = NULL;
  706. break;
  707. #ifdef WITH_XMSS
  708. case KEY_XMSS:
  709. case KEY_XMSS_CERT:
  710. freezero(k->xmss_pk, sshkey_xmss_pklen(k));
  711. k->xmss_pk = NULL;
  712. freezero(k->xmss_sk, sshkey_xmss_sklen(k));
  713. k->xmss_sk = NULL;
  714. sshkey_xmss_free_state(k);
  715. free(k->xmss_name);
  716. k->xmss_name = NULL;
  717. free(k->xmss_filename);
  718. k->xmss_filename = NULL;
  719. break;
  720. #endif /* WITH_XMSS */
  721. case KEY_UNSPEC:
  722. break;
  723. default:
  724. break;
  725. }
  726. if (sshkey_is_cert(k))
  727. cert_free(k->cert);
  728. freezero(k->shielded_private, k->shielded_len);
  729. freezero(k->shield_prekey, k->shield_prekey_len);
  730. freezero(k, sizeof(*k));
  731. }
  732. static int
  733. cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
  734. {
  735. if (a == NULL && b == NULL)
  736. return 1;
  737. if (a == NULL || b == NULL)
  738. return 0;
  739. if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
  740. return 0;
  741. if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
  742. sshbuf_len(a->certblob)) != 0)
  743. return 0;
  744. return 1;
  745. }
  746. /*
  747. * Compare public portions of key only, allowing comparisons between
  748. * certificates and plain keys too.
  749. */
  750. int
  751. sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
  752. {
  753. #if defined(WITH_OPENSSL)
  754. const BIGNUM *rsa_e_a, *rsa_n_a;
  755. const BIGNUM *rsa_e_b, *rsa_n_b;
  756. const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a;
  757. const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b;
  758. #endif /* WITH_OPENSSL */
  759. if (a == NULL || b == NULL ||
  760. sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
  761. return 0;
  762. switch (a->type) {
  763. #ifdef WITH_OPENSSL
  764. case KEY_RSA_CERT:
  765. case KEY_RSA:
  766. if (a->rsa == NULL || b->rsa == NULL)
  767. return 0;
  768. RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL);
  769. RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL);
  770. return BN_cmp(rsa_e_a, rsa_e_b) == 0 &&
  771. BN_cmp(rsa_n_a, rsa_n_b) == 0;
  772. case KEY_DSA_CERT:
  773. case KEY_DSA:
  774. if (a->dsa == NULL || b->dsa == NULL)
  775. return 0;
  776. DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
  777. DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
  778. DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL);
  779. DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL);
  780. return BN_cmp(dsa_p_a, dsa_p_b) == 0 &&
  781. BN_cmp(dsa_q_a, dsa_q_b) == 0 &&
  782. BN_cmp(dsa_g_a, dsa_g_b) == 0 &&
  783. BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0;
  784. # ifdef OPENSSL_HAS_ECC
  785. case KEY_ECDSA_SK:
  786. case KEY_ECDSA_SK_CERT:
  787. if (a->sk_application == NULL || b->sk_application == NULL)
  788. return 0;
  789. if (strcmp(a->sk_application, b->sk_application) != 0)
  790. return 0;
  791. /* FALLTHROUGH */
  792. case KEY_ECDSA_CERT:
  793. case KEY_ECDSA:
  794. if (a->ecdsa == NULL || b->ecdsa == NULL ||
  795. EC_KEY_get0_public_key(a->ecdsa) == NULL ||
  796. EC_KEY_get0_public_key(b->ecdsa) == NULL)
  797. return 0;
  798. if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
  799. EC_KEY_get0_group(b->ecdsa), NULL) != 0 ||
  800. EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
  801. EC_KEY_get0_public_key(a->ecdsa),
  802. EC_KEY_get0_public_key(b->ecdsa), NULL) != 0)
  803. return 0;
  804. return 1;
  805. # endif /* OPENSSL_HAS_ECC */
  806. #endif /* WITH_OPENSSL */
  807. case KEY_ED25519_SK:
  808. case KEY_ED25519_SK_CERT:
  809. if (a->sk_application == NULL || b->sk_application == NULL)
  810. return 0;
  811. if (strcmp(a->sk_application, b->sk_application) != 0)
  812. return 0;
  813. /* FALLTHROUGH */
  814. case KEY_ED25519:
  815. case KEY_ED25519_CERT:
  816. return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
  817. memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
  818. #ifdef WITH_XMSS
  819. case KEY_XMSS:
  820. case KEY_XMSS_CERT:
  821. return a->xmss_pk != NULL && b->xmss_pk != NULL &&
  822. sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) &&
  823. memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0;
  824. #endif /* WITH_XMSS */
  825. default:
  826. return 0;
  827. }
  828. /* NOTREACHED */
  829. }
  830. int
  831. sshkey_equal(const struct sshkey *a, const struct sshkey *b)
  832. {
  833. if (a == NULL || b == NULL || a->type != b->type)
  834. return 0;
  835. if (sshkey_is_cert(a)) {
  836. if (!cert_compare(a->cert, b->cert))
  837. return 0;
  838. }
  839. return sshkey_equal_public(a, b);
  840. }
  841. static int
  842. to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
  843. enum sshkey_serialize_rep opts)
  844. {
  845. int type, ret = SSH_ERR_INTERNAL_ERROR;
  846. const char *typename;
  847. #ifdef WITH_OPENSSL
  848. const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
  849. #endif /* WITH_OPENSSL */
  850. if (key == NULL)
  851. return SSH_ERR_INVALID_ARGUMENT;
  852. if (sshkey_is_cert(key)) {
  853. if (key->cert == NULL)
  854. return SSH_ERR_EXPECTED_CERT;
  855. if (sshbuf_len(key->cert->certblob) == 0)
  856. return SSH_ERR_KEY_LACKS_CERTBLOB;
  857. }
  858. type = force_plain ? sshkey_type_plain(key->type) : key->type;
  859. typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
  860. switch (type) {
  861. #ifdef WITH_OPENSSL
  862. case KEY_DSA_CERT:
  863. case KEY_ECDSA_CERT:
  864. case KEY_ECDSA_SK_CERT:
  865. case KEY_RSA_CERT:
  866. #endif /* WITH_OPENSSL */
  867. case KEY_ED25519_CERT:
  868. case KEY_ED25519_SK_CERT:
  869. #ifdef WITH_XMSS
  870. case KEY_XMSS_CERT:
  871. #endif /* WITH_XMSS */
  872. /* Use the existing blob */
  873. /* XXX modified flag? */
  874. if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
  875. return ret;
  876. break;
  877. #ifdef WITH_OPENSSL
  878. case KEY_DSA:
  879. if (key->dsa == NULL)
  880. return SSH_ERR_INVALID_ARGUMENT;
  881. DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
  882. DSA_get0_key(key->dsa, &dsa_pub_key, NULL);
  883. if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
  884. (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
  885. (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
  886. (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
  887. (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
  888. return ret;
  889. break;
  890. # ifdef OPENSSL_HAS_ECC
  891. case KEY_ECDSA:
  892. case KEY_ECDSA_SK:
  893. if (key->ecdsa == NULL)
  894. return SSH_ERR_INVALID_ARGUMENT;
  895. if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
  896. (ret = sshbuf_put_cstring(b,
  897. sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
  898. (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
  899. return ret;
  900. if (type == KEY_ECDSA_SK) {
  901. if ((ret = sshbuf_put_cstring(b,
  902. key->sk_application)) != 0)
  903. return ret;
  904. }
  905. break;
  906. # endif
  907. case KEY_RSA:
  908. if (key->rsa == NULL)
  909. return SSH_ERR_INVALID_ARGUMENT;
  910. RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL);
  911. if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
  912. (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
  913. (ret = sshbuf_put_bignum2(b, rsa_n)) != 0)
  914. return ret;
  915. break;
  916. #endif /* WITH_OPENSSL */
  917. case KEY_ED25519:
  918. case KEY_ED25519_SK:
  919. if (key->ed25519_pk == NULL)
  920. return SSH_ERR_INVALID_ARGUMENT;
  921. if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
  922. (ret = sshbuf_put_string(b,
  923. key->ed25519_pk, ED25519_PK_SZ)) != 0)
  924. return ret;
  925. if (type == KEY_ED25519_SK) {
  926. if ((ret = sshbuf_put_cstring(b,
  927. key->sk_application)) != 0)
  928. return ret;
  929. }
  930. break;
  931. #ifdef WITH_XMSS
  932. case KEY_XMSS:
  933. if (key->xmss_name == NULL || key->xmss_pk == NULL ||
  934. sshkey_xmss_pklen(key) == 0)
  935. return SSH_ERR_INVALID_ARGUMENT;
  936. if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
  937. (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
  938. (ret = sshbuf_put_string(b,
  939. key->xmss_pk, sshkey_xmss_pklen(key))) != 0 ||
  940. (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0)
  941. return ret;
  942. break;
  943. #endif /* WITH_XMSS */
  944. default:
  945. return SSH_ERR_KEY_TYPE_UNKNOWN;
  946. }
  947. return 0;
  948. }
  949. int
  950. sshkey_putb(const struct sshkey *key, struct sshbuf *b)
  951. {
  952. return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
  953. }
  954. int
  955. sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b,
  956. enum sshkey_serialize_rep opts)
  957. {
  958. struct sshbuf *tmp;
  959. int r;
  960. if ((tmp = sshbuf_new()) == NULL)
  961. return SSH_ERR_ALLOC_FAIL;
  962. r = to_blob_buf(key, tmp, 0, opts);
  963. if (r == 0)
  964. r = sshbuf_put_stringb(b, tmp);
  965. sshbuf_free(tmp);
  966. return r;
  967. }
  968. int
  969. sshkey_puts(const struct sshkey *key, struct sshbuf *b)
  970. {
  971. return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
  972. }
  973. int
  974. sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
  975. {
  976. return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
  977. }
  978. static int
  979. to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain,
  980. enum sshkey_serialize_rep opts)
  981. {
  982. int ret = SSH_ERR_INTERNAL_ERROR;
  983. size_t len;
  984. struct sshbuf *b = NULL;
  985. if (lenp != NULL)
  986. *lenp = 0;
  987. if (blobp != NULL)
  988. *blobp = NULL;
  989. if ((b = sshbuf_new()) == NULL)
  990. return SSH_ERR_ALLOC_FAIL;
  991. if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
  992. goto out;
  993. len = sshbuf_len(b);
  994. if (lenp != NULL)
  995. *lenp = len;
  996. if (blobp != NULL) {
  997. if ((*blobp = malloc(len)) == NULL) {
  998. ret = SSH_ERR_ALLOC_FAIL;
  999. goto out;
  1000. }
  1001. memcpy(*blobp, sshbuf_ptr(b), len);
  1002. }
  1003. ret = 0;
  1004. out:
  1005. sshbuf_free(b);
  1006. return ret;
  1007. }
  1008. int
  1009. sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
  1010. {
  1011. return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
  1012. }
  1013. int
  1014. sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
  1015. {
  1016. return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
  1017. }
  1018. int
  1019. sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
  1020. u_char **retp, size_t *lenp)
  1021. {
  1022. u_char *blob = NULL, *ret = NULL;
  1023. size_t blob_len = 0;
  1024. int r = SSH_ERR_INTERNAL_ERROR;
  1025. if (retp != NULL)
  1026. *retp = NULL;
  1027. if (lenp != NULL)
  1028. *lenp = 0;
  1029. if (ssh_digest_bytes(dgst_alg) == 0) {
  1030. r = SSH_ERR_INVALID_ARGUMENT;
  1031. goto out;
  1032. }
  1033. if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
  1034. != 0)
  1035. goto out;
  1036. if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
  1037. r = SSH_ERR_ALLOC_FAIL;
  1038. goto out;
  1039. }
  1040. if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
  1041. ret, SSH_DIGEST_MAX_LENGTH)) != 0)
  1042. goto out;
  1043. /* success */
  1044. if (retp != NULL) {
  1045. *retp = ret;
  1046. ret = NULL;
  1047. }
  1048. if (lenp != NULL)
  1049. *lenp = ssh_digest_bytes(dgst_alg);
  1050. r = 0;
  1051. out:
  1052. free(ret);
  1053. if (blob != NULL)
  1054. freezero(blob, blob_len);
  1055. return r;
  1056. }
  1057. static char *
  1058. fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
  1059. {
  1060. char *ret;
  1061. size_t plen = strlen(alg) + 1;
  1062. size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
  1063. if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
  1064. return NULL;
  1065. strlcpy(ret, alg, rlen);
  1066. strlcat(ret, ":", rlen);
  1067. if (dgst_raw_len == 0)
  1068. return ret;
  1069. if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
  1070. freezero(ret, rlen);
  1071. return NULL;
  1072. }
  1073. /* Trim padding characters from end */
  1074. ret[strcspn(ret, "=")] = '\0';
  1075. return ret;
  1076. }
  1077. static char *
  1078. fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
  1079. {
  1080. char *retval, hex[5];
  1081. size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
  1082. if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
  1083. return NULL;
  1084. strlcpy(retval, alg, rlen);
  1085. strlcat(retval, ":", rlen);
  1086. for (i = 0; i < dgst_raw_len; i++) {
  1087. snprintf(hex, sizeof(hex), "%s%02x",
  1088. i > 0 ? ":" : "", dgst_raw[i]);
  1089. strlcat(retval, hex, rlen);
  1090. }
  1091. return retval;
  1092. }
  1093. static char *
  1094. fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
  1095. {
  1096. char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
  1097. char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
  1098. 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
  1099. u_int i, j = 0, rounds, seed = 1;
  1100. char *retval;
  1101. rounds = (dgst_raw_len / 2) + 1;
  1102. if ((retval = calloc(rounds, 6)) == NULL)
  1103. return NULL;
  1104. retval[j++] = 'x';
  1105. for (i = 0; i < rounds; i++) {
  1106. u_int idx0, idx1, idx2, idx3, idx4;
  1107. if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
  1108. idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
  1109. seed) % 6;
  1110. idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
  1111. idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
  1112. (seed / 6)) % 6;
  1113. retval[j++] = vowels[idx0];
  1114. retval[j++] = consonants[idx1];
  1115. retval[j++] = vowels[idx2];
  1116. if ((i + 1) < rounds) {
  1117. idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
  1118. idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
  1119. retval[j++] = consonants[idx3];
  1120. retval[j++] = '-';
  1121. retval[j++] = consonants[idx4];
  1122. seed = ((seed * 5) +
  1123. ((((u_int)(dgst_raw[2 * i])) * 7) +
  1124. ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
  1125. }
  1126. } else {
  1127. idx0 = seed % 6;
  1128. idx1 = 16;
  1129. idx2 = seed / 6;
  1130. retval[j++] = vowels[idx0];
  1131. retval[j++] = consonants[idx1];
  1132. retval[j++] = vowels[idx2];
  1133. }
  1134. }
  1135. retval[j++] = 'x';
  1136. retval[j++] = '\0';
  1137. return retval;
  1138. }
  1139. /*
  1140. * Draw an ASCII-Art representing the fingerprint so human brain can
  1141. * profit from its built-in pattern recognition ability.
  1142. * This technique is called "random art" and can be found in some
  1143. * scientific publications like this original paper:
  1144. *
  1145. * "Hash Visualization: a New Technique to improve Real-World Security",
  1146. * Perrig A. and Song D., 1999, International Workshop on Cryptographic
  1147. * Techniques and E-Commerce (CrypTEC '99)
  1148. * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
  1149. *
  1150. * The subject came up in a talk by Dan Kaminsky, too.
  1151. *
  1152. * If you see the picture is different, the key is different.
  1153. * If the picture looks the same, you still know nothing.
  1154. *
  1155. * The algorithm used here is a worm crawling over a discrete plane,
  1156. * leaving a trace (augmenting the field) everywhere it goes.
  1157. * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
  1158. * makes the respective movement vector be ignored for this turn.
  1159. * Graphs are not unambiguous, because circles in graphs can be
  1160. * walked in either direction.
  1161. */
  1162. /*
  1163. * Field sizes for the random art. Have to be odd, so the starting point
  1164. * can be in the exact middle of the picture, and FLDBASE should be >=8 .
  1165. * Else pictures would be too dense, and drawing the frame would
  1166. * fail, too, because the key type would not fit in anymore.
  1167. */
  1168. #define FLDBASE 8
  1169. #define FLDSIZE_Y (FLDBASE + 1)
  1170. #define FLDSIZE_X (FLDBASE * 2 + 1)
  1171. static char *
  1172. fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
  1173. const struct sshkey *k)
  1174. {
  1175. /*
  1176. * Chars to be used after each other every time the worm
  1177. * intersects with itself. Matter of taste.
  1178. */
  1179. char *augmentation_string = " .o+=*BOX@%&#/^SE";
  1180. char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
  1181. u_char field[FLDSIZE_X][FLDSIZE_Y];
  1182. size_t i, tlen, hlen;
  1183. u_int b;
  1184. int x, y, r;
  1185. size_t len = strlen(augmentation_string) - 1;
  1186. if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
  1187. return NULL;
  1188. /* initialize field */
  1189. memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
  1190. x = FLDSIZE_X / 2;
  1191. y = FLDSIZE_Y / 2;
  1192. /* process raw key */
  1193. for (i = 0; i < dgst_raw_len; i++) {
  1194. int input;
  1195. /* each byte conveys four 2-bit move commands */
  1196. input = dgst_raw[i];
  1197. for (b = 0; b < 4; b++) {
  1198. /* evaluate 2 bit, rest is shifted later */
  1199. x += (input & 0x1) ? 1 : -1;
  1200. y += (input & 0x2) ? 1 : -1;
  1201. /* assure we are still in bounds */
  1202. x = MAXIMUM(x, 0);
  1203. y = MAXIMUM(y, 0);
  1204. x = MINIMUM(x, FLDSIZE_X - 1);
  1205. y = MINIMUM(y, FLDSIZE_Y - 1);
  1206. /* augment the field */
  1207. if (field[x][y] < len - 2)
  1208. field[x][y]++;
  1209. input = input >> 2;
  1210. }
  1211. }
  1212. /* mark starting point and end point*/
  1213. field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
  1214. field[x][y] = len;
  1215. /* assemble title */
  1216. r = snprintf(title, sizeof(title), "[%s %u]",
  1217. sshkey_type(k), sshkey_size(k));
  1218. /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
  1219. if (r < 0 || r > (int)sizeof(title))
  1220. r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
  1221. tlen = (r <= 0) ? 0 : strlen(title);
  1222. /* assemble hash ID. */
  1223. r = snprintf(hash, sizeof(hash), "[%s]", alg);
  1224. hlen = (r <= 0) ? 0 : strlen(hash);
  1225. /* output upper border */
  1226. p = retval;
  1227. *p++ = '+';
  1228. for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
  1229. *p++ = '-';
  1230. memcpy(p, title, tlen);
  1231. p += tlen;
  1232. for (i += tlen; i < FLDSIZE_X; i++)
  1233. *p++ = '-';
  1234. *p++ = '+';
  1235. *p++ = '\n';
  1236. /* output content */
  1237. for (y = 0; y < FLDSIZE_Y; y++) {
  1238. *p++ = '|';
  1239. for (x = 0; x < FLDSIZE_X; x++)
  1240. *p++ = augmentation_string[MINIMUM(field[x][y], len)];
  1241. *p++ = '|';
  1242. *p++ = '\n';
  1243. }
  1244. /* output lower border */
  1245. *p++ = '+';
  1246. for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
  1247. *p++ = '-';
  1248. memcpy(p, hash, hlen);
  1249. p += hlen;
  1250. for (i += hlen; i < FLDSIZE_X; i++)
  1251. *p++ = '-';
  1252. *p++ = '+';
  1253. return retval;
  1254. }
  1255. char *
  1256. sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
  1257. enum sshkey_fp_rep dgst_rep)
  1258. {
  1259. char *retval = NULL;
  1260. u_char *dgst_raw;
  1261. size_t dgst_raw_len;
  1262. if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
  1263. return NULL;
  1264. switch (dgst_rep) {
  1265. case SSH_FP_DEFAULT:
  1266. if (dgst_alg == SSH_DIGEST_MD5) {
  1267. retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
  1268. dgst_raw, dgst_raw_len);
  1269. } else {
  1270. retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
  1271. dgst_raw, dgst_raw_len);
  1272. }
  1273. break;
  1274. case SSH_FP_HEX:
  1275. retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
  1276. dgst_raw, dgst_raw_len);
  1277. break;
  1278. case SSH_FP_BASE64:
  1279. retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
  1280. dgst_raw, dgst_raw_len);
  1281. break;
  1282. case SSH_FP_BUBBLEBABBLE:
  1283. retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
  1284. break;
  1285. case SSH_FP_RANDOMART:
  1286. retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
  1287. dgst_raw, dgst_raw_len, k);
  1288. break;
  1289. default:
  1290. freezero(dgst_raw, dgst_raw_len);
  1291. return NULL;
  1292. }
  1293. freezero(dgst_raw, dgst_raw_len);
  1294. return retval;
  1295. }
  1296. static int
  1297. peek_type_nid(const char *s, size_t l, int *nid)
  1298. {
  1299. const struct keytype *kt;
  1300. for (kt = keytypes; kt->type != -1; kt++) {
  1301. if (kt->name == NULL || strlen(kt->name) != l)
  1302. continue;
  1303. if (memcmp(s, kt->name, l) == 0) {
  1304. *nid = -1;
  1305. if (key_type_is_ecdsa_variant(kt->type))
  1306. *nid = kt->nid;
  1307. return kt->type;
  1308. }
  1309. }
  1310. return KEY_UNSPEC;
  1311. }
  1312. /* XXX this can now be made const char * */
  1313. int
  1314. sshkey_read(struct sshkey *ret, char **cpp)
  1315. {
  1316. struct sshkey *k;
  1317. char *cp, *blobcopy;
  1318. size_t space;
  1319. int r, type, curve_nid = -1;
  1320. struct sshbuf *blob;
  1321. if (ret == NULL)
  1322. return SSH_ERR_INVALID_ARGUMENT;
  1323. switch (ret->type) {
  1324. case KEY_UNSPEC:
  1325. case KEY_RSA:
  1326. case KEY_DSA:
  1327. case KEY_ECDSA:
  1328. case KEY_ECDSA_SK:
  1329. case KEY_ED25519:
  1330. case KEY_ED25519_SK:
  1331. case KEY_DSA_CERT:
  1332. case KEY_ECDSA_CERT:
  1333. case KEY_ECDSA_SK_CERT:
  1334. case KEY_RSA_CERT:
  1335. case KEY_ED25519_CERT:
  1336. case KEY_ED25519_SK_CERT:
  1337. #ifdef WITH_XMSS
  1338. case KEY_XMSS:
  1339. case KEY_XMSS_CERT:
  1340. #endif /* WITH_XMSS */
  1341. break; /* ok */
  1342. default:
  1343. return SSH_ERR_INVALID_ARGUMENT;
  1344. }
  1345. /* Decode type */
  1346. cp = *cpp;
  1347. space = strcspn(cp, " \t");
  1348. if (space == strlen(cp))
  1349. return SSH_ERR_INVALID_FORMAT;
  1350. if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
  1351. return SSH_ERR_INVALID_FORMAT;
  1352. /* skip whitespace */
  1353. for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
  1354. ;
  1355. if (*cp == '\0')
  1356. return SSH_ERR_INVALID_FORMAT;
  1357. if (ret->type != KEY_UNSPEC && ret->type != type)
  1358. return SSH_ERR_KEY_TYPE_MISMATCH;
  1359. if ((blob = sshbuf_new()) == NULL)
  1360. return SSH_ERR_ALLOC_FAIL;
  1361. /* find end of keyblob and decode */
  1362. space = strcspn(cp, " \t");
  1363. if ((blobcopy = strndup(cp, space)) == NULL) {
  1364. sshbuf_free(blob);
  1365. return SSH_ERR_ALLOC_FAIL;
  1366. }
  1367. if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
  1368. free(blobcopy);
  1369. sshbuf_free(blob);
  1370. return r;
  1371. }
  1372. free(blobcopy);
  1373. if ((r = sshkey_fromb(blob, &k)) != 0) {
  1374. sshbuf_free(blob);
  1375. return r;
  1376. }
  1377. sshbuf_free(blob);
  1378. /* skip whitespace and leave cp at start of comment */
  1379. for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
  1380. ;
  1381. /* ensure type of blob matches type at start of line */
  1382. if (k->type != type) {
  1383. sshkey_free(k);
  1384. return SSH_ERR_KEY_TYPE_MISMATCH;
  1385. }
  1386. if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) {
  1387. sshkey_free(k);
  1388. return SSH_ERR_EC_CURVE_MISMATCH;
  1389. }
  1390. /* Fill in ret from parsed key */
  1391. ret->type = type;
  1392. if (sshkey_is_cert(ret)) {
  1393. if (!sshkey_is_cert(k)) {
  1394. sshkey_free(k);
  1395. return SSH_ERR_EXPECTED_CERT;
  1396. }
  1397. if (ret->cert != NULL)
  1398. cert_free(ret->cert);
  1399. ret->cert = k->cert;
  1400. k->cert = NULL;
  1401. }
  1402. switch (sshkey_type_plain(ret->type)) {
  1403. #ifdef WITH_OPENSSL
  1404. case KEY_RSA:
  1405. RSA_free(ret->rsa);
  1406. ret->rsa = k->rsa;
  1407. k->rsa = NULL;
  1408. #ifdef DEBUG_PK
  1409. RSA_print_fp(stderr, ret->rsa, 8);
  1410. #endif
  1411. break;
  1412. case KEY_DSA:
  1413. DSA_free(ret->dsa);
  1414. ret->dsa = k->dsa;
  1415. k->dsa = NULL;
  1416. #ifdef DEBUG_PK
  1417. DSA_print_fp(stderr, ret->dsa, 8);
  1418. #endif
  1419. break;
  1420. # ifdef OPENSSL_HAS_ECC
  1421. case KEY_ECDSA:
  1422. EC_KEY_free(ret->ecdsa);
  1423. ret->ecdsa = k->ecdsa;
  1424. ret->ecdsa_nid = k->ecdsa_nid;
  1425. k->ecdsa = NULL;
  1426. k->ecdsa_nid = -1;
  1427. #ifdef DEBUG_PK
  1428. sshkey_dump_ec_key(ret->ecdsa);
  1429. #endif
  1430. break;
  1431. case KEY_ECDSA_SK:
  1432. EC_KEY_free(ret->ecdsa);
  1433. ret->ecdsa = k->ecdsa;
  1434. ret->ecdsa_nid = k->ecdsa_nid;
  1435. ret->sk_application = k->sk_application;
  1436. k->ecdsa = NULL;
  1437. k->ecdsa_nid = -1;
  1438. k->sk_application = NULL;
  1439. #ifdef DEBUG_PK
  1440. sshkey_dump_ec_key(ret->ecdsa);
  1441. fprintf(stderr, "App: %s\n", ret->sk_application);
  1442. #endif
  1443. break;
  1444. # endif /* OPENSSL_HAS_ECC */
  1445. #endif /* WITH_OPENSSL */
  1446. case KEY_ED25519:
  1447. freezero(ret->ed25519_pk, ED25519_PK_SZ);
  1448. ret->ed25519_pk = k->ed25519_pk;
  1449. k->ed25519_pk = NULL;
  1450. #ifdef DEBUG_PK
  1451. /* XXX */
  1452. #endif
  1453. break;
  1454. case KEY_ED25519_SK:
  1455. freezero(ret->ed25519_pk, ED25519_PK_SZ);
  1456. ret->ed25519_pk = k->ed25519_pk;
  1457. ret->sk_application = k->sk_application;
  1458. k->ed25519_pk = NULL;
  1459. k->sk_application = NULL;
  1460. break;
  1461. #ifdef WITH_XMSS
  1462. case KEY_XMSS:
  1463. free(ret->xmss_pk);
  1464. ret->xmss_pk = k->xmss_pk;
  1465. k->xmss_pk = NULL;
  1466. free(ret->xmss_state);
  1467. ret->xmss_state = k->xmss_state;
  1468. k->xmss_state = NULL;
  1469. free(ret->xmss_name);
  1470. ret->xmss_name = k->xmss_name;
  1471. k->xmss_name = NULL;
  1472. free(ret->xmss_filename);
  1473. ret->xmss_filename = k->xmss_filename;
  1474. k->xmss_filename = NULL;
  1475. #ifdef DEBUG_PK
  1476. /* XXX */
  1477. #endif
  1478. break;
  1479. #endif /* WITH_XMSS */
  1480. default:
  1481. sshkey_free(k);
  1482. return SSH_ERR_INTERNAL_ERROR;
  1483. }
  1484. sshkey_free(k);
  1485. /* success */
  1486. *cpp = cp;
  1487. return 0;
  1488. }
  1489. int
  1490. sshkey_to_base64(const struct sshkey *key, char **b64p)
  1491. {
  1492. int r = SSH_ERR_INTERNAL_ERROR;
  1493. struct sshbuf *b = NULL;
  1494. char *uu = NULL;
  1495. if (b64p != NULL)
  1496. *b64p = NULL;
  1497. if ((b = sshbuf_new()) == NULL)
  1498. return SSH_ERR_ALLOC_FAIL;
  1499. if ((r = sshkey_putb(key, b)) != 0)
  1500. goto out;
  1501. if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) {
  1502. r = SSH_ERR_ALLOC_FAIL;
  1503. goto out;
  1504. }
  1505. /* Success */
  1506. if (b64p != NULL) {
  1507. *b64p = uu;
  1508. uu = NULL;
  1509. }
  1510. r = 0;
  1511. out:
  1512. sshbuf_free(b);
  1513. free(uu);
  1514. return r;
  1515. }
  1516. int
  1517. sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
  1518. {
  1519. int r = SSH_ERR_INTERNAL_ERROR;
  1520. char *uu = NULL;
  1521. if ((r = sshkey_to_base64(key, &uu)) != 0)
  1522. goto out;
  1523. if ((r = sshbuf_putf(b, "%s %s",
  1524. sshkey_ssh_name(key), uu)) != 0)
  1525. goto out;
  1526. r = 0;
  1527. out:
  1528. free(uu);
  1529. return r;
  1530. }
  1531. int
  1532. sshkey_write(const struct sshkey *key, FILE *f)
  1533. {
  1534. struct sshbuf *b = NULL;
  1535. int r = SSH_ERR_INTERNAL_ERROR;
  1536. if ((b = sshbuf_new()) == NULL)
  1537. return SSH_ERR_ALLOC_FAIL;
  1538. if ((r = sshkey_format_text(key, b)) != 0)
  1539. goto out;
  1540. if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
  1541. if (feof(f))
  1542. errno = EPIPE;
  1543. r = SSH_ERR_SYSTEM_ERROR;
  1544. goto out;
  1545. }
  1546. /* Success */
  1547. r = 0;
  1548. out:
  1549. sshbuf_free(b);
  1550. return r;
  1551. }
  1552. const char *
  1553. sshkey_cert_type(const struct sshkey *k)
  1554. {
  1555. switch (k->cert->type) {
  1556. case SSH2_CERT_TYPE_USER:
  1557. return "user";
  1558. case SSH2_CERT_TYPE_HOST:
  1559. return "host";
  1560. default:
  1561. return "unknown";
  1562. }
  1563. }
  1564. #ifdef WITH_OPENSSL
  1565. static int
  1566. rsa_generate_private_key(u_int bits, RSA **rsap)
  1567. {
  1568. RSA *private = NULL;
  1569. BIGNUM *f4 = NULL;
  1570. int ret = SSH_ERR_INTERNAL_ERROR;
  1571. if (rsap == NULL)
  1572. return SSH_ERR_INVALID_ARGUMENT;
  1573. if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
  1574. bits > SSHBUF_MAX_BIGNUM * 8)
  1575. return SSH_ERR_KEY_LENGTH;
  1576. *rsap = NULL;
  1577. if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
  1578. ret = SSH_ERR_ALLOC_FAIL;
  1579. goto out;
  1580. }
  1581. if (!BN_set_word(f4, RSA_F4) ||
  1582. !RSA_generate_key_ex(private, bits, f4, NULL)) {
  1583. debug("!BN_set_word(f4, RSA_F4) || !RSA_generate_key_ex(private, bits, f4, NULL))");
  1584. ret = SSH_ERR_LIBCRYPTO_ERROR;
  1585. goto out;
  1586. }
  1587. *rsap = private;
  1588. private = NULL;
  1589. ret = 0;
  1590. out:
  1591. RSA_free(private);
  1592. BN_free(f4);
  1593. return ret;
  1594. }
  1595. static int
  1596. dsa_generate_private_key(u_int bits, DSA **dsap)
  1597. {
  1598. DSA *private;
  1599. int ret = SSH_ERR_INTERNAL_ERROR;
  1600. if (dsap == NULL)
  1601. return SSH_ERR_INVALID_ARGUMENT;
  1602. if (bits != 1024)
  1603. return SSH_ERR_KEY_LENGTH;
  1604. if ((private = DSA_new()) == NULL) {
  1605. ret = SSH_ERR_ALLOC_FAIL;
  1606. goto out;
  1607. }
  1608. *dsap = NULL;
  1609. if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
  1610. NULL, NULL) || !DSA_generate_key(private)) {
  1611. debug("(!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, NULL, NULL) || !DSA_generate_key(private))");
  1612. ret = SSH_ERR_LIBCRYPTO_ERROR;
  1613. goto out;
  1614. }
  1615. *dsap = private;
  1616. private = NULL;
  1617. ret = 0;
  1618. out:
  1619. DSA_free(private);
  1620. return ret;
  1621. }
  1622. # ifdef OPENSSL_HAS_ECC
  1623. int
  1624. sshkey_ecdsa_key_to_nid(EC_KEY *k)
  1625. {
  1626. EC_GROUP *eg;
  1627. int nids[] = {
  1628. NID_X9_62_prime256v1,
  1629. NID_secp384r1,
  1630. # ifdef OPENSSL_HAS_NISTP521
  1631. NID_secp521r1,
  1632. # endif /* OPENSSL_HAS_NISTP521 */
  1633. -1
  1634. };
  1635. int nid;
  1636. u_int i;
  1637. const EC_GROUP *g = EC_KEY_get0_group(k);
  1638. /*
  1639. * The group may be stored in a ASN.1 encoded private key in one of two
  1640. * ways: as a "named group", which is reconstituted by ASN.1 object ID
  1641. * or explicit group parameters encoded into the key blob. Only the
  1642. * "named group" case sets the group NID for us, but we can figure
  1643. * it out for the other case by comparing against all the groups that
  1644. * are supported.
  1645. */
  1646. if ((nid = EC_GROUP_get_curve_name(g)) > 0)
  1647. return nid;
  1648. for (i = 0; nids[i] != -1; i++) {
  1649. if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
  1650. return -1;
  1651. if (EC_GROUP_cmp(g, eg, NULL) == 0)
  1652. break;
  1653. EC_GROUP_free(eg);
  1654. }
  1655. if (nids[i] != -1) {
  1656. /* Use the group with the NID attached */
  1657. EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
  1658. if (EC_KEY_set_group(k, eg) != 1) {
  1659. EC_GROUP_free(eg);
  1660. return -1;
  1661. }
  1662. }
  1663. return nids[i];
  1664. }
  1665. static int
  1666. ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
  1667. {
  1668. EC_KEY *private;
  1669. int ret = SSH_ERR_INTERNAL_ERROR;
  1670. if (nid == NULL || ecdsap == NULL)
  1671. return SSH_ERR_INVALID_ARGUMENT;
  1672. if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
  1673. return SSH_ERR_KEY_LENGTH;
  1674. *ecdsap = NULL;
  1675. if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
  1676. ret = SSH_ERR_ALLOC_FAIL;
  1677. goto out;
  1678. }
  1679. if (EC_KEY_generate_key(private) != 1) {
  1680. ret = SSH_ERR_LIBCRYPTO_ERROR;
  1681. goto out;
  1682. }
  1683. EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
  1684. *ecdsap = private;
  1685. private = NULL;
  1686. ret = 0;
  1687. out:
  1688. EC_KEY_free(private);
  1689. return ret;
  1690. }
  1691. # endif /* OPENSSL_HAS_ECC */
  1692. #endif /* WITH_OPENSSL */
  1693. int
  1694. sshkey_generate(int type, u_int bits, struct sshkey **keyp)
  1695. {
  1696. struct sshkey *k;
  1697. int ret = SSH_ERR_INTERNAL_ERROR;
  1698. if (keyp == NULL)
  1699. return SSH_ERR_INVALID_ARGUMENT;
  1700. *keyp = NULL;
  1701. if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
  1702. return SSH_ERR_ALLOC_FAIL;
  1703. switch (type) {
  1704. case KEY_ED25519:
  1705. if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
  1706. (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
  1707. ret = SSH_ERR_ALLOC_FAIL;
  1708. break;
  1709. }
  1710. crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
  1711. ret = 0;
  1712. break;
  1713. #ifdef WITH_XMSS
  1714. case KEY_XMSS:
  1715. ret = sshkey_xmss_generate_private_key(k, bits);
  1716. break;
  1717. #endif /* WITH_XMSS */
  1718. #ifdef WITH_OPENSSL
  1719. case KEY_DSA:
  1720. ret = dsa_generate_private_key(bits, &k->dsa);
  1721. break;
  1722. # ifdef OPENSSL_HAS_ECC
  1723. case KEY_ECDSA:
  1724. ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
  1725. &k->ecdsa);
  1726. break;
  1727. # endif /* OPENSSL_HAS_ECC */
  1728. case KEY_RSA:
  1729. ret = rsa_generate_private_key(bits, &k->rsa);
  1730. break;
  1731. #endif /* WITH_OPENSSL */
  1732. default:
  1733. ret = SSH_ERR_INVALID_ARGUMENT;
  1734. }
  1735. if (ret == 0) {
  1736. k->type = type;
  1737. *keyp = k;
  1738. } else
  1739. sshkey_free(k);
  1740. return ret;
  1741. }
  1742. int
  1743. sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
  1744. {
  1745. u_int i;
  1746. const struct sshkey_cert *from;
  1747. struct sshkey_cert *to;
  1748. int r = SSH_ERR_INTERNAL_ERROR;
  1749. if (to_key == NULL || (from = from_key->cert) == NULL)
  1750. return SSH_ERR_INVALID_ARGUMENT;
  1751. if ((to = cert_new()) == NULL)
  1752. return SSH_ERR_ALLOC_FAIL;
  1753. if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
  1754. (r = sshbuf_putb(to->critical, from->critical)) != 0 ||
  1755. (r = sshbuf_putb(to->extensions, from->extensions)) != 0)
  1756. goto out;
  1757. to->serial = from->serial;
  1758. to->type = from->type;
  1759. if (from->key_id == NULL)
  1760. to->key_id = NULL;
  1761. else if ((to->key_id = strdup(from->key_id)) == NULL) {
  1762. r = SSH_ERR_ALLOC_FAIL;
  1763. goto out;
  1764. }
  1765. to->valid_after = from->valid_after;
  1766. to->valid_before = from->valid_before;
  1767. if (from->signature_key == NULL)
  1768. to->signature_key = NULL;
  1769. else if ((r = sshkey_from_private(from->signature_key,
  1770. &to->signature_key)) != 0)
  1771. goto out;
  1772. if (from->signature_type != NULL &&
  1773. (to->signature_type = strdup(from->signature_type)) == NULL) {
  1774. r = SSH_ERR_ALLOC_FAIL;
  1775. goto out;
  1776. }
  1777. if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) {
  1778. r = SSH_ERR_INVALID_ARGUMENT;
  1779. goto out;
  1780. }
  1781. if (from->nprincipals > 0) {
  1782. if ((to->principals = calloc(from->nprincipals,
  1783. sizeof(*to->principals))) == NULL) {
  1784. r = SSH_ERR_ALLOC_FAIL;
  1785. goto out;
  1786. }
  1787. for (i = 0; i < from->nprincipals; i++) {
  1788. to->principals[i] = strdup(from->principals[i]);
  1789. if (to->principals[i] == NULL) {
  1790. to->nprincipals = i;
  1791. r = SSH_ERR_ALLOC_FAIL;
  1792. goto out;
  1793. }
  1794. }
  1795. }
  1796. to->nprincipals = from->nprincipals;
  1797. /* success */
  1798. cert_free(to_key->cert);
  1799. to_key->cert = to;
  1800. to = NULL;
  1801. r = 0;
  1802. out:
  1803. cert_free(to);
  1804. return r;
  1805. }
  1806. int
  1807. sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
  1808. {
  1809. struct sshkey *n = NULL;
  1810. int r = SSH_ERR_INTERNAL_ERROR;
  1811. #ifdef WITH_OPENSSL
  1812. const BIGNUM *rsa_n, *rsa_e;
  1813. BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL;
  1814. const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
  1815. BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL;
  1816. BIGNUM *dsa_pub_key_dup = NULL;
  1817. #endif /* WITH_OPENSSL */
  1818. *pkp = NULL;
  1819. if ((n = sshkey_new(k->type)) == NULL) {
  1820. r = SSH_ERR_ALLOC_FAIL;
  1821. goto out;
  1822. }
  1823. switch (k->type) {
  1824. #ifdef WITH_OPENSSL
  1825. case KEY_DSA:
  1826. case KEY_DSA_CERT:
  1827. DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
  1828. DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
  1829. if ((dsa_p_dup = BN_dup(dsa_p)) == NULL ||
  1830. (dsa_q_dup = BN_dup(dsa_q)) == NULL ||
  1831. (dsa_g_dup = BN_dup(dsa_g)) == NULL ||
  1832. (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) {
  1833. r = SSH_ERR_ALLOC_FAIL;
  1834. goto out;
  1835. }
  1836. if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
  1837. r = SSH_ERR_LIBCRYPTO_ERROR;
  1838. goto out;
  1839. }
  1840. dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */
  1841. if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) {
  1842. r = SSH_ERR_LIBCRYPTO_ERROR;
  1843. goto out;
  1844. }
  1845. dsa_pub_key_dup = NULL; /* transferred */
  1846. break;
  1847. # ifdef OPENSSL_HAS_ECC
  1848. case KEY_ECDSA:
  1849. case KEY_ECDSA_CERT:
  1850. case KEY_ECDSA_SK:
  1851. case KEY_ECDSA_SK_CERT:
  1852. n->ecdsa_nid = k->ecdsa_nid;
  1853. n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
  1854. if (n->ecdsa == NULL) {
  1855. r = SSH_ERR_ALLOC_FAIL;
  1856. goto out;
  1857. }
  1858. if (EC_KEY_set_public_key(n->ecdsa,
  1859. EC_KEY_get0_public_key(k->ecdsa)) != 1) {
  1860. r = SSH_ERR_LIBCRYPTO_ERROR;
  1861. goto out;
  1862. }
  1863. if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT)
  1864. break;
  1865. /* Append security-key application string */
  1866. if ((n->sk_application = strdup(k->sk_application)) == NULL)
  1867. goto out;
  1868. break;
  1869. # endif /* OPENSSL_HAS_ECC */
  1870. case KEY_RSA:
  1871. case KEY_RSA_CERT:
  1872. RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
  1873. if ((rsa_n_dup = BN_dup(rsa_n)) == NULL ||
  1874. (rsa_e_dup = BN_dup(rsa_e)) == NULL) {
  1875. r = SSH_ERR_ALLOC_FAIL;
  1876. goto out;
  1877. }
  1878. if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) {
  1879. r = SSH_ERR_LIBCRYPTO_ERROR;
  1880. goto out;
  1881. }
  1882. rsa_n_dup = rsa_e_dup = NULL; /* transferred */
  1883. break;
  1884. #endif /* WITH_OPENSSL */
  1885. case KEY_ED25519:
  1886. case KEY_ED25519_CERT:
  1887. case KEY_ED25519_SK:
  1888. case KEY_ED25519_SK_CERT:
  1889. if (k->ed25519_pk != NULL) {
  1890. if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
  1891. r = SSH_ERR_ALLOC_FAIL;
  1892. goto out;
  1893. }
  1894. memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
  1895. }
  1896. if (k->type != KEY_ED25519_SK &&
  1897. k->type != KEY_ED25519_SK_CERT)
  1898. break;
  1899. /* Append security-key application string */
  1900. if ((n->sk_application = strdup(k->sk_application)) == NULL)
  1901. goto out;
  1902. break;
  1903. #ifdef WITH_XMSS
  1904. case KEY_XMSS:
  1905. case KEY_XMSS_CERT:
  1906. if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0)
  1907. goto out;
  1908. if (k->xmss_pk != NULL) {
  1909. u_int32_t left;
  1910. size_t pklen = sshkey_xmss_pklen(k);
  1911. if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) {
  1912. r = SSH_ERR_INTERNAL_ERROR;
  1913. goto out;
  1914. }
  1915. if ((n->xmss_pk = malloc(pklen)) == NULL) {
  1916. r = SSH_ERR_ALLOC_FAIL;
  1917. goto out;
  1918. }
  1919. memcpy(n->xmss_pk, k->xmss_pk, pklen);
  1920. /* simulate number of signatures left on pubkey */
  1921. left = sshkey_xmss_signatures_left(k);
  1922. if (left)
  1923. sshkey_xmss_enable_maxsign(n, left);
  1924. }
  1925. break;
  1926. #endif /* WITH_XMSS */
  1927. default:
  1928. r = SSH_ERR_KEY_TYPE_UNKNOWN;
  1929. goto out;
  1930. }
  1931. if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
  1932. goto out;
  1933. /* success */
  1934. *pkp = n;
  1935. n = NULL;
  1936. r = 0;
  1937. out:
  1938. sshkey_free(n);
  1939. #ifdef WITH_OPENSSL
  1940. BN_clear_free(rsa_n_dup);
  1941. BN_clear_free(rsa_e_dup);
  1942. BN_clear_free(dsa_p_dup);
  1943. BN_clear_free(dsa_q_dup);
  1944. BN_clear_free(dsa_g_dup);
  1945. BN_clear_free(dsa_pub_key_dup);
  1946. #endif
  1947. return r;
  1948. }
  1949. int
  1950. sshkey_is_shielded(struct sshkey *k)
  1951. {
  1952. return k != NULL && k->shielded_private != NULL;
  1953. }
  1954. int
  1955. sshkey_shield_private(struct sshkey *k)
  1956. {
  1957. struct sshbuf *prvbuf = NULL;
  1958. u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH];
  1959. struct sshcipher_ctx *cctx = NULL;
  1960. const struct sshcipher *cipher;
  1961. size_t i, enclen = 0;
  1962. struct sshkey *kswap = NULL, tmp;
  1963. int r = SSH_ERR_INTERNAL_ERROR;
  1964. #ifdef DEBUG_PK
  1965. fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
  1966. #endif
  1967. if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
  1968. r = SSH_ERR_INVALID_ARGUMENT;
  1969. goto out;
  1970. }
  1971. if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
  1972. ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
  1973. r = SSH_ERR_INTERNAL_ERROR;
  1974. goto out;
  1975. }
  1976. /* Prepare a random pre-key, and from it an ephemeral key */
  1977. if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) {
  1978. r = SSH_ERR_ALLOC_FAIL;
  1979. goto out;
  1980. }
  1981. arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN);
  1982. if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
  1983. prekey, SSHKEY_SHIELD_PREKEY_LEN,
  1984. keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
  1985. goto out;
  1986. #ifdef DEBUG_PK
  1987. fprintf(stderr, "%s: key+iv\n", __func__);
  1988. sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
  1989. stderr);
  1990. #endif
  1991. if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
  1992. keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
  1993. goto out;
  1994. /* Serialise and encrypt the private key using the ephemeral key */
  1995. if ((prvbuf = sshbuf_new()) == NULL) {
  1996. r = SSH_ERR_ALLOC_FAIL;
  1997. goto out;
  1998. }
  1999. if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
  2000. goto out;
  2001. if ((r = sshkey_private_serialize_opt(k, prvbuf,
  2002. SSHKEY_SERIALIZE_SHIELD)) != 0)
  2003. goto out;
  2004. /* pad to cipher blocksize */
  2005. i = 0;
  2006. while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
  2007. if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
  2008. goto out;
  2009. }
  2010. #ifdef DEBUG_PK
  2011. fprintf(stderr, "%s: serialised\n", __func__);
  2012. sshbuf_dump(prvbuf, stderr);
  2013. #endif
  2014. /* encrypt */
  2015. enclen = sshbuf_len(prvbuf);
  2016. if ((enc = malloc(enclen)) == NULL) {
  2017. r = SSH_ERR_ALLOC_FAIL;
  2018. goto out;
  2019. }
  2020. if ((r = cipher_crypt(cctx, 0, enc,
  2021. sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
  2022. goto out;
  2023. #ifdef DEBUG_PK
  2024. fprintf(stderr, "%s: encrypted\n", __func__);
  2025. sshbuf_dump_data(enc, enclen, stderr);
  2026. #endif
  2027. /* Make a scrubbed, public-only copy of our private key argument */
  2028. if ((r = sshkey_from_private(k, &kswap)) != 0)
  2029. goto out;
  2030. /* Swap the private key out (it will be destroyed below) */
  2031. tmp = *kswap;
  2032. *kswap = *k;
  2033. *k = tmp;
  2034. /* Insert the shielded key into our argument */
  2035. k->shielded_private = enc;
  2036. k->shielded_len = enclen;
  2037. k->shield_prekey = prekey;
  2038. k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN;
  2039. enc = prekey = NULL; /* transferred */
  2040. enclen = 0;
  2041. /* preserve key fields that are required for correct operation */
  2042. k->sk_flags = kswap->sk_flags;
  2043. /* success */
  2044. r = 0;
  2045. out:
  2046. /* XXX behaviour on error - invalidate original private key? */
  2047. cipher_free(cctx);
  2048. explicit_bzero(keyiv, sizeof(keyiv));
  2049. explicit_bzero(&tmp, sizeof(tmp));
  2050. freezero(enc, enclen);
  2051. freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN);
  2052. sshkey_free(kswap);
  2053. sshbuf_free(prvbuf);
  2054. return r;
  2055. }
  2056. int
  2057. sshkey_unshield_private(struct sshkey *k)
  2058. {
  2059. struct sshbuf *prvbuf = NULL;
  2060. u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH];
  2061. struct sshcipher_ctx *cctx = NULL;
  2062. const struct sshcipher *cipher;
  2063. size_t i;
  2064. struct sshkey *kswap = NULL, tmp;
  2065. int r = SSH_ERR_INTERNAL_ERROR;
  2066. #ifdef DEBUG_PK
  2067. fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
  2068. #endif
  2069. if (!sshkey_is_shielded(k))
  2070. return 0; /* nothing to do */
  2071. if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
  2072. r = SSH_ERR_INVALID_ARGUMENT;
  2073. goto out;
  2074. }
  2075. if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
  2076. ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
  2077. r = SSH_ERR_INTERNAL_ERROR;
  2078. goto out;
  2079. }
  2080. /* check size of shielded key blob */
  2081. if (k->shielded_len < cipher_blocksize(cipher) ||
  2082. (k->shielded_len % cipher_blocksize(cipher)) != 0) {
  2083. r = SSH_ERR_INVALID_FORMAT;
  2084. goto out;
  2085. }
  2086. /* Calculate the ephemeral key from the prekey */
  2087. if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
  2088. k->shield_prekey, k->shield_prekey_len,
  2089. keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
  2090. goto out;
  2091. if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
  2092. keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
  2093. goto out;
  2094. #ifdef DEBUG_PK
  2095. fprintf(stderr, "%s: key+iv\n", __func__);
  2096. sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
  2097. stderr);
  2098. #endif
  2099. /* Decrypt and parse the shielded private key using the ephemeral key */
  2100. if ((prvbuf = sshbuf_new()) == NULL) {
  2101. r = SSH_ERR_ALLOC_FAIL;
  2102. goto out;
  2103. }
  2104. if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
  2105. goto out;
  2106. /* decrypt */
  2107. #ifdef DEBUG_PK
  2108. fprintf(stderr, "%s: encrypted\n", __func__);
  2109. sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr);
  2110. #endif
  2111. if ((r = cipher_crypt(cctx, 0, cp,
  2112. k->shielded_private, k->shielded_len, 0, 0)) != 0)
  2113. goto out;
  2114. #ifdef DEBUG_PK
  2115. fprintf(stderr, "%s: serialised\n", __func__);
  2116. sshbuf_dump(prvbuf, stderr);
  2117. #endif
  2118. /* Parse private key */
  2119. if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
  2120. goto out;
  2121. /* Check deterministic padding */
  2122. i = 0;
  2123. while (sshbuf_len(prvbuf)) {
  2124. if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0)
  2125. goto out;
  2126. if (pad != (++i & 0xff)) {
  2127. r = SSH_ERR_INVALID_FORMAT;
  2128. goto out;
  2129. }
  2130. }
  2131. /* Swap the parsed key back into place */
  2132. tmp = *kswap;
  2133. *kswap = *k;
  2134. *k = tmp;
  2135. /* success */
  2136. r = 0;
  2137. out:
  2138. cipher_free(cctx);
  2139. explicit_bzero(keyiv, sizeof(keyiv));
  2140. explicit_bzero(&tmp, sizeof(tmp));
  2141. sshkey_free(kswap);
  2142. sshbuf_free(prvbuf);
  2143. return r;
  2144. }
  2145. static int
  2146. cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
  2147. {
  2148. struct sshbuf *principals = NULL, *crit = NULL;
  2149. struct sshbuf *exts = NULL, *ca = NULL;
  2150. u_char *sig = NULL;
  2151. size_t signed_len = 0, slen = 0, kidlen = 0;
  2152. int ret = SSH_ERR_INTERNAL_ERROR;
  2153. /* Copy the entire key blob for verification and later serialisation */
  2154. if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
  2155. return ret;
  2156. /* Parse body of certificate up to signature */
  2157. if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
  2158. (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
  2159. (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
  2160. (ret = sshbuf_froms(b, &principals)) != 0 ||
  2161. (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
  2162. (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
  2163. (ret = sshbuf_froms(b, &crit)) != 0 ||
  2164. (ret = sshbuf_froms(b, &exts)) != 0 ||
  2165. (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
  2166. (ret = sshbuf_froms(b, &ca)) != 0) {
  2167. /* XXX debug print error for ret */
  2168. ret = SSH_ERR_INVALID_FORMAT;
  2169. goto out;
  2170. }
  2171. /* Signature is left in the buffer so we can calculate this length */
  2172. signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
  2173. if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
  2174. ret = SSH_ERR_INVALID_FORMAT;
  2175. goto out;
  2176. }
  2177. if (key->cert->type != SSH2_CERT_TYPE_USER &&
  2178. key->cert->type != SSH2_CERT_TYPE_HOST) {
  2179. ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
  2180. goto out;
  2181. }
  2182. /* Parse principals section */
  2183. while (sshbuf_len(principals) > 0) {
  2184. char *principal = NULL;
  2185. char **oprincipals = NULL;
  2186. if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
  2187. ret = SSH_ERR_INVALID_FORMAT;
  2188. goto out;
  2189. }
  2190. if ((ret = sshbuf_get_cstring(principals, &principal,
  2191. NULL)) != 0) {
  2192. ret = SSH_ERR_INVALID_FORMAT;
  2193. goto out;
  2194. }
  2195. oprincipals = key->cert->principals;
  2196. key->cert->principals = recallocarray(key->cert->principals,
  2197. key->cert->nprincipals, key->cert->nprincipals + 1,
  2198. sizeof(*key->cert->principals));
  2199. if (key->cert->principals == NULL) {
  2200. free(principal);
  2201. key->cert->principals = oprincipals;
  2202. ret = SSH_ERR_ALLOC_FAIL;
  2203. goto out;
  2204. }
  2205. key->cert->principals[key->cert->nprincipals++] = principal;
  2206. }
  2207. /*
  2208. * Stash a copies of the critical options and extensions sections
  2209. * for later use.
  2210. */
  2211. if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
  2212. (exts != NULL &&
  2213. (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
  2214. goto out;
  2215. /*
  2216. * Validate critical options and extensions sections format.
  2217. */
  2218. while (sshbuf_len(crit) != 0) {
  2219. if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
  2220. (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
  2221. sshbuf_reset(key->cert->critical);
  2222. ret = SSH_ERR_INVALID_FORMAT;
  2223. goto out;
  2224. }
  2225. }
  2226. while (exts != NULL && sshbuf_len(exts) != 0) {
  2227. if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
  2228. (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
  2229. sshbuf_reset(key->cert->extensions);
  2230. ret = SSH_ERR_INVALID_FORMAT;
  2231. goto out;
  2232. }
  2233. }
  2234. /* Parse CA key and check signature */
  2235. if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
  2236. ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
  2237. goto out;
  2238. }
  2239. if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
  2240. ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
  2241. goto out;
  2242. }
  2243. if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
  2244. sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0)
  2245. goto out;
  2246. if ((ret = sshkey_get_sigtype(sig, slen,
  2247. &key->cert->signature_type)) != 0)
  2248. goto out;
  2249. /* Success */
  2250. ret = 0;
  2251. out:
  2252. sshbuf_free(ca);
  2253. sshbuf_free(crit);
  2254. sshbuf_free(exts);
  2255. sshbuf_free(principals);
  2256. free(sig);
  2257. return ret;
  2258. }
  2259. #ifdef WITH_OPENSSL
  2260. static int
  2261. check_rsa_length(const RSA *rsa)
  2262. {
  2263. const BIGNUM *rsa_n;
  2264. RSA_get0_key(rsa, &rsa_n, NULL, NULL);
  2265. if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
  2266. return SSH_ERR_KEY_LENGTH;
  2267. return 0;
  2268. }
  2269. #endif
  2270. static int
  2271. sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
  2272. int allow_cert)
  2273. {
  2274. int type, ret = SSH_ERR_INTERNAL_ERROR;
  2275. char *ktype = NULL, *curve = NULL, *xmss_name = NULL;
  2276. struct sshkey *key = NULL;
  2277. size_t len;
  2278. u_char *pk = NULL;
  2279. struct sshbuf *copy;
  2280. #if defined(WITH_OPENSSL)
  2281. BIGNUM *rsa_n = NULL, *rsa_e = NULL;
  2282. BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
  2283. # if defined(OPENSSL_HAS_ECC)
  2284. EC_POINT *q = NULL;
  2285. # endif /* OPENSSL_HAS_ECC */
  2286. #endif /* WITH_OPENSSL */
  2287. #ifdef DEBUG_PK /* XXX */
  2288. sshbuf_dump(b, stderr);
  2289. #endif
  2290. if (keyp != NULL)
  2291. *keyp = NULL;
  2292. if ((copy = sshbuf_fromb(b)) == NULL) {
  2293. ret = SSH_ERR_ALLOC_FAIL;
  2294. goto out;
  2295. }
  2296. if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
  2297. ret = SSH_ERR_INVALID_FORMAT;
  2298. goto out;
  2299. }
  2300. type = sshkey_type_from_name(ktype);
  2301. if (!allow_cert && sshkey_type_is_cert(type)) {
  2302. ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
  2303. goto out;
  2304. }
  2305. switch (type) {
  2306. #ifdef WITH_OPENSSL
  2307. case KEY_RSA_CERT:
  2308. /* Skip nonce */
  2309. if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
  2310. ret = SSH_ERR_INVALID_FORMAT;
  2311. goto out;
  2312. }
  2313. /* FALLTHROUGH */
  2314. case KEY_RSA:
  2315. if ((key = sshkey_new(type)) == NULL) {
  2316. ret = SSH_ERR_ALLOC_FAIL;
  2317. goto out;
  2318. }
  2319. if (sshbuf_get_bignum2(b, &rsa_e) != 0 ||
  2320. sshbuf_get_bignum2(b, &rsa_n) != 0) {
  2321. ret = SSH_ERR_INVALID_FORMAT;
  2322. goto out;
  2323. }
  2324. if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {
  2325. ret = SSH_ERR_LIBCRYPTO_ERROR;
  2326. goto out;
  2327. }
  2328. rsa_n = rsa_e = NULL; /* transferred */
  2329. if ((ret = check_rsa_length(key->rsa)) != 0)
  2330. goto out;
  2331. #ifdef DEBUG_PK
  2332. RSA_print_fp(stderr, key->rsa, 8);
  2333. #endif
  2334. break;
  2335. case KEY_DSA_CERT:
  2336. /* Skip nonce */
  2337. if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
  2338. ret = SSH_ERR_INVALID_FORMAT;
  2339. goto out;
  2340. }
  2341. /* FALLTHROUGH */
  2342. case KEY_DSA:
  2343. if ((key = sshkey_new(type)) == NULL) {
  2344. ret = SSH_ERR_ALLOC_FAIL;
  2345. goto out;
  2346. }
  2347. if (sshbuf_get_bignum2(b, &dsa_p) != 0 ||
  2348. sshbuf_get_bignum2(b, &dsa_q) != 0 ||
  2349. sshbuf_get_bignum2(b, &dsa_g) != 0 ||
  2350. sshbuf_get_bignum2(b, &dsa_pub_key) != 0) {
  2351. ret = SSH_ERR_INVALID_FORMAT;
  2352. goto out;
  2353. }
  2354. if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
  2355. ret = SSH_ERR_LIBCRYPTO_ERROR;
  2356. goto out;
  2357. }
  2358. dsa_p = dsa_q = dsa_g = NULL; /* transferred */
  2359. if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
  2360. ret = SSH_ERR_LIBCRYPTO_ERROR;
  2361. goto out;
  2362. }
  2363. dsa_pub_key = NULL; /* transferred */
  2364. #ifdef DEBUG_PK
  2365. DSA_print_fp(stderr, key->dsa, 8);
  2366. #endif
  2367. break;
  2368. # ifdef OPENSSL_HAS_ECC
  2369. case KEY_ECDSA_CERT:
  2370. case KEY_ECDSA_SK_CERT:
  2371. /* Skip nonce */
  2372. if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
  2373. ret = SSH_ERR_INVALID_FORMAT;
  2374. goto out;
  2375. }
  2376. /* FALLTHROUGH */
  2377. case KEY_ECDSA:
  2378. case KEY_ECDSA_SK:
  2379. if ((key = sshkey_new(type)) == NULL) {
  2380. ret = SSH_ERR_ALLOC_FAIL;
  2381. goto out;
  2382. }
  2383. key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
  2384. if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
  2385. ret = SSH_ERR_INVALID_FORMAT;
  2386. goto out;
  2387. }
  2388. if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
  2389. ret = SSH_ERR_EC_CURVE_MISMATCH;
  2390. goto out;
  2391. }
  2392. EC_KEY_free(key->ecdsa);
  2393. if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
  2394. == NULL) {
  2395. ret = SSH_ERR_EC_CURVE_INVALID;
  2396. goto out;
  2397. }
  2398. if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
  2399. ret = SSH_ERR_ALLOC_FAIL;
  2400. goto out;
  2401. }
  2402. if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
  2403. ret = SSH_ERR_INVALID_FORMAT;
  2404. goto out;
  2405. }
  2406. if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
  2407. q) != 0) {
  2408. ret = SSH_ERR_KEY_INVALID_EC_VALUE;
  2409. goto out;
  2410. }
  2411. if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
  2412. /* XXX assume it is a allocation error */
  2413. ret = SSH_ERR_ALLOC_FAIL;
  2414. goto out;
  2415. }
  2416. #ifdef DEBUG_PK
  2417. sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
  2418. #endif
  2419. if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) {
  2420. /* Parse additional security-key application string */
  2421. if (sshbuf_get_cstring(b, &key->sk_application,
  2422. NULL) != 0) {
  2423. ret = SSH_ERR_INVALID_FORMAT;
  2424. goto out;
  2425. }
  2426. #ifdef DEBUG_PK
  2427. fprintf(stderr, "App: %s\n", key->sk_application);
  2428. #endif
  2429. }
  2430. break;
  2431. # endif /* OPENSSL_HAS_ECC */
  2432. #endif /* WITH_OPENSSL */
  2433. case KEY_ED25519_CERT:
  2434. case KEY_ED25519_SK_CERT:
  2435. /* Skip nonce */
  2436. if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
  2437. ret = SSH_ERR_INVALID_FORMAT;
  2438. goto out;
  2439. }
  2440. /* FALLTHROUGH */
  2441. case KEY_ED25519:
  2442. case KEY_ED25519_SK:
  2443. if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
  2444. goto out;
  2445. if (len != ED25519_PK_SZ) {
  2446. ret = SSH_ERR_INVALID_FORMAT;
  2447. goto out;
  2448. }
  2449. if ((key = sshkey_new(type)) == NULL) {
  2450. ret = SSH_ERR_ALLOC_FAIL;
  2451. goto out;
  2452. }
  2453. if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) {
  2454. /* Parse additional security-key application string */
  2455. if (sshbuf_get_cstring(b, &key->sk_application,
  2456. NULL) != 0) {
  2457. ret = SSH_ERR_INVALID_FORMAT;
  2458. goto out;
  2459. }
  2460. #ifdef DEBUG_PK
  2461. fprintf(stderr, "App: %s\n", key->sk_application);
  2462. #endif
  2463. }
  2464. key->ed25519_pk = pk;
  2465. pk = NULL;
  2466. break;
  2467. #ifdef WITH_XMSS
  2468. case KEY_XMSS_CERT:
  2469. /* Skip nonce */
  2470. if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
  2471. ret = SSH_ERR_INVALID_FORMAT;
  2472. goto out;
  2473. }
  2474. /* FALLTHROUGH */
  2475. case KEY_XMSS:
  2476. if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0)
  2477. goto out;
  2478. if ((key = sshkey_new(type)) == NULL) {
  2479. ret = SSH_ERR_ALLOC_FAIL;
  2480. goto out;
  2481. }
  2482. if ((ret = sshkey_xmss_init(key, xmss_name)) != 0)
  2483. goto out;
  2484. if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
  2485. goto out;
  2486. if (len == 0 || len != sshkey_xmss_pklen(key)) {
  2487. ret = SSH_ERR_INVALID_FORMAT;
  2488. goto out;
  2489. }
  2490. key->xmss_pk = pk;
  2491. pk = NULL;
  2492. if (type != KEY_XMSS_CERT &&
  2493. (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0)
  2494. goto out;
  2495. break;
  2496. #endif /* WITH_XMSS */
  2497. case KEY_UNSPEC:
  2498. default:
  2499. ret = SSH_ERR_KEY_TYPE_UNKNOWN;
  2500. goto out;
  2501. }
  2502. /* Parse certificate potion */
  2503. if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
  2504. goto out;
  2505. if (key != NULL && sshbuf_len(b) != 0) {
  2506. ret = SSH_ERR_INVALID_FORMAT;
  2507. goto out;
  2508. }
  2509. ret = 0;
  2510. if (keyp != NULL) {
  2511. *keyp = key;
  2512. key = NULL;
  2513. }
  2514. out:
  2515. sshbuf_free(copy);
  2516. sshkey_free(key);
  2517. free(xmss_name);
  2518. free(ktype);
  2519. free(curve);
  2520. free(pk);
  2521. #if defined(WITH_OPENSSL)
  2522. BN_clear_free(rsa_n);
  2523. BN_clear_free(rsa_e);
  2524. BN_clear_free(dsa_p);
  2525. BN_clear_free(dsa_q);
  2526. BN_clear_free(dsa_g);
  2527. BN_clear_free(dsa_pub_key);
  2528. # if defined(OPENSSL_HAS_ECC)
  2529. EC_POINT_free(q);
  2530. # endif /* OPENSSL_HAS_ECC */
  2531. #endif /* WITH_OPENSSL */
  2532. return ret;
  2533. }
  2534. int
  2535. sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
  2536. {
  2537. struct sshbuf *b;
  2538. int r;
  2539. if ((b = sshbuf_from(blob, blen)) == NULL)
  2540. return SSH_ERR_ALLOC_FAIL;
  2541. r = sshkey_from_blob_internal(b, keyp, 1);
  2542. sshbuf_free(b);
  2543. return r;
  2544. }
  2545. int
  2546. sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
  2547. {
  2548. return sshkey_from_blob_internal(b, keyp, 1);
  2549. }
  2550. int
  2551. sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
  2552. {
  2553. struct sshbuf *b;
  2554. int r;
  2555. if ((r = sshbuf_froms(buf, &b)) != 0)
  2556. return r;
  2557. r = sshkey_from_blob_internal(b, keyp, 1);
  2558. sshbuf_free(b);
  2559. return r;
  2560. }
  2561. int
  2562. sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
  2563. {
  2564. int r;
  2565. struct sshbuf *b = NULL;
  2566. char *sigtype = NULL;
  2567. if (sigtypep != NULL)
  2568. *sigtypep = NULL;
  2569. if ((b = sshbuf_from(sig, siglen)) == NULL)
  2570. return SSH_ERR_ALLOC_FAIL;
  2571. if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
  2572. goto out;
  2573. /* success */
  2574. if (sigtypep != NULL) {
  2575. *sigtypep = sigtype;
  2576. sigtype = NULL;
  2577. }
  2578. r = 0;
  2579. out:
  2580. free(sigtype);
  2581. sshbuf_free(b);
  2582. return r;
  2583. }
  2584. /*
  2585. *
  2586. * Checks whether a certificate's signature type is allowed.
  2587. * Returns 0 (success) if the certificate signature type appears in the
  2588. * "allowed" pattern-list, or the key is not a certificate to begin with.
  2589. * Otherwise returns a ssherr.h code.
  2590. */
  2591. int
  2592. sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
  2593. {
  2594. if (key == NULL || allowed == NULL)
  2595. return SSH_ERR_INVALID_ARGUMENT;
  2596. if (!sshkey_type_is_cert(key->type))
  2597. return 0;
  2598. if (key->cert == NULL || key->cert->signature_type == NULL)
  2599. return SSH_ERR_INVALID_ARGUMENT;
  2600. if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
  2601. return SSH_ERR_SIGN_ALG_UNSUPPORTED;
  2602. return 0;
  2603. }
  2604. /*
  2605. * Returns the expected signature algorithm for a given public key algorithm.
  2606. */
  2607. const char *
  2608. sshkey_sigalg_by_name(const char *name)
  2609. {
  2610. const struct keytype *kt;
  2611. for (kt = keytypes; kt->type != -1; kt++) {
  2612. if (strcmp(kt->name, name) != 0)
  2613. continue;
  2614. if (kt->sigalg != NULL)
  2615. return kt->sigalg;
  2616. if (!kt->cert)
  2617. return kt->name;
  2618. return sshkey_ssh_name_from_type_nid(
  2619. sshkey_type_plain(kt->type), kt->nid);
  2620. }
  2621. return NULL;
  2622. }
  2623. /*
  2624. * Verifies that the signature algorithm appearing inside the signature blob
  2625. * matches that which was requested.
  2626. */
  2627. int
  2628. sshkey_check_sigtype(const u_char *sig, size_t siglen,
  2629. const char *requested_alg)
  2630. {
  2631. const char *expected_alg;
  2632. char *sigtype = NULL;
  2633. int r;
  2634. if (requested_alg == NULL)
  2635. return 0;
  2636. if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
  2637. return SSH_ERR_INVALID_ARGUMENT;
  2638. if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
  2639. return r;
  2640. r = strcmp(expected_alg, sigtype) == 0;
  2641. free(sigtype);
  2642. return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED;
  2643. }
  2644. int
  2645. sshkey_sign(struct sshkey *key,
  2646. u_char **sigp, size_t *lenp,
  2647. const u_char *data, size_t datalen,
  2648. const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
  2649. {
  2650. int was_shielded = sshkey_is_shielded(key);
  2651. int r2, r = SSH_ERR_INTERNAL_ERROR;
  2652. if (sigp != NULL)
  2653. *sigp = NULL;
  2654. if (lenp != NULL)
  2655. *lenp = 0;
  2656. if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
  2657. return SSH_ERR_INVALID_ARGUMENT;
  2658. if ((r = sshkey_unshield_private(key)) != 0)
  2659. return r;
  2660. switch (key->type) {
  2661. #ifdef WITH_OPENSSL
  2662. case KEY_DSA_CERT:
  2663. case KEY_DSA:
  2664. r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
  2665. break;
  2666. # ifdef OPENSSL_HAS_ECC
  2667. case KEY_ECDSA_CERT:
  2668. case KEY_ECDSA:
  2669. r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
  2670. break;
  2671. # endif /* OPENSSL_HAS_ECC */
  2672. case KEY_RSA_CERT:
  2673. case KEY_RSA:
  2674. r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
  2675. break;
  2676. #endif /* WITH_OPENSSL */
  2677. case KEY_ED25519:
  2678. case KEY_ED25519_CERT:
  2679. r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
  2680. break;
  2681. case KEY_ED25519_SK:
  2682. case KEY_ED25519_SK_CERT:
  2683. case KEY_ECDSA_SK_CERT:
  2684. case KEY_ECDSA_SK:
  2685. r = sshsk_sign(sk_provider, key, sigp, lenp, data,
  2686. datalen, compat, sk_pin);
  2687. break;
  2688. #ifdef WITH_XMSS
  2689. case KEY_XMSS:
  2690. case KEY_XMSS_CERT:
  2691. r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat);
  2692. break;
  2693. #endif /* WITH_XMSS */
  2694. default:
  2695. r = SSH_ERR_KEY_TYPE_UNKNOWN;
  2696. break;
  2697. }
  2698. if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
  2699. return r2;
  2700. return r;
  2701. }
  2702. /*
  2703. * ssh_key_verify returns 0 for a correct signature and < 0 on error.
  2704. * If "alg" specified, then the signature must use that algorithm.
  2705. */
  2706. int
  2707. sshkey_verify(const struct sshkey *key,
  2708. const u_char *sig, size_t siglen,
  2709. const u_char *data, size_t dlen, const char *alg, u_int compat,
  2710. struct sshkey_sig_details **detailsp)
  2711. {
  2712. if (detailsp != NULL)
  2713. *detailsp = NULL;
  2714. if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
  2715. return SSH_ERR_INVALID_ARGUMENT;
  2716. switch (key->type) {
  2717. #ifdef WITH_OPENSSL
  2718. case KEY_DSA_CERT:
  2719. case KEY_DSA:
  2720. return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
  2721. # ifdef OPENSSL_HAS_ECC
  2722. case KEY_ECDSA_CERT:
  2723. case KEY_ECDSA:
  2724. return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
  2725. case KEY_ECDSA_SK_CERT:
  2726. case KEY_ECDSA_SK:
  2727. return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
  2728. compat, detailsp);
  2729. # endif /* OPENSSL_HAS_ECC */
  2730. case KEY_RSA_CERT:
  2731. case KEY_RSA:
  2732. return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
  2733. #endif /* WITH_OPENSSL */
  2734. case KEY_ED25519:
  2735. case KEY_ED25519_CERT:
  2736. return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
  2737. case KEY_ED25519_SK:
  2738. case KEY_ED25519_SK_CERT:
  2739. return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
  2740. compat, detailsp);
  2741. #ifdef WITH_XMSS
  2742. case KEY_XMSS:
  2743. case KEY_XMSS_CERT:
  2744. return ssh_xmss_verify(key, sig, siglen, data, dlen, compat);
  2745. #endif /* WITH_XMSS */
  2746. default:
  2747. return SSH_ERR_KEY_TYPE_UNKNOWN;
  2748. }
  2749. }
  2750. /* Convert a plain key to their _CERT equivalent */
  2751. int
  2752. sshkey_to_certified(struct sshkey *k)
  2753. {
  2754. int newtype;
  2755. switch (k->type) {
  2756. #ifdef WITH_OPENSSL
  2757. case KEY_RSA:
  2758. newtype = KEY_RSA_CERT;
  2759. break;
  2760. case KEY_DSA:
  2761. newtype = KEY_DSA_CERT;
  2762. break;
  2763. case KEY_ECDSA:
  2764. newtype = KEY_ECDSA_CERT;
  2765. break;
  2766. case KEY_ECDSA_SK:
  2767. newtype = KEY_ECDSA_SK_CERT;
  2768. break;
  2769. #endif /* WITH_OPENSSL */
  2770. case KEY_ED25519_SK:
  2771. newtype = KEY_ED25519_SK_CERT;
  2772. break;
  2773. case KEY_ED25519:
  2774. newtype = KEY_ED25519_CERT;
  2775. break;
  2776. #ifdef WITH_XMSS
  2777. case KEY_XMSS:
  2778. newtype = KEY_XMSS_CERT;
  2779. break;
  2780. #endif /* WITH_XMSS */
  2781. default:
  2782. return SSH_ERR_INVALID_ARGUMENT;
  2783. }
  2784. if ((k->cert = cert_new()) == NULL)
  2785. return SSH_ERR_ALLOC_FAIL;
  2786. k->type = newtype;
  2787. return 0;
  2788. }
  2789. /* Convert a certificate to its raw key equivalent */
  2790. int
  2791. sshkey_drop_cert(struct sshkey *k)
  2792. {
  2793. if (!sshkey_type_is_cert(k->type))
  2794. return SSH_ERR_KEY_TYPE_UNKNOWN;
  2795. cert_free(k->cert);
  2796. k->cert = NULL;
  2797. k->type = sshkey_type_plain(k->type);
  2798. return 0;
  2799. }
  2800. /* Sign a certified key, (re-)generating the signed certblob. */
  2801. int
  2802. sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
  2803. const char *sk_provider, const char *sk_pin,
  2804. sshkey_certify_signer *signer, void *signer_ctx)
  2805. {
  2806. struct sshbuf *principals = NULL;
  2807. u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
  2808. size_t i, ca_len, sig_len;
  2809. int ret = SSH_ERR_INTERNAL_ERROR;
  2810. struct sshbuf *cert = NULL;
  2811. char *sigtype = NULL;
  2812. #ifdef WITH_OPENSSL
  2813. const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
  2814. #endif /* WITH_OPENSSL */
  2815. if (k == NULL || k->cert == NULL ||
  2816. k->cert->certblob == NULL || ca == NULL)
  2817. return SSH_ERR_INVALID_ARGUMENT;
  2818. if (!sshkey_is_cert(k))
  2819. return SSH_ERR_KEY_TYPE_UNKNOWN;
  2820. if (!sshkey_type_is_valid_ca(ca->type))
  2821. return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
  2822. /*
  2823. * If no alg specified as argument but a signature_type was set,
  2824. * then prefer that. If both were specified, then they must match.
  2825. */
  2826. if (alg == NULL)
  2827. alg = k->cert->signature_type;
  2828. else if (k->cert->signature_type != NULL &&
  2829. strcmp(alg, k->cert->signature_type) != 0)
  2830. return SSH_ERR_INVALID_ARGUMENT;
  2831. /*
  2832. * If no signing algorithm or signature_type was specified and we're
  2833. * using a RSA key, then default to a good signature algorithm.
  2834. */
  2835. if (alg == NULL && ca->type == KEY_RSA)
  2836. alg = "rsa-sha2-512";
  2837. if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
  2838. return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
  2839. cert = k->cert->certblob; /* for readability */
  2840. sshbuf_reset(cert);
  2841. if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
  2842. goto out;
  2843. /* -v01 certs put nonce first */
  2844. arc4random_buf(&nonce, sizeof(nonce));
  2845. if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
  2846. goto out;
  2847. /* XXX this substantially duplicates to_blob(); refactor */
  2848. switch (k->type) {
  2849. #ifdef WITH_OPENSSL
  2850. case KEY_DSA_CERT:
  2851. DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
  2852. DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
  2853. if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 ||
  2854. (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 ||
  2855. (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 ||
  2856. (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
  2857. goto out;
  2858. break;
  2859. # ifdef OPENSSL_HAS_ECC
  2860. case KEY_ECDSA_CERT:
  2861. case KEY_ECDSA_SK_CERT:
  2862. if ((ret = sshbuf_put_cstring(cert,
  2863. sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
  2864. (ret = sshbuf_put_ec(cert,
  2865. EC_KEY_get0_public_key(k->ecdsa),
  2866. EC_KEY_get0_group(k->ecdsa))) != 0)
  2867. goto out;
  2868. if (k->type == KEY_ECDSA_SK_CERT) {
  2869. if ((ret = sshbuf_put_cstring(cert,
  2870. k->sk_application)) != 0)
  2871. goto out;
  2872. }
  2873. break;
  2874. # endif /* OPENSSL_HAS_ECC */
  2875. case KEY_RSA_CERT:
  2876. RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
  2877. if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 ||
  2878. (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
  2879. goto out;
  2880. break;
  2881. #endif /* WITH_OPENSSL */
  2882. case KEY_ED25519_CERT:
  2883. case KEY_ED25519_SK_CERT:
  2884. if ((ret = sshbuf_put_string(cert,
  2885. k->ed25519_pk, ED25519_PK_SZ)) != 0)
  2886. goto out;
  2887. if (k->type == KEY_ED25519_SK_CERT) {
  2888. if ((ret = sshbuf_put_cstring(cert,
  2889. k->sk_application)) != 0)
  2890. goto out;
  2891. }
  2892. break;
  2893. #ifdef WITH_XMSS
  2894. case KEY_XMSS_CERT:
  2895. if (k->xmss_name == NULL) {
  2896. ret = SSH_ERR_INVALID_ARGUMENT;
  2897. goto out;
  2898. }
  2899. if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) ||
  2900. (ret = sshbuf_put_string(cert,
  2901. k->xmss_pk, sshkey_xmss_pklen(k))) != 0)
  2902. goto out;
  2903. break;
  2904. #endif /* WITH_XMSS */
  2905. default:
  2906. ret = SSH_ERR_INVALID_ARGUMENT;
  2907. goto out;
  2908. }
  2909. if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
  2910. (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
  2911. (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
  2912. goto out;
  2913. if ((principals = sshbuf_new()) == NULL) {
  2914. ret = SSH_ERR_ALLOC_FAIL;
  2915. goto out;
  2916. }
  2917. for (i = 0; i < k->cert->nprincipals; i++) {
  2918. if ((ret = sshbuf_put_cstring(principals,
  2919. k->cert->principals[i])) != 0)
  2920. goto out;
  2921. }
  2922. if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
  2923. (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
  2924. (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
  2925. (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
  2926. (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
  2927. (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
  2928. (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
  2929. goto out;
  2930. /* Sign the whole mess */
  2931. if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
  2932. sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0)
  2933. goto out;
  2934. /* Check and update signature_type against what was actually used */
  2935. if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
  2936. goto out;
  2937. if (alg != NULL && strcmp(alg, sigtype) != 0) {
  2938. ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
  2939. goto out;
  2940. }
  2941. if (k->cert->signature_type == NULL) {
  2942. k->cert->signature_type = sigtype;
  2943. sigtype = NULL;
  2944. }
  2945. /* Append signature and we are done */
  2946. if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
  2947. goto out;
  2948. ret = 0;
  2949. out:
  2950. if (ret != 0)
  2951. sshbuf_reset(cert);
  2952. free(sig_blob);
  2953. free(ca_blob);
  2954. free(sigtype);
  2955. sshbuf_free(principals);
  2956. return ret;
  2957. }
  2958. static int
  2959. default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
  2960. const u_char *data, size_t datalen,
  2961. const char *alg, const char *sk_provider, const char *sk_pin,
  2962. u_int compat, void *ctx)
  2963. {
  2964. if (ctx != NULL)
  2965. return SSH_ERR_INVALID_ARGUMENT;
  2966. return sshkey_sign(key, sigp, lenp, data, datalen, alg,
  2967. sk_provider, sk_pin, compat);
  2968. }
  2969. int
  2970. sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
  2971. const char *sk_provider, const char *sk_pin)
  2972. {
  2973. return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin,
  2974. default_key_sign, NULL);
  2975. }
  2976. int
  2977. sshkey_cert_check_authority(const struct sshkey *k,
  2978. int want_host, int require_principal, int wildcard_pattern,
  2979. const char *name, const char **reason)
  2980. {
  2981. u_int i, principal_matches;
  2982. time_t now = time(NULL);
  2983. if (reason == NULL)
  2984. return SSH_ERR_INVALID_ARGUMENT;
  2985. if (!sshkey_is_cert(k)) {
  2986. *reason = "Key is not a certificate";
  2987. return SSH_ERR_KEY_CERT_INVALID;
  2988. }
  2989. if (want_host) {
  2990. if (k->cert->type != SSH2_CERT_TYPE_HOST) {
  2991. *reason = "Certificate invalid: not a host certificate";
  2992. return SSH_ERR_KEY_CERT_INVALID;
  2993. }
  2994. } else {
  2995. if (k->cert->type != SSH2_CERT_TYPE_USER) {
  2996. *reason = "Certificate invalid: not a user certificate";
  2997. return SSH_ERR_KEY_CERT_INVALID;
  2998. }
  2999. }
  3000. if (now < 0) {
  3001. /* yikes - system clock before epoch! */
  3002. *reason = "Certificate invalid: not yet valid";
  3003. return SSH_ERR_KEY_CERT_INVALID;
  3004. }
  3005. if ((u_int64_t)now < k->cert->valid_after) {
  3006. *reason = "Certificate invalid: not yet valid";
  3007. return SSH_ERR_KEY_CERT_INVALID;
  3008. }
  3009. if ((u_int64_t)now >= k->cert->valid_before) {
  3010. *reason = "Certificate invalid: expired";
  3011. return SSH_ERR_KEY_CERT_INVALID;
  3012. }
  3013. if (k->cert->nprincipals == 0) {
  3014. if (require_principal) {
  3015. *reason = "Certificate lacks principal list";
  3016. return SSH_ERR_KEY_CERT_INVALID;
  3017. }
  3018. } else if (name != NULL) {
  3019. principal_matches = 0;
  3020. for (i = 0; i < k->cert->nprincipals; i++) {
  3021. if (wildcard_pattern) {
  3022. if (match_pattern(k->cert->principals[i],
  3023. name)) {
  3024. principal_matches = 1;
  3025. break;
  3026. }
  3027. } else if (strcmp(name, k->cert->principals[i]) == 0) {
  3028. principal_matches = 1;
  3029. break;
  3030. }
  3031. }
  3032. if (!principal_matches) {
  3033. *reason = "Certificate invalid: name is not a listed "
  3034. "principal";
  3035. return SSH_ERR_KEY_CERT_INVALID;
  3036. }
  3037. }
  3038. return 0;
  3039. }
  3040. int
  3041. sshkey_cert_check_host(const struct sshkey *key, const char *host,
  3042. int wildcard_principals, const char *ca_sign_algorithms,
  3043. const char **reason)
  3044. {
  3045. int r;
  3046. if ((r = sshkey_cert_check_authority(key, 1, 0, wildcard_principals,
  3047. host, reason)) != 0)
  3048. return r;
  3049. if (sshbuf_len(key->cert->critical) != 0) {
  3050. *reason = "Certificate contains unsupported critical options";
  3051. return SSH_ERR_KEY_CERT_INVALID;
  3052. }
  3053. if (ca_sign_algorithms != NULL &&
  3054. (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) {
  3055. *reason = "Certificate signed with disallowed algorithm";
  3056. return SSH_ERR_KEY_CERT_INVALID;
  3057. }
  3058. return 0;
  3059. }
  3060. size_t
  3061. sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
  3062. {
  3063. char from[32], to[32], ret[128];
  3064. time_t tt;
  3065. struct tm *tm;
  3066. *from = *to = '\0';
  3067. if (cert->valid_after == 0 &&
  3068. cert->valid_before == 0xffffffffffffffffULL)
  3069. return strlcpy(s, "forever", l);
  3070. if (cert->valid_after != 0) {
  3071. /* XXX revisit INT_MAX in 2038 :) */
  3072. tt = cert->valid_after > INT_MAX ?
  3073. INT_MAX : cert->valid_after;
  3074. tm = localtime(&tt);
  3075. strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
  3076. }
  3077. if (cert->valid_before != 0xffffffffffffffffULL) {
  3078. /* XXX revisit INT_MAX in 2038 :) */
  3079. tt = cert->valid_before > INT_MAX ?
  3080. INT_MAX : cert->valid_before;
  3081. tm = localtime(&tt);
  3082. strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
  3083. }
  3084. if (cert->valid_after == 0)
  3085. snprintf(ret, sizeof(ret), "before %s", to);
  3086. else if (cert->valid_before == 0xffffffffffffffffULL)
  3087. snprintf(ret, sizeof(ret), "after %s", from);
  3088. else
  3089. snprintf(ret, sizeof(ret), "from %s to %s", from, to);
  3090. return strlcpy(s, ret, l);
  3091. }
  3092. int
  3093. sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
  3094. enum sshkey_serialize_rep opts)
  3095. {
  3096. int r = SSH_ERR_INTERNAL_ERROR;
  3097. int was_shielded = sshkey_is_shielded(key);
  3098. struct sshbuf *b = NULL;
  3099. #ifdef WITH_OPENSSL
  3100. const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
  3101. const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
  3102. #endif /* WITH_OPENSSL */
  3103. if ((r = sshkey_unshield_private(key)) != 0)
  3104. return r;
  3105. if ((b = sshbuf_new()) == NULL)
  3106. return SSH_ERR_ALLOC_FAIL;
  3107. if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
  3108. goto out;
  3109. switch (key->type) {
  3110. #ifdef WITH_OPENSSL
  3111. case KEY_RSA:
  3112. RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
  3113. RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
  3114. RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
  3115. if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
  3116. (r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
  3117. (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
  3118. (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
  3119. (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
  3120. (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
  3121. goto out;
  3122. break;
  3123. case KEY_RSA_CERT:
  3124. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
  3125. r = SSH_ERR_INVALID_ARGUMENT;
  3126. goto out;
  3127. }
  3128. RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
  3129. RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
  3130. RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
  3131. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3132. (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
  3133. (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
  3134. (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
  3135. (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
  3136. goto out;
  3137. break;
  3138. case KEY_DSA:
  3139. DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
  3140. DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
  3141. if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
  3142. (r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
  3143. (r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
  3144. (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
  3145. (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
  3146. goto out;
  3147. break;
  3148. case KEY_DSA_CERT:
  3149. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
  3150. r = SSH_ERR_INVALID_ARGUMENT;
  3151. goto out;
  3152. }
  3153. DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
  3154. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3155. (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
  3156. goto out;
  3157. break;
  3158. # ifdef OPENSSL_HAS_ECC
  3159. case KEY_ECDSA:
  3160. if ((r = sshbuf_put_cstring(b,
  3161. sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
  3162. (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
  3163. (r = sshbuf_put_bignum2(b,
  3164. EC_KEY_get0_private_key(key->ecdsa))) != 0)
  3165. goto out;
  3166. break;
  3167. case KEY_ECDSA_CERT:
  3168. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
  3169. r = SSH_ERR_INVALID_ARGUMENT;
  3170. goto out;
  3171. }
  3172. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3173. (r = sshbuf_put_bignum2(b,
  3174. EC_KEY_get0_private_key(key->ecdsa))) != 0)
  3175. goto out;
  3176. break;
  3177. case KEY_ECDSA_SK:
  3178. if ((r = sshbuf_put_cstring(b,
  3179. sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
  3180. (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
  3181. (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
  3182. (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
  3183. (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
  3184. (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
  3185. goto out;
  3186. break;
  3187. case KEY_ECDSA_SK_CERT:
  3188. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
  3189. r = SSH_ERR_INVALID_ARGUMENT;
  3190. goto out;
  3191. }
  3192. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3193. (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
  3194. (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
  3195. (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
  3196. (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
  3197. goto out;
  3198. break;
  3199. # endif /* OPENSSL_HAS_ECC */
  3200. #endif /* WITH_OPENSSL */
  3201. case KEY_ED25519:
  3202. if ((r = sshbuf_put_string(b, key->ed25519_pk,
  3203. ED25519_PK_SZ)) != 0 ||
  3204. (r = sshbuf_put_string(b, key->ed25519_sk,
  3205. ED25519_SK_SZ)) != 0)
  3206. goto out;
  3207. break;
  3208. case KEY_ED25519_CERT:
  3209. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
  3210. r = SSH_ERR_INVALID_ARGUMENT;
  3211. goto out;
  3212. }
  3213. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3214. (r = sshbuf_put_string(b, key->ed25519_pk,
  3215. ED25519_PK_SZ)) != 0 ||
  3216. (r = sshbuf_put_string(b, key->ed25519_sk,
  3217. ED25519_SK_SZ)) != 0)
  3218. goto out;
  3219. break;
  3220. case KEY_ED25519_SK:
  3221. if ((r = sshbuf_put_string(b, key->ed25519_pk,
  3222. ED25519_PK_SZ)) != 0 ||
  3223. (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
  3224. (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
  3225. (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
  3226. (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
  3227. goto out;
  3228. break;
  3229. case KEY_ED25519_SK_CERT:
  3230. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
  3231. r = SSH_ERR_INVALID_ARGUMENT;
  3232. goto out;
  3233. }
  3234. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3235. (r = sshbuf_put_string(b, key->ed25519_pk,
  3236. ED25519_PK_SZ)) != 0 ||
  3237. (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
  3238. (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
  3239. (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
  3240. (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
  3241. goto out;
  3242. break;
  3243. #ifdef WITH_XMSS
  3244. case KEY_XMSS:
  3245. if (key->xmss_name == NULL) {
  3246. r = SSH_ERR_INVALID_ARGUMENT;
  3247. goto out;
  3248. }
  3249. if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
  3250. (r = sshbuf_put_string(b, key->xmss_pk,
  3251. sshkey_xmss_pklen(key))) != 0 ||
  3252. (r = sshbuf_put_string(b, key->xmss_sk,
  3253. sshkey_xmss_sklen(key))) != 0 ||
  3254. (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
  3255. goto out;
  3256. break;
  3257. case KEY_XMSS_CERT:
  3258. if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 ||
  3259. key->xmss_name == NULL) {
  3260. r = SSH_ERR_INVALID_ARGUMENT;
  3261. goto out;
  3262. }
  3263. if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
  3264. (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
  3265. (r = sshbuf_put_string(b, key->xmss_pk,
  3266. sshkey_xmss_pklen(key))) != 0 ||
  3267. (r = sshbuf_put_string(b, key->xmss_sk,
  3268. sshkey_xmss_sklen(key))) != 0 ||
  3269. (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
  3270. goto out;
  3271. break;
  3272. #endif /* WITH_XMSS */
  3273. default:
  3274. r = SSH_ERR_INVALID_ARGUMENT;
  3275. goto out;
  3276. }
  3277. /*
  3278. * success (but we still need to append the output to buf after
  3279. * possibly re-shielding the private key)
  3280. */
  3281. r = 0;
  3282. out:
  3283. if (was_shielded)
  3284. r = sshkey_shield_private(key);
  3285. if (r == 0)
  3286. r = sshbuf_putb(buf, b);
  3287. sshbuf_free(b);
  3288. return r;
  3289. }
  3290. int
  3291. sshkey_private_serialize(struct sshkey *key, struct sshbuf *b)
  3292. {
  3293. return sshkey_private_serialize_opt(key, b,
  3294. SSHKEY_SERIALIZE_DEFAULT);
  3295. }
  3296. int
  3297. sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
  3298. {
  3299. char *tname = NULL, *curve = NULL, *xmss_name = NULL;
  3300. char *expect_sk_application = NULL;
  3301. struct sshkey *k = NULL;
  3302. size_t pklen = 0, sklen = 0;
  3303. int type, r = SSH_ERR_INTERNAL_ERROR;
  3304. u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
  3305. u_char *expect_ed25519_pk = NULL;
  3306. u_char *xmss_pk = NULL, *xmss_sk = NULL;
  3307. #ifdef WITH_OPENSSL
  3308. BIGNUM *exponent = NULL;
  3309. BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
  3310. BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
  3311. BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
  3312. BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
  3313. #endif /* WITH_OPENSSL */
  3314. if (kp != NULL)
  3315. *kp = NULL;
  3316. if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
  3317. goto out;
  3318. type = sshkey_type_from_name(tname);
  3319. if (sshkey_type_is_cert(type)) {
  3320. /*
  3321. * Certificate key private keys begin with the certificate
  3322. * itself. Make sure this matches the type of the enclosing
  3323. * private key.
  3324. */
  3325. if ((r = sshkey_froms(buf, &k)) != 0)
  3326. goto out;
  3327. if (k->type != type) {
  3328. r = SSH_ERR_KEY_CERT_MISMATCH;
  3329. goto out;
  3330. }
  3331. /* For ECDSA keys, the group must match too */
  3332. if (k->type == KEY_ECDSA &&
  3333. k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
  3334. r = SSH_ERR_KEY_CERT_MISMATCH;
  3335. goto out;
  3336. }
  3337. /*
  3338. * Several fields are redundant between certificate and
  3339. * private key body, we require these to match.
  3340. */
  3341. expect_sk_application = k->sk_application;
  3342. expect_ed25519_pk = k->ed25519_pk;
  3343. k->sk_application = NULL;
  3344. k->ed25519_pk = NULL;
  3345. } else {
  3346. if ((k = sshkey_new(type)) == NULL) {
  3347. r = SSH_ERR_ALLOC_FAIL;
  3348. goto out;
  3349. }
  3350. }
  3351. switch (type) {
  3352. #ifdef WITH_OPENSSL
  3353. case KEY_DSA:
  3354. if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 ||
  3355. (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 ||
  3356. (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 ||
  3357. (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0)
  3358. goto out;
  3359. if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
  3360. r = SSH_ERR_LIBCRYPTO_ERROR;
  3361. goto out;
  3362. }
  3363. dsa_p = dsa_q = dsa_g = NULL; /* transferred */
  3364. if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL)) {
  3365. r = SSH_ERR_LIBCRYPTO_ERROR;
  3366. goto out;
  3367. }
  3368. dsa_pub_key = NULL; /* transferred */
  3369. /* FALLTHROUGH */
  3370. case KEY_DSA_CERT:
  3371. if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
  3372. goto out;
  3373. if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
  3374. r = SSH_ERR_LIBCRYPTO_ERROR;
  3375. goto out;
  3376. }
  3377. dsa_priv_key = NULL; /* transferred */
  3378. break;
  3379. # ifdef OPENSSL_HAS_ECC
  3380. case KEY_ECDSA:
  3381. if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
  3382. r = SSH_ERR_INVALID_ARGUMENT;
  3383. goto out;
  3384. }
  3385. if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
  3386. goto out;
  3387. if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
  3388. r = SSH_ERR_EC_CURVE_MISMATCH;
  3389. goto out;
  3390. }
  3391. k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
  3392. if (k->ecdsa == NULL) {
  3393. r = SSH_ERR_LIBCRYPTO_ERROR;
  3394. goto out;
  3395. }
  3396. if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0)
  3397. goto out;
  3398. /* FALLTHROUGH */
  3399. case KEY_ECDSA_CERT:
  3400. if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0)
  3401. goto out;
  3402. if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
  3403. r = SSH_ERR_LIBCRYPTO_ERROR;
  3404. goto out;
  3405. }
  3406. if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
  3407. EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
  3408. (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
  3409. goto out;
  3410. break;
  3411. case KEY_ECDSA_SK:
  3412. if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
  3413. r = SSH_ERR_INVALID_ARGUMENT;
  3414. goto out;
  3415. }
  3416. if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
  3417. goto out;
  3418. if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
  3419. r = SSH_ERR_EC_CURVE_MISMATCH;
  3420. goto out;
  3421. }
  3422. if ((k->sk_key_handle = sshbuf_new()) == NULL ||
  3423. (k->sk_reserved = sshbuf_new()) == NULL) {
  3424. r = SSH_ERR_ALLOC_FAIL;
  3425. goto out;
  3426. }
  3427. k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
  3428. if (k->ecdsa == NULL) {
  3429. r = SSH_ERR_LIBCRYPTO_ERROR;
  3430. goto out;
  3431. }
  3432. if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
  3433. (r = sshbuf_get_cstring(buf, &k->sk_application,
  3434. NULL)) != 0 ||
  3435. (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
  3436. (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
  3437. (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
  3438. goto out;
  3439. if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
  3440. EC_KEY_get0_public_key(k->ecdsa))) != 0)
  3441. goto out;
  3442. break;
  3443. case KEY_ECDSA_SK_CERT:
  3444. if ((k->sk_key_handle = sshbuf_new()) == NULL ||
  3445. (k->sk_reserved = sshbuf_new()) == NULL) {
  3446. r = SSH_ERR_ALLOC_FAIL;
  3447. goto out;
  3448. }
  3449. if ((r = sshbuf_get_cstring(buf, &k->sk_application,
  3450. NULL)) != 0 ||
  3451. (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
  3452. (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
  3453. (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
  3454. goto out;
  3455. if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
  3456. EC_KEY_get0_public_key(k->ecdsa))) != 0)
  3457. goto out;
  3458. break;
  3459. # endif /* OPENSSL_HAS_ECC */
  3460. case KEY_RSA:
  3461. if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 ||
  3462. (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0)
  3463. goto out;
  3464. if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL)) {
  3465. r = SSH_ERR_LIBCRYPTO_ERROR;
  3466. goto out;
  3467. }
  3468. rsa_n = rsa_e = NULL; /* transferred */
  3469. /* FALLTHROUGH */
  3470. case KEY_RSA_CERT:
  3471. if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
  3472. (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
  3473. (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
  3474. (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
  3475. goto out;
  3476. if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
  3477. r = SSH_ERR_LIBCRYPTO_ERROR;
  3478. goto out;
  3479. }
  3480. rsa_d = NULL; /* transferred */
  3481. if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
  3482. r = SSH_ERR_LIBCRYPTO_ERROR;
  3483. goto out;
  3484. }
  3485. rsa_p = rsa_q = NULL; /* transferred */
  3486. if ((r = check_rsa_length(k->rsa)) != 0)
  3487. goto out;
  3488. if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
  3489. goto out;
  3490. break;
  3491. #endif /* WITH_OPENSSL */
  3492. case KEY_ED25519:
  3493. case KEY_ED25519_CERT:
  3494. if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
  3495. (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
  3496. goto out;
  3497. if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
  3498. r = SSH_ERR_INVALID_FORMAT;
  3499. goto out;
  3500. }
  3501. k->ed25519_pk = ed25519_pk;
  3502. k->ed25519_sk = ed25519_sk;
  3503. ed25519_pk = ed25519_sk = NULL; /* transferred */
  3504. break;
  3505. case KEY_ED25519_SK:
  3506. case KEY_ED25519_SK_CERT:
  3507. if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
  3508. goto out;
  3509. if (pklen != ED25519_PK_SZ) {
  3510. r = SSH_ERR_INVALID_FORMAT;
  3511. goto out;
  3512. }
  3513. if ((k->sk_key_handle = sshbuf_new()) == NULL ||
  3514. (k->sk_reserved = sshbuf_new()) == NULL) {
  3515. r = SSH_ERR_ALLOC_FAIL;
  3516. goto out;
  3517. }
  3518. if ((r = sshbuf_get_cstring(buf, &k->sk_application,
  3519. NULL)) != 0 ||
  3520. (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
  3521. (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
  3522. (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
  3523. goto out;
  3524. k->ed25519_pk = ed25519_pk;
  3525. ed25519_pk = NULL; /* transferred */
  3526. break;
  3527. #ifdef WITH_XMSS
  3528. case KEY_XMSS:
  3529. case KEY_XMSS_CERT:
  3530. if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
  3531. (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
  3532. (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
  3533. goto out;
  3534. if (type == KEY_XMSS &&
  3535. (r = sshkey_xmss_init(k, xmss_name)) != 0)
  3536. goto out;
  3537. if (pklen != sshkey_xmss_pklen(k) ||
  3538. sklen != sshkey_xmss_sklen(k)) {
  3539. r = SSH_ERR_INVALID_FORMAT;
  3540. goto out;
  3541. }
  3542. k->xmss_pk = xmss_pk;
  3543. k->xmss_sk = xmss_sk;
  3544. xmss_pk = xmss_sk = NULL;
  3545. /* optional internal state */
  3546. if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
  3547. goto out;
  3548. break;
  3549. #endif /* WITH_XMSS */
  3550. default:
  3551. r = SSH_ERR_KEY_TYPE_UNKNOWN;
  3552. goto out;
  3553. }
  3554. #ifdef WITH_OPENSSL
  3555. /* enable blinding */
  3556. switch (k->type) {
  3557. case KEY_RSA:
  3558. case KEY_RSA_CERT:
  3559. if (RSA_blinding_on(k->rsa, NULL) != 1) {
  3560. r = SSH_ERR_LIBCRYPTO_ERROR;
  3561. goto out;
  3562. }
  3563. break;
  3564. }
  3565. #endif /* WITH_OPENSSL */
  3566. if ((expect_sk_application != NULL && (k->sk_application == NULL ||
  3567. strcmp(expect_sk_application, k->sk_application) != 0)) ||
  3568. (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL ||
  3569. memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) {
  3570. r = SSH_ERR_KEY_CERT_MISMATCH;
  3571. goto out;
  3572. }
  3573. /* success */
  3574. r = 0;
  3575. if (kp != NULL) {
  3576. *kp = k;
  3577. k = NULL;
  3578. }
  3579. out:
  3580. free(tname);
  3581. free(curve);
  3582. #ifdef WITH_OPENSSL
  3583. BN_clear_free(exponent);
  3584. BN_clear_free(dsa_p);
  3585. BN_clear_free(dsa_q);
  3586. BN_clear_free(dsa_g);
  3587. BN_clear_free(dsa_pub_key);
  3588. BN_clear_free(dsa_priv_key);
  3589. BN_clear_free(rsa_n);
  3590. BN_clear_free(rsa_e);
  3591. BN_clear_free(rsa_d);
  3592. BN_clear_free(rsa_p);
  3593. BN_clear_free(rsa_q);
  3594. BN_clear_free(rsa_iqmp);
  3595. #endif /* WITH_OPENSSL */
  3596. sshkey_free(k);
  3597. freezero(ed25519_pk, pklen);
  3598. freezero(ed25519_sk, sklen);
  3599. free(xmss_name);
  3600. freezero(xmss_pk, pklen);
  3601. freezero(xmss_sk, sklen);
  3602. free(expect_sk_application);
  3603. free(expect_ed25519_pk);
  3604. return r;
  3605. }
  3606. #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
  3607. int
  3608. sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
  3609. {
  3610. EC_POINT *nq = NULL;
  3611. BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL;
  3612. int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
  3613. /*
  3614. * NB. This assumes OpenSSL has already verified that the public
  3615. * point lies on the curve. This is done by EC_POINT_oct2point()
  3616. * implicitly calling EC_POINT_is_on_curve(). If this code is ever
  3617. * reachable with public points not unmarshalled using
  3618. * EC_POINT_oct2point then the caller will need to explicitly check.
  3619. */
  3620. /*
  3621. * We shouldn't ever hit this case because bignum_get_ecpoint()
  3622. * refuses to load GF2m points.
  3623. */
  3624. if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
  3625. NID_X9_62_prime_field)
  3626. goto out;
  3627. /* Q != infinity */
  3628. if (EC_POINT_is_at_infinity(group, public))
  3629. goto out;
  3630. if ((x = BN_new()) == NULL ||
  3631. (y = BN_new()) == NULL ||
  3632. (order = BN_new()) == NULL ||
  3633. (tmp = BN_new()) == NULL) {
  3634. ret = SSH_ERR_ALLOC_FAIL;
  3635. goto out;
  3636. }
  3637. /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
  3638. if (EC_GROUP_get_order(group, order, NULL) != 1 ||
  3639. EC_POINT_get_affine_coordinates_GFp(group, public,
  3640. x, y, NULL) != 1) {
  3641. ret = SSH_ERR_LIBCRYPTO_ERROR;
  3642. goto out;
  3643. }
  3644. if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
  3645. BN_num_bits(y) <= BN_num_bits(order) / 2)
  3646. goto out;
  3647. /* nQ == infinity (n == order of subgroup) */
  3648. if ((nq = EC_POINT_new(group)) == NULL) {
  3649. ret = SSH_ERR_ALLOC_FAIL;
  3650. goto out;
  3651. }
  3652. if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) {
  3653. ret = SSH_ERR_LIBCRYPTO_ERROR;
  3654. goto out;
  3655. }
  3656. if (EC_POINT_is_at_infinity(group, nq) != 1)
  3657. goto out;
  3658. /* x < order - 1, y < order - 1 */
  3659. if (!BN_sub(tmp, order, BN_value_one())) {
  3660. ret = SSH_ERR_LIBCRYPTO_ERROR;
  3661. goto out;
  3662. }
  3663. if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
  3664. goto out;
  3665. ret = 0;
  3666. out:
  3667. BN_clear_free(x);
  3668. BN_clear_free(y);
  3669. BN_clear_free(order);
  3670. BN_clear_free(tmp);
  3671. EC_POINT_free(nq);
  3672. return ret;
  3673. }
  3674. int
  3675. sshkey_ec_validate_private(const EC_KEY *key)
  3676. {
  3677. BIGNUM *order = NULL, *tmp = NULL;
  3678. int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
  3679. if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) {
  3680. ret = SSH_ERR_ALLOC_FAIL;
  3681. goto out;
  3682. }
  3683. /* log2(private) > log2(order)/2 */
  3684. if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) {
  3685. ret = SSH_ERR_LIBCRYPTO_ERROR;
  3686. goto out;
  3687. }
  3688. if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
  3689. BN_num_bits(order) / 2)
  3690. goto out;
  3691. /* private < order - 1 */
  3692. if (!BN_sub(tmp, order, BN_value_one())) {
  3693. ret = SSH_ERR_LIBCRYPTO_ERROR;
  3694. goto out;
  3695. }
  3696. if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
  3697. goto out;
  3698. ret = 0;
  3699. out:
  3700. BN_clear_free(order);
  3701. BN_clear_free(tmp);
  3702. return ret;
  3703. }
  3704. void
  3705. sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
  3706. {
  3707. BIGNUM *x = NULL, *y = NULL;
  3708. if (point == NULL) {
  3709. fputs("point=(NULL)\n", stderr);
  3710. return;
  3711. }
  3712. if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) {
  3713. fprintf(stderr, "%s: BN_new failed\n", __func__);
  3714. goto out;
  3715. }
  3716. if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
  3717. NID_X9_62_prime_field) {
  3718. fprintf(stderr, "%s: group is not a prime field\n", __func__);
  3719. goto out;
  3720. }
  3721. if (EC_POINT_get_affine_coordinates_GFp(group, point,
  3722. x, y, NULL) != 1) {
  3723. fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
  3724. __func__);
  3725. goto out;
  3726. }
  3727. fputs("x=", stderr);
  3728. BN_print_fp(stderr, x);
  3729. fputs("\ny=", stderr);
  3730. BN_print_fp(stderr, y);
  3731. fputs("\n", stderr);
  3732. out:
  3733. BN_clear_free(x);
  3734. BN_clear_free(y);
  3735. }
  3736. void
  3737. sshkey_dump_ec_key(const EC_KEY *key)
  3738. {
  3739. const BIGNUM *exponent;
  3740. sshkey_dump_ec_point(EC_KEY_get0_group(key),
  3741. EC_KEY_get0_public_key(key));
  3742. fputs("exponent=", stderr);
  3743. if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
  3744. fputs("(NULL)", stderr);
  3745. else
  3746. BN_print_fp(stderr, EC_KEY_get0_private_key(key));
  3747. fputs("\n", stderr);
  3748. }
  3749. #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
  3750. static int
  3751. sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob,
  3752. const char *passphrase, const char *comment, const char *ciphername,
  3753. int rounds)
  3754. {
  3755. u_char *cp, *key = NULL, *pubkeyblob = NULL;
  3756. u_char salt[SALT_LEN];
  3757. char *b64 = NULL;
  3758. size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
  3759. u_int check;
  3760. int r = SSH_ERR_INTERNAL_ERROR;
  3761. struct sshcipher_ctx *ciphercontext = NULL;
  3762. const struct sshcipher *cipher;
  3763. const char *kdfname = KDFNAME;
  3764. struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
  3765. if (rounds <= 0)
  3766. rounds = DEFAULT_ROUNDS;
  3767. if (passphrase == NULL || !strlen(passphrase)) {
  3768. ciphername = "none";
  3769. kdfname = "none";
  3770. } else if (ciphername == NULL)
  3771. ciphername = DEFAULT_CIPHERNAME;
  3772. if ((cipher = cipher_by_name(ciphername)) == NULL) {
  3773. r = SSH_ERR_INVALID_ARGUMENT;
  3774. goto out;
  3775. }
  3776. if ((kdf = sshbuf_new()) == NULL ||
  3777. (encoded = sshbuf_new()) == NULL ||
  3778. (encrypted = sshbuf_new()) == NULL) {
  3779. r = SSH_ERR_ALLOC_FAIL;
  3780. goto out;
  3781. }
  3782. blocksize = cipher_blocksize(cipher);
  3783. keylen = cipher_keylen(cipher);
  3784. ivlen = cipher_ivlen(cipher);
  3785. authlen = cipher_authlen(cipher);
  3786. if ((key = calloc(1, keylen + ivlen)) == NULL) {
  3787. r = SSH_ERR_ALLOC_FAIL;
  3788. goto out;
  3789. }
  3790. if (strcmp(kdfname, "bcrypt") == 0) {
  3791. arc4random_buf(salt, SALT_LEN);
  3792. if (bcrypt_pbkdf(passphrase, strlen(passphrase),
  3793. salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
  3794. r = SSH_ERR_INVALID_ARGUMENT;
  3795. goto out;
  3796. }
  3797. if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
  3798. (r = sshbuf_put_u32(kdf, rounds)) != 0)
  3799. goto out;
  3800. } else if (strcmp(kdfname, "none") != 0) {
  3801. /* Unsupported KDF type */
  3802. r = SSH_ERR_KEY_UNKNOWN_CIPHER;
  3803. goto out;
  3804. }
  3805. if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
  3806. key + keylen, ivlen, 1)) != 0)
  3807. goto out;
  3808. if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
  3809. (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
  3810. (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
  3811. (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
  3812. (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */
  3813. (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
  3814. (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
  3815. goto out;
  3816. /* set up the buffer that will be encrypted */
  3817. /* Random check bytes */
  3818. check = arc4random();
  3819. if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
  3820. (r = sshbuf_put_u32(encrypted, check)) != 0)
  3821. goto out;
  3822. /* append private key and comment*/
  3823. if ((r = sshkey_private_serialize_opt(prv, encrypted,
  3824. SSHKEY_SERIALIZE_FULL)) != 0 ||
  3825. (r = sshbuf_put_cstring(encrypted, comment)) != 0)
  3826. goto out;
  3827. /* padding */
  3828. i = 0;
  3829. while (sshbuf_len(encrypted) % blocksize) {
  3830. if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
  3831. goto out;
  3832. }
  3833. /* length in destination buffer */
  3834. if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
  3835. goto out;
  3836. /* encrypt */
  3837. if ((r = sshbuf_reserve(encoded,
  3838. sshbuf_len(encrypted) + authlen, &cp)) != 0)
  3839. goto out;
  3840. if ((r = cipher_crypt(ciphercontext, 0, cp,
  3841. sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
  3842. goto out;
  3843. sshbuf_reset(blob);
  3844. /* assemble uuencoded key */
  3845. if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 ||
  3846. (r = sshbuf_dtob64(encoded, blob, 1)) != 0 ||
  3847. (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
  3848. goto out;
  3849. /* success */
  3850. r = 0;
  3851. out:
  3852. sshbuf_free(kdf);
  3853. sshbuf_free(encoded);
  3854. sshbuf_free(encrypted);
  3855. cipher_free(ciphercontext);
  3856. explicit_bzero(salt, sizeof(salt));
  3857. if (key != NULL)
  3858. freezero(key, keylen + ivlen);
  3859. if (pubkeyblob != NULL)
  3860. freezero(pubkeyblob, pubkeylen);
  3861. if (b64 != NULL)
  3862. freezero(b64, strlen(b64));
  3863. return r;
  3864. }
  3865. static int
  3866. private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp)
  3867. {
  3868. const u_char *cp;
  3869. size_t encoded_len;
  3870. int r;
  3871. u_char last;
  3872. struct sshbuf *encoded = NULL, *decoded = NULL;
  3873. if (blob == NULL || decodedp == NULL)
  3874. return SSH_ERR_INVALID_ARGUMENT;
  3875. *decodedp = NULL;
  3876. if ((encoded = sshbuf_new()) == NULL ||
  3877. (decoded = sshbuf_new()) == NULL) {
  3878. r = SSH_ERR_ALLOC_FAIL;
  3879. goto out;
  3880. }
  3881. /* check preamble */
  3882. cp = sshbuf_ptr(blob);
  3883. encoded_len = sshbuf_len(blob);
  3884. if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
  3885. memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
  3886. r = SSH_ERR_INVALID_FORMAT;
  3887. goto out;
  3888. }
  3889. cp += MARK_BEGIN_LEN;
  3890. encoded_len -= MARK_BEGIN_LEN;
  3891. /* Look for end marker, removing whitespace as we go */
  3892. while (encoded_len > 0) {
  3893. if (*cp != '\n' && *cp != '\r') {
  3894. if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
  3895. goto out;
  3896. }
  3897. last = *cp;
  3898. encoded_len--;
  3899. cp++;
  3900. if (last == '\n') {
  3901. if (encoded_len >= MARK_END_LEN &&
  3902. memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
  3903. /* \0 terminate */
  3904. if ((r = sshbuf_put_u8(encoded, 0)) != 0)
  3905. goto out;
  3906. break;
  3907. }
  3908. }
  3909. }
  3910. if (encoded_len == 0) {
  3911. r = SSH_ERR_INVALID_FORMAT;
  3912. goto out;
  3913. }
  3914. /* decode base64 */
  3915. if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
  3916. goto out;
  3917. /* check magic */
  3918. if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
  3919. memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
  3920. r = SSH_ERR_INVALID_FORMAT;
  3921. goto out;
  3922. }
  3923. /* success */
  3924. *decodedp = decoded;
  3925. decoded = NULL;
  3926. r = 0;
  3927. out:
  3928. sshbuf_free(encoded);
  3929. sshbuf_free(decoded);
  3930. return r;
  3931. }
  3932. static int
  3933. private2_decrypt(struct sshbuf *decoded, const char *passphrase,
  3934. struct sshbuf **decryptedp, struct sshkey **pubkeyp)
  3935. {
  3936. char *ciphername = NULL, *kdfname = NULL;
  3937. const struct sshcipher *cipher = NULL;
  3938. int r = SSH_ERR_INTERNAL_ERROR;
  3939. size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0;
  3940. struct sshbuf *kdf = NULL, *decrypted = NULL;
  3941. struct sshcipher_ctx *ciphercontext = NULL;
  3942. struct sshkey *pubkey = NULL;
  3943. u_char *key = NULL, *salt = NULL, *dp;
  3944. u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
  3945. if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL)
  3946. return SSH_ERR_INVALID_ARGUMENT;
  3947. *decryptedp = NULL;
  3948. *pubkeyp = NULL;
  3949. if ((decrypted = sshbuf_new()) == NULL) {
  3950. r = SSH_ERR_ALLOC_FAIL;
  3951. goto out;
  3952. }
  3953. /* parse public portion of key */
  3954. if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
  3955. (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
  3956. (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
  3957. (r = sshbuf_froms(decoded, &kdf)) != 0 ||
  3958. (r = sshbuf_get_u32(decoded, &nkeys)) != 0)
  3959. goto out;
  3960. if (nkeys != 1) {
  3961. /* XXX only one key supported at present */
  3962. r = SSH_ERR_INVALID_FORMAT;
  3963. goto out;
  3964. }
  3965. if ((r = sshkey_froms(decoded, &pubkey)) != 0 ||
  3966. (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
  3967. goto out;
  3968. if ((cipher = cipher_by_name(ciphername)) == NULL) {
  3969. r = SSH_ERR_KEY_UNKNOWN_CIPHER;
  3970. goto out;
  3971. }
  3972. if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
  3973. r = SSH_ERR_KEY_UNKNOWN_CIPHER;
  3974. goto out;
  3975. }
  3976. if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) {
  3977. r = SSH_ERR_INVALID_FORMAT;
  3978. goto out;
  3979. }
  3980. if ((passphrase == NULL || strlen(passphrase) == 0) &&
  3981. strcmp(kdfname, "none") != 0) {
  3982. /* passphrase required */
  3983. r = SSH_ERR_KEY_WRONG_PASSPHRASE;
  3984. goto out;
  3985. }
  3986. /* check size of encrypted key blob */
  3987. blocksize = cipher_blocksize(cipher);
  3988. if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
  3989. r = SSH_ERR_INVALID_FORMAT;
  3990. goto out;
  3991. }
  3992. /* setup key */
  3993. keylen = cipher_keylen(cipher);
  3994. ivlen = cipher_ivlen(cipher);
  3995. authlen = cipher_authlen(cipher);
  3996. if ((key = calloc(1, keylen + ivlen)) == NULL) {
  3997. r = SSH_ERR_ALLOC_FAIL;
  3998. goto out;
  3999. }
  4000. if (strcmp(kdfname, "bcrypt") == 0) {
  4001. if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
  4002. (r = sshbuf_get_u32(kdf, &rounds)) != 0)
  4003. goto out;
  4004. if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
  4005. key, keylen + ivlen, rounds) < 0) {
  4006. r = SSH_ERR_INVALID_FORMAT;
  4007. goto out;
  4008. }
  4009. }
  4010. /* check that an appropriate amount of auth data is present */
  4011. if (sshbuf_len(decoded) < authlen ||
  4012. sshbuf_len(decoded) - authlen < encrypted_len) {
  4013. r = SSH_ERR_INVALID_FORMAT;
  4014. goto out;
  4015. }
  4016. /* decrypt private portion of key */
  4017. if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
  4018. (r = cipher_init(&ciphercontext, cipher, key, keylen,
  4019. key + keylen, ivlen, 0)) != 0)
  4020. goto out;
  4021. if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
  4022. encrypted_len, 0, authlen)) != 0) {
  4023. /* an integrity error here indicates an incorrect passphrase */
  4024. if (r == SSH_ERR_MAC_INVALID)
  4025. r = SSH_ERR_KEY_WRONG_PASSPHRASE;
  4026. goto out;
  4027. }
  4028. if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
  4029. goto out;
  4030. /* there should be no trailing data */
  4031. if (sshbuf_len(decoded) != 0) {
  4032. r = SSH_ERR_INVALID_FORMAT;
  4033. goto out;
  4034. }
  4035. /* check check bytes */
  4036. if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
  4037. (r = sshbuf_get_u32(decrypted, &check2)) != 0)
  4038. goto out;
  4039. if (check1 != check2) {
  4040. r = SSH_ERR_KEY_WRONG_PASSPHRASE;
  4041. goto out;
  4042. }
  4043. /* success */
  4044. *decryptedp = decrypted;
  4045. decrypted = NULL;
  4046. *pubkeyp = pubkey;
  4047. pubkey = NULL;
  4048. r = 0;
  4049. out:
  4050. cipher_free(ciphercontext);
  4051. free(ciphername);
  4052. free(kdfname);
  4053. sshkey_free(pubkey);
  4054. if (salt != NULL) {
  4055. explicit_bzero(salt, slen);
  4056. free(salt);
  4057. }
  4058. if (key != NULL) {
  4059. explicit_bzero(key, keylen + ivlen);
  4060. free(key);
  4061. }
  4062. sshbuf_free(kdf);
  4063. sshbuf_free(decrypted);
  4064. return r;
  4065. }
  4066. /* Check deterministic padding after private key */
  4067. static int
  4068. private2_check_padding(struct sshbuf *decrypted)
  4069. {
  4070. u_char pad;
  4071. size_t i;
  4072. int r = SSH_ERR_INTERNAL_ERROR;
  4073. i = 0;
  4074. while (sshbuf_len(decrypted)) {
  4075. if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
  4076. goto out;
  4077. if (pad != (++i & 0xff)) {
  4078. r = SSH_ERR_INVALID_FORMAT;
  4079. goto out;
  4080. }
  4081. }
  4082. /* success */
  4083. r = 0;
  4084. out:
  4085. explicit_bzero(&pad, sizeof(pad));
  4086. explicit_bzero(&i, sizeof(i));
  4087. return r;
  4088. }
  4089. static int
  4090. sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
  4091. struct sshkey **keyp, char **commentp)
  4092. {
  4093. char *comment = NULL;
  4094. int r = SSH_ERR_INTERNAL_ERROR;
  4095. struct sshbuf *decoded = NULL, *decrypted = NULL;
  4096. struct sshkey *k = NULL, *pubkey = NULL;
  4097. if (keyp != NULL)
  4098. *keyp = NULL;
  4099. if (commentp != NULL)
  4100. *commentp = NULL;
  4101. /* Undo base64 encoding and decrypt the private section */
  4102. if ((r = private2_uudecode(blob, &decoded)) != 0 ||
  4103. (r = private2_decrypt(decoded, passphrase,
  4104. &decrypted, &pubkey)) != 0)
  4105. goto out;
  4106. if (type != KEY_UNSPEC &&
  4107. sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
  4108. r = SSH_ERR_KEY_TYPE_MISMATCH;
  4109. goto out;
  4110. }
  4111. /* Load the private key and comment */
  4112. if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
  4113. (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
  4114. goto out;
  4115. /* Check deterministic padding after private section */
  4116. if ((r = private2_check_padding(decrypted)) != 0)
  4117. goto out;
  4118. /* Check that the public key in the envelope matches the private key */
  4119. if (!sshkey_equal(pubkey, k)) {
  4120. r = SSH_ERR_INVALID_FORMAT;
  4121. goto out;
  4122. }
  4123. /* success */
  4124. r = 0;
  4125. if (keyp != NULL) {
  4126. *keyp = k;
  4127. k = NULL;
  4128. }
  4129. if (commentp != NULL) {
  4130. *commentp = comment;
  4131. comment = NULL;
  4132. }
  4133. out:
  4134. free(comment);
  4135. sshbuf_free(decoded);
  4136. sshbuf_free(decrypted);
  4137. sshkey_free(k);
  4138. sshkey_free(pubkey);
  4139. return r;
  4140. }
  4141. static int
  4142. sshkey_parse_private2_pubkey(struct sshbuf *blob, int type,
  4143. struct sshkey **keyp)
  4144. {
  4145. int r = SSH_ERR_INTERNAL_ERROR;
  4146. struct sshbuf *decoded = NULL;
  4147. struct sshkey *pubkey = NULL;
  4148. u_int nkeys = 0;
  4149. if (keyp != NULL)
  4150. *keyp = NULL;
  4151. if ((r = private2_uudecode(blob, &decoded)) != 0)
  4152. goto out;
  4153. /* parse public key from unencrypted envelope */
  4154. if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
  4155. (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */
  4156. (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */
  4157. (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */
  4158. (r = sshbuf_get_u32(decoded, &nkeys)) != 0)
  4159. goto out;
  4160. if (nkeys != 1) {
  4161. /* XXX only one key supported at present */
  4162. r = SSH_ERR_INVALID_FORMAT;
  4163. goto out;
  4164. }
  4165. /* Parse the public key */
  4166. if ((r = sshkey_froms(decoded, &pubkey)) != 0)
  4167. goto out;
  4168. if (type != KEY_UNSPEC &&
  4169. sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
  4170. r = SSH_ERR_KEY_TYPE_MISMATCH;
  4171. goto out;
  4172. }
  4173. /* success */
  4174. r = 0;
  4175. if (keyp != NULL) {
  4176. *keyp = pubkey;
  4177. pubkey = NULL;
  4178. }
  4179. out:
  4180. sshbuf_free(decoded);
  4181. sshkey_free(pubkey);
  4182. return r;
  4183. }
  4184. #ifdef WITH_OPENSSL
  4185. /* convert SSH v2 key to PEM or PKCS#8 format */
  4186. static int
  4187. sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
  4188. int format, const char *_passphrase, const char *comment)
  4189. {
  4190. int was_shielded = sshkey_is_shielded(key);
  4191. int success, r;
  4192. int blen, len = strlen(_passphrase);
  4193. u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
  4194. const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
  4195. char *bptr;
  4196. BIO *bio = NULL;
  4197. struct sshbuf *blob;
  4198. EVP_PKEY *pkey = NULL;
  4199. if (len > 0 && len <= 4)
  4200. return SSH_ERR_PASSPHRASE_TOO_SHORT;
  4201. if ((blob = sshbuf_new()) == NULL)
  4202. return SSH_ERR_ALLOC_FAIL;
  4203. if ((bio = BIO_new(BIO_s_mem())) == NULL) {
  4204. r = SSH_ERR_ALLOC_FAIL;
  4205. goto out;
  4206. }
  4207. if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
  4208. r = SSH_ERR_ALLOC_FAIL;
  4209. goto out;
  4210. }
  4211. if ((r = sshkey_unshield_private(key)) != 0)
  4212. goto out;
  4213. switch (key->type) {
  4214. case KEY_DSA:
  4215. if (format == SSHKEY_PRIVATE_PEM) {
  4216. success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
  4217. cipher, passphrase, len, NULL, NULL);
  4218. } else {
  4219. success = EVP_PKEY_set1_DSA(pkey, key->dsa);
  4220. }
  4221. break;
  4222. #ifdef OPENSSL_HAS_ECC
  4223. case KEY_ECDSA:
  4224. if (format == SSHKEY_PRIVATE_PEM) {
  4225. success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
  4226. cipher, passphrase, len, NULL, NULL);
  4227. } else {
  4228. success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
  4229. }
  4230. break;
  4231. #endif
  4232. case KEY_RSA:
  4233. if (format == SSHKEY_PRIVATE_PEM) {
  4234. success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
  4235. cipher, passphrase, len, NULL, NULL);
  4236. } else {
  4237. success = EVP_PKEY_set1_RSA(pkey, key->rsa);
  4238. }
  4239. break;
  4240. default:
  4241. success = 0;
  4242. break;
  4243. }
  4244. if (success == 0) {
  4245. r = SSH_ERR_LIBCRYPTO_ERROR;
  4246. goto out;
  4247. }
  4248. if (format == SSHKEY_PRIVATE_PKCS8) {
  4249. if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
  4250. passphrase, len, NULL, NULL)) == 0) {
  4251. r = SSH_ERR_LIBCRYPTO_ERROR;
  4252. goto out;
  4253. }
  4254. }
  4255. if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
  4256. r = SSH_ERR_INTERNAL_ERROR;
  4257. goto out;
  4258. }
  4259. if ((r = sshbuf_put(blob, bptr, blen)) != 0)
  4260. goto out;
  4261. r = 0;
  4262. out:
  4263. if (was_shielded)
  4264. r = sshkey_shield_private(key);
  4265. if (r == 0)
  4266. r = sshbuf_putb(buf, blob);
  4267. EVP_PKEY_free(pkey);
  4268. sshbuf_free(blob);
  4269. BIO_free(bio);
  4270. return r;
  4271. }
  4272. #endif /* WITH_OPENSSL */
  4273. /* Serialise "key" to buffer "blob" */
  4274. int
  4275. sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
  4276. const char *passphrase, const char *comment,
  4277. int format, const char *openssh_format_cipher, int openssh_format_rounds)
  4278. {
  4279. switch (key->type) {
  4280. #ifdef WITH_OPENSSL
  4281. case KEY_DSA:
  4282. case KEY_ECDSA:
  4283. case KEY_RSA:
  4284. break; /* see below */
  4285. #endif /* WITH_OPENSSL */
  4286. case KEY_ED25519:
  4287. case KEY_ED25519_SK:
  4288. #ifdef WITH_XMSS
  4289. case KEY_XMSS:
  4290. #endif /* WITH_XMSS */
  4291. #ifdef WITH_OPENSSL
  4292. case KEY_ECDSA_SK:
  4293. #endif /* WITH_OPENSSL */
  4294. return sshkey_private_to_blob2(key, blob, passphrase,
  4295. comment, openssh_format_cipher, openssh_format_rounds);
  4296. default:
  4297. return SSH_ERR_KEY_TYPE_UNKNOWN;
  4298. }
  4299. #ifdef WITH_OPENSSL
  4300. switch (format) {
  4301. case SSHKEY_PRIVATE_OPENSSH:
  4302. return sshkey_private_to_blob2(key, blob, passphrase,
  4303. comment, openssh_format_cipher, openssh_format_rounds);
  4304. case SSHKEY_PRIVATE_PEM:
  4305. case SSHKEY_PRIVATE_PKCS8:
  4306. return sshkey_private_to_blob_pem_pkcs8(key, blob,
  4307. format, passphrase, comment);
  4308. default:
  4309. return SSH_ERR_INVALID_ARGUMENT;
  4310. }
  4311. #endif /* WITH_OPENSSL */
  4312. }
  4313. #ifdef WITH_OPENSSL
  4314. static int
  4315. translate_libcrypto_error(unsigned long pem_err)
  4316. {
  4317. int pem_reason = ERR_GET_REASON(pem_err);
  4318. switch (ERR_GET_LIB(pem_err)) {
  4319. case ERR_LIB_PEM:
  4320. switch (pem_reason) {
  4321. case PEM_R_BAD_PASSWORD_READ:
  4322. case PEM_R_PROBLEMS_GETTING_PASSWORD:
  4323. case PEM_R_BAD_DECRYPT:
  4324. return SSH_ERR_KEY_WRONG_PASSPHRASE;
  4325. default:
  4326. return SSH_ERR_INVALID_FORMAT;
  4327. }
  4328. case ERR_LIB_EVP:
  4329. switch (pem_reason) {
  4330. case EVP_R_BAD_DECRYPT:
  4331. return SSH_ERR_KEY_WRONG_PASSPHRASE;
  4332. #ifdef EVP_R_BN_DECODE_ERROR
  4333. case EVP_R_BN_DECODE_ERROR:
  4334. #endif
  4335. case EVP_R_DECODE_ERROR:
  4336. #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
  4337. case EVP_R_PRIVATE_KEY_DECODE_ERROR:
  4338. #endif
  4339. return SSH_ERR_INVALID_FORMAT;
  4340. default:
  4341. return SSH_ERR_LIBCRYPTO_ERROR;
  4342. }
  4343. case ERR_LIB_ASN1:
  4344. return SSH_ERR_INVALID_FORMAT;
  4345. }
  4346. return SSH_ERR_LIBCRYPTO_ERROR;
  4347. }
  4348. static void
  4349. clear_libcrypto_errors(void)
  4350. {
  4351. while (ERR_get_error() != 0)
  4352. ;
  4353. }
  4354. /*
  4355. * Translate OpenSSL error codes to determine whether
  4356. * passphrase is required/incorrect.
  4357. */
  4358. static int
  4359. convert_libcrypto_error(void)
  4360. {
  4361. /*
  4362. * Some password errors are reported at the beginning
  4363. * of the error queue.
  4364. */
  4365. if (translate_libcrypto_error(ERR_peek_error()) ==
  4366. SSH_ERR_KEY_WRONG_PASSPHRASE)
  4367. return SSH_ERR_KEY_WRONG_PASSPHRASE;
  4368. return translate_libcrypto_error(ERR_peek_last_error());
  4369. }
  4370. static int
  4371. pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
  4372. {
  4373. char *p = (char *)u;
  4374. size_t len;
  4375. if (p == NULL || (len = strlen(p)) == 0)
  4376. return -1;
  4377. if (size < 0 || len > (size_t)size)
  4378. return -1;
  4379. memcpy(buf, p, len);
  4380. return (int)len;
  4381. }
  4382. static int
  4383. sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
  4384. const char *passphrase, struct sshkey **keyp)
  4385. {
  4386. EVP_PKEY *pk = NULL;
  4387. struct sshkey *prv = NULL;
  4388. BIO *bio = NULL;
  4389. int r;
  4390. if (keyp != NULL)
  4391. *keyp = NULL;
  4392. if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
  4393. return SSH_ERR_ALLOC_FAIL;
  4394. if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
  4395. (int)sshbuf_len(blob)) {
  4396. r = SSH_ERR_ALLOC_FAIL;
  4397. goto out;
  4398. }
  4399. clear_libcrypto_errors();
  4400. if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
  4401. (char *)passphrase)) == NULL) {
  4402. /*
  4403. * libcrypto may return various ASN.1 errors when attempting
  4404. * to parse a key with an incorrect passphrase.
  4405. * Treat all format errors as "incorrect passphrase" if a
  4406. * passphrase was supplied.
  4407. */
  4408. if (passphrase != NULL && *passphrase != '\0')
  4409. r = SSH_ERR_KEY_WRONG_PASSPHRASE;
  4410. else
  4411. r = convert_libcrypto_error();
  4412. goto out;
  4413. }
  4414. if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
  4415. (type == KEY_UNSPEC || type == KEY_RSA)) {
  4416. if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
  4417. r = SSH_ERR_ALLOC_FAIL;
  4418. goto out;
  4419. }
  4420. prv->rsa = EVP_PKEY_get1_RSA(pk);
  4421. prv->type = KEY_RSA;
  4422. #ifdef DEBUG_PK
  4423. RSA_print_fp(stderr, prv->rsa, 8);
  4424. #endif
  4425. if (RSA_blinding_on(prv->rsa, NULL) != 1) {
  4426. r = SSH_ERR_LIBCRYPTO_ERROR;
  4427. goto out;
  4428. }
  4429. if ((r = check_rsa_length(prv->rsa)) != 0)
  4430. goto out;
  4431. } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
  4432. (type == KEY_UNSPEC || type == KEY_DSA)) {
  4433. if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
  4434. r = SSH_ERR_ALLOC_FAIL;
  4435. goto out;
  4436. }
  4437. prv->dsa = EVP_PKEY_get1_DSA(pk);
  4438. prv->type = KEY_DSA;
  4439. #ifdef DEBUG_PK
  4440. DSA_print_fp(stderr, prv->dsa, 8);
  4441. #endif
  4442. #ifdef OPENSSL_HAS_ECC
  4443. } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
  4444. (type == KEY_UNSPEC || type == KEY_ECDSA)) {
  4445. if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
  4446. r = SSH_ERR_ALLOC_FAIL;
  4447. goto out;
  4448. }
  4449. prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
  4450. prv->type = KEY_ECDSA;
  4451. prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
  4452. if (prv->ecdsa_nid == -1 ||
  4453. sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
  4454. sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
  4455. EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
  4456. sshkey_ec_validate_private(prv->ecdsa) != 0) {
  4457. r = SSH_ERR_INVALID_FORMAT;
  4458. goto out;
  4459. }
  4460. # ifdef DEBUG_PK
  4461. if (prv != NULL && prv->ecdsa != NULL)
  4462. sshkey_dump_ec_key(prv->ecdsa);
  4463. # endif
  4464. #endif /* OPENSSL_HAS_ECC */
  4465. } else {
  4466. r = SSH_ERR_INVALID_FORMAT;
  4467. goto out;
  4468. }
  4469. r = 0;
  4470. if (keyp != NULL) {
  4471. *keyp = prv;
  4472. prv = NULL;
  4473. }
  4474. out:
  4475. BIO_free(bio);
  4476. EVP_PKEY_free(pk);
  4477. sshkey_free(prv);
  4478. return r;
  4479. }
  4480. #endif /* WITH_OPENSSL */
  4481. int
  4482. sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
  4483. const char *passphrase, struct sshkey **keyp, char **commentp)
  4484. {
  4485. int r = SSH_ERR_INTERNAL_ERROR;
  4486. if (keyp != NULL)
  4487. *keyp = NULL;
  4488. if (commentp != NULL)
  4489. *commentp = NULL;
  4490. switch (type) {
  4491. case KEY_ED25519:
  4492. case KEY_XMSS:
  4493. /* No fallback for new-format-only keys */
  4494. return sshkey_parse_private2(blob, type, passphrase,
  4495. keyp, commentp);
  4496. default:
  4497. r = sshkey_parse_private2(blob, type, passphrase, keyp,
  4498. commentp);
  4499. /* Only fallback to PEM parser if a format error occurred. */
  4500. if (r != SSH_ERR_INVALID_FORMAT)
  4501. return r;
  4502. #ifdef WITH_OPENSSL
  4503. return sshkey_parse_private_pem_fileblob(blob, type,
  4504. passphrase, keyp);
  4505. #else
  4506. return SSH_ERR_INVALID_FORMAT;
  4507. #endif /* WITH_OPENSSL */
  4508. }
  4509. }
  4510. int
  4511. sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
  4512. struct sshkey **keyp, char **commentp)
  4513. {
  4514. if (keyp != NULL)
  4515. *keyp = NULL;
  4516. if (commentp != NULL)
  4517. *commentp = NULL;
  4518. return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
  4519. passphrase, keyp, commentp);
  4520. }
  4521. void
  4522. sshkey_sig_details_free(struct sshkey_sig_details *details)
  4523. {
  4524. freezero(details, sizeof(*details));
  4525. }
  4526. int
  4527. sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type,
  4528. struct sshkey **pubkeyp)
  4529. {
  4530. int r = SSH_ERR_INTERNAL_ERROR;
  4531. if (pubkeyp != NULL)
  4532. *pubkeyp = NULL;
  4533. /* only new-format private keys bundle a public key inside */
  4534. if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0)
  4535. return r;
  4536. return 0;
  4537. }
  4538. #ifdef WITH_XMSS
  4539. /*
  4540. * serialize the key with the current state and forward the state
  4541. * maxsign times.
  4542. */
  4543. int
  4544. sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
  4545. u_int32_t maxsign, sshkey_printfn *pr)
  4546. {
  4547. int r, rupdate;
  4548. if (maxsign == 0 ||
  4549. sshkey_type_plain(k->type) != KEY_XMSS)
  4550. return sshkey_private_serialize_opt(k, b,
  4551. SSHKEY_SERIALIZE_DEFAULT);
  4552. if ((r = sshkey_xmss_get_state(k, pr)) != 0 ||
  4553. (r = sshkey_private_serialize_opt(k, b,
  4554. SSHKEY_SERIALIZE_STATE)) != 0 ||
  4555. (r = sshkey_xmss_forward_state(k, maxsign)) != 0)
  4556. goto out;
  4557. r = 0;
  4558. out:
  4559. if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) {
  4560. if (r == 0)
  4561. r = rupdate;
  4562. }
  4563. return r;
  4564. }
  4565. u_int32_t
  4566. sshkey_signatures_left(const struct sshkey *k)
  4567. {
  4568. if (sshkey_type_plain(k->type) == KEY_XMSS)
  4569. return sshkey_xmss_signatures_left(k);
  4570. return 0;
  4571. }
  4572. int
  4573. sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
  4574. {
  4575. if (sshkey_type_plain(k->type) != KEY_XMSS)
  4576. return SSH_ERR_INVALID_ARGUMENT;
  4577. return sshkey_xmss_enable_maxsign(k, maxsign);
  4578. }
  4579. int
  4580. sshkey_set_filename(struct sshkey *k, const char *filename)
  4581. {
  4582. if (k == NULL)
  4583. return SSH_ERR_INVALID_ARGUMENT;
  4584. if (sshkey_type_plain(k->type) != KEY_XMSS)
  4585. return 0;
  4586. if (filename == NULL)
  4587. return SSH_ERR_INVALID_ARGUMENT;
  4588. if ((k->xmss_filename = strdup(filename)) == NULL)
  4589. return SSH_ERR_ALLOC_FAIL;
  4590. return 0;
  4591. }
  4592. #else
  4593. int
  4594. sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
  4595. u_int32_t maxsign, sshkey_printfn *pr)
  4596. {
  4597. return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
  4598. }
  4599. u_int32_t
  4600. sshkey_signatures_left(const struct sshkey *k)
  4601. {
  4602. return 0;
  4603. }
  4604. int
  4605. sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
  4606. {
  4607. return SSH_ERR_INVALID_ARGUMENT;
  4608. }
  4609. int
  4610. sshkey_set_filename(struct sshkey *k, const char *filename)
  4611. {
  4612. if (k == NULL)
  4613. return SSH_ERR_INVALID_ARGUMENT;
  4614. return 0;
  4615. }
  4616. #endif /* WITH_XMSS */