File: | src/usr.bin/ssh/ssh-keygen/../sshkey.c |
Warning: | line 2195, column 7 Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret' |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: sshkey.c,v 1.120 2022/01/06 22:05:42 djm Exp $ */ |
2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
5 | * Copyright (c) 2010,2011 Damien Miller. All rights reserved. |
6 | * |
7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions |
9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. |
15 | * |
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
17 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
18 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
19 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
21 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
22 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
23 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
25 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
26 | */ |
27 | |
28 | #include <sys/types.h> |
29 | #include <netinet/in.h> |
30 | |
31 | #ifdef WITH_OPENSSL1 |
32 | #include <openssl/evp.h> |
33 | #include <openssl/err.h> |
34 | #include <openssl/pem.h> |
35 | #endif |
36 | |
37 | #include "crypto_api.h" |
38 | |
39 | #include <errno(*__errno()).h> |
40 | #include <stdio.h> |
41 | #include <string.h> |
42 | #include <util.h> |
43 | #include <limits.h> |
44 | #include <resolv.h> |
45 | |
46 | #include "ssh2.h" |
47 | #include "ssherr.h" |
48 | #include "misc.h" |
49 | #include "sshbuf.h" |
50 | #include "cipher.h" |
51 | #include "digest.h" |
52 | #define SSHKEY_INTERNAL |
53 | #include "sshkey.h" |
54 | #include "match.h" |
55 | #include "ssh-sk.h" |
56 | |
57 | #ifdef WITH_XMSS |
58 | #include "sshkey-xmss.h" |
59 | #include "xmss_fast.h" |
60 | #endif |
61 | |
62 | /* openssh private key file format */ |
63 | #define MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n" "-----BEGIN OPENSSH PRIVATE KEY-----\n" |
64 | #define MARK_END"-----END OPENSSH PRIVATE KEY-----\n" "-----END OPENSSH PRIVATE KEY-----\n" |
65 | #define MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) |
66 | #define MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_END"-----END OPENSSH PRIVATE KEY-----\n") - 1) |
67 | #define KDFNAME"bcrypt" "bcrypt" |
68 | #define AUTH_MAGIC"openssh-key-v1" "openssh-key-v1" |
69 | #define SALT_LEN16 16 |
70 | #define DEFAULT_CIPHERNAME"aes256-ctr" "aes256-ctr" |
71 | #define DEFAULT_ROUNDS16 16 |
72 | |
73 | /* Version identification string for SSH v1 identity files. */ |
74 | #define LEGACY_BEGIN"SSH PRIVATE KEY FILE FORMAT 1.1\n" "SSH PRIVATE KEY FILE FORMAT 1.1\n" |
75 | |
76 | /* |
77 | * Constants relating to "shielding" support; protection of keys expected |
78 | * to remain in memory for long durations |
79 | */ |
80 | #define SSHKEY_SHIELD_PREKEY_LEN(16 * 1024) (16 * 1024) |
81 | #define SSHKEY_SHIELD_CIPHER"aes256-ctr" "aes256-ctr" /* XXX want AES-EME* */ |
82 | #define SSHKEY_SHIELD_PREKEY_HASH4 SSH_DIGEST_SHA5124 |
83 | |
84 | int sshkey_private_serialize_opt(struct sshkey *key, |
85 | struct sshbuf *buf, enum sshkey_serialize_rep); |
86 | static int sshkey_from_blob_internal(struct sshbuf *buf, |
87 | struct sshkey **keyp, int allow_cert); |
88 | |
89 | /* Supported key types */ |
90 | struct keytype { |
91 | const char *name; |
92 | const char *shortname; |
93 | const char *sigalg; |
94 | int type; |
95 | int nid; |
96 | int cert; |
97 | int sigonly; |
98 | }; |
99 | static const struct keytype keytypes[] = { |
100 | { "ssh-ed25519", "ED25519", NULL((void*)0), KEY_ED25519, 0, 0, 0 }, |
101 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL((void*)0), |
102 | KEY_ED25519_CERT, 0, 1, 0 }, |
103 | { "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL((void*)0), |
104 | KEY_ED25519_SK, 0, 0, 0 }, |
105 | { "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL((void*)0), |
106 | KEY_ED25519_SK_CERT, 0, 1, 0 }, |
107 | #ifdef WITH_XMSS |
108 | { "ssh-xmss@openssh.com", "XMSS", NULL((void*)0), KEY_XMSS, 0, 0, 0 }, |
109 | { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL((void*)0), |
110 | KEY_XMSS_CERT, 0, 1, 0 }, |
111 | #endif /* WITH_XMSS */ |
112 | #ifdef WITH_OPENSSL1 |
113 | { "ssh-rsa", "RSA", NULL((void*)0), KEY_RSA, 0, 0, 0 }, |
114 | { "rsa-sha2-256", "RSA", NULL((void*)0), KEY_RSA, 0, 0, 1 }, |
115 | { "rsa-sha2-512", "RSA", NULL((void*)0), KEY_RSA, 0, 0, 1 }, |
116 | { "ssh-dss", "DSA", NULL((void*)0), KEY_DSA, 0, 0, 0 }, |
117 | { "ecdsa-sha2-nistp256", "ECDSA", NULL((void*)0), |
118 | KEY_ECDSA, NID_X9_62_prime256v1415, 0, 0 }, |
119 | { "ecdsa-sha2-nistp384", "ECDSA", NULL((void*)0), |
120 | KEY_ECDSA, NID_secp384r1715, 0, 0 }, |
121 | { "ecdsa-sha2-nistp521", "ECDSA", NULL((void*)0), |
122 | KEY_ECDSA, NID_secp521r1716, 0, 0 }, |
123 | { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL((void*)0), |
124 | KEY_ECDSA_SK, NID_X9_62_prime256v1415, 0, 0 }, |
125 | { "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL((void*)0), |
126 | KEY_ECDSA_SK, NID_X9_62_prime256v1415, 0, 1 }, |
127 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL((void*)0), |
128 | KEY_RSA_CERT, 0, 1, 0 }, |
129 | { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT", |
130 | "rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 }, |
131 | { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT", |
132 | "rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 }, |
133 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL((void*)0), |
134 | KEY_DSA_CERT, 0, 1, 0 }, |
135 | { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL((void*)0), |
136 | KEY_ECDSA_CERT, NID_X9_62_prime256v1415, 1, 0 }, |
137 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL((void*)0), |
138 | KEY_ECDSA_CERT, NID_secp384r1715, 1, 0 }, |
139 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL((void*)0), |
140 | KEY_ECDSA_CERT, NID_secp521r1716, 1, 0 }, |
141 | { "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL((void*)0), |
142 | KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1415, 1, 0 }, |
143 | #endif /* WITH_OPENSSL */ |
144 | { NULL((void*)0), NULL((void*)0), NULL((void*)0), -1, -1, 0, 0 } |
145 | }; |
146 | |
147 | const char * |
148 | sshkey_type(const struct sshkey *k) |
149 | { |
150 | const struct keytype *kt; |
151 | |
152 | for (kt = keytypes; kt->type != -1; kt++) { |
153 | if (kt->type == k->type) |
154 | return kt->shortname; |
155 | } |
156 | return "unknown"; |
157 | } |
158 | |
159 | static const char * |
160 | sshkey_ssh_name_from_type_nid(int type, int nid) |
161 | { |
162 | const struct keytype *kt; |
163 | |
164 | for (kt = keytypes; kt->type != -1; kt++) { |
165 | if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) |
166 | return kt->name; |
167 | } |
168 | return "ssh-unknown"; |
169 | } |
170 | |
171 | int |
172 | sshkey_type_is_cert(int type) |
173 | { |
174 | const struct keytype *kt; |
175 | |
176 | for (kt = keytypes; kt->type != -1; kt++) { |
177 | if (kt->type == type) |
178 | return kt->cert; |
179 | } |
180 | return 0; |
181 | } |
182 | |
183 | const char * |
184 | sshkey_ssh_name(const struct sshkey *k) |
185 | { |
186 | return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); |
187 | } |
188 | |
189 | const char * |
190 | sshkey_ssh_name_plain(const struct sshkey *k) |
191 | { |
192 | return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), |
193 | k->ecdsa_nid); |
194 | } |
195 | |
196 | int |
197 | sshkey_type_from_name(const char *name) |
198 | { |
199 | const struct keytype *kt; |
200 | |
201 | for (kt = keytypes; kt->type != -1; kt++) { |
202 | /* Only allow shortname matches for plain key types */ |
203 | if ((kt->name != NULL((void*)0) && strcmp(name, kt->name) == 0) || |
204 | (!kt->cert && strcasecmp(kt->shortname, name) == 0)) |
205 | return kt->type; |
206 | } |
207 | return KEY_UNSPEC; |
208 | } |
209 | |
210 | static int |
211 | key_type_is_ecdsa_variant(int type) |
212 | { |
213 | switch (type) { |
214 | case KEY_ECDSA: |
215 | case KEY_ECDSA_CERT: |
216 | case KEY_ECDSA_SK: |
217 | case KEY_ECDSA_SK_CERT: |
218 | return 1; |
219 | } |
220 | return 0; |
221 | } |
222 | |
223 | int |
224 | sshkey_ecdsa_nid_from_name(const char *name) |
225 | { |
226 | const struct keytype *kt; |
227 | |
228 | for (kt = keytypes; kt->type != -1; kt++) { |
229 | if (!key_type_is_ecdsa_variant(kt->type)) |
230 | continue; |
231 | if (kt->name != NULL((void*)0) && strcmp(name, kt->name) == 0) |
232 | return kt->nid; |
233 | } |
234 | return -1; |
235 | } |
236 | |
237 | int |
238 | sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) |
239 | { |
240 | int ktype; |
241 | |
242 | if (sigalgs == NULL((void*)0) || *sigalgs == '\0' || |
243 | (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) |
244 | return 0; |
245 | else if (ktype == KEY_RSA) { |
246 | return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || |
247 | match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || |
248 | match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; |
249 | } else if (ktype == KEY_RSA_CERT) { |
250 | return match_pattern_list("ssh-rsa-cert-v01@openssh.com", |
251 | sigalgs, 0) == 1 || |
252 | match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
253 | sigalgs, 0) == 1 || |
254 | match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
255 | sigalgs, 0) == 1; |
256 | } else |
257 | return match_pattern_list(keyname, sigalgs, 0) == 1; |
258 | } |
259 | |
260 | char * |
261 | sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
262 | { |
263 | char *tmp, *ret = NULL((void*)0); |
264 | size_t nlen, rlen = 0; |
265 | const struct keytype *kt; |
266 | |
267 | for (kt = keytypes; kt->type != -1; kt++) { |
268 | if (kt->name == NULL((void*)0)) |
269 | continue; |
270 | if (!include_sigonly && kt->sigonly) |
271 | continue; |
272 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) |
273 | continue; |
274 | if (ret != NULL((void*)0)) |
275 | ret[rlen++] = sep; |
276 | nlen = strlen(kt->name); |
277 | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL((void*)0)) { |
278 | free(ret); |
279 | return NULL((void*)0); |
280 | } |
281 | ret = tmp; |
282 | memcpy(ret + rlen, kt->name, nlen + 1); |
283 | rlen += nlen; |
284 | } |
285 | return ret; |
286 | } |
287 | |
288 | int |
289 | sshkey_names_valid2(const char *names, int allow_wildcard) |
290 | { |
291 | char *s, *cp, *p; |
292 | const struct keytype *kt; |
293 | int type; |
294 | |
295 | if (names == NULL((void*)0) || strcmp(names, "") == 0) |
296 | return 0; |
297 | if ((s = cp = strdup(names)) == NULL((void*)0)) |
298 | return 0; |
299 | for ((p = strsep(&cp, ",")); p && *p != '\0'; |
300 | (p = strsep(&cp, ","))) { |
301 | type = sshkey_type_from_name(p); |
302 | if (type == KEY_UNSPEC) { |
303 | if (allow_wildcard) { |
304 | /* |
305 | * Try matching key types against the string. |
306 | * If any has a positive or negative match then |
307 | * the component is accepted. |
308 | */ |
309 | for (kt = keytypes; kt->type != -1; kt++) { |
310 | if (match_pattern_list(kt->name, |
311 | p, 0) != 0) |
312 | break; |
313 | } |
314 | if (kt->type != -1) |
315 | continue; |
316 | } |
317 | free(s); |
318 | return 0; |
319 | } |
320 | } |
321 | free(s); |
322 | return 1; |
323 | } |
324 | |
325 | u_int |
326 | sshkey_size(const struct sshkey *k) |
327 | { |
328 | #ifdef WITH_OPENSSL1 |
329 | const BIGNUM *rsa_n, *dsa_p; |
330 | #endif /* WITH_OPENSSL */ |
331 | |
332 | switch (k->type) { |
333 | #ifdef WITH_OPENSSL1 |
334 | case KEY_RSA: |
335 | case KEY_RSA_CERT: |
336 | if (k->rsa == NULL((void*)0)) |
337 | return 0; |
338 | RSA_get0_key(k->rsa, &rsa_n, NULL((void*)0), NULL((void*)0)); |
339 | return BN_num_bits(rsa_n); |
340 | case KEY_DSA: |
341 | case KEY_DSA_CERT: |
342 | if (k->dsa == NULL((void*)0)) |
343 | return 0; |
344 | DSA_get0_pqg(k->dsa, &dsa_p, NULL((void*)0), NULL((void*)0)); |
345 | return BN_num_bits(dsa_p); |
346 | case KEY_ECDSA: |
347 | case KEY_ECDSA_CERT: |
348 | case KEY_ECDSA_SK: |
349 | case KEY_ECDSA_SK_CERT: |
350 | return sshkey_curve_nid_to_bits(k->ecdsa_nid); |
351 | #endif /* WITH_OPENSSL */ |
352 | case KEY_ED25519: |
353 | case KEY_ED25519_CERT: |
354 | case KEY_ED25519_SK: |
355 | case KEY_ED25519_SK_CERT: |
356 | case KEY_XMSS: |
357 | case KEY_XMSS_CERT: |
358 | return 256; /* XXX */ |
359 | } |
360 | return 0; |
361 | } |
362 | |
363 | static int |
364 | sshkey_type_is_valid_ca(int type) |
365 | { |
366 | switch (type) { |
367 | case KEY_RSA: |
368 | case KEY_DSA: |
369 | case KEY_ECDSA: |
370 | case KEY_ECDSA_SK: |
371 | case KEY_ED25519: |
372 | case KEY_ED25519_SK: |
373 | case KEY_XMSS: |
374 | return 1; |
375 | default: |
376 | return 0; |
377 | } |
378 | } |
379 | |
380 | int |
381 | sshkey_is_cert(const struct sshkey *k) |
382 | { |
383 | if (k == NULL((void*)0)) |
384 | return 0; |
385 | return sshkey_type_is_cert(k->type); |
386 | } |
387 | |
388 | int |
389 | sshkey_is_sk(const struct sshkey *k) |
390 | { |
391 | if (k == NULL((void*)0)) |
392 | return 0; |
393 | switch (sshkey_type_plain(k->type)) { |
394 | case KEY_ECDSA_SK: |
395 | case KEY_ED25519_SK: |
396 | return 1; |
397 | default: |
398 | return 0; |
399 | } |
400 | } |
401 | |
402 | /* Return the cert-less equivalent to a certified key type */ |
403 | int |
404 | sshkey_type_plain(int type) |
405 | { |
406 | switch (type) { |
407 | case KEY_RSA_CERT: |
408 | return KEY_RSA; |
409 | case KEY_DSA_CERT: |
410 | return KEY_DSA; |
411 | case KEY_ECDSA_CERT: |
412 | return KEY_ECDSA; |
413 | case KEY_ECDSA_SK_CERT: |
414 | return KEY_ECDSA_SK; |
415 | case KEY_ED25519_CERT: |
416 | return KEY_ED25519; |
417 | case KEY_ED25519_SK_CERT: |
418 | return KEY_ED25519_SK; |
419 | case KEY_XMSS_CERT: |
420 | return KEY_XMSS; |
421 | default: |
422 | return type; |
423 | } |
424 | } |
425 | |
426 | #ifdef WITH_OPENSSL1 |
427 | /* XXX: these are really begging for a table-driven approach */ |
428 | int |
429 | sshkey_curve_name_to_nid(const char *name) |
430 | { |
431 | if (strcmp(name, "nistp256") == 0) |
432 | return NID_X9_62_prime256v1415; |
433 | else if (strcmp(name, "nistp384") == 0) |
434 | return NID_secp384r1715; |
435 | else if (strcmp(name, "nistp521") == 0) |
436 | return NID_secp521r1716; |
437 | else |
438 | return -1; |
439 | } |
440 | |
441 | u_int |
442 | sshkey_curve_nid_to_bits(int nid) |
443 | { |
444 | switch (nid) { |
445 | case NID_X9_62_prime256v1415: |
446 | return 256; |
447 | case NID_secp384r1715: |
448 | return 384; |
449 | case NID_secp521r1716: |
450 | return 521; |
451 | default: |
452 | return 0; |
453 | } |
454 | } |
455 | |
456 | int |
457 | sshkey_ecdsa_bits_to_nid(int bits) |
458 | { |
459 | switch (bits) { |
460 | case 256: |
461 | return NID_X9_62_prime256v1415; |
462 | case 384: |
463 | return NID_secp384r1715; |
464 | case 521: |
465 | return NID_secp521r1716; |
466 | default: |
467 | return -1; |
468 | } |
469 | } |
470 | |
471 | const char * |
472 | sshkey_curve_nid_to_name(int nid) |
473 | { |
474 | switch (nid) { |
475 | case NID_X9_62_prime256v1415: |
476 | return "nistp256"; |
477 | case NID_secp384r1715: |
478 | return "nistp384"; |
479 | case NID_secp521r1716: |
480 | return "nistp521"; |
481 | default: |
482 | return NULL((void*)0); |
483 | } |
484 | } |
485 | |
486 | int |
487 | sshkey_ec_nid_to_hash_alg(int nid) |
488 | { |
489 | int kbits = sshkey_curve_nid_to_bits(nid); |
490 | |
491 | if (kbits <= 0) |
492 | return -1; |
493 | |
494 | /* RFC5656 section 6.2.1 */ |
495 | if (kbits <= 256) |
496 | return SSH_DIGEST_SHA2562; |
497 | else if (kbits <= 384) |
498 | return SSH_DIGEST_SHA3843; |
499 | else |
500 | return SSH_DIGEST_SHA5124; |
501 | } |
502 | #endif /* WITH_OPENSSL */ |
503 | |
504 | static void |
505 | cert_free(struct sshkey_cert *cert) |
506 | { |
507 | u_int i; |
508 | |
509 | if (cert == NULL((void*)0)) |
510 | return; |
511 | sshbuf_free(cert->certblob); |
512 | sshbuf_free(cert->critical); |
513 | sshbuf_free(cert->extensions); |
514 | free(cert->key_id); |
515 | for (i = 0; i < cert->nprincipals; i++) |
516 | free(cert->principals[i]); |
517 | free(cert->principals); |
518 | sshkey_free(cert->signature_key); |
519 | free(cert->signature_type); |
520 | freezero(cert, sizeof(*cert)); |
521 | } |
522 | |
523 | static struct sshkey_cert * |
524 | cert_new(void) |
525 | { |
526 | struct sshkey_cert *cert; |
527 | |
528 | if ((cert = calloc(1, sizeof(*cert))) == NULL((void*)0)) |
529 | return NULL((void*)0); |
530 | if ((cert->certblob = sshbuf_new()) == NULL((void*)0) || |
531 | (cert->critical = sshbuf_new()) == NULL((void*)0) || |
532 | (cert->extensions = sshbuf_new()) == NULL((void*)0)) { |
533 | cert_free(cert); |
534 | return NULL((void*)0); |
535 | } |
536 | cert->key_id = NULL((void*)0); |
537 | cert->principals = NULL((void*)0); |
538 | cert->signature_key = NULL((void*)0); |
539 | cert->signature_type = NULL((void*)0); |
540 | return cert; |
541 | } |
542 | |
543 | struct sshkey * |
544 | sshkey_new(int type) |
545 | { |
546 | struct sshkey *k; |
547 | #ifdef WITH_OPENSSL1 |
548 | RSA *rsa; |
549 | DSA *dsa; |
550 | #endif /* WITH_OPENSSL */ |
551 | |
552 | if ((k = calloc(1, sizeof(*k))) == NULL((void*)0)) |
553 | return NULL((void*)0); |
554 | k->type = type; |
555 | k->ecdsa = NULL((void*)0); |
556 | k->ecdsa_nid = -1; |
557 | k->dsa = NULL((void*)0); |
558 | k->rsa = NULL((void*)0); |
559 | k->cert = NULL((void*)0); |
560 | k->ed25519_sk = NULL((void*)0); |
561 | k->ed25519_pk = NULL((void*)0); |
562 | k->xmss_sk = NULL((void*)0); |
563 | k->xmss_pk = NULL((void*)0); |
564 | switch (k->type) { |
565 | #ifdef WITH_OPENSSL1 |
566 | case KEY_RSA: |
567 | case KEY_RSA_CERT: |
568 | if ((rsa = RSA_new()) == NULL((void*)0)) { |
569 | free(k); |
570 | return NULL((void*)0); |
571 | } |
572 | k->rsa = rsa; |
573 | break; |
574 | case KEY_DSA: |
575 | case KEY_DSA_CERT: |
576 | if ((dsa = DSA_new()) == NULL((void*)0)) { |
577 | free(k); |
578 | return NULL((void*)0); |
579 | } |
580 | k->dsa = dsa; |
581 | break; |
582 | case KEY_ECDSA: |
583 | case KEY_ECDSA_CERT: |
584 | case KEY_ECDSA_SK: |
585 | case KEY_ECDSA_SK_CERT: |
586 | /* Cannot do anything until we know the group */ |
587 | break; |
588 | #endif /* WITH_OPENSSL */ |
589 | case KEY_ED25519: |
590 | case KEY_ED25519_CERT: |
591 | case KEY_ED25519_SK: |
592 | case KEY_ED25519_SK_CERT: |
593 | case KEY_XMSS: |
594 | case KEY_XMSS_CERT: |
595 | /* no need to prealloc */ |
596 | break; |
597 | case KEY_UNSPEC: |
598 | break; |
599 | default: |
600 | free(k); |
601 | return NULL((void*)0); |
602 | } |
603 | |
604 | if (sshkey_is_cert(k)) { |
605 | if ((k->cert = cert_new()) == NULL((void*)0)) { |
606 | sshkey_free(k); |
607 | return NULL((void*)0); |
608 | } |
609 | } |
610 | |
611 | return k; |
612 | } |
613 | |
614 | void |
615 | sshkey_free(struct sshkey *k) |
616 | { |
617 | if (k == NULL((void*)0)) |
618 | return; |
619 | switch (k->type) { |
620 | #ifdef WITH_OPENSSL1 |
621 | case KEY_RSA: |
622 | case KEY_RSA_CERT: |
623 | RSA_free(k->rsa); |
624 | k->rsa = NULL((void*)0); |
625 | break; |
626 | case KEY_DSA: |
627 | case KEY_DSA_CERT: |
628 | DSA_free(k->dsa); |
629 | k->dsa = NULL((void*)0); |
630 | break; |
631 | case KEY_ECDSA_SK: |
632 | case KEY_ECDSA_SK_CERT: |
633 | free(k->sk_application); |
634 | sshbuf_free(k->sk_key_handle); |
635 | sshbuf_free(k->sk_reserved); |
636 | /* FALLTHROUGH */ |
637 | case KEY_ECDSA: |
638 | case KEY_ECDSA_CERT: |
639 | EC_KEY_free(k->ecdsa); |
640 | k->ecdsa = NULL((void*)0); |
641 | break; |
642 | #endif /* WITH_OPENSSL */ |
643 | case KEY_ED25519_SK: |
644 | case KEY_ED25519_SK_CERT: |
645 | free(k->sk_application); |
646 | sshbuf_free(k->sk_key_handle); |
647 | sshbuf_free(k->sk_reserved); |
648 | /* FALLTHROUGH */ |
649 | case KEY_ED25519: |
650 | case KEY_ED25519_CERT: |
651 | freezero(k->ed25519_pk, ED25519_PK_SZ32U); |
652 | k->ed25519_pk = NULL((void*)0); |
653 | freezero(k->ed25519_sk, ED25519_SK_SZ64U); |
654 | k->ed25519_sk = NULL((void*)0); |
655 | break; |
656 | #ifdef WITH_XMSS |
657 | case KEY_XMSS: |
658 | case KEY_XMSS_CERT: |
659 | freezero(k->xmss_pk, sshkey_xmss_pklen(k)); |
660 | k->xmss_pk = NULL((void*)0); |
661 | freezero(k->xmss_sk, sshkey_xmss_sklen(k)); |
662 | k->xmss_sk = NULL((void*)0); |
663 | sshkey_xmss_free_state(k); |
664 | free(k->xmss_name); |
665 | k->xmss_name = NULL((void*)0); |
666 | free(k->xmss_filename); |
667 | k->xmss_filename = NULL((void*)0); |
668 | break; |
669 | #endif /* WITH_XMSS */ |
670 | case KEY_UNSPEC: |
671 | break; |
672 | default: |
673 | break; |
674 | } |
675 | if (sshkey_is_cert(k)) |
676 | cert_free(k->cert); |
677 | freezero(k->shielded_private, k->shielded_len); |
678 | freezero(k->shield_prekey, k->shield_prekey_len); |
679 | freezero(k, sizeof(*k)); |
680 | } |
681 | |
682 | static int |
683 | cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) |
684 | { |
685 | if (a == NULL((void*)0) && b == NULL((void*)0)) |
686 | return 1; |
687 | if (a == NULL((void*)0) || b == NULL((void*)0)) |
688 | return 0; |
689 | if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) |
690 | return 0; |
691 | if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), |
692 | sshbuf_len(a->certblob)) != 0) |
693 | return 0; |
694 | return 1; |
695 | } |
696 | |
697 | /* |
698 | * Compare public portions of key only, allowing comparisons between |
699 | * certificates and plain keys too. |
700 | */ |
701 | int |
702 | sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) |
703 | { |
704 | #ifdef WITH_OPENSSL1 |
705 | const BIGNUM *rsa_e_a, *rsa_n_a; |
706 | const BIGNUM *rsa_e_b, *rsa_n_b; |
707 | const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a; |
708 | const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b; |
709 | #endif /* WITH_OPENSSL */ |
710 | |
711 | if (a == NULL((void*)0) || b == NULL((void*)0) || |
712 | sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) |
713 | return 0; |
714 | |
715 | switch (a->type) { |
716 | #ifdef WITH_OPENSSL1 |
717 | case KEY_RSA_CERT: |
718 | case KEY_RSA: |
719 | if (a->rsa == NULL((void*)0) || b->rsa == NULL((void*)0)) |
720 | return 0; |
721 | RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL((void*)0)); |
722 | RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL((void*)0)); |
723 | return BN_cmp(rsa_e_a, rsa_e_b) == 0 && |
724 | BN_cmp(rsa_n_a, rsa_n_b) == 0; |
725 | case KEY_DSA_CERT: |
726 | case KEY_DSA: |
727 | if (a->dsa == NULL((void*)0) || b->dsa == NULL((void*)0)) |
728 | return 0; |
729 | DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a); |
730 | DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b); |
731 | DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL((void*)0)); |
732 | DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL((void*)0)); |
733 | return BN_cmp(dsa_p_a, dsa_p_b) == 0 && |
734 | BN_cmp(dsa_q_a, dsa_q_b) == 0 && |
735 | BN_cmp(dsa_g_a, dsa_g_b) == 0 && |
736 | BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0; |
737 | case KEY_ECDSA_SK: |
738 | case KEY_ECDSA_SK_CERT: |
739 | if (a->sk_application == NULL((void*)0) || b->sk_application == NULL((void*)0)) |
740 | return 0; |
741 | if (strcmp(a->sk_application, b->sk_application) != 0) |
742 | return 0; |
743 | /* FALLTHROUGH */ |
744 | case KEY_ECDSA_CERT: |
745 | case KEY_ECDSA: |
746 | if (a->ecdsa == NULL((void*)0) || b->ecdsa == NULL((void*)0) || |
747 | EC_KEY_get0_public_key(a->ecdsa) == NULL((void*)0) || |
748 | EC_KEY_get0_public_key(b->ecdsa) == NULL((void*)0)) |
749 | return 0; |
750 | if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), |
751 | EC_KEY_get0_group(b->ecdsa), NULL((void*)0)) != 0 || |
752 | EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), |
753 | EC_KEY_get0_public_key(a->ecdsa), |
754 | EC_KEY_get0_public_key(b->ecdsa), NULL((void*)0)) != 0) |
755 | return 0; |
756 | return 1; |
757 | #endif /* WITH_OPENSSL */ |
758 | case KEY_ED25519_SK: |
759 | case KEY_ED25519_SK_CERT: |
760 | if (a->sk_application == NULL((void*)0) || b->sk_application == NULL((void*)0)) |
761 | return 0; |
762 | if (strcmp(a->sk_application, b->sk_application) != 0) |
763 | return 0; |
764 | /* FALLTHROUGH */ |
765 | case KEY_ED25519: |
766 | case KEY_ED25519_CERT: |
767 | return a->ed25519_pk != NULL((void*)0) && b->ed25519_pk != NULL((void*)0) && |
768 | memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ32U) == 0; |
769 | #ifdef WITH_XMSS |
770 | case KEY_XMSS: |
771 | case KEY_XMSS_CERT: |
772 | return a->xmss_pk != NULL((void*)0) && b->xmss_pk != NULL((void*)0) && |
773 | sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) && |
774 | memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0; |
775 | #endif /* WITH_XMSS */ |
776 | default: |
777 | return 0; |
778 | } |
779 | /* NOTREACHED */ |
780 | } |
781 | |
782 | int |
783 | sshkey_equal(const struct sshkey *a, const struct sshkey *b) |
784 | { |
785 | if (a == NULL((void*)0) || b == NULL((void*)0) || a->type != b->type) |
786 | return 0; |
787 | if (sshkey_is_cert(a)) { |
788 | if (!cert_compare(a->cert, b->cert)) |
789 | return 0; |
790 | } |
791 | return sshkey_equal_public(a, b); |
792 | } |
793 | |
794 | static int |
795 | to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, |
796 | enum sshkey_serialize_rep opts) |
797 | { |
798 | int type, ret = SSH_ERR_INTERNAL_ERROR-1; |
799 | const char *typename; |
800 | #ifdef WITH_OPENSSL1 |
801 | const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; |
802 | #endif /* WITH_OPENSSL */ |
803 | |
804 | if (key == NULL((void*)0)) |
805 | return SSH_ERR_INVALID_ARGUMENT-10; |
806 | |
807 | if (sshkey_is_cert(key)) { |
808 | if (key->cert == NULL((void*)0)) |
809 | return SSH_ERR_EXPECTED_CERT-16; |
810 | if (sshbuf_len(key->cert->certblob) == 0) |
811 | return SSH_ERR_KEY_LACKS_CERTBLOB-17; |
812 | } |
813 | type = force_plain ? sshkey_type_plain(key->type) : key->type; |
814 | typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); |
815 | |
816 | switch (type) { |
817 | #ifdef WITH_OPENSSL1 |
818 | case KEY_DSA_CERT: |
819 | case KEY_ECDSA_CERT: |
820 | case KEY_ECDSA_SK_CERT: |
821 | case KEY_RSA_CERT: |
822 | #endif /* WITH_OPENSSL */ |
823 | case KEY_ED25519_CERT: |
824 | case KEY_ED25519_SK_CERT: |
825 | #ifdef WITH_XMSS |
826 | case KEY_XMSS_CERT: |
827 | #endif /* WITH_XMSS */ |
828 | /* Use the existing blob */ |
829 | /* XXX modified flag? */ |
830 | if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) |
831 | return ret; |
832 | break; |
833 | #ifdef WITH_OPENSSL1 |
834 | case KEY_DSA: |
835 | if (key->dsa == NULL((void*)0)) |
836 | return SSH_ERR_INVALID_ARGUMENT-10; |
837 | DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); |
838 | DSA_get0_key(key->dsa, &dsa_pub_key, NULL((void*)0)); |
839 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || |
840 | (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 || |
841 | (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 || |
842 | (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 || |
843 | (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0) |
844 | return ret; |
845 | break; |
846 | case KEY_ECDSA: |
847 | case KEY_ECDSA_SK: |
848 | if (key->ecdsa == NULL((void*)0)) |
849 | return SSH_ERR_INVALID_ARGUMENT-10; |
850 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || |
851 | (ret = sshbuf_put_cstring(b, |
852 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || |
853 | (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0) |
854 | return ret; |
855 | if (type == KEY_ECDSA_SK) { |
856 | if ((ret = sshbuf_put_cstring(b, |
857 | key->sk_application)) != 0) |
858 | return ret; |
859 | } |
860 | break; |
861 | case KEY_RSA: |
862 | if (key->rsa == NULL((void*)0)) |
863 | return SSH_ERR_INVALID_ARGUMENT-10; |
864 | RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL((void*)0)); |
865 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || |
866 | (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 || |
867 | (ret = sshbuf_put_bignum2(b, rsa_n)) != 0) |
868 | return ret; |
869 | break; |
870 | #endif /* WITH_OPENSSL */ |
871 | case KEY_ED25519: |
872 | case KEY_ED25519_SK: |
873 | if (key->ed25519_pk == NULL((void*)0)) |
874 | return SSH_ERR_INVALID_ARGUMENT-10; |
875 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || |
876 | (ret = sshbuf_put_string(b, |
877 | key->ed25519_pk, ED25519_PK_SZ32U)) != 0) |
878 | return ret; |
879 | if (type == KEY_ED25519_SK) { |
880 | if ((ret = sshbuf_put_cstring(b, |
881 | key->sk_application)) != 0) |
882 | return ret; |
883 | } |
884 | break; |
885 | #ifdef WITH_XMSS |
886 | case KEY_XMSS: |
887 | if (key->xmss_name == NULL((void*)0) || key->xmss_pk == NULL((void*)0) || |
888 | sshkey_xmss_pklen(key) == 0) |
889 | return SSH_ERR_INVALID_ARGUMENT-10; |
890 | if ((ret = sshbuf_put_cstring(b, typename)) != 0 || |
891 | (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 || |
892 | (ret = sshbuf_put_string(b, |
893 | key->xmss_pk, sshkey_xmss_pklen(key))) != 0 || |
894 | (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0) |
895 | return ret; |
896 | break; |
897 | #endif /* WITH_XMSS */ |
898 | default: |
899 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
900 | } |
901 | return 0; |
902 | } |
903 | |
904 | int |
905 | sshkey_putb(const struct sshkey *key, struct sshbuf *b) |
906 | { |
907 | return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); |
908 | } |
909 | |
910 | int |
911 | sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, |
912 | enum sshkey_serialize_rep opts) |
913 | { |
914 | struct sshbuf *tmp; |
915 | int r; |
916 | |
917 | if ((tmp = sshbuf_new()) == NULL((void*)0)) |
918 | return SSH_ERR_ALLOC_FAIL-2; |
919 | r = to_blob_buf(key, tmp, 0, opts); |
920 | if (r == 0) |
921 | r = sshbuf_put_stringb(b, tmp); |
922 | sshbuf_free(tmp); |
923 | return r; |
924 | } |
925 | |
926 | int |
927 | sshkey_puts(const struct sshkey *key, struct sshbuf *b) |
928 | { |
929 | return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); |
930 | } |
931 | |
932 | int |
933 | sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) |
934 | { |
935 | return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); |
936 | } |
937 | |
938 | static int |
939 | to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, |
940 | enum sshkey_serialize_rep opts) |
941 | { |
942 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
943 | size_t len; |
944 | struct sshbuf *b = NULL((void*)0); |
945 | |
946 | if (lenp != NULL((void*)0)) |
947 | *lenp = 0; |
948 | if (blobp != NULL((void*)0)) |
949 | *blobp = NULL((void*)0); |
950 | if ((b = sshbuf_new()) == NULL((void*)0)) |
951 | return SSH_ERR_ALLOC_FAIL-2; |
952 | if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) |
953 | goto out; |
954 | len = sshbuf_len(b); |
955 | if (lenp != NULL((void*)0)) |
956 | *lenp = len; |
957 | if (blobp != NULL((void*)0)) { |
958 | if ((*blobp = malloc(len)) == NULL((void*)0)) { |
959 | ret = SSH_ERR_ALLOC_FAIL-2; |
960 | goto out; |
961 | } |
962 | memcpy(*blobp, sshbuf_ptr(b), len); |
963 | } |
964 | ret = 0; |
965 | out: |
966 | sshbuf_free(b); |
967 | return ret; |
968 | } |
969 | |
970 | int |
971 | sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) |
972 | { |
973 | return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); |
974 | } |
975 | |
976 | int |
977 | sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) |
978 | { |
979 | return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); |
980 | } |
981 | |
982 | int |
983 | sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, |
984 | u_char **retp, size_t *lenp) |
985 | { |
986 | u_char *blob = NULL((void*)0), *ret = NULL((void*)0); |
987 | size_t blob_len = 0; |
988 | int r = SSH_ERR_INTERNAL_ERROR-1; |
989 | |
990 | if (retp != NULL((void*)0)) |
991 | *retp = NULL((void*)0); |
992 | if (lenp != NULL((void*)0)) |
993 | *lenp = 0; |
994 | if (ssh_digest_bytes(dgst_alg) == 0) { |
995 | r = SSH_ERR_INVALID_ARGUMENT-10; |
996 | goto out; |
997 | } |
998 | if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) |
999 | != 0) |
1000 | goto out; |
1001 | if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH64)) == NULL((void*)0)) { |
1002 | r = SSH_ERR_ALLOC_FAIL-2; |
1003 | goto out; |
1004 | } |
1005 | if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, |
1006 | ret, SSH_DIGEST_MAX_LENGTH64)) != 0) |
1007 | goto out; |
1008 | /* success */ |
1009 | if (retp != NULL((void*)0)) { |
1010 | *retp = ret; |
1011 | ret = NULL((void*)0); |
1012 | } |
1013 | if (lenp != NULL((void*)0)) |
1014 | *lenp = ssh_digest_bytes(dgst_alg); |
1015 | r = 0; |
1016 | out: |
1017 | free(ret); |
1018 | if (blob != NULL((void*)0)) |
1019 | freezero(blob, blob_len); |
1020 | return r; |
1021 | } |
1022 | |
1023 | static char * |
1024 | fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) |
1025 | { |
1026 | char *ret; |
1027 | size_t plen = strlen(alg) + 1; |
1028 | size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; |
1029 | |
1030 | if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL((void*)0)) |
1031 | return NULL((void*)0); |
1032 | strlcpy(ret, alg, rlen); |
1033 | strlcat(ret, ":", rlen); |
1034 | if (dgst_raw_len == 0) |
1035 | return ret; |
1036 | if (b64_ntop__b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { |
1037 | freezero(ret, rlen); |
1038 | return NULL((void*)0); |
1039 | } |
1040 | /* Trim padding characters from end */ |
1041 | ret[strcspn(ret, "=")] = '\0'; |
1042 | return ret; |
1043 | } |
1044 | |
1045 | static char * |
1046 | fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) |
1047 | { |
1048 | char *retval, hex[5]; |
1049 | size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; |
1050 | |
1051 | if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL((void*)0)) |
1052 | return NULL((void*)0); |
1053 | strlcpy(retval, alg, rlen); |
1054 | strlcat(retval, ":", rlen); |
1055 | for (i = 0; i < dgst_raw_len; i++) { |
1056 | snprintf(hex, sizeof(hex), "%s%02x", |
1057 | i > 0 ? ":" : "", dgst_raw[i]); |
1058 | strlcat(retval, hex, rlen); |
1059 | } |
1060 | return retval; |
1061 | } |
1062 | |
1063 | static char * |
1064 | fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) |
1065 | { |
1066 | char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; |
1067 | char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', |
1068 | 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; |
1069 | u_int i, j = 0, rounds, seed = 1; |
1070 | char *retval; |
1071 | |
1072 | rounds = (dgst_raw_len / 2) + 1; |
1073 | if ((retval = calloc(rounds, 6)) == NULL((void*)0)) |
1074 | return NULL((void*)0); |
1075 | retval[j++] = 'x'; |
1076 | for (i = 0; i < rounds; i++) { |
1077 | u_int idx0, idx1, idx2, idx3, idx4; |
1078 | if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { |
1079 | idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + |
1080 | seed) % 6; |
1081 | idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; |
1082 | idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + |
1083 | (seed / 6)) % 6; |
1084 | retval[j++] = vowels[idx0]; |
1085 | retval[j++] = consonants[idx1]; |
1086 | retval[j++] = vowels[idx2]; |
1087 | if ((i + 1) < rounds) { |
1088 | idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; |
1089 | idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; |
1090 | retval[j++] = consonants[idx3]; |
1091 | retval[j++] = '-'; |
1092 | retval[j++] = consonants[idx4]; |
1093 | seed = ((seed * 5) + |
1094 | ((((u_int)(dgst_raw[2 * i])) * 7) + |
1095 | ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; |
1096 | } |
1097 | } else { |
1098 | idx0 = seed % 6; |
1099 | idx1 = 16; |
1100 | idx2 = seed / 6; |
1101 | retval[j++] = vowels[idx0]; |
1102 | retval[j++] = consonants[idx1]; |
1103 | retval[j++] = vowels[idx2]; |
1104 | } |
1105 | } |
1106 | retval[j++] = 'x'; |
1107 | retval[j++] = '\0'; |
1108 | return retval; |
1109 | } |
1110 | |
1111 | /* |
1112 | * Draw an ASCII-Art representing the fingerprint so human brain can |
1113 | * profit from its built-in pattern recognition ability. |
1114 | * This technique is called "random art" and can be found in some |
1115 | * scientific publications like this original paper: |
1116 | * |
1117 | * "Hash Visualization: a New Technique to improve Real-World Security", |
1118 | * Perrig A. and Song D., 1999, International Workshop on Cryptographic |
1119 | * Techniques and E-Commerce (CrypTEC '99) |
1120 | * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf |
1121 | * |
1122 | * The subject came up in a talk by Dan Kaminsky, too. |
1123 | * |
1124 | * If you see the picture is different, the key is different. |
1125 | * If the picture looks the same, you still know nothing. |
1126 | * |
1127 | * The algorithm used here is a worm crawling over a discrete plane, |
1128 | * leaving a trace (augmenting the field) everywhere it goes. |
1129 | * Movement is taken from dgst_raw 2bit-wise. Bumping into walls |
1130 | * makes the respective movement vector be ignored for this turn. |
1131 | * Graphs are not unambiguous, because circles in graphs can be |
1132 | * walked in either direction. |
1133 | */ |
1134 | |
1135 | /* |
1136 | * Field sizes for the random art. Have to be odd, so the starting point |
1137 | * can be in the exact middle of the picture, and FLDBASE should be >=8 . |
1138 | * Else pictures would be too dense, and drawing the frame would |
1139 | * fail, too, because the key type would not fit in anymore. |
1140 | */ |
1141 | #define FLDBASE8 8 |
1142 | #define FLDSIZE_Y(8 + 1) (FLDBASE8 + 1) |
1143 | #define FLDSIZE_X(8 * 2 + 1) (FLDBASE8 * 2 + 1) |
1144 | static char * |
1145 | fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, |
1146 | const struct sshkey *k) |
1147 | { |
1148 | /* |
1149 | * Chars to be used after each other every time the worm |
1150 | * intersects with itself. Matter of taste. |
1151 | */ |
1152 | char *augmentation_string = " .o+=*BOX@%&#/^SE"; |
1153 | char *retval, *p, title[FLDSIZE_X(8 * 2 + 1)], hash[FLDSIZE_X(8 * 2 + 1)]; |
1154 | u_char field[FLDSIZE_X(8 * 2 + 1)][FLDSIZE_Y(8 + 1)]; |
1155 | size_t i, tlen, hlen; |
1156 | u_int b; |
1157 | int x, y, r; |
1158 | size_t len = strlen(augmentation_string) - 1; |
1159 | |
1160 | if ((retval = calloc((FLDSIZE_X(8 * 2 + 1) + 3), (FLDSIZE_Y(8 + 1) + 2))) == NULL((void*)0)) |
1161 | return NULL((void*)0); |
1162 | |
1163 | /* initialize field */ |
1164 | memset(field, 0, FLDSIZE_X(8 * 2 + 1) * FLDSIZE_Y(8 + 1) * sizeof(char)); |
1165 | x = FLDSIZE_X(8 * 2 + 1) / 2; |
1166 | y = FLDSIZE_Y(8 + 1) / 2; |
1167 | |
1168 | /* process raw key */ |
1169 | for (i = 0; i < dgst_raw_len; i++) { |
1170 | int input; |
1171 | /* each byte conveys four 2-bit move commands */ |
1172 | input = dgst_raw[i]; |
1173 | for (b = 0; b < 4; b++) { |
1174 | /* evaluate 2 bit, rest is shifted later */ |
1175 | x += (input & 0x1) ? 1 : -1; |
1176 | y += (input & 0x2) ? 1 : -1; |
1177 | |
1178 | /* assure we are still in bounds */ |
1179 | x = MAXIMUM(x, 0)(((x) > (0)) ? (x) : (0)); |
1180 | y = MAXIMUM(y, 0)(((y) > (0)) ? (y) : (0)); |
1181 | x = MINIMUM(x, FLDSIZE_X - 1)(((x) < ((8 * 2 + 1) - 1)) ? (x) : ((8 * 2 + 1) - 1)); |
1182 | y = MINIMUM(y, FLDSIZE_Y - 1)(((y) < ((8 + 1) - 1)) ? (y) : ((8 + 1) - 1)); |
1183 | |
1184 | /* augment the field */ |
1185 | if (field[x][y] < len - 2) |
1186 | field[x][y]++; |
1187 | input = input >> 2; |
1188 | } |
1189 | } |
1190 | |
1191 | /* mark starting point and end point*/ |
1192 | field[FLDSIZE_X(8 * 2 + 1) / 2][FLDSIZE_Y(8 + 1) / 2] = len - 1; |
1193 | field[x][y] = len; |
1194 | |
1195 | /* assemble title */ |
1196 | r = snprintf(title, sizeof(title), "[%s %u]", |
1197 | sshkey_type(k), sshkey_size(k)); |
1198 | /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ |
1199 | if (r < 0 || r > (int)sizeof(title)) |
1200 | r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); |
1201 | tlen = (r <= 0) ? 0 : strlen(title); |
1202 | |
1203 | /* assemble hash ID. */ |
1204 | r = snprintf(hash, sizeof(hash), "[%s]", alg); |
1205 | hlen = (r <= 0) ? 0 : strlen(hash); |
1206 | |
1207 | /* output upper border */ |
1208 | p = retval; |
1209 | *p++ = '+'; |
1210 | for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - tlen) / 2; i++) |
1211 | *p++ = '-'; |
1212 | memcpy(p, title, tlen); |
1213 | p += tlen; |
1214 | for (i += tlen; i < FLDSIZE_X(8 * 2 + 1); i++) |
1215 | *p++ = '-'; |
1216 | *p++ = '+'; |
1217 | *p++ = '\n'; |
1218 | |
1219 | /* output content */ |
1220 | for (y = 0; y < FLDSIZE_Y(8 + 1); y++) { |
1221 | *p++ = '|'; |
1222 | for (x = 0; x < FLDSIZE_X(8 * 2 + 1); x++) |
1223 | *p++ = augmentation_string[MINIMUM(field[x][y], len)(((field[x][y]) < (len)) ? (field[x][y]) : (len))]; |
1224 | *p++ = '|'; |
1225 | *p++ = '\n'; |
1226 | } |
1227 | |
1228 | /* output lower border */ |
1229 | *p++ = '+'; |
1230 | for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - hlen) / 2; i++) |
1231 | *p++ = '-'; |
1232 | memcpy(p, hash, hlen); |
1233 | p += hlen; |
1234 | for (i += hlen; i < FLDSIZE_X(8 * 2 + 1); i++) |
1235 | *p++ = '-'; |
1236 | *p++ = '+'; |
1237 | |
1238 | return retval; |
1239 | } |
1240 | |
1241 | char * |
1242 | sshkey_fingerprint(const struct sshkey *k, int dgst_alg, |
1243 | enum sshkey_fp_rep dgst_rep) |
1244 | { |
1245 | char *retval = NULL((void*)0); |
1246 | u_char *dgst_raw; |
1247 | size_t dgst_raw_len; |
1248 | |
1249 | if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) |
1250 | return NULL((void*)0); |
1251 | switch (dgst_rep) { |
1252 | case SSH_FP_DEFAULT: |
1253 | if (dgst_alg == SSH_DIGEST_MD50) { |
1254 | retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), |
1255 | dgst_raw, dgst_raw_len); |
1256 | } else { |
1257 | retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), |
1258 | dgst_raw, dgst_raw_len); |
1259 | } |
1260 | break; |
1261 | case SSH_FP_HEX: |
1262 | retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), |
1263 | dgst_raw, dgst_raw_len); |
1264 | break; |
1265 | case SSH_FP_BASE64: |
1266 | retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), |
1267 | dgst_raw, dgst_raw_len); |
1268 | break; |
1269 | case SSH_FP_BUBBLEBABBLE: |
1270 | retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); |
1271 | break; |
1272 | case SSH_FP_RANDOMART: |
1273 | retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), |
1274 | dgst_raw, dgst_raw_len, k); |
1275 | break; |
1276 | default: |
1277 | freezero(dgst_raw, dgst_raw_len); |
1278 | return NULL((void*)0); |
1279 | } |
1280 | freezero(dgst_raw, dgst_raw_len); |
1281 | return retval; |
1282 | } |
1283 | |
1284 | static int |
1285 | peek_type_nid(const char *s, size_t l, int *nid) |
1286 | { |
1287 | const struct keytype *kt; |
1288 | |
1289 | for (kt = keytypes; kt->type != -1; kt++) { |
1290 | if (kt->name == NULL((void*)0) || strlen(kt->name) != l) |
1291 | continue; |
1292 | if (memcmp(s, kt->name, l) == 0) { |
1293 | *nid = -1; |
1294 | if (key_type_is_ecdsa_variant(kt->type)) |
1295 | *nid = kt->nid; |
1296 | return kt->type; |
1297 | } |
1298 | } |
1299 | return KEY_UNSPEC; |
1300 | } |
1301 | |
1302 | /* XXX this can now be made const char * */ |
1303 | int |
1304 | sshkey_read(struct sshkey *ret, char **cpp) |
1305 | { |
1306 | struct sshkey *k; |
1307 | char *cp, *blobcopy; |
1308 | size_t space; |
1309 | int r, type, curve_nid = -1; |
1310 | struct sshbuf *blob; |
1311 | |
1312 | if (ret == NULL((void*)0)) |
1313 | return SSH_ERR_INVALID_ARGUMENT-10; |
1314 | |
1315 | switch (ret->type) { |
1316 | case KEY_UNSPEC: |
1317 | case KEY_RSA: |
1318 | case KEY_DSA: |
1319 | case KEY_ECDSA: |
1320 | case KEY_ECDSA_SK: |
1321 | case KEY_ED25519: |
1322 | case KEY_ED25519_SK: |
1323 | case KEY_DSA_CERT: |
1324 | case KEY_ECDSA_CERT: |
1325 | case KEY_ECDSA_SK_CERT: |
1326 | case KEY_RSA_CERT: |
1327 | case KEY_ED25519_CERT: |
1328 | case KEY_ED25519_SK_CERT: |
1329 | #ifdef WITH_XMSS |
1330 | case KEY_XMSS: |
1331 | case KEY_XMSS_CERT: |
1332 | #endif /* WITH_XMSS */ |
1333 | break; /* ok */ |
1334 | default: |
1335 | return SSH_ERR_INVALID_ARGUMENT-10; |
1336 | } |
1337 | |
1338 | /* Decode type */ |
1339 | cp = *cpp; |
1340 | space = strcspn(cp, " \t"); |
1341 | if (space == strlen(cp)) |
1342 | return SSH_ERR_INVALID_FORMAT-4; |
1343 | if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) |
1344 | return SSH_ERR_INVALID_FORMAT-4; |
1345 | |
1346 | /* skip whitespace */ |
1347 | for (cp += space; *cp == ' ' || *cp == '\t'; cp++) |
1348 | ; |
1349 | if (*cp == '\0') |
1350 | return SSH_ERR_INVALID_FORMAT-4; |
1351 | if (ret->type != KEY_UNSPEC && ret->type != type) |
1352 | return SSH_ERR_KEY_TYPE_MISMATCH-13; |
1353 | if ((blob = sshbuf_new()) == NULL((void*)0)) |
1354 | return SSH_ERR_ALLOC_FAIL-2; |
1355 | |
1356 | /* find end of keyblob and decode */ |
1357 | space = strcspn(cp, " \t"); |
1358 | if ((blobcopy = strndup(cp, space)) == NULL((void*)0)) { |
1359 | sshbuf_free(blob); |
1360 | return SSH_ERR_ALLOC_FAIL-2; |
1361 | } |
1362 | if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { |
1363 | free(blobcopy); |
1364 | sshbuf_free(blob); |
1365 | return r; |
1366 | } |
1367 | free(blobcopy); |
1368 | if ((r = sshkey_fromb(blob, &k)) != 0) { |
1369 | sshbuf_free(blob); |
1370 | return r; |
1371 | } |
1372 | sshbuf_free(blob); |
1373 | |
1374 | /* skip whitespace and leave cp at start of comment */ |
1375 | for (cp += space; *cp == ' ' || *cp == '\t'; cp++) |
1376 | ; |
1377 | |
1378 | /* ensure type of blob matches type at start of line */ |
1379 | if (k->type != type) { |
1380 | sshkey_free(k); |
1381 | return SSH_ERR_KEY_TYPE_MISMATCH-13; |
1382 | } |
1383 | if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { |
1384 | sshkey_free(k); |
1385 | return SSH_ERR_EC_CURVE_MISMATCH-15; |
1386 | } |
1387 | |
1388 | /* Fill in ret from parsed key */ |
1389 | ret->type = type; |
1390 | if (sshkey_is_cert(ret)) { |
1391 | if (!sshkey_is_cert(k)) { |
1392 | sshkey_free(k); |
1393 | return SSH_ERR_EXPECTED_CERT-16; |
1394 | } |
1395 | if (ret->cert != NULL((void*)0)) |
1396 | cert_free(ret->cert); |
1397 | ret->cert = k->cert; |
1398 | k->cert = NULL((void*)0); |
1399 | } |
1400 | switch (sshkey_type_plain(ret->type)) { |
1401 | #ifdef WITH_OPENSSL1 |
1402 | case KEY_RSA: |
1403 | RSA_free(ret->rsa); |
1404 | ret->rsa = k->rsa; |
1405 | k->rsa = NULL((void*)0); |
1406 | #ifdef DEBUG_PK |
1407 | RSA_print_fp(stderr(&__sF[2]), ret->rsa, 8); |
1408 | #endif |
1409 | break; |
1410 | case KEY_DSA: |
1411 | DSA_free(ret->dsa); |
1412 | ret->dsa = k->dsa; |
1413 | k->dsa = NULL((void*)0); |
1414 | #ifdef DEBUG_PK |
1415 | DSA_print_fp(stderr(&__sF[2]), ret->dsa, 8); |
1416 | #endif |
1417 | break; |
1418 | case KEY_ECDSA: |
1419 | EC_KEY_free(ret->ecdsa); |
1420 | ret->ecdsa = k->ecdsa; |
1421 | ret->ecdsa_nid = k->ecdsa_nid; |
1422 | k->ecdsa = NULL((void*)0); |
1423 | k->ecdsa_nid = -1; |
1424 | #ifdef DEBUG_PK |
1425 | sshkey_dump_ec_key(ret->ecdsa); |
1426 | #endif |
1427 | break; |
1428 | case KEY_ECDSA_SK: |
1429 | EC_KEY_free(ret->ecdsa); |
1430 | ret->ecdsa = k->ecdsa; |
1431 | ret->ecdsa_nid = k->ecdsa_nid; |
1432 | ret->sk_application = k->sk_application; |
1433 | k->ecdsa = NULL((void*)0); |
1434 | k->ecdsa_nid = -1; |
1435 | k->sk_application = NULL((void*)0); |
1436 | #ifdef DEBUG_PK |
1437 | sshkey_dump_ec_key(ret->ecdsa); |
1438 | fprintf(stderr(&__sF[2]), "App: %s\n", ret->sk_application); |
1439 | #endif |
1440 | break; |
1441 | #endif /* WITH_OPENSSL */ |
1442 | case KEY_ED25519: |
1443 | freezero(ret->ed25519_pk, ED25519_PK_SZ32U); |
1444 | ret->ed25519_pk = k->ed25519_pk; |
1445 | k->ed25519_pk = NULL((void*)0); |
1446 | #ifdef DEBUG_PK |
1447 | /* XXX */ |
1448 | #endif |
1449 | break; |
1450 | case KEY_ED25519_SK: |
1451 | freezero(ret->ed25519_pk, ED25519_PK_SZ32U); |
1452 | ret->ed25519_pk = k->ed25519_pk; |
1453 | ret->sk_application = k->sk_application; |
1454 | k->ed25519_pk = NULL((void*)0); |
1455 | k->sk_application = NULL((void*)0); |
1456 | break; |
1457 | #ifdef WITH_XMSS |
1458 | case KEY_XMSS: |
1459 | free(ret->xmss_pk); |
1460 | ret->xmss_pk = k->xmss_pk; |
1461 | k->xmss_pk = NULL((void*)0); |
1462 | free(ret->xmss_state); |
1463 | ret->xmss_state = k->xmss_state; |
1464 | k->xmss_state = NULL((void*)0); |
1465 | free(ret->xmss_name); |
1466 | ret->xmss_name = k->xmss_name; |
1467 | k->xmss_name = NULL((void*)0); |
1468 | free(ret->xmss_filename); |
1469 | ret->xmss_filename = k->xmss_filename; |
1470 | k->xmss_filename = NULL((void*)0); |
1471 | #ifdef DEBUG_PK |
1472 | /* XXX */ |
1473 | #endif |
1474 | break; |
1475 | #endif /* WITH_XMSS */ |
1476 | default: |
1477 | sshkey_free(k); |
1478 | return SSH_ERR_INTERNAL_ERROR-1; |
1479 | } |
1480 | sshkey_free(k); |
1481 | |
1482 | /* success */ |
1483 | *cpp = cp; |
1484 | return 0; |
1485 | } |
1486 | |
1487 | int |
1488 | sshkey_to_base64(const struct sshkey *key, char **b64p) |
1489 | { |
1490 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1491 | struct sshbuf *b = NULL((void*)0); |
1492 | char *uu = NULL((void*)0); |
1493 | |
1494 | if (b64p != NULL((void*)0)) |
1495 | *b64p = NULL((void*)0); |
1496 | if ((b = sshbuf_new()) == NULL((void*)0)) |
1497 | return SSH_ERR_ALLOC_FAIL-2; |
1498 | if ((r = sshkey_putb(key, b)) != 0) |
1499 | goto out; |
1500 | if ((uu = sshbuf_dtob64_string(b, 0)) == NULL((void*)0)) { |
1501 | r = SSH_ERR_ALLOC_FAIL-2; |
1502 | goto out; |
1503 | } |
1504 | /* Success */ |
1505 | if (b64p != NULL((void*)0)) { |
1506 | *b64p = uu; |
1507 | uu = NULL((void*)0); |
1508 | } |
1509 | r = 0; |
1510 | out: |
1511 | sshbuf_free(b); |
1512 | free(uu); |
1513 | return r; |
1514 | } |
1515 | |
1516 | int |
1517 | sshkey_format_text(const struct sshkey *key, struct sshbuf *b) |
1518 | { |
1519 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1520 | char *uu = NULL((void*)0); |
1521 | |
1522 | if ((r = sshkey_to_base64(key, &uu)) != 0) |
1523 | goto out; |
1524 | if ((r = sshbuf_putf(b, "%s %s", |
1525 | sshkey_ssh_name(key), uu)) != 0) |
1526 | goto out; |
1527 | r = 0; |
1528 | out: |
1529 | free(uu); |
1530 | return r; |
1531 | } |
1532 | |
1533 | int |
1534 | sshkey_write(const struct sshkey *key, FILE *f) |
1535 | { |
1536 | struct sshbuf *b = NULL((void*)0); |
1537 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1538 | |
1539 | if ((b = sshbuf_new()) == NULL((void*)0)) |
1540 | return SSH_ERR_ALLOC_FAIL-2; |
1541 | if ((r = sshkey_format_text(key, b)) != 0) |
1542 | goto out; |
1543 | if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { |
1544 | if (feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f))) |
1545 | errno(*__errno()) = EPIPE32; |
1546 | r = SSH_ERR_SYSTEM_ERROR-24; |
1547 | goto out; |
1548 | } |
1549 | /* Success */ |
1550 | r = 0; |
1551 | out: |
1552 | sshbuf_free(b); |
1553 | return r; |
1554 | } |
1555 | |
1556 | const char * |
1557 | sshkey_cert_type(const struct sshkey *k) |
1558 | { |
1559 | switch (k->cert->type) { |
1560 | case SSH2_CERT_TYPE_USER1: |
1561 | return "user"; |
1562 | case SSH2_CERT_TYPE_HOST2: |
1563 | return "host"; |
1564 | default: |
1565 | return "unknown"; |
1566 | } |
1567 | } |
1568 | |
1569 | #ifdef WITH_OPENSSL1 |
1570 | static int |
1571 | rsa_generate_private_key(u_int bits, RSA **rsap) |
1572 | { |
1573 | RSA *private = NULL((void*)0); |
1574 | BIGNUM *f4 = NULL((void*)0); |
1575 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
1576 | |
1577 | if (rsap == NULL((void*)0)) |
1578 | return SSH_ERR_INVALID_ARGUMENT-10; |
1579 | if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE1024 || |
1580 | bits > SSHBUF_MAX_BIGNUM(16384 / 8) * 8) |
1581 | return SSH_ERR_KEY_LENGTH-56; |
1582 | *rsap = NULL((void*)0); |
1583 | if ((private = RSA_new()) == NULL((void*)0) || (f4 = BN_new()) == NULL((void*)0)) { |
1584 | ret = SSH_ERR_ALLOC_FAIL-2; |
1585 | goto out; |
1586 | } |
1587 | if (!BN_set_word(f4, RSA_F40x10001L) || |
1588 | !RSA_generate_key_ex(private, bits, f4, NULL((void*)0))) { |
1589 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
1590 | goto out; |
1591 | } |
1592 | *rsap = private; |
1593 | private = NULL((void*)0); |
1594 | ret = 0; |
1595 | out: |
1596 | RSA_free(private); |
1597 | BN_free(f4); |
1598 | return ret; |
1599 | } |
1600 | |
1601 | static int |
1602 | dsa_generate_private_key(u_int bits, DSA **dsap) |
1603 | { |
1604 | DSA *private; |
1605 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
1606 | |
1607 | if (dsap == NULL((void*)0)) |
1608 | return SSH_ERR_INVALID_ARGUMENT-10; |
1609 | if (bits != 1024) |
1610 | return SSH_ERR_KEY_LENGTH-56; |
1611 | if ((private = DSA_new()) == NULL((void*)0)) { |
1612 | ret = SSH_ERR_ALLOC_FAIL-2; |
1613 | goto out; |
1614 | } |
1615 | *dsap = NULL((void*)0); |
1616 | if (!DSA_generate_parameters_ex(private, bits, NULL((void*)0), 0, NULL((void*)0), |
1617 | NULL((void*)0), NULL((void*)0)) || !DSA_generate_key(private)) { |
1618 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
1619 | goto out; |
1620 | } |
1621 | *dsap = private; |
1622 | private = NULL((void*)0); |
1623 | ret = 0; |
1624 | out: |
1625 | DSA_free(private); |
1626 | return ret; |
1627 | } |
1628 | |
1629 | int |
1630 | sshkey_ecdsa_key_to_nid(EC_KEY *k) |
1631 | { |
1632 | EC_GROUP *eg; |
1633 | int nids[] = { |
1634 | NID_X9_62_prime256v1415, |
1635 | NID_secp384r1715, |
1636 | NID_secp521r1716, |
1637 | -1 |
1638 | }; |
1639 | int nid; |
1640 | u_int i; |
1641 | const EC_GROUP *g = EC_KEY_get0_group(k); |
1642 | |
1643 | /* |
1644 | * The group may be stored in a ASN.1 encoded private key in one of two |
1645 | * ways: as a "named group", which is reconstituted by ASN.1 object ID |
1646 | * or explicit group parameters encoded into the key blob. Only the |
1647 | * "named group" case sets the group NID for us, but we can figure |
1648 | * it out for the other case by comparing against all the groups that |
1649 | * are supported. |
1650 | */ |
1651 | if ((nid = EC_GROUP_get_curve_name(g)) > 0) |
1652 | return nid; |
1653 | for (i = 0; nids[i] != -1; i++) { |
1654 | if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL((void*)0)) |
1655 | return -1; |
1656 | if (EC_GROUP_cmp(g, eg, NULL((void*)0)) == 0) |
1657 | break; |
1658 | EC_GROUP_free(eg); |
1659 | } |
1660 | if (nids[i] != -1) { |
1661 | /* Use the group with the NID attached */ |
1662 | EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE0x001); |
1663 | if (EC_KEY_set_group(k, eg) != 1) { |
1664 | EC_GROUP_free(eg); |
1665 | return -1; |
1666 | } |
1667 | } |
1668 | return nids[i]; |
1669 | } |
1670 | |
1671 | static int |
1672 | ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) |
1673 | { |
1674 | EC_KEY *private; |
1675 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
1676 | |
1677 | if (nid == NULL((void*)0) || ecdsap == NULL((void*)0)) |
1678 | return SSH_ERR_INVALID_ARGUMENT-10; |
1679 | if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) |
1680 | return SSH_ERR_KEY_LENGTH-56; |
1681 | *ecdsap = NULL((void*)0); |
1682 | if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL((void*)0)) { |
1683 | ret = SSH_ERR_ALLOC_FAIL-2; |
1684 | goto out; |
1685 | } |
1686 | if (EC_KEY_generate_key(private) != 1) { |
1687 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
1688 | goto out; |
1689 | } |
1690 | EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE0x001); |
1691 | *ecdsap = private; |
1692 | private = NULL((void*)0); |
1693 | ret = 0; |
1694 | out: |
1695 | EC_KEY_free(private); |
1696 | return ret; |
1697 | } |
1698 | #endif /* WITH_OPENSSL */ |
1699 | |
1700 | int |
1701 | sshkey_generate(int type, u_int bits, struct sshkey **keyp) |
1702 | { |
1703 | struct sshkey *k; |
1704 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
1705 | |
1706 | if (keyp == NULL((void*)0)) |
1707 | return SSH_ERR_INVALID_ARGUMENT-10; |
1708 | *keyp = NULL((void*)0); |
1709 | if ((k = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) |
1710 | return SSH_ERR_ALLOC_FAIL-2; |
1711 | switch (type) { |
1712 | case KEY_ED25519: |
1713 | if ((k->ed25519_pk = malloc(ED25519_PK_SZ32U)) == NULL((void*)0) || |
1714 | (k->ed25519_sk = malloc(ED25519_SK_SZ64U)) == NULL((void*)0)) { |
1715 | ret = SSH_ERR_ALLOC_FAIL-2; |
1716 | break; |
1717 | } |
1718 | crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); |
1719 | ret = 0; |
1720 | break; |
1721 | #ifdef WITH_XMSS |
1722 | case KEY_XMSS: |
1723 | ret = sshkey_xmss_generate_private_key(k, bits); |
1724 | break; |
1725 | #endif /* WITH_XMSS */ |
1726 | #ifdef WITH_OPENSSL1 |
1727 | case KEY_DSA: |
1728 | ret = dsa_generate_private_key(bits, &k->dsa); |
1729 | break; |
1730 | case KEY_ECDSA: |
1731 | ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid, |
1732 | &k->ecdsa); |
1733 | break; |
1734 | case KEY_RSA: |
1735 | ret = rsa_generate_private_key(bits, &k->rsa); |
1736 | break; |
1737 | #endif /* WITH_OPENSSL */ |
1738 | default: |
1739 | ret = SSH_ERR_INVALID_ARGUMENT-10; |
1740 | } |
1741 | if (ret == 0) { |
1742 | k->type = type; |
1743 | *keyp = k; |
1744 | } else |
1745 | sshkey_free(k); |
1746 | return ret; |
1747 | } |
1748 | |
1749 | int |
1750 | sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) |
1751 | { |
1752 | u_int i; |
1753 | const struct sshkey_cert *from; |
1754 | struct sshkey_cert *to; |
1755 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1756 | |
1757 | if (to_key == NULL((void*)0) || (from = from_key->cert) == NULL((void*)0)) |
1758 | return SSH_ERR_INVALID_ARGUMENT-10; |
1759 | |
1760 | if ((to = cert_new()) == NULL((void*)0)) |
1761 | return SSH_ERR_ALLOC_FAIL-2; |
1762 | |
1763 | if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || |
1764 | (r = sshbuf_putb(to->critical, from->critical)) != 0 || |
1765 | (r = sshbuf_putb(to->extensions, from->extensions)) != 0) |
1766 | goto out; |
1767 | |
1768 | to->serial = from->serial; |
1769 | to->type = from->type; |
1770 | if (from->key_id == NULL((void*)0)) |
1771 | to->key_id = NULL((void*)0); |
1772 | else if ((to->key_id = strdup(from->key_id)) == NULL((void*)0)) { |
1773 | r = SSH_ERR_ALLOC_FAIL-2; |
1774 | goto out; |
1775 | } |
1776 | to->valid_after = from->valid_after; |
1777 | to->valid_before = from->valid_before; |
1778 | if (from->signature_key == NULL((void*)0)) |
1779 | to->signature_key = NULL((void*)0); |
1780 | else if ((r = sshkey_from_private(from->signature_key, |
1781 | &to->signature_key)) != 0) |
1782 | goto out; |
1783 | if (from->signature_type != NULL((void*)0) && |
1784 | (to->signature_type = strdup(from->signature_type)) == NULL((void*)0)) { |
1785 | r = SSH_ERR_ALLOC_FAIL-2; |
1786 | goto out; |
1787 | } |
1788 | if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS256) { |
1789 | r = SSH_ERR_INVALID_ARGUMENT-10; |
1790 | goto out; |
1791 | } |
1792 | if (from->nprincipals > 0) { |
1793 | if ((to->principals = calloc(from->nprincipals, |
1794 | sizeof(*to->principals))) == NULL((void*)0)) { |
1795 | r = SSH_ERR_ALLOC_FAIL-2; |
1796 | goto out; |
1797 | } |
1798 | for (i = 0; i < from->nprincipals; i++) { |
1799 | to->principals[i] = strdup(from->principals[i]); |
1800 | if (to->principals[i] == NULL((void*)0)) { |
1801 | to->nprincipals = i; |
1802 | r = SSH_ERR_ALLOC_FAIL-2; |
1803 | goto out; |
1804 | } |
1805 | } |
1806 | } |
1807 | to->nprincipals = from->nprincipals; |
1808 | |
1809 | /* success */ |
1810 | cert_free(to_key->cert); |
1811 | to_key->cert = to; |
1812 | to = NULL((void*)0); |
1813 | r = 0; |
1814 | out: |
1815 | cert_free(to); |
1816 | return r; |
1817 | } |
1818 | |
1819 | int |
1820 | sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) |
1821 | { |
1822 | struct sshkey *n = NULL((void*)0); |
1823 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1824 | #ifdef WITH_OPENSSL1 |
1825 | const BIGNUM *rsa_n, *rsa_e; |
1826 | BIGNUM *rsa_n_dup = NULL((void*)0), *rsa_e_dup = NULL((void*)0); |
1827 | const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; |
1828 | BIGNUM *dsa_p_dup = NULL((void*)0), *dsa_q_dup = NULL((void*)0), *dsa_g_dup = NULL((void*)0); |
1829 | BIGNUM *dsa_pub_key_dup = NULL((void*)0); |
1830 | #endif /* WITH_OPENSSL */ |
1831 | |
1832 | *pkp = NULL((void*)0); |
1833 | if ((n = sshkey_new(k->type)) == NULL((void*)0)) { |
1834 | r = SSH_ERR_ALLOC_FAIL-2; |
1835 | goto out; |
1836 | } |
1837 | switch (k->type) { |
1838 | #ifdef WITH_OPENSSL1 |
1839 | case KEY_DSA: |
1840 | case KEY_DSA_CERT: |
1841 | DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); |
1842 | DSA_get0_key(k->dsa, &dsa_pub_key, NULL((void*)0)); |
1843 | if ((dsa_p_dup = BN_dup(dsa_p)) == NULL((void*)0) || |
1844 | (dsa_q_dup = BN_dup(dsa_q)) == NULL((void*)0) || |
1845 | (dsa_g_dup = BN_dup(dsa_g)) == NULL((void*)0) || |
1846 | (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL((void*)0)) { |
1847 | r = SSH_ERR_ALLOC_FAIL-2; |
1848 | goto out; |
1849 | } |
1850 | if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) { |
1851 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
1852 | goto out; |
1853 | } |
1854 | dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL((void*)0); /* transferred */ |
1855 | if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL((void*)0))) { |
1856 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
1857 | goto out; |
1858 | } |
1859 | dsa_pub_key_dup = NULL((void*)0); /* transferred */ |
1860 | |
1861 | break; |
1862 | case KEY_ECDSA: |
1863 | case KEY_ECDSA_CERT: |
1864 | case KEY_ECDSA_SK: |
1865 | case KEY_ECDSA_SK_CERT: |
1866 | n->ecdsa_nid = k->ecdsa_nid; |
1867 | n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); |
1868 | if (n->ecdsa == NULL((void*)0)) { |
1869 | r = SSH_ERR_ALLOC_FAIL-2; |
1870 | goto out; |
1871 | } |
1872 | if (EC_KEY_set_public_key(n->ecdsa, |
1873 | EC_KEY_get0_public_key(k->ecdsa)) != 1) { |
1874 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
1875 | goto out; |
1876 | } |
1877 | if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT) |
1878 | break; |
1879 | /* Append security-key application string */ |
1880 | if ((n->sk_application = strdup(k->sk_application)) == NULL((void*)0)) |
1881 | goto out; |
1882 | break; |
1883 | case KEY_RSA: |
1884 | case KEY_RSA_CERT: |
1885 | RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL((void*)0)); |
1886 | if ((rsa_n_dup = BN_dup(rsa_n)) == NULL((void*)0) || |
1887 | (rsa_e_dup = BN_dup(rsa_e)) == NULL((void*)0)) { |
1888 | r = SSH_ERR_ALLOC_FAIL-2; |
1889 | goto out; |
1890 | } |
1891 | if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL((void*)0))) { |
1892 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
1893 | goto out; |
1894 | } |
1895 | rsa_n_dup = rsa_e_dup = NULL((void*)0); /* transferred */ |
1896 | break; |
1897 | #endif /* WITH_OPENSSL */ |
1898 | case KEY_ED25519: |
1899 | case KEY_ED25519_CERT: |
1900 | case KEY_ED25519_SK: |
1901 | case KEY_ED25519_SK_CERT: |
1902 | if (k->ed25519_pk != NULL((void*)0)) { |
1903 | if ((n->ed25519_pk = malloc(ED25519_PK_SZ32U)) == NULL((void*)0)) { |
1904 | r = SSH_ERR_ALLOC_FAIL-2; |
1905 | goto out; |
1906 | } |
1907 | memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ32U); |
1908 | } |
1909 | if (k->type != KEY_ED25519_SK && |
1910 | k->type != KEY_ED25519_SK_CERT) |
1911 | break; |
1912 | /* Append security-key application string */ |
1913 | if ((n->sk_application = strdup(k->sk_application)) == NULL((void*)0)) |
1914 | goto out; |
1915 | break; |
1916 | #ifdef WITH_XMSS |
1917 | case KEY_XMSS: |
1918 | case KEY_XMSS_CERT: |
1919 | if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0) |
1920 | goto out; |
1921 | if (k->xmss_pk != NULL((void*)0)) { |
1922 | u_int32_t left; |
1923 | size_t pklen = sshkey_xmss_pklen(k); |
1924 | if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) { |
1925 | r = SSH_ERR_INTERNAL_ERROR-1; |
1926 | goto out; |
1927 | } |
1928 | if ((n->xmss_pk = malloc(pklen)) == NULL((void*)0)) { |
1929 | r = SSH_ERR_ALLOC_FAIL-2; |
1930 | goto out; |
1931 | } |
1932 | memcpy(n->xmss_pk, k->xmss_pk, pklen); |
1933 | /* simulate number of signatures left on pubkey */ |
1934 | left = sshkey_xmss_signatures_left(k); |
1935 | if (left) |
1936 | sshkey_xmss_enable_maxsign(n, left); |
1937 | } |
1938 | break; |
1939 | #endif /* WITH_XMSS */ |
1940 | default: |
1941 | r = SSH_ERR_KEY_TYPE_UNKNOWN-14; |
1942 | goto out; |
1943 | } |
1944 | if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) |
1945 | goto out; |
1946 | /* success */ |
1947 | *pkp = n; |
1948 | n = NULL((void*)0); |
1949 | r = 0; |
1950 | out: |
1951 | sshkey_free(n); |
1952 | #ifdef WITH_OPENSSL1 |
1953 | BN_clear_free(rsa_n_dup); |
1954 | BN_clear_free(rsa_e_dup); |
1955 | BN_clear_free(dsa_p_dup); |
1956 | BN_clear_free(dsa_q_dup); |
1957 | BN_clear_free(dsa_g_dup); |
1958 | BN_clear_free(dsa_pub_key_dup); |
1959 | #endif /* WITH_OPENSSL */ |
1960 | |
1961 | return r; |
1962 | } |
1963 | |
1964 | int |
1965 | sshkey_is_shielded(struct sshkey *k) |
1966 | { |
1967 | return k != NULL((void*)0) && k->shielded_private != NULL((void*)0); |
1968 | } |
1969 | |
1970 | int |
1971 | sshkey_shield_private(struct sshkey *k) |
1972 | { |
1973 | struct sshbuf *prvbuf = NULL((void*)0); |
1974 | u_char *prekey = NULL((void*)0), *enc = NULL((void*)0), keyiv[SSH_DIGEST_MAX_LENGTH64]; |
1975 | struct sshcipher_ctx *cctx = NULL((void*)0); |
1976 | const struct sshcipher *cipher; |
1977 | size_t i, enclen = 0; |
1978 | struct sshkey *kswap = NULL((void*)0), tmp; |
1979 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1980 | |
1981 | #ifdef DEBUG_PK |
1982 | fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); |
1983 | #endif |
1984 | if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void*)0)) { |
1985 | r = SSH_ERR_INVALID_ARGUMENT-10; |
1986 | goto out; |
1987 | } |
1988 | if (cipher_keylen(cipher) + cipher_ivlen(cipher) > |
1989 | ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) { |
1990 | r = SSH_ERR_INTERNAL_ERROR-1; |
1991 | goto out; |
1992 | } |
1993 | |
1994 | /* Prepare a random pre-key, and from it an ephemeral key */ |
1995 | if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN(16 * 1024))) == NULL((void*)0)) { |
1996 | r = SSH_ERR_ALLOC_FAIL-2; |
1997 | goto out; |
1998 | } |
1999 | arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024)); |
2000 | if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4, |
2001 | prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024), |
2002 | keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0) |
2003 | goto out; |
2004 | #ifdef DEBUG_PK |
2005 | fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__); |
2006 | sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4), |
2007 | stderr(&__sF[2])); |
2008 | #endif |
2009 | if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), |
2010 | keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) |
2011 | goto out; |
2012 | |
2013 | /* Serialise and encrypt the private key using the ephemeral key */ |
2014 | if ((prvbuf = sshbuf_new()) == NULL((void*)0)) { |
2015 | r = SSH_ERR_ALLOC_FAIL-2; |
2016 | goto out; |
2017 | } |
2018 | if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) |
2019 | goto out; |
2020 | if ((r = sshkey_private_serialize_opt(k, prvbuf, |
2021 | SSHKEY_SERIALIZE_SHIELD)) != 0) |
2022 | goto out; |
2023 | /* pad to cipher blocksize */ |
2024 | i = 0; |
2025 | while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { |
2026 | if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) |
2027 | goto out; |
2028 | } |
2029 | #ifdef DEBUG_PK |
2030 | fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__); |
2031 | sshbuf_dump(prvbuf, stderr(&__sF[2])); |
2032 | #endif |
2033 | /* encrypt */ |
2034 | enclen = sshbuf_len(prvbuf); |
2035 | if ((enc = malloc(enclen)) == NULL((void*)0)) { |
2036 | r = SSH_ERR_ALLOC_FAIL-2; |
2037 | goto out; |
2038 | } |
2039 | if ((r = cipher_crypt(cctx, 0, enc, |
2040 | sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) |
2041 | goto out; |
2042 | #ifdef DEBUG_PK |
2043 | fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__); |
2044 | sshbuf_dump_data(enc, enclen, stderr(&__sF[2])); |
2045 | #endif |
2046 | |
2047 | /* Make a scrubbed, public-only copy of our private key argument */ |
2048 | if ((r = sshkey_from_private(k, &kswap)) != 0) |
2049 | goto out; |
2050 | |
2051 | /* Swap the private key out (it will be destroyed below) */ |
2052 | tmp = *kswap; |
2053 | *kswap = *k; |
2054 | *k = tmp; |
2055 | |
2056 | /* Insert the shielded key into our argument */ |
2057 | k->shielded_private = enc; |
2058 | k->shielded_len = enclen; |
2059 | k->shield_prekey = prekey; |
2060 | k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN(16 * 1024); |
2061 | enc = prekey = NULL((void*)0); /* transferred */ |
2062 | enclen = 0; |
2063 | |
2064 | /* preserve key fields that are required for correct operation */ |
2065 | k->sk_flags = kswap->sk_flags; |
2066 | |
2067 | /* success */ |
2068 | r = 0; |
2069 | |
2070 | out: |
2071 | /* XXX behaviour on error - invalidate original private key? */ |
2072 | cipher_free(cctx); |
2073 | explicit_bzero(keyiv, sizeof(keyiv)); |
2074 | explicit_bzero(&tmp, sizeof(tmp)); |
2075 | freezero(enc, enclen); |
2076 | freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024)); |
2077 | sshkey_free(kswap); |
2078 | sshbuf_free(prvbuf); |
2079 | return r; |
2080 | } |
2081 | |
2082 | int |
2083 | sshkey_unshield_private(struct sshkey *k) |
2084 | { |
2085 | struct sshbuf *prvbuf = NULL((void*)0); |
2086 | u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH64]; |
2087 | struct sshcipher_ctx *cctx = NULL((void*)0); |
2088 | const struct sshcipher *cipher; |
2089 | size_t i; |
2090 | struct sshkey *kswap = NULL((void*)0), tmp; |
2091 | int r = SSH_ERR_INTERNAL_ERROR-1; |
2092 | |
2093 | #ifdef DEBUG_PK |
2094 | fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); |
2095 | #endif |
2096 | if (!sshkey_is_shielded(k)) |
2097 | return 0; /* nothing to do */ |
2098 | |
2099 | if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void*)0)) { |
2100 | r = SSH_ERR_INVALID_ARGUMENT-10; |
2101 | goto out; |
2102 | } |
2103 | if (cipher_keylen(cipher) + cipher_ivlen(cipher) > |
2104 | ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) { |
2105 | r = SSH_ERR_INTERNAL_ERROR-1; |
2106 | goto out; |
2107 | } |
2108 | /* check size of shielded key blob */ |
2109 | if (k->shielded_len < cipher_blocksize(cipher) || |
2110 | (k->shielded_len % cipher_blocksize(cipher)) != 0) { |
2111 | r = SSH_ERR_INVALID_FORMAT-4; |
2112 | goto out; |
2113 | } |
2114 | |
2115 | /* Calculate the ephemeral key from the prekey */ |
2116 | if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4, |
2117 | k->shield_prekey, k->shield_prekey_len, |
2118 | keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0) |
2119 | goto out; |
2120 | if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), |
2121 | keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) |
2122 | goto out; |
2123 | #ifdef DEBUG_PK |
2124 | fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__); |
2125 | sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4), |
2126 | stderr(&__sF[2])); |
2127 | #endif |
2128 | |
2129 | /* Decrypt and parse the shielded private key using the ephemeral key */ |
2130 | if ((prvbuf = sshbuf_new()) == NULL((void*)0)) { |
2131 | r = SSH_ERR_ALLOC_FAIL-2; |
2132 | goto out; |
2133 | } |
2134 | if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) |
2135 | goto out; |
2136 | /* decrypt */ |
2137 | #ifdef DEBUG_PK |
2138 | fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__); |
2139 | sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr(&__sF[2])); |
2140 | #endif |
2141 | if ((r = cipher_crypt(cctx, 0, cp, |
2142 | k->shielded_private, k->shielded_len, 0, 0)) != 0) |
2143 | goto out; |
2144 | #ifdef DEBUG_PK |
2145 | fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__); |
2146 | sshbuf_dump(prvbuf, stderr(&__sF[2])); |
2147 | #endif |
2148 | /* Parse private key */ |
2149 | if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) |
2150 | goto out; |
2151 | /* Check deterministic padding */ |
2152 | i = 0; |
2153 | while (sshbuf_len(prvbuf)) { |
2154 | if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0) |
2155 | goto out; |
2156 | if (pad != (++i & 0xff)) { |
2157 | r = SSH_ERR_INVALID_FORMAT-4; |
2158 | goto out; |
2159 | } |
2160 | } |
2161 | |
2162 | /* Swap the parsed key back into place */ |
2163 | tmp = *kswap; |
2164 | *kswap = *k; |
2165 | *k = tmp; |
2166 | |
2167 | /* success */ |
2168 | r = 0; |
2169 | |
2170 | out: |
2171 | cipher_free(cctx); |
2172 | explicit_bzero(keyiv, sizeof(keyiv)); |
2173 | explicit_bzero(&tmp, sizeof(tmp)); |
2174 | sshkey_free(kswap); |
2175 | sshbuf_free(prvbuf); |
2176 | return r; |
2177 | } |
2178 | |
2179 | static int |
2180 | cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) |
2181 | { |
2182 | struct sshbuf *principals = NULL((void*)0), *crit = NULL((void*)0); |
2183 | struct sshbuf *exts = NULL((void*)0), *ca = NULL((void*)0); |
2184 | u_char *sig = NULL((void*)0); |
2185 | size_t signed_len = 0, slen = 0, kidlen = 0; |
2186 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
2187 | |
2188 | /* Copy the entire key blob for verification and later serialisation */ |
2189 | if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) |
2190 | return ret; |
2191 | |
2192 | /* Parse body of certificate up to signature */ |
2193 | if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || |
2194 | (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || |
2195 | (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || |
Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret' | |
2196 | (ret = sshbuf_froms(b, &principals)) != 0 || |
2197 | (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || |
2198 | (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || |
2199 | (ret = sshbuf_froms(b, &crit)) != 0 || |
2200 | (ret = sshbuf_froms(b, &exts)) != 0 || |
2201 | (ret = sshbuf_get_string_direct(b, NULL((void*)0), NULL((void*)0))) != 0 || |
2202 | (ret = sshbuf_froms(b, &ca)) != 0) { |
2203 | /* XXX debug print error for ret */ |
2204 | ret = SSH_ERR_INVALID_FORMAT-4; |
2205 | goto out; |
2206 | } |
2207 | |
2208 | /* Signature is left in the buffer so we can calculate this length */ |
2209 | signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); |
2210 | |
2211 | if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { |
2212 | ret = SSH_ERR_INVALID_FORMAT-4; |
2213 | goto out; |
2214 | } |
2215 | |
2216 | if (key->cert->type != SSH2_CERT_TYPE_USER1 && |
2217 | key->cert->type != SSH2_CERT_TYPE_HOST2) { |
2218 | ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE-18; |
2219 | goto out; |
2220 | } |
2221 | |
2222 | /* Parse principals section */ |
2223 | while (sshbuf_len(principals) > 0) { |
2224 | char *principal = NULL((void*)0); |
2225 | char **oprincipals = NULL((void*)0); |
2226 | |
2227 | if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS256) { |
2228 | ret = SSH_ERR_INVALID_FORMAT-4; |
2229 | goto out; |
2230 | } |
2231 | if ((ret = sshbuf_get_cstring(principals, &principal, |
2232 | NULL((void*)0))) != 0) { |
2233 | ret = SSH_ERR_INVALID_FORMAT-4; |
2234 | goto out; |
2235 | } |
2236 | oprincipals = key->cert->principals; |
2237 | key->cert->principals = recallocarray(key->cert->principals, |
2238 | key->cert->nprincipals, key->cert->nprincipals + 1, |
2239 | sizeof(*key->cert->principals)); |
2240 | if (key->cert->principals == NULL((void*)0)) { |
2241 | free(principal); |
2242 | key->cert->principals = oprincipals; |
2243 | ret = SSH_ERR_ALLOC_FAIL-2; |
2244 | goto out; |
2245 | } |
2246 | key->cert->principals[key->cert->nprincipals++] = principal; |
2247 | } |
2248 | |
2249 | /* |
2250 | * Stash a copies of the critical options and extensions sections |
2251 | * for later use. |
2252 | */ |
2253 | if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || |
2254 | (exts != NULL((void*)0) && |
2255 | (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) |
2256 | goto out; |
2257 | |
2258 | /* |
2259 | * Validate critical options and extensions sections format. |
2260 | */ |
2261 | while (sshbuf_len(crit) != 0) { |
2262 | if ((ret = sshbuf_get_string_direct(crit, NULL((void*)0), NULL((void*)0))) != 0 || |
2263 | (ret = sshbuf_get_string_direct(crit, NULL((void*)0), NULL((void*)0))) != 0) { |
2264 | sshbuf_reset(key->cert->critical); |
2265 | ret = SSH_ERR_INVALID_FORMAT-4; |
2266 | goto out; |
2267 | } |
2268 | } |
2269 | while (exts != NULL((void*)0) && sshbuf_len(exts) != 0) { |
2270 | if ((ret = sshbuf_get_string_direct(exts, NULL((void*)0), NULL((void*)0))) != 0 || |
2271 | (ret = sshbuf_get_string_direct(exts, NULL((void*)0), NULL((void*)0))) != 0) { |
2272 | sshbuf_reset(key->cert->extensions); |
2273 | ret = SSH_ERR_INVALID_FORMAT-4; |
2274 | goto out; |
2275 | } |
2276 | } |
2277 | |
2278 | /* Parse CA key and check signature */ |
2279 | if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { |
2280 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2281 | goto out; |
2282 | } |
2283 | if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { |
2284 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2285 | goto out; |
2286 | } |
2287 | if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, |
2288 | sshbuf_ptr(key->cert->certblob), signed_len, NULL((void*)0), 0, NULL((void*)0))) != 0) |
2289 | goto out; |
2290 | if ((ret = sshkey_get_sigtype(sig, slen, |
2291 | &key->cert->signature_type)) != 0) |
2292 | goto out; |
2293 | |
2294 | /* Success */ |
2295 | ret = 0; |
2296 | out: |
2297 | sshbuf_free(ca); |
2298 | sshbuf_free(crit); |
2299 | sshbuf_free(exts); |
2300 | sshbuf_free(principals); |
2301 | free(sig); |
2302 | return ret; |
2303 | } |
2304 | |
2305 | #ifdef WITH_OPENSSL1 |
2306 | static int |
2307 | check_rsa_length(const RSA *rsa) |
2308 | { |
2309 | const BIGNUM *rsa_n; |
2310 | |
2311 | RSA_get0_key(rsa, &rsa_n, NULL((void*)0), NULL((void*)0)); |
2312 | if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE1024) |
2313 | return SSH_ERR_KEY_LENGTH-56; |
2314 | return 0; |
2315 | } |
2316 | #endif /* WITH_OPENSSL */ |
2317 | |
2318 | static int |
2319 | sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, |
2320 | int allow_cert) |
2321 | { |
2322 | int type, ret = SSH_ERR_INTERNAL_ERROR-1; |
2323 | char *ktype = NULL((void*)0), *curve = NULL((void*)0), *xmss_name = NULL((void*)0); |
2324 | struct sshkey *key = NULL((void*)0); |
2325 | size_t len; |
2326 | u_char *pk = NULL((void*)0); |
2327 | struct sshbuf *copy; |
2328 | #ifdef WITH_OPENSSL1 |
2329 | EC_POINT *q = NULL((void*)0); |
2330 | BIGNUM *rsa_n = NULL((void*)0), *rsa_e = NULL((void*)0); |
2331 | BIGNUM *dsa_p = NULL((void*)0), *dsa_q = NULL((void*)0), *dsa_g = NULL((void*)0), *dsa_pub_key = NULL((void*)0); |
2332 | #endif /* WITH_OPENSSL */ |
2333 | |
2334 | #ifdef DEBUG_PK /* XXX */ |
2335 | sshbuf_dump(b, stderr(&__sF[2])); |
2336 | #endif |
2337 | if (keyp != NULL((void*)0)) |
2338 | *keyp = NULL((void*)0); |
2339 | if ((copy = sshbuf_fromb(b)) == NULL((void*)0)) { |
2340 | ret = SSH_ERR_ALLOC_FAIL-2; |
2341 | goto out; |
2342 | } |
2343 | if (sshbuf_get_cstring(b, &ktype, NULL((void*)0)) != 0) { |
2344 | ret = SSH_ERR_INVALID_FORMAT-4; |
2345 | goto out; |
2346 | } |
2347 | |
2348 | type = sshkey_type_from_name(ktype); |
2349 | if (!allow_cert && sshkey_type_is_cert(type)) { |
2350 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2351 | goto out; |
2352 | } |
2353 | switch (type) { |
2354 | #ifdef WITH_OPENSSL1 |
2355 | case KEY_RSA_CERT: |
2356 | /* Skip nonce */ |
2357 | if (sshbuf_get_string_direct(b, NULL((void*)0), NULL((void*)0)) != 0) { |
2358 | ret = SSH_ERR_INVALID_FORMAT-4; |
2359 | goto out; |
2360 | } |
2361 | /* FALLTHROUGH */ |
2362 | case KEY_RSA: |
2363 | if ((key = sshkey_new(type)) == NULL((void*)0)) { |
2364 | ret = SSH_ERR_ALLOC_FAIL-2; |
2365 | goto out; |
2366 | } |
2367 | if (sshbuf_get_bignum2(b, &rsa_e) != 0 || |
2368 | sshbuf_get_bignum2(b, &rsa_n) != 0) { |
2369 | ret = SSH_ERR_INVALID_FORMAT-4; |
2370 | goto out; |
2371 | } |
2372 | if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL((void*)0))) { |
2373 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2374 | goto out; |
2375 | } |
2376 | rsa_n = rsa_e = NULL((void*)0); /* transferred */ |
2377 | if ((ret = check_rsa_length(key->rsa)) != 0) |
2378 | goto out; |
2379 | #ifdef DEBUG_PK |
2380 | RSA_print_fp(stderr(&__sF[2]), key->rsa, 8); |
2381 | #endif |
2382 | break; |
2383 | case KEY_DSA_CERT: |
2384 | /* Skip nonce */ |
2385 | if (sshbuf_get_string_direct(b, NULL((void*)0), NULL((void*)0)) != 0) { |
2386 | ret = SSH_ERR_INVALID_FORMAT-4; |
2387 | goto out; |
2388 | } |
2389 | /* FALLTHROUGH */ |
2390 | case KEY_DSA: |
2391 | if ((key = sshkey_new(type)) == NULL((void*)0)) { |
2392 | ret = SSH_ERR_ALLOC_FAIL-2; |
2393 | goto out; |
2394 | } |
2395 | if (sshbuf_get_bignum2(b, &dsa_p) != 0 || |
2396 | sshbuf_get_bignum2(b, &dsa_q) != 0 || |
2397 | sshbuf_get_bignum2(b, &dsa_g) != 0 || |
2398 | sshbuf_get_bignum2(b, &dsa_pub_key) != 0) { |
2399 | ret = SSH_ERR_INVALID_FORMAT-4; |
2400 | goto out; |
2401 | } |
2402 | if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) { |
2403 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2404 | goto out; |
2405 | } |
2406 | dsa_p = dsa_q = dsa_g = NULL((void*)0); /* transferred */ |
2407 | if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL((void*)0))) { |
2408 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2409 | goto out; |
2410 | } |
2411 | dsa_pub_key = NULL((void*)0); /* transferred */ |
2412 | #ifdef DEBUG_PK |
2413 | DSA_print_fp(stderr(&__sF[2]), key->dsa, 8); |
2414 | #endif |
2415 | break; |
2416 | case KEY_ECDSA_CERT: |
2417 | case KEY_ECDSA_SK_CERT: |
2418 | /* Skip nonce */ |
2419 | if (sshbuf_get_string_direct(b, NULL((void*)0), NULL((void*)0)) != 0) { |
2420 | ret = SSH_ERR_INVALID_FORMAT-4; |
2421 | goto out; |
2422 | } |
2423 | /* FALLTHROUGH */ |
2424 | case KEY_ECDSA: |
2425 | case KEY_ECDSA_SK: |
2426 | if ((key = sshkey_new(type)) == NULL((void*)0)) { |
2427 | ret = SSH_ERR_ALLOC_FAIL-2; |
2428 | goto out; |
2429 | } |
2430 | key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype); |
2431 | if (sshbuf_get_cstring(b, &curve, NULL((void*)0)) != 0) { |
2432 | ret = SSH_ERR_INVALID_FORMAT-4; |
2433 | goto out; |
2434 | } |
2435 | if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { |
2436 | ret = SSH_ERR_EC_CURVE_MISMATCH-15; |
2437 | goto out; |
2438 | } |
2439 | EC_KEY_free(key->ecdsa); |
2440 | if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) |
2441 | == NULL((void*)0)) { |
2442 | ret = SSH_ERR_EC_CURVE_INVALID-12; |
2443 | goto out; |
2444 | } |
2445 | if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL((void*)0)) { |
2446 | ret = SSH_ERR_ALLOC_FAIL-2; |
2447 | goto out; |
2448 | } |
2449 | if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) { |
2450 | ret = SSH_ERR_INVALID_FORMAT-4; |
2451 | goto out; |
2452 | } |
2453 | if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa), |
2454 | q) != 0) { |
2455 | ret = SSH_ERR_KEY_INVALID_EC_VALUE-20; |
2456 | goto out; |
2457 | } |
2458 | if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { |
2459 | /* XXX assume it is a allocation error */ |
2460 | ret = SSH_ERR_ALLOC_FAIL-2; |
2461 | goto out; |
2462 | } |
2463 | #ifdef DEBUG_PK |
2464 | sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); |
2465 | #endif |
2466 | if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) { |
2467 | /* Parse additional security-key application string */ |
2468 | if (sshbuf_get_cstring(b, &key->sk_application, |
2469 | NULL((void*)0)) != 0) { |
2470 | ret = SSH_ERR_INVALID_FORMAT-4; |
2471 | goto out; |
2472 | } |
2473 | #ifdef DEBUG_PK |
2474 | fprintf(stderr(&__sF[2]), "App: %s\n", key->sk_application); |
2475 | #endif |
2476 | } |
2477 | break; |
2478 | #endif /* WITH_OPENSSL */ |
2479 | case KEY_ED25519_CERT: |
2480 | case KEY_ED25519_SK_CERT: |
2481 | /* Skip nonce */ |
2482 | if (sshbuf_get_string_direct(b, NULL((void*)0), NULL((void*)0)) != 0) { |
2483 | ret = SSH_ERR_INVALID_FORMAT-4; |
2484 | goto out; |
2485 | } |
2486 | /* FALLTHROUGH */ |
2487 | case KEY_ED25519: |
2488 | case KEY_ED25519_SK: |
2489 | if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) |
2490 | goto out; |
2491 | if (len != ED25519_PK_SZ32U) { |
2492 | ret = SSH_ERR_INVALID_FORMAT-4; |
2493 | goto out; |
2494 | } |
2495 | if ((key = sshkey_new(type)) == NULL((void*)0)) { |
2496 | ret = SSH_ERR_ALLOC_FAIL-2; |
2497 | goto out; |
2498 | } |
2499 | if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) { |
2500 | /* Parse additional security-key application string */ |
2501 | if (sshbuf_get_cstring(b, &key->sk_application, |
2502 | NULL((void*)0)) != 0) { |
2503 | ret = SSH_ERR_INVALID_FORMAT-4; |
2504 | goto out; |
2505 | } |
2506 | #ifdef DEBUG_PK |
2507 | fprintf(stderr(&__sF[2]), "App: %s\n", key->sk_application); |
2508 | #endif |
2509 | } |
2510 | key->ed25519_pk = pk; |
2511 | pk = NULL((void*)0); |
2512 | break; |
2513 | #ifdef WITH_XMSS |
2514 | case KEY_XMSS_CERT: |
2515 | /* Skip nonce */ |
2516 | if (sshbuf_get_string_direct(b, NULL((void*)0), NULL((void*)0)) != 0) { |
2517 | ret = SSH_ERR_INVALID_FORMAT-4; |
2518 | goto out; |
2519 | } |
2520 | /* FALLTHROUGH */ |
2521 | case KEY_XMSS: |
2522 | if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL((void*)0))) != 0) |
2523 | goto out; |
2524 | if ((key = sshkey_new(type)) == NULL((void*)0)) { |
2525 | ret = SSH_ERR_ALLOC_FAIL-2; |
2526 | goto out; |
2527 | } |
2528 | if ((ret = sshkey_xmss_init(key, xmss_name)) != 0) |
2529 | goto out; |
2530 | if ((ret = sshbuf_get_string(b, &pk, &len)) != 0) |
2531 | goto out; |
2532 | if (len == 0 || len != sshkey_xmss_pklen(key)) { |
2533 | ret = SSH_ERR_INVALID_FORMAT-4; |
2534 | goto out; |
2535 | } |
2536 | key->xmss_pk = pk; |
2537 | pk = NULL((void*)0); |
2538 | if (type != KEY_XMSS_CERT && |
2539 | (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0) |
2540 | goto out; |
2541 | break; |
2542 | #endif /* WITH_XMSS */ |
2543 | case KEY_UNSPEC: |
2544 | default: |
2545 | ret = SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2546 | goto out; |
2547 | } |
2548 | |
2549 | /* Parse certificate potion */ |
2550 | if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) |
2551 | goto out; |
2552 | |
2553 | if (key != NULL((void*)0) && sshbuf_len(b) != 0) { |
2554 | ret = SSH_ERR_INVALID_FORMAT-4; |
2555 | goto out; |
2556 | } |
2557 | ret = 0; |
2558 | if (keyp != NULL((void*)0)) { |
2559 | *keyp = key; |
2560 | key = NULL((void*)0); |
2561 | } |
2562 | out: |
2563 | sshbuf_free(copy); |
2564 | sshkey_free(key); |
2565 | free(xmss_name); |
2566 | free(ktype); |
2567 | free(curve); |
2568 | free(pk); |
2569 | #ifdef WITH_OPENSSL1 |
2570 | EC_POINT_free(q); |
2571 | BN_clear_free(rsa_n); |
2572 | BN_clear_free(rsa_e); |
2573 | BN_clear_free(dsa_p); |
2574 | BN_clear_free(dsa_q); |
2575 | BN_clear_free(dsa_g); |
2576 | BN_clear_free(dsa_pub_key); |
2577 | #endif /* WITH_OPENSSL */ |
2578 | return ret; |
2579 | } |
2580 | |
2581 | int |
2582 | sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) |
2583 | { |
2584 | struct sshbuf *b; |
2585 | int r; |
2586 | |
2587 | if ((b = sshbuf_from(blob, blen)) == NULL((void*)0)) |
2588 | return SSH_ERR_ALLOC_FAIL-2; |
2589 | r = sshkey_from_blob_internal(b, keyp, 1); |
2590 | sshbuf_free(b); |
2591 | return r; |
2592 | } |
2593 | |
2594 | int |
2595 | sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) |
2596 | { |
2597 | return sshkey_from_blob_internal(b, keyp, 1); |
2598 | } |
2599 | |
2600 | int |
2601 | sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) |
2602 | { |
2603 | struct sshbuf *b; |
2604 | int r; |
2605 | |
2606 | if ((r = sshbuf_froms(buf, &b)) != 0) |
2607 | return r; |
2608 | r = sshkey_from_blob_internal(b, keyp, 1); |
2609 | sshbuf_free(b); |
2610 | return r; |
2611 | } |
2612 | |
2613 | int |
2614 | sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) |
2615 | { |
2616 | int r; |
2617 | struct sshbuf *b = NULL((void*)0); |
2618 | char *sigtype = NULL((void*)0); |
2619 | |
2620 | if (sigtypep != NULL((void*)0)) |
2621 | *sigtypep = NULL((void*)0); |
2622 | if ((b = sshbuf_from(sig, siglen)) == NULL((void*)0)) |
2623 | return SSH_ERR_ALLOC_FAIL-2; |
2624 | if ((r = sshbuf_get_cstring(b, &sigtype, NULL((void*)0))) != 0) |
2625 | goto out; |
2626 | /* success */ |
2627 | if (sigtypep != NULL((void*)0)) { |
2628 | *sigtypep = sigtype; |
2629 | sigtype = NULL((void*)0); |
2630 | } |
2631 | r = 0; |
2632 | out: |
2633 | free(sigtype); |
2634 | sshbuf_free(b); |
2635 | return r; |
2636 | } |
2637 | |
2638 | /* |
2639 | * |
2640 | * Checks whether a certificate's signature type is allowed. |
2641 | * Returns 0 (success) if the certificate signature type appears in the |
2642 | * "allowed" pattern-list, or the key is not a certificate to begin with. |
2643 | * Otherwise returns a ssherr.h code. |
2644 | */ |
2645 | int |
2646 | sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) |
2647 | { |
2648 | if (key == NULL((void*)0) || allowed == NULL((void*)0)) |
2649 | return SSH_ERR_INVALID_ARGUMENT-10; |
2650 | if (!sshkey_type_is_cert(key->type)) |
2651 | return 0; |
2652 | if (key->cert == NULL((void*)0) || key->cert->signature_type == NULL((void*)0)) |
2653 | return SSH_ERR_INVALID_ARGUMENT-10; |
2654 | if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) |
2655 | return SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
2656 | return 0; |
2657 | } |
2658 | |
2659 | /* |
2660 | * Returns the expected signature algorithm for a given public key algorithm. |
2661 | */ |
2662 | const char * |
2663 | sshkey_sigalg_by_name(const char *name) |
2664 | { |
2665 | const struct keytype *kt; |
2666 | |
2667 | for (kt = keytypes; kt->type != -1; kt++) { |
2668 | if (strcmp(kt->name, name) != 0) |
2669 | continue; |
2670 | if (kt->sigalg != NULL((void*)0)) |
2671 | return kt->sigalg; |
2672 | if (!kt->cert) |
2673 | return kt->name; |
2674 | return sshkey_ssh_name_from_type_nid( |
2675 | sshkey_type_plain(kt->type), kt->nid); |
2676 | } |
2677 | return NULL((void*)0); |
2678 | } |
2679 | |
2680 | /* |
2681 | * Verifies that the signature algorithm appearing inside the signature blob |
2682 | * matches that which was requested. |
2683 | */ |
2684 | int |
2685 | sshkey_check_sigtype(const u_char *sig, size_t siglen, |
2686 | const char *requested_alg) |
2687 | { |
2688 | const char *expected_alg; |
2689 | char *sigtype = NULL((void*)0); |
2690 | int r; |
2691 | |
2692 | if (requested_alg == NULL((void*)0)) |
2693 | return 0; |
2694 | if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL((void*)0)) |
2695 | return SSH_ERR_INVALID_ARGUMENT-10; |
2696 | if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) |
2697 | return r; |
2698 | r = strcmp(expected_alg, sigtype) == 0; |
2699 | free(sigtype); |
2700 | return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
2701 | } |
2702 | |
2703 | int |
2704 | sshkey_sign(struct sshkey *key, |
2705 | u_char **sigp, size_t *lenp, |
2706 | const u_char *data, size_t datalen, |
2707 | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
2708 | { |
2709 | int was_shielded = sshkey_is_shielded(key); |
2710 | int r2, r = SSH_ERR_INTERNAL_ERROR-1; |
2711 | |
2712 | if (sigp != NULL((void*)0)) |
2713 | *sigp = NULL((void*)0); |
2714 | if (lenp != NULL((void*)0)) |
2715 | *lenp = 0; |
2716 | if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20)) |
2717 | return SSH_ERR_INVALID_ARGUMENT-10; |
2718 | if ((r = sshkey_unshield_private(key)) != 0) |
2719 | return r; |
2720 | switch (key->type) { |
2721 | #ifdef WITH_OPENSSL1 |
2722 | case KEY_DSA_CERT: |
2723 | case KEY_DSA: |
2724 | r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat); |
2725 | break; |
2726 | case KEY_ECDSA_CERT: |
2727 | case KEY_ECDSA: |
2728 | r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat); |
2729 | break; |
2730 | case KEY_RSA_CERT: |
2731 | case KEY_RSA: |
2732 | r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg); |
2733 | break; |
2734 | #endif /* WITH_OPENSSL */ |
2735 | case KEY_ED25519: |
2736 | case KEY_ED25519_CERT: |
2737 | r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); |
2738 | break; |
2739 | case KEY_ED25519_SK: |
2740 | case KEY_ED25519_SK_CERT: |
2741 | case KEY_ECDSA_SK_CERT: |
2742 | case KEY_ECDSA_SK: |
2743 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, |
2744 | datalen, compat, sk_pin); |
2745 | break; |
2746 | #ifdef WITH_XMSS |
2747 | case KEY_XMSS: |
2748 | case KEY_XMSS_CERT: |
2749 | r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat); |
2750 | break; |
2751 | #endif /* WITH_XMSS */ |
2752 | default: |
2753 | r = SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2754 | break; |
2755 | } |
2756 | if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) |
2757 | return r2; |
2758 | return r; |
2759 | } |
2760 | |
2761 | /* |
2762 | * ssh_key_verify returns 0 for a correct signature and < 0 on error. |
2763 | * If "alg" specified, then the signature must use that algorithm. |
2764 | */ |
2765 | int |
2766 | sshkey_verify(const struct sshkey *key, |
2767 | const u_char *sig, size_t siglen, |
2768 | const u_char *data, size_t dlen, const char *alg, u_int compat, |
2769 | struct sshkey_sig_details **detailsp) |
2770 | { |
2771 | if (detailsp != NULL((void*)0)) |
2772 | *detailsp = NULL((void*)0); |
2773 | if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20)) |
2774 | return SSH_ERR_INVALID_ARGUMENT-10; |
2775 | switch (key->type) { |
2776 | #ifdef WITH_OPENSSL1 |
2777 | case KEY_DSA_CERT: |
2778 | case KEY_DSA: |
2779 | return ssh_dss_verify(key, sig, siglen, data, dlen, compat); |
2780 | case KEY_ECDSA_CERT: |
2781 | case KEY_ECDSA: |
2782 | return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat); |
2783 | case KEY_ECDSA_SK_CERT: |
2784 | case KEY_ECDSA_SK: |
2785 | return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen, |
2786 | compat, detailsp); |
2787 | case KEY_RSA_CERT: |
2788 | case KEY_RSA: |
2789 | return ssh_rsa_verify(key, sig, siglen, data, dlen, alg); |
2790 | #endif /* WITH_OPENSSL */ |
2791 | case KEY_ED25519: |
2792 | case KEY_ED25519_CERT: |
2793 | return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat); |
2794 | case KEY_ED25519_SK: |
2795 | case KEY_ED25519_SK_CERT: |
2796 | return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen, |
2797 | compat, detailsp); |
2798 | #ifdef WITH_XMSS |
2799 | case KEY_XMSS: |
2800 | case KEY_XMSS_CERT: |
2801 | return ssh_xmss_verify(key, sig, siglen, data, dlen, compat); |
2802 | #endif /* WITH_XMSS */ |
2803 | default: |
2804 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2805 | } |
2806 | } |
2807 | |
2808 | /* Convert a plain key to their _CERT equivalent */ |
2809 | int |
2810 | sshkey_to_certified(struct sshkey *k) |
2811 | { |
2812 | int newtype; |
2813 | |
2814 | switch (k->type) { |
2815 | #ifdef WITH_OPENSSL1 |
2816 | case KEY_RSA: |
2817 | newtype = KEY_RSA_CERT; |
2818 | break; |
2819 | case KEY_DSA: |
2820 | newtype = KEY_DSA_CERT; |
2821 | break; |
2822 | case KEY_ECDSA: |
2823 | newtype = KEY_ECDSA_CERT; |
2824 | break; |
2825 | case KEY_ECDSA_SK: |
2826 | newtype = KEY_ECDSA_SK_CERT; |
2827 | break; |
2828 | #endif /* WITH_OPENSSL */ |
2829 | case KEY_ED25519_SK: |
2830 | newtype = KEY_ED25519_SK_CERT; |
2831 | break; |
2832 | case KEY_ED25519: |
2833 | newtype = KEY_ED25519_CERT; |
2834 | break; |
2835 | #ifdef WITH_XMSS |
2836 | case KEY_XMSS: |
2837 | newtype = KEY_XMSS_CERT; |
2838 | break; |
2839 | #endif /* WITH_XMSS */ |
2840 | default: |
2841 | return SSH_ERR_INVALID_ARGUMENT-10; |
2842 | } |
2843 | if ((k->cert = cert_new()) == NULL((void*)0)) |
2844 | return SSH_ERR_ALLOC_FAIL-2; |
2845 | k->type = newtype; |
2846 | return 0; |
2847 | } |
2848 | |
2849 | /* Convert a certificate to its raw key equivalent */ |
2850 | int |
2851 | sshkey_drop_cert(struct sshkey *k) |
2852 | { |
2853 | if (!sshkey_type_is_cert(k->type)) |
2854 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2855 | cert_free(k->cert); |
2856 | k->cert = NULL((void*)0); |
2857 | k->type = sshkey_type_plain(k->type); |
2858 | return 0; |
2859 | } |
2860 | |
2861 | /* Sign a certified key, (re-)generating the signed certblob. */ |
2862 | int |
2863 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
2864 | const char *sk_provider, const char *sk_pin, |
2865 | sshkey_certify_signer *signer, void *signer_ctx) |
2866 | { |
2867 | struct sshbuf *principals = NULL((void*)0); |
2868 | u_char *ca_blob = NULL((void*)0), *sig_blob = NULL((void*)0), nonce[32]; |
2869 | size_t i, ca_len, sig_len; |
2870 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
2871 | struct sshbuf *cert = NULL((void*)0); |
2872 | char *sigtype = NULL((void*)0); |
2873 | #ifdef WITH_OPENSSL1 |
2874 | const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; |
2875 | #endif /* WITH_OPENSSL */ |
2876 | |
2877 | if (k == NULL((void*)0) || k->cert == NULL((void*)0) || |
2878 | k->cert->certblob == NULL((void*)0) || ca == NULL((void*)0)) |
2879 | return SSH_ERR_INVALID_ARGUMENT-10; |
2880 | if (!sshkey_is_cert(k)) |
2881 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2882 | if (!sshkey_type_is_valid_ca(ca->type)) |
2883 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2884 | |
2885 | /* |
2886 | * If no alg specified as argument but a signature_type was set, |
2887 | * then prefer that. If both were specified, then they must match. |
2888 | */ |
2889 | if (alg == NULL((void*)0)) |
2890 | alg = k->cert->signature_type; |
2891 | else if (k->cert->signature_type != NULL((void*)0) && |
2892 | strcmp(alg, k->cert->signature_type) != 0) |
2893 | return SSH_ERR_INVALID_ARGUMENT-10; |
2894 | |
2895 | /* |
2896 | * If no signing algorithm or signature_type was specified and we're |
2897 | * using a RSA key, then default to a good signature algorithm. |
2898 | */ |
2899 | if (alg == NULL((void*)0) && ca->type == KEY_RSA) |
2900 | alg = "rsa-sha2-512"; |
2901 | |
2902 | if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) |
2903 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2904 | |
2905 | cert = k->cert->certblob; /* for readability */ |
2906 | sshbuf_reset(cert); |
2907 | if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) |
2908 | goto out; |
2909 | |
2910 | /* -v01 certs put nonce first */ |
2911 | arc4random_buf(&nonce, sizeof(nonce)); |
2912 | if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) |
2913 | goto out; |
2914 | |
2915 | /* XXX this substantially duplicates to_blob(); refactor */ |
2916 | switch (k->type) { |
2917 | #ifdef WITH_OPENSSL1 |
2918 | case KEY_DSA_CERT: |
2919 | DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g); |
2920 | DSA_get0_key(k->dsa, &dsa_pub_key, NULL((void*)0)); |
2921 | if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 || |
2922 | (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 || |
2923 | (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 || |
2924 | (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0) |
2925 | goto out; |
2926 | break; |
2927 | case KEY_ECDSA_CERT: |
2928 | case KEY_ECDSA_SK_CERT: |
2929 | if ((ret = sshbuf_put_cstring(cert, |
2930 | sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 || |
2931 | (ret = sshbuf_put_ec(cert, |
2932 | EC_KEY_get0_public_key(k->ecdsa), |
2933 | EC_KEY_get0_group(k->ecdsa))) != 0) |
2934 | goto out; |
2935 | if (k->type == KEY_ECDSA_SK_CERT) { |
2936 | if ((ret = sshbuf_put_cstring(cert, |
2937 | k->sk_application)) != 0) |
2938 | goto out; |
2939 | } |
2940 | break; |
2941 | case KEY_RSA_CERT: |
2942 | RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL((void*)0)); |
2943 | if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 || |
2944 | (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0) |
2945 | goto out; |
2946 | break; |
2947 | #endif /* WITH_OPENSSL */ |
2948 | case KEY_ED25519_CERT: |
2949 | case KEY_ED25519_SK_CERT: |
2950 | if ((ret = sshbuf_put_string(cert, |
2951 | k->ed25519_pk, ED25519_PK_SZ32U)) != 0) |
2952 | goto out; |
2953 | if (k->type == KEY_ED25519_SK_CERT) { |
2954 | if ((ret = sshbuf_put_cstring(cert, |
2955 | k->sk_application)) != 0) |
2956 | goto out; |
2957 | } |
2958 | break; |
2959 | #ifdef WITH_XMSS |
2960 | case KEY_XMSS_CERT: |
2961 | if (k->xmss_name == NULL((void*)0)) { |
2962 | ret = SSH_ERR_INVALID_ARGUMENT-10; |
2963 | goto out; |
2964 | } |
2965 | if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) || |
2966 | (ret = sshbuf_put_string(cert, |
2967 | k->xmss_pk, sshkey_xmss_pklen(k))) != 0) |
2968 | goto out; |
2969 | break; |
2970 | #endif /* WITH_XMSS */ |
2971 | default: |
2972 | ret = SSH_ERR_INVALID_ARGUMENT-10; |
2973 | goto out; |
2974 | } |
2975 | |
2976 | if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || |
2977 | (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || |
2978 | (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) |
2979 | goto out; |
2980 | |
2981 | if ((principals = sshbuf_new()) == NULL((void*)0)) { |
2982 | ret = SSH_ERR_ALLOC_FAIL-2; |
2983 | goto out; |
2984 | } |
2985 | for (i = 0; i < k->cert->nprincipals; i++) { |
2986 | if ((ret = sshbuf_put_cstring(principals, |
2987 | k->cert->principals[i])) != 0) |
2988 | goto out; |
2989 | } |
2990 | if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || |
2991 | (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || |
2992 | (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || |
2993 | (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || |
2994 | (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || |
2995 | (ret = sshbuf_put_string(cert, NULL((void*)0), 0)) != 0 || /* Reserved */ |
2996 | (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) |
2997 | goto out; |
2998 | |
2999 | /* Sign the whole mess */ |
3000 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
3001 | sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) |
3002 | goto out; |
3003 | /* Check and update signature_type against what was actually used */ |
3004 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) |
3005 | goto out; |
3006 | if (alg != NULL((void*)0) && strcmp(alg, sigtype) != 0) { |
3007 | ret = SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
3008 | goto out; |
3009 | } |
3010 | if (k->cert->signature_type == NULL((void*)0)) { |
3011 | k->cert->signature_type = sigtype; |
3012 | sigtype = NULL((void*)0); |
3013 | } |
3014 | /* Append signature and we are done */ |
3015 | if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) |
3016 | goto out; |
3017 | ret = 0; |
3018 | out: |
3019 | if (ret != 0) |
3020 | sshbuf_reset(cert); |
3021 | free(sig_blob); |
3022 | free(ca_blob); |
3023 | free(sigtype); |
3024 | sshbuf_free(principals); |
3025 | return ret; |
3026 | } |
3027 | |
3028 | static int |
3029 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, |
3030 | const u_char *data, size_t datalen, |
3031 | const char *alg, const char *sk_provider, const char *sk_pin, |
3032 | u_int compat, void *ctx) |
3033 | { |
3034 | if (ctx != NULL((void*)0)) |
3035 | return SSH_ERR_INVALID_ARGUMENT-10; |
3036 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, |
3037 | sk_provider, sk_pin, compat); |
3038 | } |
3039 | |
3040 | int |
3041 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, |
3042 | const char *sk_provider, const char *sk_pin) |
3043 | { |
3044 | return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, |
3045 | default_key_sign, NULL((void*)0)); |
3046 | } |
3047 | |
3048 | int |
3049 | sshkey_cert_check_authority(const struct sshkey *k, |
3050 | int want_host, int require_principal, int wildcard_pattern, |
3051 | uint64_t verify_time, const char *name, const char **reason) |
3052 | { |
3053 | u_int i, principal_matches; |
3054 | |
3055 | if (reason == NULL((void*)0)) |
3056 | return SSH_ERR_INVALID_ARGUMENT-10; |
3057 | if (!sshkey_is_cert(k)) { |
3058 | *reason = "Key is not a certificate"; |
3059 | return SSH_ERR_KEY_CERT_INVALID-25; |
3060 | } |
3061 | if (want_host) { |
3062 | if (k->cert->type != SSH2_CERT_TYPE_HOST2) { |
3063 | *reason = "Certificate invalid: not a host certificate"; |
3064 | return SSH_ERR_KEY_CERT_INVALID-25; |
3065 | } |
3066 | } else { |
3067 | if (k->cert->type != SSH2_CERT_TYPE_USER1) { |
3068 | *reason = "Certificate invalid: not a user certificate"; |
3069 | return SSH_ERR_KEY_CERT_INVALID-25; |
3070 | } |
3071 | } |
3072 | if (verify_time < k->cert->valid_after) { |
3073 | *reason = "Certificate invalid: not yet valid"; |
3074 | return SSH_ERR_KEY_CERT_INVALID-25; |
3075 | } |
3076 | if (verify_time >= k->cert->valid_before) { |
3077 | *reason = "Certificate invalid: expired"; |
3078 | return SSH_ERR_KEY_CERT_INVALID-25; |
3079 | } |
3080 | if (k->cert->nprincipals == 0) { |
3081 | if (require_principal) { |
3082 | *reason = "Certificate lacks principal list"; |
3083 | return SSH_ERR_KEY_CERT_INVALID-25; |
3084 | } |
3085 | } else if (name != NULL((void*)0)) { |
3086 | principal_matches = 0; |
3087 | for (i = 0; i < k->cert->nprincipals; i++) { |
3088 | if (wildcard_pattern) { |
3089 | if (match_pattern(k->cert->principals[i], |
3090 | name)) { |
3091 | principal_matches = 1; |
3092 | break; |
3093 | } |
3094 | } else if (strcmp(name, k->cert->principals[i]) == 0) { |
3095 | principal_matches = 1; |
3096 | break; |
3097 | } |
3098 | } |
3099 | if (!principal_matches) { |
3100 | *reason = "Certificate invalid: name is not a listed " |
3101 | "principal"; |
3102 | return SSH_ERR_KEY_CERT_INVALID-25; |
3103 | } |
3104 | } |
3105 | return 0; |
3106 | } |
3107 | |
3108 | int |
3109 | sshkey_cert_check_authority_now(const struct sshkey *k, |
3110 | int want_host, int require_principal, int wildcard_pattern, |
3111 | const char *name, const char **reason) |
3112 | { |
3113 | time_t now; |
3114 | |
3115 | if ((now = time(NULL((void*)0))) < 0) { |
3116 | /* yikes - system clock before epoch! */ |
3117 | *reason = "Certificate invalid: not yet valid"; |
3118 | return SSH_ERR_KEY_CERT_INVALID-25; |
3119 | } |
3120 | return sshkey_cert_check_authority(k, want_host, require_principal, |
3121 | wildcard_pattern, (uint64_t)now, name, reason); |
3122 | } |
3123 | |
3124 | int |
3125 | sshkey_cert_check_host(const struct sshkey *key, const char *host, |
3126 | int wildcard_principals, const char *ca_sign_algorithms, |
3127 | const char **reason) |
3128 | { |
3129 | int r; |
3130 | |
3131 | if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, |
3132 | host, reason)) != 0) |
3133 | return r; |
3134 | if (sshbuf_len(key->cert->critical) != 0) { |
3135 | *reason = "Certificate contains unsupported critical options"; |
3136 | return SSH_ERR_KEY_CERT_INVALID-25; |
3137 | } |
3138 | if (ca_sign_algorithms != NULL((void*)0) && |
3139 | (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { |
3140 | *reason = "Certificate signed with disallowed algorithm"; |
3141 | return SSH_ERR_KEY_CERT_INVALID-25; |
3142 | } |
3143 | return 0; |
3144 | } |
3145 | |
3146 | size_t |
3147 | sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) |
3148 | { |
3149 | char from[32], to[32], ret[128]; |
3150 | |
3151 | *from = *to = '\0'; |
3152 | if (cert->valid_after == 0 && |
3153 | cert->valid_before == 0xffffffffffffffffULL) |
3154 | return strlcpy(s, "forever", l); |
3155 | |
3156 | if (cert->valid_after != 0) |
3157 | format_absolute_time(cert->valid_after, from, sizeof(from)); |
3158 | if (cert->valid_before != 0xffffffffffffffffULL) |
3159 | format_absolute_time(cert->valid_before, to, sizeof(to)); |
3160 | |
3161 | if (cert->valid_after == 0) |
3162 | snprintf(ret, sizeof(ret), "before %s", to); |
3163 | else if (cert->valid_before == 0xffffffffffffffffULL) |
3164 | snprintf(ret, sizeof(ret), "after %s", from); |
3165 | else |
3166 | snprintf(ret, sizeof(ret), "from %s to %s", from, to); |
3167 | |
3168 | return strlcpy(s, ret, l); |
3169 | } |
3170 | |
3171 | int |
3172 | sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, |
3173 | enum sshkey_serialize_rep opts) |
3174 | { |
3175 | int r = SSH_ERR_INTERNAL_ERROR-1; |
3176 | int was_shielded = sshkey_is_shielded(key); |
3177 | struct sshbuf *b = NULL((void*)0); |
3178 | #ifdef WITH_OPENSSL1 |
3179 | const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q; |
3180 | const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key; |
3181 | #endif /* WITH_OPENSSL */ |
3182 | |
3183 | if ((r = sshkey_unshield_private(key)) != 0) |
3184 | return r; |
3185 | if ((b = sshbuf_new()) == NULL((void*)0)) |
3186 | return SSH_ERR_ALLOC_FAIL-2; |
3187 | if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) |
3188 | goto out; |
3189 | switch (key->type) { |
3190 | #ifdef WITH_OPENSSL1 |
3191 | case KEY_RSA: |
3192 | RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d); |
3193 | RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); |
3194 | RSA_get0_crt_params(key->rsa, NULL((void*)0), NULL((void*)0), &rsa_iqmp); |
3195 | if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 || |
3196 | (r = sshbuf_put_bignum2(b, rsa_e)) != 0 || |
3197 | (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || |
3198 | (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || |
3199 | (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || |
3200 | (r = sshbuf_put_bignum2(b, rsa_q)) != 0) |
3201 | goto out; |
3202 | break; |
3203 | case KEY_RSA_CERT: |
3204 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0) { |
3205 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3206 | goto out; |
3207 | } |
3208 | RSA_get0_key(key->rsa, NULL((void*)0), NULL((void*)0), &rsa_d); |
3209 | RSA_get0_factors(key->rsa, &rsa_p, &rsa_q); |
3210 | RSA_get0_crt_params(key->rsa, NULL((void*)0), NULL((void*)0), &rsa_iqmp); |
3211 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3212 | (r = sshbuf_put_bignum2(b, rsa_d)) != 0 || |
3213 | (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 || |
3214 | (r = sshbuf_put_bignum2(b, rsa_p)) != 0 || |
3215 | (r = sshbuf_put_bignum2(b, rsa_q)) != 0) |
3216 | goto out; |
3217 | break; |
3218 | case KEY_DSA: |
3219 | DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g); |
3220 | DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key); |
3221 | if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 || |
3222 | (r = sshbuf_put_bignum2(b, dsa_q)) != 0 || |
3223 | (r = sshbuf_put_bignum2(b, dsa_g)) != 0 || |
3224 | (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 || |
3225 | (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) |
3226 | goto out; |
3227 | break; |
3228 | case KEY_DSA_CERT: |
3229 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0) { |
3230 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3231 | goto out; |
3232 | } |
3233 | DSA_get0_key(key->dsa, NULL((void*)0), &dsa_priv_key); |
3234 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3235 | (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0) |
3236 | goto out; |
3237 | break; |
3238 | case KEY_ECDSA: |
3239 | if ((r = sshbuf_put_cstring(b, |
3240 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || |
3241 | (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || |
3242 | (r = sshbuf_put_bignum2(b, |
3243 | EC_KEY_get0_private_key(key->ecdsa))) != 0) |
3244 | goto out; |
3245 | break; |
3246 | case KEY_ECDSA_CERT: |
3247 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0) { |
3248 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3249 | goto out; |
3250 | } |
3251 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3252 | (r = sshbuf_put_bignum2(b, |
3253 | EC_KEY_get0_private_key(key->ecdsa))) != 0) |
3254 | goto out; |
3255 | break; |
3256 | case KEY_ECDSA_SK: |
3257 | if ((r = sshbuf_put_cstring(b, |
3258 | sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 || |
3259 | (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 || |
3260 | (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || |
3261 | (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || |
3262 | (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || |
3263 | (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) |
3264 | goto out; |
3265 | break; |
3266 | case KEY_ECDSA_SK_CERT: |
3267 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0) { |
3268 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3269 | goto out; |
3270 | } |
3271 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3272 | (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || |
3273 | (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || |
3274 | (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || |
3275 | (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) |
3276 | goto out; |
3277 | break; |
3278 | #endif /* WITH_OPENSSL */ |
3279 | case KEY_ED25519: |
3280 | if ((r = sshbuf_put_string(b, key->ed25519_pk, |
3281 | ED25519_PK_SZ32U)) != 0 || |
3282 | (r = sshbuf_put_string(b, key->ed25519_sk, |
3283 | ED25519_SK_SZ64U)) != 0) |
3284 | goto out; |
3285 | break; |
3286 | case KEY_ED25519_CERT: |
3287 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0) { |
3288 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3289 | goto out; |
3290 | } |
3291 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3292 | (r = sshbuf_put_string(b, key->ed25519_pk, |
3293 | ED25519_PK_SZ32U)) != 0 || |
3294 | (r = sshbuf_put_string(b, key->ed25519_sk, |
3295 | ED25519_SK_SZ64U)) != 0) |
3296 | goto out; |
3297 | break; |
3298 | case KEY_ED25519_SK: |
3299 | if ((r = sshbuf_put_string(b, key->ed25519_pk, |
3300 | ED25519_PK_SZ32U)) != 0 || |
3301 | (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || |
3302 | (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || |
3303 | (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || |
3304 | (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) |
3305 | goto out; |
3306 | break; |
3307 | case KEY_ED25519_SK_CERT: |
3308 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0) { |
3309 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3310 | goto out; |
3311 | } |
3312 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3313 | (r = sshbuf_put_string(b, key->ed25519_pk, |
3314 | ED25519_PK_SZ32U)) != 0 || |
3315 | (r = sshbuf_put_cstring(b, key->sk_application)) != 0 || |
3316 | (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || |
3317 | (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || |
3318 | (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) |
3319 | goto out; |
3320 | break; |
3321 | #ifdef WITH_XMSS |
3322 | case KEY_XMSS: |
3323 | if (key->xmss_name == NULL((void*)0)) { |
3324 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3325 | goto out; |
3326 | } |
3327 | if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || |
3328 | (r = sshbuf_put_string(b, key->xmss_pk, |
3329 | sshkey_xmss_pklen(key))) != 0 || |
3330 | (r = sshbuf_put_string(b, key->xmss_sk, |
3331 | sshkey_xmss_sklen(key))) != 0 || |
3332 | (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) |
3333 | goto out; |
3334 | break; |
3335 | case KEY_XMSS_CERT: |
3336 | if (key->cert == NULL((void*)0) || sshbuf_len(key->cert->certblob) == 0 || |
3337 | key->xmss_name == NULL((void*)0)) { |
3338 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3339 | goto out; |
3340 | } |
3341 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 || |
3342 | (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 || |
3343 | (r = sshbuf_put_string(b, key->xmss_pk, |
3344 | sshkey_xmss_pklen(key))) != 0 || |
3345 | (r = sshbuf_put_string(b, key->xmss_sk, |
3346 | sshkey_xmss_sklen(key))) != 0 || |
3347 | (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0) |
3348 | goto out; |
3349 | break; |
3350 | #endif /* WITH_XMSS */ |
3351 | default: |
3352 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3353 | goto out; |
3354 | } |
3355 | /* |
3356 | * success (but we still need to append the output to buf after |
3357 | * possibly re-shielding the private key) |
3358 | */ |
3359 | r = 0; |
3360 | out: |
3361 | if (was_shielded) |
3362 | r = sshkey_shield_private(key); |
3363 | if (r == 0) |
3364 | r = sshbuf_putb(buf, b); |
3365 | sshbuf_free(b); |
3366 | |
3367 | return r; |
3368 | } |
3369 | |
3370 | int |
3371 | sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) |
3372 | { |
3373 | return sshkey_private_serialize_opt(key, b, |
3374 | SSHKEY_SERIALIZE_DEFAULT); |
3375 | } |
3376 | |
3377 | int |
3378 | sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) |
3379 | { |
3380 | char *tname = NULL((void*)0), *curve = NULL((void*)0), *xmss_name = NULL((void*)0); |
3381 | char *expect_sk_application = NULL((void*)0); |
3382 | struct sshkey *k = NULL((void*)0); |
3383 | size_t pklen = 0, sklen = 0; |
3384 | int type, r = SSH_ERR_INTERNAL_ERROR-1; |
3385 | u_char *ed25519_pk = NULL((void*)0), *ed25519_sk = NULL((void*)0); |
3386 | u_char *expect_ed25519_pk = NULL((void*)0); |
3387 | u_char *xmss_pk = NULL((void*)0), *xmss_sk = NULL((void*)0); |
3388 | #ifdef WITH_OPENSSL1 |
3389 | BIGNUM *exponent = NULL((void*)0); |
3390 | BIGNUM *rsa_n = NULL((void*)0), *rsa_e = NULL((void*)0), *rsa_d = NULL((void*)0); |
3391 | BIGNUM *rsa_iqmp = NULL((void*)0), *rsa_p = NULL((void*)0), *rsa_q = NULL((void*)0); |
3392 | BIGNUM *dsa_p = NULL((void*)0), *dsa_q = NULL((void*)0), *dsa_g = NULL((void*)0); |
3393 | BIGNUM *dsa_pub_key = NULL((void*)0), *dsa_priv_key = NULL((void*)0); |
3394 | #endif /* WITH_OPENSSL */ |
3395 | |
3396 | if (kp != NULL((void*)0)) |
3397 | *kp = NULL((void*)0); |
3398 | if ((r = sshbuf_get_cstring(buf, &tname, NULL((void*)0))) != 0) |
3399 | goto out; |
3400 | type = sshkey_type_from_name(tname); |
3401 | if (sshkey_type_is_cert(type)) { |
3402 | /* |
3403 | * Certificate key private keys begin with the certificate |
3404 | * itself. Make sure this matches the type of the enclosing |
3405 | * private key. |
3406 | */ |
3407 | if ((r = sshkey_froms(buf, &k)) != 0) |
3408 | goto out; |
3409 | if (k->type != type) { |
3410 | r = SSH_ERR_KEY_CERT_MISMATCH-45; |
3411 | goto out; |
3412 | } |
3413 | /* For ECDSA keys, the group must match too */ |
3414 | if (k->type == KEY_ECDSA && |
3415 | k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { |
3416 | r = SSH_ERR_KEY_CERT_MISMATCH-45; |
3417 | goto out; |
3418 | } |
3419 | /* |
3420 | * Several fields are redundant between certificate and |
3421 | * private key body, we require these to match. |
3422 | */ |
3423 | expect_sk_application = k->sk_application; |
3424 | expect_ed25519_pk = k->ed25519_pk; |
3425 | k->sk_application = NULL((void*)0); |
3426 | k->ed25519_pk = NULL((void*)0); |
3427 | } else { |
3428 | if ((k = sshkey_new(type)) == NULL((void*)0)) { |
3429 | r = SSH_ERR_ALLOC_FAIL-2; |
3430 | goto out; |
3431 | } |
3432 | } |
3433 | switch (type) { |
3434 | #ifdef WITH_OPENSSL1 |
3435 | case KEY_DSA: |
3436 | if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 || |
3437 | (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 || |
3438 | (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 || |
3439 | (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0) |
3440 | goto out; |
3441 | if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) { |
3442 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3443 | goto out; |
3444 | } |
3445 | dsa_p = dsa_q = dsa_g = NULL((void*)0); /* transferred */ |
3446 | if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL((void*)0))) { |
3447 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3448 | goto out; |
3449 | } |
3450 | dsa_pub_key = NULL((void*)0); /* transferred */ |
3451 | /* FALLTHROUGH */ |
3452 | case KEY_DSA_CERT: |
3453 | if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) |
3454 | goto out; |
3455 | if (!DSA_set0_key(k->dsa, NULL((void*)0), dsa_priv_key)) { |
3456 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3457 | goto out; |
3458 | } |
3459 | dsa_priv_key = NULL((void*)0); /* transferred */ |
3460 | break; |
3461 | case KEY_ECDSA: |
3462 | if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { |
3463 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3464 | goto out; |
3465 | } |
3466 | if ((r = sshbuf_get_cstring(buf, &curve, NULL((void*)0))) != 0) |
3467 | goto out; |
3468 | if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { |
3469 | r = SSH_ERR_EC_CURVE_MISMATCH-15; |
3470 | goto out; |
3471 | } |
3472 | k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); |
3473 | if (k->ecdsa == NULL((void*)0)) { |
3474 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3475 | goto out; |
3476 | } |
3477 | if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0) |
3478 | goto out; |
3479 | /* FALLTHROUGH */ |
3480 | case KEY_ECDSA_CERT: |
3481 | if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0) |
3482 | goto out; |
3483 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { |
3484 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3485 | goto out; |
3486 | } |
3487 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), |
3488 | EC_KEY_get0_public_key(k->ecdsa))) != 0 || |
3489 | (r = sshkey_ec_validate_private(k->ecdsa)) != 0) |
3490 | goto out; |
3491 | break; |
3492 | case KEY_ECDSA_SK: |
3493 | if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) { |
3494 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3495 | goto out; |
3496 | } |
3497 | if ((r = sshbuf_get_cstring(buf, &curve, NULL((void*)0))) != 0) |
3498 | goto out; |
3499 | if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) { |
3500 | r = SSH_ERR_EC_CURVE_MISMATCH-15; |
3501 | goto out; |
3502 | } |
3503 | if ((k->sk_key_handle = sshbuf_new()) == NULL((void*)0) || |
3504 | (k->sk_reserved = sshbuf_new()) == NULL((void*)0)) { |
3505 | r = SSH_ERR_ALLOC_FAIL-2; |
3506 | goto out; |
3507 | } |
3508 | k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); |
3509 | if (k->ecdsa == NULL((void*)0)) { |
3510 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3511 | goto out; |
3512 | } |
3513 | if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 || |
3514 | (r = sshbuf_get_cstring(buf, &k->sk_application, |
3515 | NULL((void*)0))) != 0 || |
3516 | (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || |
3517 | (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || |
3518 | (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) |
3519 | goto out; |
3520 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), |
3521 | EC_KEY_get0_public_key(k->ecdsa))) != 0) |
3522 | goto out; |
3523 | break; |
3524 | case KEY_ECDSA_SK_CERT: |
3525 | if ((k->sk_key_handle = sshbuf_new()) == NULL((void*)0) || |
3526 | (k->sk_reserved = sshbuf_new()) == NULL((void*)0)) { |
3527 | r = SSH_ERR_ALLOC_FAIL-2; |
3528 | goto out; |
3529 | } |
3530 | if ((r = sshbuf_get_cstring(buf, &k->sk_application, |
3531 | NULL((void*)0))) != 0 || |
3532 | (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || |
3533 | (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || |
3534 | (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) |
3535 | goto out; |
3536 | if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa), |
3537 | EC_KEY_get0_public_key(k->ecdsa))) != 0) |
3538 | goto out; |
3539 | break; |
3540 | case KEY_RSA: |
3541 | if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 || |
3542 | (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0) |
3543 | goto out; |
3544 | if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL((void*)0))) { |
3545 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3546 | goto out; |
3547 | } |
3548 | rsa_n = rsa_e = NULL((void*)0); /* transferred */ |
3549 | /* FALLTHROUGH */ |
3550 | case KEY_RSA_CERT: |
3551 | if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 || |
3552 | (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 || |
3553 | (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || |
3554 | (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) |
3555 | goto out; |
3556 | if (!RSA_set0_key(k->rsa, NULL((void*)0), NULL((void*)0), rsa_d)) { |
3557 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3558 | goto out; |
3559 | } |
3560 | rsa_d = NULL((void*)0); /* transferred */ |
3561 | if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) { |
3562 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3563 | goto out; |
3564 | } |
3565 | rsa_p = rsa_q = NULL((void*)0); /* transferred */ |
3566 | if ((r = check_rsa_length(k->rsa)) != 0) |
3567 | goto out; |
3568 | if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) |
3569 | goto out; |
3570 | break; |
3571 | #endif /* WITH_OPENSSL */ |
3572 | case KEY_ED25519: |
3573 | case KEY_ED25519_CERT: |
3574 | if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || |
3575 | (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) |
3576 | goto out; |
3577 | if (pklen != ED25519_PK_SZ32U || sklen != ED25519_SK_SZ64U) { |
3578 | r = SSH_ERR_INVALID_FORMAT-4; |
3579 | goto out; |
3580 | } |
3581 | k->ed25519_pk = ed25519_pk; |
3582 | k->ed25519_sk = ed25519_sk; |
3583 | ed25519_pk = ed25519_sk = NULL((void*)0); /* transferred */ |
3584 | break; |
3585 | case KEY_ED25519_SK: |
3586 | case KEY_ED25519_SK_CERT: |
3587 | if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0) |
3588 | goto out; |
3589 | if (pklen != ED25519_PK_SZ32U) { |
3590 | r = SSH_ERR_INVALID_FORMAT-4; |
3591 | goto out; |
3592 | } |
3593 | if ((k->sk_key_handle = sshbuf_new()) == NULL((void*)0) || |
3594 | (k->sk_reserved = sshbuf_new()) == NULL((void*)0)) { |
3595 | r = SSH_ERR_ALLOC_FAIL-2; |
3596 | goto out; |
3597 | } |
3598 | if ((r = sshbuf_get_cstring(buf, &k->sk_application, |
3599 | NULL((void*)0))) != 0 || |
3600 | (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || |
3601 | (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || |
3602 | (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) |
3603 | goto out; |
3604 | k->ed25519_pk = ed25519_pk; |
3605 | ed25519_pk = NULL((void*)0); /* transferred */ |
3606 | break; |
3607 | #ifdef WITH_XMSS |
3608 | case KEY_XMSS: |
3609 | case KEY_XMSS_CERT: |
3610 | if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL((void*)0))) != 0 || |
3611 | (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || |
3612 | (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) |
3613 | goto out; |
3614 | if (type == KEY_XMSS && |
3615 | (r = sshkey_xmss_init(k, xmss_name)) != 0) |
3616 | goto out; |
3617 | if (pklen != sshkey_xmss_pklen(k) || |
3618 | sklen != sshkey_xmss_sklen(k)) { |
3619 | r = SSH_ERR_INVALID_FORMAT-4; |
3620 | goto out; |
3621 | } |
3622 | k->xmss_pk = xmss_pk; |
3623 | k->xmss_sk = xmss_sk; |
3624 | xmss_pk = xmss_sk = NULL((void*)0); |
3625 | /* optional internal state */ |
3626 | if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0) |
3627 | goto out; |
3628 | break; |
3629 | #endif /* WITH_XMSS */ |
3630 | default: |
3631 | r = SSH_ERR_KEY_TYPE_UNKNOWN-14; |
3632 | goto out; |
3633 | } |
3634 | #ifdef WITH_OPENSSL1 |
3635 | /* enable blinding */ |
3636 | switch (k->type) { |
3637 | case KEY_RSA: |
3638 | case KEY_RSA_CERT: |
3639 | if (RSA_blinding_on(k->rsa, NULL((void*)0)) != 1) { |
3640 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3641 | goto out; |
3642 | } |
3643 | break; |
3644 | } |
3645 | #endif /* WITH_OPENSSL */ |
3646 | if ((expect_sk_application != NULL((void*)0) && (k->sk_application == NULL((void*)0) || |
3647 | strcmp(expect_sk_application, k->sk_application) != 0)) || |
3648 | (expect_ed25519_pk != NULL((void*)0) && (k->ed25519_pk == NULL((void*)0) || |
3649 | memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ32U) != 0))) { |
3650 | r = SSH_ERR_KEY_CERT_MISMATCH-45; |
3651 | goto out; |
3652 | } |
3653 | /* success */ |
3654 | r = 0; |
3655 | if (kp != NULL((void*)0)) { |
3656 | *kp = k; |
3657 | k = NULL((void*)0); |
3658 | } |
3659 | out: |
3660 | free(tname); |
3661 | free(curve); |
3662 | #ifdef WITH_OPENSSL1 |
3663 | BN_clear_free(exponent); |
3664 | BN_clear_free(dsa_p); |
3665 | BN_clear_free(dsa_q); |
3666 | BN_clear_free(dsa_g); |
3667 | BN_clear_free(dsa_pub_key); |
3668 | BN_clear_free(dsa_priv_key); |
3669 | BN_clear_free(rsa_n); |
3670 | BN_clear_free(rsa_e); |
3671 | BN_clear_free(rsa_d); |
3672 | BN_clear_free(rsa_p); |
3673 | BN_clear_free(rsa_q); |
3674 | BN_clear_free(rsa_iqmp); |
3675 | #endif /* WITH_OPENSSL */ |
3676 | sshkey_free(k); |
3677 | freezero(ed25519_pk, pklen); |
3678 | freezero(ed25519_sk, sklen); |
3679 | free(xmss_name); |
3680 | freezero(xmss_pk, pklen); |
3681 | freezero(xmss_sk, sklen); |
3682 | free(expect_sk_application); |
3683 | free(expect_ed25519_pk); |
3684 | return r; |
3685 | } |
3686 | |
3687 | #ifdef WITH_OPENSSL1 |
3688 | int |
3689 | sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) |
3690 | { |
3691 | EC_POINT *nq = NULL((void*)0); |
3692 | BIGNUM *order = NULL((void*)0), *x = NULL((void*)0), *y = NULL((void*)0), *tmp = NULL((void*)0); |
3693 | int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20; |
3694 | |
3695 | /* |
3696 | * NB. This assumes OpenSSL has already verified that the public |
3697 | * point lies on the curve. This is done by EC_POINT_oct2point() |
3698 | * implicitly calling EC_POINT_is_on_curve(). If this code is ever |
3699 | * reachable with public points not unmarshalled using |
3700 | * EC_POINT_oct2point then the caller will need to explicitly check. |
3701 | */ |
3702 | |
3703 | /* |
3704 | * We shouldn't ever hit this case because bignum_get_ecpoint() |
3705 | * refuses to load GF2m points. |
3706 | */ |
3707 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != |
3708 | NID_X9_62_prime_field406) |
3709 | goto out; |
3710 | |
3711 | /* Q != infinity */ |
3712 | if (EC_POINT_is_at_infinity(group, public)) |
3713 | goto out; |
3714 | |
3715 | if ((x = BN_new()) == NULL((void*)0) || |
3716 | (y = BN_new()) == NULL((void*)0) || |
3717 | (order = BN_new()) == NULL((void*)0) || |
3718 | (tmp = BN_new()) == NULL((void*)0)) { |
3719 | ret = SSH_ERR_ALLOC_FAIL-2; |
3720 | goto out; |
3721 | } |
3722 | |
3723 | /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ |
3724 | if (EC_GROUP_get_order(group, order, NULL((void*)0)) != 1 || |
3725 | EC_POINT_get_affine_coordinates_GFp(group, public, |
3726 | x, y, NULL((void*)0)) != 1) { |
3727 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
3728 | goto out; |
3729 | } |
3730 | if (BN_num_bits(x) <= BN_num_bits(order) / 2 || |
3731 | BN_num_bits(y) <= BN_num_bits(order) / 2) |
3732 | goto out; |
3733 | |
3734 | /* nQ == infinity (n == order of subgroup) */ |
3735 | if ((nq = EC_POINT_new(group)) == NULL((void*)0)) { |
3736 | ret = SSH_ERR_ALLOC_FAIL-2; |
3737 | goto out; |
3738 | } |
3739 | if (EC_POINT_mul(group, nq, NULL((void*)0), public, order, NULL((void*)0)) != 1) { |
3740 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
3741 | goto out; |
3742 | } |
3743 | if (EC_POINT_is_at_infinity(group, nq) != 1) |
3744 | goto out; |
3745 | |
3746 | /* x < order - 1, y < order - 1 */ |
3747 | if (!BN_sub(tmp, order, BN_value_one())) { |
3748 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
3749 | goto out; |
3750 | } |
3751 | if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) |
3752 | goto out; |
3753 | ret = 0; |
3754 | out: |
3755 | BN_clear_free(x); |
3756 | BN_clear_free(y); |
3757 | BN_clear_free(order); |
3758 | BN_clear_free(tmp); |
3759 | EC_POINT_free(nq); |
3760 | return ret; |
3761 | } |
3762 | |
3763 | int |
3764 | sshkey_ec_validate_private(const EC_KEY *key) |
3765 | { |
3766 | BIGNUM *order = NULL((void*)0), *tmp = NULL((void*)0); |
3767 | int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20; |
3768 | |
3769 | if ((order = BN_new()) == NULL((void*)0) || (tmp = BN_new()) == NULL((void*)0)) { |
3770 | ret = SSH_ERR_ALLOC_FAIL-2; |
3771 | goto out; |
3772 | } |
3773 | |
3774 | /* log2(private) > log2(order)/2 */ |
3775 | if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL((void*)0)) != 1) { |
3776 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
3777 | goto out; |
3778 | } |
3779 | if (BN_num_bits(EC_KEY_get0_private_key(key)) <= |
3780 | BN_num_bits(order) / 2) |
3781 | goto out; |
3782 | |
3783 | /* private < order - 1 */ |
3784 | if (!BN_sub(tmp, order, BN_value_one())) { |
3785 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
3786 | goto out; |
3787 | } |
3788 | if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) |
3789 | goto out; |
3790 | ret = 0; |
3791 | out: |
3792 | BN_clear_free(order); |
3793 | BN_clear_free(tmp); |
3794 | return ret; |
3795 | } |
3796 | |
3797 | void |
3798 | sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) |
3799 | { |
3800 | BIGNUM *x = NULL((void*)0), *y = NULL((void*)0); |
3801 | |
3802 | if (point == NULL((void*)0)) { |
3803 | fputs("point=(NULL)\n", stderr(&__sF[2])); |
3804 | return; |
3805 | } |
3806 | if ((x = BN_new()) == NULL((void*)0) || (y = BN_new()) == NULL((void*)0)) { |
3807 | fprintf(stderr(&__sF[2]), "%s: BN_new failed\n", __func__); |
3808 | goto out; |
3809 | } |
3810 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != |
3811 | NID_X9_62_prime_field406) { |
3812 | fprintf(stderr(&__sF[2]), "%s: group is not a prime field\n", __func__); |
3813 | goto out; |
3814 | } |
3815 | if (EC_POINT_get_affine_coordinates_GFp(group, point, |
3816 | x, y, NULL((void*)0)) != 1) { |
3817 | fprintf(stderr(&__sF[2]), "%s: EC_POINT_get_affine_coordinates_GFp\n", |
3818 | __func__); |
3819 | goto out; |
3820 | } |
3821 | fputs("x=", stderr(&__sF[2])); |
3822 | BN_print_fp(stderr(&__sF[2]), x); |
3823 | fputs("\ny=", stderr(&__sF[2])); |
3824 | BN_print_fp(stderr(&__sF[2]), y); |
3825 | fputs("\n", stderr(&__sF[2])); |
3826 | out: |
3827 | BN_clear_free(x); |
3828 | BN_clear_free(y); |
3829 | } |
3830 | |
3831 | void |
3832 | sshkey_dump_ec_key(const EC_KEY *key) |
3833 | { |
3834 | const BIGNUM *exponent; |
3835 | |
3836 | sshkey_dump_ec_point(EC_KEY_get0_group(key), |
3837 | EC_KEY_get0_public_key(key)); |
3838 | fputs("exponent=", stderr(&__sF[2])); |
3839 | if ((exponent = EC_KEY_get0_private_key(key)) == NULL((void*)0)) |
3840 | fputs("(NULL)", stderr(&__sF[2])); |
3841 | else |
3842 | BN_print_fp(stderr(&__sF[2]), EC_KEY_get0_private_key(key)); |
3843 | fputs("\n", stderr(&__sF[2])); |
3844 | } |
3845 | #endif /* WITH_OPENSSL */ |
3846 | |
3847 | static int |
3848 | sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, |
3849 | const char *passphrase, const char *comment, const char *ciphername, |
3850 | int rounds) |
3851 | { |
3852 | u_char *cp, *key = NULL((void*)0), *pubkeyblob = NULL((void*)0); |
3853 | u_char salt[SALT_LEN16]; |
3854 | char *b64 = NULL((void*)0); |
3855 | size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; |
3856 | u_int check; |
3857 | int r = SSH_ERR_INTERNAL_ERROR-1; |
3858 | struct sshcipher_ctx *ciphercontext = NULL((void*)0); |
3859 | const struct sshcipher *cipher; |
3860 | const char *kdfname = KDFNAME"bcrypt"; |
3861 | struct sshbuf *encoded = NULL((void*)0), *encrypted = NULL((void*)0), *kdf = NULL((void*)0); |
3862 | |
3863 | if (rounds <= 0) |
3864 | rounds = DEFAULT_ROUNDS16; |
3865 | if (passphrase == NULL((void*)0) || !strlen(passphrase)) { |
3866 | ciphername = "none"; |
3867 | kdfname = "none"; |
3868 | } else if (ciphername == NULL((void*)0)) |
3869 | ciphername = DEFAULT_CIPHERNAME"aes256-ctr"; |
3870 | if ((cipher = cipher_by_name(ciphername)) == NULL((void*)0)) { |
3871 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3872 | goto out; |
3873 | } |
3874 | |
3875 | if ((kdf = sshbuf_new()) == NULL((void*)0) || |
3876 | (encoded = sshbuf_new()) == NULL((void*)0) || |
3877 | (encrypted = sshbuf_new()) == NULL((void*)0)) { |
3878 | r = SSH_ERR_ALLOC_FAIL-2; |
3879 | goto out; |
3880 | } |
3881 | blocksize = cipher_blocksize(cipher); |
3882 | keylen = cipher_keylen(cipher); |
3883 | ivlen = cipher_ivlen(cipher); |
3884 | authlen = cipher_authlen(cipher); |
3885 | if ((key = calloc(1, keylen + ivlen)) == NULL((void*)0)) { |
3886 | r = SSH_ERR_ALLOC_FAIL-2; |
3887 | goto out; |
3888 | } |
3889 | if (strcmp(kdfname, "bcrypt") == 0) { |
3890 | arc4random_buf(salt, SALT_LEN16); |
3891 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), |
3892 | salt, SALT_LEN16, key, keylen + ivlen, rounds) < 0) { |
3893 | r = SSH_ERR_INVALID_ARGUMENT-10; |
3894 | goto out; |
3895 | } |
3896 | if ((r = sshbuf_put_string(kdf, salt, SALT_LEN16)) != 0 || |
3897 | (r = sshbuf_put_u32(kdf, rounds)) != 0) |
3898 | goto out; |
3899 | } else if (strcmp(kdfname, "none") != 0) { |
3900 | /* Unsupported KDF type */ |
3901 | r = SSH_ERR_KEY_UNKNOWN_CIPHER-42; |
3902 | goto out; |
3903 | } |
3904 | if ((r = cipher_init(&ciphercontext, cipher, key, keylen, |
3905 | key + keylen, ivlen, 1)) != 0) |
3906 | goto out; |
3907 | |
3908 | if ((r = sshbuf_put(encoded, AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 || |
3909 | (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || |
3910 | (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || |
3911 | (r = sshbuf_put_stringb(encoded, kdf)) != 0 || |
3912 | (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ |
3913 | (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || |
3914 | (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) |
3915 | goto out; |
3916 | |
3917 | /* set up the buffer that will be encrypted */ |
3918 | |
3919 | /* Random check bytes */ |
3920 | check = arc4random(); |
3921 | if ((r = sshbuf_put_u32(encrypted, check)) != 0 || |
3922 | (r = sshbuf_put_u32(encrypted, check)) != 0) |
3923 | goto out; |
3924 | |
3925 | /* append private key and comment*/ |
3926 | if ((r = sshkey_private_serialize_opt(prv, encrypted, |
3927 | SSHKEY_SERIALIZE_FULL)) != 0 || |
3928 | (r = sshbuf_put_cstring(encrypted, comment)) != 0) |
3929 | goto out; |
3930 | |
3931 | /* padding */ |
3932 | i = 0; |
3933 | while (sshbuf_len(encrypted) % blocksize) { |
3934 | if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) |
3935 | goto out; |
3936 | } |
3937 | |
3938 | /* length in destination buffer */ |
3939 | if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) |
3940 | goto out; |
3941 | |
3942 | /* encrypt */ |
3943 | if ((r = sshbuf_reserve(encoded, |
3944 | sshbuf_len(encrypted) + authlen, &cp)) != 0) |
3945 | goto out; |
3946 | if ((r = cipher_crypt(ciphercontext, 0, cp, |
3947 | sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) |
3948 | goto out; |
3949 | |
3950 | sshbuf_reset(blob); |
3951 | |
3952 | /* assemble uuencoded key */ |
3953 | if ((r = sshbuf_put(blob, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1))) != 0 || |
3954 | (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || |
3955 | (r = sshbuf_put(blob, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1))) != 0) |
3956 | goto out; |
3957 | |
3958 | /* success */ |
3959 | r = 0; |
3960 | |
3961 | out: |
3962 | sshbuf_free(kdf); |
3963 | sshbuf_free(encoded); |
3964 | sshbuf_free(encrypted); |
3965 | cipher_free(ciphercontext); |
3966 | explicit_bzero(salt, sizeof(salt)); |
3967 | if (key != NULL((void*)0)) |
3968 | freezero(key, keylen + ivlen); |
3969 | if (pubkeyblob != NULL((void*)0)) |
3970 | freezero(pubkeyblob, pubkeylen); |
3971 | if (b64 != NULL((void*)0)) |
3972 | freezero(b64, strlen(b64)); |
3973 | return r; |
3974 | } |
3975 | |
3976 | static int |
3977 | private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) |
3978 | { |
3979 | const u_char *cp; |
3980 | size_t encoded_len; |
3981 | int r; |
3982 | u_char last; |
3983 | struct sshbuf *encoded = NULL((void*)0), *decoded = NULL((void*)0); |
3984 | |
3985 | if (blob == NULL((void*)0) || decodedp == NULL((void*)0)) |
3986 | return SSH_ERR_INVALID_ARGUMENT-10; |
3987 | |
3988 | *decodedp = NULL((void*)0); |
3989 | |
3990 | if ((encoded = sshbuf_new()) == NULL((void*)0) || |
3991 | (decoded = sshbuf_new()) == NULL((void*)0)) { |
3992 | r = SSH_ERR_ALLOC_FAIL-2; |
3993 | goto out; |
3994 | } |
3995 | |
3996 | /* check preamble */ |
3997 | cp = sshbuf_ptr(blob); |
3998 | encoded_len = sshbuf_len(blob); |
3999 | if (encoded_len < (MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) + MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) || |
4000 | memcmp(cp, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1)) != 0) { |
4001 | r = SSH_ERR_INVALID_FORMAT-4; |
4002 | goto out; |
4003 | } |
4004 | cp += MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1); |
4005 | encoded_len -= MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1); |
4006 | |
4007 | /* Look for end marker, removing whitespace as we go */ |
4008 | while (encoded_len > 0) { |
4009 | if (*cp != '\n' && *cp != '\r') { |
4010 | if ((r = sshbuf_put_u8(encoded, *cp)) != 0) |
4011 | goto out; |
4012 | } |
4013 | last = *cp; |
4014 | encoded_len--; |
4015 | cp++; |
4016 | if (last == '\n') { |
4017 | if (encoded_len >= MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) && |
4018 | memcmp(cp, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) == 0) { |
4019 | /* \0 terminate */ |
4020 | if ((r = sshbuf_put_u8(encoded, 0)) != 0) |
4021 | goto out; |
4022 | break; |
4023 | } |
4024 | } |
4025 | } |
4026 | if (encoded_len == 0) { |
4027 | r = SSH_ERR_INVALID_FORMAT-4; |
4028 | goto out; |
4029 | } |
4030 | |
4031 | /* decode base64 */ |
4032 | if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) |
4033 | goto out; |
4034 | |
4035 | /* check magic */ |
4036 | if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC"openssh-key-v1") || |
4037 | memcmp(sshbuf_ptr(decoded), AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) { |
4038 | r = SSH_ERR_INVALID_FORMAT-4; |
4039 | goto out; |
4040 | } |
4041 | /* success */ |
4042 | *decodedp = decoded; |
4043 | decoded = NULL((void*)0); |
4044 | r = 0; |
4045 | out: |
4046 | sshbuf_free(encoded); |
4047 | sshbuf_free(decoded); |
4048 | return r; |
4049 | } |
4050 | |
4051 | static int |
4052 | private2_decrypt(struct sshbuf *decoded, const char *passphrase, |
4053 | struct sshbuf **decryptedp, struct sshkey **pubkeyp) |
4054 | { |
4055 | char *ciphername = NULL((void*)0), *kdfname = NULL((void*)0); |
4056 | const struct sshcipher *cipher = NULL((void*)0); |
4057 | int r = SSH_ERR_INTERNAL_ERROR-1; |
4058 | size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; |
4059 | struct sshbuf *kdf = NULL((void*)0), *decrypted = NULL((void*)0); |
4060 | struct sshcipher_ctx *ciphercontext = NULL((void*)0); |
4061 | struct sshkey *pubkey = NULL((void*)0); |
4062 | u_char *key = NULL((void*)0), *salt = NULL((void*)0), *dp; |
4063 | u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; |
4064 | |
4065 | if (decoded == NULL((void*)0) || decryptedp == NULL((void*)0) || pubkeyp == NULL((void*)0)) |
4066 | return SSH_ERR_INVALID_ARGUMENT-10; |
4067 | |
4068 | *decryptedp = NULL((void*)0); |
4069 | *pubkeyp = NULL((void*)0); |
4070 | |
4071 | if ((decrypted = sshbuf_new()) == NULL((void*)0)) { |
4072 | r = SSH_ERR_ALLOC_FAIL-2; |
4073 | goto out; |
4074 | } |
4075 | |
4076 | /* parse public portion of key */ |
4077 | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 || |
4078 | (r = sshbuf_get_cstring(decoded, &ciphername, NULL((void*)0))) != 0 || |
4079 | (r = sshbuf_get_cstring(decoded, &kdfname, NULL((void*)0))) != 0 || |
4080 | (r = sshbuf_froms(decoded, &kdf)) != 0 || |
4081 | (r = sshbuf_get_u32(decoded, &nkeys)) != 0) |
4082 | goto out; |
4083 | |
4084 | if (nkeys != 1) { |
4085 | /* XXX only one key supported at present */ |
4086 | r = SSH_ERR_INVALID_FORMAT-4; |
4087 | goto out; |
4088 | } |
4089 | |
4090 | if ((r = sshkey_froms(decoded, &pubkey)) != 0 || |
4091 | (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) |
4092 | goto out; |
4093 | |
4094 | if ((cipher = cipher_by_name(ciphername)) == NULL((void*)0)) { |
4095 | r = SSH_ERR_KEY_UNKNOWN_CIPHER-42; |
4096 | goto out; |
4097 | } |
4098 | if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { |
4099 | r = SSH_ERR_KEY_UNKNOWN_CIPHER-42; |
4100 | goto out; |
4101 | } |
4102 | if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { |
4103 | r = SSH_ERR_INVALID_FORMAT-4; |
4104 | goto out; |
4105 | } |
4106 | if ((passphrase == NULL((void*)0) || strlen(passphrase) == 0) && |
4107 | strcmp(kdfname, "none") != 0) { |
4108 | /* passphrase required */ |
4109 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4110 | goto out; |
4111 | } |
4112 | |
4113 | /* check size of encrypted key blob */ |
4114 | blocksize = cipher_blocksize(cipher); |
4115 | if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { |
4116 | r = SSH_ERR_INVALID_FORMAT-4; |
4117 | goto out; |
4118 | } |
4119 | |
4120 | /* setup key */ |
4121 | keylen = cipher_keylen(cipher); |
4122 | ivlen = cipher_ivlen(cipher); |
4123 | authlen = cipher_authlen(cipher); |
4124 | if ((key = calloc(1, keylen + ivlen)) == NULL((void*)0)) { |
4125 | r = SSH_ERR_ALLOC_FAIL-2; |
4126 | goto out; |
4127 | } |
4128 | if (strcmp(kdfname, "bcrypt") == 0) { |
4129 | if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || |
4130 | (r = sshbuf_get_u32(kdf, &rounds)) != 0) |
4131 | goto out; |
4132 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, |
4133 | key, keylen + ivlen, rounds) < 0) { |
4134 | r = SSH_ERR_INVALID_FORMAT-4; |
4135 | goto out; |
4136 | } |
4137 | } |
4138 | |
4139 | /* check that an appropriate amount of auth data is present */ |
4140 | if (sshbuf_len(decoded) < authlen || |
4141 | sshbuf_len(decoded) - authlen < encrypted_len) { |
4142 | r = SSH_ERR_INVALID_FORMAT-4; |
4143 | goto out; |
4144 | } |
4145 | |
4146 | /* decrypt private portion of key */ |
4147 | if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || |
4148 | (r = cipher_init(&ciphercontext, cipher, key, keylen, |
4149 | key + keylen, ivlen, 0)) != 0) |
4150 | goto out; |
4151 | if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), |
4152 | encrypted_len, 0, authlen)) != 0) { |
4153 | /* an integrity error here indicates an incorrect passphrase */ |
4154 | if (r == SSH_ERR_MAC_INVALID-30) |
4155 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4156 | goto out; |
4157 | } |
4158 | if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) |
4159 | goto out; |
4160 | /* there should be no trailing data */ |
4161 | if (sshbuf_len(decoded) != 0) { |
4162 | r = SSH_ERR_INVALID_FORMAT-4; |
4163 | goto out; |
4164 | } |
4165 | |
4166 | /* check check bytes */ |
4167 | if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || |
4168 | (r = sshbuf_get_u32(decrypted, &check2)) != 0) |
4169 | goto out; |
4170 | if (check1 != check2) { |
4171 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4172 | goto out; |
4173 | } |
4174 | /* success */ |
4175 | *decryptedp = decrypted; |
4176 | decrypted = NULL((void*)0); |
4177 | *pubkeyp = pubkey; |
4178 | pubkey = NULL((void*)0); |
4179 | r = 0; |
4180 | out: |
4181 | cipher_free(ciphercontext); |
4182 | free(ciphername); |
4183 | free(kdfname); |
4184 | sshkey_free(pubkey); |
4185 | if (salt != NULL((void*)0)) { |
4186 | explicit_bzero(salt, slen); |
4187 | free(salt); |
4188 | } |
4189 | if (key != NULL((void*)0)) { |
4190 | explicit_bzero(key, keylen + ivlen); |
4191 | free(key); |
4192 | } |
4193 | sshbuf_free(kdf); |
4194 | sshbuf_free(decrypted); |
4195 | return r; |
4196 | } |
4197 | |
4198 | /* Check deterministic padding after private key */ |
4199 | static int |
4200 | private2_check_padding(struct sshbuf *decrypted) |
4201 | { |
4202 | u_char pad; |
4203 | size_t i; |
4204 | int r = SSH_ERR_INTERNAL_ERROR-1; |
4205 | |
4206 | i = 0; |
4207 | while (sshbuf_len(decrypted)) { |
4208 | if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) |
4209 | goto out; |
4210 | if (pad != (++i & 0xff)) { |
4211 | r = SSH_ERR_INVALID_FORMAT-4; |
4212 | goto out; |
4213 | } |
4214 | } |
4215 | /* success */ |
4216 | r = 0; |
4217 | out: |
4218 | explicit_bzero(&pad, sizeof(pad)); |
4219 | explicit_bzero(&i, sizeof(i)); |
4220 | return r; |
4221 | } |
4222 | |
4223 | static int |
4224 | sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, |
4225 | struct sshkey **keyp, char **commentp) |
4226 | { |
4227 | char *comment = NULL((void*)0); |
4228 | int r = SSH_ERR_INTERNAL_ERROR-1; |
4229 | struct sshbuf *decoded = NULL((void*)0), *decrypted = NULL((void*)0); |
4230 | struct sshkey *k = NULL((void*)0), *pubkey = NULL((void*)0); |
4231 | |
4232 | if (keyp != NULL((void*)0)) |
4233 | *keyp = NULL((void*)0); |
4234 | if (commentp != NULL((void*)0)) |
4235 | *commentp = NULL((void*)0); |
4236 | |
4237 | /* Undo base64 encoding and decrypt the private section */ |
4238 | if ((r = private2_uudecode(blob, &decoded)) != 0 || |
4239 | (r = private2_decrypt(decoded, passphrase, |
4240 | &decrypted, &pubkey)) != 0) |
4241 | goto out; |
4242 | |
4243 | if (type != KEY_UNSPEC && |
4244 | sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { |
4245 | r = SSH_ERR_KEY_TYPE_MISMATCH-13; |
4246 | goto out; |
4247 | } |
4248 | |
4249 | /* Load the private key and comment */ |
4250 | if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || |
4251 | (r = sshbuf_get_cstring(decrypted, &comment, NULL((void*)0))) != 0) |
4252 | goto out; |
4253 | |
4254 | /* Check deterministic padding after private section */ |
4255 | if ((r = private2_check_padding(decrypted)) != 0) |
4256 | goto out; |
4257 | |
4258 | /* Check that the public key in the envelope matches the private key */ |
4259 | if (!sshkey_equal(pubkey, k)) { |
4260 | r = SSH_ERR_INVALID_FORMAT-4; |
4261 | goto out; |
4262 | } |
4263 | |
4264 | /* success */ |
4265 | r = 0; |
4266 | if (keyp != NULL((void*)0)) { |
4267 | *keyp = k; |
4268 | k = NULL((void*)0); |
4269 | } |
4270 | if (commentp != NULL((void*)0)) { |
4271 | *commentp = comment; |
4272 | comment = NULL((void*)0); |
4273 | } |
4274 | out: |
4275 | free(comment); |
4276 | sshbuf_free(decoded); |
4277 | sshbuf_free(decrypted); |
4278 | sshkey_free(k); |
4279 | sshkey_free(pubkey); |
4280 | return r; |
4281 | } |
4282 | |
4283 | static int |
4284 | sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, |
4285 | struct sshkey **keyp) |
4286 | { |
4287 | int r = SSH_ERR_INTERNAL_ERROR-1; |
4288 | struct sshbuf *decoded = NULL((void*)0); |
4289 | struct sshkey *pubkey = NULL((void*)0); |
4290 | u_int nkeys = 0; |
4291 | |
4292 | if (keyp != NULL((void*)0)) |
4293 | *keyp = NULL((void*)0); |
4294 | |
4295 | if ((r = private2_uudecode(blob, &decoded)) != 0) |
4296 | goto out; |
4297 | /* parse public key from unencrypted envelope */ |
4298 | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 || |
4299 | (r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void*)0), ((void*)0))) != 0 || /* cipher */ |
4300 | (r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void*)0), ((void*)0))) != 0 || /* KDF alg */ |
4301 | (r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void*)0), ((void*)0))) != 0 || /* KDF hint */ |
4302 | (r = sshbuf_get_u32(decoded, &nkeys)) != 0) |
4303 | goto out; |
4304 | |
4305 | if (nkeys != 1) { |
4306 | /* XXX only one key supported at present */ |
4307 | r = SSH_ERR_INVALID_FORMAT-4; |
4308 | goto out; |
4309 | } |
4310 | |
4311 | /* Parse the public key */ |
4312 | if ((r = sshkey_froms(decoded, &pubkey)) != 0) |
4313 | goto out; |
4314 | |
4315 | if (type != KEY_UNSPEC && |
4316 | sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { |
4317 | r = SSH_ERR_KEY_TYPE_MISMATCH-13; |
4318 | goto out; |
4319 | } |
4320 | |
4321 | /* success */ |
4322 | r = 0; |
4323 | if (keyp != NULL((void*)0)) { |
4324 | *keyp = pubkey; |
4325 | pubkey = NULL((void*)0); |
4326 | } |
4327 | out: |
4328 | sshbuf_free(decoded); |
4329 | sshkey_free(pubkey); |
4330 | return r; |
4331 | } |
4332 | |
4333 | #ifdef WITH_OPENSSL1 |
4334 | /* convert SSH v2 key to PEM or PKCS#8 format */ |
4335 | static int |
4336 | sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, |
4337 | int format, const char *_passphrase, const char *comment) |
4338 | { |
4339 | int was_shielded = sshkey_is_shielded(key); |
4340 | int success, r; |
4341 | int blen, len = strlen(_passphrase); |
4342 | u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL((void*)0); |
4343 | const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL((void*)0); |
4344 | char *bptr; |
4345 | BIO *bio = NULL((void*)0); |
4346 | struct sshbuf *blob; |
4347 | EVP_PKEY *pkey = NULL((void*)0); |
4348 | |
4349 | if (len > 0 && len <= 4) |
4350 | return SSH_ERR_PASSPHRASE_TOO_SHORT-40; |
4351 | if ((blob = sshbuf_new()) == NULL((void*)0)) |
4352 | return SSH_ERR_ALLOC_FAIL-2; |
4353 | if ((bio = BIO_new(BIO_s_mem())) == NULL((void*)0)) { |
4354 | r = SSH_ERR_ALLOC_FAIL-2; |
4355 | goto out; |
4356 | } |
4357 | if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL((void*)0)) { |
4358 | r = SSH_ERR_ALLOC_FAIL-2; |
4359 | goto out; |
4360 | } |
4361 | if ((r = sshkey_unshield_private(key)) != 0) |
4362 | goto out; |
4363 | |
4364 | switch (key->type) { |
4365 | case KEY_DSA: |
4366 | if (format == SSHKEY_PRIVATE_PEM) { |
4367 | success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, |
4368 | cipher, passphrase, len, NULL((void*)0), NULL((void*)0)); |
4369 | } else { |
4370 | success = EVP_PKEY_set1_DSA(pkey, key->dsa); |
4371 | } |
4372 | break; |
4373 | case KEY_ECDSA: |
4374 | if (format == SSHKEY_PRIVATE_PEM) { |
4375 | success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, |
4376 | cipher, passphrase, len, NULL((void*)0), NULL((void*)0)); |
4377 | } else { |
4378 | success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa); |
4379 | } |
4380 | break; |
4381 | case KEY_RSA: |
4382 | if (format == SSHKEY_PRIVATE_PEM) { |
4383 | success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, |
4384 | cipher, passphrase, len, NULL((void*)0), NULL((void*)0)); |
4385 | } else { |
4386 | success = EVP_PKEY_set1_RSA(pkey, key->rsa); |
4387 | } |
4388 | break; |
4389 | default: |
4390 | success = 0; |
4391 | break; |
4392 | } |
4393 | if (success == 0) { |
4394 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
4395 | goto out; |
4396 | } |
4397 | if (format == SSHKEY_PRIVATE_PKCS8) { |
4398 | if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, |
4399 | passphrase, len, NULL((void*)0), NULL((void*)0))) == 0) { |
4400 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
4401 | goto out; |
4402 | } |
4403 | } |
4404 | if ((blen = BIO_get_mem_data(bio, &bptr)BIO_ctrl(bio,3,0,(char *)&bptr)) <= 0) { |
4405 | r = SSH_ERR_INTERNAL_ERROR-1; |
4406 | goto out; |
4407 | } |
4408 | if ((r = sshbuf_put(blob, bptr, blen)) != 0) |
4409 | goto out; |
4410 | r = 0; |
4411 | out: |
4412 | if (was_shielded) |
4413 | r = sshkey_shield_private(key); |
4414 | if (r == 0) |
4415 | r = sshbuf_putb(buf, blob); |
4416 | |
4417 | EVP_PKEY_free(pkey); |
4418 | sshbuf_free(blob); |
4419 | BIO_free(bio); |
4420 | return r; |
4421 | } |
4422 | #endif /* WITH_OPENSSL */ |
4423 | |
4424 | /* Serialise "key" to buffer "blob" */ |
4425 | int |
4426 | sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, |
4427 | const char *passphrase, const char *comment, |
4428 | int format, const char *openssh_format_cipher, int openssh_format_rounds) |
4429 | { |
4430 | switch (key->type) { |
4431 | #ifdef WITH_OPENSSL1 |
4432 | case KEY_DSA: |
4433 | case KEY_ECDSA: |
4434 | case KEY_RSA: |
4435 | break; /* see below */ |
4436 | #endif /* WITH_OPENSSL */ |
4437 | case KEY_ED25519: |
4438 | case KEY_ED25519_SK: |
4439 | #ifdef WITH_XMSS |
4440 | case KEY_XMSS: |
4441 | #endif /* WITH_XMSS */ |
4442 | #ifdef WITH_OPENSSL1 |
4443 | case KEY_ECDSA_SK: |
4444 | #endif /* WITH_OPENSSL */ |
4445 | return sshkey_private_to_blob2(key, blob, passphrase, |
4446 | comment, openssh_format_cipher, openssh_format_rounds); |
4447 | default: |
4448 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
4449 | } |
4450 | |
4451 | #ifdef WITH_OPENSSL1 |
4452 | switch (format) { |
4453 | case SSHKEY_PRIVATE_OPENSSH: |
4454 | return sshkey_private_to_blob2(key, blob, passphrase, |
4455 | comment, openssh_format_cipher, openssh_format_rounds); |
4456 | case SSHKEY_PRIVATE_PEM: |
4457 | case SSHKEY_PRIVATE_PKCS8: |
4458 | return sshkey_private_to_blob_pem_pkcs8(key, blob, |
4459 | format, passphrase, comment); |
4460 | default: |
4461 | return SSH_ERR_INVALID_ARGUMENT-10; |
4462 | } |
4463 | #endif /* WITH_OPENSSL */ |
4464 | } |
4465 | |
4466 | #ifdef WITH_OPENSSL1 |
4467 | static int |
4468 | translate_libcrypto_error(unsigned long pem_err) |
4469 | { |
4470 | int pem_reason = ERR_GET_REASON(pem_err)(int)((pem_err)&0xfffL); |
4471 | |
4472 | switch (ERR_GET_LIB(pem_err)(int)((((unsigned long)pem_err)>>24L)&0xffL)) { |
4473 | case ERR_LIB_PEM9: |
4474 | switch (pem_reason) { |
4475 | case PEM_R_BAD_PASSWORD_READ104: |
4476 | case PEM_R_PROBLEMS_GETTING_PASSWORD109: |
4477 | case PEM_R_BAD_DECRYPT101: |
4478 | return SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4479 | default: |
4480 | return SSH_ERR_INVALID_FORMAT-4; |
4481 | } |
4482 | case ERR_LIB_EVP6: |
4483 | switch (pem_reason) { |
4484 | case EVP_R_BAD_DECRYPT100: |
4485 | return SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4486 | #ifdef EVP_R_BN_DECODE_ERROR112 |
4487 | case EVP_R_BN_DECODE_ERROR112: |
4488 | #endif |
4489 | case EVP_R_DECODE_ERROR114: |
4490 | #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR145 |
4491 | case EVP_R_PRIVATE_KEY_DECODE_ERROR145: |
4492 | #endif |
4493 | return SSH_ERR_INVALID_FORMAT-4; |
4494 | default: |
4495 | return SSH_ERR_LIBCRYPTO_ERROR-22; |
4496 | } |
4497 | case ERR_LIB_ASN113: |
4498 | return SSH_ERR_INVALID_FORMAT-4; |
4499 | } |
4500 | return SSH_ERR_LIBCRYPTO_ERROR-22; |
4501 | } |
4502 | |
4503 | static void |
4504 | clear_libcrypto_errors(void) |
4505 | { |
4506 | while (ERR_get_error() != 0) |
4507 | ; |
4508 | } |
4509 | |
4510 | /* |
4511 | * Translate OpenSSL error codes to determine whether |
4512 | * passphrase is required/incorrect. |
4513 | */ |
4514 | static int |
4515 | convert_libcrypto_error(void) |
4516 | { |
4517 | /* |
4518 | * Some password errors are reported at the beginning |
4519 | * of the error queue. |
4520 | */ |
4521 | if (translate_libcrypto_error(ERR_peek_error()) == |
4522 | SSH_ERR_KEY_WRONG_PASSPHRASE-43) |
4523 | return SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4524 | return translate_libcrypto_error(ERR_peek_last_error()); |
4525 | } |
4526 | |
4527 | static int |
4528 | sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, |
4529 | const char *passphrase, struct sshkey **keyp) |
4530 | { |
4531 | EVP_PKEY *pk = NULL((void*)0); |
4532 | struct sshkey *prv = NULL((void*)0); |
4533 | BIO *bio = NULL((void*)0); |
4534 | int r; |
4535 | |
4536 | if (keyp != NULL((void*)0)) |
4537 | *keyp = NULL((void*)0); |
4538 | |
4539 | if ((bio = BIO_new(BIO_s_mem())) == NULL((void*)0) || sshbuf_len(blob) > INT_MAX2147483647) |
4540 | return SSH_ERR_ALLOC_FAIL-2; |
4541 | if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != |
4542 | (int)sshbuf_len(blob)) { |
4543 | r = SSH_ERR_ALLOC_FAIL-2; |
4544 | goto out; |
4545 | } |
4546 | |
4547 | clear_libcrypto_errors(); |
4548 | if ((pk = PEM_read_bio_PrivateKey(bio, NULL((void*)0), NULL((void*)0), |
4549 | (char *)passphrase)) == NULL((void*)0)) { |
4550 | /* |
4551 | * libcrypto may return various ASN.1 errors when attempting |
4552 | * to parse a key with an incorrect passphrase. |
4553 | * Treat all format errors as "incorrect passphrase" if a |
4554 | * passphrase was supplied. |
4555 | */ |
4556 | if (passphrase != NULL((void*)0) && *passphrase != '\0') |
4557 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
4558 | else |
4559 | r = convert_libcrypto_error(); |
4560 | goto out; |
4561 | } |
4562 | if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA6 && |
4563 | (type == KEY_UNSPEC || type == KEY_RSA)) { |
4564 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) { |
4565 | r = SSH_ERR_ALLOC_FAIL-2; |
4566 | goto out; |
4567 | } |
4568 | prv->rsa = EVP_PKEY_get1_RSA(pk); |
4569 | prv->type = KEY_RSA; |
4570 | #ifdef DEBUG_PK |
4571 | RSA_print_fp(stderr(&__sF[2]), prv->rsa, 8); |
4572 | #endif |
4573 | if (RSA_blinding_on(prv->rsa, NULL((void*)0)) != 1) { |
4574 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
4575 | goto out; |
4576 | } |
4577 | if ((r = check_rsa_length(prv->rsa)) != 0) |
4578 | goto out; |
4579 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA116 && |
4580 | (type == KEY_UNSPEC || type == KEY_DSA)) { |
4581 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) { |
4582 | r = SSH_ERR_ALLOC_FAIL-2; |
4583 | goto out; |
4584 | } |
4585 | prv->dsa = EVP_PKEY_get1_DSA(pk); |
4586 | prv->type = KEY_DSA; |
4587 | #ifdef DEBUG_PK |
4588 | DSA_print_fp(stderr(&__sF[2]), prv->dsa, 8); |
4589 | #endif |
4590 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC408 && |
4591 | (type == KEY_UNSPEC || type == KEY_ECDSA)) { |
4592 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) { |
4593 | r = SSH_ERR_ALLOC_FAIL-2; |
4594 | goto out; |
4595 | } |
4596 | prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); |
4597 | prv->type = KEY_ECDSA; |
4598 | prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); |
4599 | if (prv->ecdsa_nid == -1 || |
4600 | sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL((void*)0) || |
4601 | sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), |
4602 | EC_KEY_get0_public_key(prv->ecdsa)) != 0 || |
4603 | sshkey_ec_validate_private(prv->ecdsa) != 0) { |
4604 | r = SSH_ERR_INVALID_FORMAT-4; |
4605 | goto out; |
4606 | } |
4607 | #ifdef DEBUG_PK |
4608 | if (prv != NULL((void*)0) && prv->ecdsa != NULL((void*)0)) |
4609 | sshkey_dump_ec_key(prv->ecdsa); |
4610 | #endif |
4611 | } else { |
4612 | r = SSH_ERR_INVALID_FORMAT-4; |
4613 | goto out; |
4614 | } |
4615 | r = 0; |
4616 | if (keyp != NULL((void*)0)) { |
4617 | *keyp = prv; |
4618 | prv = NULL((void*)0); |
4619 | } |
4620 | out: |
4621 | BIO_free(bio); |
4622 | EVP_PKEY_free(pk); |
4623 | sshkey_free(prv); |
4624 | return r; |
4625 | } |
4626 | #endif /* WITH_OPENSSL */ |
4627 | |
4628 | int |
4629 | sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, |
4630 | const char *passphrase, struct sshkey **keyp, char **commentp) |
4631 | { |
4632 | int r = SSH_ERR_INTERNAL_ERROR-1; |
4633 | |
4634 | if (keyp != NULL((void*)0)) |
4635 | *keyp = NULL((void*)0); |
4636 | if (commentp != NULL((void*)0)) |
4637 | *commentp = NULL((void*)0); |
4638 | |
4639 | switch (type) { |
4640 | case KEY_ED25519: |
4641 | case KEY_XMSS: |
4642 | /* No fallback for new-format-only keys */ |
4643 | return sshkey_parse_private2(blob, type, passphrase, |
4644 | keyp, commentp); |
4645 | default: |
4646 | r = sshkey_parse_private2(blob, type, passphrase, keyp, |
4647 | commentp); |
4648 | /* Only fallback to PEM parser if a format error occurred. */ |
4649 | if (r != SSH_ERR_INVALID_FORMAT-4) |
4650 | return r; |
4651 | #ifdef WITH_OPENSSL1 |
4652 | return sshkey_parse_private_pem_fileblob(blob, type, |
4653 | passphrase, keyp); |
4654 | #else |
4655 | return SSH_ERR_INVALID_FORMAT-4; |
4656 | #endif /* WITH_OPENSSL */ |
4657 | } |
4658 | } |
4659 | |
4660 | int |
4661 | sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, |
4662 | struct sshkey **keyp, char **commentp) |
4663 | { |
4664 | if (keyp != NULL((void*)0)) |
4665 | *keyp = NULL((void*)0); |
4666 | if (commentp != NULL((void*)0)) |
4667 | *commentp = NULL((void*)0); |
4668 | |
4669 | return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, |
4670 | passphrase, keyp, commentp); |
4671 | } |
4672 | |
4673 | void |
4674 | sshkey_sig_details_free(struct sshkey_sig_details *details) |
4675 | { |
4676 | freezero(details, sizeof(*details)); |
4677 | } |
4678 | |
4679 | int |
4680 | sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, |
4681 | struct sshkey **pubkeyp) |
4682 | { |
4683 | int r = SSH_ERR_INTERNAL_ERROR-1; |
4684 | |
4685 | if (pubkeyp != NULL((void*)0)) |
4686 | *pubkeyp = NULL((void*)0); |
4687 | /* only new-format private keys bundle a public key inside */ |
4688 | if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) |
4689 | return r; |
4690 | return 0; |
4691 | } |
4692 | |
4693 | #ifdef WITH_XMSS |
4694 | /* |
4695 | * serialize the key with the current state and forward the state |
4696 | * maxsign times. |
4697 | */ |
4698 | int |
4699 | sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, |
4700 | u_int32_t maxsign, int printerror) |
4701 | { |
4702 | int r, rupdate; |
4703 | |
4704 | if (maxsign == 0 || |
4705 | sshkey_type_plain(k->type) != KEY_XMSS) |
4706 | return sshkey_private_serialize_opt(k, b, |
4707 | SSHKEY_SERIALIZE_DEFAULT); |
4708 | if ((r = sshkey_xmss_get_state(k, printerror)) != 0 || |
4709 | (r = sshkey_private_serialize_opt(k, b, |
4710 | SSHKEY_SERIALIZE_STATE)) != 0 || |
4711 | (r = sshkey_xmss_forward_state(k, maxsign)) != 0) |
4712 | goto out; |
4713 | r = 0; |
4714 | out: |
4715 | if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) { |
4716 | if (r == 0) |
4717 | r = rupdate; |
4718 | } |
4719 | return r; |
4720 | } |
4721 | |
4722 | u_int32_t |
4723 | sshkey_signatures_left(const struct sshkey *k) |
4724 | { |
4725 | if (sshkey_type_plain(k->type) == KEY_XMSS) |
4726 | return sshkey_xmss_signatures_left(k); |
4727 | return 0; |
4728 | } |
4729 | |
4730 | int |
4731 | sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) |
4732 | { |
4733 | if (sshkey_type_plain(k->type) != KEY_XMSS) |
4734 | return SSH_ERR_INVALID_ARGUMENT-10; |
4735 | return sshkey_xmss_enable_maxsign(k, maxsign); |
4736 | } |
4737 | |
4738 | int |
4739 | sshkey_set_filename(struct sshkey *k, const char *filename) |
4740 | { |
4741 | if (k == NULL((void*)0)) |
4742 | return SSH_ERR_INVALID_ARGUMENT-10; |
4743 | if (sshkey_type_plain(k->type) != KEY_XMSS) |
4744 | return 0; |
4745 | if (filename == NULL((void*)0)) |
4746 | return SSH_ERR_INVALID_ARGUMENT-10; |
4747 | if ((k->xmss_filename = strdup(filename)) == NULL((void*)0)) |
4748 | return SSH_ERR_ALLOC_FAIL-2; |
4749 | return 0; |
4750 | } |
4751 | #else |
4752 | int |
4753 | sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, |
4754 | u_int32_t maxsign, int printerror) |
4755 | { |
4756 | return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); |
4757 | } |
4758 | |
4759 | u_int32_t |
4760 | sshkey_signatures_left(const struct sshkey *k) |
4761 | { |
4762 | return 0; |
4763 | } |
4764 | |
4765 | int |
4766 | sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) |
4767 | { |
4768 | return SSH_ERR_INVALID_ARGUMENT-10; |
4769 | } |
4770 | |
4771 | int |
4772 | sshkey_set_filename(struct sshkey *k, const char *filename) |
4773 | { |
4774 | if (k == NULL((void*)0)) |
4775 | return SSH_ERR_INVALID_ARGUMENT-10; |
4776 | return 0; |
4777 | } |
4778 | #endif /* WITH_XMSS */ |