File: | src/usr.bin/ssh/ssh/../sshkey.c |
Warning: | line 1746, column 7 Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret' |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: sshkey.c,v 1.142 2024/01/11 01:45:36 djm Exp $ */ |
2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
5 | * Copyright (c) 2010,2011 Damien Miller. All rights reserved. |
6 | * |
7 | * Redistribution and use in source and binary forms, with or without |
8 | * modification, are permitted provided that the following conditions |
9 | * are met: |
10 | * 1. Redistributions of source code must retain the above copyright |
11 | * notice, this list of conditions and the following disclaimer. |
12 | * 2. Redistributions in binary form must reproduce the above copyright |
13 | * notice, this list of conditions and the following disclaimer in the |
14 | * documentation and/or other materials provided with the distribution. |
15 | * |
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
17 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
18 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
19 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
20 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
21 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
22 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
23 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
24 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
25 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
26 | */ |
27 | |
28 | #include <sys/types.h> |
29 | #include <netinet/in.h> |
30 | |
31 | #ifdef WITH_OPENSSL1 |
32 | #include <openssl/evp.h> |
33 | #include <openssl/err.h> |
34 | #include <openssl/pem.h> |
35 | #endif |
36 | |
37 | #include "crypto_api.h" |
38 | |
39 | #include <errno(*__errno()).h> |
40 | #include <stdio.h> |
41 | #include <stdlib.h> |
42 | #include <string.h> |
43 | #include <util.h> |
44 | #include <limits.h> |
45 | #include <resolv.h> |
46 | |
47 | #include "ssh2.h" |
48 | #include "ssherr.h" |
49 | #include "misc.h" |
50 | #include "sshbuf.h" |
51 | #include "cipher.h" |
52 | #include "digest.h" |
53 | #define SSHKEY_INTERNAL |
54 | #include "sshkey.h" |
55 | #include "match.h" |
56 | #include "ssh-sk.h" |
57 | |
58 | #ifdef WITH_XMSS |
59 | #include "sshkey-xmss.h" |
60 | #include "xmss_fast.h" |
61 | #endif |
62 | |
63 | /* openssh private key file format */ |
64 | #define MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n" "-----BEGIN OPENSSH PRIVATE KEY-----\n" |
65 | #define MARK_END"-----END OPENSSH PRIVATE KEY-----\n" "-----END OPENSSH PRIVATE KEY-----\n" |
66 | #define MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) |
67 | #define MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_END"-----END OPENSSH PRIVATE KEY-----\n") - 1) |
68 | #define KDFNAME"bcrypt" "bcrypt" |
69 | #define AUTH_MAGIC"openssh-key-v1" "openssh-key-v1" |
70 | #define SALT_LEN16 16 |
71 | #define DEFAULT_CIPHERNAME"aes256-ctr" "aes256-ctr" |
72 | #define DEFAULT_ROUNDS24 24 |
73 | |
74 | /* Version identification string for SSH v1 identity files. */ |
75 | #define LEGACY_BEGIN"SSH PRIVATE KEY FILE FORMAT 1.1\n" "SSH PRIVATE KEY FILE FORMAT 1.1\n" |
76 | |
77 | /* |
78 | * Constants relating to "shielding" support; protection of keys expected |
79 | * to remain in memory for long durations |
80 | */ |
81 | #define SSHKEY_SHIELD_PREKEY_LEN(16 * 1024) (16 * 1024) |
82 | #define SSHKEY_SHIELD_CIPHER"aes256-ctr" "aes256-ctr" /* XXX want AES-EME* */ |
83 | #define SSHKEY_SHIELD_PREKEY_HASH4 SSH_DIGEST_SHA5124 |
84 | |
85 | int sshkey_private_serialize_opt(struct sshkey *key, |
86 | struct sshbuf *buf, enum sshkey_serialize_rep); |
87 | static int sshkey_from_blob_internal(struct sshbuf *buf, |
88 | struct sshkey **keyp, int allow_cert); |
89 | |
90 | /* Supported key types */ |
91 | extern const struct sshkey_impl sshkey_ed25519_impl; |
92 | extern const struct sshkey_impl sshkey_ed25519_cert_impl; |
93 | extern const struct sshkey_impl sshkey_ed25519_sk_impl; |
94 | extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl; |
95 | #ifdef WITH_OPENSSL1 |
96 | extern const struct sshkey_impl sshkey_ecdsa_sk_impl; |
97 | extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl; |
98 | extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl; |
99 | extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl; |
100 | extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl; |
101 | extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl; |
102 | extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl; |
103 | extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl; |
104 | extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl; |
105 | extern const struct sshkey_impl sshkey_rsa_impl; |
106 | extern const struct sshkey_impl sshkey_rsa_cert_impl; |
107 | extern const struct sshkey_impl sshkey_rsa_sha256_impl; |
108 | extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl; |
109 | extern const struct sshkey_impl sshkey_rsa_sha512_impl; |
110 | extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl; |
111 | # ifdef WITH_DSA1 |
112 | extern const struct sshkey_impl sshkey_dss_impl; |
113 | extern const struct sshkey_impl sshkey_dsa_cert_impl; |
114 | # endif |
115 | #endif /* WITH_OPENSSL */ |
116 | #ifdef WITH_XMSS |
117 | extern const struct sshkey_impl sshkey_xmss_impl; |
118 | extern const struct sshkey_impl sshkey_xmss_cert_impl; |
119 | #endif |
120 | |
121 | const struct sshkey_impl * const keyimpls[] = { |
122 | &sshkey_ed25519_impl, |
123 | &sshkey_ed25519_cert_impl, |
124 | &sshkey_ed25519_sk_impl, |
125 | &sshkey_ed25519_sk_cert_impl, |
126 | #ifdef WITH_OPENSSL1 |
127 | &sshkey_ecdsa_nistp256_impl, |
128 | &sshkey_ecdsa_nistp256_cert_impl, |
129 | &sshkey_ecdsa_nistp384_impl, |
130 | &sshkey_ecdsa_nistp384_cert_impl, |
131 | &sshkey_ecdsa_nistp521_impl, |
132 | &sshkey_ecdsa_nistp521_cert_impl, |
133 | &sshkey_ecdsa_sk_impl, |
134 | &sshkey_ecdsa_sk_cert_impl, |
135 | &sshkey_ecdsa_sk_webauthn_impl, |
136 | # ifdef WITH_DSA1 |
137 | &sshkey_dss_impl, |
138 | &sshkey_dsa_cert_impl, |
139 | # endif |
140 | &sshkey_rsa_impl, |
141 | &sshkey_rsa_cert_impl, |
142 | &sshkey_rsa_sha256_impl, |
143 | &sshkey_rsa_sha256_cert_impl, |
144 | &sshkey_rsa_sha512_impl, |
145 | &sshkey_rsa_sha512_cert_impl, |
146 | #endif /* WITH_OPENSSL */ |
147 | #ifdef WITH_XMSS |
148 | &sshkey_xmss_impl, |
149 | &sshkey_xmss_cert_impl, |
150 | #endif |
151 | NULL((void *)0) |
152 | }; |
153 | |
154 | static const struct sshkey_impl * |
155 | sshkey_impl_from_type(int type) |
156 | { |
157 | int i; |
158 | |
159 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
160 | if (keyimpls[i]->type == type) |
161 | return keyimpls[i]; |
162 | } |
163 | return NULL((void *)0); |
164 | } |
165 | |
166 | static const struct sshkey_impl * |
167 | sshkey_impl_from_type_nid(int type, int nid) |
168 | { |
169 | int i; |
170 | |
171 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
172 | if (keyimpls[i]->type == type && |
173 | (keyimpls[i]->nid == 0 || keyimpls[i]->nid == nid)) |
174 | return keyimpls[i]; |
175 | } |
176 | return NULL((void *)0); |
177 | } |
178 | |
179 | static const struct sshkey_impl * |
180 | sshkey_impl_from_key(const struct sshkey *k) |
181 | { |
182 | if (k == NULL((void *)0)) |
183 | return NULL((void *)0); |
184 | return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid); |
185 | } |
186 | |
187 | const char * |
188 | sshkey_type(const struct sshkey *k) |
189 | { |
190 | const struct sshkey_impl *impl; |
191 | |
192 | if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0)) |
193 | return "unknown"; |
194 | return impl->shortname; |
195 | } |
196 | |
197 | static const char * |
198 | sshkey_ssh_name_from_type_nid(int type, int nid) |
199 | { |
200 | const struct sshkey_impl *impl; |
201 | |
202 | if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL((void *)0)) |
203 | return "ssh-unknown"; |
204 | return impl->name; |
205 | } |
206 | |
207 | int |
208 | sshkey_type_is_cert(int type) |
209 | { |
210 | const struct sshkey_impl *impl; |
211 | |
212 | if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) |
213 | return 0; |
214 | return impl->cert; |
215 | } |
216 | |
217 | const char * |
218 | sshkey_ssh_name(const struct sshkey *k) |
219 | { |
220 | return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid); |
221 | } |
222 | |
223 | const char * |
224 | sshkey_ssh_name_plain(const struct sshkey *k) |
225 | { |
226 | return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type), |
227 | k->ecdsa_nid); |
228 | } |
229 | |
230 | int |
231 | sshkey_type_from_name(const char *name) |
232 | { |
233 | int i; |
234 | const struct sshkey_impl *impl; |
235 | |
236 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
237 | impl = keyimpls[i]; |
238 | /* Only allow shortname matches for plain key types */ |
239 | if ((impl->name != NULL((void *)0) && strcmp(name, impl->name) == 0) || |
240 | (!impl->cert && strcasecmp(impl->shortname, name) == 0)) |
241 | return impl->type; |
242 | } |
243 | return KEY_UNSPEC; |
244 | } |
245 | |
246 | static int |
247 | key_type_is_ecdsa_variant(int type) |
248 | { |
249 | switch (type) { |
250 | case KEY_ECDSA: |
251 | case KEY_ECDSA_CERT: |
252 | case KEY_ECDSA_SK: |
253 | case KEY_ECDSA_SK_CERT: |
254 | return 1; |
255 | } |
256 | return 0; |
257 | } |
258 | |
259 | int |
260 | sshkey_ecdsa_nid_from_name(const char *name) |
261 | { |
262 | int i; |
263 | |
264 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
265 | if (!key_type_is_ecdsa_variant(keyimpls[i]->type)) |
266 | continue; |
267 | if (keyimpls[i]->name != NULL((void *)0) && |
268 | strcmp(name, keyimpls[i]->name) == 0) |
269 | return keyimpls[i]->nid; |
270 | } |
271 | return -1; |
272 | } |
273 | |
274 | int |
275 | sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) |
276 | { |
277 | int ktype; |
278 | |
279 | if (sigalgs == NULL((void *)0) || *sigalgs == '\0' || |
280 | (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) |
281 | return 0; |
282 | else if (ktype == KEY_RSA) { |
283 | return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || |
284 | match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || |
285 | match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; |
286 | } else if (ktype == KEY_RSA_CERT) { |
287 | return match_pattern_list("ssh-rsa-cert-v01@openssh.com", |
288 | sigalgs, 0) == 1 || |
289 | match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", |
290 | sigalgs, 0) == 1 || |
291 | match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", |
292 | sigalgs, 0) == 1; |
293 | } else |
294 | return match_pattern_list(keyname, sigalgs, 0) == 1; |
295 | } |
296 | |
297 | char * |
298 | sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
299 | { |
300 | char *tmp, *ret = NULL((void *)0); |
301 | size_t i, nlen, rlen = 0; |
302 | const struct sshkey_impl *impl; |
303 | |
304 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
305 | impl = keyimpls[i]; |
306 | if (impl->name == NULL((void *)0)) |
307 | continue; |
308 | if (!include_sigonly && impl->sigonly) |
309 | continue; |
310 | if ((certs_only && !impl->cert) || (plain_only && impl->cert)) |
311 | continue; |
312 | if (ret != NULL((void *)0)) |
313 | ret[rlen++] = sep; |
314 | nlen = strlen(impl->name); |
315 | if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL((void *)0)) { |
316 | free(ret); |
317 | return NULL((void *)0); |
318 | } |
319 | ret = tmp; |
320 | memcpy(ret + rlen, impl->name, nlen + 1); |
321 | rlen += nlen; |
322 | } |
323 | return ret; |
324 | } |
325 | |
326 | int |
327 | sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only) |
328 | { |
329 | char *s, *cp, *p; |
330 | const struct sshkey_impl *impl; |
331 | int i, type; |
332 | |
333 | if (names == NULL((void *)0) || strcmp(names, "") == 0) |
334 | return 0; |
335 | if ((s = cp = strdup(names)) == NULL((void *)0)) |
336 | return 0; |
337 | for ((p = strsep(&cp, ",")); p && *p != '\0'; |
338 | (p = strsep(&cp, ","))) { |
339 | type = sshkey_type_from_name(p); |
340 | if (type == KEY_UNSPEC) { |
341 | if (allow_wildcard) { |
342 | /* |
343 | * Try matching key types against the string. |
344 | * If any has a positive or negative match then |
345 | * the component is accepted. |
346 | */ |
347 | impl = NULL((void *)0); |
348 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
349 | if (match_pattern_list( |
350 | keyimpls[i]->name, p, 0) != 0) { |
351 | impl = keyimpls[i]; |
352 | break; |
353 | } |
354 | } |
355 | if (impl != NULL((void *)0)) |
356 | continue; |
357 | } |
358 | free(s); |
359 | return 0; |
360 | } else if (plain_only && sshkey_type_is_cert(type)) { |
361 | free(s); |
362 | return 0; |
363 | } |
364 | } |
365 | free(s); |
366 | return 1; |
367 | } |
368 | |
369 | u_int |
370 | sshkey_size(const struct sshkey *k) |
371 | { |
372 | const struct sshkey_impl *impl; |
373 | |
374 | if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0)) |
375 | return 0; |
376 | if (impl->funcs->size != NULL((void *)0)) |
377 | return impl->funcs->size(k); |
378 | return impl->keybits; |
379 | } |
380 | |
381 | static int |
382 | sshkey_type_is_valid_ca(int type) |
383 | { |
384 | const struct sshkey_impl *impl; |
385 | |
386 | if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) |
387 | return 0; |
388 | /* All non-certificate types may act as CAs */ |
389 | return !impl->cert; |
390 | } |
391 | |
392 | int |
393 | sshkey_is_cert(const struct sshkey *k) |
394 | { |
395 | if (k == NULL((void *)0)) |
396 | return 0; |
397 | return sshkey_type_is_cert(k->type); |
398 | } |
399 | |
400 | int |
401 | sshkey_is_sk(const struct sshkey *k) |
402 | { |
403 | if (k == NULL((void *)0)) |
404 | return 0; |
405 | switch (sshkey_type_plain(k->type)) { |
406 | case KEY_ECDSA_SK: |
407 | case KEY_ED25519_SK: |
408 | return 1; |
409 | default: |
410 | return 0; |
411 | } |
412 | } |
413 | |
414 | /* Return the cert-less equivalent to a certified key type */ |
415 | int |
416 | sshkey_type_plain(int type) |
417 | { |
418 | switch (type) { |
419 | case KEY_RSA_CERT: |
420 | return KEY_RSA; |
421 | case KEY_DSA_CERT: |
422 | return KEY_DSA; |
423 | case KEY_ECDSA_CERT: |
424 | return KEY_ECDSA; |
425 | case KEY_ECDSA_SK_CERT: |
426 | return KEY_ECDSA_SK; |
427 | case KEY_ED25519_CERT: |
428 | return KEY_ED25519; |
429 | case KEY_ED25519_SK_CERT: |
430 | return KEY_ED25519_SK; |
431 | case KEY_XMSS_CERT: |
432 | return KEY_XMSS; |
433 | default: |
434 | return type; |
435 | } |
436 | } |
437 | |
438 | /* Return the cert equivalent to a plain key type */ |
439 | static int |
440 | sshkey_type_certified(int type) |
441 | { |
442 | switch (type) { |
443 | case KEY_RSA: |
444 | return KEY_RSA_CERT; |
445 | case KEY_DSA: |
446 | return KEY_DSA_CERT; |
447 | case KEY_ECDSA: |
448 | return KEY_ECDSA_CERT; |
449 | case KEY_ECDSA_SK: |
450 | return KEY_ECDSA_SK_CERT; |
451 | case KEY_ED25519: |
452 | return KEY_ED25519_CERT; |
453 | case KEY_ED25519_SK: |
454 | return KEY_ED25519_SK_CERT; |
455 | case KEY_XMSS: |
456 | return KEY_XMSS_CERT; |
457 | default: |
458 | return -1; |
459 | } |
460 | } |
461 | |
462 | #ifdef WITH_OPENSSL1 |
463 | /* XXX: these are really begging for a table-driven approach */ |
464 | int |
465 | sshkey_curve_name_to_nid(const char *name) |
466 | { |
467 | if (strcmp(name, "nistp256") == 0) |
468 | return NID_X9_62_prime256v1415; |
469 | else if (strcmp(name, "nistp384") == 0) |
470 | return NID_secp384r1715; |
471 | else if (strcmp(name, "nistp521") == 0) |
472 | return NID_secp521r1716; |
473 | else |
474 | return -1; |
475 | } |
476 | |
477 | u_int |
478 | sshkey_curve_nid_to_bits(int nid) |
479 | { |
480 | switch (nid) { |
481 | case NID_X9_62_prime256v1415: |
482 | return 256; |
483 | case NID_secp384r1715: |
484 | return 384; |
485 | case NID_secp521r1716: |
486 | return 521; |
487 | default: |
488 | return 0; |
489 | } |
490 | } |
491 | |
492 | int |
493 | sshkey_ecdsa_bits_to_nid(int bits) |
494 | { |
495 | switch (bits) { |
496 | case 256: |
497 | return NID_X9_62_prime256v1415; |
498 | case 384: |
499 | return NID_secp384r1715; |
500 | case 521: |
501 | return NID_secp521r1716; |
502 | default: |
503 | return -1; |
504 | } |
505 | } |
506 | |
507 | const char * |
508 | sshkey_curve_nid_to_name(int nid) |
509 | { |
510 | switch (nid) { |
511 | case NID_X9_62_prime256v1415: |
512 | return "nistp256"; |
513 | case NID_secp384r1715: |
514 | return "nistp384"; |
515 | case NID_secp521r1716: |
516 | return "nistp521"; |
517 | default: |
518 | return NULL((void *)0); |
519 | } |
520 | } |
521 | |
522 | int |
523 | sshkey_ec_nid_to_hash_alg(int nid) |
524 | { |
525 | int kbits = sshkey_curve_nid_to_bits(nid); |
526 | |
527 | if (kbits <= 0) |
528 | return -1; |
529 | |
530 | /* RFC5656 section 6.2.1 */ |
531 | if (kbits <= 256) |
532 | return SSH_DIGEST_SHA2562; |
533 | else if (kbits <= 384) |
534 | return SSH_DIGEST_SHA3843; |
535 | else |
536 | return SSH_DIGEST_SHA5124; |
537 | } |
538 | #endif /* WITH_OPENSSL */ |
539 | |
540 | static void |
541 | cert_free(struct sshkey_cert *cert) |
542 | { |
543 | u_int i; |
544 | |
545 | if (cert == NULL((void *)0)) |
546 | return; |
547 | sshbuf_free(cert->certblob); |
548 | sshbuf_free(cert->critical); |
549 | sshbuf_free(cert->extensions); |
550 | free(cert->key_id); |
551 | for (i = 0; i < cert->nprincipals; i++) |
552 | free(cert->principals[i]); |
553 | free(cert->principals); |
554 | sshkey_free(cert->signature_key); |
555 | free(cert->signature_type); |
556 | freezero(cert, sizeof(*cert)); |
557 | } |
558 | |
559 | static struct sshkey_cert * |
560 | cert_new(void) |
561 | { |
562 | struct sshkey_cert *cert; |
563 | |
564 | if ((cert = calloc(1, sizeof(*cert))) == NULL((void *)0)) |
565 | return NULL((void *)0); |
566 | if ((cert->certblob = sshbuf_new()) == NULL((void *)0) || |
567 | (cert->critical = sshbuf_new()) == NULL((void *)0) || |
568 | (cert->extensions = sshbuf_new()) == NULL((void *)0)) { |
569 | cert_free(cert); |
570 | return NULL((void *)0); |
571 | } |
572 | cert->key_id = NULL((void *)0); |
573 | cert->principals = NULL((void *)0); |
574 | cert->signature_key = NULL((void *)0); |
575 | cert->signature_type = NULL((void *)0); |
576 | return cert; |
577 | } |
578 | |
579 | struct sshkey * |
580 | sshkey_new(int type) |
581 | { |
582 | struct sshkey *k; |
583 | const struct sshkey_impl *impl = NULL((void *)0); |
584 | |
585 | if (type != KEY_UNSPEC && |
586 | (impl = sshkey_impl_from_type(type)) == NULL((void *)0)) |
587 | return NULL((void *)0); |
588 | |
589 | /* All non-certificate types may act as CAs */ |
590 | if ((k = calloc(1, sizeof(*k))) == NULL((void *)0)) |
591 | return NULL((void *)0); |
592 | k->type = type; |
593 | k->ecdsa_nid = -1; |
594 | if (impl != NULL((void *)0) && impl->funcs->alloc != NULL((void *)0)) { |
595 | if (impl->funcs->alloc(k) != 0) { |
596 | free(k); |
597 | return NULL((void *)0); |
598 | } |
599 | } |
600 | if (sshkey_is_cert(k)) { |
601 | if ((k->cert = cert_new()) == NULL((void *)0)) { |
602 | sshkey_free(k); |
603 | return NULL((void *)0); |
604 | } |
605 | } |
606 | |
607 | return k; |
608 | } |
609 | |
610 | /* Frees common FIDO fields */ |
611 | void |
612 | sshkey_sk_cleanup(struct sshkey *k) |
613 | { |
614 | free(k->sk_application); |
615 | sshbuf_free(k->sk_key_handle); |
616 | sshbuf_free(k->sk_reserved); |
617 | k->sk_application = NULL((void *)0); |
618 | k->sk_key_handle = k->sk_reserved = NULL((void *)0); |
619 | } |
620 | |
621 | static void |
622 | sshkey_free_contents(struct sshkey *k) |
623 | { |
624 | const struct sshkey_impl *impl; |
625 | |
626 | if (k == NULL((void *)0)) |
627 | return; |
628 | if ((impl = sshkey_impl_from_type(k->type)) != NULL((void *)0) && |
629 | impl->funcs->cleanup != NULL((void *)0)) |
630 | impl->funcs->cleanup(k); |
631 | if (sshkey_is_cert(k)) |
632 | cert_free(k->cert); |
633 | freezero(k->shielded_private, k->shielded_len); |
634 | freezero(k->shield_prekey, k->shield_prekey_len); |
635 | } |
636 | |
637 | void |
638 | sshkey_free(struct sshkey *k) |
639 | { |
640 | sshkey_free_contents(k); |
641 | freezero(k, sizeof(*k)); |
642 | } |
643 | |
644 | static int |
645 | cert_compare(struct sshkey_cert *a, struct sshkey_cert *b) |
646 | { |
647 | if (a == NULL((void *)0) && b == NULL((void *)0)) |
648 | return 1; |
649 | if (a == NULL((void *)0) || b == NULL((void *)0)) |
650 | return 0; |
651 | if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob)) |
652 | return 0; |
653 | if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob), |
654 | sshbuf_len(a->certblob)) != 0) |
655 | return 0; |
656 | return 1; |
657 | } |
658 | |
659 | /* Compares FIDO-specific pubkey fields only */ |
660 | int |
661 | sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b) |
662 | { |
663 | if (a->sk_application == NULL((void *)0) || b->sk_application == NULL((void *)0)) |
664 | return 0; |
665 | if (strcmp(a->sk_application, b->sk_application) != 0) |
666 | return 0; |
667 | return 1; |
668 | } |
669 | |
670 | /* |
671 | * Compare public portions of key only, allowing comparisons between |
672 | * certificates and plain keys too. |
673 | */ |
674 | int |
675 | sshkey_equal_public(const struct sshkey *a, const struct sshkey *b) |
676 | { |
677 | const struct sshkey_impl *impl; |
678 | |
679 | if (a == NULL((void *)0) || b == NULL((void *)0) || |
680 | sshkey_type_plain(a->type) != sshkey_type_plain(b->type)) |
681 | return 0; |
682 | if ((impl = sshkey_impl_from_type(a->type)) == NULL((void *)0)) |
683 | return 0; |
684 | return impl->funcs->equal(a, b); |
685 | } |
686 | |
687 | int |
688 | sshkey_equal(const struct sshkey *a, const struct sshkey *b) |
689 | { |
690 | if (a == NULL((void *)0) || b == NULL((void *)0) || a->type != b->type) |
691 | return 0; |
692 | if (sshkey_is_cert(a)) { |
693 | if (!cert_compare(a->cert, b->cert)) |
694 | return 0; |
695 | } |
696 | return sshkey_equal_public(a, b); |
697 | } |
698 | |
699 | |
700 | /* Serialise common FIDO key parts */ |
701 | int |
702 | sshkey_serialize_sk(const struct sshkey *key, struct sshbuf *b) |
703 | { |
704 | int r; |
705 | |
706 | if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0) |
707 | return r; |
708 | |
709 | return 0; |
710 | } |
711 | |
712 | static int |
713 | to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain, |
714 | enum sshkey_serialize_rep opts) |
715 | { |
716 | int type, ret = SSH_ERR_INTERNAL_ERROR-1; |
717 | const char *typename; |
718 | const struct sshkey_impl *impl; |
719 | |
720 | if (key == NULL((void *)0)) |
721 | return SSH_ERR_INVALID_ARGUMENT-10; |
722 | |
723 | type = force_plain ? sshkey_type_plain(key->type) : key->type; |
724 | |
725 | if (sshkey_type_is_cert(type)) { |
726 | if (key->cert == NULL((void *)0)) |
727 | return SSH_ERR_EXPECTED_CERT-16; |
728 | if (sshbuf_len(key->cert->certblob) == 0) |
729 | return SSH_ERR_KEY_LACKS_CERTBLOB-17; |
730 | /* Use the existing blob */ |
731 | if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0) |
732 | return ret; |
733 | return 0; |
734 | } |
735 | if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) |
736 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
737 | |
738 | typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid); |
739 | if ((ret = sshbuf_put_cstring(b, typename)) != 0) |
740 | return ret; |
741 | return impl->funcs->serialize_public(key, b, opts); |
742 | } |
743 | |
744 | int |
745 | sshkey_putb(const struct sshkey *key, struct sshbuf *b) |
746 | { |
747 | return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT); |
748 | } |
749 | |
750 | int |
751 | sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b, |
752 | enum sshkey_serialize_rep opts) |
753 | { |
754 | struct sshbuf *tmp; |
755 | int r; |
756 | |
757 | if ((tmp = sshbuf_new()) == NULL((void *)0)) |
758 | return SSH_ERR_ALLOC_FAIL-2; |
759 | r = to_blob_buf(key, tmp, 0, opts); |
760 | if (r == 0) |
761 | r = sshbuf_put_stringb(b, tmp); |
762 | sshbuf_free(tmp); |
763 | return r; |
764 | } |
765 | |
766 | int |
767 | sshkey_puts(const struct sshkey *key, struct sshbuf *b) |
768 | { |
769 | return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT); |
770 | } |
771 | |
772 | int |
773 | sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b) |
774 | { |
775 | return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT); |
776 | } |
777 | |
778 | static int |
779 | to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain, |
780 | enum sshkey_serialize_rep opts) |
781 | { |
782 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
783 | size_t len; |
784 | struct sshbuf *b = NULL((void *)0); |
785 | |
786 | if (lenp != NULL((void *)0)) |
787 | *lenp = 0; |
788 | if (blobp != NULL((void *)0)) |
789 | *blobp = NULL((void *)0); |
790 | if ((b = sshbuf_new()) == NULL((void *)0)) |
791 | return SSH_ERR_ALLOC_FAIL-2; |
792 | if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0) |
793 | goto out; |
794 | len = sshbuf_len(b); |
795 | if (lenp != NULL((void *)0)) |
796 | *lenp = len; |
797 | if (blobp != NULL((void *)0)) { |
798 | if ((*blobp = malloc(len)) == NULL((void *)0)) { |
799 | ret = SSH_ERR_ALLOC_FAIL-2; |
800 | goto out; |
801 | } |
802 | memcpy(*blobp, sshbuf_ptr(b), len); |
803 | } |
804 | ret = 0; |
805 | out: |
806 | sshbuf_free(b); |
807 | return ret; |
808 | } |
809 | |
810 | int |
811 | sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) |
812 | { |
813 | return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT); |
814 | } |
815 | |
816 | int |
817 | sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) |
818 | { |
819 | return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT); |
820 | } |
821 | |
822 | int |
823 | sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, |
824 | u_char **retp, size_t *lenp) |
825 | { |
826 | u_char *blob = NULL((void *)0), *ret = NULL((void *)0); |
827 | size_t blob_len = 0; |
828 | int r = SSH_ERR_INTERNAL_ERROR-1; |
829 | |
830 | if (retp != NULL((void *)0)) |
831 | *retp = NULL((void *)0); |
832 | if (lenp != NULL((void *)0)) |
833 | *lenp = 0; |
834 | if (ssh_digest_bytes(dgst_alg) == 0) { |
835 | r = SSH_ERR_INVALID_ARGUMENT-10; |
836 | goto out; |
837 | } |
838 | if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT)) |
839 | != 0) |
840 | goto out; |
841 | if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH64)) == NULL((void *)0)) { |
842 | r = SSH_ERR_ALLOC_FAIL-2; |
843 | goto out; |
844 | } |
845 | if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, |
846 | ret, SSH_DIGEST_MAX_LENGTH64)) != 0) |
847 | goto out; |
848 | /* success */ |
849 | if (retp != NULL((void *)0)) { |
850 | *retp = ret; |
851 | ret = NULL((void *)0); |
852 | } |
853 | if (lenp != NULL((void *)0)) |
854 | *lenp = ssh_digest_bytes(dgst_alg); |
855 | r = 0; |
856 | out: |
857 | free(ret); |
858 | if (blob != NULL((void *)0)) |
859 | freezero(blob, blob_len); |
860 | return r; |
861 | } |
862 | |
863 | static char * |
864 | fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) |
865 | { |
866 | char *ret; |
867 | size_t plen = strlen(alg) + 1; |
868 | size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; |
869 | |
870 | if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL((void *)0)) |
871 | return NULL((void *)0); |
872 | strlcpy(ret, alg, rlen); |
873 | strlcat(ret, ":", rlen); |
874 | if (dgst_raw_len == 0) |
875 | return ret; |
876 | if (b64_ntop__b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) { |
877 | freezero(ret, rlen); |
878 | return NULL((void *)0); |
879 | } |
880 | /* Trim padding characters from end */ |
881 | ret[strcspn(ret, "=")] = '\0'; |
882 | return ret; |
883 | } |
884 | |
885 | static char * |
886 | fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) |
887 | { |
888 | char *retval, hex[5]; |
889 | size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; |
890 | |
891 | if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL((void *)0)) |
892 | return NULL((void *)0); |
893 | strlcpy(retval, alg, rlen); |
894 | strlcat(retval, ":", rlen); |
895 | for (i = 0; i < dgst_raw_len; i++) { |
896 | snprintf(hex, sizeof(hex), "%s%02x", |
897 | i > 0 ? ":" : "", dgst_raw[i]); |
898 | strlcat(retval, hex, rlen); |
899 | } |
900 | return retval; |
901 | } |
902 | |
903 | static char * |
904 | fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) |
905 | { |
906 | char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; |
907 | char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', |
908 | 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; |
909 | u_int i, j = 0, rounds, seed = 1; |
910 | char *retval; |
911 | |
912 | rounds = (dgst_raw_len / 2) + 1; |
913 | if ((retval = calloc(rounds, 6)) == NULL((void *)0)) |
914 | return NULL((void *)0); |
915 | retval[j++] = 'x'; |
916 | for (i = 0; i < rounds; i++) { |
917 | u_int idx0, idx1, idx2, idx3, idx4; |
918 | if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { |
919 | idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + |
920 | seed) % 6; |
921 | idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; |
922 | idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + |
923 | (seed / 6)) % 6; |
924 | retval[j++] = vowels[idx0]; |
925 | retval[j++] = consonants[idx1]; |
926 | retval[j++] = vowels[idx2]; |
927 | if ((i + 1) < rounds) { |
928 | idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; |
929 | idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; |
930 | retval[j++] = consonants[idx3]; |
931 | retval[j++] = '-'; |
932 | retval[j++] = consonants[idx4]; |
933 | seed = ((seed * 5) + |
934 | ((((u_int)(dgst_raw[2 * i])) * 7) + |
935 | ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; |
936 | } |
937 | } else { |
938 | idx0 = seed % 6; |
939 | idx1 = 16; |
940 | idx2 = seed / 6; |
941 | retval[j++] = vowels[idx0]; |
942 | retval[j++] = consonants[idx1]; |
943 | retval[j++] = vowels[idx2]; |
944 | } |
945 | } |
946 | retval[j++] = 'x'; |
947 | retval[j++] = '\0'; |
948 | return retval; |
949 | } |
950 | |
951 | /* |
952 | * Draw an ASCII-Art representing the fingerprint so human brain can |
953 | * profit from its built-in pattern recognition ability. |
954 | * This technique is called "random art" and can be found in some |
955 | * scientific publications like this original paper: |
956 | * |
957 | * "Hash Visualization: a New Technique to improve Real-World Security", |
958 | * Perrig A. and Song D., 1999, International Workshop on Cryptographic |
959 | * Techniques and E-Commerce (CrypTEC '99) |
960 | * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf |
961 | * |
962 | * The subject came up in a talk by Dan Kaminsky, too. |
963 | * |
964 | * If you see the picture is different, the key is different. |
965 | * If the picture looks the same, you still know nothing. |
966 | * |
967 | * The algorithm used here is a worm crawling over a discrete plane, |
968 | * leaving a trace (augmenting the field) everywhere it goes. |
969 | * Movement is taken from dgst_raw 2bit-wise. Bumping into walls |
970 | * makes the respective movement vector be ignored for this turn. |
971 | * Graphs are not unambiguous, because circles in graphs can be |
972 | * walked in either direction. |
973 | */ |
974 | |
975 | /* |
976 | * Field sizes for the random art. Have to be odd, so the starting point |
977 | * can be in the exact middle of the picture, and FLDBASE should be >=8 . |
978 | * Else pictures would be too dense, and drawing the frame would |
979 | * fail, too, because the key type would not fit in anymore. |
980 | */ |
981 | #define FLDBASE8 8 |
982 | #define FLDSIZE_Y(8 + 1) (FLDBASE8 + 1) |
983 | #define FLDSIZE_X(8 * 2 + 1) (FLDBASE8 * 2 + 1) |
984 | static char * |
985 | fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, |
986 | const struct sshkey *k) |
987 | { |
988 | /* |
989 | * Chars to be used after each other every time the worm |
990 | * intersects with itself. Matter of taste. |
991 | */ |
992 | char *augmentation_string = " .o+=*BOX@%&#/^SE"; |
993 | char *retval, *p, title[FLDSIZE_X(8 * 2 + 1)], hash[FLDSIZE_X(8 * 2 + 1)]; |
994 | u_char field[FLDSIZE_X(8 * 2 + 1)][FLDSIZE_Y(8 + 1)]; |
995 | size_t i, tlen, hlen; |
996 | u_int b; |
997 | int x, y, r; |
998 | size_t len = strlen(augmentation_string) - 1; |
999 | |
1000 | if ((retval = calloc((FLDSIZE_X(8 * 2 + 1) + 3), (FLDSIZE_Y(8 + 1) + 2))) == NULL((void *)0)) |
1001 | return NULL((void *)0); |
1002 | |
1003 | /* initialize field */ |
1004 | memset(field, 0, FLDSIZE_X(8 * 2 + 1) * FLDSIZE_Y(8 + 1) * sizeof(char)); |
1005 | x = FLDSIZE_X(8 * 2 + 1) / 2; |
1006 | y = FLDSIZE_Y(8 + 1) / 2; |
1007 | |
1008 | /* process raw key */ |
1009 | for (i = 0; i < dgst_raw_len; i++) { |
1010 | int input; |
1011 | /* each byte conveys four 2-bit move commands */ |
1012 | input = dgst_raw[i]; |
1013 | for (b = 0; b < 4; b++) { |
1014 | /* evaluate 2 bit, rest is shifted later */ |
1015 | x += (input & 0x1) ? 1 : -1; |
1016 | y += (input & 0x2) ? 1 : -1; |
1017 | |
1018 | /* assure we are still in bounds */ |
1019 | x = MAXIMUM(x, 0)(((x) > (0)) ? (x) : (0)); |
1020 | y = MAXIMUM(y, 0)(((y) > (0)) ? (y) : (0)); |
1021 | x = MINIMUM(x, FLDSIZE_X - 1)(((x) < ((8 * 2 + 1) - 1)) ? (x) : ((8 * 2 + 1) - 1)); |
1022 | y = MINIMUM(y, FLDSIZE_Y - 1)(((y) < ((8 + 1) - 1)) ? (y) : ((8 + 1) - 1)); |
1023 | |
1024 | /* augment the field */ |
1025 | if (field[x][y] < len - 2) |
1026 | field[x][y]++; |
1027 | input = input >> 2; |
1028 | } |
1029 | } |
1030 | |
1031 | /* mark starting point and end point*/ |
1032 | field[FLDSIZE_X(8 * 2 + 1) / 2][FLDSIZE_Y(8 + 1) / 2] = len - 1; |
1033 | field[x][y] = len; |
1034 | |
1035 | /* assemble title */ |
1036 | r = snprintf(title, sizeof(title), "[%s %u]", |
1037 | sshkey_type(k), sshkey_size(k)); |
1038 | /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ |
1039 | if (r < 0 || r > (int)sizeof(title)) |
1040 | r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); |
1041 | tlen = (r <= 0) ? 0 : strlen(title); |
1042 | |
1043 | /* assemble hash ID. */ |
1044 | r = snprintf(hash, sizeof(hash), "[%s]", alg); |
1045 | hlen = (r <= 0) ? 0 : strlen(hash); |
1046 | |
1047 | /* output upper border */ |
1048 | p = retval; |
1049 | *p++ = '+'; |
1050 | for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - tlen) / 2; i++) |
1051 | *p++ = '-'; |
1052 | memcpy(p, title, tlen); |
1053 | p += tlen; |
1054 | for (i += tlen; i < FLDSIZE_X(8 * 2 + 1); i++) |
1055 | *p++ = '-'; |
1056 | *p++ = '+'; |
1057 | *p++ = '\n'; |
1058 | |
1059 | /* output content */ |
1060 | for (y = 0; y < FLDSIZE_Y(8 + 1); y++) { |
1061 | *p++ = '|'; |
1062 | for (x = 0; x < FLDSIZE_X(8 * 2 + 1); x++) |
1063 | *p++ = augmentation_string[MINIMUM(field[x][y], len)(((field[x][y]) < (len)) ? (field[x][y]) : (len))]; |
1064 | *p++ = '|'; |
1065 | *p++ = '\n'; |
1066 | } |
1067 | |
1068 | /* output lower border */ |
1069 | *p++ = '+'; |
1070 | for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - hlen) / 2; i++) |
1071 | *p++ = '-'; |
1072 | memcpy(p, hash, hlen); |
1073 | p += hlen; |
1074 | for (i += hlen; i < FLDSIZE_X(8 * 2 + 1); i++) |
1075 | *p++ = '-'; |
1076 | *p++ = '+'; |
1077 | |
1078 | return retval; |
1079 | } |
1080 | |
1081 | char * |
1082 | sshkey_fingerprint(const struct sshkey *k, int dgst_alg, |
1083 | enum sshkey_fp_rep dgst_rep) |
1084 | { |
1085 | char *retval = NULL((void *)0); |
1086 | u_char *dgst_raw; |
1087 | size_t dgst_raw_len; |
1088 | |
1089 | if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) |
1090 | return NULL((void *)0); |
1091 | switch (dgst_rep) { |
1092 | case SSH_FP_DEFAULT: |
1093 | if (dgst_alg == SSH_DIGEST_MD50) { |
1094 | retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), |
1095 | dgst_raw, dgst_raw_len); |
1096 | } else { |
1097 | retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), |
1098 | dgst_raw, dgst_raw_len); |
1099 | } |
1100 | break; |
1101 | case SSH_FP_HEX: |
1102 | retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), |
1103 | dgst_raw, dgst_raw_len); |
1104 | break; |
1105 | case SSH_FP_BASE64: |
1106 | retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), |
1107 | dgst_raw, dgst_raw_len); |
1108 | break; |
1109 | case SSH_FP_BUBBLEBABBLE: |
1110 | retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); |
1111 | break; |
1112 | case SSH_FP_RANDOMART: |
1113 | retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), |
1114 | dgst_raw, dgst_raw_len, k); |
1115 | break; |
1116 | default: |
1117 | freezero(dgst_raw, dgst_raw_len); |
1118 | return NULL((void *)0); |
1119 | } |
1120 | freezero(dgst_raw, dgst_raw_len); |
1121 | return retval; |
1122 | } |
1123 | |
1124 | static int |
1125 | peek_type_nid(const char *s, size_t l, int *nid) |
1126 | { |
1127 | const struct sshkey_impl *impl; |
1128 | int i; |
1129 | |
1130 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
1131 | impl = keyimpls[i]; |
1132 | if (impl->name == NULL((void *)0) || strlen(impl->name) != l) |
1133 | continue; |
1134 | if (memcmp(s, impl->name, l) == 0) { |
1135 | *nid = -1; |
1136 | if (key_type_is_ecdsa_variant(impl->type)) |
1137 | *nid = impl->nid; |
1138 | return impl->type; |
1139 | } |
1140 | } |
1141 | return KEY_UNSPEC; |
1142 | } |
1143 | |
1144 | /* XXX this can now be made const char * */ |
1145 | int |
1146 | sshkey_read(struct sshkey *ret, char **cpp) |
1147 | { |
1148 | struct sshkey *k; |
1149 | char *cp, *blobcopy; |
1150 | size_t space; |
1151 | int r, type, curve_nid = -1; |
1152 | struct sshbuf *blob; |
1153 | |
1154 | if (ret == NULL((void *)0)) |
1155 | return SSH_ERR_INVALID_ARGUMENT-10; |
1156 | if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL((void *)0)) |
1157 | return SSH_ERR_INVALID_ARGUMENT-10; |
1158 | |
1159 | /* Decode type */ |
1160 | cp = *cpp; |
1161 | space = strcspn(cp, " \t"); |
1162 | if (space == strlen(cp)) |
1163 | return SSH_ERR_INVALID_FORMAT-4; |
1164 | if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC) |
1165 | return SSH_ERR_INVALID_FORMAT-4; |
1166 | |
1167 | /* skip whitespace */ |
1168 | for (cp += space; *cp == ' ' || *cp == '\t'; cp++) |
1169 | ; |
1170 | if (*cp == '\0') |
1171 | return SSH_ERR_INVALID_FORMAT-4; |
1172 | if (ret->type != KEY_UNSPEC && ret->type != type) |
1173 | return SSH_ERR_KEY_TYPE_MISMATCH-13; |
1174 | if ((blob = sshbuf_new()) == NULL((void *)0)) |
1175 | return SSH_ERR_ALLOC_FAIL-2; |
1176 | |
1177 | /* find end of keyblob and decode */ |
1178 | space = strcspn(cp, " \t"); |
1179 | if ((blobcopy = strndup(cp, space)) == NULL((void *)0)) { |
1180 | sshbuf_free(blob); |
1181 | return SSH_ERR_ALLOC_FAIL-2; |
1182 | } |
1183 | if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) { |
1184 | free(blobcopy); |
1185 | sshbuf_free(blob); |
1186 | return r; |
1187 | } |
1188 | free(blobcopy); |
1189 | if ((r = sshkey_fromb(blob, &k)) != 0) { |
1190 | sshbuf_free(blob); |
1191 | return r; |
1192 | } |
1193 | sshbuf_free(blob); |
1194 | |
1195 | /* skip whitespace and leave cp at start of comment */ |
1196 | for (cp += space; *cp == ' ' || *cp == '\t'; cp++) |
1197 | ; |
1198 | |
1199 | /* ensure type of blob matches type at start of line */ |
1200 | if (k->type != type) { |
1201 | sshkey_free(k); |
1202 | return SSH_ERR_KEY_TYPE_MISMATCH-13; |
1203 | } |
1204 | if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) { |
1205 | sshkey_free(k); |
1206 | return SSH_ERR_EC_CURVE_MISMATCH-15; |
1207 | } |
1208 | |
1209 | /* Fill in ret from parsed key */ |
1210 | sshkey_free_contents(ret); |
1211 | *ret = *k; |
1212 | freezero(k, sizeof(*k)); |
1213 | |
1214 | /* success */ |
1215 | *cpp = cp; |
1216 | return 0; |
1217 | } |
1218 | |
1219 | int |
1220 | sshkey_to_base64(const struct sshkey *key, char **b64p) |
1221 | { |
1222 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1223 | struct sshbuf *b = NULL((void *)0); |
1224 | char *uu = NULL((void *)0); |
1225 | |
1226 | if (b64p != NULL((void *)0)) |
1227 | *b64p = NULL((void *)0); |
1228 | if ((b = sshbuf_new()) == NULL((void *)0)) |
1229 | return SSH_ERR_ALLOC_FAIL-2; |
1230 | if ((r = sshkey_putb(key, b)) != 0) |
1231 | goto out; |
1232 | if ((uu = sshbuf_dtob64_string(b, 0)) == NULL((void *)0)) { |
1233 | r = SSH_ERR_ALLOC_FAIL-2; |
1234 | goto out; |
1235 | } |
1236 | /* Success */ |
1237 | if (b64p != NULL((void *)0)) { |
1238 | *b64p = uu; |
1239 | uu = NULL((void *)0); |
1240 | } |
1241 | r = 0; |
1242 | out: |
1243 | sshbuf_free(b); |
1244 | free(uu); |
1245 | return r; |
1246 | } |
1247 | |
1248 | int |
1249 | sshkey_format_text(const struct sshkey *key, struct sshbuf *b) |
1250 | { |
1251 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1252 | char *uu = NULL((void *)0); |
1253 | |
1254 | if ((r = sshkey_to_base64(key, &uu)) != 0) |
1255 | goto out; |
1256 | if ((r = sshbuf_putf(b, "%s %s", |
1257 | sshkey_ssh_name(key), uu)) != 0) |
1258 | goto out; |
1259 | r = 0; |
1260 | out: |
1261 | free(uu); |
1262 | return r; |
1263 | } |
1264 | |
1265 | int |
1266 | sshkey_write(const struct sshkey *key, FILE *f) |
1267 | { |
1268 | struct sshbuf *b = NULL((void *)0); |
1269 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1270 | |
1271 | if ((b = sshbuf_new()) == NULL((void *)0)) |
1272 | return SSH_ERR_ALLOC_FAIL-2; |
1273 | if ((r = sshkey_format_text(key, b)) != 0) |
1274 | goto out; |
1275 | if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) { |
1276 | if (feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f))) |
1277 | errno(*__errno()) = EPIPE32; |
1278 | r = SSH_ERR_SYSTEM_ERROR-24; |
1279 | goto out; |
1280 | } |
1281 | /* Success */ |
1282 | r = 0; |
1283 | out: |
1284 | sshbuf_free(b); |
1285 | return r; |
1286 | } |
1287 | |
1288 | const char * |
1289 | sshkey_cert_type(const struct sshkey *k) |
1290 | { |
1291 | switch (k->cert->type) { |
1292 | case SSH2_CERT_TYPE_USER1: |
1293 | return "user"; |
1294 | case SSH2_CERT_TYPE_HOST2: |
1295 | return "host"; |
1296 | default: |
1297 | return "unknown"; |
1298 | } |
1299 | } |
1300 | |
1301 | int |
1302 | sshkey_check_rsa_length(const struct sshkey *k, int min_size) |
1303 | { |
1304 | #ifdef WITH_OPENSSL1 |
1305 | const BIGNUM *rsa_n; |
1306 | int nbits; |
1307 | |
1308 | if (k == NULL((void *)0) || k->rsa == NULL((void *)0) || |
1309 | (k->type != KEY_RSA && k->type != KEY_RSA_CERT)) |
1310 | return 0; |
1311 | RSA_get0_key(k->rsa, &rsa_n, NULL((void *)0), NULL((void *)0)); |
1312 | nbits = BN_num_bits(rsa_n); |
1313 | if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE1024 || |
1314 | (min_size > 0 && nbits < min_size)) |
1315 | return SSH_ERR_KEY_LENGTH-56; |
1316 | #endif /* WITH_OPENSSL */ |
1317 | return 0; |
1318 | } |
1319 | |
1320 | #ifdef WITH_OPENSSL1 |
1321 | int |
1322 | sshkey_ecdsa_key_to_nid(EC_KEY *k) |
1323 | { |
1324 | EC_GROUP *eg; |
1325 | int nids[] = { |
1326 | NID_X9_62_prime256v1415, |
1327 | NID_secp384r1715, |
1328 | NID_secp521r1716, |
1329 | -1 |
1330 | }; |
1331 | int nid; |
1332 | u_int i; |
1333 | const EC_GROUP *g = EC_KEY_get0_group(k); |
1334 | |
1335 | /* |
1336 | * The group may be stored in a ASN.1 encoded private key in one of two |
1337 | * ways: as a "named group", which is reconstituted by ASN.1 object ID |
1338 | * or explicit group parameters encoded into the key blob. Only the |
1339 | * "named group" case sets the group NID for us, but we can figure |
1340 | * it out for the other case by comparing against all the groups that |
1341 | * are supported. |
1342 | */ |
1343 | if ((nid = EC_GROUP_get_curve_name(g)) > 0) |
1344 | return nid; |
1345 | for (i = 0; nids[i] != -1; i++) { |
1346 | if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL((void *)0)) |
1347 | return -1; |
1348 | if (EC_GROUP_cmp(g, eg, NULL((void *)0)) == 0) |
1349 | break; |
1350 | EC_GROUP_free(eg); |
1351 | } |
1352 | if (nids[i] != -1) { |
1353 | /* Use the group with the NID attached */ |
1354 | EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE0x001); |
1355 | if (EC_KEY_set_group(k, eg) != 1) { |
1356 | EC_GROUP_free(eg); |
1357 | return -1; |
1358 | } |
1359 | } |
1360 | return nids[i]; |
1361 | } |
1362 | #endif /* WITH_OPENSSL */ |
1363 | |
1364 | int |
1365 | sshkey_generate(int type, u_int bits, struct sshkey **keyp) |
1366 | { |
1367 | struct sshkey *k; |
1368 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
1369 | const struct sshkey_impl *impl; |
1370 | |
1371 | if (keyp == NULL((void *)0) || sshkey_type_is_cert(type)) |
1372 | return SSH_ERR_INVALID_ARGUMENT-10; |
1373 | *keyp = NULL((void *)0); |
1374 | if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) |
1375 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
1376 | if (impl->funcs->generate == NULL((void *)0)) |
1377 | return SSH_ERR_FEATURE_UNSUPPORTED-59; |
1378 | if ((k = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) |
1379 | return SSH_ERR_ALLOC_FAIL-2; |
1380 | k->type = type; |
1381 | if ((ret = impl->funcs->generate(k, bits)) != 0) { |
1382 | sshkey_free(k); |
1383 | return ret; |
1384 | } |
1385 | /* success */ |
1386 | *keyp = k; |
1387 | return 0; |
1388 | } |
1389 | |
1390 | int |
1391 | sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key) |
1392 | { |
1393 | u_int i; |
1394 | const struct sshkey_cert *from; |
1395 | struct sshkey_cert *to; |
1396 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1397 | |
1398 | if (to_key == NULL((void *)0) || (from = from_key->cert) == NULL((void *)0)) |
1399 | return SSH_ERR_INVALID_ARGUMENT-10; |
1400 | |
1401 | if ((to = cert_new()) == NULL((void *)0)) |
1402 | return SSH_ERR_ALLOC_FAIL-2; |
1403 | |
1404 | if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 || |
1405 | (r = sshbuf_putb(to->critical, from->critical)) != 0 || |
1406 | (r = sshbuf_putb(to->extensions, from->extensions)) != 0) |
1407 | goto out; |
1408 | |
1409 | to->serial = from->serial; |
1410 | to->type = from->type; |
1411 | if (from->key_id == NULL((void *)0)) |
1412 | to->key_id = NULL((void *)0); |
1413 | else if ((to->key_id = strdup(from->key_id)) == NULL((void *)0)) { |
1414 | r = SSH_ERR_ALLOC_FAIL-2; |
1415 | goto out; |
1416 | } |
1417 | to->valid_after = from->valid_after; |
1418 | to->valid_before = from->valid_before; |
1419 | if (from->signature_key == NULL((void *)0)) |
1420 | to->signature_key = NULL((void *)0); |
1421 | else if ((r = sshkey_from_private(from->signature_key, |
1422 | &to->signature_key)) != 0) |
1423 | goto out; |
1424 | if (from->signature_type != NULL((void *)0) && |
1425 | (to->signature_type = strdup(from->signature_type)) == NULL((void *)0)) { |
1426 | r = SSH_ERR_ALLOC_FAIL-2; |
1427 | goto out; |
1428 | } |
1429 | if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS256) { |
1430 | r = SSH_ERR_INVALID_ARGUMENT-10; |
1431 | goto out; |
1432 | } |
1433 | if (from->nprincipals > 0) { |
1434 | if ((to->principals = calloc(from->nprincipals, |
1435 | sizeof(*to->principals))) == NULL((void *)0)) { |
1436 | r = SSH_ERR_ALLOC_FAIL-2; |
1437 | goto out; |
1438 | } |
1439 | for (i = 0; i < from->nprincipals; i++) { |
1440 | to->principals[i] = strdup(from->principals[i]); |
1441 | if (to->principals[i] == NULL((void *)0)) { |
1442 | to->nprincipals = i; |
1443 | r = SSH_ERR_ALLOC_FAIL-2; |
1444 | goto out; |
1445 | } |
1446 | } |
1447 | } |
1448 | to->nprincipals = from->nprincipals; |
1449 | |
1450 | /* success */ |
1451 | cert_free(to_key->cert); |
1452 | to_key->cert = to; |
1453 | to = NULL((void *)0); |
1454 | r = 0; |
1455 | out: |
1456 | cert_free(to); |
1457 | return r; |
1458 | } |
1459 | |
1460 | int |
1461 | sshkey_copy_public_sk(const struct sshkey *from, struct sshkey *to) |
1462 | { |
1463 | /* Append security-key application string */ |
1464 | if ((to->sk_application = strdup(from->sk_application)) == NULL((void *)0)) |
1465 | return SSH_ERR_ALLOC_FAIL-2; |
1466 | return 0; |
1467 | } |
1468 | |
1469 | int |
1470 | sshkey_from_private(const struct sshkey *k, struct sshkey **pkp) |
1471 | { |
1472 | struct sshkey *n = NULL((void *)0); |
1473 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1474 | const struct sshkey_impl *impl; |
1475 | |
1476 | *pkp = NULL((void *)0); |
1477 | if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0)) |
1478 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
1479 | if ((n = sshkey_new(k->type)) == NULL((void *)0)) { |
1480 | r = SSH_ERR_ALLOC_FAIL-2; |
1481 | goto out; |
1482 | } |
1483 | if ((r = impl->funcs->copy_public(k, n)) != 0) |
1484 | goto out; |
1485 | if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0) |
1486 | goto out; |
1487 | /* success */ |
1488 | *pkp = n; |
1489 | n = NULL((void *)0); |
1490 | r = 0; |
1491 | out: |
1492 | sshkey_free(n); |
1493 | return r; |
1494 | } |
1495 | |
1496 | int |
1497 | sshkey_is_shielded(struct sshkey *k) |
1498 | { |
1499 | return k != NULL((void *)0) && k->shielded_private != NULL((void *)0); |
1500 | } |
1501 | |
1502 | int |
1503 | sshkey_shield_private(struct sshkey *k) |
1504 | { |
1505 | struct sshbuf *prvbuf = NULL((void *)0); |
1506 | u_char *prekey = NULL((void *)0), *enc = NULL((void *)0), keyiv[SSH_DIGEST_MAX_LENGTH64]; |
1507 | struct sshcipher_ctx *cctx = NULL((void *)0); |
1508 | const struct sshcipher *cipher; |
1509 | size_t i, enclen = 0; |
1510 | struct sshkey *kswap = NULL((void *)0), tmp; |
1511 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1512 | |
1513 | #ifdef DEBUG_PK |
1514 | fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); |
1515 | #endif |
1516 | if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void *)0)) { |
1517 | r = SSH_ERR_INVALID_ARGUMENT-10; |
1518 | goto out; |
1519 | } |
1520 | if (cipher_keylen(cipher) + cipher_ivlen(cipher) > |
1521 | ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) { |
1522 | r = SSH_ERR_INTERNAL_ERROR-1; |
1523 | goto out; |
1524 | } |
1525 | |
1526 | /* Prepare a random pre-key, and from it an ephemeral key */ |
1527 | if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN(16 * 1024))) == NULL((void *)0)) { |
1528 | r = SSH_ERR_ALLOC_FAIL-2; |
1529 | goto out; |
1530 | } |
1531 | arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024)); |
1532 | if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4, |
1533 | prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024), |
1534 | keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0) |
1535 | goto out; |
1536 | #ifdef DEBUG_PK |
1537 | fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__); |
1538 | sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4), |
1539 | stderr(&__sF[2])); |
1540 | #endif |
1541 | if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), |
1542 | keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0) |
1543 | goto out; |
1544 | |
1545 | /* Serialise and encrypt the private key using the ephemeral key */ |
1546 | if ((prvbuf = sshbuf_new()) == NULL((void *)0)) { |
1547 | r = SSH_ERR_ALLOC_FAIL-2; |
1548 | goto out; |
1549 | } |
1550 | if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0) |
1551 | goto out; |
1552 | if ((r = sshkey_private_serialize_opt(k, prvbuf, |
1553 | SSHKEY_SERIALIZE_SHIELD)) != 0) |
1554 | goto out; |
1555 | /* pad to cipher blocksize */ |
1556 | i = 0; |
1557 | while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) { |
1558 | if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0) |
1559 | goto out; |
1560 | } |
1561 | #ifdef DEBUG_PK |
1562 | fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__); |
1563 | sshbuf_dump(prvbuf, stderr(&__sF[2])); |
1564 | #endif |
1565 | /* encrypt */ |
1566 | enclen = sshbuf_len(prvbuf); |
1567 | if ((enc = malloc(enclen)) == NULL((void *)0)) { |
1568 | r = SSH_ERR_ALLOC_FAIL-2; |
1569 | goto out; |
1570 | } |
1571 | if ((r = cipher_crypt(cctx, 0, enc, |
1572 | sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0) |
1573 | goto out; |
1574 | #ifdef DEBUG_PK |
1575 | fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__); |
1576 | sshbuf_dump_data(enc, enclen, stderr(&__sF[2])); |
1577 | #endif |
1578 | |
1579 | /* Make a scrubbed, public-only copy of our private key argument */ |
1580 | if ((r = sshkey_from_private(k, &kswap)) != 0) |
1581 | goto out; |
1582 | |
1583 | /* Swap the private key out (it will be destroyed below) */ |
1584 | tmp = *kswap; |
1585 | *kswap = *k; |
1586 | *k = tmp; |
1587 | |
1588 | /* Insert the shielded key into our argument */ |
1589 | k->shielded_private = enc; |
1590 | k->shielded_len = enclen; |
1591 | k->shield_prekey = prekey; |
1592 | k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN(16 * 1024); |
1593 | enc = prekey = NULL((void *)0); /* transferred */ |
1594 | enclen = 0; |
1595 | |
1596 | /* preserve key fields that are required for correct operation */ |
1597 | k->sk_flags = kswap->sk_flags; |
1598 | |
1599 | /* success */ |
1600 | r = 0; |
1601 | |
1602 | out: |
1603 | /* XXX behaviour on error - invalidate original private key? */ |
1604 | cipher_free(cctx); |
1605 | explicit_bzero(keyiv, sizeof(keyiv)); |
1606 | explicit_bzero(&tmp, sizeof(tmp)); |
1607 | freezero(enc, enclen); |
1608 | freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024)); |
1609 | sshkey_free(kswap); |
1610 | sshbuf_free(prvbuf); |
1611 | return r; |
1612 | } |
1613 | |
1614 | /* Check deterministic padding after private key */ |
1615 | static int |
1616 | private2_check_padding(struct sshbuf *decrypted) |
1617 | { |
1618 | u_char pad; |
1619 | size_t i; |
1620 | int r; |
1621 | |
1622 | i = 0; |
1623 | while (sshbuf_len(decrypted)) { |
1624 | if ((r = sshbuf_get_u8(decrypted, &pad)) != 0) |
1625 | goto out; |
1626 | if (pad != (++i & 0xff)) { |
1627 | r = SSH_ERR_INVALID_FORMAT-4; |
1628 | goto out; |
1629 | } |
1630 | } |
1631 | /* success */ |
1632 | r = 0; |
1633 | out: |
1634 | explicit_bzero(&pad, sizeof(pad)); |
1635 | explicit_bzero(&i, sizeof(i)); |
1636 | return r; |
1637 | } |
1638 | |
1639 | int |
1640 | sshkey_unshield_private(struct sshkey *k) |
1641 | { |
1642 | struct sshbuf *prvbuf = NULL((void *)0); |
1643 | u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH64]; |
1644 | struct sshcipher_ctx *cctx = NULL((void *)0); |
1645 | const struct sshcipher *cipher; |
1646 | struct sshkey *kswap = NULL((void *)0), tmp; |
1647 | int r = SSH_ERR_INTERNAL_ERROR-1; |
1648 | |
1649 | #ifdef DEBUG_PK |
1650 | fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k)); |
1651 | #endif |
1652 | if (!sshkey_is_shielded(k)) |
1653 | return 0; /* nothing to do */ |
1654 | |
1655 | if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void *)0)) { |
1656 | r = SSH_ERR_INVALID_ARGUMENT-10; |
1657 | goto out; |
1658 | } |
1659 | if (cipher_keylen(cipher) + cipher_ivlen(cipher) > |
1660 | ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) { |
1661 | r = SSH_ERR_INTERNAL_ERROR-1; |
1662 | goto out; |
1663 | } |
1664 | /* check size of shielded key blob */ |
1665 | if (k->shielded_len < cipher_blocksize(cipher) || |
1666 | (k->shielded_len % cipher_blocksize(cipher)) != 0) { |
1667 | r = SSH_ERR_INVALID_FORMAT-4; |
1668 | goto out; |
1669 | } |
1670 | |
1671 | /* Calculate the ephemeral key from the prekey */ |
1672 | if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4, |
1673 | k->shield_prekey, k->shield_prekey_len, |
1674 | keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0) |
1675 | goto out; |
1676 | if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher), |
1677 | keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0) |
1678 | goto out; |
1679 | #ifdef DEBUG_PK |
1680 | fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__); |
1681 | sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4), |
1682 | stderr(&__sF[2])); |
1683 | #endif |
1684 | |
1685 | /* Decrypt and parse the shielded private key using the ephemeral key */ |
1686 | if ((prvbuf = sshbuf_new()) == NULL((void *)0)) { |
1687 | r = SSH_ERR_ALLOC_FAIL-2; |
1688 | goto out; |
1689 | } |
1690 | if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0) |
1691 | goto out; |
1692 | /* decrypt */ |
1693 | #ifdef DEBUG_PK |
1694 | fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__); |
1695 | sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr(&__sF[2])); |
1696 | #endif |
1697 | if ((r = cipher_crypt(cctx, 0, cp, |
1698 | k->shielded_private, k->shielded_len, 0, 0)) != 0) |
1699 | goto out; |
1700 | #ifdef DEBUG_PK |
1701 | fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__); |
1702 | sshbuf_dump(prvbuf, stderr(&__sF[2])); |
1703 | #endif |
1704 | /* Parse private key */ |
1705 | if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0) |
1706 | goto out; |
1707 | |
1708 | if ((r = private2_check_padding(prvbuf)) != 0) |
1709 | goto out; |
1710 | |
1711 | /* Swap the parsed key back into place */ |
1712 | tmp = *kswap; |
1713 | *kswap = *k; |
1714 | *k = tmp; |
1715 | |
1716 | /* success */ |
1717 | r = 0; |
1718 | |
1719 | out: |
1720 | cipher_free(cctx); |
1721 | explicit_bzero(keyiv, sizeof(keyiv)); |
1722 | explicit_bzero(&tmp, sizeof(tmp)); |
1723 | sshkey_free(kswap); |
1724 | sshbuf_free(prvbuf); |
1725 | return r; |
1726 | } |
1727 | |
1728 | static int |
1729 | cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) |
1730 | { |
1731 | struct sshbuf *principals = NULL((void *)0), *crit = NULL((void *)0); |
1732 | struct sshbuf *exts = NULL((void *)0), *ca = NULL((void *)0); |
1733 | u_char *sig = NULL((void *)0); |
1734 | size_t signed_len = 0, slen = 0, kidlen = 0; |
1735 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
1736 | |
1737 | /* Copy the entire key blob for verification and later serialisation */ |
1738 | if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0) |
1739 | return ret; |
1740 | |
1741 | /* Parse body of certificate up to signature */ |
1742 | if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 || |
1743 | (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 || |
1744 | (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 || |
1745 | (ret = sshbuf_froms(b, &principals)) != 0 || |
1746 | (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 || |
Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret' | |
1747 | (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 || |
1748 | (ret = sshbuf_froms(b, &crit)) != 0 || |
1749 | (ret = sshbuf_froms(b, &exts)) != 0 || |
1750 | (ret = sshbuf_get_string_direct(b, NULL((void *)0), NULL((void *)0))) != 0 || |
1751 | (ret = sshbuf_froms(b, &ca)) != 0) { |
1752 | /* XXX debug print error for ret */ |
1753 | ret = SSH_ERR_INVALID_FORMAT-4; |
1754 | goto out; |
1755 | } |
1756 | |
1757 | /* Signature is left in the buffer so we can calculate this length */ |
1758 | signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b); |
1759 | |
1760 | if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) { |
1761 | ret = SSH_ERR_INVALID_FORMAT-4; |
1762 | goto out; |
1763 | } |
1764 | |
1765 | if (key->cert->type != SSH2_CERT_TYPE_USER1 && |
1766 | key->cert->type != SSH2_CERT_TYPE_HOST2) { |
1767 | ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE-18; |
1768 | goto out; |
1769 | } |
1770 | |
1771 | /* Parse principals section */ |
1772 | while (sshbuf_len(principals) > 0) { |
1773 | char *principal = NULL((void *)0); |
1774 | char **oprincipals = NULL((void *)0); |
1775 | |
1776 | if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS256) { |
1777 | ret = SSH_ERR_INVALID_FORMAT-4; |
1778 | goto out; |
1779 | } |
1780 | if ((ret = sshbuf_get_cstring(principals, &principal, |
1781 | NULL((void *)0))) != 0) { |
1782 | ret = SSH_ERR_INVALID_FORMAT-4; |
1783 | goto out; |
1784 | } |
1785 | oprincipals = key->cert->principals; |
1786 | key->cert->principals = recallocarray(key->cert->principals, |
1787 | key->cert->nprincipals, key->cert->nprincipals + 1, |
1788 | sizeof(*key->cert->principals)); |
1789 | if (key->cert->principals == NULL((void *)0)) { |
1790 | free(principal); |
1791 | key->cert->principals = oprincipals; |
1792 | ret = SSH_ERR_ALLOC_FAIL-2; |
1793 | goto out; |
1794 | } |
1795 | key->cert->principals[key->cert->nprincipals++] = principal; |
1796 | } |
1797 | |
1798 | /* |
1799 | * Stash a copies of the critical options and extensions sections |
1800 | * for later use. |
1801 | */ |
1802 | if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 || |
1803 | (exts != NULL((void *)0) && |
1804 | (ret = sshbuf_putb(key->cert->extensions, exts)) != 0)) |
1805 | goto out; |
1806 | |
1807 | /* |
1808 | * Validate critical options and extensions sections format. |
1809 | */ |
1810 | while (sshbuf_len(crit) != 0) { |
1811 | if ((ret = sshbuf_get_string_direct(crit, NULL((void *)0), NULL((void *)0))) != 0 || |
1812 | (ret = sshbuf_get_string_direct(crit, NULL((void *)0), NULL((void *)0))) != 0) { |
1813 | sshbuf_reset(key->cert->critical); |
1814 | ret = SSH_ERR_INVALID_FORMAT-4; |
1815 | goto out; |
1816 | } |
1817 | } |
1818 | while (exts != NULL((void *)0) && sshbuf_len(exts) != 0) { |
1819 | if ((ret = sshbuf_get_string_direct(exts, NULL((void *)0), NULL((void *)0))) != 0 || |
1820 | (ret = sshbuf_get_string_direct(exts, NULL((void *)0), NULL((void *)0))) != 0) { |
1821 | sshbuf_reset(key->cert->extensions); |
1822 | ret = SSH_ERR_INVALID_FORMAT-4; |
1823 | goto out; |
1824 | } |
1825 | } |
1826 | |
1827 | /* Parse CA key and check signature */ |
1828 | if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) { |
1829 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
1830 | goto out; |
1831 | } |
1832 | if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) { |
1833 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
1834 | goto out; |
1835 | } |
1836 | if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, |
1837 | sshbuf_ptr(key->cert->certblob), signed_len, NULL((void *)0), 0, NULL((void *)0))) != 0) |
1838 | goto out; |
1839 | if ((ret = sshkey_get_sigtype(sig, slen, |
1840 | &key->cert->signature_type)) != 0) |
1841 | goto out; |
1842 | |
1843 | /* Success */ |
1844 | ret = 0; |
1845 | out: |
1846 | sshbuf_free(ca); |
1847 | sshbuf_free(crit); |
1848 | sshbuf_free(exts); |
1849 | sshbuf_free(principals); |
1850 | free(sig); |
1851 | return ret; |
1852 | } |
1853 | |
1854 | int |
1855 | sshkey_deserialize_sk(struct sshbuf *b, struct sshkey *key) |
1856 | { |
1857 | /* Parse additional security-key application string */ |
1858 | if (sshbuf_get_cstring(b, &key->sk_application, NULL((void *)0)) != 0) |
1859 | return SSH_ERR_INVALID_FORMAT-4; |
1860 | return 0; |
1861 | } |
1862 | |
1863 | static int |
1864 | sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, |
1865 | int allow_cert) |
1866 | { |
1867 | int type, ret = SSH_ERR_INTERNAL_ERROR-1; |
1868 | char *ktype = NULL((void *)0); |
1869 | struct sshkey *key = NULL((void *)0); |
1870 | struct sshbuf *copy; |
1871 | const struct sshkey_impl *impl; |
1872 | |
1873 | #ifdef DEBUG_PK /* XXX */ |
1874 | sshbuf_dump(b, stderr(&__sF[2])); |
1875 | #endif |
1876 | if (keyp != NULL((void *)0)) |
1877 | *keyp = NULL((void *)0); |
1878 | if ((copy = sshbuf_fromb(b)) == NULL((void *)0)) { |
1879 | ret = SSH_ERR_ALLOC_FAIL-2; |
1880 | goto out; |
1881 | } |
1882 | if (sshbuf_get_cstring(b, &ktype, NULL((void *)0)) != 0) { |
1883 | ret = SSH_ERR_INVALID_FORMAT-4; |
1884 | goto out; |
1885 | } |
1886 | |
1887 | type = sshkey_type_from_name(ktype); |
1888 | if (!allow_cert && sshkey_type_is_cert(type)) { |
1889 | ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
1890 | goto out; |
1891 | } |
1892 | if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) { |
1893 | ret = SSH_ERR_KEY_TYPE_UNKNOWN-14; |
1894 | goto out; |
1895 | } |
1896 | if ((key = sshkey_new(type)) == NULL((void *)0)) { |
1897 | ret = SSH_ERR_ALLOC_FAIL-2; |
1898 | goto out; |
1899 | } |
1900 | if (sshkey_type_is_cert(type)) { |
1901 | /* Skip nonce that precedes all certificates */ |
1902 | if (sshbuf_get_string_direct(b, NULL((void *)0), NULL((void *)0)) != 0) { |
1903 | ret = SSH_ERR_INVALID_FORMAT-4; |
1904 | goto out; |
1905 | } |
1906 | } |
1907 | if ((ret = impl->funcs->deserialize_public(ktype, b, key)) != 0) |
1908 | goto out; |
1909 | |
1910 | /* Parse certificate potion */ |
1911 | if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0) |
1912 | goto out; |
1913 | |
1914 | if (key != NULL((void *)0) && sshbuf_len(b) != 0) { |
1915 | ret = SSH_ERR_INVALID_FORMAT-4; |
1916 | goto out; |
1917 | } |
1918 | ret = 0; |
1919 | if (keyp != NULL((void *)0)) { |
1920 | *keyp = key; |
1921 | key = NULL((void *)0); |
1922 | } |
1923 | out: |
1924 | sshbuf_free(copy); |
1925 | sshkey_free(key); |
1926 | free(ktype); |
1927 | return ret; |
1928 | } |
1929 | |
1930 | int |
1931 | sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp) |
1932 | { |
1933 | struct sshbuf *b; |
1934 | int r; |
1935 | |
1936 | if ((b = sshbuf_from(blob, blen)) == NULL((void *)0)) |
1937 | return SSH_ERR_ALLOC_FAIL-2; |
1938 | r = sshkey_from_blob_internal(b, keyp, 1); |
1939 | sshbuf_free(b); |
1940 | return r; |
1941 | } |
1942 | |
1943 | int |
1944 | sshkey_fromb(struct sshbuf *b, struct sshkey **keyp) |
1945 | { |
1946 | return sshkey_from_blob_internal(b, keyp, 1); |
1947 | } |
1948 | |
1949 | int |
1950 | sshkey_froms(struct sshbuf *buf, struct sshkey **keyp) |
1951 | { |
1952 | struct sshbuf *b; |
1953 | int r; |
1954 | |
1955 | if ((r = sshbuf_froms(buf, &b)) != 0) |
1956 | return r; |
1957 | r = sshkey_from_blob_internal(b, keyp, 1); |
1958 | sshbuf_free(b); |
1959 | return r; |
1960 | } |
1961 | |
1962 | int |
1963 | sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep) |
1964 | { |
1965 | int r; |
1966 | struct sshbuf *b = NULL((void *)0); |
1967 | char *sigtype = NULL((void *)0); |
1968 | |
1969 | if (sigtypep != NULL((void *)0)) |
1970 | *sigtypep = NULL((void *)0); |
1971 | if ((b = sshbuf_from(sig, siglen)) == NULL((void *)0)) |
1972 | return SSH_ERR_ALLOC_FAIL-2; |
1973 | if ((r = sshbuf_get_cstring(b, &sigtype, NULL((void *)0))) != 0) |
1974 | goto out; |
1975 | /* success */ |
1976 | if (sigtypep != NULL((void *)0)) { |
1977 | *sigtypep = sigtype; |
1978 | sigtype = NULL((void *)0); |
1979 | } |
1980 | r = 0; |
1981 | out: |
1982 | free(sigtype); |
1983 | sshbuf_free(b); |
1984 | return r; |
1985 | } |
1986 | |
1987 | /* |
1988 | * |
1989 | * Checks whether a certificate's signature type is allowed. |
1990 | * Returns 0 (success) if the certificate signature type appears in the |
1991 | * "allowed" pattern-list, or the key is not a certificate to begin with. |
1992 | * Otherwise returns a ssherr.h code. |
1993 | */ |
1994 | int |
1995 | sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed) |
1996 | { |
1997 | if (key == NULL((void *)0) || allowed == NULL((void *)0)) |
1998 | return SSH_ERR_INVALID_ARGUMENT-10; |
1999 | if (!sshkey_type_is_cert(key->type)) |
2000 | return 0; |
2001 | if (key->cert == NULL((void *)0) || key->cert->signature_type == NULL((void *)0)) |
2002 | return SSH_ERR_INVALID_ARGUMENT-10; |
2003 | if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1) |
2004 | return SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
2005 | return 0; |
2006 | } |
2007 | |
2008 | /* |
2009 | * Returns the expected signature algorithm for a given public key algorithm. |
2010 | */ |
2011 | const char * |
2012 | sshkey_sigalg_by_name(const char *name) |
2013 | { |
2014 | const struct sshkey_impl *impl; |
2015 | int i; |
2016 | |
2017 | for (i = 0; keyimpls[i] != NULL((void *)0); i++) { |
2018 | impl = keyimpls[i]; |
2019 | if (strcmp(impl->name, name) != 0) |
2020 | continue; |
2021 | if (impl->sigalg != NULL((void *)0)) |
2022 | return impl->sigalg; |
2023 | if (!impl->cert) |
2024 | return impl->name; |
2025 | return sshkey_ssh_name_from_type_nid( |
2026 | sshkey_type_plain(impl->type), impl->nid); |
2027 | } |
2028 | return NULL((void *)0); |
2029 | } |
2030 | |
2031 | /* |
2032 | * Verifies that the signature algorithm appearing inside the signature blob |
2033 | * matches that which was requested. |
2034 | */ |
2035 | int |
2036 | sshkey_check_sigtype(const u_char *sig, size_t siglen, |
2037 | const char *requested_alg) |
2038 | { |
2039 | const char *expected_alg; |
2040 | char *sigtype = NULL((void *)0); |
2041 | int r; |
2042 | |
2043 | if (requested_alg == NULL((void *)0)) |
2044 | return 0; |
2045 | if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL((void *)0)) |
2046 | return SSH_ERR_INVALID_ARGUMENT-10; |
2047 | if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) |
2048 | return r; |
2049 | r = strcmp(expected_alg, sigtype) == 0; |
2050 | free(sigtype); |
2051 | return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
2052 | } |
2053 | |
2054 | int |
2055 | sshkey_sign(struct sshkey *key, |
2056 | u_char **sigp, size_t *lenp, |
2057 | const u_char *data, size_t datalen, |
2058 | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
2059 | { |
2060 | int was_shielded = sshkey_is_shielded(key); |
2061 | int r2, r = SSH_ERR_INTERNAL_ERROR-1; |
2062 | const struct sshkey_impl *impl; |
2063 | |
2064 | if (sigp != NULL((void *)0)) |
2065 | *sigp = NULL((void *)0); |
2066 | if (lenp != NULL((void *)0)) |
2067 | *lenp = 0; |
2068 | if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20)) |
2069 | return SSH_ERR_INVALID_ARGUMENT-10; |
2070 | if ((impl = sshkey_impl_from_key(key)) == NULL((void *)0)) |
2071 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2072 | if ((r = sshkey_unshield_private(key)) != 0) |
2073 | return r; |
2074 | if (sshkey_is_sk(key)) { |
2075 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, |
2076 | datalen, compat, sk_pin); |
2077 | } else { |
2078 | if (impl->funcs->sign == NULL((void *)0)) |
2079 | r = SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
2080 | else { |
2081 | r = impl->funcs->sign(key, sigp, lenp, data, datalen, |
2082 | alg, sk_provider, sk_pin, compat); |
2083 | } |
2084 | } |
2085 | if (was_shielded && (r2 = sshkey_shield_private(key)) != 0) |
2086 | return r2; |
2087 | return r; |
2088 | } |
2089 | |
2090 | /* |
2091 | * ssh_key_verify returns 0 for a correct signature and < 0 on error. |
2092 | * If "alg" specified, then the signature must use that algorithm. |
2093 | */ |
2094 | int |
2095 | sshkey_verify(const struct sshkey *key, |
2096 | const u_char *sig, size_t siglen, |
2097 | const u_char *data, size_t dlen, const char *alg, u_int compat, |
2098 | struct sshkey_sig_details **detailsp) |
2099 | { |
2100 | const struct sshkey_impl *impl; |
2101 | |
2102 | if (detailsp != NULL((void *)0)) |
2103 | *detailsp = NULL((void *)0); |
2104 | if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20)) |
2105 | return SSH_ERR_INVALID_ARGUMENT-10; |
2106 | if ((impl = sshkey_impl_from_key(key)) == NULL((void *)0)) |
2107 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2108 | return impl->funcs->verify(key, sig, siglen, data, dlen, |
2109 | alg, compat, detailsp); |
2110 | } |
2111 | |
2112 | /* Convert a plain key to their _CERT equivalent */ |
2113 | int |
2114 | sshkey_to_certified(struct sshkey *k) |
2115 | { |
2116 | int newtype; |
2117 | |
2118 | if ((newtype = sshkey_type_certified(k->type)) == -1) |
2119 | return SSH_ERR_INVALID_ARGUMENT-10; |
2120 | if ((k->cert = cert_new()) == NULL((void *)0)) |
2121 | return SSH_ERR_ALLOC_FAIL-2; |
2122 | k->type = newtype; |
2123 | return 0; |
2124 | } |
2125 | |
2126 | /* Convert a certificate to its raw key equivalent */ |
2127 | int |
2128 | sshkey_drop_cert(struct sshkey *k) |
2129 | { |
2130 | if (!sshkey_type_is_cert(k->type)) |
2131 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2132 | cert_free(k->cert); |
2133 | k->cert = NULL((void *)0); |
2134 | k->type = sshkey_type_plain(k->type); |
2135 | return 0; |
2136 | } |
2137 | |
2138 | /* Sign a certified key, (re-)generating the signed certblob. */ |
2139 | int |
2140 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
2141 | const char *sk_provider, const char *sk_pin, |
2142 | sshkey_certify_signer *signer, void *signer_ctx) |
2143 | { |
2144 | const struct sshkey_impl *impl; |
2145 | struct sshbuf *principals = NULL((void *)0); |
2146 | u_char *ca_blob = NULL((void *)0), *sig_blob = NULL((void *)0), nonce[32]; |
2147 | size_t i, ca_len, sig_len; |
2148 | int ret = SSH_ERR_INTERNAL_ERROR-1; |
2149 | struct sshbuf *cert = NULL((void *)0); |
2150 | char *sigtype = NULL((void *)0); |
2151 | |
2152 | if (k == NULL((void *)0) || k->cert == NULL((void *)0) || |
2153 | k->cert->certblob == NULL((void *)0) || ca == NULL((void *)0)) |
2154 | return SSH_ERR_INVALID_ARGUMENT-10; |
2155 | if (!sshkey_is_cert(k)) |
2156 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
2157 | if (!sshkey_type_is_valid_ca(ca->type)) |
2158 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2159 | if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0)) |
2160 | return SSH_ERR_INTERNAL_ERROR-1; |
2161 | |
2162 | /* |
2163 | * If no alg specified as argument but a signature_type was set, |
2164 | * then prefer that. If both were specified, then they must match. |
2165 | */ |
2166 | if (alg == NULL((void *)0)) |
2167 | alg = k->cert->signature_type; |
2168 | else if (k->cert->signature_type != NULL((void *)0) && |
2169 | strcmp(alg, k->cert->signature_type) != 0) |
2170 | return SSH_ERR_INVALID_ARGUMENT-10; |
2171 | |
2172 | /* |
2173 | * If no signing algorithm or signature_type was specified and we're |
2174 | * using a RSA key, then default to a good signature algorithm. |
2175 | */ |
2176 | if (alg == NULL((void *)0) && ca->type == KEY_RSA) |
2177 | alg = "rsa-sha2-512"; |
2178 | |
2179 | if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0) |
2180 | return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19; |
2181 | |
2182 | cert = k->cert->certblob; /* for readability */ |
2183 | sshbuf_reset(cert); |
2184 | if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0) |
2185 | goto out; |
2186 | |
2187 | /* -v01 certs put nonce first */ |
2188 | arc4random_buf(&nonce, sizeof(nonce)); |
2189 | if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0) |
2190 | goto out; |
2191 | |
2192 | /* Public key next */ |
2193 | if ((ret = impl->funcs->serialize_public(k, cert, |
2194 | SSHKEY_SERIALIZE_DEFAULT)) != 0) |
2195 | goto out; |
2196 | |
2197 | /* Then remaining cert fields */ |
2198 | if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 || |
2199 | (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 || |
2200 | (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0) |
2201 | goto out; |
2202 | |
2203 | if ((principals = sshbuf_new()) == NULL((void *)0)) { |
2204 | ret = SSH_ERR_ALLOC_FAIL-2; |
2205 | goto out; |
2206 | } |
2207 | for (i = 0; i < k->cert->nprincipals; i++) { |
2208 | if ((ret = sshbuf_put_cstring(principals, |
2209 | k->cert->principals[i])) != 0) |
2210 | goto out; |
2211 | } |
2212 | if ((ret = sshbuf_put_stringb(cert, principals)) != 0 || |
2213 | (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 || |
2214 | (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 || |
2215 | (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 || |
2216 | (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 || |
2217 | (ret = sshbuf_put_string(cert, NULL((void *)0), 0)) != 0 || /* Reserved */ |
2218 | (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0) |
2219 | goto out; |
2220 | |
2221 | /* Sign the whole mess */ |
2222 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
2223 | sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) |
2224 | goto out; |
2225 | /* Check and update signature_type against what was actually used */ |
2226 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) |
2227 | goto out; |
2228 | if (alg != NULL((void *)0) && strcmp(alg, sigtype) != 0) { |
2229 | ret = SSH_ERR_SIGN_ALG_UNSUPPORTED-58; |
2230 | goto out; |
2231 | } |
2232 | if (k->cert->signature_type == NULL((void *)0)) { |
2233 | k->cert->signature_type = sigtype; |
2234 | sigtype = NULL((void *)0); |
2235 | } |
2236 | /* Append signature and we are done */ |
2237 | if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0) |
2238 | goto out; |
2239 | ret = 0; |
2240 | out: |
2241 | if (ret != 0) |
2242 | sshbuf_reset(cert); |
2243 | free(sig_blob); |
2244 | free(ca_blob); |
2245 | free(sigtype); |
2246 | sshbuf_free(principals); |
2247 | return ret; |
2248 | } |
2249 | |
2250 | static int |
2251 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, |
2252 | const u_char *data, size_t datalen, |
2253 | const char *alg, const char *sk_provider, const char *sk_pin, |
2254 | u_int compat, void *ctx) |
2255 | { |
2256 | if (ctx != NULL((void *)0)) |
2257 | return SSH_ERR_INVALID_ARGUMENT-10; |
2258 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, |
2259 | sk_provider, sk_pin, compat); |
2260 | } |
2261 | |
2262 | int |
2263 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, |
2264 | const char *sk_provider, const char *sk_pin) |
2265 | { |
2266 | return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, |
2267 | default_key_sign, NULL((void *)0)); |
2268 | } |
2269 | |
2270 | int |
2271 | sshkey_cert_check_authority(const struct sshkey *k, |
2272 | int want_host, int require_principal, int wildcard_pattern, |
2273 | uint64_t verify_time, const char *name, const char **reason) |
2274 | { |
2275 | u_int i, principal_matches; |
2276 | |
2277 | if (reason == NULL((void *)0)) |
2278 | return SSH_ERR_INVALID_ARGUMENT-10; |
2279 | if (!sshkey_is_cert(k)) { |
2280 | *reason = "Key is not a certificate"; |
2281 | return SSH_ERR_KEY_CERT_INVALID-25; |
2282 | } |
2283 | if (want_host) { |
2284 | if (k->cert->type != SSH2_CERT_TYPE_HOST2) { |
2285 | *reason = "Certificate invalid: not a host certificate"; |
2286 | return SSH_ERR_KEY_CERT_INVALID-25; |
2287 | } |
2288 | } else { |
2289 | if (k->cert->type != SSH2_CERT_TYPE_USER1) { |
2290 | *reason = "Certificate invalid: not a user certificate"; |
2291 | return SSH_ERR_KEY_CERT_INVALID-25; |
2292 | } |
2293 | } |
2294 | if (verify_time < k->cert->valid_after) { |
2295 | *reason = "Certificate invalid: not yet valid"; |
2296 | return SSH_ERR_KEY_CERT_INVALID-25; |
2297 | } |
2298 | if (verify_time >= k->cert->valid_before) { |
2299 | *reason = "Certificate invalid: expired"; |
2300 | return SSH_ERR_KEY_CERT_INVALID-25; |
2301 | } |
2302 | if (k->cert->nprincipals == 0) { |
2303 | if (require_principal) { |
2304 | *reason = "Certificate lacks principal list"; |
2305 | return SSH_ERR_KEY_CERT_INVALID-25; |
2306 | } |
2307 | } else if (name != NULL((void *)0)) { |
2308 | principal_matches = 0; |
2309 | for (i = 0; i < k->cert->nprincipals; i++) { |
2310 | if (wildcard_pattern) { |
2311 | if (match_pattern(k->cert->principals[i], |
2312 | name)) { |
2313 | principal_matches = 1; |
2314 | break; |
2315 | } |
2316 | } else if (strcmp(name, k->cert->principals[i]) == 0) { |
2317 | principal_matches = 1; |
2318 | break; |
2319 | } |
2320 | } |
2321 | if (!principal_matches) { |
2322 | *reason = "Certificate invalid: name is not a listed " |
2323 | "principal"; |
2324 | return SSH_ERR_KEY_CERT_INVALID-25; |
2325 | } |
2326 | } |
2327 | return 0; |
2328 | } |
2329 | |
2330 | int |
2331 | sshkey_cert_check_authority_now(const struct sshkey *k, |
2332 | int want_host, int require_principal, int wildcard_pattern, |
2333 | const char *name, const char **reason) |
2334 | { |
2335 | time_t now; |
2336 | |
2337 | if ((now = time(NULL((void *)0))) < 0) { |
2338 | /* yikes - system clock before epoch! */ |
2339 | *reason = "Certificate invalid: not yet valid"; |
2340 | return SSH_ERR_KEY_CERT_INVALID-25; |
2341 | } |
2342 | return sshkey_cert_check_authority(k, want_host, require_principal, |
2343 | wildcard_pattern, (uint64_t)now, name, reason); |
2344 | } |
2345 | |
2346 | int |
2347 | sshkey_cert_check_host(const struct sshkey *key, const char *host, |
2348 | int wildcard_principals, const char *ca_sign_algorithms, |
2349 | const char **reason) |
2350 | { |
2351 | int r; |
2352 | |
2353 | if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, |
2354 | host, reason)) != 0) |
2355 | return r; |
2356 | if (sshbuf_len(key->cert->critical) != 0) { |
2357 | *reason = "Certificate contains unsupported critical options"; |
2358 | return SSH_ERR_KEY_CERT_INVALID-25; |
2359 | } |
2360 | if (ca_sign_algorithms != NULL((void *)0) && |
2361 | (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) { |
2362 | *reason = "Certificate signed with disallowed algorithm"; |
2363 | return SSH_ERR_KEY_CERT_INVALID-25; |
2364 | } |
2365 | return 0; |
2366 | } |
2367 | |
2368 | size_t |
2369 | sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l) |
2370 | { |
2371 | char from[32], to[32], ret[128]; |
2372 | |
2373 | *from = *to = '\0'; |
2374 | if (cert->valid_after == 0 && |
2375 | cert->valid_before == 0xffffffffffffffffULL) |
2376 | return strlcpy(s, "forever", l); |
2377 | |
2378 | if (cert->valid_after != 0) |
2379 | format_absolute_time(cert->valid_after, from, sizeof(from)); |
2380 | if (cert->valid_before != 0xffffffffffffffffULL) |
2381 | format_absolute_time(cert->valid_before, to, sizeof(to)); |
2382 | |
2383 | if (cert->valid_after == 0) |
2384 | snprintf(ret, sizeof(ret), "before %s", to); |
2385 | else if (cert->valid_before == 0xffffffffffffffffULL) |
2386 | snprintf(ret, sizeof(ret), "after %s", from); |
2387 | else |
2388 | snprintf(ret, sizeof(ret), "from %s to %s", from, to); |
2389 | |
2390 | return strlcpy(s, ret, l); |
2391 | } |
2392 | |
2393 | /* Common serialization for FIDO private keys */ |
2394 | int |
2395 | sshkey_serialize_private_sk(const struct sshkey *key, struct sshbuf *b) |
2396 | { |
2397 | int r; |
2398 | |
2399 | if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0 || |
2400 | (r = sshbuf_put_u8(b, key->sk_flags)) != 0 || |
2401 | (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 || |
2402 | (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0) |
2403 | return r; |
2404 | |
2405 | return 0; |
2406 | } |
2407 | |
2408 | int |
2409 | sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf, |
2410 | enum sshkey_serialize_rep opts) |
2411 | { |
2412 | int r = SSH_ERR_INTERNAL_ERROR-1; |
2413 | int was_shielded = sshkey_is_shielded(key); |
2414 | struct sshbuf *b = NULL((void *)0); |
2415 | const struct sshkey_impl *impl; |
2416 | |
2417 | if ((impl = sshkey_impl_from_key(key)) == NULL((void *)0)) |
2418 | return SSH_ERR_INTERNAL_ERROR-1; |
2419 | if ((r = sshkey_unshield_private(key)) != 0) |
2420 | return r; |
2421 | if ((b = sshbuf_new()) == NULL((void *)0)) |
2422 | return SSH_ERR_ALLOC_FAIL-2; |
2423 | if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0) |
2424 | goto out; |
2425 | if (sshkey_is_cert(key)) { |
2426 | if (key->cert == NULL((void *)0) || |
2427 | sshbuf_len(key->cert->certblob) == 0) { |
2428 | r = SSH_ERR_INVALID_ARGUMENT-10; |
2429 | goto out; |
2430 | } |
2431 | if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0) |
2432 | goto out; |
2433 | } |
2434 | if ((r = impl->funcs->serialize_private(key, b, opts)) != 0) |
2435 | goto out; |
2436 | |
2437 | /* |
2438 | * success (but we still need to append the output to buf after |
2439 | * possibly re-shielding the private key) |
2440 | */ |
2441 | r = 0; |
2442 | out: |
2443 | if (was_shielded) |
2444 | r = sshkey_shield_private(key); |
2445 | if (r == 0) |
2446 | r = sshbuf_putb(buf, b); |
2447 | sshbuf_free(b); |
2448 | |
2449 | return r; |
2450 | } |
2451 | |
2452 | int |
2453 | sshkey_private_serialize(struct sshkey *key, struct sshbuf *b) |
2454 | { |
2455 | return sshkey_private_serialize_opt(key, b, |
2456 | SSHKEY_SERIALIZE_DEFAULT); |
2457 | } |
2458 | |
2459 | /* Shared deserialization of FIDO private key components */ |
2460 | int |
2461 | sshkey_private_deserialize_sk(struct sshbuf *buf, struct sshkey *k) |
2462 | { |
2463 | int r; |
2464 | |
2465 | if ((k->sk_key_handle = sshbuf_new()) == NULL((void *)0) || |
2466 | (k->sk_reserved = sshbuf_new()) == NULL((void *)0)) |
2467 | return SSH_ERR_ALLOC_FAIL-2; |
2468 | if ((r = sshbuf_get_cstring(buf, &k->sk_application, NULL((void *)0))) != 0 || |
2469 | (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 || |
2470 | (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 || |
2471 | (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0) |
2472 | return r; |
2473 | |
2474 | return 0; |
2475 | } |
2476 | |
2477 | int |
2478 | sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) |
2479 | { |
2480 | const struct sshkey_impl *impl; |
2481 | char *tname = NULL((void *)0); |
2482 | char *expect_sk_application = NULL((void *)0); |
2483 | u_char *expect_ed25519_pk = NULL((void *)0); |
2484 | struct sshkey *k = NULL((void *)0); |
2485 | int type, r = SSH_ERR_INTERNAL_ERROR-1; |
2486 | |
2487 | if (kp != NULL((void *)0)) |
2488 | *kp = NULL((void *)0); |
2489 | if ((r = sshbuf_get_cstring(buf, &tname, NULL((void *)0))) != 0) |
2490 | goto out; |
2491 | type = sshkey_type_from_name(tname); |
2492 | if (sshkey_type_is_cert(type)) { |
2493 | /* |
2494 | * Certificate key private keys begin with the certificate |
2495 | * itself. Make sure this matches the type of the enclosing |
2496 | * private key. |
2497 | */ |
2498 | if ((r = sshkey_froms(buf, &k)) != 0) |
2499 | goto out; |
2500 | if (k->type != type) { |
2501 | r = SSH_ERR_KEY_CERT_MISMATCH-45; |
2502 | goto out; |
2503 | } |
2504 | /* For ECDSA keys, the group must match too */ |
2505 | if (k->type == KEY_ECDSA && |
2506 | k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { |
2507 | r = SSH_ERR_KEY_CERT_MISMATCH-45; |
2508 | goto out; |
2509 | } |
2510 | /* |
2511 | * Several fields are redundant between certificate and |
2512 | * private key body, we require these to match. |
2513 | */ |
2514 | expect_sk_application = k->sk_application; |
2515 | expect_ed25519_pk = k->ed25519_pk; |
2516 | k->sk_application = NULL((void *)0); |
2517 | k->ed25519_pk = NULL((void *)0); |
2518 | /* XXX xmss too or refactor */ |
2519 | } else { |
2520 | if ((k = sshkey_new(type)) == NULL((void *)0)) { |
2521 | r = SSH_ERR_ALLOC_FAIL-2; |
2522 | goto out; |
2523 | } |
2524 | } |
2525 | if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) { |
2526 | r = SSH_ERR_INTERNAL_ERROR-1; |
2527 | goto out; |
2528 | } |
2529 | if ((r = impl->funcs->deserialize_private(tname, buf, k)) != 0) |
2530 | goto out; |
2531 | |
2532 | /* XXX xmss too or refactor */ |
2533 | if ((expect_sk_application != NULL((void *)0) && (k->sk_application == NULL((void *)0) || |
2534 | strcmp(expect_sk_application, k->sk_application) != 0)) || |
2535 | (expect_ed25519_pk != NULL((void *)0) && (k->ed25519_pk == NULL((void *)0) || |
2536 | memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ32U) != 0))) { |
2537 | r = SSH_ERR_KEY_CERT_MISMATCH-45; |
2538 | goto out; |
2539 | } |
2540 | /* success */ |
2541 | r = 0; |
2542 | if (kp != NULL((void *)0)) { |
2543 | *kp = k; |
2544 | k = NULL((void *)0); |
2545 | } |
2546 | out: |
2547 | free(tname); |
2548 | sshkey_free(k); |
2549 | free(expect_sk_application); |
2550 | free(expect_ed25519_pk); |
2551 | return r; |
2552 | } |
2553 | |
2554 | #ifdef WITH_OPENSSL1 |
2555 | int |
2556 | sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) |
2557 | { |
2558 | EC_POINT *nq = NULL((void *)0); |
2559 | BIGNUM *order = NULL((void *)0), *x = NULL((void *)0), *y = NULL((void *)0), *tmp = NULL((void *)0); |
2560 | int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20; |
2561 | |
2562 | /* |
2563 | * NB. This assumes OpenSSL has already verified that the public |
2564 | * point lies on the curve. This is done by EC_POINT_oct2point() |
2565 | * implicitly calling EC_POINT_is_on_curve(). If this code is ever |
2566 | * reachable with public points not unmarshalled using |
2567 | * EC_POINT_oct2point then the caller will need to explicitly check. |
2568 | */ |
2569 | |
2570 | /* |
2571 | * We shouldn't ever hit this case because bignum_get_ecpoint() |
2572 | * refuses to load GF2m points. |
2573 | */ |
2574 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != |
2575 | NID_X9_62_prime_field406) |
2576 | goto out; |
2577 | |
2578 | /* Q != infinity */ |
2579 | if (EC_POINT_is_at_infinity(group, public)) |
2580 | goto out; |
2581 | |
2582 | if ((x = BN_new()) == NULL((void *)0) || |
2583 | (y = BN_new()) == NULL((void *)0) || |
2584 | (order = BN_new()) == NULL((void *)0) || |
2585 | (tmp = BN_new()) == NULL((void *)0)) { |
2586 | ret = SSH_ERR_ALLOC_FAIL-2; |
2587 | goto out; |
2588 | } |
2589 | |
2590 | /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ |
2591 | if (EC_GROUP_get_order(group, order, NULL((void *)0)) != 1 || |
2592 | EC_POINT_get_affine_coordinates_GFp(group, public, |
2593 | x, y, NULL((void *)0)) != 1) { |
2594 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2595 | goto out; |
2596 | } |
2597 | if (BN_num_bits(x) <= BN_num_bits(order) / 2 || |
2598 | BN_num_bits(y) <= BN_num_bits(order) / 2) |
2599 | goto out; |
2600 | |
2601 | /* nQ == infinity (n == order of subgroup) */ |
2602 | if ((nq = EC_POINT_new(group)) == NULL((void *)0)) { |
2603 | ret = SSH_ERR_ALLOC_FAIL-2; |
2604 | goto out; |
2605 | } |
2606 | if (EC_POINT_mul(group, nq, NULL((void *)0), public, order, NULL((void *)0)) != 1) { |
2607 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2608 | goto out; |
2609 | } |
2610 | if (EC_POINT_is_at_infinity(group, nq) != 1) |
2611 | goto out; |
2612 | |
2613 | /* x < order - 1, y < order - 1 */ |
2614 | if (!BN_sub(tmp, order, BN_value_one())) { |
2615 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2616 | goto out; |
2617 | } |
2618 | if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0) |
2619 | goto out; |
2620 | ret = 0; |
2621 | out: |
2622 | BN_clear_free(x); |
2623 | BN_clear_free(y); |
2624 | BN_clear_free(order); |
2625 | BN_clear_free(tmp); |
2626 | EC_POINT_free(nq); |
2627 | return ret; |
2628 | } |
2629 | |
2630 | int |
2631 | sshkey_ec_validate_private(const EC_KEY *key) |
2632 | { |
2633 | BIGNUM *order = NULL((void *)0), *tmp = NULL((void *)0); |
2634 | int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20; |
2635 | |
2636 | if ((order = BN_new()) == NULL((void *)0) || (tmp = BN_new()) == NULL((void *)0)) { |
2637 | ret = SSH_ERR_ALLOC_FAIL-2; |
2638 | goto out; |
2639 | } |
2640 | |
2641 | /* log2(private) > log2(order)/2 */ |
2642 | if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL((void *)0)) != 1) { |
2643 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2644 | goto out; |
2645 | } |
2646 | if (BN_num_bits(EC_KEY_get0_private_key(key)) <= |
2647 | BN_num_bits(order) / 2) |
2648 | goto out; |
2649 | |
2650 | /* private < order - 1 */ |
2651 | if (!BN_sub(tmp, order, BN_value_one())) { |
2652 | ret = SSH_ERR_LIBCRYPTO_ERROR-22; |
2653 | goto out; |
2654 | } |
2655 | if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) |
2656 | goto out; |
2657 | ret = 0; |
2658 | out: |
2659 | BN_clear_free(order); |
2660 | BN_clear_free(tmp); |
2661 | return ret; |
2662 | } |
2663 | |
2664 | void |
2665 | sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) |
2666 | { |
2667 | BIGNUM *x = NULL((void *)0), *y = NULL((void *)0); |
2668 | |
2669 | if (point == NULL((void *)0)) { |
2670 | fputs("point=(NULL)\n", stderr(&__sF[2])); |
2671 | return; |
2672 | } |
2673 | if ((x = BN_new()) == NULL((void *)0) || (y = BN_new()) == NULL((void *)0)) { |
2674 | fprintf(stderr(&__sF[2]), "%s: BN_new failed\n", __func__); |
2675 | goto out; |
2676 | } |
2677 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != |
2678 | NID_X9_62_prime_field406) { |
2679 | fprintf(stderr(&__sF[2]), "%s: group is not a prime field\n", __func__); |
2680 | goto out; |
2681 | } |
2682 | if (EC_POINT_get_affine_coordinates_GFp(group, point, |
2683 | x, y, NULL((void *)0)) != 1) { |
2684 | fprintf(stderr(&__sF[2]), "%s: EC_POINT_get_affine_coordinates_GFp\n", |
2685 | __func__); |
2686 | goto out; |
2687 | } |
2688 | fputs("x=", stderr(&__sF[2])); |
2689 | BN_print_fp(stderr(&__sF[2]), x); |
2690 | fputs("\ny=", stderr(&__sF[2])); |
2691 | BN_print_fp(stderr(&__sF[2]), y); |
2692 | fputs("\n", stderr(&__sF[2])); |
2693 | out: |
2694 | BN_clear_free(x); |
2695 | BN_clear_free(y); |
2696 | } |
2697 | |
2698 | void |
2699 | sshkey_dump_ec_key(const EC_KEY *key) |
2700 | { |
2701 | const BIGNUM *exponent; |
2702 | |
2703 | sshkey_dump_ec_point(EC_KEY_get0_group(key), |
2704 | EC_KEY_get0_public_key(key)); |
2705 | fputs("exponent=", stderr(&__sF[2])); |
2706 | if ((exponent = EC_KEY_get0_private_key(key)) == NULL((void *)0)) |
2707 | fputs("(NULL)", stderr(&__sF[2])); |
2708 | else |
2709 | BN_print_fp(stderr(&__sF[2]), EC_KEY_get0_private_key(key)); |
2710 | fputs("\n", stderr(&__sF[2])); |
2711 | } |
2712 | #endif /* WITH_OPENSSL */ |
2713 | |
2714 | static int |
2715 | sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob, |
2716 | const char *passphrase, const char *comment, const char *ciphername, |
2717 | int rounds) |
2718 | { |
2719 | u_char *cp, *key = NULL((void *)0), *pubkeyblob = NULL((void *)0); |
2720 | u_char salt[SALT_LEN16]; |
2721 | size_t i, pubkeylen, keylen, ivlen, blocksize, authlen; |
2722 | u_int check; |
2723 | int r = SSH_ERR_INTERNAL_ERROR-1; |
2724 | struct sshcipher_ctx *ciphercontext = NULL((void *)0); |
2725 | const struct sshcipher *cipher; |
2726 | const char *kdfname = KDFNAME"bcrypt"; |
2727 | struct sshbuf *encoded = NULL((void *)0), *encrypted = NULL((void *)0), *kdf = NULL((void *)0); |
2728 | |
2729 | if (rounds <= 0) |
2730 | rounds = DEFAULT_ROUNDS24; |
2731 | if (passphrase == NULL((void *)0) || !strlen(passphrase)) { |
2732 | ciphername = "none"; |
2733 | kdfname = "none"; |
2734 | } else if (ciphername == NULL((void *)0)) |
2735 | ciphername = DEFAULT_CIPHERNAME"aes256-ctr"; |
2736 | if ((cipher = cipher_by_name(ciphername)) == NULL((void *)0)) { |
2737 | r = SSH_ERR_INVALID_ARGUMENT-10; |
2738 | goto out; |
2739 | } |
2740 | |
2741 | if ((kdf = sshbuf_new()) == NULL((void *)0) || |
2742 | (encoded = sshbuf_new()) == NULL((void *)0) || |
2743 | (encrypted = sshbuf_new()) == NULL((void *)0)) { |
2744 | r = SSH_ERR_ALLOC_FAIL-2; |
2745 | goto out; |
2746 | } |
2747 | blocksize = cipher_blocksize(cipher); |
2748 | keylen = cipher_keylen(cipher); |
2749 | ivlen = cipher_ivlen(cipher); |
2750 | authlen = cipher_authlen(cipher); |
2751 | if ((key = calloc(1, keylen + ivlen)) == NULL((void *)0)) { |
2752 | r = SSH_ERR_ALLOC_FAIL-2; |
2753 | goto out; |
2754 | } |
2755 | if (strcmp(kdfname, "bcrypt") == 0) { |
2756 | arc4random_buf(salt, SALT_LEN16); |
2757 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), |
2758 | salt, SALT_LEN16, key, keylen + ivlen, rounds) < 0) { |
2759 | r = SSH_ERR_INVALID_ARGUMENT-10; |
2760 | goto out; |
2761 | } |
2762 | if ((r = sshbuf_put_string(kdf, salt, SALT_LEN16)) != 0 || |
2763 | (r = sshbuf_put_u32(kdf, rounds)) != 0) |
2764 | goto out; |
2765 | } else if (strcmp(kdfname, "none") != 0) { |
2766 | /* Unsupported KDF type */ |
2767 | r = SSH_ERR_KEY_UNKNOWN_CIPHER-42; |
2768 | goto out; |
2769 | } |
2770 | if ((r = cipher_init(&ciphercontext, cipher, key, keylen, |
2771 | key + keylen, ivlen, 1)) != 0) |
2772 | goto out; |
2773 | |
2774 | if ((r = sshbuf_put(encoded, AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 || |
2775 | (r = sshbuf_put_cstring(encoded, ciphername)) != 0 || |
2776 | (r = sshbuf_put_cstring(encoded, kdfname)) != 0 || |
2777 | (r = sshbuf_put_stringb(encoded, kdf)) != 0 || |
2778 | (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */ |
2779 | (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 || |
2780 | (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0) |
2781 | goto out; |
2782 | |
2783 | /* set up the buffer that will be encrypted */ |
2784 | |
2785 | /* Random check bytes */ |
2786 | check = arc4random(); |
2787 | if ((r = sshbuf_put_u32(encrypted, check)) != 0 || |
2788 | (r = sshbuf_put_u32(encrypted, check)) != 0) |
2789 | goto out; |
2790 | |
2791 | /* append private key and comment*/ |
2792 | if ((r = sshkey_private_serialize_opt(prv, encrypted, |
2793 | SSHKEY_SERIALIZE_FULL)) != 0 || |
2794 | (r = sshbuf_put_cstring(encrypted, comment)) != 0) |
2795 | goto out; |
2796 | |
2797 | /* padding */ |
2798 | i = 0; |
2799 | while (sshbuf_len(encrypted) % blocksize) { |
2800 | if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0) |
2801 | goto out; |
2802 | } |
2803 | |
2804 | /* length in destination buffer */ |
2805 | if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0) |
2806 | goto out; |
2807 | |
2808 | /* encrypt */ |
2809 | if ((r = sshbuf_reserve(encoded, |
2810 | sshbuf_len(encrypted) + authlen, &cp)) != 0) |
2811 | goto out; |
2812 | if ((r = cipher_crypt(ciphercontext, 0, cp, |
2813 | sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0) |
2814 | goto out; |
2815 | |
2816 | sshbuf_reset(blob); |
2817 | |
2818 | /* assemble uuencoded key */ |
2819 | if ((r = sshbuf_put(blob, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1))) != 0 || |
2820 | (r = sshbuf_dtob64(encoded, blob, 1)) != 0 || |
2821 | (r = sshbuf_put(blob, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1))) != 0) |
2822 | goto out; |
2823 | |
2824 | /* success */ |
2825 | r = 0; |
2826 | |
2827 | out: |
2828 | sshbuf_free(kdf); |
2829 | sshbuf_free(encoded); |
2830 | sshbuf_free(encrypted); |
2831 | cipher_free(ciphercontext); |
2832 | explicit_bzero(salt, sizeof(salt)); |
2833 | if (key != NULL((void *)0)) |
2834 | freezero(key, keylen + ivlen); |
2835 | if (pubkeyblob != NULL((void *)0)) |
2836 | freezero(pubkeyblob, pubkeylen); |
2837 | return r; |
2838 | } |
2839 | |
2840 | static int |
2841 | private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp) |
2842 | { |
2843 | const u_char *cp; |
2844 | size_t encoded_len; |
2845 | int r; |
2846 | u_char last; |
2847 | struct sshbuf *encoded = NULL((void *)0), *decoded = NULL((void *)0); |
2848 | |
2849 | if (blob == NULL((void *)0) || decodedp == NULL((void *)0)) |
2850 | return SSH_ERR_INVALID_ARGUMENT-10; |
2851 | |
2852 | *decodedp = NULL((void *)0); |
2853 | |
2854 | if ((encoded = sshbuf_new()) == NULL((void *)0) || |
2855 | (decoded = sshbuf_new()) == NULL((void *)0)) { |
2856 | r = SSH_ERR_ALLOC_FAIL-2; |
2857 | goto out; |
2858 | } |
2859 | |
2860 | /* check preamble */ |
2861 | cp = sshbuf_ptr(blob); |
2862 | encoded_len = sshbuf_len(blob); |
2863 | if (encoded_len < (MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) + MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) || |
2864 | memcmp(cp, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1)) != 0) { |
2865 | r = SSH_ERR_INVALID_FORMAT-4; |
2866 | goto out; |
2867 | } |
2868 | cp += MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1); |
2869 | encoded_len -= MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1); |
2870 | |
2871 | /* Look for end marker, removing whitespace as we go */ |
2872 | while (encoded_len > 0) { |
2873 | if (*cp != '\n' && *cp != '\r') { |
2874 | if ((r = sshbuf_put_u8(encoded, *cp)) != 0) |
2875 | goto out; |
2876 | } |
2877 | last = *cp; |
2878 | encoded_len--; |
2879 | cp++; |
2880 | if (last == '\n') { |
2881 | if (encoded_len >= MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) && |
2882 | memcmp(cp, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) == 0) { |
2883 | /* \0 terminate */ |
2884 | if ((r = sshbuf_put_u8(encoded, 0)) != 0) |
2885 | goto out; |
2886 | break; |
2887 | } |
2888 | } |
2889 | } |
2890 | if (encoded_len == 0) { |
2891 | r = SSH_ERR_INVALID_FORMAT-4; |
2892 | goto out; |
2893 | } |
2894 | |
2895 | /* decode base64 */ |
2896 | if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0) |
2897 | goto out; |
2898 | |
2899 | /* check magic */ |
2900 | if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC"openssh-key-v1") || |
2901 | memcmp(sshbuf_ptr(decoded), AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) { |
2902 | r = SSH_ERR_INVALID_FORMAT-4; |
2903 | goto out; |
2904 | } |
2905 | /* success */ |
2906 | *decodedp = decoded; |
2907 | decoded = NULL((void *)0); |
2908 | r = 0; |
2909 | out: |
2910 | sshbuf_free(encoded); |
2911 | sshbuf_free(decoded); |
2912 | return r; |
2913 | } |
2914 | |
2915 | static int |
2916 | private2_decrypt(struct sshbuf *decoded, const char *passphrase, |
2917 | struct sshbuf **decryptedp, struct sshkey **pubkeyp) |
2918 | { |
2919 | char *ciphername = NULL((void *)0), *kdfname = NULL((void *)0); |
2920 | const struct sshcipher *cipher = NULL((void *)0); |
2921 | int r = SSH_ERR_INTERNAL_ERROR-1; |
2922 | size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0; |
2923 | struct sshbuf *kdf = NULL((void *)0), *decrypted = NULL((void *)0); |
2924 | struct sshcipher_ctx *ciphercontext = NULL((void *)0); |
2925 | struct sshkey *pubkey = NULL((void *)0); |
2926 | u_char *key = NULL((void *)0), *salt = NULL((void *)0), *dp; |
2927 | u_int blocksize, rounds, nkeys, encrypted_len, check1, check2; |
2928 | |
2929 | if (decoded == NULL((void *)0) || decryptedp == NULL((void *)0) || pubkeyp == NULL((void *)0)) |
2930 | return SSH_ERR_INVALID_ARGUMENT-10; |
2931 | |
2932 | *decryptedp = NULL((void *)0); |
2933 | *pubkeyp = NULL((void *)0); |
2934 | |
2935 | if ((decrypted = sshbuf_new()) == NULL((void *)0)) { |
2936 | r = SSH_ERR_ALLOC_FAIL-2; |
2937 | goto out; |
2938 | } |
2939 | |
2940 | /* parse public portion of key */ |
2941 | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 || |
2942 | (r = sshbuf_get_cstring(decoded, &ciphername, NULL((void *)0))) != 0 || |
2943 | (r = sshbuf_get_cstring(decoded, &kdfname, NULL((void *)0))) != 0 || |
2944 | (r = sshbuf_froms(decoded, &kdf)) != 0 || |
2945 | (r = sshbuf_get_u32(decoded, &nkeys)) != 0) |
2946 | goto out; |
2947 | |
2948 | if (nkeys != 1) { |
2949 | /* XXX only one key supported at present */ |
2950 | r = SSH_ERR_INVALID_FORMAT-4; |
2951 | goto out; |
2952 | } |
2953 | |
2954 | if ((r = sshkey_froms(decoded, &pubkey)) != 0 || |
2955 | (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0) |
2956 | goto out; |
2957 | |
2958 | if ((cipher = cipher_by_name(ciphername)) == NULL((void *)0)) { |
2959 | r = SSH_ERR_KEY_UNKNOWN_CIPHER-42; |
2960 | goto out; |
2961 | } |
2962 | if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) { |
2963 | r = SSH_ERR_KEY_UNKNOWN_CIPHER-42; |
2964 | goto out; |
2965 | } |
2966 | if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) { |
2967 | r = SSH_ERR_INVALID_FORMAT-4; |
2968 | goto out; |
2969 | } |
2970 | if ((passphrase == NULL((void *)0) || strlen(passphrase) == 0) && |
2971 | strcmp(kdfname, "none") != 0) { |
2972 | /* passphrase required */ |
2973 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
2974 | goto out; |
2975 | } |
2976 | |
2977 | /* check size of encrypted key blob */ |
2978 | blocksize = cipher_blocksize(cipher); |
2979 | if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) { |
2980 | r = SSH_ERR_INVALID_FORMAT-4; |
2981 | goto out; |
2982 | } |
2983 | |
2984 | /* setup key */ |
2985 | keylen = cipher_keylen(cipher); |
2986 | ivlen = cipher_ivlen(cipher); |
2987 | authlen = cipher_authlen(cipher); |
2988 | if ((key = calloc(1, keylen + ivlen)) == NULL((void *)0)) { |
2989 | r = SSH_ERR_ALLOC_FAIL-2; |
2990 | goto out; |
2991 | } |
2992 | if (strcmp(kdfname, "bcrypt") == 0) { |
2993 | if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 || |
2994 | (r = sshbuf_get_u32(kdf, &rounds)) != 0) |
2995 | goto out; |
2996 | if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen, |
2997 | key, keylen + ivlen, rounds) < 0) { |
2998 | r = SSH_ERR_INVALID_FORMAT-4; |
2999 | goto out; |
3000 | } |
3001 | } |
3002 | |
3003 | /* check that an appropriate amount of auth data is present */ |
3004 | if (sshbuf_len(decoded) < authlen || |
3005 | sshbuf_len(decoded) - authlen < encrypted_len) { |
3006 | r = SSH_ERR_INVALID_FORMAT-4; |
3007 | goto out; |
3008 | } |
3009 | |
3010 | /* decrypt private portion of key */ |
3011 | if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 || |
3012 | (r = cipher_init(&ciphercontext, cipher, key, keylen, |
3013 | key + keylen, ivlen, 0)) != 0) |
3014 | goto out; |
3015 | if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded), |
3016 | encrypted_len, 0, authlen)) != 0) { |
3017 | /* an integrity error here indicates an incorrect passphrase */ |
3018 | if (r == SSH_ERR_MAC_INVALID-30) |
3019 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
3020 | goto out; |
3021 | } |
3022 | if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0) |
3023 | goto out; |
3024 | /* there should be no trailing data */ |
3025 | if (sshbuf_len(decoded) != 0) { |
3026 | r = SSH_ERR_INVALID_FORMAT-4; |
3027 | goto out; |
3028 | } |
3029 | |
3030 | /* check check bytes */ |
3031 | if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 || |
3032 | (r = sshbuf_get_u32(decrypted, &check2)) != 0) |
3033 | goto out; |
3034 | if (check1 != check2) { |
3035 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
3036 | goto out; |
3037 | } |
3038 | /* success */ |
3039 | *decryptedp = decrypted; |
3040 | decrypted = NULL((void *)0); |
3041 | *pubkeyp = pubkey; |
3042 | pubkey = NULL((void *)0); |
3043 | r = 0; |
3044 | out: |
3045 | cipher_free(ciphercontext); |
3046 | free(ciphername); |
3047 | free(kdfname); |
3048 | sshkey_free(pubkey); |
3049 | if (salt != NULL((void *)0)) { |
3050 | explicit_bzero(salt, slen); |
3051 | free(salt); |
3052 | } |
3053 | if (key != NULL((void *)0)) { |
3054 | explicit_bzero(key, keylen + ivlen); |
3055 | free(key); |
3056 | } |
3057 | sshbuf_free(kdf); |
3058 | sshbuf_free(decrypted); |
3059 | return r; |
3060 | } |
3061 | |
3062 | static int |
3063 | sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, |
3064 | struct sshkey **keyp, char **commentp) |
3065 | { |
3066 | char *comment = NULL((void *)0); |
3067 | int r = SSH_ERR_INTERNAL_ERROR-1; |
3068 | struct sshbuf *decoded = NULL((void *)0), *decrypted = NULL((void *)0); |
3069 | struct sshkey *k = NULL((void *)0), *pubkey = NULL((void *)0); |
3070 | |
3071 | if (keyp != NULL((void *)0)) |
3072 | *keyp = NULL((void *)0); |
3073 | if (commentp != NULL((void *)0)) |
3074 | *commentp = NULL((void *)0); |
3075 | |
3076 | /* Undo base64 encoding and decrypt the private section */ |
3077 | if ((r = private2_uudecode(blob, &decoded)) != 0 || |
3078 | (r = private2_decrypt(decoded, passphrase, |
3079 | &decrypted, &pubkey)) != 0) |
3080 | goto out; |
3081 | |
3082 | if (type != KEY_UNSPEC && |
3083 | sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { |
3084 | r = SSH_ERR_KEY_TYPE_MISMATCH-13; |
3085 | goto out; |
3086 | } |
3087 | |
3088 | /* Load the private key and comment */ |
3089 | if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 || |
3090 | (r = sshbuf_get_cstring(decrypted, &comment, NULL((void *)0))) != 0) |
3091 | goto out; |
3092 | |
3093 | /* Check deterministic padding after private section */ |
3094 | if ((r = private2_check_padding(decrypted)) != 0) |
3095 | goto out; |
3096 | |
3097 | /* Check that the public key in the envelope matches the private key */ |
3098 | if (!sshkey_equal(pubkey, k)) { |
3099 | r = SSH_ERR_INVALID_FORMAT-4; |
3100 | goto out; |
3101 | } |
3102 | |
3103 | /* success */ |
3104 | r = 0; |
3105 | if (keyp != NULL((void *)0)) { |
3106 | *keyp = k; |
3107 | k = NULL((void *)0); |
3108 | } |
3109 | if (commentp != NULL((void *)0)) { |
3110 | *commentp = comment; |
3111 | comment = NULL((void *)0); |
3112 | } |
3113 | out: |
3114 | free(comment); |
3115 | sshbuf_free(decoded); |
3116 | sshbuf_free(decrypted); |
3117 | sshkey_free(k); |
3118 | sshkey_free(pubkey); |
3119 | return r; |
3120 | } |
3121 | |
3122 | static int |
3123 | sshkey_parse_private2_pubkey(struct sshbuf *blob, int type, |
3124 | struct sshkey **keyp) |
3125 | { |
3126 | int r = SSH_ERR_INTERNAL_ERROR-1; |
3127 | struct sshbuf *decoded = NULL((void *)0); |
3128 | struct sshkey *pubkey = NULL((void *)0); |
3129 | u_int nkeys = 0; |
3130 | |
3131 | if (keyp != NULL((void *)0)) |
3132 | *keyp = NULL((void *)0); |
3133 | |
3134 | if ((r = private2_uudecode(blob, &decoded)) != 0) |
3135 | goto out; |
3136 | /* parse public key from unencrypted envelope */ |
3137 | if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 || |
3138 | (r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void *)0), ((void *)0))) != 0 || /* cipher */ |
3139 | (r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void *)0), ((void *)0))) != 0 || /* KDF alg */ |
3140 | (r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void *)0), ((void *)0))) != 0 || /* KDF hint */ |
3141 | (r = sshbuf_get_u32(decoded, &nkeys)) != 0) |
3142 | goto out; |
3143 | |
3144 | if (nkeys != 1) { |
3145 | /* XXX only one key supported at present */ |
3146 | r = SSH_ERR_INVALID_FORMAT-4; |
3147 | goto out; |
3148 | } |
3149 | |
3150 | /* Parse the public key */ |
3151 | if ((r = sshkey_froms(decoded, &pubkey)) != 0) |
3152 | goto out; |
3153 | |
3154 | if (type != KEY_UNSPEC && |
3155 | sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) { |
3156 | r = SSH_ERR_KEY_TYPE_MISMATCH-13; |
3157 | goto out; |
3158 | } |
3159 | |
3160 | /* success */ |
3161 | r = 0; |
3162 | if (keyp != NULL((void *)0)) { |
3163 | *keyp = pubkey; |
3164 | pubkey = NULL((void *)0); |
3165 | } |
3166 | out: |
3167 | sshbuf_free(decoded); |
3168 | sshkey_free(pubkey); |
3169 | return r; |
3170 | } |
3171 | |
3172 | #ifdef WITH_OPENSSL1 |
3173 | /* convert SSH v2 key to PEM or PKCS#8 format */ |
3174 | static int |
3175 | sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, |
3176 | int format, const char *_passphrase, const char *comment) |
3177 | { |
3178 | int was_shielded = sshkey_is_shielded(key); |
3179 | int success, r; |
3180 | int blen, len = strlen(_passphrase); |
3181 | u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL((void *)0); |
3182 | const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL((void *)0); |
3183 | char *bptr; |
3184 | BIO *bio = NULL((void *)0); |
3185 | struct sshbuf *blob; |
3186 | EVP_PKEY *pkey = NULL((void *)0); |
3187 | |
3188 | if (len > 0 && len <= 4) |
3189 | return SSH_ERR_PASSPHRASE_TOO_SHORT-40; |
3190 | if ((blob = sshbuf_new()) == NULL((void *)0)) |
3191 | return SSH_ERR_ALLOC_FAIL-2; |
3192 | if ((bio = BIO_new(BIO_s_mem())) == NULL((void *)0)) { |
3193 | r = SSH_ERR_ALLOC_FAIL-2; |
3194 | goto out; |
3195 | } |
3196 | if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL((void *)0)) { |
3197 | r = SSH_ERR_ALLOC_FAIL-2; |
3198 | goto out; |
3199 | } |
3200 | if ((r = sshkey_unshield_private(key)) != 0) |
3201 | goto out; |
3202 | |
3203 | switch (key->type) { |
3204 | #ifdef WITH_DSA1 |
3205 | case KEY_DSA: |
3206 | if (format == SSHKEY_PRIVATE_PEM) { |
3207 | success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, |
3208 | cipher, passphrase, len, NULL((void *)0), NULL((void *)0)); |
3209 | } else { |
3210 | success = EVP_PKEY_set1_DSA(pkey, key->dsa); |
3211 | } |
3212 | break; |
3213 | #endif |
3214 | case KEY_ECDSA: |
3215 | if (format == SSHKEY_PRIVATE_PEM) { |
3216 | success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, |
3217 | cipher, passphrase, len, NULL((void *)0), NULL((void *)0)); |
3218 | } else { |
3219 | success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa); |
3220 | } |
3221 | break; |
3222 | case KEY_RSA: |
3223 | if (format == SSHKEY_PRIVATE_PEM) { |
3224 | success = PEM_write_bio_RSAPrivateKey(bio, key->rsa, |
3225 | cipher, passphrase, len, NULL((void *)0), NULL((void *)0)); |
3226 | } else { |
3227 | success = EVP_PKEY_set1_RSA(pkey, key->rsa); |
3228 | } |
3229 | break; |
3230 | default: |
3231 | success = 0; |
3232 | break; |
3233 | } |
3234 | if (success == 0) { |
3235 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3236 | goto out; |
3237 | } |
3238 | if (format == SSHKEY_PRIVATE_PKCS8) { |
3239 | if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher, |
3240 | passphrase, len, NULL((void *)0), NULL((void *)0))) == 0) { |
3241 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3242 | goto out; |
3243 | } |
3244 | } |
3245 | if ((blen = BIO_get_mem_data(bio, &bptr)BIO_ctrl(bio,3,0,(char *)&bptr)) <= 0) { |
3246 | r = SSH_ERR_INTERNAL_ERROR-1; |
3247 | goto out; |
3248 | } |
3249 | if ((r = sshbuf_put(blob, bptr, blen)) != 0) |
3250 | goto out; |
3251 | r = 0; |
3252 | out: |
3253 | if (was_shielded) |
3254 | r = sshkey_shield_private(key); |
3255 | if (r == 0) |
3256 | r = sshbuf_putb(buf, blob); |
3257 | |
3258 | EVP_PKEY_free(pkey); |
3259 | sshbuf_free(blob); |
3260 | BIO_free(bio); |
3261 | return r; |
3262 | } |
3263 | #endif /* WITH_OPENSSL */ |
3264 | |
3265 | /* Serialise "key" to buffer "blob" */ |
3266 | int |
3267 | sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob, |
3268 | const char *passphrase, const char *comment, |
3269 | int format, const char *openssh_format_cipher, int openssh_format_rounds) |
3270 | { |
3271 | switch (key->type) { |
3272 | #ifdef WITH_OPENSSL1 |
3273 | case KEY_DSA: |
3274 | case KEY_ECDSA: |
3275 | case KEY_RSA: |
3276 | break; /* see below */ |
3277 | #endif /* WITH_OPENSSL */ |
3278 | case KEY_ED25519: |
3279 | case KEY_ED25519_SK: |
3280 | #ifdef WITH_XMSS |
3281 | case KEY_XMSS: |
3282 | #endif /* WITH_XMSS */ |
3283 | #ifdef WITH_OPENSSL1 |
3284 | case KEY_ECDSA_SK: |
3285 | #endif /* WITH_OPENSSL */ |
3286 | return sshkey_private_to_blob2(key, blob, passphrase, |
3287 | comment, openssh_format_cipher, openssh_format_rounds); |
3288 | default: |
3289 | return SSH_ERR_KEY_TYPE_UNKNOWN-14; |
3290 | } |
3291 | |
3292 | #ifdef WITH_OPENSSL1 |
3293 | switch (format) { |
3294 | case SSHKEY_PRIVATE_OPENSSH: |
3295 | return sshkey_private_to_blob2(key, blob, passphrase, |
3296 | comment, openssh_format_cipher, openssh_format_rounds); |
3297 | case SSHKEY_PRIVATE_PEM: |
3298 | case SSHKEY_PRIVATE_PKCS8: |
3299 | return sshkey_private_to_blob_pem_pkcs8(key, blob, |
3300 | format, passphrase, comment); |
3301 | default: |
3302 | return SSH_ERR_INVALID_ARGUMENT-10; |
3303 | } |
3304 | #endif /* WITH_OPENSSL */ |
3305 | } |
3306 | |
3307 | #ifdef WITH_OPENSSL1 |
3308 | static int |
3309 | translate_libcrypto_error(unsigned long pem_err) |
3310 | { |
3311 | int pem_reason = ERR_GET_REASON(pem_err)(int)((pem_err)&0xfffL); |
3312 | |
3313 | switch (ERR_GET_LIB(pem_err)(int)((((unsigned long)pem_err)>>24L)&0xffL)) { |
3314 | case ERR_LIB_PEM9: |
3315 | switch (pem_reason) { |
3316 | case PEM_R_BAD_PASSWORD_READ104: |
3317 | case PEM_R_PROBLEMS_GETTING_PASSWORD109: |
3318 | case PEM_R_BAD_DECRYPT101: |
3319 | return SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
3320 | default: |
3321 | return SSH_ERR_INVALID_FORMAT-4; |
3322 | } |
3323 | case ERR_LIB_EVP6: |
3324 | switch (pem_reason) { |
3325 | case EVP_R_BAD_DECRYPT100: |
3326 | return SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
3327 | #ifdef EVP_R_BN_DECODE_ERROR112 |
3328 | case EVP_R_BN_DECODE_ERROR112: |
3329 | #endif |
3330 | case EVP_R_DECODE_ERROR114: |
3331 | #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR145 |
3332 | case EVP_R_PRIVATE_KEY_DECODE_ERROR145: |
3333 | #endif |
3334 | return SSH_ERR_INVALID_FORMAT-4; |
3335 | default: |
3336 | return SSH_ERR_LIBCRYPTO_ERROR-22; |
3337 | } |
3338 | case ERR_LIB_ASN113: |
3339 | return SSH_ERR_INVALID_FORMAT-4; |
3340 | } |
3341 | return SSH_ERR_LIBCRYPTO_ERROR-22; |
3342 | } |
3343 | |
3344 | static void |
3345 | clear_libcrypto_errors(void) |
3346 | { |
3347 | while (ERR_get_error() != 0) |
3348 | ; |
3349 | } |
3350 | |
3351 | /* |
3352 | * Translate OpenSSL error codes to determine whether |
3353 | * passphrase is required/incorrect. |
3354 | */ |
3355 | static int |
3356 | convert_libcrypto_error(void) |
3357 | { |
3358 | /* |
3359 | * Some password errors are reported at the beginning |
3360 | * of the error queue. |
3361 | */ |
3362 | if (translate_libcrypto_error(ERR_peek_error()) == |
3363 | SSH_ERR_KEY_WRONG_PASSPHRASE-43) |
3364 | return SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
3365 | return translate_libcrypto_error(ERR_peek_last_error()); |
3366 | } |
3367 | |
3368 | static int |
3369 | sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, |
3370 | const char *passphrase, struct sshkey **keyp) |
3371 | { |
3372 | EVP_PKEY *pk = NULL((void *)0); |
3373 | struct sshkey *prv = NULL((void *)0); |
3374 | BIO *bio = NULL((void *)0); |
3375 | int r; |
3376 | |
3377 | if (keyp != NULL((void *)0)) |
3378 | *keyp = NULL((void *)0); |
3379 | |
3380 | if ((bio = BIO_new(BIO_s_mem())) == NULL((void *)0) || sshbuf_len(blob) > INT_MAX0x7fffffff) |
3381 | return SSH_ERR_ALLOC_FAIL-2; |
3382 | if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) != |
3383 | (int)sshbuf_len(blob)) { |
3384 | r = SSH_ERR_ALLOC_FAIL-2; |
3385 | goto out; |
3386 | } |
3387 | |
3388 | clear_libcrypto_errors(); |
3389 | if ((pk = PEM_read_bio_PrivateKey(bio, NULL((void *)0), NULL((void *)0), |
3390 | (char *)passphrase)) == NULL((void *)0)) { |
3391 | /* |
3392 | * libcrypto may return various ASN.1 errors when attempting |
3393 | * to parse a key with an incorrect passphrase. |
3394 | * Treat all format errors as "incorrect passphrase" if a |
3395 | * passphrase was supplied. |
3396 | */ |
3397 | if (passphrase != NULL((void *)0) && *passphrase != '\0') |
3398 | r = SSH_ERR_KEY_WRONG_PASSPHRASE-43; |
3399 | else |
3400 | r = convert_libcrypto_error(); |
3401 | goto out; |
3402 | } |
3403 | if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA6 && |
3404 | (type == KEY_UNSPEC || type == KEY_RSA)) { |
3405 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) { |
3406 | r = SSH_ERR_ALLOC_FAIL-2; |
3407 | goto out; |
3408 | } |
3409 | prv->rsa = EVP_PKEY_get1_RSA(pk); |
3410 | prv->type = KEY_RSA; |
3411 | #ifdef DEBUG_PK |
3412 | RSA_print_fp(stderr(&__sF[2]), prv->rsa, 8); |
3413 | #endif |
3414 | if (RSA_blinding_on(prv->rsa, NULL((void *)0)) != 1) { |
3415 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3416 | goto out; |
3417 | } |
3418 | if ((r = sshkey_check_rsa_length(prv, 0)) != 0) |
3419 | goto out; |
3420 | #ifdef WITH_DSA1 |
3421 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA116 && |
3422 | (type == KEY_UNSPEC || type == KEY_DSA)) { |
3423 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) { |
3424 | r = SSH_ERR_ALLOC_FAIL-2; |
3425 | goto out; |
3426 | } |
3427 | prv->dsa = EVP_PKEY_get1_DSA(pk); |
3428 | prv->type = KEY_DSA; |
3429 | #ifdef DEBUG_PK |
3430 | DSA_print_fp(stderr(&__sF[2]), prv->dsa, 8); |
3431 | #endif |
3432 | #endif |
3433 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC408 && |
3434 | (type == KEY_UNSPEC || type == KEY_ECDSA)) { |
3435 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) { |
3436 | r = SSH_ERR_ALLOC_FAIL-2; |
3437 | goto out; |
3438 | } |
3439 | prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk); |
3440 | prv->type = KEY_ECDSA; |
3441 | prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa); |
3442 | if (prv->ecdsa_nid == -1 || |
3443 | sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL((void *)0) || |
3444 | sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa), |
3445 | EC_KEY_get0_public_key(prv->ecdsa)) != 0 || |
3446 | sshkey_ec_validate_private(prv->ecdsa) != 0) { |
3447 | r = SSH_ERR_INVALID_FORMAT-4; |
3448 | goto out; |
3449 | } |
3450 | #ifdef DEBUG_PK |
3451 | if (prv != NULL((void *)0) && prv->ecdsa != NULL((void *)0)) |
3452 | sshkey_dump_ec_key(prv->ecdsa); |
3453 | #endif |
3454 | } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_ED25519952 && |
3455 | (type == KEY_UNSPEC || type == KEY_ED25519)) { |
3456 | size_t len; |
3457 | |
3458 | if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0) || |
3459 | (prv->ed25519_sk = calloc(1, ED25519_SK_SZ64U)) == NULL((void *)0) || |
3460 | (prv->ed25519_pk = calloc(1, ED25519_PK_SZ32U)) == NULL((void *)0)) { |
3461 | r = SSH_ERR_ALLOC_FAIL-2; |
3462 | goto out; |
3463 | } |
3464 | prv->type = KEY_ED25519; |
3465 | len = ED25519_PK_SZ32U; |
3466 | if (!EVP_PKEY_get_raw_public_key(pk, prv->ed25519_pk, &len)) { |
3467 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3468 | goto out; |
3469 | } |
3470 | if (len != ED25519_PK_SZ32U) { |
3471 | r = SSH_ERR_INVALID_FORMAT-4; |
3472 | goto out; |
3473 | } |
3474 | len = ED25519_SK_SZ64U - ED25519_PK_SZ32U; |
3475 | if (!EVP_PKEY_get_raw_private_key(pk, prv->ed25519_sk, &len)) { |
3476 | r = SSH_ERR_LIBCRYPTO_ERROR-22; |
3477 | goto out; |
3478 | } |
3479 | if (len != ED25519_SK_SZ64U - ED25519_PK_SZ32U) { |
3480 | r = SSH_ERR_INVALID_FORMAT-4; |
3481 | goto out; |
3482 | } |
3483 | /* Append the public key to our private key */ |
3484 | memcpy(prv->ed25519_sk + (ED25519_SK_SZ64U - ED25519_PK_SZ32U), |
3485 | prv->ed25519_pk, ED25519_PK_SZ32U); |
3486 | #ifdef DEBUG_PK |
3487 | sshbuf_dump_data(prv->ed25519_sk, ED25519_SK_SZ64U, stderr(&__sF[2])); |
3488 | #endif |
3489 | } else { |
3490 | r = SSH_ERR_INVALID_FORMAT-4; |
3491 | goto out; |
3492 | } |
3493 | r = 0; |
3494 | if (keyp != NULL((void *)0)) { |
3495 | *keyp = prv; |
3496 | prv = NULL((void *)0); |
3497 | } |
3498 | out: |
3499 | BIO_free(bio); |
3500 | EVP_PKEY_free(pk); |
3501 | sshkey_free(prv); |
3502 | return r; |
3503 | } |
3504 | #endif /* WITH_OPENSSL */ |
3505 | |
3506 | int |
3507 | sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, |
3508 | const char *passphrase, struct sshkey **keyp, char **commentp) |
3509 | { |
3510 | int r = SSH_ERR_INTERNAL_ERROR-1; |
3511 | |
3512 | if (keyp != NULL((void *)0)) |
3513 | *keyp = NULL((void *)0); |
3514 | if (commentp != NULL((void *)0)) |
3515 | *commentp = NULL((void *)0); |
3516 | |
3517 | switch (type) { |
3518 | case KEY_XMSS: |
3519 | /* No fallback for new-format-only keys */ |
3520 | return sshkey_parse_private2(blob, type, passphrase, |
3521 | keyp, commentp); |
3522 | default: |
3523 | r = sshkey_parse_private2(blob, type, passphrase, keyp, |
3524 | commentp); |
3525 | /* Only fallback to PEM parser if a format error occurred. */ |
3526 | if (r != SSH_ERR_INVALID_FORMAT-4) |
3527 | return r; |
3528 | #ifdef WITH_OPENSSL1 |
3529 | return sshkey_parse_private_pem_fileblob(blob, type, |
3530 | passphrase, keyp); |
3531 | #else |
3532 | return SSH_ERR_INVALID_FORMAT-4; |
3533 | #endif /* WITH_OPENSSL */ |
3534 | } |
3535 | } |
3536 | |
3537 | int |
3538 | sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase, |
3539 | struct sshkey **keyp, char **commentp) |
3540 | { |
3541 | if (keyp != NULL((void *)0)) |
3542 | *keyp = NULL((void *)0); |
3543 | if (commentp != NULL((void *)0)) |
3544 | *commentp = NULL((void *)0); |
3545 | |
3546 | return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC, |
3547 | passphrase, keyp, commentp); |
3548 | } |
3549 | |
3550 | void |
3551 | sshkey_sig_details_free(struct sshkey_sig_details *details) |
3552 | { |
3553 | freezero(details, sizeof(*details)); |
3554 | } |
3555 | |
3556 | int |
3557 | sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, |
3558 | struct sshkey **pubkeyp) |
3559 | { |
3560 | int r = SSH_ERR_INTERNAL_ERROR-1; |
3561 | |
3562 | if (pubkeyp != NULL((void *)0)) |
3563 | *pubkeyp = NULL((void *)0); |
3564 | /* only new-format private keys bundle a public key inside */ |
3565 | if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0) |
3566 | return r; |
3567 | return 0; |
3568 | } |
3569 | |
3570 | #ifdef WITH_XMSS |
3571 | /* |
3572 | * serialize the key with the current state and forward the state |
3573 | * maxsign times. |
3574 | */ |
3575 | int |
3576 | sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, |
3577 | u_int32_t maxsign, int printerror) |
3578 | { |
3579 | int r, rupdate; |
3580 | |
3581 | if (maxsign == 0 || |
3582 | sshkey_type_plain(k->type) != KEY_XMSS) |
3583 | return sshkey_private_serialize_opt(k, b, |
3584 | SSHKEY_SERIALIZE_DEFAULT); |
3585 | if ((r = sshkey_xmss_get_state(k, printerror)) != 0 || |
3586 | (r = sshkey_private_serialize_opt(k, b, |
3587 | SSHKEY_SERIALIZE_STATE)) != 0 || |
3588 | (r = sshkey_xmss_forward_state(k, maxsign)) != 0) |
3589 | goto out; |
3590 | r = 0; |
3591 | out: |
3592 | if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) { |
3593 | if (r == 0) |
3594 | r = rupdate; |
3595 | } |
3596 | return r; |
3597 | } |
3598 | |
3599 | u_int32_t |
3600 | sshkey_signatures_left(const struct sshkey *k) |
3601 | { |
3602 | if (sshkey_type_plain(k->type) == KEY_XMSS) |
3603 | return sshkey_xmss_signatures_left(k); |
3604 | return 0; |
3605 | } |
3606 | |
3607 | int |
3608 | sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) |
3609 | { |
3610 | if (sshkey_type_plain(k->type) != KEY_XMSS) |
3611 | return SSH_ERR_INVALID_ARGUMENT-10; |
3612 | return sshkey_xmss_enable_maxsign(k, maxsign); |
3613 | } |
3614 | |
3615 | int |
3616 | sshkey_set_filename(struct sshkey *k, const char *filename) |
3617 | { |
3618 | if (k == NULL((void *)0)) |
3619 | return SSH_ERR_INVALID_ARGUMENT-10; |
3620 | if (sshkey_type_plain(k->type) != KEY_XMSS) |
3621 | return 0; |
3622 | if (filename == NULL((void *)0)) |
3623 | return SSH_ERR_INVALID_ARGUMENT-10; |
3624 | if ((k->xmss_filename = strdup(filename)) == NULL((void *)0)) |
3625 | return SSH_ERR_ALLOC_FAIL-2; |
3626 | return 0; |
3627 | } |
3628 | #else |
3629 | int |
3630 | sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b, |
3631 | u_int32_t maxsign, int printerror) |
3632 | { |
3633 | return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT); |
3634 | } |
3635 | |
3636 | u_int32_t |
3637 | sshkey_signatures_left(const struct sshkey *k) |
3638 | { |
3639 | return 0; |
3640 | } |
3641 | |
3642 | int |
3643 | sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign) |
3644 | { |
3645 | return SSH_ERR_INVALID_ARGUMENT-10; |
3646 | } |
3647 | |
3648 | int |
3649 | sshkey_set_filename(struct sshkey *k, const char *filename) |
3650 | { |
3651 | if (k == NULL((void *)0)) |
3652 | return SSH_ERR_INVALID_ARGUMENT-10; |
3653 | return 0; |
3654 | } |
3655 | #endif /* WITH_XMSS */ |