blob: e1e882b72617bc8b26335880c0fb7c5f64ebac66 [file] [log] [blame]
djm@openbsd.orgedbb6fe2018-10-09 05:42:23 +00001/* $OpenBSD: sshkey.c,v 1.71 2018/10/09 05:42:23 djm Exp $ */
Damien Miller86687062014-07-02 15:28:02 +10002/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5 * Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 */
27
28#include "includes.h"
29
Damien Miller86687062014-07-02 15:28:02 +100030#include <sys/types.h>
djm@openbsd.org56d1c832014-12-21 22:27:55 +000031#include <netinet/in.h>
Damien Miller86687062014-07-02 15:28:02 +100032
djm@openbsd.org54924b52015-01-14 10:46:28 +000033#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +100034#include <openssl/evp.h>
35#include <openssl/err.h>
36#include <openssl/pem.h>
djm@openbsd.org54924b52015-01-14 10:46:28 +000037#endif
Damien Miller86687062014-07-02 15:28:02 +100038
39#include "crypto_api.h"
40
41#include <errno.h>
deraadt@openbsd.org2ae4f332015-01-16 06:40:12 +000042#include <limits.h>
Damien Miller86687062014-07-02 15:28:02 +100043#include <stdio.h>
44#include <string.h>
Damien Millerd16bdd82014-12-22 10:18:09 +110045#include <resolv.h>
Damien Miller82b24822014-07-02 17:43:41 +100046#ifdef HAVE_UTIL_H
Damien Miller86687062014-07-02 15:28:02 +100047#include <util.h>
Damien Miller82b24822014-07-02 17:43:41 +100048#endif /* HAVE_UTIL_H */
Damien Miller86687062014-07-02 15:28:02 +100049
50#include "ssh2.h"
51#include "ssherr.h"
52#include "misc.h"
53#include "sshbuf.h"
Damien Miller86687062014-07-02 15:28:02 +100054#include "cipher.h"
55#include "digest.h"
56#define SSHKEY_INTERNAL
57#include "sshkey.h"
markus@openbsd.org1b11ea72018-02-23 15:58:37 +000058#include "sshkey-xmss.h"
djm@openbsd.org1f729f02015-01-13 07:39:19 +000059#include "match.h"
Damien Miller86687062014-07-02 15:28:02 +100060
markus@openbsd.org1b11ea72018-02-23 15:58:37 +000061#include "xmss_fast.h"
62
Damien Miller48f54b92018-09-13 12:13:50 +100063#include "openbsd-compat/openssl-compat.h"
64
Damien Miller86687062014-07-02 15:28:02 +100065/* openssh private key file format */
66#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
67#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
68#define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
69#define MARK_END_LEN (sizeof(MARK_END) - 1)
70#define KDFNAME "bcrypt"
71#define AUTH_MAGIC "openssh-key-v1"
72#define SALT_LEN 16
djm@openbsd.org0f345532017-08-12 06:42:52 +000073#define DEFAULT_CIPHERNAME "aes256-ctr"
Damien Miller86687062014-07-02 15:28:02 +100074#define DEFAULT_ROUNDS 16
75
76/* Version identification string for SSH v1 identity files. */
77#define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n"
78
markus@openbsd.org1b11ea72018-02-23 15:58:37 +000079int sshkey_private_serialize_opt(const struct sshkey *key,
80 struct sshbuf *buf, enum sshkey_serialize_rep);
djm@openbsd.org60b18252015-01-26 02:59:11 +000081static int sshkey_from_blob_internal(struct sshbuf *buf,
Damien Miller86687062014-07-02 15:28:02 +100082 struct sshkey **keyp, int allow_cert);
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +000083static int get_sigtype(const u_char *sig, size_t siglen, char **sigtypep);
Damien Miller86687062014-07-02 15:28:02 +100084
85/* Supported key types */
86struct keytype {
87 const char *name;
88 const char *shortname;
djm@openbsd.org4ba0d542018-07-03 11:39:54 +000089 const char *sigalg;
Damien Miller86687062014-07-02 15:28:02 +100090 int type;
91 int nid;
92 int cert;
markus@openbsd.org76c9fbb2015-12-04 16:41:28 +000093 int sigonly;
Damien Miller86687062014-07-02 15:28:02 +100094};
95static const struct keytype keytypes[] = {
djm@openbsd.org4ba0d542018-07-03 11:39:54 +000096 { "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 },
97 { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL,
markus@openbsd.org76c9fbb2015-12-04 16:41:28 +000098 KEY_ED25519_CERT, 0, 1, 0 },
markus@openbsd.org1b11ea72018-02-23 15:58:37 +000099#ifdef WITH_XMSS
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000100 { "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 },
101 { "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL,
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000102 KEY_XMSS_CERT, 0, 1, 0 },
103#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +1000104#ifdef WITH_OPENSSL
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000105 { "ssh-rsa", "RSA", NULL, KEY_RSA, 0, 0, 0 },
106 { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
107 { "rsa-sha2-512", "RSA", NULL, KEY_RSA, 0, 0, 1 },
108 { "ssh-dss", "DSA", NULL, KEY_DSA, 0, 0, 0 },
Damien Miller86687062014-07-02 15:28:02 +1000109# ifdef OPENSSL_HAS_ECC
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000110 { "ecdsa-sha2-nistp256", "ECDSA", NULL,
111 KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
112 { "ecdsa-sha2-nistp384", "ECDSA", NULL,
113 KEY_ECDSA, NID_secp384r1, 0, 0 },
Damien Miller86687062014-07-02 15:28:02 +1000114# ifdef OPENSSL_HAS_NISTP521
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000115 { "ecdsa-sha2-nistp521", "ECDSA", NULL,
116 KEY_ECDSA, NID_secp521r1, 0, 0 },
Damien Miller86687062014-07-02 15:28:02 +1000117# endif /* OPENSSL_HAS_NISTP521 */
118# endif /* OPENSSL_HAS_ECC */
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000119 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL,
120 KEY_RSA_CERT, 0, 1, 0 },
121 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT",
122 "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
123 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT",
124 "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
125 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL,
126 KEY_DSA_CERT, 0, 1, 0 },
127 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL,
128 KEY_RSA_CERT, 0, 1, 0 },
129 { "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT",
130 "ssh-rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
131 { "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT",
132 "ssh-rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
133 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL,
134 KEY_DSA_CERT, 0, 1, 0 },
Damien Miller86687062014-07-02 15:28:02 +1000135# ifdef OPENSSL_HAS_ECC
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000136 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL,
markus@openbsd.org76c9fbb2015-12-04 16:41:28 +0000137 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000138 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL,
markus@openbsd.org76c9fbb2015-12-04 16:41:28 +0000139 KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
Damien Miller86687062014-07-02 15:28:02 +1000140# ifdef OPENSSL_HAS_NISTP521
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000141 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL,
142 KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
Damien Miller86687062014-07-02 15:28:02 +1000143# endif /* OPENSSL_HAS_NISTP521 */
144# endif /* OPENSSL_HAS_ECC */
Damien Miller86687062014-07-02 15:28:02 +1000145#endif /* WITH_OPENSSL */
djm@openbsd.org4ba0d542018-07-03 11:39:54 +0000146 { NULL, NULL, NULL, -1, -1, 0, 0 }
Damien Miller86687062014-07-02 15:28:02 +1000147};
148
149const char *
150sshkey_type(const struct sshkey *k)
151{
152 const struct keytype *kt;
153
154 for (kt = keytypes; kt->type != -1; kt++) {
155 if (kt->type == k->type)
156 return kt->shortname;
157 }
158 return "unknown";
159}
160
161static const char *
162sshkey_ssh_name_from_type_nid(int type, int nid)
163{
164 const struct keytype *kt;
165
166 for (kt = keytypes; kt->type != -1; kt++) {
167 if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
168 return kt->name;
169 }
170 return "ssh-unknown";
171}
172
173int
174sshkey_type_is_cert(int type)
175{
176 const struct keytype *kt;
177
178 for (kt = keytypes; kt->type != -1; kt++) {
179 if (kt->type == type)
180 return kt->cert;
181 }
182 return 0;
183}
184
185const char *
186sshkey_ssh_name(const struct sshkey *k)
187{
188 return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
189}
190
191const char *
192sshkey_ssh_name_plain(const struct sshkey *k)
193{
194 return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
195 k->ecdsa_nid);
196}
197
198int
199sshkey_type_from_name(const char *name)
200{
201 const struct keytype *kt;
202
203 for (kt = keytypes; kt->type != -1; kt++) {
204 /* Only allow shortname matches for plain key types */
205 if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
206 (!kt->cert && strcasecmp(kt->shortname, name) == 0))
207 return kt->type;
208 }
209 return KEY_UNSPEC;
210}
211
212int
213sshkey_ecdsa_nid_from_name(const char *name)
214{
215 const struct keytype *kt;
216
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +0000217 for (kt = keytypes; kt->type != -1; kt++) {
218 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
219 continue;
220 if (kt->name != NULL && strcmp(name, kt->name) == 0)
221 return kt->nid;
222 }
Damien Miller86687062014-07-02 15:28:02 +1000223 return -1;
224}
225
226char *
djm@openbsd.org183ba552017-03-10 04:07:20 +0000227sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
Damien Miller86687062014-07-02 15:28:02 +1000228{
229 char *tmp, *ret = NULL;
230 size_t nlen, rlen = 0;
231 const struct keytype *kt;
232
233 for (kt = keytypes; kt->type != -1; kt++) {
djm@openbsd.org183ba552017-03-10 04:07:20 +0000234 if (kt->name == NULL)
235 continue;
236 if (!include_sigonly && kt->sigonly)
Damien Miller86687062014-07-02 15:28:02 +1000237 continue;
238 if ((certs_only && !kt->cert) || (plain_only && kt->cert))
239 continue;
240 if (ret != NULL)
djm@openbsd.org130f5df2016-09-12 23:31:27 +0000241 ret[rlen++] = sep;
Damien Miller86687062014-07-02 15:28:02 +1000242 nlen = strlen(kt->name);
243 if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
244 free(ret);
245 return NULL;
246 }
247 ret = tmp;
248 memcpy(ret + rlen, kt->name, nlen + 1);
249 rlen += nlen;
250 }
251 return ret;
252}
253
254int
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000255sshkey_names_valid2(const char *names, int allow_wildcard)
Damien Miller86687062014-07-02 15:28:02 +1000256{
257 char *s, *cp, *p;
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000258 const struct keytype *kt;
259 int type;
Damien Miller86687062014-07-02 15:28:02 +1000260
261 if (names == NULL || strcmp(names, "") == 0)
262 return 0;
263 if ((s = cp = strdup(names)) == NULL)
264 return 0;
265 for ((p = strsep(&cp, ",")); p && *p != '\0';
266 (p = strsep(&cp, ","))) {
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000267 type = sshkey_type_from_name(p);
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000268 if (type == KEY_UNSPEC) {
269 if (allow_wildcard) {
270 /*
271 * Try matching key types against the string.
272 * If any has a positive or negative match then
273 * the component is accepted.
274 */
275 for (kt = keytypes; kt->type != -1; kt++) {
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000276 if (match_pattern_list(kt->name,
djm@openbsd.orge661a862015-05-04 06:10:48 +0000277 p, 0) != 0)
djm@openbsd.org1f729f02015-01-13 07:39:19 +0000278 break;
279 }
280 if (kt->type != -1)
281 continue;
282 }
Damien Miller86687062014-07-02 15:28:02 +1000283 free(s);
284 return 0;
285 }
286 }
287 free(s);
288 return 1;
289}
290
291u_int
292sshkey_size(const struct sshkey *k)
293{
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000294#ifdef WITH_OPENSSL
295 const BIGNUM *rsa_n, *dsa_p;
296#endif /* WITH_OPENSSL */
297
Damien Miller86687062014-07-02 15:28:02 +1000298 switch (k->type) {
299#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +1000300 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +1000301 case KEY_RSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000302 if (k->rsa == NULL)
303 return 0;
304 RSA_get0_key(k->rsa, &rsa_n, NULL, NULL);
305 return BN_num_bits(rsa_n);
Damien Miller86687062014-07-02 15:28:02 +1000306 case KEY_DSA:
Damien Miller86687062014-07-02 15:28:02 +1000307 case KEY_DSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000308 if (k->dsa == NULL)
309 return 0;
310 DSA_get0_pqg(k->dsa, &dsa_p, NULL, NULL);
311 return BN_num_bits(dsa_p);
Damien Miller86687062014-07-02 15:28:02 +1000312 case KEY_ECDSA:
313 case KEY_ECDSA_CERT:
314 return sshkey_curve_nid_to_bits(k->ecdsa_nid);
315#endif /* WITH_OPENSSL */
316 case KEY_ED25519:
317 case KEY_ED25519_CERT:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000318 case KEY_XMSS:
319 case KEY_XMSS_CERT:
Damien Miller86687062014-07-02 15:28:02 +1000320 return 256; /* XXX */
321 }
322 return 0;
323}
324
Damien Miller86687062014-07-02 15:28:02 +1000325static int
326sshkey_type_is_valid_ca(int type)
327{
328 switch (type) {
329 case KEY_RSA:
330 case KEY_DSA:
331 case KEY_ECDSA:
332 case KEY_ED25519:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000333 case KEY_XMSS:
Damien Miller86687062014-07-02 15:28:02 +1000334 return 1;
335 default:
336 return 0;
337 }
338}
339
340int
341sshkey_is_cert(const struct sshkey *k)
342{
343 if (k == NULL)
344 return 0;
345 return sshkey_type_is_cert(k->type);
346}
347
348/* Return the cert-less equivalent to a certified key type */
349int
350sshkey_type_plain(int type)
351{
352 switch (type) {
Damien Miller86687062014-07-02 15:28:02 +1000353 case KEY_RSA_CERT:
354 return KEY_RSA;
Damien Miller86687062014-07-02 15:28:02 +1000355 case KEY_DSA_CERT:
356 return KEY_DSA;
357 case KEY_ECDSA_CERT:
358 return KEY_ECDSA;
359 case KEY_ED25519_CERT:
360 return KEY_ED25519;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000361 case KEY_XMSS_CERT:
362 return KEY_XMSS;
Damien Miller86687062014-07-02 15:28:02 +1000363 default:
364 return type;
365 }
366}
367
368#ifdef WITH_OPENSSL
369/* XXX: these are really begging for a table-driven approach */
370int
371sshkey_curve_name_to_nid(const char *name)
372{
373 if (strcmp(name, "nistp256") == 0)
374 return NID_X9_62_prime256v1;
375 else if (strcmp(name, "nistp384") == 0)
376 return NID_secp384r1;
377# ifdef OPENSSL_HAS_NISTP521
378 else if (strcmp(name, "nistp521") == 0)
379 return NID_secp521r1;
380# endif /* OPENSSL_HAS_NISTP521 */
381 else
382 return -1;
383}
384
385u_int
386sshkey_curve_nid_to_bits(int nid)
387{
388 switch (nid) {
389 case NID_X9_62_prime256v1:
390 return 256;
391 case NID_secp384r1:
392 return 384;
393# ifdef OPENSSL_HAS_NISTP521
394 case NID_secp521r1:
395 return 521;
396# endif /* OPENSSL_HAS_NISTP521 */
397 default:
398 return 0;
399 }
400}
401
402int
403sshkey_ecdsa_bits_to_nid(int bits)
404{
405 switch (bits) {
406 case 256:
407 return NID_X9_62_prime256v1;
408 case 384:
409 return NID_secp384r1;
410# ifdef OPENSSL_HAS_NISTP521
411 case 521:
412 return NID_secp521r1;
413# endif /* OPENSSL_HAS_NISTP521 */
414 default:
415 return -1;
416 }
417}
418
419const char *
420sshkey_curve_nid_to_name(int nid)
421{
422 switch (nid) {
423 case NID_X9_62_prime256v1:
424 return "nistp256";
425 case NID_secp384r1:
426 return "nistp384";
427# ifdef OPENSSL_HAS_NISTP521
428 case NID_secp521r1:
429 return "nistp521";
430# endif /* OPENSSL_HAS_NISTP521 */
431 default:
432 return NULL;
433 }
434}
435
436int
437sshkey_ec_nid_to_hash_alg(int nid)
438{
439 int kbits = sshkey_curve_nid_to_bits(nid);
440
441 if (kbits <= 0)
442 return -1;
443
444 /* RFC5656 section 6.2.1 */
445 if (kbits <= 256)
446 return SSH_DIGEST_SHA256;
447 else if (kbits <= 384)
448 return SSH_DIGEST_SHA384;
449 else
450 return SSH_DIGEST_SHA512;
451}
452#endif /* WITH_OPENSSL */
453
454static void
455cert_free(struct sshkey_cert *cert)
456{
457 u_int i;
458
459 if (cert == NULL)
460 return;
mmcc@openbsd.org52d70782015-12-11 04:21:11 +0000461 sshbuf_free(cert->certblob);
462 sshbuf_free(cert->critical);
463 sshbuf_free(cert->extensions);
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +0000464 free(cert->key_id);
Damien Miller86687062014-07-02 15:28:02 +1000465 for (i = 0; i < cert->nprincipals; i++)
466 free(cert->principals[i]);
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +0000467 free(cert->principals);
mmcc@openbsd.org89540b62015-12-11 02:31:47 +0000468 sshkey_free(cert->signature_key);
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +0000469 free(cert->signature_type);
jsing@openbsd.org4270efa2018-02-14 16:03:32 +0000470 freezero(cert, sizeof(*cert));
Damien Miller86687062014-07-02 15:28:02 +1000471}
472
473static struct sshkey_cert *
474cert_new(void)
475{
476 struct sshkey_cert *cert;
477
478 if ((cert = calloc(1, sizeof(*cert))) == NULL)
479 return NULL;
480 if ((cert->certblob = sshbuf_new()) == NULL ||
481 (cert->critical = sshbuf_new()) == NULL ||
482 (cert->extensions = sshbuf_new()) == NULL) {
483 cert_free(cert);
484 return NULL;
485 }
486 cert->key_id = NULL;
487 cert->principals = NULL;
488 cert->signature_key = NULL;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +0000489 cert->signature_type = NULL;
Damien Miller86687062014-07-02 15:28:02 +1000490 return cert;
491}
492
493struct sshkey *
494sshkey_new(int type)
495{
496 struct sshkey *k;
497#ifdef WITH_OPENSSL
498 RSA *rsa;
499 DSA *dsa;
500#endif /* WITH_OPENSSL */
501
502 if ((k = calloc(1, sizeof(*k))) == NULL)
503 return NULL;
504 k->type = type;
505 k->ecdsa = NULL;
506 k->ecdsa_nid = -1;
507 k->dsa = NULL;
508 k->rsa = NULL;
509 k->cert = NULL;
510 k->ed25519_sk = NULL;
511 k->ed25519_pk = NULL;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000512 k->xmss_sk = NULL;
513 k->xmss_pk = NULL;
Damien Miller86687062014-07-02 15:28:02 +1000514 switch (k->type) {
515#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +1000516 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +1000517 case KEY_RSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000518 if ((rsa = RSA_new()) == NULL) {
Damien Miller86687062014-07-02 15:28:02 +1000519 free(k);
520 return NULL;
521 }
522 k->rsa = rsa;
523 break;
524 case KEY_DSA:
Damien Miller86687062014-07-02 15:28:02 +1000525 case KEY_DSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000526 if ((dsa = DSA_new()) == NULL) {
Damien Miller86687062014-07-02 15:28:02 +1000527 free(k);
528 return NULL;
529 }
530 k->dsa = dsa;
531 break;
532 case KEY_ECDSA:
533 case KEY_ECDSA_CERT:
534 /* Cannot do anything until we know the group */
535 break;
536#endif /* WITH_OPENSSL */
537 case KEY_ED25519:
538 case KEY_ED25519_CERT:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000539 case KEY_XMSS:
540 case KEY_XMSS_CERT:
Damien Miller86687062014-07-02 15:28:02 +1000541 /* no need to prealloc */
542 break;
543 case KEY_UNSPEC:
544 break;
545 default:
546 free(k);
547 return NULL;
Damien Miller86687062014-07-02 15:28:02 +1000548 }
549
550 if (sshkey_is_cert(k)) {
551 if ((k->cert = cert_new()) == NULL) {
552 sshkey_free(k);
553 return NULL;
554 }
555 }
556
557 return k;
558}
559
Damien Miller86687062014-07-02 15:28:02 +1000560void
561sshkey_free(struct sshkey *k)
562{
563 if (k == NULL)
564 return;
565 switch (k->type) {
566#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +1000567 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +1000568 case KEY_RSA_CERT:
jsing@openbsd.org7cd31632018-02-07 02:06:50 +0000569 RSA_free(k->rsa);
Damien Miller86687062014-07-02 15:28:02 +1000570 k->rsa = NULL;
571 break;
572 case KEY_DSA:
Damien Miller86687062014-07-02 15:28:02 +1000573 case KEY_DSA_CERT:
jsing@openbsd.org7cd31632018-02-07 02:06:50 +0000574 DSA_free(k->dsa);
Damien Miller86687062014-07-02 15:28:02 +1000575 k->dsa = NULL;
576 break;
577# ifdef OPENSSL_HAS_ECC
578 case KEY_ECDSA:
579 case KEY_ECDSA_CERT:
jsing@openbsd.org7cd31632018-02-07 02:06:50 +0000580 EC_KEY_free(k->ecdsa);
Damien Miller86687062014-07-02 15:28:02 +1000581 k->ecdsa = NULL;
582 break;
583# endif /* OPENSSL_HAS_ECC */
584#endif /* WITH_OPENSSL */
585 case KEY_ED25519:
586 case KEY_ED25519_CERT:
jsing@openbsd.org4270efa2018-02-14 16:03:32 +0000587 freezero(k->ed25519_pk, ED25519_PK_SZ);
588 k->ed25519_pk = NULL;
589 freezero(k->ed25519_sk, ED25519_SK_SZ);
590 k->ed25519_sk = NULL;
Damien Miller86687062014-07-02 15:28:02 +1000591 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000592#ifdef WITH_XMSS
593 case KEY_XMSS:
594 case KEY_XMSS_CERT:
595 freezero(k->xmss_pk, sshkey_xmss_pklen(k));
596 k->xmss_pk = NULL;
597 freezero(k->xmss_sk, sshkey_xmss_sklen(k));
598 k->xmss_sk = NULL;
599 sshkey_xmss_free_state(k);
600 free(k->xmss_name);
601 k->xmss_name = NULL;
602 free(k->xmss_filename);
603 k->xmss_filename = NULL;
604 break;
605#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +1000606 case KEY_UNSPEC:
607 break;
608 default:
609 break;
610 }
611 if (sshkey_is_cert(k))
612 cert_free(k->cert);
jsing@openbsd.org4270efa2018-02-14 16:03:32 +0000613 freezero(k, sizeof(*k));
Damien Miller86687062014-07-02 15:28:02 +1000614}
615
616static int
617cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
618{
619 if (a == NULL && b == NULL)
620 return 1;
621 if (a == NULL || b == NULL)
622 return 0;
623 if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
624 return 0;
625 if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
626 sshbuf_len(a->certblob)) != 0)
627 return 0;
628 return 1;
629}
630
631/*
632 * Compare public portions of key only, allowing comparisons between
633 * certificates and plain keys too.
634 */
635int
636sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
637{
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000638#if defined(WITH_OPENSSL)
639 const BIGNUM *rsa_e_a, *rsa_n_a;
640 const BIGNUM *rsa_e_b, *rsa_n_b;
641 const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a;
642 const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b;
643# if defined(OPENSSL_HAS_ECC)
Damien Miller86687062014-07-02 15:28:02 +1000644 BN_CTX *bnctx;
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000645# endif /* OPENSSL_HAS_ECC */
646#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +1000647
648 if (a == NULL || b == NULL ||
649 sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
650 return 0;
651
652 switch (a->type) {
653#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +1000654 case KEY_RSA_CERT:
655 case KEY_RSA:
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000656 if (a->rsa == NULL || b->rsa == NULL)
657 return 0;
658 RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL);
659 RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL);
660 return BN_cmp(rsa_e_a, rsa_e_b) == 0 &&
661 BN_cmp(rsa_n_a, rsa_n_b) == 0;
Damien Miller86687062014-07-02 15:28:02 +1000662 case KEY_DSA_CERT:
663 case KEY_DSA:
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000664 if (a->dsa == NULL || b->dsa == NULL)
665 return 0;
666 DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
667 DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
668 DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL);
669 DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL);
670 return BN_cmp(dsa_p_a, dsa_p_b) == 0 &&
671 BN_cmp(dsa_q_a, dsa_q_b) == 0 &&
672 BN_cmp(dsa_g_a, dsa_g_b) == 0 &&
673 BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0;
Damien Miller86687062014-07-02 15:28:02 +1000674# ifdef OPENSSL_HAS_ECC
675 case KEY_ECDSA_CERT:
676 case KEY_ECDSA:
677 if (a->ecdsa == NULL || b->ecdsa == NULL ||
678 EC_KEY_get0_public_key(a->ecdsa) == NULL ||
679 EC_KEY_get0_public_key(b->ecdsa) == NULL)
680 return 0;
681 if ((bnctx = BN_CTX_new()) == NULL)
682 return 0;
683 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
684 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
685 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
686 EC_KEY_get0_public_key(a->ecdsa),
687 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
688 BN_CTX_free(bnctx);
689 return 0;
690 }
691 BN_CTX_free(bnctx);
692 return 1;
693# endif /* OPENSSL_HAS_ECC */
694#endif /* WITH_OPENSSL */
695 case KEY_ED25519:
696 case KEY_ED25519_CERT:
697 return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
698 memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000699#ifdef WITH_XMSS
700 case KEY_XMSS:
701 case KEY_XMSS_CERT:
702 return a->xmss_pk != NULL && b->xmss_pk != NULL &&
703 sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) &&
704 memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0;
705#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +1000706 default:
707 return 0;
708 }
709 /* NOTREACHED */
710}
711
712int
713sshkey_equal(const struct sshkey *a, const struct sshkey *b)
714{
715 if (a == NULL || b == NULL || a->type != b->type)
716 return 0;
717 if (sshkey_is_cert(a)) {
718 if (!cert_compare(a->cert, b->cert))
719 return 0;
720 }
721 return sshkey_equal_public(a, b);
722}
723
724static int
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000725to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
726 enum sshkey_serialize_rep opts)
Damien Miller86687062014-07-02 15:28:02 +1000727{
728 int type, ret = SSH_ERR_INTERNAL_ERROR;
729 const char *typename;
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000730#ifdef WITH_OPENSSL
731 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
732#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +1000733
734 if (key == NULL)
735 return SSH_ERR_INVALID_ARGUMENT;
736
djm@openbsd.orgd80fbe42015-05-21 04:55:51 +0000737 if (sshkey_is_cert(key)) {
738 if (key->cert == NULL)
739 return SSH_ERR_EXPECTED_CERT;
740 if (sshbuf_len(key->cert->certblob) == 0)
741 return SSH_ERR_KEY_LACKS_CERTBLOB;
742 }
Damien Miller86687062014-07-02 15:28:02 +1000743 type = force_plain ? sshkey_type_plain(key->type) : key->type;
744 typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
745
746 switch (type) {
747#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +1000748 case KEY_DSA_CERT:
749 case KEY_ECDSA_CERT:
750 case KEY_RSA_CERT:
751#endif /* WITH_OPENSSL */
752 case KEY_ED25519_CERT:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000753#ifdef WITH_XMSS
754 case KEY_XMSS_CERT:
755#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +1000756 /* Use the existing blob */
757 /* XXX modified flag? */
758 if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
759 return ret;
760 break;
761#ifdef WITH_OPENSSL
762 case KEY_DSA:
763 if (key->dsa == NULL)
764 return SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000765 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
766 DSA_get0_key(key->dsa, &dsa_pub_key, NULL);
Damien Miller86687062014-07-02 15:28:02 +1000767 if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000768 (ret = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
769 (ret = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
770 (ret = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
771 (ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
Damien Miller86687062014-07-02 15:28:02 +1000772 return ret;
773 break;
Darren Tuckerd1a04212014-07-19 07:23:55 +1000774# ifdef OPENSSL_HAS_ECC
Damien Miller86687062014-07-02 15:28:02 +1000775 case KEY_ECDSA:
776 if (key->ecdsa == NULL)
777 return SSH_ERR_INVALID_ARGUMENT;
778 if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
779 (ret = sshbuf_put_cstring(b,
780 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
781 (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
782 return ret;
783 break;
Darren Tuckerd1a04212014-07-19 07:23:55 +1000784# endif
Damien Miller86687062014-07-02 15:28:02 +1000785 case KEY_RSA:
786 if (key->rsa == NULL)
787 return SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000788 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL);
Damien Miller86687062014-07-02 15:28:02 +1000789 if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
djm@openbsd.org482d23b2018-09-13 02:08:33 +0000790 (ret = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
791 (ret = sshbuf_put_bignum2(b, rsa_n)) != 0)
Damien Miller86687062014-07-02 15:28:02 +1000792 return ret;
793 break;
794#endif /* WITH_OPENSSL */
795 case KEY_ED25519:
796 if (key->ed25519_pk == NULL)
797 return SSH_ERR_INVALID_ARGUMENT;
798 if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
799 (ret = sshbuf_put_string(b,
800 key->ed25519_pk, ED25519_PK_SZ)) != 0)
801 return ret;
802 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000803#ifdef WITH_XMSS
804 case KEY_XMSS:
805 if (key->xmss_name == NULL || key->xmss_pk == NULL ||
806 sshkey_xmss_pklen(key) == 0)
807 return SSH_ERR_INVALID_ARGUMENT;
808 if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
809 (ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
810 (ret = sshbuf_put_string(b,
811 key->xmss_pk, sshkey_xmss_pklen(key))) != 0 ||
812 (ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0)
813 return ret;
814 break;
815#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +1000816 default:
817 return SSH_ERR_KEY_TYPE_UNKNOWN;
818 }
819 return 0;
820}
821
822int
djm@openbsd.org60b18252015-01-26 02:59:11 +0000823sshkey_putb(const struct sshkey *key, struct sshbuf *b)
Damien Miller86687062014-07-02 15:28:02 +1000824{
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000825 return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
Damien Miller86687062014-07-02 15:28:02 +1000826}
827
828int
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000829sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b,
830 enum sshkey_serialize_rep opts)
djm@openbsd.org60b18252015-01-26 02:59:11 +0000831{
832 struct sshbuf *tmp;
833 int r;
834
835 if ((tmp = sshbuf_new()) == NULL)
836 return SSH_ERR_ALLOC_FAIL;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000837 r = to_blob_buf(key, tmp, 0, opts);
djm@openbsd.org60b18252015-01-26 02:59:11 +0000838 if (r == 0)
839 r = sshbuf_put_stringb(b, tmp);
840 sshbuf_free(tmp);
841 return r;
842}
843
844int
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000845sshkey_puts(const struct sshkey *key, struct sshbuf *b)
846{
847 return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
848}
849
850int
djm@openbsd.org60b18252015-01-26 02:59:11 +0000851sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
Damien Miller86687062014-07-02 15:28:02 +1000852{
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000853 return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
Damien Miller86687062014-07-02 15:28:02 +1000854}
855
856static int
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000857to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain,
858 enum sshkey_serialize_rep opts)
Damien Miller86687062014-07-02 15:28:02 +1000859{
860 int ret = SSH_ERR_INTERNAL_ERROR;
861 size_t len;
862 struct sshbuf *b = NULL;
863
864 if (lenp != NULL)
865 *lenp = 0;
866 if (blobp != NULL)
867 *blobp = NULL;
868 if ((b = sshbuf_new()) == NULL)
869 return SSH_ERR_ALLOC_FAIL;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000870 if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
Damien Miller86687062014-07-02 15:28:02 +1000871 goto out;
872 len = sshbuf_len(b);
873 if (lenp != NULL)
874 *lenp = len;
875 if (blobp != NULL) {
876 if ((*blobp = malloc(len)) == NULL) {
877 ret = SSH_ERR_ALLOC_FAIL;
878 goto out;
879 }
880 memcpy(*blobp, sshbuf_ptr(b), len);
881 }
882 ret = 0;
883 out:
884 sshbuf_free(b);
885 return ret;
886}
887
888int
889sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
890{
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000891 return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
Damien Miller86687062014-07-02 15:28:02 +1000892}
893
894int
895sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
896{
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000897 return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
Damien Miller86687062014-07-02 15:28:02 +1000898}
899
900int
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000901sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
Damien Miller86687062014-07-02 15:28:02 +1000902 u_char **retp, size_t *lenp)
903{
904 u_char *blob = NULL, *ret = NULL;
905 size_t blob_len = 0;
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000906 int r = SSH_ERR_INTERNAL_ERROR;
Damien Miller86687062014-07-02 15:28:02 +1000907
908 if (retp != NULL)
909 *retp = NULL;
910 if (lenp != NULL)
911 *lenp = 0;
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000912 if (ssh_digest_bytes(dgst_alg) == 0) {
Damien Miller86687062014-07-02 15:28:02 +1000913 r = SSH_ERR_INVALID_ARGUMENT;
914 goto out;
915 }
markus@openbsd.org1b11ea72018-02-23 15:58:37 +0000916 if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
917 != 0)
Damien Miller86687062014-07-02 15:28:02 +1000918 goto out;
919 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
920 r = SSH_ERR_ALLOC_FAIL;
921 goto out;
922 }
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000923 if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
Damien Miller86687062014-07-02 15:28:02 +1000924 ret, SSH_DIGEST_MAX_LENGTH)) != 0)
925 goto out;
926 /* success */
927 if (retp != NULL) {
928 *retp = ret;
929 ret = NULL;
930 }
931 if (lenp != NULL)
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000932 *lenp = ssh_digest_bytes(dgst_alg);
Damien Miller86687062014-07-02 15:28:02 +1000933 r = 0;
934 out:
935 free(ret);
936 if (blob != NULL) {
937 explicit_bzero(blob, blob_len);
938 free(blob);
939 }
940 return r;
941}
942
943static char *
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000944fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
Damien Miller86687062014-07-02 15:28:02 +1000945{
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000946 char *ret;
947 size_t plen = strlen(alg) + 1;
948 size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
949 int r;
Damien Miller86687062014-07-02 15:28:02 +1000950
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000951 if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
Damien Miller86687062014-07-02 15:28:02 +1000952 return NULL;
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000953 strlcpy(ret, alg, rlen);
954 strlcat(ret, ":", rlen);
955 if (dgst_raw_len == 0)
956 return ret;
957 if ((r = b64_ntop(dgst_raw, dgst_raw_len,
958 ret + plen, rlen - plen)) == -1) {
jsing@openbsd.org4270efa2018-02-14 16:03:32 +0000959 freezero(ret, rlen);
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000960 return NULL;
Damien Miller86687062014-07-02 15:28:02 +1000961 }
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000962 /* Trim padding characters from end */
963 ret[strcspn(ret, "=")] = '\0';
964 return ret;
965}
Damien Miller86687062014-07-02 15:28:02 +1000966
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000967static char *
968fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
969{
970 char *retval, hex[5];
971 size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
972
973 if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
974 return NULL;
975 strlcpy(retval, alg, rlen);
976 strlcat(retval, ":", rlen);
977 for (i = 0; i < dgst_raw_len; i++) {
978 snprintf(hex, sizeof(hex), "%s%02x",
979 i > 0 ? ":" : "", dgst_raw[i]);
980 strlcat(retval, hex, rlen);
981 }
Damien Miller86687062014-07-02 15:28:02 +1000982 return retval;
983}
984
985static char *
986fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
987{
988 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
989 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
990 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
991 u_int i, j = 0, rounds, seed = 1;
992 char *retval;
993
994 rounds = (dgst_raw_len / 2) + 1;
995 if ((retval = calloc(rounds, 6)) == NULL)
996 return NULL;
997 retval[j++] = 'x';
998 for (i = 0; i < rounds; i++) {
999 u_int idx0, idx1, idx2, idx3, idx4;
1000 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
1001 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
1002 seed) % 6;
1003 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
1004 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
1005 (seed / 6)) % 6;
1006 retval[j++] = vowels[idx0];
1007 retval[j++] = consonants[idx1];
1008 retval[j++] = vowels[idx2];
1009 if ((i + 1) < rounds) {
1010 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
1011 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
1012 retval[j++] = consonants[idx3];
1013 retval[j++] = '-';
1014 retval[j++] = consonants[idx4];
1015 seed = ((seed * 5) +
1016 ((((u_int)(dgst_raw[2 * i])) * 7) +
1017 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1018 }
1019 } else {
1020 idx0 = seed % 6;
1021 idx1 = 16;
1022 idx2 = seed / 6;
1023 retval[j++] = vowels[idx0];
1024 retval[j++] = consonants[idx1];
1025 retval[j++] = vowels[idx2];
1026 }
1027 }
1028 retval[j++] = 'x';
1029 retval[j++] = '\0';
1030 return retval;
1031}
1032
1033/*
1034 * Draw an ASCII-Art representing the fingerprint so human brain can
1035 * profit from its built-in pattern recognition ability.
1036 * This technique is called "random art" and can be found in some
1037 * scientific publications like this original paper:
1038 *
1039 * "Hash Visualization: a New Technique to improve Real-World Security",
1040 * Perrig A. and Song D., 1999, International Workshop on Cryptographic
1041 * Techniques and E-Commerce (CrypTEC '99)
1042 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
1043 *
1044 * The subject came up in a talk by Dan Kaminsky, too.
1045 *
1046 * If you see the picture is different, the key is different.
1047 * If the picture looks the same, you still know nothing.
1048 *
1049 * The algorithm used here is a worm crawling over a discrete plane,
1050 * leaving a trace (augmenting the field) everywhere it goes.
1051 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
1052 * makes the respective movement vector be ignored for this turn.
1053 * Graphs are not unambiguous, because circles in graphs can be
1054 * walked in either direction.
1055 */
1056
1057/*
1058 * Field sizes for the random art. Have to be odd, so the starting point
1059 * can be in the exact middle of the picture, and FLDBASE should be >=8 .
1060 * Else pictures would be too dense, and drawing the frame would
1061 * fail, too, because the key type would not fit in anymore.
1062 */
1063#define FLDBASE 8
1064#define FLDSIZE_Y (FLDBASE + 1)
1065#define FLDSIZE_X (FLDBASE * 2 + 1)
1066static char *
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001067fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
Damien Miller86687062014-07-02 15:28:02 +10001068 const struct sshkey *k)
1069{
1070 /*
1071 * Chars to be used after each other every time the worm
1072 * intersects with itself. Matter of taste.
1073 */
1074 char *augmentation_string = " .o+=*BOX@%&#/^SE";
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001075 char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
Damien Miller86687062014-07-02 15:28:02 +10001076 u_char field[FLDSIZE_X][FLDSIZE_Y];
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001077 size_t i, tlen, hlen;
Damien Miller86687062014-07-02 15:28:02 +10001078 u_int b;
Damien Miller61e28e52014-07-03 21:22:22 +10001079 int x, y, r;
Damien Miller86687062014-07-02 15:28:02 +10001080 size_t len = strlen(augmentation_string) - 1;
1081
1082 if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
1083 return NULL;
1084
1085 /* initialize field */
1086 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1087 x = FLDSIZE_X / 2;
1088 y = FLDSIZE_Y / 2;
1089
1090 /* process raw key */
1091 for (i = 0; i < dgst_raw_len; i++) {
1092 int input;
1093 /* each byte conveys four 2-bit move commands */
1094 input = dgst_raw[i];
1095 for (b = 0; b < 4; b++) {
1096 /* evaluate 2 bit, rest is shifted later */
1097 x += (input & 0x1) ? 1 : -1;
1098 y += (input & 0x2) ? 1 : -1;
1099
1100 /* assure we are still in bounds */
deraadt@openbsd.org9136ec12016-09-12 01:22:38 +00001101 x = MAXIMUM(x, 0);
1102 y = MAXIMUM(y, 0);
1103 x = MINIMUM(x, FLDSIZE_X - 1);
1104 y = MINIMUM(y, FLDSIZE_Y - 1);
Damien Miller86687062014-07-02 15:28:02 +10001105
1106 /* augment the field */
1107 if (field[x][y] < len - 2)
1108 field[x][y]++;
1109 input = input >> 2;
1110 }
1111 }
1112
1113 /* mark starting point and end point*/
1114 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
1115 field[x][y] = len;
1116
Damien Miller61e28e52014-07-03 21:22:22 +10001117 /* assemble title */
1118 r = snprintf(title, sizeof(title), "[%s %u]",
1119 sshkey_type(k), sshkey_size(k));
1120 /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
1121 if (r < 0 || r > (int)sizeof(title))
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001122 r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
1123 tlen = (r <= 0) ? 0 : strlen(title);
1124
1125 /* assemble hash ID. */
1126 r = snprintf(hash, sizeof(hash), "[%s]", alg);
1127 hlen = (r <= 0) ? 0 : strlen(hash);
Damien Miller86687062014-07-02 15:28:02 +10001128
1129 /* output upper border */
Damien Miller61e28e52014-07-03 21:22:22 +10001130 p = retval;
1131 *p++ = '+';
1132 for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
1133 *p++ = '-';
1134 memcpy(p, title, tlen);
1135 p += tlen;
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001136 for (i += tlen; i < FLDSIZE_X; i++)
Damien Miller86687062014-07-02 15:28:02 +10001137 *p++ = '-';
1138 *p++ = '+';
1139 *p++ = '\n';
1140
1141 /* output content */
1142 for (y = 0; y < FLDSIZE_Y; y++) {
1143 *p++ = '|';
1144 for (x = 0; x < FLDSIZE_X; x++)
deraadt@openbsd.org9136ec12016-09-12 01:22:38 +00001145 *p++ = augmentation_string[MINIMUM(field[x][y], len)];
Damien Miller86687062014-07-02 15:28:02 +10001146 *p++ = '|';
1147 *p++ = '\n';
1148 }
1149
1150 /* output lower border */
1151 *p++ = '+';
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001152 for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
1153 *p++ = '-';
1154 memcpy(p, hash, hlen);
1155 p += hlen;
1156 for (i += hlen; i < FLDSIZE_X; i++)
Damien Miller86687062014-07-02 15:28:02 +10001157 *p++ = '-';
1158 *p++ = '+';
1159
1160 return retval;
1161}
1162
1163char *
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001164sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
Damien Miller86687062014-07-02 15:28:02 +10001165 enum sshkey_fp_rep dgst_rep)
1166{
1167 char *retval = NULL;
1168 u_char *dgst_raw;
1169 size_t dgst_raw_len;
1170
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001171 if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
Damien Miller86687062014-07-02 15:28:02 +10001172 return NULL;
1173 switch (dgst_rep) {
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001174 case SSH_FP_DEFAULT:
1175 if (dgst_alg == SSH_DIGEST_MD5) {
1176 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1177 dgst_raw, dgst_raw_len);
1178 } else {
1179 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1180 dgst_raw, dgst_raw_len);
1181 }
1182 break;
Damien Miller86687062014-07-02 15:28:02 +10001183 case SSH_FP_HEX:
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001184 retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1185 dgst_raw, dgst_raw_len);
1186 break;
1187 case SSH_FP_BASE64:
1188 retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1189 dgst_raw, dgst_raw_len);
Damien Miller86687062014-07-02 15:28:02 +10001190 break;
1191 case SSH_FP_BUBBLEBABBLE:
1192 retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1193 break;
1194 case SSH_FP_RANDOMART:
djm@openbsd.org56d1c832014-12-21 22:27:55 +00001195 retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
1196 dgst_raw, dgst_raw_len, k);
Damien Miller86687062014-07-02 15:28:02 +10001197 break;
1198 default:
1199 explicit_bzero(dgst_raw, dgst_raw_len);
1200 free(dgst_raw);
1201 return NULL;
1202 }
1203 explicit_bzero(dgst_raw, dgst_raw_len);
1204 free(dgst_raw);
1205 return retval;
1206}
1207
djm@openbsd.org94b4e2d2018-03-02 02:08:03 +00001208static int
1209peek_type_nid(const char *s, size_t l, int *nid)
1210{
1211 const struct keytype *kt;
Damien Miller86687062014-07-02 15:28:02 +10001212
djm@openbsd.org94b4e2d2018-03-02 02:08:03 +00001213 for (kt = keytypes; kt->type != -1; kt++) {
1214 if (kt->name == NULL || strlen(kt->name) != l)
1215 continue;
1216 if (memcmp(s, kt->name, l) == 0) {
1217 *nid = -1;
1218 if (kt->type == KEY_ECDSA || kt->type == KEY_ECDSA_CERT)
1219 *nid = kt->nid;
1220 return kt->type;
1221 }
1222 }
1223 return KEY_UNSPEC;
1224}
1225
1226/* XXX this can now be made const char * */
Damien Miller86687062014-07-02 15:28:02 +10001227int
1228sshkey_read(struct sshkey *ret, char **cpp)
1229{
1230 struct sshkey *k;
djm@openbsd.org94b4e2d2018-03-02 02:08:03 +00001231 char *cp, *blobcopy;
1232 size_t space;
Damien Miller86687062014-07-02 15:28:02 +10001233 int r, type, curve_nid = -1;
1234 struct sshbuf *blob;
Damien Miller86687062014-07-02 15:28:02 +10001235
dtucker@openbsd.org7fadbb62017-03-10 03:48:57 +00001236 if (ret == NULL)
1237 return SSH_ERR_INVALID_ARGUMENT;
1238
Damien Miller86687062014-07-02 15:28:02 +10001239 switch (ret->type) {
Damien Miller86687062014-07-02 15:28:02 +10001240 case KEY_UNSPEC:
1241 case KEY_RSA:
1242 case KEY_DSA:
1243 case KEY_ECDSA:
1244 case KEY_ED25519:
Damien Miller86687062014-07-02 15:28:02 +10001245 case KEY_DSA_CERT:
1246 case KEY_ECDSA_CERT:
1247 case KEY_RSA_CERT:
1248 case KEY_ED25519_CERT:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001249#ifdef WITH_XMSS
1250 case KEY_XMSS:
1251 case KEY_XMSS_CERT:
1252#endif /* WITH_XMSS */
djm@openbsd.org94b4e2d2018-03-02 02:08:03 +00001253 break; /* ok */
Damien Miller86687062014-07-02 15:28:02 +10001254 default:
1255 return SSH_ERR_INVALID_ARGUMENT;
1256 }
djm@openbsd.org94b4e2d2018-03-02 02:08:03 +00001257
1258 /* Decode type */
1259 cp = *cpp;
1260 space = strcspn(cp, " \t");
1261 if (space == strlen(cp))
1262 return SSH_ERR_INVALID_FORMAT;
1263 if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
1264 return SSH_ERR_INVALID_FORMAT;
1265
1266 /* skip whitespace */
1267 for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
1268 ;
1269 if (*cp == '\0')
1270 return SSH_ERR_INVALID_FORMAT;
1271 if (ret->type != KEY_UNSPEC && ret->type != type)
1272 return SSH_ERR_KEY_TYPE_MISMATCH;
1273 if ((blob = sshbuf_new()) == NULL)
1274 return SSH_ERR_ALLOC_FAIL;
1275
1276 /* find end of keyblob and decode */
1277 space = strcspn(cp, " \t");
1278 if ((blobcopy = strndup(cp, space)) == NULL) {
1279 sshbuf_free(blob);
1280 return SSH_ERR_ALLOC_FAIL;
1281 }
1282 if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
1283 free(blobcopy);
1284 sshbuf_free(blob);
1285 return r;
1286 }
1287 free(blobcopy);
1288 if ((r = sshkey_fromb(blob, &k)) != 0) {
1289 sshbuf_free(blob);
1290 return r;
1291 }
1292 sshbuf_free(blob);
1293
1294 /* skip whitespace and leave cp at start of comment */
1295 for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
1296 ;
1297
1298 /* ensure type of blob matches type at start of line */
1299 if (k->type != type) {
1300 sshkey_free(k);
1301 return SSH_ERR_KEY_TYPE_MISMATCH;
1302 }
1303 if (sshkey_type_plain(type) == KEY_ECDSA && curve_nid != k->ecdsa_nid) {
1304 sshkey_free(k);
1305 return SSH_ERR_EC_CURVE_MISMATCH;
1306 }
1307
1308 /* Fill in ret from parsed key */
1309 ret->type = type;
1310 if (sshkey_is_cert(ret)) {
1311 if (!sshkey_is_cert(k)) {
1312 sshkey_free(k);
1313 return SSH_ERR_EXPECTED_CERT;
1314 }
1315 if (ret->cert != NULL)
1316 cert_free(ret->cert);
1317 ret->cert = k->cert;
1318 k->cert = NULL;
1319 }
1320 switch (sshkey_type_plain(ret->type)) {
1321#ifdef WITH_OPENSSL
1322 case KEY_RSA:
1323 RSA_free(ret->rsa);
1324 ret->rsa = k->rsa;
1325 k->rsa = NULL;
1326#ifdef DEBUG_PK
1327 RSA_print_fp(stderr, ret->rsa, 8);
1328#endif
1329 break;
1330 case KEY_DSA:
1331 DSA_free(ret->dsa);
1332 ret->dsa = k->dsa;
1333 k->dsa = NULL;
1334#ifdef DEBUG_PK
1335 DSA_print_fp(stderr, ret->dsa, 8);
1336#endif
1337 break;
1338# ifdef OPENSSL_HAS_ECC
1339 case KEY_ECDSA:
1340 EC_KEY_free(ret->ecdsa);
1341 ret->ecdsa = k->ecdsa;
1342 ret->ecdsa_nid = k->ecdsa_nid;
1343 k->ecdsa = NULL;
1344 k->ecdsa_nid = -1;
1345#ifdef DEBUG_PK
1346 sshkey_dump_ec_key(ret->ecdsa);
1347#endif
1348 break;
1349# endif /* OPENSSL_HAS_ECC */
1350#endif /* WITH_OPENSSL */
1351 case KEY_ED25519:
1352 freezero(ret->ed25519_pk, ED25519_PK_SZ);
1353 ret->ed25519_pk = k->ed25519_pk;
1354 k->ed25519_pk = NULL;
1355#ifdef DEBUG_PK
1356 /* XXX */
1357#endif
1358 break;
1359#ifdef WITH_XMSS
1360 case KEY_XMSS:
1361 free(ret->xmss_pk);
1362 ret->xmss_pk = k->xmss_pk;
1363 k->xmss_pk = NULL;
1364 free(ret->xmss_state);
1365 ret->xmss_state = k->xmss_state;
1366 k->xmss_state = NULL;
1367 free(ret->xmss_name);
1368 ret->xmss_name = k->xmss_name;
1369 k->xmss_name = NULL;
1370 free(ret->xmss_filename);
1371 ret->xmss_filename = k->xmss_filename;
1372 k->xmss_filename = NULL;
1373#ifdef DEBUG_PK
1374 /* XXX */
1375#endif
1376 break;
1377#endif /* WITH_XMSS */
1378 default:
1379 sshkey_free(k);
1380 return SSH_ERR_INTERNAL_ERROR;
1381 }
1382 sshkey_free(k);
1383
1384 /* success */
1385 *cpp = cp;
1386 return 0;
Damien Miller86687062014-07-02 15:28:02 +10001387}
1388
djm@openbsd.org94b4e2d2018-03-02 02:08:03 +00001389
Damien Miller86687062014-07-02 15:28:02 +10001390int
djm@openbsd.orgd80fbe42015-05-21 04:55:51 +00001391sshkey_to_base64(const struct sshkey *key, char **b64p)
Damien Miller86687062014-07-02 15:28:02 +10001392{
djm@openbsd.orgd80fbe42015-05-21 04:55:51 +00001393 int r = SSH_ERR_INTERNAL_ERROR;
1394 struct sshbuf *b = NULL;
Damien Miller86687062014-07-02 15:28:02 +10001395 char *uu = NULL;
djm@openbsd.orgd80fbe42015-05-21 04:55:51 +00001396
1397 if (b64p != NULL)
1398 *b64p = NULL;
1399 if ((b = sshbuf_new()) == NULL)
1400 return SSH_ERR_ALLOC_FAIL;
1401 if ((r = sshkey_putb(key, b)) != 0)
1402 goto out;
1403 if ((uu = sshbuf_dtob64(b)) == NULL) {
1404 r = SSH_ERR_ALLOC_FAIL;
1405 goto out;
1406 }
1407 /* Success */
1408 if (b64p != NULL) {
1409 *b64p = uu;
1410 uu = NULL;
1411 }
1412 r = 0;
1413 out:
1414 sshbuf_free(b);
1415 free(uu);
1416 return r;
1417}
1418
djm@openbsd.org2076e4a2017-06-09 06:40:24 +00001419int
djm@openbsd.orgd80fbe42015-05-21 04:55:51 +00001420sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
1421{
1422 int r = SSH_ERR_INTERNAL_ERROR;
1423 char *uu = NULL;
1424
djm@openbsd.org873d3e72017-04-30 23:18:44 +00001425 if ((r = sshkey_to_base64(key, &uu)) != 0)
1426 goto out;
1427 if ((r = sshbuf_putf(b, "%s %s",
1428 sshkey_ssh_name(key), uu)) != 0)
1429 goto out;
djm@openbsd.orgd80fbe42015-05-21 04:55:51 +00001430 r = 0;
1431 out:
1432 free(uu);
1433 return r;
1434}
1435
1436int
1437sshkey_write(const struct sshkey *key, FILE *f)
1438{
1439 struct sshbuf *b = NULL;
1440 int r = SSH_ERR_INTERNAL_ERROR;
1441
1442 if ((b = sshbuf_new()) == NULL)
1443 return SSH_ERR_ALLOC_FAIL;
1444 if ((r = sshkey_format_text(key, b)) != 0)
1445 goto out;
1446 if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
1447 if (feof(f))
1448 errno = EPIPE;
1449 r = SSH_ERR_SYSTEM_ERROR;
1450 goto out;
1451 }
1452 /* Success */
1453 r = 0;
1454 out:
1455 sshbuf_free(b);
1456 return r;
Damien Miller86687062014-07-02 15:28:02 +10001457}
1458
1459const char *
1460sshkey_cert_type(const struct sshkey *k)
1461{
1462 switch (k->cert->type) {
1463 case SSH2_CERT_TYPE_USER:
1464 return "user";
1465 case SSH2_CERT_TYPE_HOST:
1466 return "host";
1467 default:
1468 return "unknown";
1469 }
1470}
1471
1472#ifdef WITH_OPENSSL
1473static int
1474rsa_generate_private_key(u_int bits, RSA **rsap)
1475{
1476 RSA *private = NULL;
1477 BIGNUM *f4 = NULL;
1478 int ret = SSH_ERR_INTERNAL_ERROR;
1479
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00001480 if (rsap == NULL)
Damien Miller86687062014-07-02 15:28:02 +10001481 return SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00001482 if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
1483 bits > SSHBUF_MAX_BIGNUM * 8)
1484 return SSH_ERR_KEY_LENGTH;
Damien Miller86687062014-07-02 15:28:02 +10001485 *rsap = NULL;
1486 if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
1487 ret = SSH_ERR_ALLOC_FAIL;
1488 goto out;
1489 }
1490 if (!BN_set_word(f4, RSA_F4) ||
1491 !RSA_generate_key_ex(private, bits, f4, NULL)) {
1492 ret = SSH_ERR_LIBCRYPTO_ERROR;
1493 goto out;
1494 }
1495 *rsap = private;
1496 private = NULL;
1497 ret = 0;
1498 out:
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00001499 RSA_free(private);
1500 BN_free(f4);
Damien Miller86687062014-07-02 15:28:02 +10001501 return ret;
1502}
1503
1504static int
1505dsa_generate_private_key(u_int bits, DSA **dsap)
1506{
1507 DSA *private;
1508 int ret = SSH_ERR_INTERNAL_ERROR;
1509
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00001510 if (dsap == NULL)
Damien Miller86687062014-07-02 15:28:02 +10001511 return SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00001512 if (bits != 1024)
1513 return SSH_ERR_KEY_LENGTH;
Damien Miller86687062014-07-02 15:28:02 +10001514 if ((private = DSA_new()) == NULL) {
1515 ret = SSH_ERR_ALLOC_FAIL;
1516 goto out;
1517 }
1518 *dsap = NULL;
1519 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1520 NULL, NULL) || !DSA_generate_key(private)) {
Damien Miller86687062014-07-02 15:28:02 +10001521 ret = SSH_ERR_LIBCRYPTO_ERROR;
1522 goto out;
1523 }
1524 *dsap = private;
1525 private = NULL;
1526 ret = 0;
1527 out:
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00001528 DSA_free(private);
Damien Miller86687062014-07-02 15:28:02 +10001529 return ret;
1530}
1531
1532# ifdef OPENSSL_HAS_ECC
1533int
1534sshkey_ecdsa_key_to_nid(EC_KEY *k)
1535{
1536 EC_GROUP *eg;
1537 int nids[] = {
1538 NID_X9_62_prime256v1,
1539 NID_secp384r1,
1540# ifdef OPENSSL_HAS_NISTP521
1541 NID_secp521r1,
1542# endif /* OPENSSL_HAS_NISTP521 */
1543 -1
1544 };
1545 int nid;
1546 u_int i;
1547 BN_CTX *bnctx;
1548 const EC_GROUP *g = EC_KEY_get0_group(k);
1549
1550 /*
1551 * The group may be stored in a ASN.1 encoded private key in one of two
1552 * ways: as a "named group", which is reconstituted by ASN.1 object ID
1553 * or explicit group parameters encoded into the key blob. Only the
1554 * "named group" case sets the group NID for us, but we can figure
1555 * it out for the other case by comparing against all the groups that
1556 * are supported.
1557 */
1558 if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1559 return nid;
1560 if ((bnctx = BN_CTX_new()) == NULL)
1561 return -1;
1562 for (i = 0; nids[i] != -1; i++) {
1563 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) {
1564 BN_CTX_free(bnctx);
1565 return -1;
1566 }
1567 if (EC_GROUP_cmp(g, eg, bnctx) == 0)
1568 break;
1569 EC_GROUP_free(eg);
1570 }
1571 BN_CTX_free(bnctx);
1572 if (nids[i] != -1) {
1573 /* Use the group with the NID attached */
1574 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1575 if (EC_KEY_set_group(k, eg) != 1) {
1576 EC_GROUP_free(eg);
1577 return -1;
1578 }
1579 }
1580 return nids[i];
1581}
1582
1583static int
1584ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
1585{
1586 EC_KEY *private;
1587 int ret = SSH_ERR_INTERNAL_ERROR;
1588
djm@openbsd.org5f02bb12017-05-08 06:11:06 +00001589 if (nid == NULL || ecdsap == NULL)
Damien Miller86687062014-07-02 15:28:02 +10001590 return SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.org5f02bb12017-05-08 06:11:06 +00001591 if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
1592 return SSH_ERR_KEY_LENGTH;
Damien Miller86687062014-07-02 15:28:02 +10001593 *ecdsap = NULL;
1594 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
1595 ret = SSH_ERR_ALLOC_FAIL;
1596 goto out;
1597 }
1598 if (EC_KEY_generate_key(private) != 1) {
1599 ret = SSH_ERR_LIBCRYPTO_ERROR;
1600 goto out;
1601 }
1602 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
1603 *ecdsap = private;
1604 private = NULL;
1605 ret = 0;
1606 out:
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00001607 EC_KEY_free(private);
Damien Miller86687062014-07-02 15:28:02 +10001608 return ret;
1609}
1610# endif /* OPENSSL_HAS_ECC */
1611#endif /* WITH_OPENSSL */
1612
1613int
1614sshkey_generate(int type, u_int bits, struct sshkey **keyp)
1615{
1616 struct sshkey *k;
1617 int ret = SSH_ERR_INTERNAL_ERROR;
1618
1619 if (keyp == NULL)
1620 return SSH_ERR_INVALID_ARGUMENT;
1621 *keyp = NULL;
1622 if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
1623 return SSH_ERR_ALLOC_FAIL;
1624 switch (type) {
1625 case KEY_ED25519:
1626 if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
1627 (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
1628 ret = SSH_ERR_ALLOC_FAIL;
1629 break;
1630 }
1631 crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
1632 ret = 0;
1633 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001634#ifdef WITH_XMSS
1635 case KEY_XMSS:
1636 ret = sshkey_xmss_generate_private_key(k, bits);
1637 break;
1638#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10001639#ifdef WITH_OPENSSL
1640 case KEY_DSA:
1641 ret = dsa_generate_private_key(bits, &k->dsa);
1642 break;
1643# ifdef OPENSSL_HAS_ECC
1644 case KEY_ECDSA:
1645 ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
1646 &k->ecdsa);
1647 break;
1648# endif /* OPENSSL_HAS_ECC */
1649 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +10001650 ret = rsa_generate_private_key(bits, &k->rsa);
1651 break;
1652#endif /* WITH_OPENSSL */
1653 default:
1654 ret = SSH_ERR_INVALID_ARGUMENT;
1655 }
1656 if (ret == 0) {
1657 k->type = type;
1658 *keyp = k;
1659 } else
1660 sshkey_free(k);
1661 return ret;
1662}
1663
1664int
1665sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
1666{
1667 u_int i;
1668 const struct sshkey_cert *from;
1669 struct sshkey_cert *to;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001670 int r = SSH_ERR_INTERNAL_ERROR;
Damien Miller86687062014-07-02 15:28:02 +10001671
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001672 if (to_key == NULL || (from = from_key->cert) == NULL)
Damien Miller86687062014-07-02 15:28:02 +10001673 return SSH_ERR_INVALID_ARGUMENT;
1674
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001675 if ((to = cert_new()) == NULL)
Damien Miller86687062014-07-02 15:28:02 +10001676 return SSH_ERR_ALLOC_FAIL;
1677
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001678 if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1679 (r = sshbuf_putb(to->critical, from->critical)) != 0 ||
1680 (r = sshbuf_putb(to->extensions, from->extensions)) != 0)
1681 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001682
1683 to->serial = from->serial;
1684 to->type = from->type;
1685 if (from->key_id == NULL)
1686 to->key_id = NULL;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001687 else if ((to->key_id = strdup(from->key_id)) == NULL) {
1688 r = SSH_ERR_ALLOC_FAIL;
1689 goto out;
1690 }
Damien Miller86687062014-07-02 15:28:02 +10001691 to->valid_after = from->valid_after;
1692 to->valid_before = from->valid_before;
1693 if (from->signature_key == NULL)
1694 to->signature_key = NULL;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001695 else if ((r = sshkey_from_private(from->signature_key,
Damien Miller86687062014-07-02 15:28:02 +10001696 &to->signature_key)) != 0)
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001697 goto out;
1698 if (from->signature_type != NULL &&
1699 (to->signature_type = strdup(from->signature_type)) == NULL) {
1700 r = SSH_ERR_ALLOC_FAIL;
1701 goto out;
1702 }
1703 if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) {
1704 r = SSH_ERR_INVALID_ARGUMENT;
1705 goto out;
1706 }
Damien Miller86687062014-07-02 15:28:02 +10001707 if (from->nprincipals > 0) {
1708 if ((to->principals = calloc(from->nprincipals,
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001709 sizeof(*to->principals))) == NULL) {
1710 r = SSH_ERR_ALLOC_FAIL;
1711 goto out;
1712 }
Damien Miller86687062014-07-02 15:28:02 +10001713 for (i = 0; i < from->nprincipals; i++) {
1714 to->principals[i] = strdup(from->principals[i]);
1715 if (to->principals[i] == NULL) {
1716 to->nprincipals = i;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001717 r = SSH_ERR_ALLOC_FAIL;
1718 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001719 }
1720 }
1721 }
1722 to->nprincipals = from->nprincipals;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001723
1724 /* success */
1725 cert_free(to_key->cert);
1726 to_key->cert = to;
1727 to = NULL;
1728 r = 0;
1729 out:
1730 cert_free(to);
1731 return r;
Damien Miller86687062014-07-02 15:28:02 +10001732}
1733
1734int
1735sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1736{
1737 struct sshkey *n = NULL;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001738 int r = SSH_ERR_INTERNAL_ERROR;
1739#ifdef WITH_OPENSSL
1740 const BIGNUM *rsa_n, *rsa_e;
1741 BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL;
1742 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
1743 BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL;
1744 BIGNUM *dsa_pub_key_dup = NULL;
1745#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +10001746
djm@openbsd.org1a2663a2015-10-15 23:08:23 +00001747 *pkp = NULL;
Damien Miller86687062014-07-02 15:28:02 +10001748 switch (k->type) {
1749#ifdef WITH_OPENSSL
1750 case KEY_DSA:
Damien Miller86687062014-07-02 15:28:02 +10001751 case KEY_DSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001752 if ((n = sshkey_new(k->type)) == NULL) {
1753 r = SSH_ERR_ALLOC_FAIL;
1754 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001755 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001756
1757 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
1758 DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
1759 if ((dsa_p_dup = BN_dup(dsa_p)) == NULL ||
1760 (dsa_q_dup = BN_dup(dsa_q)) == NULL ||
1761 (dsa_g_dup = BN_dup(dsa_g)) == NULL ||
1762 (dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) {
1763 r = SSH_ERR_ALLOC_FAIL;
1764 goto out;
1765 }
1766 if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
1767 r = SSH_ERR_LIBCRYPTO_ERROR;
1768 goto out;
1769 }
1770 dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */
1771 if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL)) {
1772 r = SSH_ERR_LIBCRYPTO_ERROR;
1773 goto out;
1774 }
1775 dsa_pub_key_dup = NULL; /* transferred */
1776
Damien Miller86687062014-07-02 15:28:02 +10001777 break;
1778# ifdef OPENSSL_HAS_ECC
1779 case KEY_ECDSA:
1780 case KEY_ECDSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001781 if ((n = sshkey_new(k->type)) == NULL) {
1782 r = SSH_ERR_ALLOC_FAIL;
1783 goto out;
1784 }
Damien Miller86687062014-07-02 15:28:02 +10001785 n->ecdsa_nid = k->ecdsa_nid;
1786 n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1787 if (n->ecdsa == NULL) {
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001788 r = SSH_ERR_ALLOC_FAIL;
1789 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001790 }
1791 if (EC_KEY_set_public_key(n->ecdsa,
1792 EC_KEY_get0_public_key(k->ecdsa)) != 1) {
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001793 r = SSH_ERR_LIBCRYPTO_ERROR;
1794 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001795 }
1796 break;
1797# endif /* OPENSSL_HAS_ECC */
1798 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +10001799 case KEY_RSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001800 if ((n = sshkey_new(k->type)) == NULL) {
1801 r = SSH_ERR_ALLOC_FAIL;
1802 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001803 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001804 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
1805 if ((rsa_n_dup = BN_dup(rsa_n)) == NULL ||
1806 (rsa_e_dup = BN_dup(rsa_e)) == NULL) {
1807 r = SSH_ERR_ALLOC_FAIL;
1808 goto out;
1809 }
1810 if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL)) {
1811 r = SSH_ERR_LIBCRYPTO_ERROR;
1812 goto out;
1813 }
1814 rsa_n_dup = rsa_e_dup = NULL; /* transferred */
Damien Miller86687062014-07-02 15:28:02 +10001815 break;
1816#endif /* WITH_OPENSSL */
1817 case KEY_ED25519:
1818 case KEY_ED25519_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001819 if ((n = sshkey_new(k->type)) == NULL) {
1820 r = SSH_ERR_ALLOC_FAIL;
1821 goto out;
1822 }
Damien Miller86687062014-07-02 15:28:02 +10001823 if (k->ed25519_pk != NULL) {
1824 if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001825 r = SSH_ERR_ALLOC_FAIL;
1826 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001827 }
1828 memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1829 }
1830 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001831#ifdef WITH_XMSS
1832 case KEY_XMSS:
1833 case KEY_XMSS_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001834 if ((n = sshkey_new(k->type)) == NULL) {
1835 r = SSH_ERR_ALLOC_FAIL;
1836 goto out;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001837 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001838 if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0)
1839 goto out;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001840 if (k->xmss_pk != NULL) {
1841 size_t pklen = sshkey_xmss_pklen(k);
1842 if (pklen == 0 || sshkey_xmss_pklen(n) != pklen) {
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001843 r = SSH_ERR_INTERNAL_ERROR;
1844 goto out;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001845 }
1846 if ((n->xmss_pk = malloc(pklen)) == NULL) {
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001847 r = SSH_ERR_ALLOC_FAIL;
1848 goto out;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00001849 }
1850 memcpy(n->xmss_pk, k->xmss_pk, pklen);
1851 }
1852 break;
1853#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10001854 default:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001855 r = SSH_ERR_KEY_TYPE_UNKNOWN;
1856 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001857 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001858 if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
1859 goto out;
1860 /* success */
Damien Miller86687062014-07-02 15:28:02 +10001861 *pkp = n;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001862 n = NULL;
1863 r = 0;
1864 out:
1865 sshkey_free(n);
Darren Tuckercce8cbe2018-09-15 19:44:06 +10001866#ifdef WITH_OPENSSL
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001867 BN_clear_free(rsa_n_dup);
1868 BN_clear_free(rsa_e_dup);
1869 BN_clear_free(dsa_p_dup);
1870 BN_clear_free(dsa_q_dup);
1871 BN_clear_free(dsa_g_dup);
1872 BN_clear_free(dsa_pub_key_dup);
Darren Tuckercce8cbe2018-09-15 19:44:06 +10001873#endif
djm@openbsd.org482d23b2018-09-13 02:08:33 +00001874
1875 return r;
Damien Miller86687062014-07-02 15:28:02 +10001876}
1877
1878static int
djm@openbsd.org60b18252015-01-26 02:59:11 +00001879cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
Damien Miller86687062014-07-02 15:28:02 +10001880{
djm@openbsd.org60b18252015-01-26 02:59:11 +00001881 struct sshbuf *principals = NULL, *crit = NULL;
1882 struct sshbuf *exts = NULL, *ca = NULL;
1883 u_char *sig = NULL;
1884 size_t signed_len = 0, slen = 0, kidlen = 0;
Damien Miller86687062014-07-02 15:28:02 +10001885 int ret = SSH_ERR_INTERNAL_ERROR;
Damien Miller86687062014-07-02 15:28:02 +10001886
1887 /* Copy the entire key blob for verification and later serialisation */
djm@openbsd.org60b18252015-01-26 02:59:11 +00001888 if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10001889 return ret;
1890
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00001891 /* Parse body of certificate up to signature */
1892 if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10001893 (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1894 (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001895 (ret = sshbuf_froms(b, &principals)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10001896 (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1897 (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001898 (ret = sshbuf_froms(b, &crit)) != 0 ||
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00001899 (ret = sshbuf_froms(b, &exts)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10001900 (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
djm@openbsd.org60b18252015-01-26 02:59:11 +00001901 (ret = sshbuf_froms(b, &ca)) != 0) {
Damien Miller86687062014-07-02 15:28:02 +10001902 /* XXX debug print error for ret */
1903 ret = SSH_ERR_INVALID_FORMAT;
1904 goto out;
1905 }
1906
1907 /* Signature is left in the buffer so we can calculate this length */
1908 signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
1909
1910 if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
1911 ret = SSH_ERR_INVALID_FORMAT;
1912 goto out;
1913 }
1914
1915 if (key->cert->type != SSH2_CERT_TYPE_USER &&
1916 key->cert->type != SSH2_CERT_TYPE_HOST) {
1917 ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
1918 goto out;
1919 }
1920
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001921 /* Parse principals section */
1922 while (sshbuf_len(principals) > 0) {
1923 char *principal = NULL;
1924 char **oprincipals = NULL;
1925
Damien Miller86687062014-07-02 15:28:02 +10001926 if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
1927 ret = SSH_ERR_INVALID_FORMAT;
1928 goto out;
1929 }
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001930 if ((ret = sshbuf_get_cstring(principals, &principal,
1931 NULL)) != 0) {
Damien Miller86687062014-07-02 15:28:02 +10001932 ret = SSH_ERR_INVALID_FORMAT;
1933 goto out;
1934 }
1935 oprincipals = key->cert->principals;
deraadt@openbsd.org9e509d42017-05-31 09:15:42 +00001936 key->cert->principals = recallocarray(key->cert->principals,
1937 key->cert->nprincipals, key->cert->nprincipals + 1,
1938 sizeof(*key->cert->principals));
Damien Miller86687062014-07-02 15:28:02 +10001939 if (key->cert->principals == NULL) {
1940 free(principal);
1941 key->cert->principals = oprincipals;
1942 ret = SSH_ERR_ALLOC_FAIL;
1943 goto out;
1944 }
1945 key->cert->principals[key->cert->nprincipals++] = principal;
1946 }
1947
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001948 /*
1949 * Stash a copies of the critical options and extensions sections
1950 * for later use.
1951 */
1952 if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
1953 (exts != NULL &&
1954 (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
Damien Miller86687062014-07-02 15:28:02 +10001955 goto out;
1956
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001957 /*
1958 * Validate critical options and extensions sections format.
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001959 */
1960 while (sshbuf_len(crit) != 0) {
1961 if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
1962 (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
1963 sshbuf_reset(key->cert->critical);
Damien Miller86687062014-07-02 15:28:02 +10001964 ret = SSH_ERR_INVALID_FORMAT;
1965 goto out;
1966 }
1967 }
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001968 while (exts != NULL && sshbuf_len(exts) != 0) {
1969 if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
1970 (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
1971 sshbuf_reset(key->cert->extensions);
Damien Miller86687062014-07-02 15:28:02 +10001972 ret = SSH_ERR_INVALID_FORMAT;
1973 goto out;
1974 }
1975 }
Damien Miller86687062014-07-02 15:28:02 +10001976
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001977 /* Parse CA key and check signature */
djm@openbsd.org60b18252015-01-26 02:59:11 +00001978 if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
Damien Miller86687062014-07-02 15:28:02 +10001979 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
1980 goto out;
1981 }
1982 if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
1983 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
1984 goto out;
1985 }
Damien Miller86687062014-07-02 15:28:02 +10001986 if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
djm@openbsd.org04c7e282017-12-18 02:25:15 +00001987 sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10001988 goto out;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00001989 if ((ret = get_sigtype(sig, slen, &key->cert->signature_type)) != 0)
1990 goto out;
Damien Miller86687062014-07-02 15:28:02 +10001991
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001992 /* Success */
1993 ret = 0;
Damien Miller86687062014-07-02 15:28:02 +10001994 out:
djm@openbsd.org60b18252015-01-26 02:59:11 +00001995 sshbuf_free(ca);
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00001996 sshbuf_free(crit);
1997 sshbuf_free(exts);
1998 sshbuf_free(principals);
Damien Miller86687062014-07-02 15:28:02 +10001999 free(sig);
2000 return ret;
2001}
2002
Darren Tuckercce8cbe2018-09-15 19:44:06 +10002003#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +10002004static int
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002005check_rsa_length(const RSA *rsa)
2006{
2007 const BIGNUM *rsa_n;
2008
2009 RSA_get0_key(rsa, &rsa_n, NULL, NULL);
2010 if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
2011 return SSH_ERR_KEY_LENGTH;
2012 return 0;
2013}
Darren Tuckercce8cbe2018-09-15 19:44:06 +10002014#endif
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002015
2016static int
djm@openbsd.org60b18252015-01-26 02:59:11 +00002017sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
2018 int allow_cert)
Damien Miller86687062014-07-02 15:28:02 +10002019{
djm@openbsd.org54924b52015-01-14 10:46:28 +00002020 int type, ret = SSH_ERR_INTERNAL_ERROR;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002021 char *ktype = NULL, *curve = NULL, *xmss_name = NULL;
Damien Miller86687062014-07-02 15:28:02 +10002022 struct sshkey *key = NULL;
2023 size_t len;
2024 u_char *pk = NULL;
djm@openbsd.org60b18252015-01-26 02:59:11 +00002025 struct sshbuf *copy;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002026#if defined(WITH_OPENSSL)
2027 BIGNUM *rsa_n = NULL, *rsa_e = NULL;
2028 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
2029# if defined(OPENSSL_HAS_ECC)
Damien Miller86687062014-07-02 15:28:02 +10002030 EC_POINT *q = NULL;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002031# endif /* OPENSSL_HAS_ECC */
2032#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +10002033
2034#ifdef DEBUG_PK /* XXX */
djm@openbsd.org60b18252015-01-26 02:59:11 +00002035 sshbuf_dump(b, stderr);
Damien Miller86687062014-07-02 15:28:02 +10002036#endif
djm@openbsd.orgdce19bf2016-04-09 12:39:30 +00002037 if (keyp != NULL)
2038 *keyp = NULL;
djm@openbsd.org60b18252015-01-26 02:59:11 +00002039 if ((copy = sshbuf_fromb(b)) == NULL) {
2040 ret = SSH_ERR_ALLOC_FAIL;
2041 goto out;
2042 }
Damien Miller86687062014-07-02 15:28:02 +10002043 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
2044 ret = SSH_ERR_INVALID_FORMAT;
2045 goto out;
2046 }
2047
2048 type = sshkey_type_from_name(ktype);
Damien Miller86687062014-07-02 15:28:02 +10002049 if (!allow_cert && sshkey_type_is_cert(type)) {
2050 ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2051 goto out;
2052 }
2053 switch (type) {
2054#ifdef WITH_OPENSSL
2055 case KEY_RSA_CERT:
djm@openbsd.org60b18252015-01-26 02:59:11 +00002056 /* Skip nonce */
Damien Miller86687062014-07-02 15:28:02 +10002057 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2058 ret = SSH_ERR_INVALID_FORMAT;
2059 goto out;
2060 }
2061 /* FALLTHROUGH */
2062 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +10002063 if ((key = sshkey_new(type)) == NULL) {
2064 ret = SSH_ERR_ALLOC_FAIL;
2065 goto out;
2066 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002067 if ((rsa_e = BN_new()) == NULL ||
2068 (rsa_n = BN_new()) == NULL) {
2069 ret = SSH_ERR_ALLOC_FAIL;
2070 goto out;
2071 }
2072 if (sshbuf_get_bignum2(b, rsa_e) != 0 ||
2073 sshbuf_get_bignum2(b, rsa_n) != 0) {
Damien Miller86687062014-07-02 15:28:02 +10002074 ret = SSH_ERR_INVALID_FORMAT;
2075 goto out;
2076 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002077 if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {
2078 ret = SSH_ERR_LIBCRYPTO_ERROR;
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00002079 goto out;
2080 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002081 rsa_n = rsa_e = NULL; /* transferred */
2082 if ((ret = check_rsa_length(key->rsa)) != 0)
2083 goto out;
Damien Miller86687062014-07-02 15:28:02 +10002084#ifdef DEBUG_PK
2085 RSA_print_fp(stderr, key->rsa, 8);
2086#endif
2087 break;
2088 case KEY_DSA_CERT:
djm@openbsd.org60b18252015-01-26 02:59:11 +00002089 /* Skip nonce */
Damien Miller86687062014-07-02 15:28:02 +10002090 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2091 ret = SSH_ERR_INVALID_FORMAT;
2092 goto out;
2093 }
2094 /* FALLTHROUGH */
2095 case KEY_DSA:
Damien Miller86687062014-07-02 15:28:02 +10002096 if ((key = sshkey_new(type)) == NULL) {
2097 ret = SSH_ERR_ALLOC_FAIL;
2098 goto out;
2099 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002100 if ((dsa_p = BN_new()) == NULL ||
2101 (dsa_q = BN_new()) == NULL ||
2102 (dsa_g = BN_new()) == NULL ||
2103 (dsa_pub_key = BN_new()) == NULL) {
2104 ret = SSH_ERR_ALLOC_FAIL;
2105 goto out;
2106 }
2107 if (sshbuf_get_bignum2(b, dsa_p) != 0 ||
2108 sshbuf_get_bignum2(b, dsa_q) != 0 ||
2109 sshbuf_get_bignum2(b, dsa_g) != 0 ||
2110 sshbuf_get_bignum2(b, dsa_pub_key) != 0) {
Damien Miller86687062014-07-02 15:28:02 +10002111 ret = SSH_ERR_INVALID_FORMAT;
2112 goto out;
2113 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002114 if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
2115 ret = SSH_ERR_LIBCRYPTO_ERROR;
2116 goto out;
2117 }
2118 dsa_p = dsa_q = dsa_g = NULL; /* transferred */
2119 if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
2120 ret = SSH_ERR_LIBCRYPTO_ERROR;
2121 goto out;
2122 }
2123 dsa_pub_key = NULL; /* transferred */
Damien Miller86687062014-07-02 15:28:02 +10002124#ifdef DEBUG_PK
2125 DSA_print_fp(stderr, key->dsa, 8);
2126#endif
2127 break;
2128 case KEY_ECDSA_CERT:
djm@openbsd.org60b18252015-01-26 02:59:11 +00002129 /* Skip nonce */
Damien Miller86687062014-07-02 15:28:02 +10002130 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2131 ret = SSH_ERR_INVALID_FORMAT;
2132 goto out;
2133 }
2134 /* FALLTHROUGH */
2135# ifdef OPENSSL_HAS_ECC
2136 case KEY_ECDSA:
2137 if ((key = sshkey_new(type)) == NULL) {
2138 ret = SSH_ERR_ALLOC_FAIL;
2139 goto out;
2140 }
djm@openbsd.org54924b52015-01-14 10:46:28 +00002141 key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
Damien Miller86687062014-07-02 15:28:02 +10002142 if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
2143 ret = SSH_ERR_INVALID_FORMAT;
2144 goto out;
2145 }
2146 if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
2147 ret = SSH_ERR_EC_CURVE_MISMATCH;
2148 goto out;
2149 }
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00002150 EC_KEY_free(key->ecdsa);
Damien Miller86687062014-07-02 15:28:02 +10002151 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
2152 == NULL) {
2153 ret = SSH_ERR_EC_CURVE_INVALID;
2154 goto out;
2155 }
2156 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
2157 ret = SSH_ERR_ALLOC_FAIL;
2158 goto out;
2159 }
2160 if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
2161 ret = SSH_ERR_INVALID_FORMAT;
2162 goto out;
2163 }
2164 if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
2165 q) != 0) {
2166 ret = SSH_ERR_KEY_INVALID_EC_VALUE;
2167 goto out;
2168 }
2169 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
2170 /* XXX assume it is a allocation error */
2171 ret = SSH_ERR_ALLOC_FAIL;
2172 goto out;
2173 }
2174#ifdef DEBUG_PK
2175 sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
2176#endif
2177 break;
2178# endif /* OPENSSL_HAS_ECC */
2179#endif /* WITH_OPENSSL */
2180 case KEY_ED25519_CERT:
djm@openbsd.org60b18252015-01-26 02:59:11 +00002181 /* Skip nonce */
Damien Miller86687062014-07-02 15:28:02 +10002182 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2183 ret = SSH_ERR_INVALID_FORMAT;
2184 goto out;
2185 }
2186 /* FALLTHROUGH */
2187 case KEY_ED25519:
2188 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2189 goto out;
2190 if (len != ED25519_PK_SZ) {
2191 ret = SSH_ERR_INVALID_FORMAT;
2192 goto out;
2193 }
2194 if ((key = sshkey_new(type)) == NULL) {
2195 ret = SSH_ERR_ALLOC_FAIL;
2196 goto out;
2197 }
2198 key->ed25519_pk = pk;
2199 pk = NULL;
2200 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002201#ifdef WITH_XMSS
2202 case KEY_XMSS_CERT:
2203 /* Skip nonce */
2204 if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2205 ret = SSH_ERR_INVALID_FORMAT;
2206 goto out;
2207 }
2208 /* FALLTHROUGH */
2209 case KEY_XMSS:
2210 if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0)
2211 goto out;
2212 if ((key = sshkey_new(type)) == NULL) {
2213 ret = SSH_ERR_ALLOC_FAIL;
2214 goto out;
2215 }
2216 if ((ret = sshkey_xmss_init(key, xmss_name)) != 0)
2217 goto out;
2218 if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2219 goto out;
2220 if (len == 0 || len != sshkey_xmss_pklen(key)) {
2221 ret = SSH_ERR_INVALID_FORMAT;
2222 goto out;
2223 }
2224 key->xmss_pk = pk;
2225 pk = NULL;
2226 if (type != KEY_XMSS_CERT &&
2227 (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0)
2228 goto out;
2229 break;
2230#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10002231 case KEY_UNSPEC:
Damien Miller86687062014-07-02 15:28:02 +10002232 default:
2233 ret = SSH_ERR_KEY_TYPE_UNKNOWN;
2234 goto out;
2235 }
2236
2237 /* Parse certificate potion */
djm@openbsd.org60b18252015-01-26 02:59:11 +00002238 if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002239 goto out;
2240
2241 if (key != NULL && sshbuf_len(b) != 0) {
2242 ret = SSH_ERR_INVALID_FORMAT;
2243 goto out;
2244 }
2245 ret = 0;
djm@openbsd.orgdce19bf2016-04-09 12:39:30 +00002246 if (keyp != NULL) {
2247 *keyp = key;
2248 key = NULL;
2249 }
Damien Miller86687062014-07-02 15:28:02 +10002250 out:
djm@openbsd.org60b18252015-01-26 02:59:11 +00002251 sshbuf_free(copy);
Damien Miller86687062014-07-02 15:28:02 +10002252 sshkey_free(key);
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002253 free(xmss_name);
Damien Miller86687062014-07-02 15:28:02 +10002254 free(ktype);
2255 free(curve);
2256 free(pk);
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002257#if defined(WITH_OPENSSL)
2258 BN_clear_free(rsa_n);
2259 BN_clear_free(rsa_e);
2260 BN_clear_free(dsa_p);
2261 BN_clear_free(dsa_q);
2262 BN_clear_free(dsa_g);
2263 BN_clear_free(dsa_pub_key);
2264# if defined(OPENSSL_HAS_ECC)
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00002265 EC_POINT_free(q);
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002266# endif /* OPENSSL_HAS_ECC */
2267#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +10002268 return ret;
2269}
2270
2271int
2272sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
2273{
djm@openbsd.org60b18252015-01-26 02:59:11 +00002274 struct sshbuf *b;
2275 int r;
2276
2277 if ((b = sshbuf_from(blob, blen)) == NULL)
2278 return SSH_ERR_ALLOC_FAIL;
2279 r = sshkey_from_blob_internal(b, keyp, 1);
2280 sshbuf_free(b);
2281 return r;
2282}
2283
2284int
2285sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
2286{
2287 return sshkey_from_blob_internal(b, keyp, 1);
2288}
2289
2290int
2291sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
2292{
2293 struct sshbuf *b;
2294 int r;
2295
2296 if ((r = sshbuf_froms(buf, &b)) != 0)
2297 return r;
2298 r = sshkey_from_blob_internal(b, keyp, 1);
2299 sshbuf_free(b);
2300 return r;
Damien Miller86687062014-07-02 15:28:02 +10002301}
2302
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00002303static int
2304get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
djm@openbsd.org931c78d2017-12-18 02:22:29 +00002305{
2306 int r;
2307 struct sshbuf *b = NULL;
2308 char *sigtype = NULL;
2309
2310 if (sigtypep != NULL)
2311 *sigtypep = NULL;
2312 if ((b = sshbuf_from(sig, siglen)) == NULL)
2313 return SSH_ERR_ALLOC_FAIL;
2314 if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
2315 goto out;
2316 /* success */
2317 if (sigtypep != NULL) {
2318 *sigtypep = sigtype;
2319 sigtype = NULL;
2320 }
2321 r = 0;
2322 out:
2323 free(sigtype);
2324 sshbuf_free(b);
2325 return r;
2326}
2327
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00002328/*
djm@openbsd.orgba9e7882018-09-12 01:32:54 +00002329 *
2330 * Checks whether a certificate's signature type is allowed.
2331 * Returns 0 (success) if the certificate signature type appears in the
2332 * "allowed" pattern-list, or the key is not a certificate to begin with.
2333 * Otherwise returns a ssherr.h code.
2334 */
2335int
2336sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
2337{
2338 if (key == NULL || allowed == NULL)
2339 return SSH_ERR_INVALID_ARGUMENT;
2340 if (!sshkey_type_is_cert(key->type))
2341 return 0;
2342 if (key->cert == NULL || key->cert->signature_type == NULL)
2343 return SSH_ERR_INVALID_ARGUMENT;
2344 if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
2345 return SSH_ERR_SIGN_ALG_UNSUPPORTED;
2346 return 0;
2347}
2348
2349/*
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00002350 * Returns the expected signature algorithm for a given public key algorithm.
2351 */
djm@openbsd.orgb4d4eda2018-07-03 13:20:25 +00002352const char *
2353sshkey_sigalg_by_name(const char *name)
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00002354{
2355 const struct keytype *kt;
2356
2357 for (kt = keytypes; kt->type != -1; kt++) {
2358 if (strcmp(kt->name, name) != 0)
2359 continue;
2360 if (kt->sigalg != NULL)
2361 return kt->sigalg;
2362 if (!kt->cert)
2363 return kt->name;
2364 return sshkey_ssh_name_from_type_nid(
2365 sshkey_type_plain(kt->type), kt->nid);
2366 }
2367 return NULL;
2368}
2369
2370/*
2371 * Verifies that the signature algorithm appearing inside the signature blob
2372 * matches that which was requested.
2373 */
2374int
2375sshkey_check_sigtype(const u_char *sig, size_t siglen,
2376 const char *requested_alg)
2377{
2378 const char *expected_alg;
2379 char *sigtype = NULL;
2380 int r;
2381
2382 if (requested_alg == NULL)
2383 return 0;
djm@openbsd.orgb4d4eda2018-07-03 13:20:25 +00002384 if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
djm@openbsd.org4ba0d542018-07-03 11:39:54 +00002385 return SSH_ERR_INVALID_ARGUMENT;
2386 if ((r = get_sigtype(sig, siglen, &sigtype)) != 0)
2387 return r;
2388 r = strcmp(expected_alg, sigtype) == 0;
2389 free(sigtype);
2390 return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED;
2391}
2392
djm@openbsd.org931c78d2017-12-18 02:22:29 +00002393int
Damien Miller86687062014-07-02 15:28:02 +10002394sshkey_sign(const struct sshkey *key,
2395 u_char **sigp, size_t *lenp,
markus@openbsd.org76c9fbb2015-12-04 16:41:28 +00002396 const u_char *data, size_t datalen, const char *alg, u_int compat)
Damien Miller86687062014-07-02 15:28:02 +10002397{
2398 if (sigp != NULL)
2399 *sigp = NULL;
2400 if (lenp != NULL)
2401 *lenp = 0;
2402 if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2403 return SSH_ERR_INVALID_ARGUMENT;
2404 switch (key->type) {
2405#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +10002406 case KEY_DSA_CERT:
2407 case KEY_DSA:
2408 return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2409# ifdef OPENSSL_HAS_ECC
2410 case KEY_ECDSA_CERT:
2411 case KEY_ECDSA:
2412 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2413# endif /* OPENSSL_HAS_ECC */
Damien Miller86687062014-07-02 15:28:02 +10002414 case KEY_RSA_CERT:
2415 case KEY_RSA:
markus@openbsd.org76c9fbb2015-12-04 16:41:28 +00002416 return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
Damien Miller86687062014-07-02 15:28:02 +10002417#endif /* WITH_OPENSSL */
2418 case KEY_ED25519:
2419 case KEY_ED25519_CERT:
2420 return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002421#ifdef WITH_XMSS
2422 case KEY_XMSS:
2423 case KEY_XMSS_CERT:
2424 return ssh_xmss_sign(key, sigp, lenp, data, datalen, compat);
2425#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10002426 default:
2427 return SSH_ERR_KEY_TYPE_UNKNOWN;
2428 }
2429}
2430
2431/*
2432 * ssh_key_verify returns 0 for a correct signature and < 0 on error.
djm@openbsd.org04c7e282017-12-18 02:25:15 +00002433 * If "alg" specified, then the signature must use that algorithm.
Damien Miller86687062014-07-02 15:28:02 +10002434 */
2435int
2436sshkey_verify(const struct sshkey *key,
2437 const u_char *sig, size_t siglen,
djm@openbsd.org04c7e282017-12-18 02:25:15 +00002438 const u_char *data, size_t dlen, const char *alg, u_int compat)
Damien Miller86687062014-07-02 15:28:02 +10002439{
djm@openbsd.org4cf87f42014-12-10 01:24:09 +00002440 if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
Damien Miller86687062014-07-02 15:28:02 +10002441 return SSH_ERR_INVALID_ARGUMENT;
2442 switch (key->type) {
2443#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +10002444 case KEY_DSA_CERT:
2445 case KEY_DSA:
2446 return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2447# ifdef OPENSSL_HAS_ECC
2448 case KEY_ECDSA_CERT:
2449 case KEY_ECDSA:
2450 return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2451# endif /* OPENSSL_HAS_ECC */
Damien Miller86687062014-07-02 15:28:02 +10002452 case KEY_RSA_CERT:
2453 case KEY_RSA:
djm@openbsd.org04c7e282017-12-18 02:25:15 +00002454 return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
Damien Miller86687062014-07-02 15:28:02 +10002455#endif /* WITH_OPENSSL */
2456 case KEY_ED25519:
2457 case KEY_ED25519_CERT:
2458 return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002459#ifdef WITH_XMSS
2460 case KEY_XMSS:
2461 case KEY_XMSS_CERT:
2462 return ssh_xmss_verify(key, sig, siglen, data, dlen, compat);
2463#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10002464 default:
2465 return SSH_ERR_KEY_TYPE_UNKNOWN;
2466 }
2467}
2468
Damien Miller86687062014-07-02 15:28:02 +10002469/* Convert a plain key to their _CERT equivalent */
2470int
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00002471sshkey_to_certified(struct sshkey *k)
Damien Miller86687062014-07-02 15:28:02 +10002472{
2473 int newtype;
2474
2475 switch (k->type) {
2476#ifdef WITH_OPENSSL
2477 case KEY_RSA:
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00002478 newtype = KEY_RSA_CERT;
Damien Miller86687062014-07-02 15:28:02 +10002479 break;
2480 case KEY_DSA:
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00002481 newtype = KEY_DSA_CERT;
Damien Miller86687062014-07-02 15:28:02 +10002482 break;
2483 case KEY_ECDSA:
Damien Miller86687062014-07-02 15:28:02 +10002484 newtype = KEY_ECDSA_CERT;
2485 break;
2486#endif /* WITH_OPENSSL */
2487 case KEY_ED25519:
Damien Miller86687062014-07-02 15:28:02 +10002488 newtype = KEY_ED25519_CERT;
2489 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002490#ifdef WITH_XMSS
2491 case KEY_XMSS:
2492 newtype = KEY_XMSS_CERT;
2493 break;
2494#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10002495 default:
2496 return SSH_ERR_INVALID_ARGUMENT;
2497 }
2498 if ((k->cert = cert_new()) == NULL)
2499 return SSH_ERR_ALLOC_FAIL;
2500 k->type = newtype;
2501 return 0;
2502}
2503
2504/* Convert a certificate to its raw key equivalent */
2505int
2506sshkey_drop_cert(struct sshkey *k)
2507{
2508 if (!sshkey_type_is_cert(k->type))
2509 return SSH_ERR_KEY_TYPE_UNKNOWN;
2510 cert_free(k->cert);
2511 k->cert = NULL;
2512 k->type = sshkey_type_plain(k->type);
2513 return 0;
2514}
2515
2516/* Sign a certified key, (re-)generating the signed certblob. */
2517int
djm@openbsd.orga98339e2017-06-28 01:09:22 +00002518sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
2519 sshkey_certify_signer *signer, void *signer_ctx)
Damien Miller86687062014-07-02 15:28:02 +10002520{
2521 struct sshbuf *principals = NULL;
2522 u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
2523 size_t i, ca_len, sig_len;
2524 int ret = SSH_ERR_INTERNAL_ERROR;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00002525 struct sshbuf *cert = NULL;
2526 char *sigtype = NULL;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002527#ifdef WITH_OPENSSL
2528 const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
2529#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +10002530
2531 if (k == NULL || k->cert == NULL ||
2532 k->cert->certblob == NULL || ca == NULL)
2533 return SSH_ERR_INVALID_ARGUMENT;
2534 if (!sshkey_is_cert(k))
2535 return SSH_ERR_KEY_TYPE_UNKNOWN;
2536 if (!sshkey_type_is_valid_ca(ca->type))
2537 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2538
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00002539 /*
2540 * If no alg specified as argument but a signature_type was set,
2541 * then prefer that. If both were specified, then they must match.
2542 */
2543 if (alg == NULL)
2544 alg = k->cert->signature_type;
2545 else if (k->cert->signature_type != NULL &&
2546 strcmp(alg, k->cert->signature_type) != 0)
2547 return SSH_ERR_INVALID_ARGUMENT;
2548
Damien Miller86687062014-07-02 15:28:02 +10002549 if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
2550 return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2551
2552 cert = k->cert->certblob; /* for readability */
2553 sshbuf_reset(cert);
2554 if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2555 goto out;
2556
2557 /* -v01 certs put nonce first */
2558 arc4random_buf(&nonce, sizeof(nonce));
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00002559 if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2560 goto out;
Damien Miller86687062014-07-02 15:28:02 +10002561
2562 /* XXX this substantially duplicates to_blob(); refactor */
2563 switch (k->type) {
2564#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +10002565 case KEY_DSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002566 DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
2567 DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
2568 if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 ||
2569 (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 ||
2570 (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 ||
2571 (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002572 goto out;
2573 break;
2574# ifdef OPENSSL_HAS_ECC
2575 case KEY_ECDSA_CERT:
2576 if ((ret = sshbuf_put_cstring(cert,
2577 sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
2578 (ret = sshbuf_put_ec(cert,
2579 EC_KEY_get0_public_key(k->ecdsa),
2580 EC_KEY_get0_group(k->ecdsa))) != 0)
2581 goto out;
2582 break;
2583# endif /* OPENSSL_HAS_ECC */
Damien Miller86687062014-07-02 15:28:02 +10002584 case KEY_RSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002585 RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
2586 if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 ||
2587 (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002588 goto out;
2589 break;
2590#endif /* WITH_OPENSSL */
2591 case KEY_ED25519_CERT:
2592 if ((ret = sshbuf_put_string(cert,
2593 k->ed25519_pk, ED25519_PK_SZ)) != 0)
2594 goto out;
2595 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002596#ifdef WITH_XMSS
2597 case KEY_XMSS_CERT:
2598 if (k->xmss_name == NULL) {
2599 ret = SSH_ERR_INVALID_ARGUMENT;
2600 goto out;
2601 }
2602 if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) ||
2603 (ret = sshbuf_put_string(cert,
2604 k->xmss_pk, sshkey_xmss_pklen(k))) != 0)
2605 goto out;
2606 break;
2607#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10002608 default:
2609 ret = SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.org55e5bde2015-03-06 01:40:56 +00002610 goto out;
Damien Miller86687062014-07-02 15:28:02 +10002611 }
2612
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00002613 if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2614 (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10002615 (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2616 goto out;
2617
2618 if ((principals = sshbuf_new()) == NULL) {
2619 ret = SSH_ERR_ALLOC_FAIL;
2620 goto out;
2621 }
2622 for (i = 0; i < k->cert->nprincipals; i++) {
2623 if ((ret = sshbuf_put_cstring(principals,
2624 k->cert->principals[i])) != 0)
2625 goto out;
2626 }
2627 if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2628 (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2629 (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
djm@openbsd.orgc28fc622015-07-03 03:43:18 +00002630 (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2631 (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2632 (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
Damien Miller86687062014-07-02 15:28:02 +10002633 (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2634 goto out;
2635
2636 /* Sign the whole mess */
djm@openbsd.orga98339e2017-06-28 01:09:22 +00002637 if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2638 sshbuf_len(cert), alg, 0, signer_ctx)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002639 goto out;
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00002640 /* Check and update signature_type against what was actually used */
2641 if ((ret = get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
2642 goto out;
2643 if (alg != NULL && strcmp(alg, sigtype) != 0) {
2644 ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
2645 goto out;
2646 }
2647 if (k->cert->signature_type == NULL) {
2648 k->cert->signature_type = sigtype;
2649 sigtype = NULL;
2650 }
Damien Miller86687062014-07-02 15:28:02 +10002651 /* Append signature and we are done */
2652 if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
2653 goto out;
2654 ret = 0;
2655 out:
2656 if (ret != 0)
2657 sshbuf_reset(cert);
mmcc@openbsd.orgd59ce082015-12-10 17:08:40 +00002658 free(sig_blob);
2659 free(ca_blob);
djm@openbsd.orga70fd4a2018-09-12 01:31:30 +00002660 free(sigtype);
mmcc@openbsd.org52d70782015-12-11 04:21:11 +00002661 sshbuf_free(principals);
Damien Miller86687062014-07-02 15:28:02 +10002662 return ret;
2663}
2664
djm@openbsd.orga98339e2017-06-28 01:09:22 +00002665static int
2666default_key_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
2667 const u_char *data, size_t datalen,
2668 const char *alg, u_int compat, void *ctx)
2669{
2670 if (ctx != NULL)
2671 return SSH_ERR_INVALID_ARGUMENT;
2672 return sshkey_sign(key, sigp, lenp, data, datalen, alg, compat);
2673}
2674
2675int
2676sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
2677{
2678 return sshkey_certify_custom(k, ca, alg, default_key_sign, NULL);
2679}
2680
Damien Miller86687062014-07-02 15:28:02 +10002681int
2682sshkey_cert_check_authority(const struct sshkey *k,
2683 int want_host, int require_principal,
2684 const char *name, const char **reason)
2685{
2686 u_int i, principal_matches;
2687 time_t now = time(NULL);
2688
2689 if (reason != NULL)
2690 *reason = NULL;
2691
2692 if (want_host) {
2693 if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2694 *reason = "Certificate invalid: not a host certificate";
2695 return SSH_ERR_KEY_CERT_INVALID;
2696 }
2697 } else {
2698 if (k->cert->type != SSH2_CERT_TYPE_USER) {
2699 *reason = "Certificate invalid: not a user certificate";
2700 return SSH_ERR_KEY_CERT_INVALID;
2701 }
2702 }
2703 if (now < 0) {
2704 /* yikes - system clock before epoch! */
2705 *reason = "Certificate invalid: not yet valid";
2706 return SSH_ERR_KEY_CERT_INVALID;
2707 }
2708 if ((u_int64_t)now < k->cert->valid_after) {
2709 *reason = "Certificate invalid: not yet valid";
2710 return SSH_ERR_KEY_CERT_INVALID;
2711 }
2712 if ((u_int64_t)now >= k->cert->valid_before) {
2713 *reason = "Certificate invalid: expired";
2714 return SSH_ERR_KEY_CERT_INVALID;
2715 }
2716 if (k->cert->nprincipals == 0) {
2717 if (require_principal) {
2718 *reason = "Certificate lacks principal list";
2719 return SSH_ERR_KEY_CERT_INVALID;
2720 }
2721 } else if (name != NULL) {
2722 principal_matches = 0;
2723 for (i = 0; i < k->cert->nprincipals; i++) {
2724 if (strcmp(name, k->cert->principals[i]) == 0) {
2725 principal_matches = 1;
2726 break;
2727 }
2728 }
2729 if (!principal_matches) {
2730 *reason = "Certificate invalid: name is not a listed "
2731 "principal";
2732 return SSH_ERR_KEY_CERT_INVALID;
2733 }
2734 }
2735 return 0;
2736}
2737
djm@openbsd.org499cf362015-11-19 01:08:55 +00002738size_t
2739sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
2740{
2741 char from[32], to[32], ret[64];
2742 time_t tt;
2743 struct tm *tm;
2744
2745 *from = *to = '\0';
2746 if (cert->valid_after == 0 &&
2747 cert->valid_before == 0xffffffffffffffffULL)
2748 return strlcpy(s, "forever", l);
2749
2750 if (cert->valid_after != 0) {
2751 /* XXX revisit INT_MAX in 2038 :) */
2752 tt = cert->valid_after > INT_MAX ?
2753 INT_MAX : cert->valid_after;
2754 tm = localtime(&tt);
2755 strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
2756 }
2757 if (cert->valid_before != 0xffffffffffffffffULL) {
2758 /* XXX revisit INT_MAX in 2038 :) */
2759 tt = cert->valid_before > INT_MAX ?
2760 INT_MAX : cert->valid_before;
2761 tm = localtime(&tt);
2762 strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
2763 }
2764
2765 if (cert->valid_after == 0)
2766 snprintf(ret, sizeof(ret), "before %s", to);
2767 else if (cert->valid_before == 0xffffffffffffffffULL)
2768 snprintf(ret, sizeof(ret), "after %s", from);
2769 else
2770 snprintf(ret, sizeof(ret), "from %s to %s", from, to);
2771
2772 return strlcpy(s, ret, l);
2773}
2774
Damien Miller86687062014-07-02 15:28:02 +10002775int
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002776sshkey_private_serialize_opt(const struct sshkey *key, struct sshbuf *b,
2777 enum sshkey_serialize_rep opts)
Damien Miller86687062014-07-02 15:28:02 +10002778{
2779 int r = SSH_ERR_INTERNAL_ERROR;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002780#ifdef WITH_OPENSSL
2781 const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
2782 const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
2783#endif /* WITH_OPENSSL */
Damien Miller86687062014-07-02 15:28:02 +10002784
2785 if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
2786 goto out;
2787 switch (key->type) {
2788#ifdef WITH_OPENSSL
2789 case KEY_RSA:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002790 RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
2791 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
2792 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
2793 if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
2794 (r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
2795 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
2796 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
2797 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
2798 (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002799 goto out;
2800 break;
Damien Miller86687062014-07-02 15:28:02 +10002801 case KEY_RSA_CERT:
2802 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2803 r = SSH_ERR_INVALID_ARGUMENT;
2804 goto out;
2805 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002806 RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
2807 RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
2808 RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
Damien Miller86687062014-07-02 15:28:02 +10002809 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002810 (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
2811 (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
2812 (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
2813 (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002814 goto out;
2815 break;
2816 case KEY_DSA:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002817 DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
2818 DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
2819 if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
2820 (r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
2821 (r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
2822 (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
2823 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002824 goto out;
2825 break;
Damien Miller86687062014-07-02 15:28:02 +10002826 case KEY_DSA_CERT:
2827 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2828 r = SSH_ERR_INVALID_ARGUMENT;
2829 goto out;
2830 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002831 DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
Damien Miller86687062014-07-02 15:28:02 +10002832 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002833 (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10002834 goto out;
2835 break;
2836# ifdef OPENSSL_HAS_ECC
2837 case KEY_ECDSA:
2838 if ((r = sshbuf_put_cstring(b,
2839 sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
2840 (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
2841 (r = sshbuf_put_bignum2(b,
2842 EC_KEY_get0_private_key(key->ecdsa))) != 0)
2843 goto out;
2844 break;
2845 case KEY_ECDSA_CERT:
2846 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2847 r = SSH_ERR_INVALID_ARGUMENT;
2848 goto out;
2849 }
2850 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2851 (r = sshbuf_put_bignum2(b,
2852 EC_KEY_get0_private_key(key->ecdsa))) != 0)
2853 goto out;
2854 break;
2855# endif /* OPENSSL_HAS_ECC */
2856#endif /* WITH_OPENSSL */
2857 case KEY_ED25519:
2858 if ((r = sshbuf_put_string(b, key->ed25519_pk,
2859 ED25519_PK_SZ)) != 0 ||
2860 (r = sshbuf_put_string(b, key->ed25519_sk,
2861 ED25519_SK_SZ)) != 0)
2862 goto out;
2863 break;
2864 case KEY_ED25519_CERT:
2865 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2866 r = SSH_ERR_INVALID_ARGUMENT;
2867 goto out;
2868 }
2869 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2870 (r = sshbuf_put_string(b, key->ed25519_pk,
2871 ED25519_PK_SZ)) != 0 ||
2872 (r = sshbuf_put_string(b, key->ed25519_sk,
2873 ED25519_SK_SZ)) != 0)
2874 goto out;
2875 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002876#ifdef WITH_XMSS
2877 case KEY_XMSS:
2878 if (key->xmss_name == NULL) {
2879 r = SSH_ERR_INVALID_ARGUMENT;
2880 goto out;
2881 }
2882 if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
2883 (r = sshbuf_put_string(b, key->xmss_pk,
2884 sshkey_xmss_pklen(key))) != 0 ||
2885 (r = sshbuf_put_string(b, key->xmss_sk,
2886 sshkey_xmss_sklen(key))) != 0 ||
2887 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
2888 goto out;
2889 break;
2890 case KEY_XMSS_CERT:
2891 if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 ||
2892 key->xmss_name == NULL) {
2893 r = SSH_ERR_INVALID_ARGUMENT;
2894 goto out;
2895 }
2896 if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2897 (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
2898 (r = sshbuf_put_string(b, key->xmss_pk,
2899 sshkey_xmss_pklen(key))) != 0 ||
2900 (r = sshbuf_put_string(b, key->xmss_sk,
2901 sshkey_xmss_sklen(key))) != 0 ||
2902 (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
2903 goto out;
2904 break;
2905#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10002906 default:
2907 r = SSH_ERR_INVALID_ARGUMENT;
2908 goto out;
2909 }
2910 /* success */
2911 r = 0;
2912 out:
2913 return r;
2914}
2915
2916int
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002917sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2918{
2919 return sshkey_private_serialize_opt(key, b,
2920 SSHKEY_SERIALIZE_DEFAULT);
2921}
2922
2923int
Damien Miller86687062014-07-02 15:28:02 +10002924sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2925{
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002926 char *tname = NULL, *curve = NULL, *xmss_name = NULL;
Damien Miller86687062014-07-02 15:28:02 +10002927 struct sshkey *k = NULL;
djm@openbsd.org60b18252015-01-26 02:59:11 +00002928 size_t pklen = 0, sklen = 0;
Damien Miller86687062014-07-02 15:28:02 +10002929 int type, r = SSH_ERR_INTERNAL_ERROR;
2930 u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00002931 u_char *xmss_pk = NULL, *xmss_sk = NULL;
Damien Miller86687062014-07-02 15:28:02 +10002932#ifdef WITH_OPENSSL
2933 BIGNUM *exponent = NULL;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002934 BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
2935 BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
2936 BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
2937 BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
Damien Miller86687062014-07-02 15:28:02 +10002938#endif /* WITH_OPENSSL */
2939
2940 if (kp != NULL)
2941 *kp = NULL;
2942 if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
2943 goto out;
2944 type = sshkey_type_from_name(tname);
2945 switch (type) {
2946#ifdef WITH_OPENSSL
2947 case KEY_DSA:
djm@openbsd.org6da046f2018-09-14 04:17:44 +00002948 if ((k = sshkey_new(type)) == NULL) {
Damien Miller86687062014-07-02 15:28:02 +10002949 r = SSH_ERR_ALLOC_FAIL;
2950 goto out;
2951 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002952 if ((dsa_p = BN_new()) == NULL ||
2953 (dsa_q = BN_new()) == NULL ||
2954 (dsa_g = BN_new()) == NULL ||
2955 (dsa_pub_key = BN_new()) == NULL ||
2956 (dsa_priv_key = BN_new()) == NULL) {
2957 r = SSH_ERR_ALLOC_FAIL;
Damien Miller86687062014-07-02 15:28:02 +10002958 goto out;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002959 }
2960 if ((r = sshbuf_get_bignum2(buf, dsa_p)) != 0 ||
2961 (r = sshbuf_get_bignum2(buf, dsa_q)) != 0 ||
2962 (r = sshbuf_get_bignum2(buf, dsa_g)) != 0 ||
2963 (r = sshbuf_get_bignum2(buf, dsa_pub_key)) != 0 ||
2964 (r = sshbuf_get_bignum2(buf, dsa_priv_key)) != 0)
2965 goto out;
2966 if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
2967 r = SSH_ERR_LIBCRYPTO_ERROR;
2968 goto out;
2969 }
2970 dsa_p = dsa_q = dsa_g = NULL; /* transferred */
2971 if (!DSA_set0_key(k->dsa, dsa_pub_key, dsa_priv_key)) {
2972 r = SSH_ERR_LIBCRYPTO_ERROR;
2973 goto out;
2974 }
2975 dsa_pub_key = dsa_priv_key = NULL; /* transferred */
Damien Miller86687062014-07-02 15:28:02 +10002976 break;
Damien Miller86687062014-07-02 15:28:02 +10002977 case KEY_DSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002978 if ((dsa_priv_key = BN_new()) == NULL) {
2979 r = SSH_ERR_ALLOC_FAIL;
Damien Miller86687062014-07-02 15:28:02 +10002980 goto out;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00002981 }
2982 if ((r = sshkey_froms(buf, &k)) != 0 ||
2983 (r = sshbuf_get_bignum2(buf, dsa_priv_key)) != 0)
2984 goto out;
2985 if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
2986 r = SSH_ERR_LIBCRYPTO_ERROR;
2987 goto out;
2988 }
2989 dsa_priv_key = NULL; /* transferred */
Damien Miller86687062014-07-02 15:28:02 +10002990 break;
2991# ifdef OPENSSL_HAS_ECC
2992 case KEY_ECDSA:
djm@openbsd.org6da046f2018-09-14 04:17:44 +00002993 if ((k = sshkey_new(type)) == NULL) {
Damien Miller86687062014-07-02 15:28:02 +10002994 r = SSH_ERR_ALLOC_FAIL;
2995 goto out;
2996 }
2997 if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
2998 r = SSH_ERR_INVALID_ARGUMENT;
2999 goto out;
3000 }
3001 if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
3002 goto out;
3003 if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
3004 r = SSH_ERR_EC_CURVE_MISMATCH;
3005 goto out;
3006 }
3007 k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
3008 if (k->ecdsa == NULL || (exponent = BN_new()) == NULL) {
3009 r = SSH_ERR_LIBCRYPTO_ERROR;
3010 goto out;
3011 }
3012 if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
3013 (r = sshbuf_get_bignum2(buf, exponent)))
3014 goto out;
3015 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
3016 r = SSH_ERR_LIBCRYPTO_ERROR;
3017 goto out;
3018 }
3019 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
jsg@openbsd.orgf3a3ea12015-09-02 07:51:12 +00003020 EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10003021 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
3022 goto out;
3023 break;
3024 case KEY_ECDSA_CERT:
3025 if ((exponent = BN_new()) == NULL) {
3026 r = SSH_ERR_LIBCRYPTO_ERROR;
3027 goto out;
3028 }
djm@openbsd.org60b18252015-01-26 02:59:11 +00003029 if ((r = sshkey_froms(buf, &k)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10003030 (r = sshbuf_get_bignum2(buf, exponent)) != 0)
3031 goto out;
3032 if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
3033 r = SSH_ERR_LIBCRYPTO_ERROR;
3034 goto out;
3035 }
3036 if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
jsg@openbsd.orgf3a3ea12015-09-02 07:51:12 +00003037 EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10003038 (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
3039 goto out;
3040 break;
3041# endif /* OPENSSL_HAS_ECC */
3042 case KEY_RSA:
djm@openbsd.org6da046f2018-09-14 04:17:44 +00003043 if ((k = sshkey_new(type)) == NULL) {
Damien Miller86687062014-07-02 15:28:02 +10003044 r = SSH_ERR_ALLOC_FAIL;
3045 goto out;
3046 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003047 if ((rsa_n = BN_new()) == NULL ||
3048 (rsa_e = BN_new()) == NULL ||
3049 (rsa_d = BN_new()) == NULL ||
3050 (rsa_iqmp = BN_new()) == NULL ||
3051 (rsa_p = BN_new()) == NULL ||
3052 (rsa_q = BN_new()) == NULL) {
3053 r = SSH_ERR_ALLOC_FAIL;
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00003054 goto out;
3055 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003056 if ((r = sshbuf_get_bignum2(buf, rsa_n)) != 0 ||
3057 (r = sshbuf_get_bignum2(buf, rsa_e)) != 0 ||
3058 (r = sshbuf_get_bignum2(buf, rsa_d)) != 0 ||
3059 (r = sshbuf_get_bignum2(buf, rsa_iqmp)) != 0 ||
3060 (r = sshbuf_get_bignum2(buf, rsa_p)) != 0 ||
3061 (r = sshbuf_get_bignum2(buf, rsa_q)) != 0)
3062 goto out;
3063 if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, rsa_d)) {
3064 r = SSH_ERR_LIBCRYPTO_ERROR;
3065 goto out;
3066 }
3067 rsa_n = rsa_e = rsa_d = NULL; /* transferred */
3068 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
3069 r = SSH_ERR_LIBCRYPTO_ERROR;
3070 goto out;
3071 }
3072 rsa_p = rsa_q = NULL; /* transferred */
3073 if ((r = check_rsa_length(k->rsa)) != 0)
3074 goto out;
3075 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
3076 goto out;
Damien Miller86687062014-07-02 15:28:02 +10003077 break;
Damien Miller86687062014-07-02 15:28:02 +10003078 case KEY_RSA_CERT:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003079 if ((rsa_d = BN_new()) == NULL ||
3080 (rsa_iqmp = BN_new()) == NULL ||
3081 (rsa_p = BN_new()) == NULL ||
3082 (rsa_q = BN_new()) == NULL) {
3083 r = SSH_ERR_ALLOC_FAIL;
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00003084 goto out;
3085 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003086 if ((r = sshkey_froms(buf, &k)) != 0 ||
3087 (r = sshbuf_get_bignum2(buf, rsa_d)) != 0 ||
3088 (r = sshbuf_get_bignum2(buf, rsa_iqmp)) != 0 ||
3089 (r = sshbuf_get_bignum2(buf, rsa_p)) != 0 ||
3090 (r = sshbuf_get_bignum2(buf, rsa_q)) != 0)
3091 goto out;
3092 if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
3093 r = SSH_ERR_LIBCRYPTO_ERROR;
3094 goto out;
3095 }
3096 rsa_d = NULL; /* transferred */
3097 if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
3098 r = SSH_ERR_LIBCRYPTO_ERROR;
3099 goto out;
3100 }
3101 rsa_p = rsa_q = NULL; /* transferred */
3102 if ((r = check_rsa_length(k->rsa)) != 0)
3103 goto out;
3104 if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
3105 goto out;
Damien Miller86687062014-07-02 15:28:02 +10003106 break;
3107#endif /* WITH_OPENSSL */
3108 case KEY_ED25519:
djm@openbsd.org6da046f2018-09-14 04:17:44 +00003109 if ((k = sshkey_new(type)) == NULL) {
Damien Miller86687062014-07-02 15:28:02 +10003110 r = SSH_ERR_ALLOC_FAIL;
3111 goto out;
3112 }
3113 if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
3114 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
3115 goto out;
3116 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
3117 r = SSH_ERR_INVALID_FORMAT;
3118 goto out;
3119 }
3120 k->ed25519_pk = ed25519_pk;
3121 k->ed25519_sk = ed25519_sk;
3122 ed25519_pk = ed25519_sk = NULL;
3123 break;
3124 case KEY_ED25519_CERT:
djm@openbsd.org60b18252015-01-26 02:59:11 +00003125 if ((r = sshkey_froms(buf, &k)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10003126 (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
3127 (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
3128 goto out;
3129 if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
3130 r = SSH_ERR_INVALID_FORMAT;
3131 goto out;
3132 }
3133 k->ed25519_pk = ed25519_pk;
3134 k->ed25519_sk = ed25519_sk;
3135 ed25519_pk = ed25519_sk = NULL;
3136 break;
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003137#ifdef WITH_XMSS
3138 case KEY_XMSS:
djm@openbsd.org6da046f2018-09-14 04:17:44 +00003139 if ((k = sshkey_new(type)) == NULL) {
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003140 r = SSH_ERR_ALLOC_FAIL;
3141 goto out;
3142 }
3143 if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
3144 (r = sshkey_xmss_init(k, xmss_name)) != 0 ||
3145 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
3146 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
3147 goto out;
3148 if (pklen != sshkey_xmss_pklen(k) ||
3149 sklen != sshkey_xmss_sklen(k)) {
3150 r = SSH_ERR_INVALID_FORMAT;
3151 goto out;
3152 }
3153 k->xmss_pk = xmss_pk;
3154 k->xmss_sk = xmss_sk;
3155 xmss_pk = xmss_sk = NULL;
3156 /* optional internal state */
3157 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
3158 goto out;
3159 break;
3160 case KEY_XMSS_CERT:
3161 if ((r = sshkey_froms(buf, &k)) != 0 ||
markus@openbsd.org27979da2018-03-22 07:05:48 +00003162 (r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003163 (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
3164 (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
3165 goto out;
markus@openbsd.org27979da2018-03-22 07:05:48 +00003166 if (strcmp(xmss_name, k->xmss_name)) {
3167 r = SSH_ERR_INVALID_FORMAT;
3168 goto out;
3169 }
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003170 if (pklen != sshkey_xmss_pklen(k) ||
3171 sklen != sshkey_xmss_sklen(k)) {
3172 r = SSH_ERR_INVALID_FORMAT;
3173 goto out;
3174 }
3175 k->xmss_pk = xmss_pk;
3176 k->xmss_sk = xmss_sk;
3177 xmss_pk = xmss_sk = NULL;
3178 /* optional internal state */
3179 if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
3180 goto out;
3181 break;
3182#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10003183 default:
3184 r = SSH_ERR_KEY_TYPE_UNKNOWN;
3185 goto out;
3186 }
3187#ifdef WITH_OPENSSL
3188 /* enable blinding */
3189 switch (k->type) {
3190 case KEY_RSA:
Damien Miller86687062014-07-02 15:28:02 +10003191 case KEY_RSA_CERT:
Damien Miller86687062014-07-02 15:28:02 +10003192 if (RSA_blinding_on(k->rsa, NULL) != 1) {
3193 r = SSH_ERR_LIBCRYPTO_ERROR;
3194 goto out;
3195 }
3196 break;
3197 }
3198#endif /* WITH_OPENSSL */
3199 /* success */
3200 r = 0;
3201 if (kp != NULL) {
3202 *kp = k;
3203 k = NULL;
3204 }
3205 out:
3206 free(tname);
3207 free(curve);
3208#ifdef WITH_OPENSSL
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00003209 BN_clear_free(exponent);
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003210 BN_clear_free(dsa_p);
3211 BN_clear_free(dsa_q);
3212 BN_clear_free(dsa_g);
3213 BN_clear_free(dsa_pub_key);
3214 BN_clear_free(dsa_priv_key);
3215 BN_clear_free(rsa_n);
3216 BN_clear_free(rsa_e);
3217 BN_clear_free(rsa_d);
3218 BN_clear_free(rsa_p);
3219 BN_clear_free(rsa_q);
3220 BN_clear_free(rsa_iqmp);
Damien Miller86687062014-07-02 15:28:02 +10003221#endif /* WITH_OPENSSL */
3222 sshkey_free(k);
jsing@openbsd.org4270efa2018-02-14 16:03:32 +00003223 freezero(ed25519_pk, pklen);
3224 freezero(ed25519_sk, sklen);
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003225 free(xmss_name);
3226 freezero(xmss_pk, pklen);
3227 freezero(xmss_sk, sklen);
Damien Miller86687062014-07-02 15:28:02 +10003228 return r;
3229}
3230
3231#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
3232int
3233sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
3234{
3235 BN_CTX *bnctx;
3236 EC_POINT *nq = NULL;
3237 BIGNUM *order, *x, *y, *tmp;
3238 int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
3239
djm@openbsd.orga571dbc2016-10-04 21:34:40 +00003240 /*
3241 * NB. This assumes OpenSSL has already verified that the public
3242 * point lies on the curve. This is done by EC_POINT_oct2point()
3243 * implicitly calling EC_POINT_is_on_curve(). If this code is ever
3244 * reachable with public points not unmarshalled using
3245 * EC_POINT_oct2point then the caller will need to explicitly check.
3246 */
3247
Damien Miller86687062014-07-02 15:28:02 +10003248 if ((bnctx = BN_CTX_new()) == NULL)
3249 return SSH_ERR_ALLOC_FAIL;
3250 BN_CTX_start(bnctx);
3251
3252 /*
3253 * We shouldn't ever hit this case because bignum_get_ecpoint()
3254 * refuses to load GF2m points.
3255 */
3256 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3257 NID_X9_62_prime_field)
3258 goto out;
3259
3260 /* Q != infinity */
3261 if (EC_POINT_is_at_infinity(group, public))
3262 goto out;
3263
3264 if ((x = BN_CTX_get(bnctx)) == NULL ||
3265 (y = BN_CTX_get(bnctx)) == NULL ||
3266 (order = BN_CTX_get(bnctx)) == NULL ||
3267 (tmp = BN_CTX_get(bnctx)) == NULL) {
3268 ret = SSH_ERR_ALLOC_FAIL;
3269 goto out;
3270 }
3271
3272 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
3273 if (EC_GROUP_get_order(group, order, bnctx) != 1 ||
3274 EC_POINT_get_affine_coordinates_GFp(group, public,
3275 x, y, bnctx) != 1) {
3276 ret = SSH_ERR_LIBCRYPTO_ERROR;
3277 goto out;
3278 }
3279 if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
3280 BN_num_bits(y) <= BN_num_bits(order) / 2)
3281 goto out;
3282
3283 /* nQ == infinity (n == order of subgroup) */
3284 if ((nq = EC_POINT_new(group)) == NULL) {
3285 ret = SSH_ERR_ALLOC_FAIL;
3286 goto out;
3287 }
3288 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) {
3289 ret = SSH_ERR_LIBCRYPTO_ERROR;
3290 goto out;
3291 }
3292 if (EC_POINT_is_at_infinity(group, nq) != 1)
3293 goto out;
3294
3295 /* x < order - 1, y < order - 1 */
3296 if (!BN_sub(tmp, order, BN_value_one())) {
3297 ret = SSH_ERR_LIBCRYPTO_ERROR;
3298 goto out;
3299 }
3300 if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
3301 goto out;
3302 ret = 0;
3303 out:
3304 BN_CTX_free(bnctx);
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00003305 EC_POINT_free(nq);
Damien Miller86687062014-07-02 15:28:02 +10003306 return ret;
3307}
3308
3309int
3310sshkey_ec_validate_private(const EC_KEY *key)
3311{
3312 BN_CTX *bnctx;
3313 BIGNUM *order, *tmp;
3314 int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
3315
3316 if ((bnctx = BN_CTX_new()) == NULL)
3317 return SSH_ERR_ALLOC_FAIL;
3318 BN_CTX_start(bnctx);
3319
3320 if ((order = BN_CTX_get(bnctx)) == NULL ||
3321 (tmp = BN_CTX_get(bnctx)) == NULL) {
3322 ret = SSH_ERR_ALLOC_FAIL;
3323 goto out;
3324 }
3325
3326 /* log2(private) > log2(order)/2 */
3327 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) {
3328 ret = SSH_ERR_LIBCRYPTO_ERROR;
3329 goto out;
3330 }
3331 if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
3332 BN_num_bits(order) / 2)
3333 goto out;
3334
3335 /* private < order - 1 */
3336 if (!BN_sub(tmp, order, BN_value_one())) {
3337 ret = SSH_ERR_LIBCRYPTO_ERROR;
3338 goto out;
3339 }
3340 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
3341 goto out;
3342 ret = 0;
3343 out:
3344 BN_CTX_free(bnctx);
3345 return ret;
3346}
3347
3348void
3349sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
3350{
3351 BIGNUM *x, *y;
3352 BN_CTX *bnctx;
3353
3354 if (point == NULL) {
3355 fputs("point=(NULL)\n", stderr);
3356 return;
3357 }
3358 if ((bnctx = BN_CTX_new()) == NULL) {
3359 fprintf(stderr, "%s: BN_CTX_new failed\n", __func__);
3360 return;
3361 }
3362 BN_CTX_start(bnctx);
3363 if ((x = BN_CTX_get(bnctx)) == NULL ||
3364 (y = BN_CTX_get(bnctx)) == NULL) {
3365 fprintf(stderr, "%s: BN_CTX_get failed\n", __func__);
3366 return;
3367 }
3368 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3369 NID_X9_62_prime_field) {
3370 fprintf(stderr, "%s: group is not a prime field\n", __func__);
3371 return;
3372 }
3373 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y,
3374 bnctx) != 1) {
3375 fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
3376 __func__);
3377 return;
3378 }
3379 fputs("x=", stderr);
3380 BN_print_fp(stderr, x);
3381 fputs("\ny=", stderr);
3382 BN_print_fp(stderr, y);
3383 fputs("\n", stderr);
3384 BN_CTX_free(bnctx);
3385}
3386
3387void
3388sshkey_dump_ec_key(const EC_KEY *key)
3389{
3390 const BIGNUM *exponent;
3391
3392 sshkey_dump_ec_point(EC_KEY_get0_group(key),
3393 EC_KEY_get0_public_key(key));
3394 fputs("exponent=", stderr);
3395 if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
3396 fputs("(NULL)", stderr);
3397 else
3398 BN_print_fp(stderr, EC_KEY_get0_private_key(key));
3399 fputs("\n", stderr);
3400}
3401#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
3402
3403static int
3404sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob,
3405 const char *passphrase, const char *comment, const char *ciphername,
3406 int rounds)
3407{
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00003408 u_char *cp, *key = NULL, *pubkeyblob = NULL;
Damien Miller86687062014-07-02 15:28:02 +10003409 u_char salt[SALT_LEN];
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00003410 char *b64 = NULL;
Damien Miller86687062014-07-02 15:28:02 +10003411 size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
3412 u_int check;
3413 int r = SSH_ERR_INTERNAL_ERROR;
djm@openbsd.org4706c1d2016-08-03 05:41:57 +00003414 struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller86687062014-07-02 15:28:02 +10003415 const struct sshcipher *cipher;
3416 const char *kdfname = KDFNAME;
3417 struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
3418
Damien Miller86687062014-07-02 15:28:02 +10003419 if (rounds <= 0)
3420 rounds = DEFAULT_ROUNDS;
3421 if (passphrase == NULL || !strlen(passphrase)) {
3422 ciphername = "none";
3423 kdfname = "none";
3424 } else if (ciphername == NULL)
3425 ciphername = DEFAULT_CIPHERNAME;
Damien Miller86687062014-07-02 15:28:02 +10003426 if ((cipher = cipher_by_name(ciphername)) == NULL) {
djm@openbsd.orgcdccebd2017-04-30 23:15:04 +00003427 r = SSH_ERR_INVALID_ARGUMENT;
Damien Miller86687062014-07-02 15:28:02 +10003428 goto out;
3429 }
3430
3431 if ((kdf = sshbuf_new()) == NULL ||
3432 (encoded = sshbuf_new()) == NULL ||
3433 (encrypted = sshbuf_new()) == NULL) {
3434 r = SSH_ERR_ALLOC_FAIL;
3435 goto out;
3436 }
3437 blocksize = cipher_blocksize(cipher);
3438 keylen = cipher_keylen(cipher);
3439 ivlen = cipher_ivlen(cipher);
3440 authlen = cipher_authlen(cipher);
3441 if ((key = calloc(1, keylen + ivlen)) == NULL) {
3442 r = SSH_ERR_ALLOC_FAIL;
3443 goto out;
3444 }
3445 if (strcmp(kdfname, "bcrypt") == 0) {
3446 arc4random_buf(salt, SALT_LEN);
3447 if (bcrypt_pbkdf(passphrase, strlen(passphrase),
3448 salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
3449 r = SSH_ERR_INVALID_ARGUMENT;
3450 goto out;
3451 }
3452 if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
3453 (r = sshbuf_put_u32(kdf, rounds)) != 0)
3454 goto out;
3455 } else if (strcmp(kdfname, "none") != 0) {
3456 /* Unsupported KDF type */
3457 r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3458 goto out;
3459 }
3460 if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
3461 key + keylen, ivlen, 1)) != 0)
3462 goto out;
3463
3464 if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
3465 (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
3466 (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
3467 (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
3468 (r = sshbuf_put_u32(encoded, 1)) != 0 || /* number of keys */
3469 (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
3470 (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
3471 goto out;
3472
3473 /* set up the buffer that will be encrypted */
3474
3475 /* Random check bytes */
3476 check = arc4random();
3477 if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
3478 (r = sshbuf_put_u32(encrypted, check)) != 0)
3479 goto out;
3480
3481 /* append private key and comment*/
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003482 if ((r = sshkey_private_serialize_opt(prv, encrypted,
3483 SSHKEY_SERIALIZE_FULL)) != 0 ||
Damien Miller86687062014-07-02 15:28:02 +10003484 (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3485 goto out;
3486
3487 /* padding */
3488 i = 0;
3489 while (sshbuf_len(encrypted) % blocksize) {
3490 if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
3491 goto out;
3492 }
3493
3494 /* length in destination buffer */
3495 if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
3496 goto out;
3497
3498 /* encrypt */
3499 if ((r = sshbuf_reserve(encoded,
3500 sshbuf_len(encrypted) + authlen, &cp)) != 0)
3501 goto out;
djm@openbsd.org4706c1d2016-08-03 05:41:57 +00003502 if ((r = cipher_crypt(ciphercontext, 0, cp,
Damien Miller86687062014-07-02 15:28:02 +10003503 sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
3504 goto out;
3505
3506 /* uuencode */
3507 if ((b64 = sshbuf_dtob64(encoded)) == NULL) {
3508 r = SSH_ERR_ALLOC_FAIL;
3509 goto out;
3510 }
3511
3512 sshbuf_reset(blob);
3513 if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0)
3514 goto out;
3515 for (i = 0; i < strlen(b64); i++) {
3516 if ((r = sshbuf_put_u8(blob, b64[i])) != 0)
3517 goto out;
3518 /* insert line breaks */
3519 if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
3520 goto out;
3521 }
3522 if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
3523 goto out;
3524 if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
3525 goto out;
3526
3527 /* success */
3528 r = 0;
3529
3530 out:
3531 sshbuf_free(kdf);
3532 sshbuf_free(encoded);
3533 sshbuf_free(encrypted);
djm@openbsd.org4706c1d2016-08-03 05:41:57 +00003534 cipher_free(ciphercontext);
Damien Miller86687062014-07-02 15:28:02 +10003535 explicit_bzero(salt, sizeof(salt));
3536 if (key != NULL) {
3537 explicit_bzero(key, keylen + ivlen);
3538 free(key);
3539 }
3540 if (pubkeyblob != NULL) {
3541 explicit_bzero(pubkeyblob, pubkeylen);
3542 free(pubkeyblob);
3543 }
3544 if (b64 != NULL) {
3545 explicit_bzero(b64, strlen(b64));
3546 free(b64);
3547 }
3548 return r;
3549}
3550
3551static int
3552sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
3553 struct sshkey **keyp, char **commentp)
3554{
3555 char *comment = NULL, *ciphername = NULL, *kdfname = NULL;
3556 const struct sshcipher *cipher = NULL;
3557 const u_char *cp;
3558 int r = SSH_ERR_INTERNAL_ERROR;
3559 size_t encoded_len;
djm@openbsd.org63ebf012015-05-08 03:17:49 +00003560 size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0;
Damien Miller86687062014-07-02 15:28:02 +10003561 struct sshbuf *encoded = NULL, *decoded = NULL;
3562 struct sshbuf *kdf = NULL, *decrypted = NULL;
djm@openbsd.org4706c1d2016-08-03 05:41:57 +00003563 struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller86687062014-07-02 15:28:02 +10003564 struct sshkey *k = NULL;
3565 u_char *key = NULL, *salt = NULL, *dp, pad, last;
3566 u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
3567
Damien Miller86687062014-07-02 15:28:02 +10003568 if (keyp != NULL)
3569 *keyp = NULL;
3570 if (commentp != NULL)
3571 *commentp = NULL;
3572
3573 if ((encoded = sshbuf_new()) == NULL ||
3574 (decoded = sshbuf_new()) == NULL ||
3575 (decrypted = sshbuf_new()) == NULL) {
3576 r = SSH_ERR_ALLOC_FAIL;
3577 goto out;
3578 }
3579
3580 /* check preamble */
3581 cp = sshbuf_ptr(blob);
3582 encoded_len = sshbuf_len(blob);
3583 if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
3584 memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
3585 r = SSH_ERR_INVALID_FORMAT;
3586 goto out;
3587 }
3588 cp += MARK_BEGIN_LEN;
3589 encoded_len -= MARK_BEGIN_LEN;
3590
3591 /* Look for end marker, removing whitespace as we go */
3592 while (encoded_len > 0) {
3593 if (*cp != '\n' && *cp != '\r') {
3594 if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
3595 goto out;
3596 }
3597 last = *cp;
3598 encoded_len--;
3599 cp++;
3600 if (last == '\n') {
3601 if (encoded_len >= MARK_END_LEN &&
3602 memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
3603 /* \0 terminate */
3604 if ((r = sshbuf_put_u8(encoded, 0)) != 0)
3605 goto out;
3606 break;
3607 }
3608 }
3609 }
3610 if (encoded_len == 0) {
3611 r = SSH_ERR_INVALID_FORMAT;
3612 goto out;
3613 }
3614
3615 /* decode base64 */
djm@openbsd.org3cc1fbb2014-10-08 21:45:48 +00003616 if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
Damien Miller86687062014-07-02 15:28:02 +10003617 goto out;
3618
3619 /* check magic */
3620 if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
3621 memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
3622 r = SSH_ERR_INVALID_FORMAT;
3623 goto out;
3624 }
3625 /* parse public portion of key */
3626 if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
3627 (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
3628 (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
3629 (r = sshbuf_froms(decoded, &kdf)) != 0 ||
3630 (r = sshbuf_get_u32(decoded, &nkeys)) != 0 ||
3631 (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */
3632 (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
3633 goto out;
3634
3635 if ((cipher = cipher_by_name(ciphername)) == NULL) {
3636 r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3637 goto out;
3638 }
3639 if ((passphrase == NULL || strlen(passphrase) == 0) &&
3640 strcmp(ciphername, "none") != 0) {
3641 /* passphrase required */
3642 r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3643 goto out;
3644 }
3645 if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
3646 r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3647 goto out;
3648 }
3649 if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
3650 r = SSH_ERR_INVALID_FORMAT;
3651 goto out;
3652 }
3653 if (nkeys != 1) {
3654 /* XXX only one key supported */
3655 r = SSH_ERR_INVALID_FORMAT;
3656 goto out;
3657 }
3658
3659 /* check size of encrypted key blob */
3660 blocksize = cipher_blocksize(cipher);
3661 if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
3662 r = SSH_ERR_INVALID_FORMAT;
3663 goto out;
3664 }
3665
3666 /* setup key */
3667 keylen = cipher_keylen(cipher);
3668 ivlen = cipher_ivlen(cipher);
djm@openbsd.org63ebf012015-05-08 03:17:49 +00003669 authlen = cipher_authlen(cipher);
Damien Miller86687062014-07-02 15:28:02 +10003670 if ((key = calloc(1, keylen + ivlen)) == NULL) {
3671 r = SSH_ERR_ALLOC_FAIL;
3672 goto out;
3673 }
3674 if (strcmp(kdfname, "bcrypt") == 0) {
3675 if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
3676 (r = sshbuf_get_u32(kdf, &rounds)) != 0)
3677 goto out;
3678 if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
3679 key, keylen + ivlen, rounds) < 0) {
3680 r = SSH_ERR_INVALID_FORMAT;
3681 goto out;
3682 }
3683 }
3684
djm@openbsd.org63ebf012015-05-08 03:17:49 +00003685 /* check that an appropriate amount of auth data is present */
3686 if (sshbuf_len(decoded) < encrypted_len + authlen) {
3687 r = SSH_ERR_INVALID_FORMAT;
3688 goto out;
3689 }
3690
Damien Miller86687062014-07-02 15:28:02 +10003691 /* decrypt private portion of key */
3692 if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
3693 (r = cipher_init(&ciphercontext, cipher, key, keylen,
3694 key + keylen, ivlen, 0)) != 0)
3695 goto out;
djm@openbsd.org4706c1d2016-08-03 05:41:57 +00003696 if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
djm@openbsd.org63ebf012015-05-08 03:17:49 +00003697 encrypted_len, 0, authlen)) != 0) {
Damien Miller86687062014-07-02 15:28:02 +10003698 /* an integrity error here indicates an incorrect passphrase */
3699 if (r == SSH_ERR_MAC_INVALID)
3700 r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3701 goto out;
3702 }
djm@openbsd.org63ebf012015-05-08 03:17:49 +00003703 if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
Damien Miller86687062014-07-02 15:28:02 +10003704 goto out;
3705 /* there should be no trailing data */
3706 if (sshbuf_len(decoded) != 0) {
3707 r = SSH_ERR_INVALID_FORMAT;
3708 goto out;
3709 }
3710
3711 /* check check bytes */
3712 if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
3713 (r = sshbuf_get_u32(decrypted, &check2)) != 0)
3714 goto out;
3715 if (check1 != check2) {
3716 r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3717 goto out;
3718 }
3719
3720 /* Load the private key and comment */
3721 if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
3722 (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
3723 goto out;
3724
3725 /* Check deterministic padding */
3726 i = 0;
3727 while (sshbuf_len(decrypted)) {
3728 if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
3729 goto out;
3730 if (pad != (++i & 0xff)) {
3731 r = SSH_ERR_INVALID_FORMAT;
3732 goto out;
3733 }
3734 }
3735
3736 /* XXX decode pubkey and check against private */
3737
3738 /* success */
3739 r = 0;
3740 if (keyp != NULL) {
3741 *keyp = k;
3742 k = NULL;
3743 }
3744 if (commentp != NULL) {
3745 *commentp = comment;
3746 comment = NULL;
3747 }
3748 out:
3749 pad = 0;
djm@openbsd.org4706c1d2016-08-03 05:41:57 +00003750 cipher_free(ciphercontext);
Damien Miller86687062014-07-02 15:28:02 +10003751 free(ciphername);
3752 free(kdfname);
3753 free(comment);
3754 if (salt != NULL) {
3755 explicit_bzero(salt, slen);
3756 free(salt);
3757 }
3758 if (key != NULL) {
3759 explicit_bzero(key, keylen + ivlen);
3760 free(key);
3761 }
3762 sshbuf_free(encoded);
3763 sshbuf_free(decoded);
3764 sshbuf_free(kdf);
3765 sshbuf_free(decrypted);
3766 sshkey_free(k);
3767 return r;
3768}
3769
Damien Miller86687062014-07-02 15:28:02 +10003770
3771#ifdef WITH_OPENSSL
3772/* convert SSH v2 key in OpenSSL PEM format */
3773static int
3774sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
3775 const char *_passphrase, const char *comment)
3776{
3777 int success, r;
3778 int blen, len = strlen(_passphrase);
3779 u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
Darren Tucker8fed0a52017-03-29 10:16:15 +11003780 const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
djm@openbsd.org224f1932017-10-13 06:24:51 +00003781 char *bptr;
Damien Miller86687062014-07-02 15:28:02 +10003782 BIO *bio = NULL;
3783
3784 if (len > 0 && len <= 4)
3785 return SSH_ERR_PASSPHRASE_TOO_SHORT;
3786 if ((bio = BIO_new(BIO_s_mem())) == NULL)
3787 return SSH_ERR_ALLOC_FAIL;
3788
3789 switch (key->type) {
3790 case KEY_DSA:
3791 success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
3792 cipher, passphrase, len, NULL, NULL);
3793 break;
3794#ifdef OPENSSL_HAS_ECC
3795 case KEY_ECDSA:
3796 success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
3797 cipher, passphrase, len, NULL, NULL);
3798 break;
3799#endif
3800 case KEY_RSA:
3801 success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
3802 cipher, passphrase, len, NULL, NULL);
3803 break;
3804 default:
3805 success = 0;
3806 break;
3807 }
3808 if (success == 0) {
3809 r = SSH_ERR_LIBCRYPTO_ERROR;
3810 goto out;
3811 }
3812 if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
3813 r = SSH_ERR_INTERNAL_ERROR;
3814 goto out;
3815 }
3816 if ((r = sshbuf_put(blob, bptr, blen)) != 0)
3817 goto out;
3818 r = 0;
3819 out:
3820 BIO_free(bio);
3821 return r;
3822}
3823#endif /* WITH_OPENSSL */
3824
3825/* Serialise "key" to buffer "blob" */
3826int
3827sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
3828 const char *passphrase, const char *comment,
3829 int force_new_format, const char *new_format_cipher, int new_format_rounds)
3830{
3831 switch (key->type) {
markus@openbsd.orgf067cca2015-01-12 13:29:27 +00003832#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +10003833 case KEY_DSA:
3834 case KEY_ECDSA:
3835 case KEY_RSA:
3836 if (force_new_format) {
3837 return sshkey_private_to_blob2(key, blob, passphrase,
3838 comment, new_format_cipher, new_format_rounds);
3839 }
3840 return sshkey_private_pem_to_blob(key, blob,
3841 passphrase, comment);
3842#endif /* WITH_OPENSSL */
3843 case KEY_ED25519:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00003844#ifdef WITH_XMSS
3845 case KEY_XMSS:
3846#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10003847 return sshkey_private_to_blob2(key, blob, passphrase,
3848 comment, new_format_cipher, new_format_rounds);
3849 default:
3850 return SSH_ERR_KEY_TYPE_UNKNOWN;
3851 }
3852}
3853
Damien Miller86687062014-07-02 15:28:02 +10003854
3855#ifdef WITH_OPENSSL
djm@openbsd.org1195f4c2015-01-08 10:14:08 +00003856static int
djm@openbsd.org2076e4a2017-06-09 06:40:24 +00003857translate_libcrypto_error(unsigned long pem_err)
3858{
3859 int pem_reason = ERR_GET_REASON(pem_err);
3860
3861 switch (ERR_GET_LIB(pem_err)) {
3862 case ERR_LIB_PEM:
3863 switch (pem_reason) {
3864 case PEM_R_BAD_PASSWORD_READ:
3865 case PEM_R_PROBLEMS_GETTING_PASSWORD:
3866 case PEM_R_BAD_DECRYPT:
3867 return SSH_ERR_KEY_WRONG_PASSPHRASE;
3868 default:
3869 return SSH_ERR_INVALID_FORMAT;
3870 }
3871 case ERR_LIB_EVP:
3872 switch (pem_reason) {
3873 case EVP_R_BAD_DECRYPT:
3874 return SSH_ERR_KEY_WRONG_PASSPHRASE;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003875#ifdef EVP_R_BN_DECODE_ERROR
djm@openbsd.org2076e4a2017-06-09 06:40:24 +00003876 case EVP_R_BN_DECODE_ERROR:
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003877#endif
djm@openbsd.org2076e4a2017-06-09 06:40:24 +00003878 case EVP_R_DECODE_ERROR:
3879#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
3880 case EVP_R_PRIVATE_KEY_DECODE_ERROR:
3881#endif
3882 return SSH_ERR_INVALID_FORMAT;
3883 default:
3884 return SSH_ERR_LIBCRYPTO_ERROR;
3885 }
3886 case ERR_LIB_ASN1:
3887 return SSH_ERR_INVALID_FORMAT;
3888 }
3889 return SSH_ERR_LIBCRYPTO_ERROR;
3890}
3891
3892static void
3893clear_libcrypto_errors(void)
3894{
3895 while (ERR_get_error() != 0)
3896 ;
3897}
3898
3899/*
3900 * Translate OpenSSL error codes to determine whether
3901 * passphrase is required/incorrect.
3902 */
3903static int
3904convert_libcrypto_error(void)
3905{
3906 /*
3907 * Some password errors are reported at the beginning
3908 * of the error queue.
3909 */
3910 if (translate_libcrypto_error(ERR_peek_error()) ==
3911 SSH_ERR_KEY_WRONG_PASSPHRASE)
3912 return SSH_ERR_KEY_WRONG_PASSPHRASE;
3913 return translate_libcrypto_error(ERR_peek_last_error());
3914}
3915
3916static int
Damien Miller86687062014-07-02 15:28:02 +10003917sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
djm@openbsd.org1195f4c2015-01-08 10:14:08 +00003918 const char *passphrase, struct sshkey **keyp)
Damien Miller86687062014-07-02 15:28:02 +10003919{
3920 EVP_PKEY *pk = NULL;
3921 struct sshkey *prv = NULL;
Damien Miller86687062014-07-02 15:28:02 +10003922 BIO *bio = NULL;
3923 int r;
3924
djm@openbsd.orgdce19bf2016-04-09 12:39:30 +00003925 if (keyp != NULL)
3926 *keyp = NULL;
Damien Miller86687062014-07-02 15:28:02 +10003927
3928 if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
3929 return SSH_ERR_ALLOC_FAIL;
3930 if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
3931 (int)sshbuf_len(blob)) {
3932 r = SSH_ERR_ALLOC_FAIL;
3933 goto out;
3934 }
3935
djm@openbsd.org2076e4a2017-06-09 06:40:24 +00003936 clear_libcrypto_errors();
Damien Miller86687062014-07-02 15:28:02 +10003937 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
3938 (char *)passphrase)) == NULL) {
djm@openbsd.orgedbb6fe2018-10-09 05:42:23 +00003939 /*
3940 * libcrypto may return various ASN.1 errors when attempting
3941 * to parse a key with an incorrect passphrase.
3942 * Treat all format errors as "incorrect passphrase" if a
3943 * passphrase was supplied.
3944 */
3945 if (passphrase != NULL && *passphrase != '\0')
3946 r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3947 else
3948 r = convert_libcrypto_error();
Damien Miller86687062014-07-02 15:28:02 +10003949 goto out;
3950 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003951 if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
Damien Miller86687062014-07-02 15:28:02 +10003952 (type == KEY_UNSPEC || type == KEY_RSA)) {
3953 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3954 r = SSH_ERR_ALLOC_FAIL;
3955 goto out;
3956 }
3957 prv->rsa = EVP_PKEY_get1_RSA(pk);
3958 prv->type = KEY_RSA;
Damien Miller86687062014-07-02 15:28:02 +10003959#ifdef DEBUG_PK
3960 RSA_print_fp(stderr, prv->rsa, 8);
3961#endif
3962 if (RSA_blinding_on(prv->rsa, NULL) != 1) {
3963 r = SSH_ERR_LIBCRYPTO_ERROR;
3964 goto out;
3965 }
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003966 if ((r = check_rsa_length(prv->rsa)) != 0)
djm@openbsd.orgbd636f42017-05-07 23:15:59 +00003967 goto out;
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003968 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
Damien Miller86687062014-07-02 15:28:02 +10003969 (type == KEY_UNSPEC || type == KEY_DSA)) {
3970 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3971 r = SSH_ERR_ALLOC_FAIL;
3972 goto out;
3973 }
3974 prv->dsa = EVP_PKEY_get1_DSA(pk);
3975 prv->type = KEY_DSA;
Damien Miller86687062014-07-02 15:28:02 +10003976#ifdef DEBUG_PK
3977 DSA_print_fp(stderr, prv->dsa, 8);
3978#endif
3979#ifdef OPENSSL_HAS_ECC
djm@openbsd.org482d23b2018-09-13 02:08:33 +00003980 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
Damien Miller86687062014-07-02 15:28:02 +10003981 (type == KEY_UNSPEC || type == KEY_ECDSA)) {
3982 if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3983 r = SSH_ERR_ALLOC_FAIL;
3984 goto out;
3985 }
3986 prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
3987 prv->type = KEY_ECDSA;
3988 prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
3989 if (prv->ecdsa_nid == -1 ||
3990 sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
3991 sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
3992 EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
3993 sshkey_ec_validate_private(prv->ecdsa) != 0) {
3994 r = SSH_ERR_INVALID_FORMAT;
3995 goto out;
3996 }
Damien Miller86687062014-07-02 15:28:02 +10003997# ifdef DEBUG_PK
3998 if (prv != NULL && prv->ecdsa != NULL)
3999 sshkey_dump_ec_key(prv->ecdsa);
4000# endif
4001#endif /* OPENSSL_HAS_ECC */
4002 } else {
4003 r = SSH_ERR_INVALID_FORMAT;
4004 goto out;
4005 }
Damien Miller86687062014-07-02 15:28:02 +10004006 r = 0;
djm@openbsd.orgdce19bf2016-04-09 12:39:30 +00004007 if (keyp != NULL) {
4008 *keyp = prv;
4009 prv = NULL;
4010 }
Damien Miller86687062014-07-02 15:28:02 +10004011 out:
4012 BIO_free(bio);
jsing@openbsd.org7cd31632018-02-07 02:06:50 +00004013 EVP_PKEY_free(pk);
mmcc@openbsd.org89540b62015-12-11 02:31:47 +00004014 sshkey_free(prv);
Damien Miller86687062014-07-02 15:28:02 +10004015 return r;
4016}
4017#endif /* WITH_OPENSSL */
4018
4019int
4020sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
4021 const char *passphrase, struct sshkey **keyp, char **commentp)
4022{
djm@openbsd.org155d5402017-02-10 04:34:50 +00004023 int r = SSH_ERR_INTERNAL_ERROR;
4024
djm@openbsd.orgdce19bf2016-04-09 12:39:30 +00004025 if (keyp != NULL)
4026 *keyp = NULL;
Damien Miller86687062014-07-02 15:28:02 +10004027 if (commentp != NULL)
4028 *commentp = NULL;
4029
4030 switch (type) {
markus@openbsd.orgf067cca2015-01-12 13:29:27 +00004031#ifdef WITH_OPENSSL
Damien Miller86687062014-07-02 15:28:02 +10004032 case KEY_DSA:
4033 case KEY_ECDSA:
4034 case KEY_RSA:
djm@openbsd.org1195f4c2015-01-08 10:14:08 +00004035 return sshkey_parse_private_pem_fileblob(blob, type,
4036 passphrase, keyp);
Damien Miller86687062014-07-02 15:28:02 +10004037#endif /* WITH_OPENSSL */
4038 case KEY_ED25519:
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00004039#ifdef WITH_XMSS
4040 case KEY_XMSS:
4041#endif /* WITH_XMSS */
Damien Miller86687062014-07-02 15:28:02 +10004042 return sshkey_parse_private2(blob, type, passphrase,
4043 keyp, commentp);
4044 case KEY_UNSPEC:
djm@openbsd.org155d5402017-02-10 04:34:50 +00004045 r = sshkey_parse_private2(blob, type, passphrase, keyp,
4046 commentp);
4047 /* Do not fallback to PEM parser if only passphrase is wrong. */
4048 if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE)
4049 return r;
Damien Miller86687062014-07-02 15:28:02 +10004050#ifdef WITH_OPENSSL
djm@openbsd.org1195f4c2015-01-08 10:14:08 +00004051 return sshkey_parse_private_pem_fileblob(blob, type,
4052 passphrase, keyp);
Damien Miller86687062014-07-02 15:28:02 +10004053#else
4054 return SSH_ERR_INVALID_FORMAT;
4055#endif /* WITH_OPENSSL */
4056 default:
4057 return SSH_ERR_KEY_TYPE_UNKNOWN;
4058 }
4059}
4060
4061int
4062sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
tim@openbsd.org3c019a92015-09-13 14:39:16 +00004063 struct sshkey **keyp, char **commentp)
Damien Miller86687062014-07-02 15:28:02 +10004064{
Damien Miller86687062014-07-02 15:28:02 +10004065 if (keyp != NULL)
4066 *keyp = NULL;
4067 if (commentp != NULL)
4068 *commentp = NULL;
4069
tim@openbsd.org3c019a92015-09-13 14:39:16 +00004070 return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
4071 passphrase, keyp, commentp);
Damien Miller86687062014-07-02 15:28:02 +10004072}
markus@openbsd.org1b11ea72018-02-23 15:58:37 +00004073
4074#ifdef WITH_XMSS
4075/*
4076 * serialize the key with the current state and forward the state
4077 * maxsign times.
4078 */
4079int
4080sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b,
4081 u_int32_t maxsign, sshkey_printfn *pr)
4082{
4083 int r, rupdate;
4084
4085 if (maxsign == 0 ||
4086 sshkey_type_plain(k->type) != KEY_XMSS)
4087 return sshkey_private_serialize_opt(k, b,
4088 SSHKEY_SERIALIZE_DEFAULT);
4089 if ((r = sshkey_xmss_get_state(k, pr)) != 0 ||
4090 (r = sshkey_private_serialize_opt(k, b,
4091 SSHKEY_SERIALIZE_STATE)) != 0 ||
4092 (r = sshkey_xmss_forward_state(k, maxsign)) != 0)
4093 goto out;
4094 r = 0;
4095out:
4096 if ((rupdate = sshkey_xmss_update_state(k, pr)) != 0) {
4097 if (r == 0)
4098 r = rupdate;
4099 }
4100 return r;
4101}
4102
4103u_int32_t
4104sshkey_signatures_left(const struct sshkey *k)
4105{
4106 if (sshkey_type_plain(k->type) == KEY_XMSS)
4107 return sshkey_xmss_signatures_left(k);
4108 return 0;
4109}
4110
4111int
4112sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
4113{
4114 if (sshkey_type_plain(k->type) != KEY_XMSS)
4115 return SSH_ERR_INVALID_ARGUMENT;
4116 return sshkey_xmss_enable_maxsign(k, maxsign);
4117}
4118
4119int
4120sshkey_set_filename(struct sshkey *k, const char *filename)
4121{
4122 if (k == NULL)
4123 return SSH_ERR_INVALID_ARGUMENT;
4124 if (sshkey_type_plain(k->type) != KEY_XMSS)
4125 return 0;
4126 if (filename == NULL)
4127 return SSH_ERR_INVALID_ARGUMENT;
4128 if ((k->xmss_filename = strdup(filename)) == NULL)
4129 return SSH_ERR_ALLOC_FAIL;
4130 return 0;
4131}
4132#else
4133int
4134sshkey_private_serialize_maxsign(const struct sshkey *k, struct sshbuf *b,
4135 u_int32_t maxsign, sshkey_printfn *pr)
4136{
4137 return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
4138}
4139
4140u_int32_t
4141sshkey_signatures_left(const struct sshkey *k)
4142{
4143 return 0;
4144}
4145
4146int
4147sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
4148{
4149 return SSH_ERR_INVALID_ARGUMENT;
4150}
4151
4152int
4153sshkey_set_filename(struct sshkey *k, const char *filename)
4154{
4155 if (k == NULL)
4156 return SSH_ERR_INVALID_ARGUMENT;
4157 return 0;
4158}
4159#endif /* WITH_XMSS */