Blame - sshkey.c - platform/external/openssh

blob: 53a7674b5e74b5f869fbe889cb01ce8684578460 [file] [log] [blame]

djm@openbsd.org	183ba55	2017-03-10 04:07:20 +0000	[diff] [blame^]	1	/* $OpenBSD: sshkey.c,v 1.45 2017/03/10 04:07:20 djm Exp $ */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2	/*
				3	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
				4	* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
				5	* Copyright (c) 2010,2011 Damien Miller. All rights reserved.
				6	*
				7	* Redistribution and use in source and binary forms, with or without
				8	* modification, are permitted provided that the following conditions
				9	* are met:
				10	* 1. Redistributions of source code must retain the above copyright
				11	* notice, this list of conditions and the following disclaimer.
				12	* 2. Redistributions in binary form must reproduce the above copyright
				13	* notice, this list of conditions and the following disclaimer in the
				14	* documentation and/or other materials provided with the distribution.
				15	*
				16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				26	*/
				27
				28	#include "includes.h"
				29
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	30	#include <sys/types.h>
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	31	#include <netinet/in.h>
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	32
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	33	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	34	#include <openssl/evp.h>
				35	#include <openssl/err.h>
				36	#include <openssl/pem.h>
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	37	#endif
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	38
				39	#include "crypto_api.h"
				40
				41	#include <errno.h>
deraadt@openbsd.org	2ae4f33	2015-01-16 06:40:12 +0000	[diff] [blame]	42	#include <limits.h>
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	43	#include <stdio.h>
				44	#include <string.h>
Damien Miller	d16bdd8	2014-12-22 10:18:09 +1100	[diff] [blame]	45	#include <resolv.h>
Damien Miller	82b2482	2014-07-02 17:43:41 +1000	[diff] [blame]	46	#ifdef HAVE_UTIL_H
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	47	#include <util.h>
Damien Miller	82b2482	2014-07-02 17:43:41 +1000	[diff] [blame]	48	#endif /* HAVE_UTIL_H */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	49
				50	#include "ssh2.h"
				51	#include "ssherr.h"
				52	#include "misc.h"
				53	#include "sshbuf.h"
				54	#include "rsa.h"
				55	#include "cipher.h"
				56	#include "digest.h"
				57	#define SSHKEY_INTERNAL
				58	#include "sshkey.h"
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	59	#include "match.h"
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	60
				61	/* openssh private key file format */
				62	#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
				63	#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
				64	#define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
				65	#define MARK_END_LEN (sizeof(MARK_END) - 1)
				66	#define KDFNAME "bcrypt"
				67	#define AUTH_MAGIC "openssh-key-v1"
				68	#define SALT_LEN 16
				69	#define DEFAULT_CIPHERNAME "aes256-cbc"
				70	#define DEFAULT_ROUNDS 16
				71
				72	/* Version identification string for SSH v1 identity files. */
				73	#define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n"
				74
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	75	static int sshkey_from_blob_internal(struct sshbuf *buf,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	76	struct sshkey **keyp, int allow_cert);
				77
				78	/* Supported key types */
				79	struct keytype {
				80	const char *name;
				81	const char *shortname;
				82	int type;
				83	int nid;
				84	int cert;
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	85	int sigonly;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	86	};
				87	static const struct keytype keytypes[] = {
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	88	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	89	{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	90	KEY_ED25519_CERT, 0, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	91	#ifdef WITH_OPENSSL
dtucker@openbsd.org	ecc3589	2017-02-17 02:31:14 +0000	[diff] [blame]	92	# ifdef WITH_SSH1
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	93	{ NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
dtucker@openbsd.org	ecc3589	2017-02-17 02:31:14 +0000	[diff] [blame]	94	# endif
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	95	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
				96	{ "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
				97	{ "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
				98	{ "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	99	# ifdef OPENSSL_HAS_ECC
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	100	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
				101	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	102	# ifdef OPENSSL_HAS_NISTP521
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	103	{ "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	104	# endif /* OPENSSL_HAS_NISTP521 */
				105	# endif /* OPENSSL_HAS_ECC */
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	106	{ "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
				107	{ "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	108	# ifdef OPENSSL_HAS_ECC
				109	{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	110	KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	111	{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	112	KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	113	# ifdef OPENSSL_HAS_NISTP521
				114	{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	115	KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	116	# endif /* OPENSSL_HAS_NISTP521 */
				117	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	118	#endif /* WITH_OPENSSL */
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	119	{ NULL, NULL, -1, -1, 0, 0 }
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	120	};
				121
				122	const char *
				123	sshkey_type(const struct sshkey *k)
				124	{
				125	const struct keytype *kt;
				126
				127	for (kt = keytypes; kt->type != -1; kt++) {
				128	if (kt->type == k->type)
				129	return kt->shortname;
				130	}
				131	return "unknown";
				132	}
				133
				134	static const char *
				135	sshkey_ssh_name_from_type_nid(int type, int nid)
				136	{
				137	const struct keytype *kt;
				138
				139	for (kt = keytypes; kt->type != -1; kt++) {
				140	if (kt->type == type && (kt->nid == 0 \|\| kt->nid == nid))
				141	return kt->name;
				142	}
				143	return "ssh-unknown";
				144	}
				145
				146	int
				147	sshkey_type_is_cert(int type)
				148	{
				149	const struct keytype *kt;
				150
				151	for (kt = keytypes; kt->type != -1; kt++) {
				152	if (kt->type == type)
				153	return kt->cert;
				154	}
				155	return 0;
				156	}
				157
				158	const char *
				159	sshkey_ssh_name(const struct sshkey *k)
				160	{
				161	return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
				162	}
				163
				164	const char *
				165	sshkey_ssh_name_plain(const struct sshkey *k)
				166	{
				167	return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
				168	k->ecdsa_nid);
				169	}
				170
				171	int
				172	sshkey_type_from_name(const char *name)
				173	{
				174	const struct keytype *kt;
				175
				176	for (kt = keytypes; kt->type != -1; kt++) {
				177	/* Only allow shortname matches for plain key types */
				178	if ((kt->name != NULL && strcmp(name, kt->name) == 0) \|\|
				179	(!kt->cert && strcasecmp(kt->shortname, name) == 0))
				180	return kt->type;
				181	}
				182	return KEY_UNSPEC;
				183	}
				184
				185	int
				186	sshkey_ecdsa_nid_from_name(const char *name)
				187	{
				188	const struct keytype *kt;
				189
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	190	for (kt = keytypes; kt->type != -1; kt++) {
				191	if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
				192	continue;
				193	if (kt->name != NULL && strcmp(name, kt->name) == 0)
				194	return kt->nid;
				195	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	196	return -1;
				197	}
				198
				199	char *
djm@openbsd.org	183ba55	2017-03-10 04:07:20 +0000	[diff] [blame^]	200	sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	201	{
				202	char tmp, ret = NULL;
				203	size_t nlen, rlen = 0;
				204	const struct keytype *kt;
				205
				206	for (kt = keytypes; kt->type != -1; kt++) {
djm@openbsd.org	183ba55	2017-03-10 04:07:20 +0000	[diff] [blame^]	207	if (kt->name == NULL)
				208	continue;
				209	if (!include_sigonly && kt->sigonly)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	210	continue;
				211	if ((certs_only && !kt->cert) \|\| (plain_only && kt->cert))
				212	continue;
				213	if (ret != NULL)
djm@openbsd.org	130f5df	2016-09-12 23:31:27 +0000	[diff] [blame]	214	ret[rlen++] = sep;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	215	nlen = strlen(kt->name);
				216	if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
				217	free(ret);
				218	return NULL;
				219	}
				220	ret = tmp;
				221	memcpy(ret + rlen, kt->name, nlen + 1);
				222	rlen += nlen;
				223	}
				224	return ret;
				225	}
				226
				227	int
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	228	sshkey_names_valid2(const char *names, int allow_wildcard)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	229	{
				230	char s, cp, *p;
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	231	const struct keytype *kt;
				232	int type;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	233
				234	if (names == NULL \|\| strcmp(names, "") == 0)
				235	return 0;
				236	if ((s = cp = strdup(names)) == NULL)
				237	return 0;
				238	for ((p = strsep(&cp, ",")); p && *p != '\0';
				239	(p = strsep(&cp, ","))) {
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	240	type = sshkey_type_from_name(p);
				241	if (type == KEY_RSA1) {
				242	free(s);
				243	return 0;
				244	}
				245	if (type == KEY_UNSPEC) {
				246	if (allow_wildcard) {
				247	/*
				248	* Try matching key types against the string.
				249	* If any has a positive or negative match then
				250	* the component is accepted.
				251	*/
				252	for (kt = keytypes; kt->type != -1; kt++) {
				253	if (kt->type == KEY_RSA1)
				254	continue;
				255	if (match_pattern_list(kt->name,
djm@openbsd.org	e661a86	2015-05-04 06:10:48 +0000	[diff] [blame]	256	p, 0) != 0)
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	257	break;
				258	}
				259	if (kt->type != -1)
				260	continue;
				261	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	262	free(s);
				263	return 0;
				264	}
				265	}
				266	free(s);
				267	return 1;
				268	}
				269
				270	u_int
				271	sshkey_size(const struct sshkey *k)
				272	{
				273	switch (k->type) {
				274	#ifdef WITH_OPENSSL
				275	case KEY_RSA1:
				276	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	277	case KEY_RSA_CERT:
				278	return BN_num_bits(k->rsa->n);
				279	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	280	case KEY_DSA_CERT:
				281	return BN_num_bits(k->dsa->p);
				282	case KEY_ECDSA:
				283	case KEY_ECDSA_CERT:
				284	return sshkey_curve_nid_to_bits(k->ecdsa_nid);
				285	#endif /* WITH_OPENSSL */
				286	case KEY_ED25519:
				287	case KEY_ED25519_CERT:
				288	return 256; /* XXX */
				289	}
				290	return 0;
				291	}
				292
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	293	static int
				294	sshkey_type_is_valid_ca(int type)
				295	{
				296	switch (type) {
				297	case KEY_RSA:
				298	case KEY_DSA:
				299	case KEY_ECDSA:
				300	case KEY_ED25519:
				301	return 1;
				302	default:
				303	return 0;
				304	}
				305	}
				306
				307	int
				308	sshkey_is_cert(const struct sshkey *k)
				309	{
				310	if (k == NULL)
				311	return 0;
				312	return sshkey_type_is_cert(k->type);
				313	}
				314
				315	/* Return the cert-less equivalent to a certified key type */
				316	int
				317	sshkey_type_plain(int type)
				318	{
				319	switch (type) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	320	case KEY_RSA_CERT:
				321	return KEY_RSA;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	322	case KEY_DSA_CERT:
				323	return KEY_DSA;
				324	case KEY_ECDSA_CERT:
				325	return KEY_ECDSA;
				326	case KEY_ED25519_CERT:
				327	return KEY_ED25519;
				328	default:
				329	return type;
				330	}
				331	}
				332
				333	#ifdef WITH_OPENSSL
				334	/* XXX: these are really begging for a table-driven approach */
				335	int
				336	sshkey_curve_name_to_nid(const char *name)
				337	{
				338	if (strcmp(name, "nistp256") == 0)
				339	return NID_X9_62_prime256v1;
				340	else if (strcmp(name, "nistp384") == 0)
				341	return NID_secp384r1;
				342	# ifdef OPENSSL_HAS_NISTP521
				343	else if (strcmp(name, "nistp521") == 0)
				344	return NID_secp521r1;
				345	# endif /* OPENSSL_HAS_NISTP521 */
				346	else
				347	return -1;
				348	}
				349
				350	u_int
				351	sshkey_curve_nid_to_bits(int nid)
				352	{
				353	switch (nid) {
				354	case NID_X9_62_prime256v1:
				355	return 256;
				356	case NID_secp384r1:
				357	return 384;
				358	# ifdef OPENSSL_HAS_NISTP521
				359	case NID_secp521r1:
				360	return 521;
				361	# endif /* OPENSSL_HAS_NISTP521 */
				362	default:
				363	return 0;
				364	}
				365	}
				366
				367	int
				368	sshkey_ecdsa_bits_to_nid(int bits)
				369	{
				370	switch (bits) {
				371	case 256:
				372	return NID_X9_62_prime256v1;
				373	case 384:
				374	return NID_secp384r1;
				375	# ifdef OPENSSL_HAS_NISTP521
				376	case 521:
				377	return NID_secp521r1;
				378	# endif /* OPENSSL_HAS_NISTP521 */
				379	default:
				380	return -1;
				381	}
				382	}
				383
				384	const char *
				385	sshkey_curve_nid_to_name(int nid)
				386	{
				387	switch (nid) {
				388	case NID_X9_62_prime256v1:
				389	return "nistp256";
				390	case NID_secp384r1:
				391	return "nistp384";
				392	# ifdef OPENSSL_HAS_NISTP521
				393	case NID_secp521r1:
				394	return "nistp521";
				395	# endif /* OPENSSL_HAS_NISTP521 */
				396	default:
				397	return NULL;
				398	}
				399	}
				400
				401	int
				402	sshkey_ec_nid_to_hash_alg(int nid)
				403	{
				404	int kbits = sshkey_curve_nid_to_bits(nid);
				405
				406	if (kbits <= 0)
				407	return -1;
				408
				409	/* RFC5656 section 6.2.1 */
				410	if (kbits <= 256)
				411	return SSH_DIGEST_SHA256;
				412	else if (kbits <= 384)
				413	return SSH_DIGEST_SHA384;
				414	else
				415	return SSH_DIGEST_SHA512;
				416	}
				417	#endif /* WITH_OPENSSL */
				418
				419	static void
				420	cert_free(struct sshkey_cert *cert)
				421	{
				422	u_int i;
				423
				424	if (cert == NULL)
				425	return;
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	426	sshbuf_free(cert->certblob);
				427	sshbuf_free(cert->critical);
				428	sshbuf_free(cert->extensions);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	429	free(cert->key_id);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	430	for (i = 0; i < cert->nprincipals; i++)
				431	free(cert->principals[i]);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	432	free(cert->principals);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	433	sshkey_free(cert->signature_key);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	434	explicit_bzero(cert, sizeof(*cert));
				435	free(cert);
				436	}
				437
				438	static struct sshkey_cert *
				439	cert_new(void)
				440	{
				441	struct sshkey_cert *cert;
				442
				443	if ((cert = calloc(1, sizeof(*cert))) == NULL)
				444	return NULL;
				445	if ((cert->certblob = sshbuf_new()) == NULL \|\|
				446	(cert->critical = sshbuf_new()) == NULL \|\|
				447	(cert->extensions = sshbuf_new()) == NULL) {
				448	cert_free(cert);
				449	return NULL;
				450	}
				451	cert->key_id = NULL;
				452	cert->principals = NULL;
				453	cert->signature_key = NULL;
				454	return cert;
				455	}
				456
				457	struct sshkey *
				458	sshkey_new(int type)
				459	{
				460	struct sshkey *k;
				461	#ifdef WITH_OPENSSL
				462	RSA *rsa;
				463	DSA *dsa;
				464	#endif /* WITH_OPENSSL */
				465
				466	if ((k = calloc(1, sizeof(*k))) == NULL)
				467	return NULL;
				468	k->type = type;
				469	k->ecdsa = NULL;
				470	k->ecdsa_nid = -1;
				471	k->dsa = NULL;
				472	k->rsa = NULL;
				473	k->cert = NULL;
				474	k->ed25519_sk = NULL;
				475	k->ed25519_pk = NULL;
				476	switch (k->type) {
				477	#ifdef WITH_OPENSSL
				478	case KEY_RSA1:
				479	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	480	case KEY_RSA_CERT:
				481	if ((rsa = RSA_new()) == NULL \|\|
				482	(rsa->n = BN_new()) == NULL \|\|
				483	(rsa->e = BN_new()) == NULL) {
				484	if (rsa != NULL)
				485	RSA_free(rsa);
				486	free(k);
				487	return NULL;
				488	}
				489	k->rsa = rsa;
				490	break;
				491	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	492	case KEY_DSA_CERT:
				493	if ((dsa = DSA_new()) == NULL \|\|
				494	(dsa->p = BN_new()) == NULL \|\|
				495	(dsa->q = BN_new()) == NULL \|\|
				496	(dsa->g = BN_new()) == NULL \|\|
				497	(dsa->pub_key = BN_new()) == NULL) {
				498	if (dsa != NULL)
				499	DSA_free(dsa);
				500	free(k);
				501	return NULL;
				502	}
				503	k->dsa = dsa;
				504	break;
				505	case KEY_ECDSA:
				506	case KEY_ECDSA_CERT:
				507	/* Cannot do anything until we know the group */
				508	break;
				509	#endif /* WITH_OPENSSL */
				510	case KEY_ED25519:
				511	case KEY_ED25519_CERT:
				512	/* no need to prealloc */
				513	break;
				514	case KEY_UNSPEC:
				515	break;
				516	default:
				517	free(k);
				518	return NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	519	}
				520
				521	if (sshkey_is_cert(k)) {
				522	if ((k->cert = cert_new()) == NULL) {
				523	sshkey_free(k);
				524	return NULL;
				525	}
				526	}
				527
				528	return k;
				529	}
				530
				531	int
				532	sshkey_add_private(struct sshkey *k)
				533	{
				534	switch (k->type) {
				535	#ifdef WITH_OPENSSL
				536	case KEY_RSA1:
				537	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	538	case KEY_RSA_CERT:
				539	#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
				540	if (bn_maybe_alloc_failed(k->rsa->d) \|\|
				541	bn_maybe_alloc_failed(k->rsa->iqmp) \|\|
				542	bn_maybe_alloc_failed(k->rsa->q) \|\|
				543	bn_maybe_alloc_failed(k->rsa->p) \|\|
				544	bn_maybe_alloc_failed(k->rsa->dmq1) \|\|
				545	bn_maybe_alloc_failed(k->rsa->dmp1))
				546	return SSH_ERR_ALLOC_FAIL;
				547	break;
				548	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	549	case KEY_DSA_CERT:
				550	if (bn_maybe_alloc_failed(k->dsa->priv_key))
				551	return SSH_ERR_ALLOC_FAIL;
				552	break;
				553	#undef bn_maybe_alloc_failed
				554	case KEY_ECDSA:
				555	case KEY_ECDSA_CERT:
				556	/* Cannot do anything until we know the group */
				557	break;
				558	#endif /* WITH_OPENSSL */
				559	case KEY_ED25519:
				560	case KEY_ED25519_CERT:
				561	/* no need to prealloc */
				562	break;
				563	case KEY_UNSPEC:
				564	break;
				565	default:
				566	return SSH_ERR_INVALID_ARGUMENT;
				567	}
				568	return 0;
				569	}
				570
				571	struct sshkey *
				572	sshkey_new_private(int type)
				573	{
				574	struct sshkey *k = sshkey_new(type);
				575
				576	if (k == NULL)
				577	return NULL;
				578	if (sshkey_add_private(k) != 0) {
				579	sshkey_free(k);
				580	return NULL;
				581	}
				582	return k;
				583	}
				584
				585	void
				586	sshkey_free(struct sshkey *k)
				587	{
				588	if (k == NULL)
				589	return;
				590	switch (k->type) {
				591	#ifdef WITH_OPENSSL
				592	case KEY_RSA1:
				593	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	594	case KEY_RSA_CERT:
				595	if (k->rsa != NULL)
				596	RSA_free(k->rsa);
				597	k->rsa = NULL;
				598	break;
				599	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	600	case KEY_DSA_CERT:
				601	if (k->dsa != NULL)
				602	DSA_free(k->dsa);
				603	k->dsa = NULL;
				604	break;
				605	# ifdef OPENSSL_HAS_ECC
				606	case KEY_ECDSA:
				607	case KEY_ECDSA_CERT:
				608	if (k->ecdsa != NULL)
				609	EC_KEY_free(k->ecdsa);
				610	k->ecdsa = NULL;
				611	break;
				612	# endif /* OPENSSL_HAS_ECC */
				613	#endif /* WITH_OPENSSL */
				614	case KEY_ED25519:
				615	case KEY_ED25519_CERT:
				616	if (k->ed25519_pk) {
				617	explicit_bzero(k->ed25519_pk, ED25519_PK_SZ);
				618	free(k->ed25519_pk);
				619	k->ed25519_pk = NULL;
				620	}
				621	if (k->ed25519_sk) {
				622	explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);
				623	free(k->ed25519_sk);
				624	k->ed25519_sk = NULL;
				625	}
				626	break;
				627	case KEY_UNSPEC:
				628	break;
				629	default:
				630	break;
				631	}
				632	if (sshkey_is_cert(k))
				633	cert_free(k->cert);
				634	explicit_bzero(k, sizeof(*k));
				635	free(k);
				636	}
				637
				638	static int
				639	cert_compare(struct sshkey_cert a, struct sshkey_cert b)
				640	{
				641	if (a == NULL && b == NULL)
				642	return 1;
				643	if (a == NULL \|\| b == NULL)
				644	return 0;
				645	if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
				646	return 0;
				647	if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
				648	sshbuf_len(a->certblob)) != 0)
				649	return 0;
				650	return 1;
				651	}
				652
				653	/*
				654	* Compare public portions of key only, allowing comparisons between
				655	* certificates and plain keys too.
				656	*/
				657	int
				658	sshkey_equal_public(const struct sshkey a, const struct sshkey b)
				659	{
Darren Tucker	948a177	2014-07-22 01:07:11 +1000	[diff] [blame]	660	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	661	BN_CTX *bnctx;
Darren Tucker	948a177	2014-07-22 01:07:11 +1000	[diff] [blame]	662	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	663
				664	if (a == NULL \|\| b == NULL \|\|
				665	sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
				666	return 0;
				667
				668	switch (a->type) {
				669	#ifdef WITH_OPENSSL
				670	case KEY_RSA1:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	671	case KEY_RSA_CERT:
				672	case KEY_RSA:
				673	return a->rsa != NULL && b->rsa != NULL &&
				674	BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
				675	BN_cmp(a->rsa->n, b->rsa->n) == 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	676	case KEY_DSA_CERT:
				677	case KEY_DSA:
				678	return a->dsa != NULL && b->dsa != NULL &&
				679	BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
				680	BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
				681	BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
				682	BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
				683	# ifdef OPENSSL_HAS_ECC
				684	case KEY_ECDSA_CERT:
				685	case KEY_ECDSA:
				686	if (a->ecdsa == NULL \|\| b->ecdsa == NULL \|\|
				687	EC_KEY_get0_public_key(a->ecdsa) == NULL \|\|
				688	EC_KEY_get0_public_key(b->ecdsa) == NULL)
				689	return 0;
				690	if ((bnctx = BN_CTX_new()) == NULL)
				691	return 0;
				692	if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
				693	EC_KEY_get0_group(b->ecdsa), bnctx) != 0 \|\|
				694	EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
				695	EC_KEY_get0_public_key(a->ecdsa),
				696	EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
				697	BN_CTX_free(bnctx);
				698	return 0;
				699	}
				700	BN_CTX_free(bnctx);
				701	return 1;
				702	# endif /* OPENSSL_HAS_ECC */
				703	#endif /* WITH_OPENSSL */
				704	case KEY_ED25519:
				705	case KEY_ED25519_CERT:
				706	return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
				707	memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
				708	default:
				709	return 0;
				710	}
				711	/* NOTREACHED */
				712	}
				713
				714	int
				715	sshkey_equal(const struct sshkey a, const struct sshkey b)
				716	{
				717	if (a == NULL \|\| b == NULL \|\| a->type != b->type)
				718	return 0;
				719	if (sshkey_is_cert(a)) {
				720	if (!cert_compare(a->cert, b->cert))
				721	return 0;
				722	}
				723	return sshkey_equal_public(a, b);
				724	}
				725
				726	static int
				727	to_blob_buf(const struct sshkey key, struct sshbuf b, int force_plain)
				728	{
				729	int type, ret = SSH_ERR_INTERNAL_ERROR;
				730	const char *typename;
				731
				732	if (key == NULL)
				733	return SSH_ERR_INVALID_ARGUMENT;
				734
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	735	if (sshkey_is_cert(key)) {
				736	if (key->cert == NULL)
				737	return SSH_ERR_EXPECTED_CERT;
				738	if (sshbuf_len(key->cert->certblob) == 0)
				739	return SSH_ERR_KEY_LACKS_CERTBLOB;
				740	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	741	type = force_plain ? sshkey_type_plain(key->type) : key->type;
				742	typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
				743
				744	switch (type) {
				745	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	746	case KEY_DSA_CERT:
				747	case KEY_ECDSA_CERT:
				748	case KEY_RSA_CERT:
				749	#endif /* WITH_OPENSSL */
				750	case KEY_ED25519_CERT:
				751	/* Use the existing blob */
				752	/* XXX modified flag? */
				753	if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
				754	return ret;
				755	break;
				756	#ifdef WITH_OPENSSL
				757	case KEY_DSA:
				758	if (key->dsa == NULL)
				759	return SSH_ERR_INVALID_ARGUMENT;
				760	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				761	(ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 \|\|
				762	(ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 \|\|
				763	(ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 \|\|
				764	(ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0)
				765	return ret;
				766	break;
Darren Tucker	d1a0421	2014-07-19 07:23:55 +1000	[diff] [blame]	767	# ifdef OPENSSL_HAS_ECC
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	768	case KEY_ECDSA:
				769	if (key->ecdsa == NULL)
				770	return SSH_ERR_INVALID_ARGUMENT;
				771	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				772	(ret = sshbuf_put_cstring(b,
				773	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
				774	(ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
				775	return ret;
				776	break;
Darren Tucker	d1a0421	2014-07-19 07:23:55 +1000	[diff] [blame]	777	# endif
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	778	case KEY_RSA:
				779	if (key->rsa == NULL)
				780	return SSH_ERR_INVALID_ARGUMENT;
				781	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				782	(ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 \|\|
				783	(ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0)
				784	return ret;
				785	break;
				786	#endif /* WITH_OPENSSL */
				787	case KEY_ED25519:
				788	if (key->ed25519_pk == NULL)
				789	return SSH_ERR_INVALID_ARGUMENT;
				790	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				791	(ret = sshbuf_put_string(b,
				792	key->ed25519_pk, ED25519_PK_SZ)) != 0)
				793	return ret;
				794	break;
				795	default:
				796	return SSH_ERR_KEY_TYPE_UNKNOWN;
				797	}
				798	return 0;
				799	}
				800
				801	int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	802	sshkey_putb(const struct sshkey key, struct sshbuf b)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	803	{
				804	return to_blob_buf(key, b, 0);
				805	}
				806
				807	int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	808	sshkey_puts(const struct sshkey key, struct sshbuf b)
				809	{
				810	struct sshbuf *tmp;
				811	int r;
				812
				813	if ((tmp = sshbuf_new()) == NULL)
				814	return SSH_ERR_ALLOC_FAIL;
				815	r = to_blob_buf(key, tmp, 0);
				816	if (r == 0)
				817	r = sshbuf_put_stringb(b, tmp);
				818	sshbuf_free(tmp);
				819	return r;
				820	}
				821
				822	int
				823	sshkey_putb_plain(const struct sshkey key, struct sshbuf b)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	824	{
				825	return to_blob_buf(key, b, 1);
				826	}
				827
				828	static int
				829	to_blob(const struct sshkey key, u_char blobp, size_t lenp, int force_plain)
				830	{
				831	int ret = SSH_ERR_INTERNAL_ERROR;
				832	size_t len;
				833	struct sshbuf *b = NULL;
				834
				835	if (lenp != NULL)
				836	*lenp = 0;
				837	if (blobp != NULL)
				838	*blobp = NULL;
				839	if ((b = sshbuf_new()) == NULL)
				840	return SSH_ERR_ALLOC_FAIL;
				841	if ((ret = to_blob_buf(key, b, force_plain)) != 0)
				842	goto out;
				843	len = sshbuf_len(b);
				844	if (lenp != NULL)
				845	*lenp = len;
				846	if (blobp != NULL) {
				847	if ((*blobp = malloc(len)) == NULL) {
				848	ret = SSH_ERR_ALLOC_FAIL;
				849	goto out;
				850	}
				851	memcpy(*blobp, sshbuf_ptr(b), len);
				852	}
				853	ret = 0;
				854	out:
				855	sshbuf_free(b);
				856	return ret;
				857	}
				858
				859	int
				860	sshkey_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
				861	{
				862	return to_blob(key, blobp, lenp, 0);
				863	}
				864
				865	int
				866	sshkey_plain_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
				867	{
				868	return to_blob(key, blobp, lenp, 1);
				869	}
				870
				871	int
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	872	sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	873	u_char *retp, size_t lenp)
				874	{
				875	u_char blob = NULL, ret = NULL;
				876	size_t blob_len = 0;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	877	int r = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	878
				879	if (retp != NULL)
				880	*retp = NULL;
				881	if (lenp != NULL)
				882	*lenp = 0;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	883	if (ssh_digest_bytes(dgst_alg) == 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	884	r = SSH_ERR_INVALID_ARGUMENT;
				885	goto out;
				886	}
				887
				888	if (k->type == KEY_RSA1) {
				889	#ifdef WITH_OPENSSL
				890	int nlen = BN_num_bytes(k->rsa->n);
				891	int elen = BN_num_bytes(k->rsa->e);
				892
djm@openbsd.org	27c3a9c	2016-09-26 21:16:11 +0000	[diff] [blame]	893	if (nlen < 0 \|\| elen < 0 \|\| nlen >= INT_MAX - elen) {
				894	r = SSH_ERR_INVALID_FORMAT;
				895	goto out;
				896	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	897	blob_len = nlen + elen;
djm@openbsd.org	27c3a9c	2016-09-26 21:16:11 +0000	[diff] [blame]	898	if ((blob = malloc(blob_len)) == NULL) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	899	r = SSH_ERR_ALLOC_FAIL;
				900	goto out;
				901	}
				902	BN_bn2bin(k->rsa->n, blob);
				903	BN_bn2bin(k->rsa->e, blob + nlen);
				904	#endif /* WITH_OPENSSL */
				905	} else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
				906	goto out;
				907	if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
				908	r = SSH_ERR_ALLOC_FAIL;
				909	goto out;
				910	}
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	911	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	912	ret, SSH_DIGEST_MAX_LENGTH)) != 0)
				913	goto out;
				914	/* success */
				915	if (retp != NULL) {
				916	*retp = ret;
				917	ret = NULL;
				918	}
				919	if (lenp != NULL)
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	920	*lenp = ssh_digest_bytes(dgst_alg);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	921	r = 0;
				922	out:
				923	free(ret);
				924	if (blob != NULL) {
				925	explicit_bzero(blob, blob_len);
				926	free(blob);
				927	}
				928	return r;
				929	}
				930
				931	static char *
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	932	fingerprint_b64(const char alg, u_char dgst_raw, size_t dgst_raw_len)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	933	{
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	934	char *ret;
				935	size_t plen = strlen(alg) + 1;
				936	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
				937	int r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	938
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	939	if (dgst_raw_len > 65536 \|\| (ret = calloc(1, rlen)) == NULL)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	940	return NULL;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	941	strlcpy(ret, alg, rlen);
				942	strlcat(ret, ":", rlen);
				943	if (dgst_raw_len == 0)
				944	return ret;
				945	if ((r = b64_ntop(dgst_raw, dgst_raw_len,
				946	ret + plen, rlen - plen)) == -1) {
				947	explicit_bzero(ret, rlen);
				948	free(ret);
				949	return NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	950	}
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	951	/* Trim padding characters from end */
				952	ret[strcspn(ret, "=")] = '\0';
				953	return ret;
				954	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	955
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	956	static char *
				957	fingerprint_hex(const char alg, u_char dgst_raw, size_t dgst_raw_len)
				958	{
				959	char *retval, hex[5];
				960	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
				961
				962	if (dgst_raw_len > 65536 \|\| (retval = calloc(1, rlen)) == NULL)
				963	return NULL;
				964	strlcpy(retval, alg, rlen);
				965	strlcat(retval, ":", rlen);
				966	for (i = 0; i < dgst_raw_len; i++) {
				967	snprintf(hex, sizeof(hex), "%s%02x",
				968	i > 0 ? ":" : "", dgst_raw[i]);
				969	strlcat(retval, hex, rlen);
				970	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	971	return retval;
				972	}
				973
				974	static char *
				975	fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
				976	{
				977	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
				978	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
				979	'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
				980	u_int i, j = 0, rounds, seed = 1;
				981	char *retval;
				982
				983	rounds = (dgst_raw_len / 2) + 1;
				984	if ((retval = calloc(rounds, 6)) == NULL)
				985	return NULL;
				986	retval[j++] = 'x';
				987	for (i = 0; i < rounds; i++) {
				988	u_int idx0, idx1, idx2, idx3, idx4;
				989	if ((i + 1 < rounds) \|\| (dgst_raw_len % 2 != 0)) {
				990	idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
				991	seed) % 6;
				992	idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
				993	idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
				994	(seed / 6)) % 6;
				995	retval[j++] = vowels[idx0];
				996	retval[j++] = consonants[idx1];
				997	retval[j++] = vowels[idx2];
				998	if ((i + 1) < rounds) {
				999	idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
				1000	idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
				1001	retval[j++] = consonants[idx3];
				1002	retval[j++] = '-';
				1003	retval[j++] = consonants[idx4];
				1004	seed = ((seed * 5) +
				1005	((((u_int)(dgst_raw[2 * i])) * 7) +
				1006	((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
				1007	}
				1008	} else {
				1009	idx0 = seed % 6;
				1010	idx1 = 16;
				1011	idx2 = seed / 6;
				1012	retval[j++] = vowels[idx0];
				1013	retval[j++] = consonants[idx1];
				1014	retval[j++] = vowels[idx2];
				1015	}
				1016	}
				1017	retval[j++] = 'x';
				1018	retval[j++] = '\0';
				1019	return retval;
				1020	}
				1021
				1022	/*
				1023	* Draw an ASCII-Art representing the fingerprint so human brain can
				1024	* profit from its built-in pattern recognition ability.
				1025	* This technique is called "random art" and can be found in some
				1026	* scientific publications like this original paper:
				1027	*
				1028	* "Hash Visualization: a New Technique to improve Real-World Security",
				1029	* Perrig A. and Song D., 1999, International Workshop on Cryptographic
				1030	* Techniques and E-Commerce (CrypTEC '99)
				1031	* sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
				1032	*
				1033	* The subject came up in a talk by Dan Kaminsky, too.
				1034	*
				1035	* If you see the picture is different, the key is different.
				1036	* If the picture looks the same, you still know nothing.
				1037	*
				1038	* The algorithm used here is a worm crawling over a discrete plane,
				1039	* leaving a trace (augmenting the field) everywhere it goes.
				1040	* Movement is taken from dgst_raw 2bit-wise. Bumping into walls
				1041	* makes the respective movement vector be ignored for this turn.
				1042	* Graphs are not unambiguous, because circles in graphs can be
				1043	* walked in either direction.
				1044	*/
				1045
				1046	/*
				1047	* Field sizes for the random art. Have to be odd, so the starting point
				1048	* can be in the exact middle of the picture, and FLDBASE should be >=8 .
				1049	* Else pictures would be too dense, and drawing the frame would
				1050	* fail, too, because the key type would not fit in anymore.
				1051	*/
				1052	#define FLDBASE 8
				1053	#define FLDSIZE_Y (FLDBASE + 1)
				1054	#define FLDSIZE_X (FLDBASE * 2 + 1)
				1055	static char *
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1056	fingerprint_randomart(const char alg, u_char dgst_raw, size_t dgst_raw_len,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1057	const struct sshkey *k)
				1058	{
				1059	/*
				1060	* Chars to be used after each other every time the worm
				1061	* intersects with itself. Matter of taste.
				1062	*/
				1063	char augmentation_string = " .o+=BOX@%&#/^SE";
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1064	char retval, p, title[FLDSIZE_X], hash[FLDSIZE_X];
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1065	u_char field[FLDSIZE_X][FLDSIZE_Y];
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1066	size_t i, tlen, hlen;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1067	u_int b;
Damien Miller	61e28e5	2014-07-03 21:22:22 +1000	[diff] [blame]	1068	int x, y, r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1069	size_t len = strlen(augmentation_string) - 1;
				1070
				1071	if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
				1072	return NULL;
				1073
				1074	/* initialize field */
				1075	memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
				1076	x = FLDSIZE_X / 2;
				1077	y = FLDSIZE_Y / 2;
				1078
				1079	/* process raw key */
				1080	for (i = 0; i < dgst_raw_len; i++) {
				1081	int input;
				1082	/* each byte conveys four 2-bit move commands */
				1083	input = dgst_raw[i];
				1084	for (b = 0; b < 4; b++) {
				1085	/* evaluate 2 bit, rest is shifted later */
				1086	x += (input & 0x1) ? 1 : -1;
				1087	y += (input & 0x2) ? 1 : -1;
				1088
				1089	/* assure we are still in bounds */
deraadt@openbsd.org	9136ec1	2016-09-12 01:22:38 +0000	[diff] [blame]	1090	x = MAXIMUM(x, 0);
				1091	y = MAXIMUM(y, 0);
				1092	x = MINIMUM(x, FLDSIZE_X - 1);
				1093	y = MINIMUM(y, FLDSIZE_Y - 1);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1094
				1095	/* augment the field */
				1096	if (field[x][y] < len - 2)
				1097	field[x][y]++;
				1098	input = input >> 2;
				1099	}
				1100	}
				1101
				1102	/* mark starting point and end point*/
				1103	field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
				1104	field[x][y] = len;
				1105
Damien Miller	61e28e5	2014-07-03 21:22:22 +1000	[diff] [blame]	1106	/* assemble title */
				1107	r = snprintf(title, sizeof(title), "[%s %u]",
				1108	sshkey_type(k), sshkey_size(k));
				1109	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
				1110	if (r < 0 \|\| r > (int)sizeof(title))
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1111	r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
				1112	tlen = (r <= 0) ? 0 : strlen(title);
				1113
				1114	/* assemble hash ID. */
				1115	r = snprintf(hash, sizeof(hash), "[%s]", alg);
				1116	hlen = (r <= 0) ? 0 : strlen(hash);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1117
				1118	/* output upper border */
Damien Miller	61e28e5	2014-07-03 21:22:22 +1000	[diff] [blame]	1119	p = retval;
				1120	*p++ = '+';
				1121	for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
				1122	*p++ = '-';
				1123	memcpy(p, title, tlen);
				1124	p += tlen;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1125	for (i += tlen; i < FLDSIZE_X; i++)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1126	*p++ = '-';
				1127	*p++ = '+';
				1128	*p++ = '\n';
				1129
				1130	/* output content */
				1131	for (y = 0; y < FLDSIZE_Y; y++) {
				1132	*p++ = '\|';
				1133	for (x = 0; x < FLDSIZE_X; x++)
deraadt@openbsd.org	9136ec1	2016-09-12 01:22:38 +0000	[diff] [blame]	1134	*p++ = augmentation_string[MINIMUM(field[x][y], len)];
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1135	*p++ = '\|';
				1136	*p++ = '\n';
				1137	}
				1138
				1139	/* output lower border */
				1140	*p++ = '+';
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1141	for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
				1142	*p++ = '-';
				1143	memcpy(p, hash, hlen);
				1144	p += hlen;
				1145	for (i += hlen; i < FLDSIZE_X; i++)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1146	*p++ = '-';
				1147	*p++ = '+';
				1148
				1149	return retval;
				1150	}
				1151
				1152	char *
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1153	sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1154	enum sshkey_fp_rep dgst_rep)
				1155	{
				1156	char *retval = NULL;
				1157	u_char *dgst_raw;
				1158	size_t dgst_raw_len;
				1159
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1160	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1161	return NULL;
				1162	switch (dgst_rep) {
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1163	case SSH_FP_DEFAULT:
				1164	if (dgst_alg == SSH_DIGEST_MD5) {
				1165	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
				1166	dgst_raw, dgst_raw_len);
				1167	} else {
				1168	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
				1169	dgst_raw, dgst_raw_len);
				1170	}
				1171	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1172	case SSH_FP_HEX:
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1173	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
				1174	dgst_raw, dgst_raw_len);
				1175	break;
				1176	case SSH_FP_BASE64:
				1177	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
				1178	dgst_raw, dgst_raw_len);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1179	break;
				1180	case SSH_FP_BUBBLEBABBLE:
				1181	retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
				1182	break;
				1183	case SSH_FP_RANDOMART:
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1184	retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
				1185	dgst_raw, dgst_raw_len, k);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1186	break;
				1187	default:
				1188	explicit_bzero(dgst_raw, dgst_raw_len);
				1189	free(dgst_raw);
				1190	return NULL;
				1191	}
				1192	explicit_bzero(dgst_raw, dgst_raw_len);
				1193	free(dgst_raw);
				1194	return retval;
				1195	}
				1196
				1197	#ifdef WITH_SSH1
				1198	/*
				1199	* Reads a multiple-precision integer in decimal from the buffer, and advances
				1200	* the pointer. The integer must already be initialized. This function is
				1201	* permitted to modify the buffer. This leaves *cpp to point just beyond the
				1202	* last processed character.
				1203	*/
				1204	static int
				1205	read_decimal_bignum(char *cpp, BIGNUM v)
				1206	{
				1207	char *cp;
				1208	size_t e;
				1209	int skip = 1; /* skip white space */
				1210
				1211	cp = *cpp;
				1212	while (cp == ' ' \|\| cp == '\t')
				1213	cp++;
				1214	e = strspn(cp, "0123456789");
				1215	if (e == 0)
				1216	return SSH_ERR_INVALID_FORMAT;
				1217	if (e > SSHBUF_MAX_BIGNUM * 3)
				1218	return SSH_ERR_BIGNUM_TOO_LARGE;
				1219	if (cp[e] == '\0')
				1220	skip = 0;
millert@openbsd.org	259adb6	2015-11-16 23:47:52 +0000	[diff] [blame]	1221	else if (strchr(" \t\r\n", cp[e]) == NULL)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1222	return SSH_ERR_INVALID_FORMAT;
				1223	cp[e] = '\0';
				1224	if (BN_dec2bn(&v, cp) <= 0)
				1225	return SSH_ERR_INVALID_FORMAT;
				1226	*cpp = cp + e + skip;
				1227	return 0;
				1228	}
				1229	#endif /* WITH_SSH1 */
				1230
				1231	/* returns 0 ok, and < 0 error */
				1232	int
				1233	sshkey_read(struct sshkey ret, char *cpp)
				1234	{
				1235	struct sshkey *k;
				1236	int retval = SSH_ERR_INVALID_FORMAT;
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1237	char ep, cp, *space;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1238	int r, type, curve_nid = -1;
				1239	struct sshbuf *blob;
				1240	#ifdef WITH_SSH1
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1241	u_long bits;
				1242	#endif /* WITH_SSH1 */
				1243
dtucker@openbsd.org	7fadbb6	2017-03-10 03:48:57 +0000	[diff] [blame]	1244	if (ret == NULL)
				1245	return SSH_ERR_INVALID_ARGUMENT;
				1246
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1247	cp = *cpp;
				1248
				1249	switch (ret->type) {
				1250	case KEY_RSA1:
				1251	#ifdef WITH_SSH1
				1252	/* Get number of bits. */
				1253	bits = strtoul(cp, &ep, 10);
millert@openbsd.org	259adb6	2015-11-16 23:47:52 +0000	[diff] [blame]	1254	if (cp == '\0' \|\| strchr(" \t\r\n", ep) == NULL \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1255	bits == 0 \|\| bits > SSHBUF_MAX_BIGNUM * 8)
				1256	return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
				1257	/* Get public exponent, public modulus. */
				1258	if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
				1259	return r;
				1260	if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
				1261	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1262	/* validate the claimed number of bits */
				1263	if (BN_num_bits(ret->rsa->n) != (int)bits)
				1264	return SSH_ERR_KEY_BITS_MISMATCH;
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1265	*cpp = ep;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1266	retval = 0;
				1267	#endif /* WITH_SSH1 */
				1268	break;
				1269	case KEY_UNSPEC:
				1270	case KEY_RSA:
				1271	case KEY_DSA:
				1272	case KEY_ECDSA:
				1273	case KEY_ED25519:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1274	case KEY_DSA_CERT:
				1275	case KEY_ECDSA_CERT:
				1276	case KEY_RSA_CERT:
				1277	case KEY_ED25519_CERT:
				1278	space = strchr(cp, ' ');
				1279	if (space == NULL)
				1280	return SSH_ERR_INVALID_FORMAT;
				1281	*space = '\0';
				1282	type = sshkey_type_from_name(cp);
				1283	if (sshkey_type_plain(type) == KEY_ECDSA &&
				1284	(curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1)
				1285	return SSH_ERR_EC_CURVE_INVALID;
				1286	*space = ' ';
				1287	if (type == KEY_UNSPEC)
				1288	return SSH_ERR_INVALID_FORMAT;
				1289	cp = space+1;
				1290	if (*cp == '\0')
				1291	return SSH_ERR_INVALID_FORMAT;
djm@openbsd.org	d2d5100	2014-11-18 01:02:25 +0000	[diff] [blame]	1292	if (ret->type != KEY_UNSPEC && ret->type != type)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1293	return SSH_ERR_KEY_TYPE_MISMATCH;
				1294	if ((blob = sshbuf_new()) == NULL)
				1295	return SSH_ERR_ALLOC_FAIL;
				1296	/* trim comment */
				1297	space = strchr(cp, ' ');
markus@openbsd.org	816d153	2015-01-12 20:13:27 +0000	[diff] [blame]	1298	if (space) {
				1299	/* advance 'space': skip whitespace */
				1300	*space++ = '\0';
				1301	while (space == ' ' \|\| space == '\t')
				1302	space++;
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1303	ep = space;
markus@openbsd.org	816d153	2015-01-12 20:13:27 +0000	[diff] [blame]	1304	} else
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1305	ep = cp + strlen(cp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1306	if ((r = sshbuf_b64tod(blob, cp)) != 0) {
				1307	sshbuf_free(blob);
				1308	return r;
				1309	}
				1310	if ((r = sshkey_from_blob(sshbuf_ptr(blob),
				1311	sshbuf_len(blob), &k)) != 0) {
				1312	sshbuf_free(blob);
				1313	return r;
				1314	}
				1315	sshbuf_free(blob);
				1316	if (k->type != type) {
				1317	sshkey_free(k);
				1318	return SSH_ERR_KEY_TYPE_MISMATCH;
				1319	}
				1320	if (sshkey_type_plain(type) == KEY_ECDSA &&
				1321	curve_nid != k->ecdsa_nid) {
				1322	sshkey_free(k);
				1323	return SSH_ERR_EC_CURVE_MISMATCH;
				1324	}
djm@openbsd.org	d2d5100	2014-11-18 01:02:25 +0000	[diff] [blame]	1325	ret->type = type;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1326	if (sshkey_is_cert(ret)) {
				1327	if (!sshkey_is_cert(k)) {
				1328	sshkey_free(k);
				1329	return SSH_ERR_EXPECTED_CERT;
				1330	}
				1331	if (ret->cert != NULL)
				1332	cert_free(ret->cert);
				1333	ret->cert = k->cert;
				1334	k->cert = NULL;
				1335	}
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1336	switch (sshkey_type_plain(ret->type)) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1337	#ifdef WITH_OPENSSL
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1338	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1339	if (ret->rsa != NULL)
				1340	RSA_free(ret->rsa);
				1341	ret->rsa = k->rsa;
				1342	k->rsa = NULL;
				1343	#ifdef DEBUG_PK
				1344	RSA_print_fp(stderr, ret->rsa, 8);
				1345	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1346	break;
				1347	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1348	if (ret->dsa != NULL)
				1349	DSA_free(ret->dsa);
				1350	ret->dsa = k->dsa;
				1351	k->dsa = NULL;
				1352	#ifdef DEBUG_PK
				1353	DSA_print_fp(stderr, ret->dsa, 8);
				1354	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1355	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1356	# ifdef OPENSSL_HAS_ECC
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1357	case KEY_ECDSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1358	if (ret->ecdsa != NULL)
				1359	EC_KEY_free(ret->ecdsa);
				1360	ret->ecdsa = k->ecdsa;
				1361	ret->ecdsa_nid = k->ecdsa_nid;
				1362	k->ecdsa = NULL;
				1363	k->ecdsa_nid = -1;
				1364	#ifdef DEBUG_PK
				1365	sshkey_dump_ec_key(ret->ecdsa);
				1366	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1367	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1368	# endif /* OPENSSL_HAS_ECC */
				1369	#endif /* WITH_OPENSSL */
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1370	case KEY_ED25519:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1371	free(ret->ed25519_pk);
				1372	ret->ed25519_pk = k->ed25519_pk;
				1373	k->ed25519_pk = NULL;
				1374	#ifdef DEBUG_PK
				1375	/* XXX */
				1376	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1377	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1378	}
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1379	*cpp = ep;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1380	retval = 0;
				1381	/XXXX/
				1382	sshkey_free(k);
				1383	if (retval != 0)
				1384	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1385	break;
				1386	default:
				1387	return SSH_ERR_INVALID_ARGUMENT;
				1388	}
				1389	return retval;
				1390	}
				1391
				1392	int
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1393	sshkey_to_base64(const struct sshkey key, char *b64p)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1394	{
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1395	int r = SSH_ERR_INTERNAL_ERROR;
				1396	struct sshbuf *b = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1397	char *uu = NULL;
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1398
				1399	if (b64p != NULL)
				1400	*b64p = NULL;
				1401	if ((b = sshbuf_new()) == NULL)
				1402	return SSH_ERR_ALLOC_FAIL;
				1403	if ((r = sshkey_putb(key, b)) != 0)
				1404	goto out;
				1405	if ((uu = sshbuf_dtob64(b)) == NULL) {
				1406	r = SSH_ERR_ALLOC_FAIL;
				1407	goto out;
				1408	}
				1409	/* Success */
				1410	if (b64p != NULL) {
				1411	*b64p = uu;
				1412	uu = NULL;
				1413	}
				1414	r = 0;
				1415	out:
				1416	sshbuf_free(b);
				1417	free(uu);
				1418	return r;
				1419	}
				1420
				1421	static int
				1422	sshkey_format_rsa1(const struct sshkey key, struct sshbuf b)
				1423	{
				1424	int r = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1425	#ifdef WITH_SSH1
				1426	u_int bits = 0;
				1427	char dec_e = NULL, dec_n = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1428
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1429	if (key->rsa == NULL \|\| key->rsa->e == NULL \|\|
				1430	key->rsa->n == NULL) {
				1431	r = SSH_ERR_INVALID_ARGUMENT;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1432	goto out;
				1433	}
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1434	if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL \|\|
				1435	(dec_n = BN_bn2dec(key->rsa->n)) == NULL) {
				1436	r = SSH_ERR_ALLOC_FAIL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1437	goto out;
				1438	}
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1439	/* size of modulus 'n' */
				1440	if ((bits = BN_num_bits(key->rsa->n)) <= 0) {
				1441	r = SSH_ERR_INVALID_ARGUMENT;
				1442	goto out;
				1443	}
				1444	if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0)
				1445	goto out;
				1446
				1447	/* Success */
				1448	r = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1449	out:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1450	if (dec_e != NULL)
				1451	OPENSSL_free(dec_e);
				1452	if (dec_n != NULL)
				1453	OPENSSL_free(dec_n);
				1454	#endif /* WITH_SSH1 */
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1455
				1456	return r;
				1457	}
				1458
				1459	static int
				1460	sshkey_format_text(const struct sshkey key, struct sshbuf b)
				1461	{
				1462	int r = SSH_ERR_INTERNAL_ERROR;
				1463	char *uu = NULL;
				1464
				1465	if (key->type == KEY_RSA1) {
				1466	if ((r = sshkey_format_rsa1(key, b)) != 0)
				1467	goto out;
				1468	} else {
				1469	/* Unsupported key types handled in sshkey_to_base64() */
				1470	if ((r = sshkey_to_base64(key, &uu)) != 0)
				1471	goto out;
				1472	if ((r = sshbuf_putf(b, "%s %s",
				1473	sshkey_ssh_name(key), uu)) != 0)
				1474	goto out;
				1475	}
				1476	r = 0;
				1477	out:
				1478	free(uu);
				1479	return r;
				1480	}
				1481
				1482	int
				1483	sshkey_write(const struct sshkey key, FILE f)
				1484	{
				1485	struct sshbuf *b = NULL;
				1486	int r = SSH_ERR_INTERNAL_ERROR;
				1487
				1488	if ((b = sshbuf_new()) == NULL)
				1489	return SSH_ERR_ALLOC_FAIL;
				1490	if ((r = sshkey_format_text(key, b)) != 0)
				1491	goto out;
				1492	if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
				1493	if (feof(f))
				1494	errno = EPIPE;
				1495	r = SSH_ERR_SYSTEM_ERROR;
				1496	goto out;
				1497	}
				1498	/* Success */
				1499	r = 0;
				1500	out:
				1501	sshbuf_free(b);
				1502	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1503	}
				1504
				1505	const char *
				1506	sshkey_cert_type(const struct sshkey *k)
				1507	{
				1508	switch (k->cert->type) {
				1509	case SSH2_CERT_TYPE_USER:
				1510	return "user";
				1511	case SSH2_CERT_TYPE_HOST:
				1512	return "host";
				1513	default:
				1514	return "unknown";
				1515	}
				1516	}
				1517
				1518	#ifdef WITH_OPENSSL
				1519	static int
				1520	rsa_generate_private_key(u_int bits, RSA **rsap)
				1521	{
				1522	RSA *private = NULL;
				1523	BIGNUM *f4 = NULL;
				1524	int ret = SSH_ERR_INTERNAL_ERROR;
				1525
				1526	if (rsap == NULL \|\|
				1527	bits < SSH_RSA_MINIMUM_MODULUS_SIZE \|\|
				1528	bits > SSHBUF_MAX_BIGNUM * 8)
				1529	return SSH_ERR_INVALID_ARGUMENT;
				1530	*rsap = NULL;
				1531	if ((private = RSA_new()) == NULL \|\| (f4 = BN_new()) == NULL) {
				1532	ret = SSH_ERR_ALLOC_FAIL;
				1533	goto out;
				1534	}
				1535	if (!BN_set_word(f4, RSA_F4) \|\|
				1536	!RSA_generate_key_ex(private, bits, f4, NULL)) {
				1537	ret = SSH_ERR_LIBCRYPTO_ERROR;
				1538	goto out;
				1539	}
				1540	*rsap = private;
				1541	private = NULL;
				1542	ret = 0;
				1543	out:
				1544	if (private != NULL)
				1545	RSA_free(private);
				1546	if (f4 != NULL)
				1547	BN_free(f4);
				1548	return ret;
				1549	}
				1550
				1551	static int
				1552	dsa_generate_private_key(u_int bits, DSA **dsap)
				1553	{
				1554	DSA *private;
				1555	int ret = SSH_ERR_INTERNAL_ERROR;
				1556
				1557	if (dsap == NULL \|\| bits != 1024)
				1558	return SSH_ERR_INVALID_ARGUMENT;
				1559	if ((private = DSA_new()) == NULL) {
				1560	ret = SSH_ERR_ALLOC_FAIL;
				1561	goto out;
				1562	}
				1563	*dsap = NULL;
				1564	if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
				1565	NULL, NULL) \|\| !DSA_generate_key(private)) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1566	ret = SSH_ERR_LIBCRYPTO_ERROR;
				1567	goto out;
				1568	}
				1569	*dsap = private;
				1570	private = NULL;
				1571	ret = 0;
				1572	out:
				1573	if (private != NULL)
				1574	DSA_free(private);
				1575	return ret;
				1576	}
				1577
				1578	# ifdef OPENSSL_HAS_ECC
				1579	int
				1580	sshkey_ecdsa_key_to_nid(EC_KEY *k)
				1581	{
				1582	EC_GROUP *eg;
				1583	int nids[] = {
				1584	NID_X9_62_prime256v1,
				1585	NID_secp384r1,
				1586	# ifdef OPENSSL_HAS_NISTP521
				1587	NID_secp521r1,
				1588	# endif /* OPENSSL_HAS_NISTP521 */
				1589	-1
				1590	};
				1591	int nid;
				1592	u_int i;
				1593	BN_CTX *bnctx;
				1594	const EC_GROUP *g = EC_KEY_get0_group(k);
				1595
				1596	/*
				1597	* The group may be stored in a ASN.1 encoded private key in one of two
				1598	* ways: as a "named group", which is reconstituted by ASN.1 object ID
				1599	* or explicit group parameters encoded into the key blob. Only the
				1600	* "named group" case sets the group NID for us, but we can figure
				1601	* it out for the other case by comparing against all the groups that
				1602	* are supported.
				1603	*/
				1604	if ((nid = EC_GROUP_get_curve_name(g)) > 0)
				1605	return nid;
				1606	if ((bnctx = BN_CTX_new()) == NULL)
				1607	return -1;
				1608	for (i = 0; nids[i] != -1; i++) {
				1609	if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) {
				1610	BN_CTX_free(bnctx);
				1611	return -1;
				1612	}
				1613	if (EC_GROUP_cmp(g, eg, bnctx) == 0)
				1614	break;
				1615	EC_GROUP_free(eg);
				1616	}
				1617	BN_CTX_free(bnctx);
				1618	if (nids[i] != -1) {
				1619	/* Use the group with the NID attached */
				1620	EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
				1621	if (EC_KEY_set_group(k, eg) != 1) {
				1622	EC_GROUP_free(eg);
				1623	return -1;
				1624	}
				1625	}
				1626	return nids[i];
				1627	}
				1628
				1629	static int
				1630	ecdsa_generate_private_key(u_int bits, int nid, EC_KEY *ecdsap)
				1631	{
				1632	EC_KEY *private;
				1633	int ret = SSH_ERR_INTERNAL_ERROR;
				1634
				1635	if (nid == NULL \|\| ecdsap == NULL \|\|
				1636	(*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
				1637	return SSH_ERR_INVALID_ARGUMENT;
				1638	*ecdsap = NULL;
				1639	if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
				1640	ret = SSH_ERR_ALLOC_FAIL;
				1641	goto out;
				1642	}
				1643	if (EC_KEY_generate_key(private) != 1) {
				1644	ret = SSH_ERR_LIBCRYPTO_ERROR;
				1645	goto out;
				1646	}
				1647	EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
				1648	*ecdsap = private;
				1649	private = NULL;
				1650	ret = 0;
				1651	out:
				1652	if (private != NULL)
				1653	EC_KEY_free(private);
				1654	return ret;
				1655	}
				1656	# endif /* OPENSSL_HAS_ECC */
				1657	#endif /* WITH_OPENSSL */
				1658
				1659	int
				1660	sshkey_generate(int type, u_int bits, struct sshkey **keyp)
				1661	{
				1662	struct sshkey *k;
				1663	int ret = SSH_ERR_INTERNAL_ERROR;
				1664
				1665	if (keyp == NULL)
				1666	return SSH_ERR_INVALID_ARGUMENT;
				1667	*keyp = NULL;
				1668	if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
				1669	return SSH_ERR_ALLOC_FAIL;
				1670	switch (type) {
				1671	case KEY_ED25519:
				1672	if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL \|\|
				1673	(k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
				1674	ret = SSH_ERR_ALLOC_FAIL;
				1675	break;
				1676	}
				1677	crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
				1678	ret = 0;
				1679	break;
				1680	#ifdef WITH_OPENSSL
				1681	case KEY_DSA:
				1682	ret = dsa_generate_private_key(bits, &k->dsa);
				1683	break;
				1684	# ifdef OPENSSL_HAS_ECC
				1685	case KEY_ECDSA:
				1686	ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
				1687	&k->ecdsa);
				1688	break;
				1689	# endif /* OPENSSL_HAS_ECC */
				1690	case KEY_RSA:
				1691	case KEY_RSA1:
				1692	ret = rsa_generate_private_key(bits, &k->rsa);
				1693	break;
				1694	#endif /* WITH_OPENSSL */
				1695	default:
				1696	ret = SSH_ERR_INVALID_ARGUMENT;
				1697	}
				1698	if (ret == 0) {
				1699	k->type = type;
				1700	*keyp = k;
				1701	} else
				1702	sshkey_free(k);
				1703	return ret;
				1704	}
				1705
				1706	int
				1707	sshkey_cert_copy(const struct sshkey from_key, struct sshkey to_key)
				1708	{
				1709	u_int i;
				1710	const struct sshkey_cert *from;
				1711	struct sshkey_cert *to;
				1712	int ret = SSH_ERR_INTERNAL_ERROR;
				1713
				1714	if (to_key->cert != NULL) {
				1715	cert_free(to_key->cert);
				1716	to_key->cert = NULL;
				1717	}
				1718
				1719	if ((from = from_key->cert) == NULL)
				1720	return SSH_ERR_INVALID_ARGUMENT;
				1721
				1722	if ((to = to_key->cert = cert_new()) == NULL)
				1723	return SSH_ERR_ALLOC_FAIL;
				1724
				1725	if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 \|\|
				1726	(ret = sshbuf_putb(to->critical, from->critical)) != 0 \|\|
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	1727	(ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1728	return ret;
				1729
				1730	to->serial = from->serial;
				1731	to->type = from->type;
				1732	if (from->key_id == NULL)
				1733	to->key_id = NULL;
				1734	else if ((to->key_id = strdup(from->key_id)) == NULL)
				1735	return SSH_ERR_ALLOC_FAIL;
				1736	to->valid_after = from->valid_after;
				1737	to->valid_before = from->valid_before;
				1738	if (from->signature_key == NULL)
				1739	to->signature_key = NULL;
				1740	else if ((ret = sshkey_from_private(from->signature_key,
				1741	&to->signature_key)) != 0)
				1742	return ret;
				1743
				1744	if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS)
				1745	return SSH_ERR_INVALID_ARGUMENT;
				1746	if (from->nprincipals > 0) {
				1747	if ((to->principals = calloc(from->nprincipals,
				1748	sizeof(*to->principals))) == NULL)
				1749	return SSH_ERR_ALLOC_FAIL;
				1750	for (i = 0; i < from->nprincipals; i++) {
				1751	to->principals[i] = strdup(from->principals[i]);
				1752	if (to->principals[i] == NULL) {
				1753	to->nprincipals = i;
				1754	return SSH_ERR_ALLOC_FAIL;
				1755	}
				1756	}
				1757	}
				1758	to->nprincipals = from->nprincipals;
				1759	return 0;
				1760	}
				1761
				1762	int
				1763	sshkey_from_private(const struct sshkey k, struct sshkey *pkp)
				1764	{
				1765	struct sshkey *n = NULL;
				1766	int ret = SSH_ERR_INTERNAL_ERROR;
				1767
djm@openbsd.org	1a2663a	2015-10-15 23:08:23 +0000	[diff] [blame]	1768	*pkp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1769	switch (k->type) {
				1770	#ifdef WITH_OPENSSL
				1771	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1772	case KEY_DSA_CERT:
				1773	if ((n = sshkey_new(k->type)) == NULL)
				1774	return SSH_ERR_ALLOC_FAIL;
				1775	if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) \|\|
				1776	(BN_copy(n->dsa->q, k->dsa->q) == NULL) \|\|
				1777	(BN_copy(n->dsa->g, k->dsa->g) == NULL) \|\|
				1778	(BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
				1779	sshkey_free(n);
				1780	return SSH_ERR_ALLOC_FAIL;
				1781	}
				1782	break;
				1783	# ifdef OPENSSL_HAS_ECC
				1784	case KEY_ECDSA:
				1785	case KEY_ECDSA_CERT:
				1786	if ((n = sshkey_new(k->type)) == NULL)
				1787	return SSH_ERR_ALLOC_FAIL;
				1788	n->ecdsa_nid = k->ecdsa_nid;
				1789	n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
				1790	if (n->ecdsa == NULL) {
				1791	sshkey_free(n);
				1792	return SSH_ERR_ALLOC_FAIL;
				1793	}
				1794	if (EC_KEY_set_public_key(n->ecdsa,
				1795	EC_KEY_get0_public_key(k->ecdsa)) != 1) {
				1796	sshkey_free(n);
				1797	return SSH_ERR_LIBCRYPTO_ERROR;
				1798	}
				1799	break;
				1800	# endif /* OPENSSL_HAS_ECC */
				1801	case KEY_RSA:
				1802	case KEY_RSA1:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1803	case KEY_RSA_CERT:
				1804	if ((n = sshkey_new(k->type)) == NULL)
				1805	return SSH_ERR_ALLOC_FAIL;
				1806	if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) \|\|
				1807	(BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
				1808	sshkey_free(n);
				1809	return SSH_ERR_ALLOC_FAIL;
				1810	}
				1811	break;
				1812	#endif /* WITH_OPENSSL */
				1813	case KEY_ED25519:
				1814	case KEY_ED25519_CERT:
				1815	if ((n = sshkey_new(k->type)) == NULL)
				1816	return SSH_ERR_ALLOC_FAIL;
				1817	if (k->ed25519_pk != NULL) {
				1818	if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
				1819	sshkey_free(n);
				1820	return SSH_ERR_ALLOC_FAIL;
				1821	}
				1822	memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
				1823	}
				1824	break;
				1825	default:
				1826	return SSH_ERR_KEY_TYPE_UNKNOWN;
				1827	}
				1828	if (sshkey_is_cert(k)) {
				1829	if ((ret = sshkey_cert_copy(k, n)) != 0) {
				1830	sshkey_free(n);
				1831	return ret;
				1832	}
				1833	}
				1834	*pkp = n;
				1835	return 0;
				1836	}
				1837
				1838	static int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1839	cert_parse(struct sshbuf b, struct sshkey key, struct sshbuf *certbuf)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1840	{
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1841	struct sshbuf principals = NULL, crit = NULL;
				1842	struct sshbuf exts = NULL, ca = NULL;
				1843	u_char *sig = NULL;
				1844	size_t signed_len = 0, slen = 0, kidlen = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1845	int ret = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1846
				1847	/* Copy the entire key blob for verification and later serialisation */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1848	if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1849	return ret;
				1850
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	1851	/* Parse body of certificate up to signature */
				1852	if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1853	(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 \|\|
				1854	(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 \|\|
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1855	(ret = sshbuf_froms(b, &principals)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1856	(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 \|\|
				1857	(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 \|\|
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1858	(ret = sshbuf_froms(b, &crit)) != 0 \|\|
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	1859	(ret = sshbuf_froms(b, &exts)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1860	(ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 \|\|
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1861	(ret = sshbuf_froms(b, &ca)) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1862	/* XXX debug print error for ret */
				1863	ret = SSH_ERR_INVALID_FORMAT;
				1864	goto out;
				1865	}
				1866
				1867	/* Signature is left in the buffer so we can calculate this length */
				1868	signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
				1869
				1870	if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
				1871	ret = SSH_ERR_INVALID_FORMAT;
				1872	goto out;
				1873	}
				1874
				1875	if (key->cert->type != SSH2_CERT_TYPE_USER &&
				1876	key->cert->type != SSH2_CERT_TYPE_HOST) {
				1877	ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
				1878	goto out;
				1879	}
				1880
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1881	/* Parse principals section */
				1882	while (sshbuf_len(principals) > 0) {
				1883	char *principal = NULL;
				1884	char **oprincipals = NULL;
				1885
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1886	if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
				1887	ret = SSH_ERR_INVALID_FORMAT;
				1888	goto out;
				1889	}
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1890	if ((ret = sshbuf_get_cstring(principals, &principal,
				1891	NULL)) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1892	ret = SSH_ERR_INVALID_FORMAT;
				1893	goto out;
				1894	}
				1895	oprincipals = key->cert->principals;
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	1896	key->cert->principals = reallocarray(key->cert->principals,
				1897	key->cert->nprincipals + 1, sizeof(*key->cert->principals));
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1898	if (key->cert->principals == NULL) {
				1899	free(principal);
				1900	key->cert->principals = oprincipals;
				1901	ret = SSH_ERR_ALLOC_FAIL;
				1902	goto out;
				1903	}
				1904	key->cert->principals[key->cert->nprincipals++] = principal;
				1905	}
				1906
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1907	/*
				1908	* Stash a copies of the critical options and extensions sections
				1909	* for later use.
				1910	*/
				1911	if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 \|\|
				1912	(exts != NULL &&
				1913	(ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1914	goto out;
				1915
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1916	/*
				1917	* Validate critical options and extensions sections format.
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1918	*/
				1919	while (sshbuf_len(crit) != 0) {
				1920	if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 \|\|
				1921	(ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
				1922	sshbuf_reset(key->cert->critical);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1923	ret = SSH_ERR_INVALID_FORMAT;
				1924	goto out;
				1925	}
				1926	}
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1927	while (exts != NULL && sshbuf_len(exts) != 0) {
				1928	if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 \|\|
				1929	(ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
				1930	sshbuf_reset(key->cert->extensions);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1931	ret = SSH_ERR_INVALID_FORMAT;
				1932	goto out;
				1933	}
				1934	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1935
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1936	/* Parse CA key and check signature */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1937	if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1938	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				1939	goto out;
				1940	}
				1941	if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
				1942	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				1943	goto out;
				1944	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1945	if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
				1946	sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0)
				1947	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1948
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1949	/* Success */
				1950	ret = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1951	out:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1952	sshbuf_free(ca);
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1953	sshbuf_free(crit);
				1954	sshbuf_free(exts);
				1955	sshbuf_free(principals);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1956	free(sig);
				1957	return ret;
				1958	}
				1959
				1960	static int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1961	sshkey_from_blob_internal(struct sshbuf b, struct sshkey *keyp,
				1962	int allow_cert)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1963	{
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	1964	int type, ret = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1965	char ktype = NULL, curve = NULL;
				1966	struct sshkey *key = NULL;
				1967	size_t len;
				1968	u_char *pk = NULL;
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1969	struct sshbuf *copy;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1970	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
				1971	EC_POINT *q = NULL;
				1972	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
				1973
				1974	#ifdef DEBUG_PK /* XXX */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1975	sshbuf_dump(b, stderr);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1976	#endif
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	1977	if (keyp != NULL)
				1978	*keyp = NULL;
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1979	if ((copy = sshbuf_fromb(b)) == NULL) {
				1980	ret = SSH_ERR_ALLOC_FAIL;
				1981	goto out;
				1982	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1983	if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
				1984	ret = SSH_ERR_INVALID_FORMAT;
				1985	goto out;
				1986	}
				1987
				1988	type = sshkey_type_from_name(ktype);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1989	if (!allow_cert && sshkey_type_is_cert(type)) {
				1990	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				1991	goto out;
				1992	}
				1993	switch (type) {
				1994	#ifdef WITH_OPENSSL
				1995	case KEY_RSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1996	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1997	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				1998	ret = SSH_ERR_INVALID_FORMAT;
				1999	goto out;
				2000	}
				2001	/* FALLTHROUGH */
				2002	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2003	if ((key = sshkey_new(type)) == NULL) {
				2004	ret = SSH_ERR_ALLOC_FAIL;
				2005	goto out;
				2006	}
djm@openbsd.org	3f4ea3c	2015-04-03 22:17:27 +0000	[diff] [blame]	2007	if (sshbuf_get_bignum2(b, key->rsa->e) != 0 \|\|
				2008	sshbuf_get_bignum2(b, key->rsa->n) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2009	ret = SSH_ERR_INVALID_FORMAT;
				2010	goto out;
				2011	}
				2012	#ifdef DEBUG_PK
				2013	RSA_print_fp(stderr, key->rsa, 8);
				2014	#endif
				2015	break;
				2016	case KEY_DSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2017	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2018	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				2019	ret = SSH_ERR_INVALID_FORMAT;
				2020	goto out;
				2021	}
				2022	/* FALLTHROUGH */
				2023	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2024	if ((key = sshkey_new(type)) == NULL) {
				2025	ret = SSH_ERR_ALLOC_FAIL;
				2026	goto out;
				2027	}
djm@openbsd.org	3f4ea3c	2015-04-03 22:17:27 +0000	[diff] [blame]	2028	if (sshbuf_get_bignum2(b, key->dsa->p) != 0 \|\|
				2029	sshbuf_get_bignum2(b, key->dsa->q) != 0 \|\|
				2030	sshbuf_get_bignum2(b, key->dsa->g) != 0 \|\|
				2031	sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2032	ret = SSH_ERR_INVALID_FORMAT;
				2033	goto out;
				2034	}
				2035	#ifdef DEBUG_PK
				2036	DSA_print_fp(stderr, key->dsa, 8);
				2037	#endif
				2038	break;
				2039	case KEY_ECDSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2040	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2041	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				2042	ret = SSH_ERR_INVALID_FORMAT;
				2043	goto out;
				2044	}
				2045	/* FALLTHROUGH */
				2046	# ifdef OPENSSL_HAS_ECC
				2047	case KEY_ECDSA:
				2048	if ((key = sshkey_new(type)) == NULL) {
				2049	ret = SSH_ERR_ALLOC_FAIL;
				2050	goto out;
				2051	}
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	2052	key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2053	if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
				2054	ret = SSH_ERR_INVALID_FORMAT;
				2055	goto out;
				2056	}
				2057	if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
				2058	ret = SSH_ERR_EC_CURVE_MISMATCH;
				2059	goto out;
				2060	}
				2061	if (key->ecdsa != NULL)
				2062	EC_KEY_free(key->ecdsa);
				2063	if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
				2064	== NULL) {
				2065	ret = SSH_ERR_EC_CURVE_INVALID;
				2066	goto out;
				2067	}
				2068	if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
				2069	ret = SSH_ERR_ALLOC_FAIL;
				2070	goto out;
				2071	}
				2072	if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
				2073	ret = SSH_ERR_INVALID_FORMAT;
				2074	goto out;
				2075	}
				2076	if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
				2077	q) != 0) {
				2078	ret = SSH_ERR_KEY_INVALID_EC_VALUE;
				2079	goto out;
				2080	}
				2081	if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
				2082	/* XXX assume it is a allocation error */
				2083	ret = SSH_ERR_ALLOC_FAIL;
				2084	goto out;
				2085	}
				2086	#ifdef DEBUG_PK
				2087	sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
				2088	#endif
				2089	break;
				2090	# endif /* OPENSSL_HAS_ECC */
				2091	#endif /* WITH_OPENSSL */
				2092	case KEY_ED25519_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2093	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2094	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				2095	ret = SSH_ERR_INVALID_FORMAT;
				2096	goto out;
				2097	}
				2098	/* FALLTHROUGH */
				2099	case KEY_ED25519:
				2100	if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
				2101	goto out;
				2102	if (len != ED25519_PK_SZ) {
				2103	ret = SSH_ERR_INVALID_FORMAT;
				2104	goto out;
				2105	}
				2106	if ((key = sshkey_new(type)) == NULL) {
				2107	ret = SSH_ERR_ALLOC_FAIL;
				2108	goto out;
				2109	}
				2110	key->ed25519_pk = pk;
				2111	pk = NULL;
				2112	break;
				2113	case KEY_UNSPEC:
				2114	if ((key = sshkey_new(type)) == NULL) {
				2115	ret = SSH_ERR_ALLOC_FAIL;
				2116	goto out;
				2117	}
				2118	break;
				2119	default:
				2120	ret = SSH_ERR_KEY_TYPE_UNKNOWN;
				2121	goto out;
				2122	}
				2123
				2124	/* Parse certificate potion */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2125	if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2126	goto out;
				2127
				2128	if (key != NULL && sshbuf_len(b) != 0) {
				2129	ret = SSH_ERR_INVALID_FORMAT;
				2130	goto out;
				2131	}
				2132	ret = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	2133	if (keyp != NULL) {
				2134	*keyp = key;
				2135	key = NULL;
				2136	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2137	out:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2138	sshbuf_free(copy);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2139	sshkey_free(key);
				2140	free(ktype);
				2141	free(curve);
				2142	free(pk);
				2143	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
				2144	if (q != NULL)
				2145	EC_POINT_free(q);
				2146	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
				2147	return ret;
				2148	}
				2149
				2150	int
				2151	sshkey_from_blob(const u_char blob, size_t blen, struct sshkey *keyp)
				2152	{
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2153	struct sshbuf *b;
				2154	int r;
				2155
				2156	if ((b = sshbuf_from(blob, blen)) == NULL)
				2157	return SSH_ERR_ALLOC_FAIL;
				2158	r = sshkey_from_blob_internal(b, keyp, 1);
				2159	sshbuf_free(b);
				2160	return r;
				2161	}
				2162
				2163	int
				2164	sshkey_fromb(struct sshbuf b, struct sshkey *keyp)
				2165	{
				2166	return sshkey_from_blob_internal(b, keyp, 1);
				2167	}
				2168
				2169	int
				2170	sshkey_froms(struct sshbuf buf, struct sshkey *keyp)
				2171	{
				2172	struct sshbuf *b;
				2173	int r;
				2174
				2175	if ((r = sshbuf_froms(buf, &b)) != 0)
				2176	return r;
				2177	r = sshkey_from_blob_internal(b, keyp, 1);
				2178	sshbuf_free(b);
				2179	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2180	}
				2181
				2182	int
				2183	sshkey_sign(const struct sshkey *key,
				2184	u_char *sigp, size_t lenp,
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	2185	const u_char data, size_t datalen, const char alg, u_int compat)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2186	{
				2187	if (sigp != NULL)
				2188	*sigp = NULL;
				2189	if (lenp != NULL)
				2190	*lenp = 0;
				2191	if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
				2192	return SSH_ERR_INVALID_ARGUMENT;
				2193	switch (key->type) {
				2194	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2195	case KEY_DSA_CERT:
				2196	case KEY_DSA:
				2197	return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
				2198	# ifdef OPENSSL_HAS_ECC
				2199	case KEY_ECDSA_CERT:
				2200	case KEY_ECDSA:
				2201	return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
				2202	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2203	case KEY_RSA_CERT:
				2204	case KEY_RSA:
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	2205	return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2206	#endif /* WITH_OPENSSL */
				2207	case KEY_ED25519:
				2208	case KEY_ED25519_CERT:
				2209	return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
				2210	default:
				2211	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2212	}
				2213	}
				2214
				2215	/*
				2216	* ssh_key_verify returns 0 for a correct signature and < 0 on error.
				2217	*/
				2218	int
				2219	sshkey_verify(const struct sshkey *key,
				2220	const u_char *sig, size_t siglen,
				2221	const u_char *data, size_t dlen, u_int compat)
				2222	{
djm@openbsd.org	4cf87f4	2014-12-10 01:24:09 +0000	[diff] [blame]	2223	if (siglen == 0 \|\| dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2224	return SSH_ERR_INVALID_ARGUMENT;
				2225	switch (key->type) {
				2226	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2227	case KEY_DSA_CERT:
				2228	case KEY_DSA:
				2229	return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
				2230	# ifdef OPENSSL_HAS_ECC
				2231	case KEY_ECDSA_CERT:
				2232	case KEY_ECDSA:
				2233	return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
				2234	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2235	case KEY_RSA_CERT:
				2236	case KEY_RSA:
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	2237	return ssh_rsa_verify(key, sig, siglen, data, dlen);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2238	#endif /* WITH_OPENSSL */
				2239	case KEY_ED25519:
				2240	case KEY_ED25519_CERT:
				2241	return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
				2242	default:
				2243	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2244	}
				2245	}
				2246
				2247	/* Converts a private to a public key */
				2248	int
				2249	sshkey_demote(const struct sshkey k, struct sshkey *dkp)
				2250	{
				2251	struct sshkey *pk;
				2252	int ret = SSH_ERR_INTERNAL_ERROR;
				2253
djm@openbsd.org	1a2663a	2015-10-15 23:08:23 +0000	[diff] [blame]	2254	*dkp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2255	if ((pk = calloc(1, sizeof(*pk))) == NULL)
				2256	return SSH_ERR_ALLOC_FAIL;
				2257	pk->type = k->type;
				2258	pk->flags = k->flags;
				2259	pk->ecdsa_nid = k->ecdsa_nid;
				2260	pk->dsa = NULL;
				2261	pk->ecdsa = NULL;
				2262	pk->rsa = NULL;
				2263	pk->ed25519_pk = NULL;
				2264	pk->ed25519_sk = NULL;
				2265
				2266	switch (k->type) {
				2267	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2268	case KEY_RSA_CERT:
				2269	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2270	goto fail;
				2271	/* FALLTHROUGH */
				2272	case KEY_RSA1:
				2273	case KEY_RSA:
				2274	if ((pk->rsa = RSA_new()) == NULL \|\|
				2275	(pk->rsa->e = BN_dup(k->rsa->e)) == NULL \|\|
				2276	(pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
				2277	ret = SSH_ERR_ALLOC_FAIL;
				2278	goto fail;
				2279	}
				2280	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2281	case KEY_DSA_CERT:
				2282	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2283	goto fail;
				2284	/* FALLTHROUGH */
				2285	case KEY_DSA:
				2286	if ((pk->dsa = DSA_new()) == NULL \|\|
				2287	(pk->dsa->p = BN_dup(k->dsa->p)) == NULL \|\|
				2288	(pk->dsa->q = BN_dup(k->dsa->q)) == NULL \|\|
				2289	(pk->dsa->g = BN_dup(k->dsa->g)) == NULL \|\|
				2290	(pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) {
				2291	ret = SSH_ERR_ALLOC_FAIL;
				2292	goto fail;
				2293	}
				2294	break;
				2295	case KEY_ECDSA_CERT:
				2296	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2297	goto fail;
				2298	/* FALLTHROUGH */
				2299	# ifdef OPENSSL_HAS_ECC
				2300	case KEY_ECDSA:
				2301	pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid);
				2302	if (pk->ecdsa == NULL) {
				2303	ret = SSH_ERR_ALLOC_FAIL;
				2304	goto fail;
				2305	}
				2306	if (EC_KEY_set_public_key(pk->ecdsa,
				2307	EC_KEY_get0_public_key(k->ecdsa)) != 1) {
				2308	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2309	goto fail;
				2310	}
				2311	break;
				2312	# endif /* OPENSSL_HAS_ECC */
				2313	#endif /* WITH_OPENSSL */
				2314	case KEY_ED25519_CERT:
				2315	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2316	goto fail;
				2317	/* FALLTHROUGH */
				2318	case KEY_ED25519:
				2319	if (k->ed25519_pk != NULL) {
				2320	if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
				2321	ret = SSH_ERR_ALLOC_FAIL;
				2322	goto fail;
				2323	}
				2324	memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
				2325	}
				2326	break;
				2327	default:
				2328	ret = SSH_ERR_KEY_TYPE_UNKNOWN;
				2329	fail:
				2330	sshkey_free(pk);
				2331	return ret;
				2332	}
				2333	*dkp = pk;
				2334	return 0;
				2335	}
				2336
				2337	/* Convert a plain key to their _CERT equivalent */
				2338	int
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2339	sshkey_to_certified(struct sshkey *k)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2340	{
				2341	int newtype;
				2342
				2343	switch (k->type) {
				2344	#ifdef WITH_OPENSSL
				2345	case KEY_RSA:
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2346	newtype = KEY_RSA_CERT;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2347	break;
				2348	case KEY_DSA:
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2349	newtype = KEY_DSA_CERT;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2350	break;
				2351	case KEY_ECDSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2352	newtype = KEY_ECDSA_CERT;
				2353	break;
				2354	#endif /* WITH_OPENSSL */
				2355	case KEY_ED25519:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2356	newtype = KEY_ED25519_CERT;
				2357	break;
				2358	default:
				2359	return SSH_ERR_INVALID_ARGUMENT;
				2360	}
				2361	if ((k->cert = cert_new()) == NULL)
				2362	return SSH_ERR_ALLOC_FAIL;
				2363	k->type = newtype;
				2364	return 0;
				2365	}
				2366
				2367	/* Convert a certificate to its raw key equivalent */
				2368	int
				2369	sshkey_drop_cert(struct sshkey *k)
				2370	{
				2371	if (!sshkey_type_is_cert(k->type))
				2372	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2373	cert_free(k->cert);
				2374	k->cert = NULL;
				2375	k->type = sshkey_type_plain(k->type);
				2376	return 0;
				2377	}
				2378
				2379	/* Sign a certified key, (re-)generating the signed certblob. */
				2380	int
djm@openbsd.org	57464e3	2016-05-02 09:36:42 +0000	[diff] [blame]	2381	sshkey_certify(struct sshkey k, struct sshkey ca, const char *alg)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2382	{
				2383	struct sshbuf *principals = NULL;
				2384	u_char ca_blob = NULL, sig_blob = NULL, nonce[32];
				2385	size_t i, ca_len, sig_len;
				2386	int ret = SSH_ERR_INTERNAL_ERROR;
				2387	struct sshbuf *cert;
				2388
				2389	if (k == NULL \|\| k->cert == NULL \|\|
				2390	k->cert->certblob == NULL \|\| ca == NULL)
				2391	return SSH_ERR_INVALID_ARGUMENT;
				2392	if (!sshkey_is_cert(k))
				2393	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2394	if (!sshkey_type_is_valid_ca(ca->type))
				2395	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				2396
				2397	if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
				2398	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				2399
				2400	cert = k->cert->certblob; /* for readability */
				2401	sshbuf_reset(cert);
				2402	if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
				2403	goto out;
				2404
				2405	/* -v01 certs put nonce first */
				2406	arc4random_buf(&nonce, sizeof(nonce));
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2407	if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
				2408	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2409
				2410	/* XXX this substantially duplicates to_blob(); refactor */
				2411	switch (k->type) {
				2412	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2413	case KEY_DSA_CERT:
				2414	if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 \|\|
				2415	(ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 \|\|
				2416	(ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 \|\|
				2417	(ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
				2418	goto out;
				2419	break;
				2420	# ifdef OPENSSL_HAS_ECC
				2421	case KEY_ECDSA_CERT:
				2422	if ((ret = sshbuf_put_cstring(cert,
				2423	sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 \|\|
				2424	(ret = sshbuf_put_ec(cert,
				2425	EC_KEY_get0_public_key(k->ecdsa),
				2426	EC_KEY_get0_group(k->ecdsa))) != 0)
				2427	goto out;
				2428	break;
				2429	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2430	case KEY_RSA_CERT:
				2431	if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 \|\|
				2432	(ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
				2433	goto out;
				2434	break;
				2435	#endif /* WITH_OPENSSL */
				2436	case KEY_ED25519_CERT:
				2437	if ((ret = sshbuf_put_string(cert,
				2438	k->ed25519_pk, ED25519_PK_SZ)) != 0)
				2439	goto out;
				2440	break;
				2441	default:
				2442	ret = SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.org	55e5bde	2015-03-06 01:40:56 +0000	[diff] [blame]	2443	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2444	}
				2445
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2446	if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 \|\|
				2447	(ret = sshbuf_put_u32(cert, k->cert->type)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2448	(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
				2449	goto out;
				2450
				2451	if ((principals = sshbuf_new()) == NULL) {
				2452	ret = SSH_ERR_ALLOC_FAIL;
				2453	goto out;
				2454	}
				2455	for (i = 0; i < k->cert->nprincipals; i++) {
				2456	if ((ret = sshbuf_put_cstring(principals,
				2457	k->cert->principals[i])) != 0)
				2458	goto out;
				2459	}
				2460	if ((ret = sshbuf_put_stringb(cert, principals)) != 0 \|\|
				2461	(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 \|\|
				2462	(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 \|\|
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2463	(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 \|\|
				2464	(ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 \|\|
				2465	(ret = sshbuf_put_string(cert, NULL, 0)) != 0 \|\| /* Reserved */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2466	(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
				2467	goto out;
				2468
				2469	/* Sign the whole mess */
				2470	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
djm@openbsd.org	57464e3	2016-05-02 09:36:42 +0000	[diff] [blame]	2471	sshbuf_len(cert), alg, 0)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2472	goto out;
				2473
				2474	/* Append signature and we are done */
				2475	if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
				2476	goto out;
				2477	ret = 0;
				2478	out:
				2479	if (ret != 0)
				2480	sshbuf_reset(cert);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	2481	free(sig_blob);
				2482	free(ca_blob);
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	2483	sshbuf_free(principals);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2484	return ret;
				2485	}
				2486
				2487	int
				2488	sshkey_cert_check_authority(const struct sshkey *k,
				2489	int want_host, int require_principal,
				2490	const char name, const char *reason)
				2491	{
				2492	u_int i, principal_matches;
				2493	time_t now = time(NULL);
				2494
				2495	if (reason != NULL)
				2496	*reason = NULL;
				2497
				2498	if (want_host) {
				2499	if (k->cert->type != SSH2_CERT_TYPE_HOST) {
				2500	*reason = "Certificate invalid: not a host certificate";
				2501	return SSH_ERR_KEY_CERT_INVALID;
				2502	}
				2503	} else {
				2504	if (k->cert->type != SSH2_CERT_TYPE_USER) {
				2505	*reason = "Certificate invalid: not a user certificate";
				2506	return SSH_ERR_KEY_CERT_INVALID;
				2507	}
				2508	}
				2509	if (now < 0) {
				2510	/* yikes - system clock before epoch! */
				2511	*reason = "Certificate invalid: not yet valid";
				2512	return SSH_ERR_KEY_CERT_INVALID;
				2513	}
				2514	if ((u_int64_t)now < k->cert->valid_after) {
				2515	*reason = "Certificate invalid: not yet valid";
				2516	return SSH_ERR_KEY_CERT_INVALID;
				2517	}
				2518	if ((u_int64_t)now >= k->cert->valid_before) {
				2519	*reason = "Certificate invalid: expired";
				2520	return SSH_ERR_KEY_CERT_INVALID;
				2521	}
				2522	if (k->cert->nprincipals == 0) {
				2523	if (require_principal) {
				2524	*reason = "Certificate lacks principal list";
				2525	return SSH_ERR_KEY_CERT_INVALID;
				2526	}
				2527	} else if (name != NULL) {
				2528	principal_matches = 0;
				2529	for (i = 0; i < k->cert->nprincipals; i++) {
				2530	if (strcmp(name, k->cert->principals[i]) == 0) {
				2531	principal_matches = 1;
				2532	break;
				2533	}
				2534	}
				2535	if (!principal_matches) {
				2536	*reason = "Certificate invalid: name is not a listed "
				2537	"principal";
				2538	return SSH_ERR_KEY_CERT_INVALID;
				2539	}
				2540	}
				2541	return 0;
				2542	}
				2543
djm@openbsd.org	499cf36	2015-11-19 01:08:55 +0000	[diff] [blame]	2544	size_t
				2545	sshkey_format_cert_validity(const struct sshkey_cert cert, char s, size_t l)
				2546	{
				2547	char from[32], to[32], ret[64];
				2548	time_t tt;
				2549	struct tm *tm;
				2550
				2551	from = to = '\0';
				2552	if (cert->valid_after == 0 &&
				2553	cert->valid_before == 0xffffffffffffffffULL)
				2554	return strlcpy(s, "forever", l);
				2555
				2556	if (cert->valid_after != 0) {
				2557	/* XXX revisit INT_MAX in 2038 :) */
				2558	tt = cert->valid_after > INT_MAX ?
				2559	INT_MAX : cert->valid_after;
				2560	tm = localtime(&tt);
				2561	strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
				2562	}
				2563	if (cert->valid_before != 0xffffffffffffffffULL) {
				2564	/* XXX revisit INT_MAX in 2038 :) */
				2565	tt = cert->valid_before > INT_MAX ?
				2566	INT_MAX : cert->valid_before;
				2567	tm = localtime(&tt);
				2568	strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
				2569	}
				2570
				2571	if (cert->valid_after == 0)
				2572	snprintf(ret, sizeof(ret), "before %s", to);
				2573	else if (cert->valid_before == 0xffffffffffffffffULL)
				2574	snprintf(ret, sizeof(ret), "after %s", from);
				2575	else
				2576	snprintf(ret, sizeof(ret), "from %s to %s", from, to);
				2577
				2578	return strlcpy(s, ret, l);
				2579	}
				2580
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2581	int
				2582	sshkey_private_serialize(const struct sshkey key, struct sshbuf b)
				2583	{
				2584	int r = SSH_ERR_INTERNAL_ERROR;
				2585
				2586	if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
				2587	goto out;
				2588	switch (key->type) {
				2589	#ifdef WITH_OPENSSL
				2590	case KEY_RSA:
				2591	if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 \|\|
				2592	(r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 \|\|
				2593	(r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 \|\|
				2594	(r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 \|\|
				2595	(r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 \|\|
				2596	(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
				2597	goto out;
				2598	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2599	case KEY_RSA_CERT:
				2600	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2601	r = SSH_ERR_INVALID_ARGUMENT;
				2602	goto out;
				2603	}
				2604	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2605	(r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 \|\|
				2606	(r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 \|\|
				2607	(r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 \|\|
				2608	(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
				2609	goto out;
				2610	break;
				2611	case KEY_DSA:
				2612	if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 \|\|
				2613	(r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 \|\|
				2614	(r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 \|\|
				2615	(r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 \|\|
				2616	(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
				2617	goto out;
				2618	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2619	case KEY_DSA_CERT:
				2620	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2621	r = SSH_ERR_INVALID_ARGUMENT;
				2622	goto out;
				2623	}
				2624	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2625	(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
				2626	goto out;
				2627	break;
				2628	# ifdef OPENSSL_HAS_ECC
				2629	case KEY_ECDSA:
				2630	if ((r = sshbuf_put_cstring(b,
				2631	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
				2632	(r = sshbuf_put_eckey(b, key->ecdsa)) != 0 \|\|
				2633	(r = sshbuf_put_bignum2(b,
				2634	EC_KEY_get0_private_key(key->ecdsa))) != 0)
				2635	goto out;
				2636	break;
				2637	case KEY_ECDSA_CERT:
				2638	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2639	r = SSH_ERR_INVALID_ARGUMENT;
				2640	goto out;
				2641	}
				2642	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2643	(r = sshbuf_put_bignum2(b,
				2644	EC_KEY_get0_private_key(key->ecdsa))) != 0)
				2645	goto out;
				2646	break;
				2647	# endif /* OPENSSL_HAS_ECC */
				2648	#endif /* WITH_OPENSSL */
				2649	case KEY_ED25519:
				2650	if ((r = sshbuf_put_string(b, key->ed25519_pk,
				2651	ED25519_PK_SZ)) != 0 \|\|
				2652	(r = sshbuf_put_string(b, key->ed25519_sk,
				2653	ED25519_SK_SZ)) != 0)
				2654	goto out;
				2655	break;
				2656	case KEY_ED25519_CERT:
				2657	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2658	r = SSH_ERR_INVALID_ARGUMENT;
				2659	goto out;
				2660	}
				2661	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2662	(r = sshbuf_put_string(b, key->ed25519_pk,
				2663	ED25519_PK_SZ)) != 0 \|\|
				2664	(r = sshbuf_put_string(b, key->ed25519_sk,
				2665	ED25519_SK_SZ)) != 0)
				2666	goto out;
				2667	break;
				2668	default:
				2669	r = SSH_ERR_INVALID_ARGUMENT;
				2670	goto out;
				2671	}
				2672	/* success */
				2673	r = 0;
				2674	out:
				2675	return r;
				2676	}
				2677
				2678	int
				2679	sshkey_private_deserialize(struct sshbuf buf, struct sshkey *kp)
				2680	{
				2681	char tname = NULL, curve = NULL;
				2682	struct sshkey *k = NULL;
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2683	size_t pklen = 0, sklen = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2684	int type, r = SSH_ERR_INTERNAL_ERROR;
				2685	u_char ed25519_pk = NULL, ed25519_sk = NULL;
				2686	#ifdef WITH_OPENSSL
				2687	BIGNUM *exponent = NULL;
				2688	#endif /* WITH_OPENSSL */
				2689
				2690	if (kp != NULL)
				2691	*kp = NULL;
				2692	if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
				2693	goto out;
				2694	type = sshkey_type_from_name(tname);
				2695	switch (type) {
				2696	#ifdef WITH_OPENSSL
				2697	case KEY_DSA:
				2698	if ((k = sshkey_new_private(type)) == NULL) {
				2699	r = SSH_ERR_ALLOC_FAIL;
				2700	goto out;
				2701	}
				2702	if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 \|\|
				2703	(r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 \|\|
				2704	(r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 \|\|
				2705	(r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 \|\|
				2706	(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
				2707	goto out;
				2708	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2709	case KEY_DSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2710	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2711	(r = sshkey_add_private(k)) != 0 \|\|
				2712	(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
				2713	goto out;
				2714	break;
				2715	# ifdef OPENSSL_HAS_ECC
				2716	case KEY_ECDSA:
				2717	if ((k = sshkey_new_private(type)) == NULL) {
				2718	r = SSH_ERR_ALLOC_FAIL;
				2719	goto out;
				2720	}
				2721	if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
				2722	r = SSH_ERR_INVALID_ARGUMENT;
				2723	goto out;
				2724	}
				2725	if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
				2726	goto out;
				2727	if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
				2728	r = SSH_ERR_EC_CURVE_MISMATCH;
				2729	goto out;
				2730	}
				2731	k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
				2732	if (k->ecdsa == NULL \|\| (exponent = BN_new()) == NULL) {
				2733	r = SSH_ERR_LIBCRYPTO_ERROR;
				2734	goto out;
				2735	}
				2736	if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 \|\|
				2737	(r = sshbuf_get_bignum2(buf, exponent)))
				2738	goto out;
				2739	if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
				2740	r = SSH_ERR_LIBCRYPTO_ERROR;
				2741	goto out;
				2742	}
				2743	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	2744	EC_KEY_get0_public_key(k->ecdsa))) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2745	(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
				2746	goto out;
				2747	break;
				2748	case KEY_ECDSA_CERT:
				2749	if ((exponent = BN_new()) == NULL) {
				2750	r = SSH_ERR_LIBCRYPTO_ERROR;
				2751	goto out;
				2752	}
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2753	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2754	(r = sshkey_add_private(k)) != 0 \|\|
				2755	(r = sshbuf_get_bignum2(buf, exponent)) != 0)
				2756	goto out;
				2757	if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
				2758	r = SSH_ERR_LIBCRYPTO_ERROR;
				2759	goto out;
				2760	}
				2761	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	2762	EC_KEY_get0_public_key(k->ecdsa))) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2763	(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
				2764	goto out;
				2765	break;
				2766	# endif /* OPENSSL_HAS_ECC */
				2767	case KEY_RSA:
				2768	if ((k = sshkey_new_private(type)) == NULL) {
				2769	r = SSH_ERR_ALLOC_FAIL;
				2770	goto out;
				2771	}
				2772	if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 \|\|
				2773	(r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 \|\|
				2774	(r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 \|\|
				2775	(r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 \|\|
				2776	(r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 \|\|
				2777	(r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 \|\|
				2778	(r = rsa_generate_additional_parameters(k->rsa)) != 0)
				2779	goto out;
				2780	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2781	case KEY_RSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2782	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2783	(r = sshkey_add_private(k)) != 0 \|\|
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	2784	(r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 \|\|
				2785	(r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 \|\|
				2786	(r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 \|\|
				2787	(r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2788	(r = rsa_generate_additional_parameters(k->rsa)) != 0)
				2789	goto out;
				2790	break;
				2791	#endif /* WITH_OPENSSL */
				2792	case KEY_ED25519:
				2793	if ((k = sshkey_new_private(type)) == NULL) {
				2794	r = SSH_ERR_ALLOC_FAIL;
				2795	goto out;
				2796	}
				2797	if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 \|\|
				2798	(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
				2799	goto out;
				2800	if (pklen != ED25519_PK_SZ \|\| sklen != ED25519_SK_SZ) {
				2801	r = SSH_ERR_INVALID_FORMAT;
				2802	goto out;
				2803	}
				2804	k->ed25519_pk = ed25519_pk;
				2805	k->ed25519_sk = ed25519_sk;
				2806	ed25519_pk = ed25519_sk = NULL;
				2807	break;
				2808	case KEY_ED25519_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2809	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2810	(r = sshkey_add_private(k)) != 0 \|\|
				2811	(r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 \|\|
				2812	(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
				2813	goto out;
				2814	if (pklen != ED25519_PK_SZ \|\| sklen != ED25519_SK_SZ) {
				2815	r = SSH_ERR_INVALID_FORMAT;
				2816	goto out;
				2817	}
				2818	k->ed25519_pk = ed25519_pk;
				2819	k->ed25519_sk = ed25519_sk;
				2820	ed25519_pk = ed25519_sk = NULL;
				2821	break;
				2822	default:
				2823	r = SSH_ERR_KEY_TYPE_UNKNOWN;
				2824	goto out;
				2825	}
				2826	#ifdef WITH_OPENSSL
				2827	/* enable blinding */
				2828	switch (k->type) {
				2829	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2830	case KEY_RSA_CERT:
				2831	case KEY_RSA1:
				2832	if (RSA_blinding_on(k->rsa, NULL) != 1) {
				2833	r = SSH_ERR_LIBCRYPTO_ERROR;
				2834	goto out;
				2835	}
				2836	break;
				2837	}
				2838	#endif /* WITH_OPENSSL */
				2839	/* success */
				2840	r = 0;
				2841	if (kp != NULL) {
				2842	*kp = k;
				2843	k = NULL;
				2844	}
				2845	out:
				2846	free(tname);
				2847	free(curve);
				2848	#ifdef WITH_OPENSSL
				2849	if (exponent != NULL)
				2850	BN_clear_free(exponent);
				2851	#endif /* WITH_OPENSSL */
				2852	sshkey_free(k);
				2853	if (ed25519_pk != NULL) {
				2854	explicit_bzero(ed25519_pk, pklen);
				2855	free(ed25519_pk);
				2856	}
				2857	if (ed25519_sk != NULL) {
				2858	explicit_bzero(ed25519_sk, sklen);
				2859	free(ed25519_sk);
				2860	}
				2861	return r;
				2862	}
				2863
				2864	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
				2865	int
				2866	sshkey_ec_validate_public(const EC_GROUP group, const EC_POINT public)
				2867	{
				2868	BN_CTX *bnctx;
				2869	EC_POINT *nq = NULL;
				2870	BIGNUM order, x, y, tmp;
				2871	int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
				2872
djm@openbsd.org	a571dbc	2016-10-04 21:34:40 +0000	[diff] [blame]	2873	/*
				2874	* NB. This assumes OpenSSL has already verified that the public
				2875	* point lies on the curve. This is done by EC_POINT_oct2point()
				2876	* implicitly calling EC_POINT_is_on_curve(). If this code is ever
				2877	* reachable with public points not unmarshalled using
				2878	* EC_POINT_oct2point then the caller will need to explicitly check.
				2879	*/
				2880
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2881	if ((bnctx = BN_CTX_new()) == NULL)
				2882	return SSH_ERR_ALLOC_FAIL;
				2883	BN_CTX_start(bnctx);
				2884
				2885	/*
				2886	* We shouldn't ever hit this case because bignum_get_ecpoint()
				2887	* refuses to load GF2m points.
				2888	*/
				2889	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
				2890	NID_X9_62_prime_field)
				2891	goto out;
				2892
				2893	/* Q != infinity */
				2894	if (EC_POINT_is_at_infinity(group, public))
				2895	goto out;
				2896
				2897	if ((x = BN_CTX_get(bnctx)) == NULL \|\|
				2898	(y = BN_CTX_get(bnctx)) == NULL \|\|
				2899	(order = BN_CTX_get(bnctx)) == NULL \|\|
				2900	(tmp = BN_CTX_get(bnctx)) == NULL) {
				2901	ret = SSH_ERR_ALLOC_FAIL;
				2902	goto out;
				2903	}
				2904
				2905	/* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
				2906	if (EC_GROUP_get_order(group, order, bnctx) != 1 \|\|
				2907	EC_POINT_get_affine_coordinates_GFp(group, public,
				2908	x, y, bnctx) != 1) {
				2909	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2910	goto out;
				2911	}
				2912	if (BN_num_bits(x) <= BN_num_bits(order) / 2 \|\|
				2913	BN_num_bits(y) <= BN_num_bits(order) / 2)
				2914	goto out;
				2915
				2916	/* nQ == infinity (n == order of subgroup) */
				2917	if ((nq = EC_POINT_new(group)) == NULL) {
				2918	ret = SSH_ERR_ALLOC_FAIL;
				2919	goto out;
				2920	}
				2921	if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) {
				2922	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2923	goto out;
				2924	}
				2925	if (EC_POINT_is_at_infinity(group, nq) != 1)
				2926	goto out;
				2927
				2928	/* x < order - 1, y < order - 1 */
				2929	if (!BN_sub(tmp, order, BN_value_one())) {
				2930	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2931	goto out;
				2932	}
				2933	if (BN_cmp(x, tmp) >= 0 \|\| BN_cmp(y, tmp) >= 0)
				2934	goto out;
				2935	ret = 0;
				2936	out:
				2937	BN_CTX_free(bnctx);
				2938	if (nq != NULL)
				2939	EC_POINT_free(nq);
				2940	return ret;
				2941	}
				2942
				2943	int
				2944	sshkey_ec_validate_private(const EC_KEY *key)
				2945	{
				2946	BN_CTX *bnctx;
				2947	BIGNUM order, tmp;
				2948	int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
				2949
				2950	if ((bnctx = BN_CTX_new()) == NULL)
				2951	return SSH_ERR_ALLOC_FAIL;
				2952	BN_CTX_start(bnctx);
				2953
				2954	if ((order = BN_CTX_get(bnctx)) == NULL \|\|
				2955	(tmp = BN_CTX_get(bnctx)) == NULL) {
				2956	ret = SSH_ERR_ALLOC_FAIL;
				2957	goto out;
				2958	}
				2959
				2960	/* log2(private) > log2(order)/2 */
				2961	if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) {
				2962	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2963	goto out;
				2964	}
				2965	if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
				2966	BN_num_bits(order) / 2)
				2967	goto out;
				2968
				2969	/* private < order - 1 */
				2970	if (!BN_sub(tmp, order, BN_value_one())) {
				2971	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2972	goto out;
				2973	}
				2974	if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
				2975	goto out;
				2976	ret = 0;
				2977	out:
				2978	BN_CTX_free(bnctx);
				2979	return ret;
				2980	}
				2981
				2982	void
				2983	sshkey_dump_ec_point(const EC_GROUP group, const EC_POINT point)
				2984	{
				2985	BIGNUM x, y;
				2986	BN_CTX *bnctx;
				2987
				2988	if (point == NULL) {
				2989	fputs("point=(NULL)\n", stderr);
				2990	return;
				2991	}
				2992	if ((bnctx = BN_CTX_new()) == NULL) {
				2993	fprintf(stderr, "%s: BN_CTX_new failed\n", __func__);
				2994	return;
				2995	}
				2996	BN_CTX_start(bnctx);
				2997	if ((x = BN_CTX_get(bnctx)) == NULL \|\|
				2998	(y = BN_CTX_get(bnctx)) == NULL) {
				2999	fprintf(stderr, "%s: BN_CTX_get failed\n", __func__);
				3000	return;
				3001	}
				3002	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
				3003	NID_X9_62_prime_field) {
				3004	fprintf(stderr, "%s: group is not a prime field\n", __func__);
				3005	return;
				3006	}
				3007	if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y,
				3008	bnctx) != 1) {
				3009	fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
				3010	__func__);
				3011	return;
				3012	}
				3013	fputs("x=", stderr);
				3014	BN_print_fp(stderr, x);
				3015	fputs("\ny=", stderr);
				3016	BN_print_fp(stderr, y);
				3017	fputs("\n", stderr);
				3018	BN_CTX_free(bnctx);
				3019	}
				3020
				3021	void
				3022	sshkey_dump_ec_key(const EC_KEY *key)
				3023	{
				3024	const BIGNUM *exponent;
				3025
				3026	sshkey_dump_ec_point(EC_KEY_get0_group(key),
				3027	EC_KEY_get0_public_key(key));
				3028	fputs("exponent=", stderr);
				3029	if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
				3030	fputs("(NULL)", stderr);
				3031	else
				3032	BN_print_fp(stderr, EC_KEY_get0_private_key(key));
				3033	fputs("\n", stderr);
				3034	}
				3035	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
				3036
				3037	static int
				3038	sshkey_private_to_blob2(const struct sshkey prv, struct sshbuf blob,
				3039	const char passphrase, const char comment, const char *ciphername,
				3040	int rounds)
				3041	{
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	3042	u_char cp, key = NULL, *pubkeyblob = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3043	u_char salt[SALT_LEN];
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	3044	char *b64 = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3045	size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
				3046	u_int check;
				3047	int r = SSH_ERR_INTERNAL_ERROR;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3048	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3049	const struct sshcipher *cipher;
				3050	const char *kdfname = KDFNAME;
				3051	struct sshbuf encoded = NULL, encrypted = NULL, *kdf = NULL;
				3052
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3053	if (rounds <= 0)
				3054	rounds = DEFAULT_ROUNDS;
				3055	if (passphrase == NULL \|\| !strlen(passphrase)) {
				3056	ciphername = "none";
				3057	kdfname = "none";
				3058	} else if (ciphername == NULL)
				3059	ciphername = DEFAULT_CIPHERNAME;
				3060	else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) {
				3061	r = SSH_ERR_INVALID_ARGUMENT;
				3062	goto out;
				3063	}
				3064	if ((cipher = cipher_by_name(ciphername)) == NULL) {
				3065	r = SSH_ERR_INTERNAL_ERROR;
				3066	goto out;
				3067	}
				3068
				3069	if ((kdf = sshbuf_new()) == NULL \|\|
				3070	(encoded = sshbuf_new()) == NULL \|\|
				3071	(encrypted = sshbuf_new()) == NULL) {
				3072	r = SSH_ERR_ALLOC_FAIL;
				3073	goto out;
				3074	}
				3075	blocksize = cipher_blocksize(cipher);
				3076	keylen = cipher_keylen(cipher);
				3077	ivlen = cipher_ivlen(cipher);
				3078	authlen = cipher_authlen(cipher);
				3079	if ((key = calloc(1, keylen + ivlen)) == NULL) {
				3080	r = SSH_ERR_ALLOC_FAIL;
				3081	goto out;
				3082	}
				3083	if (strcmp(kdfname, "bcrypt") == 0) {
				3084	arc4random_buf(salt, SALT_LEN);
				3085	if (bcrypt_pbkdf(passphrase, strlen(passphrase),
				3086	salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
				3087	r = SSH_ERR_INVALID_ARGUMENT;
				3088	goto out;
				3089	}
				3090	if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 \|\|
				3091	(r = sshbuf_put_u32(kdf, rounds)) != 0)
				3092	goto out;
				3093	} else if (strcmp(kdfname, "none") != 0) {
				3094	/* Unsupported KDF type */
				3095	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3096	goto out;
				3097	}
				3098	if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
				3099	key + keylen, ivlen, 1)) != 0)
				3100	goto out;
				3101
				3102	if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 \|\|
				3103	(r = sshbuf_put_cstring(encoded, ciphername)) != 0 \|\|
				3104	(r = sshbuf_put_cstring(encoded, kdfname)) != 0 \|\|
				3105	(r = sshbuf_put_stringb(encoded, kdf)) != 0 \|\|
				3106	(r = sshbuf_put_u32(encoded, 1)) != 0 \|\| /* number of keys */
				3107	(r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 \|\|
				3108	(r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
				3109	goto out;
				3110
				3111	/* set up the buffer that will be encrypted */
				3112
				3113	/* Random check bytes */
				3114	check = arc4random();
				3115	if ((r = sshbuf_put_u32(encrypted, check)) != 0 \|\|
				3116	(r = sshbuf_put_u32(encrypted, check)) != 0)
				3117	goto out;
				3118
				3119	/* append private key and comment*/
				3120	if ((r = sshkey_private_serialize(prv, encrypted)) != 0 \|\|
				3121	(r = sshbuf_put_cstring(encrypted, comment)) != 0)
				3122	goto out;
				3123
				3124	/* padding */
				3125	i = 0;
				3126	while (sshbuf_len(encrypted) % blocksize) {
				3127	if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
				3128	goto out;
				3129	}
				3130
				3131	/* length in destination buffer */
				3132	if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
				3133	goto out;
				3134
				3135	/* encrypt */
				3136	if ((r = sshbuf_reserve(encoded,
				3137	sshbuf_len(encrypted) + authlen, &cp)) != 0)
				3138	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3139	if ((r = cipher_crypt(ciphercontext, 0, cp,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3140	sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
				3141	goto out;
				3142
				3143	/* uuencode */
				3144	if ((b64 = sshbuf_dtob64(encoded)) == NULL) {
				3145	r = SSH_ERR_ALLOC_FAIL;
				3146	goto out;
				3147	}
				3148
				3149	sshbuf_reset(blob);
				3150	if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0)
				3151	goto out;
				3152	for (i = 0; i < strlen(b64); i++) {
				3153	if ((r = sshbuf_put_u8(blob, b64[i])) != 0)
				3154	goto out;
				3155	/* insert line breaks */
				3156	if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
				3157	goto out;
				3158	}
				3159	if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
				3160	goto out;
				3161	if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
				3162	goto out;
				3163
				3164	/* success */
				3165	r = 0;
				3166
				3167	out:
				3168	sshbuf_free(kdf);
				3169	sshbuf_free(encoded);
				3170	sshbuf_free(encrypted);
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3171	cipher_free(ciphercontext);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3172	explicit_bzero(salt, sizeof(salt));
				3173	if (key != NULL) {
				3174	explicit_bzero(key, keylen + ivlen);
				3175	free(key);
				3176	}
				3177	if (pubkeyblob != NULL) {
				3178	explicit_bzero(pubkeyblob, pubkeylen);
				3179	free(pubkeyblob);
				3180	}
				3181	if (b64 != NULL) {
				3182	explicit_bzero(b64, strlen(b64));
				3183	free(b64);
				3184	}
				3185	return r;
				3186	}
				3187
				3188	static int
				3189	sshkey_parse_private2(struct sshbuf blob, int type, const char passphrase,
				3190	struct sshkey keyp, char commentp)
				3191	{
				3192	char comment = NULL, ciphername = NULL, *kdfname = NULL;
				3193	const struct sshcipher *cipher = NULL;
				3194	const u_char *cp;
				3195	int r = SSH_ERR_INTERNAL_ERROR;
				3196	size_t encoded_len;
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3197	size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3198	struct sshbuf encoded = NULL, decoded = NULL;
				3199	struct sshbuf kdf = NULL, decrypted = NULL;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3200	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3201	struct sshkey *k = NULL;
				3202	u_char key = NULL, salt = NULL, *dp, pad, last;
				3203	u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
				3204
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3205	if (keyp != NULL)
				3206	*keyp = NULL;
				3207	if (commentp != NULL)
				3208	*commentp = NULL;
				3209
				3210	if ((encoded = sshbuf_new()) == NULL \|\|
				3211	(decoded = sshbuf_new()) == NULL \|\|
				3212	(decrypted = sshbuf_new()) == NULL) {
				3213	r = SSH_ERR_ALLOC_FAIL;
				3214	goto out;
				3215	}
				3216
				3217	/* check preamble */
				3218	cp = sshbuf_ptr(blob);
				3219	encoded_len = sshbuf_len(blob);
				3220	if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) \|\|
				3221	memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
				3222	r = SSH_ERR_INVALID_FORMAT;
				3223	goto out;
				3224	}
				3225	cp += MARK_BEGIN_LEN;
				3226	encoded_len -= MARK_BEGIN_LEN;
				3227
				3228	/* Look for end marker, removing whitespace as we go */
				3229	while (encoded_len > 0) {
				3230	if (cp != '\n' && cp != '\r') {
				3231	if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
				3232	goto out;
				3233	}
				3234	last = *cp;
				3235	encoded_len--;
				3236	cp++;
				3237	if (last == '\n') {
				3238	if (encoded_len >= MARK_END_LEN &&
				3239	memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
				3240	/* \0 terminate */
				3241	if ((r = sshbuf_put_u8(encoded, 0)) != 0)
				3242	goto out;
				3243	break;
				3244	}
				3245	}
				3246	}
				3247	if (encoded_len == 0) {
				3248	r = SSH_ERR_INVALID_FORMAT;
				3249	goto out;
				3250	}
				3251
				3252	/* decode base64 */
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	3253	if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3254	goto out;
				3255
				3256	/* check magic */
				3257	if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) \|\|
				3258	memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
				3259	r = SSH_ERR_INVALID_FORMAT;
				3260	goto out;
				3261	}
				3262	/* parse public portion of key */
				3263	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 \|\|
				3264	(r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 \|\|
				3265	(r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 \|\|
				3266	(r = sshbuf_froms(decoded, &kdf)) != 0 \|\|
				3267	(r = sshbuf_get_u32(decoded, &nkeys)) != 0 \|\|
				3268	(r = sshbuf_skip_string(decoded)) != 0 \|\| /* pubkey */
				3269	(r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
				3270	goto out;
				3271
				3272	if ((cipher = cipher_by_name(ciphername)) == NULL) {
				3273	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3274	goto out;
				3275	}
				3276	if ((passphrase == NULL \|\| strlen(passphrase) == 0) &&
				3277	strcmp(ciphername, "none") != 0) {
				3278	/* passphrase required */
				3279	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3280	goto out;
				3281	}
				3282	if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
				3283	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3284	goto out;
				3285	}
				3286	if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
				3287	r = SSH_ERR_INVALID_FORMAT;
				3288	goto out;
				3289	}
				3290	if (nkeys != 1) {
				3291	/* XXX only one key supported */
				3292	r = SSH_ERR_INVALID_FORMAT;
				3293	goto out;
				3294	}
				3295
				3296	/* check size of encrypted key blob */
				3297	blocksize = cipher_blocksize(cipher);
				3298	if (encrypted_len < blocksize \|\| (encrypted_len % blocksize) != 0) {
				3299	r = SSH_ERR_INVALID_FORMAT;
				3300	goto out;
				3301	}
				3302
				3303	/* setup key */
				3304	keylen = cipher_keylen(cipher);
				3305	ivlen = cipher_ivlen(cipher);
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3306	authlen = cipher_authlen(cipher);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3307	if ((key = calloc(1, keylen + ivlen)) == NULL) {
				3308	r = SSH_ERR_ALLOC_FAIL;
				3309	goto out;
				3310	}
				3311	if (strcmp(kdfname, "bcrypt") == 0) {
				3312	if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 \|\|
				3313	(r = sshbuf_get_u32(kdf, &rounds)) != 0)
				3314	goto out;
				3315	if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
				3316	key, keylen + ivlen, rounds) < 0) {
				3317	r = SSH_ERR_INVALID_FORMAT;
				3318	goto out;
				3319	}
				3320	}
				3321
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3322	/* check that an appropriate amount of auth data is present */
				3323	if (sshbuf_len(decoded) < encrypted_len + authlen) {
				3324	r = SSH_ERR_INVALID_FORMAT;
				3325	goto out;
				3326	}
				3327
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3328	/* decrypt private portion of key */
				3329	if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 \|\|
				3330	(r = cipher_init(&ciphercontext, cipher, key, keylen,
				3331	key + keylen, ivlen, 0)) != 0)
				3332	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3333	if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3334	encrypted_len, 0, authlen)) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3335	/* an integrity error here indicates an incorrect passphrase */
				3336	if (r == SSH_ERR_MAC_INVALID)
				3337	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3338	goto out;
				3339	}
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3340	if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3341	goto out;
				3342	/* there should be no trailing data */
				3343	if (sshbuf_len(decoded) != 0) {
				3344	r = SSH_ERR_INVALID_FORMAT;
				3345	goto out;
				3346	}
				3347
				3348	/* check check bytes */
				3349	if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 \|\|
				3350	(r = sshbuf_get_u32(decrypted, &check2)) != 0)
				3351	goto out;
				3352	if (check1 != check2) {
				3353	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3354	goto out;
				3355	}
				3356
				3357	/* Load the private key and comment */
				3358	if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 \|\|
				3359	(r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
				3360	goto out;
				3361
				3362	/* Check deterministic padding */
				3363	i = 0;
				3364	while (sshbuf_len(decrypted)) {
				3365	if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
				3366	goto out;
				3367	if (pad != (++i & 0xff)) {
				3368	r = SSH_ERR_INVALID_FORMAT;
				3369	goto out;
				3370	}
				3371	}
				3372
				3373	/* XXX decode pubkey and check against private */
				3374
				3375	/* success */
				3376	r = 0;
				3377	if (keyp != NULL) {
				3378	*keyp = k;
				3379	k = NULL;
				3380	}
				3381	if (commentp != NULL) {
				3382	*commentp = comment;
				3383	comment = NULL;
				3384	}
				3385	out:
				3386	pad = 0;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3387	cipher_free(ciphercontext);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3388	free(ciphername);
				3389	free(kdfname);
				3390	free(comment);
				3391	if (salt != NULL) {
				3392	explicit_bzero(salt, slen);
				3393	free(salt);
				3394	}
				3395	if (key != NULL) {
				3396	explicit_bzero(key, keylen + ivlen);
				3397	free(key);
				3398	}
				3399	sshbuf_free(encoded);
				3400	sshbuf_free(decoded);
				3401	sshbuf_free(kdf);
				3402	sshbuf_free(decrypted);
				3403	sshkey_free(k);
				3404	return r;
				3405	}
				3406
				3407	#if WITH_SSH1
				3408	/*
				3409	* Serialises the authentication (private) key to a blob, encrypting it with
				3410	* passphrase. The identification of the blob (lowest 64 bits of n) will
				3411	* precede the key to provide identification of the key without needing a
				3412	* passphrase.
				3413	*/
				3414	static int
				3415	sshkey_private_rsa1_to_blob(struct sshkey key, struct sshbuf blob,
				3416	const char passphrase, const char comment)
				3417	{
				3418	struct sshbuf buffer = NULL, encrypted = NULL;
				3419	u_char buf[8];
				3420	int r, cipher_num;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3421	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3422	const struct sshcipher *cipher;
				3423	u_char *cp;
				3424
				3425	/*
				3426	* If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
				3427	* to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
				3428	*/
				3429	cipher_num = (strcmp(passphrase, "") == 0) ?
				3430	SSH_CIPHER_NONE : SSH_CIPHER_3DES;
				3431	if ((cipher = cipher_by_number(cipher_num)) == NULL)
				3432	return SSH_ERR_INTERNAL_ERROR;
				3433
				3434	/* This buffer is used to build the secret part of the private key. */
				3435	if ((buffer = sshbuf_new()) == NULL)
				3436	return SSH_ERR_ALLOC_FAIL;
				3437
				3438	/* Put checkbytes for checking passphrase validity. */
				3439	if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0)
				3440	goto out;
				3441	arc4random_buf(cp, 2);
				3442	memcpy(cp + 2, cp, 2);
				3443
				3444	/*
				3445	* Store the private key (n and e will not be stored because they
				3446	* will be stored in plain text, and storing them also in encrypted
				3447	* format would just give known plaintext).
				3448	* Note: q and p are stored in reverse order to SSL.
				3449	*/
				3450	if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 \|\|
				3451	(r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 \|\|
				3452	(r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 \|\|
				3453	(r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0)
				3454	goto out;
				3455
				3456	/* Pad the part to be encrypted to a size that is a multiple of 8. */
				3457	explicit_bzero(buf, 8);
				3458	if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0)
				3459	goto out;
				3460
				3461	/* This buffer will be used to contain the data in the file. */
				3462	if ((encrypted = sshbuf_new()) == NULL) {
				3463	r = SSH_ERR_ALLOC_FAIL;
				3464	goto out;
				3465	}
				3466
				3467	/* First store keyfile id string. */
				3468	if ((r = sshbuf_put(encrypted, LEGACY_BEGIN,
				3469	sizeof(LEGACY_BEGIN))) != 0)
				3470	goto out;
				3471
				3472	/* Store cipher type and "reserved" field. */
				3473	if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 \|\|
				3474	(r = sshbuf_put_u32(encrypted, 0)) != 0)
				3475	goto out;
				3476
				3477	/* Store public key. This will be in plain text. */
				3478	if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 \|\|
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	3479	(r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 \|\|
				3480	(r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 \|\|
				3481	(r = sshbuf_put_cstring(encrypted, comment)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3482	goto out;
				3483
				3484	/* Allocate space for the private part of the key in the buffer. */
				3485	if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
				3486	goto out;
				3487
				3488	if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
				3489	CIPHER_ENCRYPT)) != 0)
				3490	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3491	if ((r = cipher_crypt(ciphercontext, 0, cp,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3492	sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0)
				3493	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3494
				3495	r = sshbuf_putb(blob, encrypted);
				3496
				3497	out:
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3498	cipher_free(ciphercontext);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3499	explicit_bzero(buf, sizeof(buf));
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	3500	sshbuf_free(buffer);
				3501	sshbuf_free(encrypted);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3502
				3503	return r;
				3504	}
				3505	#endif /* WITH_SSH1 */
				3506
				3507	#ifdef WITH_OPENSSL
				3508	/* convert SSH v2 key in OpenSSL PEM format */
				3509	static int
				3510	sshkey_private_pem_to_blob(struct sshkey key, struct sshbuf blob,
				3511	const char _passphrase, const char comment)
				3512	{
				3513	int success, r;
				3514	int blen, len = strlen(_passphrase);
				3515	u_char passphrase = (len > 0) ? (u_char )_passphrase : NULL;
				3516	#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
				3517	const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
				3518	#else
				3519	const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
				3520	#endif
				3521	const u_char *bptr;
				3522	BIO *bio = NULL;
				3523
				3524	if (len > 0 && len <= 4)
				3525	return SSH_ERR_PASSPHRASE_TOO_SHORT;
				3526	if ((bio = BIO_new(BIO_s_mem())) == NULL)
				3527	return SSH_ERR_ALLOC_FAIL;
				3528
				3529	switch (key->type) {
				3530	case KEY_DSA:
				3531	success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
				3532	cipher, passphrase, len, NULL, NULL);
				3533	break;
				3534	#ifdef OPENSSL_HAS_ECC
				3535	case KEY_ECDSA:
				3536	success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
				3537	cipher, passphrase, len, NULL, NULL);
				3538	break;
				3539	#endif
				3540	case KEY_RSA:
				3541	success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
				3542	cipher, passphrase, len, NULL, NULL);
				3543	break;
				3544	default:
				3545	success = 0;
				3546	break;
				3547	}
				3548	if (success == 0) {
				3549	r = SSH_ERR_LIBCRYPTO_ERROR;
				3550	goto out;
				3551	}
				3552	if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
				3553	r = SSH_ERR_INTERNAL_ERROR;
				3554	goto out;
				3555	}
				3556	if ((r = sshbuf_put(blob, bptr, blen)) != 0)
				3557	goto out;
				3558	r = 0;
				3559	out:
				3560	BIO_free(bio);
				3561	return r;
				3562	}
				3563	#endif /* WITH_OPENSSL */
				3564
				3565	/* Serialise "key" to buffer "blob" */
				3566	int
				3567	sshkey_private_to_fileblob(struct sshkey key, struct sshbuf blob,
				3568	const char passphrase, const char comment,
				3569	int force_new_format, const char *new_format_cipher, int new_format_rounds)
				3570	{
				3571	switch (key->type) {
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3572	#ifdef WITH_SSH1
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3573	case KEY_RSA1:
				3574	return sshkey_private_rsa1_to_blob(key, blob,
				3575	passphrase, comment);
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3576	#endif /* WITH_SSH1 */
				3577	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3578	case KEY_DSA:
				3579	case KEY_ECDSA:
				3580	case KEY_RSA:
				3581	if (force_new_format) {
				3582	return sshkey_private_to_blob2(key, blob, passphrase,
				3583	comment, new_format_cipher, new_format_rounds);
				3584	}
				3585	return sshkey_private_pem_to_blob(key, blob,
				3586	passphrase, comment);
				3587	#endif /* WITH_OPENSSL */
				3588	case KEY_ED25519:
				3589	return sshkey_private_to_blob2(key, blob, passphrase,
				3590	comment, new_format_cipher, new_format_rounds);
				3591	default:
				3592	return SSH_ERR_KEY_TYPE_UNKNOWN;
				3593	}
				3594	}
				3595
				3596	#ifdef WITH_SSH1
				3597	/*
				3598	* Parse the public, unencrypted portion of a RSA1 key.
				3599	*/
				3600	int
				3601	sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
				3602	struct sshkey keyp, char commentp)
				3603	{
				3604	int r;
				3605	struct sshkey *pub = NULL;
				3606	struct sshbuf *copy = NULL;
				3607
				3608	if (keyp != NULL)
				3609	*keyp = NULL;
				3610	if (commentp != NULL)
				3611	*commentp = NULL;
				3612
				3613	/* Check that it is at least big enough to contain the ID string. */
				3614	if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
				3615	return SSH_ERR_INVALID_FORMAT;
				3616
				3617	/*
				3618	* Make sure it begins with the id string. Consume the id string
				3619	* from the buffer.
				3620	*/
				3621	if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
				3622	return SSH_ERR_INVALID_FORMAT;
				3623	/* Make a working copy of the keyblob and skip past the magic */
				3624	if ((copy = sshbuf_fromb(blob)) == NULL)
				3625	return SSH_ERR_ALLOC_FAIL;
				3626	if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
				3627	goto out;
				3628
				3629	/* Skip cipher type, reserved data and key bits. */
				3630	if ((r = sshbuf_get_u8(copy, NULL)) != 0 \|\| /* cipher type */
				3631	(r = sshbuf_get_u32(copy, NULL)) != 0 \|\| /* reserved */
				3632	(r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */
				3633	goto out;
				3634
				3635	/* Read the public key from the buffer. */
				3636	if ((pub = sshkey_new(KEY_RSA1)) == NULL \|\|
				3637	(r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 \|\|
				3638	(r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0)
				3639	goto out;
				3640
				3641	/* Finally, the comment */
				3642	if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0)
				3643	goto out;
				3644
				3645	/* The encrypted private part is not parsed by this function. */
				3646
				3647	r = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3648	if (keyp != NULL) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3649	*keyp = pub;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3650	pub = NULL;
				3651	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3652	out:
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	3653	sshbuf_free(copy);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	3654	sshkey_free(pub);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3655	return r;
				3656	}
				3657
				3658	static int
				3659	sshkey_parse_private_rsa1(struct sshbuf blob, const char passphrase,
				3660	struct sshkey keyp, char commentp)
				3661	{
				3662	int r;
				3663	u_int16_t check1, check2;
				3664	u_int8_t cipher_type;
				3665	struct sshbuf decrypted = NULL, copy = NULL;
				3666	u_char *cp;
				3667	char *comment = NULL;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3668	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3669	const struct sshcipher *cipher;
				3670	struct sshkey *prv = NULL;
				3671
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3672	if (keyp != NULL)
				3673	*keyp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3674	if (commentp != NULL)
				3675	*commentp = NULL;
				3676
				3677	/* Check that it is at least big enough to contain the ID string. */
				3678	if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
				3679	return SSH_ERR_INVALID_FORMAT;
				3680
				3681	/*
				3682	* Make sure it begins with the id string. Consume the id string
				3683	* from the buffer.
				3684	*/
				3685	if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
				3686	return SSH_ERR_INVALID_FORMAT;
				3687
				3688	if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) {
				3689	r = SSH_ERR_ALLOC_FAIL;
				3690	goto out;
				3691	}
				3692	if ((copy = sshbuf_fromb(blob)) == NULL \|\|
				3693	(decrypted = sshbuf_new()) == NULL) {
				3694	r = SSH_ERR_ALLOC_FAIL;
				3695	goto out;
				3696	}
				3697	if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
				3698	goto out;
				3699
				3700	/* Read cipher type. */
				3701	if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 \|\|
				3702	(r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */
				3703	goto out;
				3704
				3705	/* Read the public key and comment from the buffer. */
				3706	if ((r = sshbuf_get_u32(copy, NULL)) != 0 \|\| /* key bits */
				3707	(r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 \|\|
				3708	(r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 \|\|
				3709	(r = sshbuf_get_cstring(copy, &comment, NULL)) != 0)
				3710	goto out;
				3711
				3712	/* Check that it is a supported cipher. */
				3713	cipher = cipher_by_number(cipher_type);
				3714	if (cipher == NULL) {
				3715	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3716	goto out;
				3717	}
				3718	/* Initialize space for decrypted data. */
				3719	if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0)
				3720	goto out;
				3721
				3722	/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
				3723	if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
				3724	CIPHER_DECRYPT)) != 0)
				3725	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3726	if ((r = cipher_crypt(ciphercontext, 0, cp,
				3727	sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3728	goto out;
				3729
				3730	if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 \|\|
				3731	(r = sshbuf_get_u16(decrypted, &check2)) != 0)
				3732	goto out;
				3733	if (check1 != check2) {
				3734	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3735	goto out;
				3736	}
				3737
				3738	/* Read the rest of the private key. */
				3739	if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 \|\|
				3740	(r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 \|\|
				3741	(r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 \|\|
				3742	(r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0)
				3743	goto out;
				3744
				3745	/* calculate p-1 and q-1 */
				3746	if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0)
				3747	goto out;
				3748
				3749	/* enable blinding */
				3750	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
				3751	r = SSH_ERR_LIBCRYPTO_ERROR;
				3752	goto out;
				3753	}
				3754	r = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3755	if (keyp != NULL) {
				3756	*keyp = prv;
				3757	prv = NULL;
				3758	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3759	if (commentp != NULL) {
				3760	*commentp = comment;
				3761	comment = NULL;
				3762	}
				3763	out:
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3764	cipher_free(ciphercontext);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	3765	free(comment);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	3766	sshkey_free(prv);
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	3767	sshbuf_free(copy);
				3768	sshbuf_free(decrypted);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3769	return r;
				3770	}
				3771	#endif /* WITH_SSH1 */
				3772
				3773	#ifdef WITH_OPENSSL
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3774	static int
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3775	sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3776	const char passphrase, struct sshkey *keyp)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3777	{
				3778	EVP_PKEY *pk = NULL;
				3779	struct sshkey *prv = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3780	BIO *bio = NULL;
				3781	int r;
				3782
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3783	if (keyp != NULL)
				3784	*keyp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3785
				3786	if ((bio = BIO_new(BIO_s_mem())) == NULL \|\| sshbuf_len(blob) > INT_MAX)
				3787	return SSH_ERR_ALLOC_FAIL;
				3788	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
				3789	(int)sshbuf_len(blob)) {
				3790	r = SSH_ERR_ALLOC_FAIL;
				3791	goto out;
				3792	}
				3793
				3794	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
				3795	(char *)passphrase)) == NULL) {
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3796	unsigned long pem_err = ERR_peek_last_error();
				3797	int pem_reason = ERR_GET_REASON(pem_err);
				3798
				3799	/*
				3800	* Translate OpenSSL error codes to determine whether
				3801	* passphrase is required/incorrect.
				3802	*/
				3803	switch (ERR_GET_LIB(pem_err)) {
				3804	case ERR_LIB_PEM:
				3805	switch (pem_reason) {
				3806	case PEM_R_BAD_PASSWORD_READ:
				3807	case PEM_R_PROBLEMS_GETTING_PASSWORD:
				3808	case PEM_R_BAD_DECRYPT:
				3809	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3810	goto out;
				3811	default:
				3812	r = SSH_ERR_INVALID_FORMAT;
				3813	goto out;
				3814	}
				3815	case ERR_LIB_EVP:
				3816	switch (pem_reason) {
				3817	case EVP_R_BAD_DECRYPT:
				3818	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3819	goto out;
				3820	case EVP_R_BN_DECODE_ERROR:
				3821	case EVP_R_DECODE_ERROR:
Darren Tucker	bd5d7d2	2017-02-12 15:45:15 +1100	[diff] [blame]	3822	#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3823	case EVP_R_PRIVATE_KEY_DECODE_ERROR:
Darren Tucker	bd5d7d2	2017-02-12 15:45:15 +1100	[diff] [blame]	3824	#endif
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3825	r = SSH_ERR_INVALID_FORMAT;
				3826	goto out;
				3827	default:
				3828	r = SSH_ERR_LIBCRYPTO_ERROR;
				3829	goto out;
				3830	}
				3831	case ERR_LIB_ASN1:
				3832	r = SSH_ERR_INVALID_FORMAT;
				3833	goto out;
				3834	}
				3835	r = SSH_ERR_LIBCRYPTO_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3836	goto out;
				3837	}
				3838	if (pk->type == EVP_PKEY_RSA &&
				3839	(type == KEY_UNSPEC \|\| type == KEY_RSA)) {
				3840	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
				3841	r = SSH_ERR_ALLOC_FAIL;
				3842	goto out;
				3843	}
				3844	prv->rsa = EVP_PKEY_get1_RSA(pk);
				3845	prv->type = KEY_RSA;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3846	#ifdef DEBUG_PK
				3847	RSA_print_fp(stderr, prv->rsa, 8);
				3848	#endif
				3849	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
				3850	r = SSH_ERR_LIBCRYPTO_ERROR;
				3851	goto out;
				3852	}
				3853	} else if (pk->type == EVP_PKEY_DSA &&
				3854	(type == KEY_UNSPEC \|\| type == KEY_DSA)) {
				3855	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
				3856	r = SSH_ERR_ALLOC_FAIL;
				3857	goto out;
				3858	}
				3859	prv->dsa = EVP_PKEY_get1_DSA(pk);
				3860	prv->type = KEY_DSA;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3861	#ifdef DEBUG_PK
				3862	DSA_print_fp(stderr, prv->dsa, 8);
				3863	#endif
				3864	#ifdef OPENSSL_HAS_ECC
				3865	} else if (pk->type == EVP_PKEY_EC &&
				3866	(type == KEY_UNSPEC \|\| type == KEY_ECDSA)) {
				3867	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
				3868	r = SSH_ERR_ALLOC_FAIL;
				3869	goto out;
				3870	}
				3871	prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
				3872	prv->type = KEY_ECDSA;
				3873	prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
				3874	if (prv->ecdsa_nid == -1 \|\|
				3875	sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL \|\|
				3876	sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
				3877	EC_KEY_get0_public_key(prv->ecdsa)) != 0 \|\|
				3878	sshkey_ec_validate_private(prv->ecdsa) != 0) {
				3879	r = SSH_ERR_INVALID_FORMAT;
				3880	goto out;
				3881	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3882	# ifdef DEBUG_PK
				3883	if (prv != NULL && prv->ecdsa != NULL)
				3884	sshkey_dump_ec_key(prv->ecdsa);
				3885	# endif
				3886	#endif /* OPENSSL_HAS_ECC */
				3887	} else {
				3888	r = SSH_ERR_INVALID_FORMAT;
				3889	goto out;
				3890	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3891	r = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3892	if (keyp != NULL) {
				3893	*keyp = prv;
				3894	prv = NULL;
				3895	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3896	out:
				3897	BIO_free(bio);
				3898	if (pk != NULL)
				3899	EVP_PKEY_free(pk);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	3900	sshkey_free(prv);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3901	return r;
				3902	}
				3903	#endif /* WITH_OPENSSL */
				3904
				3905	int
				3906	sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
				3907	const char passphrase, struct sshkey keyp, char *commentp)
				3908	{
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3909	int r = SSH_ERR_INTERNAL_ERROR;
				3910
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3911	if (keyp != NULL)
				3912	*keyp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3913	if (commentp != NULL)
				3914	*commentp = NULL;
				3915
				3916	switch (type) {
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3917	#ifdef WITH_SSH1
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3918	case KEY_RSA1:
				3919	return sshkey_parse_private_rsa1(blob, passphrase,
				3920	keyp, commentp);
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3921	#endif /* WITH_SSH1 */
				3922	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3923	case KEY_DSA:
				3924	case KEY_ECDSA:
				3925	case KEY_RSA:
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3926	return sshkey_parse_private_pem_fileblob(blob, type,
				3927	passphrase, keyp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3928	#endif /* WITH_OPENSSL */
				3929	case KEY_ED25519:
				3930	return sshkey_parse_private2(blob, type, passphrase,
				3931	keyp, commentp);
				3932	case KEY_UNSPEC:
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3933	r = sshkey_parse_private2(blob, type, passphrase, keyp,
				3934	commentp);
				3935	/* Do not fallback to PEM parser if only passphrase is wrong. */
				3936	if (r == 0 \|\| r == SSH_ERR_KEY_WRONG_PASSPHRASE)
				3937	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3938	#ifdef WITH_OPENSSL
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3939	return sshkey_parse_private_pem_fileblob(blob, type,
				3940	passphrase, keyp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3941	#else
				3942	return SSH_ERR_INVALID_FORMAT;
				3943	#endif /* WITH_OPENSSL */
				3944	default:
				3945	return SSH_ERR_KEY_TYPE_UNKNOWN;
				3946	}
				3947	}
				3948
				3949	int
				3950	sshkey_parse_private_fileblob(struct sshbuf buffer, const char passphrase,
tim@openbsd.org	3c019a9	2015-09-13 14:39:16 +0000	[diff] [blame]	3951	struct sshkey keyp, char commentp)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3952	{
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3953	if (keyp != NULL)
				3954	*keyp = NULL;
				3955	if (commentp != NULL)
				3956	*commentp = NULL;
				3957
				3958	#ifdef WITH_SSH1
				3959	/* it's a SSH v1 key if the public key part is readable */
tim@openbsd.org	3c019a9	2015-09-13 14:39:16 +0000	[diff] [blame]	3960	if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3961	return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
				3962	passphrase, keyp, commentp);
				3963	}
				3964	#endif /* WITH_SSH1 */
tim@openbsd.org	3c019a9	2015-09-13 14:39:16 +0000	[diff] [blame]	3965	return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
				3966	passphrase, keyp, commentp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3967	}