Blame - sshkey.c - platform/external/openssh

blob: 85fd1bd971c2ec3d87cfb25517c27f227827b3c8 [file] [log] [blame]

dtucker@openbsd.org	ecc3589	2017-02-17 02:31:14 +0000	[diff] [blame^]	1	/* $OpenBSD: sshkey.c,v 1.43 2017/02/17 02:31:14 dtucker Exp $ */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2	/*
				3	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
				4	* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
				5	* Copyright (c) 2010,2011 Damien Miller. All rights reserved.
				6	*
				7	* Redistribution and use in source and binary forms, with or without
				8	* modification, are permitted provided that the following conditions
				9	* are met:
				10	* 1. Redistributions of source code must retain the above copyright
				11	* notice, this list of conditions and the following disclaimer.
				12	* 2. Redistributions in binary form must reproduce the above copyright
				13	* notice, this list of conditions and the following disclaimer in the
				14	* documentation and/or other materials provided with the distribution.
				15	*
				16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				26	*/
				27
				28	#include "includes.h"
				29
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	30	#include <sys/types.h>
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	31	#include <netinet/in.h>
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	32
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	33	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	34	#include <openssl/evp.h>
				35	#include <openssl/err.h>
				36	#include <openssl/pem.h>
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	37	#endif
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	38
				39	#include "crypto_api.h"
				40
				41	#include <errno.h>
deraadt@openbsd.org	2ae4f33	2015-01-16 06:40:12 +0000	[diff] [blame]	42	#include <limits.h>
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	43	#include <stdio.h>
				44	#include <string.h>
Damien Miller	d16bdd8	2014-12-22 10:18:09 +1100	[diff] [blame]	45	#include <resolv.h>
Damien Miller	82b2482	2014-07-02 17:43:41 +1000	[diff] [blame]	46	#ifdef HAVE_UTIL_H
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	47	#include <util.h>
Damien Miller	82b2482	2014-07-02 17:43:41 +1000	[diff] [blame]	48	#endif /* HAVE_UTIL_H */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	49
				50	#include "ssh2.h"
				51	#include "ssherr.h"
				52	#include "misc.h"
				53	#include "sshbuf.h"
				54	#include "rsa.h"
				55	#include "cipher.h"
				56	#include "digest.h"
				57	#define SSHKEY_INTERNAL
				58	#include "sshkey.h"
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	59	#include "match.h"
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	60
				61	/* openssh private key file format */
				62	#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
				63	#define MARK_END "-----END OPENSSH PRIVATE KEY-----\n"
				64	#define MARK_BEGIN_LEN (sizeof(MARK_BEGIN) - 1)
				65	#define MARK_END_LEN (sizeof(MARK_END) - 1)
				66	#define KDFNAME "bcrypt"
				67	#define AUTH_MAGIC "openssh-key-v1"
				68	#define SALT_LEN 16
				69	#define DEFAULT_CIPHERNAME "aes256-cbc"
				70	#define DEFAULT_ROUNDS 16
				71
				72	/* Version identification string for SSH v1 identity files. */
				73	#define LEGACY_BEGIN "SSH PRIVATE KEY FILE FORMAT 1.1\n"
				74
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	75	static int sshkey_from_blob_internal(struct sshbuf *buf,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	76	struct sshkey **keyp, int allow_cert);
				77
				78	/* Supported key types */
				79	struct keytype {
				80	const char *name;
				81	const char *shortname;
				82	int type;
				83	int nid;
				84	int cert;
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	85	int sigonly;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	86	};
				87	static const struct keytype keytypes[] = {
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	88	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	89	{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	90	KEY_ED25519_CERT, 0, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	91	#ifdef WITH_OPENSSL
dtucker@openbsd.org	ecc3589	2017-02-17 02:31:14 +0000	[diff] [blame^]	92	# ifdef WITH_SSH1
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	93	{ NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
dtucker@openbsd.org	ecc3589	2017-02-17 02:31:14 +0000	[diff] [blame^]	94	# endif
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	95	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
				96	{ "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
				97	{ "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
				98	{ "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	99	# ifdef OPENSSL_HAS_ECC
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	100	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
				101	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	102	# ifdef OPENSSL_HAS_NISTP521
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	103	{ "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	104	# endif /* OPENSSL_HAS_NISTP521 */
				105	# endif /* OPENSSL_HAS_ECC */
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	106	{ "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
				107	{ "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	108	# ifdef OPENSSL_HAS_ECC
				109	{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	110	KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	111	{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	112	KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	113	# ifdef OPENSSL_HAS_NISTP521
				114	{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	115	KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	116	# endif /* OPENSSL_HAS_NISTP521 */
				117	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	118	#endif /* WITH_OPENSSL */
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	119	{ NULL, NULL, -1, -1, 0, 0 }
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	120	};
				121
				122	const char *
				123	sshkey_type(const struct sshkey *k)
				124	{
				125	const struct keytype *kt;
				126
				127	for (kt = keytypes; kt->type != -1; kt++) {
				128	if (kt->type == k->type)
				129	return kt->shortname;
				130	}
				131	return "unknown";
				132	}
				133
				134	static const char *
				135	sshkey_ssh_name_from_type_nid(int type, int nid)
				136	{
				137	const struct keytype *kt;
				138
				139	for (kt = keytypes; kt->type != -1; kt++) {
				140	if (kt->type == type && (kt->nid == 0 \|\| kt->nid == nid))
				141	return kt->name;
				142	}
				143	return "ssh-unknown";
				144	}
				145
				146	int
				147	sshkey_type_is_cert(int type)
				148	{
				149	const struct keytype *kt;
				150
				151	for (kt = keytypes; kt->type != -1; kt++) {
				152	if (kt->type == type)
				153	return kt->cert;
				154	}
				155	return 0;
				156	}
				157
				158	const char *
				159	sshkey_ssh_name(const struct sshkey *k)
				160	{
				161	return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
				162	}
				163
				164	const char *
				165	sshkey_ssh_name_plain(const struct sshkey *k)
				166	{
				167	return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
				168	k->ecdsa_nid);
				169	}
				170
				171	int
				172	sshkey_type_from_name(const char *name)
				173	{
				174	const struct keytype *kt;
				175
				176	for (kt = keytypes; kt->type != -1; kt++) {
				177	/* Only allow shortname matches for plain key types */
				178	if ((kt->name != NULL && strcmp(name, kt->name) == 0) \|\|
				179	(!kt->cert && strcasecmp(kt->shortname, name) == 0))
				180	return kt->type;
				181	}
				182	return KEY_UNSPEC;
				183	}
				184
				185	int
				186	sshkey_ecdsa_nid_from_name(const char *name)
				187	{
				188	const struct keytype *kt;
				189
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	190	for (kt = keytypes; kt->type != -1; kt++) {
				191	if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
				192	continue;
				193	if (kt->name != NULL && strcmp(name, kt->name) == 0)
				194	return kt->nid;
				195	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	196	return -1;
				197	}
				198
				199	char *
djm@openbsd.org	130f5df	2016-09-12 23:31:27 +0000	[diff] [blame]	200	sshkey_alg_list(int certs_only, int plain_only, char sep)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	201	{
				202	char tmp, ret = NULL;
				203	size_t nlen, rlen = 0;
				204	const struct keytype *kt;
				205
				206	for (kt = keytypes; kt->type != -1; kt++) {
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	207	if (kt->name == NULL \|\| kt->sigonly)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	208	continue;
				209	if ((certs_only && !kt->cert) \|\| (plain_only && kt->cert))
				210	continue;
				211	if (ret != NULL)
djm@openbsd.org	130f5df	2016-09-12 23:31:27 +0000	[diff] [blame]	212	ret[rlen++] = sep;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	213	nlen = strlen(kt->name);
				214	if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
				215	free(ret);
				216	return NULL;
				217	}
				218	ret = tmp;
				219	memcpy(ret + rlen, kt->name, nlen + 1);
				220	rlen += nlen;
				221	}
				222	return ret;
				223	}
				224
				225	int
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	226	sshkey_names_valid2(const char *names, int allow_wildcard)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	227	{
				228	char s, cp, *p;
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	229	const struct keytype *kt;
				230	int type;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	231
				232	if (names == NULL \|\| strcmp(names, "") == 0)
				233	return 0;
				234	if ((s = cp = strdup(names)) == NULL)
				235	return 0;
				236	for ((p = strsep(&cp, ",")); p && *p != '\0';
				237	(p = strsep(&cp, ","))) {
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	238	type = sshkey_type_from_name(p);
				239	if (type == KEY_RSA1) {
				240	free(s);
				241	return 0;
				242	}
				243	if (type == KEY_UNSPEC) {
				244	if (allow_wildcard) {
				245	/*
				246	* Try matching key types against the string.
				247	* If any has a positive or negative match then
				248	* the component is accepted.
				249	*/
				250	for (kt = keytypes; kt->type != -1; kt++) {
				251	if (kt->type == KEY_RSA1)
				252	continue;
				253	if (match_pattern_list(kt->name,
djm@openbsd.org	e661a86	2015-05-04 06:10:48 +0000	[diff] [blame]	254	p, 0) != 0)
djm@openbsd.org	1f729f0	2015-01-13 07:39:19 +0000	[diff] [blame]	255	break;
				256	}
				257	if (kt->type != -1)
				258	continue;
				259	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	260	free(s);
				261	return 0;
				262	}
				263	}
				264	free(s);
				265	return 1;
				266	}
				267
				268	u_int
				269	sshkey_size(const struct sshkey *k)
				270	{
				271	switch (k->type) {
				272	#ifdef WITH_OPENSSL
				273	case KEY_RSA1:
				274	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	275	case KEY_RSA_CERT:
				276	return BN_num_bits(k->rsa->n);
				277	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	278	case KEY_DSA_CERT:
				279	return BN_num_bits(k->dsa->p);
				280	case KEY_ECDSA:
				281	case KEY_ECDSA_CERT:
				282	return sshkey_curve_nid_to_bits(k->ecdsa_nid);
				283	#endif /* WITH_OPENSSL */
				284	case KEY_ED25519:
				285	case KEY_ED25519_CERT:
				286	return 256; /* XXX */
				287	}
				288	return 0;
				289	}
				290
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	291	static int
				292	sshkey_type_is_valid_ca(int type)
				293	{
				294	switch (type) {
				295	case KEY_RSA:
				296	case KEY_DSA:
				297	case KEY_ECDSA:
				298	case KEY_ED25519:
				299	return 1;
				300	default:
				301	return 0;
				302	}
				303	}
				304
				305	int
				306	sshkey_is_cert(const struct sshkey *k)
				307	{
				308	if (k == NULL)
				309	return 0;
				310	return sshkey_type_is_cert(k->type);
				311	}
				312
				313	/* Return the cert-less equivalent to a certified key type */
				314	int
				315	sshkey_type_plain(int type)
				316	{
				317	switch (type) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	318	case KEY_RSA_CERT:
				319	return KEY_RSA;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	320	case KEY_DSA_CERT:
				321	return KEY_DSA;
				322	case KEY_ECDSA_CERT:
				323	return KEY_ECDSA;
				324	case KEY_ED25519_CERT:
				325	return KEY_ED25519;
				326	default:
				327	return type;
				328	}
				329	}
				330
				331	#ifdef WITH_OPENSSL
				332	/* XXX: these are really begging for a table-driven approach */
				333	int
				334	sshkey_curve_name_to_nid(const char *name)
				335	{
				336	if (strcmp(name, "nistp256") == 0)
				337	return NID_X9_62_prime256v1;
				338	else if (strcmp(name, "nistp384") == 0)
				339	return NID_secp384r1;
				340	# ifdef OPENSSL_HAS_NISTP521
				341	else if (strcmp(name, "nistp521") == 0)
				342	return NID_secp521r1;
				343	# endif /* OPENSSL_HAS_NISTP521 */
				344	else
				345	return -1;
				346	}
				347
				348	u_int
				349	sshkey_curve_nid_to_bits(int nid)
				350	{
				351	switch (nid) {
				352	case NID_X9_62_prime256v1:
				353	return 256;
				354	case NID_secp384r1:
				355	return 384;
				356	# ifdef OPENSSL_HAS_NISTP521
				357	case NID_secp521r1:
				358	return 521;
				359	# endif /* OPENSSL_HAS_NISTP521 */
				360	default:
				361	return 0;
				362	}
				363	}
				364
				365	int
				366	sshkey_ecdsa_bits_to_nid(int bits)
				367	{
				368	switch (bits) {
				369	case 256:
				370	return NID_X9_62_prime256v1;
				371	case 384:
				372	return NID_secp384r1;
				373	# ifdef OPENSSL_HAS_NISTP521
				374	case 521:
				375	return NID_secp521r1;
				376	# endif /* OPENSSL_HAS_NISTP521 */
				377	default:
				378	return -1;
				379	}
				380	}
				381
				382	const char *
				383	sshkey_curve_nid_to_name(int nid)
				384	{
				385	switch (nid) {
				386	case NID_X9_62_prime256v1:
				387	return "nistp256";
				388	case NID_secp384r1:
				389	return "nistp384";
				390	# ifdef OPENSSL_HAS_NISTP521
				391	case NID_secp521r1:
				392	return "nistp521";
				393	# endif /* OPENSSL_HAS_NISTP521 */
				394	default:
				395	return NULL;
				396	}
				397	}
				398
				399	int
				400	sshkey_ec_nid_to_hash_alg(int nid)
				401	{
				402	int kbits = sshkey_curve_nid_to_bits(nid);
				403
				404	if (kbits <= 0)
				405	return -1;
				406
				407	/* RFC5656 section 6.2.1 */
				408	if (kbits <= 256)
				409	return SSH_DIGEST_SHA256;
				410	else if (kbits <= 384)
				411	return SSH_DIGEST_SHA384;
				412	else
				413	return SSH_DIGEST_SHA512;
				414	}
				415	#endif /* WITH_OPENSSL */
				416
				417	static void
				418	cert_free(struct sshkey_cert *cert)
				419	{
				420	u_int i;
				421
				422	if (cert == NULL)
				423	return;
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	424	sshbuf_free(cert->certblob);
				425	sshbuf_free(cert->critical);
				426	sshbuf_free(cert->extensions);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	427	free(cert->key_id);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	428	for (i = 0; i < cert->nprincipals; i++)
				429	free(cert->principals[i]);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	430	free(cert->principals);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	431	sshkey_free(cert->signature_key);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	432	explicit_bzero(cert, sizeof(*cert));
				433	free(cert);
				434	}
				435
				436	static struct sshkey_cert *
				437	cert_new(void)
				438	{
				439	struct sshkey_cert *cert;
				440
				441	if ((cert = calloc(1, sizeof(*cert))) == NULL)
				442	return NULL;
				443	if ((cert->certblob = sshbuf_new()) == NULL \|\|
				444	(cert->critical = sshbuf_new()) == NULL \|\|
				445	(cert->extensions = sshbuf_new()) == NULL) {
				446	cert_free(cert);
				447	return NULL;
				448	}
				449	cert->key_id = NULL;
				450	cert->principals = NULL;
				451	cert->signature_key = NULL;
				452	return cert;
				453	}
				454
				455	struct sshkey *
				456	sshkey_new(int type)
				457	{
				458	struct sshkey *k;
				459	#ifdef WITH_OPENSSL
				460	RSA *rsa;
				461	DSA *dsa;
				462	#endif /* WITH_OPENSSL */
				463
				464	if ((k = calloc(1, sizeof(*k))) == NULL)
				465	return NULL;
				466	k->type = type;
				467	k->ecdsa = NULL;
				468	k->ecdsa_nid = -1;
				469	k->dsa = NULL;
				470	k->rsa = NULL;
				471	k->cert = NULL;
				472	k->ed25519_sk = NULL;
				473	k->ed25519_pk = NULL;
				474	switch (k->type) {
				475	#ifdef WITH_OPENSSL
				476	case KEY_RSA1:
				477	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	478	case KEY_RSA_CERT:
				479	if ((rsa = RSA_new()) == NULL \|\|
				480	(rsa->n = BN_new()) == NULL \|\|
				481	(rsa->e = BN_new()) == NULL) {
				482	if (rsa != NULL)
				483	RSA_free(rsa);
				484	free(k);
				485	return NULL;
				486	}
				487	k->rsa = rsa;
				488	break;
				489	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	490	case KEY_DSA_CERT:
				491	if ((dsa = DSA_new()) == NULL \|\|
				492	(dsa->p = BN_new()) == NULL \|\|
				493	(dsa->q = BN_new()) == NULL \|\|
				494	(dsa->g = BN_new()) == NULL \|\|
				495	(dsa->pub_key = BN_new()) == NULL) {
				496	if (dsa != NULL)
				497	DSA_free(dsa);
				498	free(k);
				499	return NULL;
				500	}
				501	k->dsa = dsa;
				502	break;
				503	case KEY_ECDSA:
				504	case KEY_ECDSA_CERT:
				505	/* Cannot do anything until we know the group */
				506	break;
				507	#endif /* WITH_OPENSSL */
				508	case KEY_ED25519:
				509	case KEY_ED25519_CERT:
				510	/* no need to prealloc */
				511	break;
				512	case KEY_UNSPEC:
				513	break;
				514	default:
				515	free(k);
				516	return NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	517	}
				518
				519	if (sshkey_is_cert(k)) {
				520	if ((k->cert = cert_new()) == NULL) {
				521	sshkey_free(k);
				522	return NULL;
				523	}
				524	}
				525
				526	return k;
				527	}
				528
				529	int
				530	sshkey_add_private(struct sshkey *k)
				531	{
				532	switch (k->type) {
				533	#ifdef WITH_OPENSSL
				534	case KEY_RSA1:
				535	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	536	case KEY_RSA_CERT:
				537	#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
				538	if (bn_maybe_alloc_failed(k->rsa->d) \|\|
				539	bn_maybe_alloc_failed(k->rsa->iqmp) \|\|
				540	bn_maybe_alloc_failed(k->rsa->q) \|\|
				541	bn_maybe_alloc_failed(k->rsa->p) \|\|
				542	bn_maybe_alloc_failed(k->rsa->dmq1) \|\|
				543	bn_maybe_alloc_failed(k->rsa->dmp1))
				544	return SSH_ERR_ALLOC_FAIL;
				545	break;
				546	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	547	case KEY_DSA_CERT:
				548	if (bn_maybe_alloc_failed(k->dsa->priv_key))
				549	return SSH_ERR_ALLOC_FAIL;
				550	break;
				551	#undef bn_maybe_alloc_failed
				552	case KEY_ECDSA:
				553	case KEY_ECDSA_CERT:
				554	/* Cannot do anything until we know the group */
				555	break;
				556	#endif /* WITH_OPENSSL */
				557	case KEY_ED25519:
				558	case KEY_ED25519_CERT:
				559	/* no need to prealloc */
				560	break;
				561	case KEY_UNSPEC:
				562	break;
				563	default:
				564	return SSH_ERR_INVALID_ARGUMENT;
				565	}
				566	return 0;
				567	}
				568
				569	struct sshkey *
				570	sshkey_new_private(int type)
				571	{
				572	struct sshkey *k = sshkey_new(type);
				573
				574	if (k == NULL)
				575	return NULL;
				576	if (sshkey_add_private(k) != 0) {
				577	sshkey_free(k);
				578	return NULL;
				579	}
				580	return k;
				581	}
				582
				583	void
				584	sshkey_free(struct sshkey *k)
				585	{
				586	if (k == NULL)
				587	return;
				588	switch (k->type) {
				589	#ifdef WITH_OPENSSL
				590	case KEY_RSA1:
				591	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	592	case KEY_RSA_CERT:
				593	if (k->rsa != NULL)
				594	RSA_free(k->rsa);
				595	k->rsa = NULL;
				596	break;
				597	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	598	case KEY_DSA_CERT:
				599	if (k->dsa != NULL)
				600	DSA_free(k->dsa);
				601	k->dsa = NULL;
				602	break;
				603	# ifdef OPENSSL_HAS_ECC
				604	case KEY_ECDSA:
				605	case KEY_ECDSA_CERT:
				606	if (k->ecdsa != NULL)
				607	EC_KEY_free(k->ecdsa);
				608	k->ecdsa = NULL;
				609	break;
				610	# endif /* OPENSSL_HAS_ECC */
				611	#endif /* WITH_OPENSSL */
				612	case KEY_ED25519:
				613	case KEY_ED25519_CERT:
				614	if (k->ed25519_pk) {
				615	explicit_bzero(k->ed25519_pk, ED25519_PK_SZ);
				616	free(k->ed25519_pk);
				617	k->ed25519_pk = NULL;
				618	}
				619	if (k->ed25519_sk) {
				620	explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);
				621	free(k->ed25519_sk);
				622	k->ed25519_sk = NULL;
				623	}
				624	break;
				625	case KEY_UNSPEC:
				626	break;
				627	default:
				628	break;
				629	}
				630	if (sshkey_is_cert(k))
				631	cert_free(k->cert);
				632	explicit_bzero(k, sizeof(*k));
				633	free(k);
				634	}
				635
				636	static int
				637	cert_compare(struct sshkey_cert a, struct sshkey_cert b)
				638	{
				639	if (a == NULL && b == NULL)
				640	return 1;
				641	if (a == NULL \|\| b == NULL)
				642	return 0;
				643	if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
				644	return 0;
				645	if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
				646	sshbuf_len(a->certblob)) != 0)
				647	return 0;
				648	return 1;
				649	}
				650
				651	/*
				652	* Compare public portions of key only, allowing comparisons between
				653	* certificates and plain keys too.
				654	*/
				655	int
				656	sshkey_equal_public(const struct sshkey a, const struct sshkey b)
				657	{
Darren Tucker	948a177	2014-07-22 01:07:11 +1000	[diff] [blame]	658	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	659	BN_CTX *bnctx;
Darren Tucker	948a177	2014-07-22 01:07:11 +1000	[diff] [blame]	660	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	661
				662	if (a == NULL \|\| b == NULL \|\|
				663	sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
				664	return 0;
				665
				666	switch (a->type) {
				667	#ifdef WITH_OPENSSL
				668	case KEY_RSA1:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	669	case KEY_RSA_CERT:
				670	case KEY_RSA:
				671	return a->rsa != NULL && b->rsa != NULL &&
				672	BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
				673	BN_cmp(a->rsa->n, b->rsa->n) == 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	674	case KEY_DSA_CERT:
				675	case KEY_DSA:
				676	return a->dsa != NULL && b->dsa != NULL &&
				677	BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
				678	BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
				679	BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
				680	BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
				681	# ifdef OPENSSL_HAS_ECC
				682	case KEY_ECDSA_CERT:
				683	case KEY_ECDSA:
				684	if (a->ecdsa == NULL \|\| b->ecdsa == NULL \|\|
				685	EC_KEY_get0_public_key(a->ecdsa) == NULL \|\|
				686	EC_KEY_get0_public_key(b->ecdsa) == NULL)
				687	return 0;
				688	if ((bnctx = BN_CTX_new()) == NULL)
				689	return 0;
				690	if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
				691	EC_KEY_get0_group(b->ecdsa), bnctx) != 0 \|\|
				692	EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
				693	EC_KEY_get0_public_key(a->ecdsa),
				694	EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
				695	BN_CTX_free(bnctx);
				696	return 0;
				697	}
				698	BN_CTX_free(bnctx);
				699	return 1;
				700	# endif /* OPENSSL_HAS_ECC */
				701	#endif /* WITH_OPENSSL */
				702	case KEY_ED25519:
				703	case KEY_ED25519_CERT:
				704	return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
				705	memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
				706	default:
				707	return 0;
				708	}
				709	/* NOTREACHED */
				710	}
				711
				712	int
				713	sshkey_equal(const struct sshkey a, const struct sshkey b)
				714	{
				715	if (a == NULL \|\| b == NULL \|\| a->type != b->type)
				716	return 0;
				717	if (sshkey_is_cert(a)) {
				718	if (!cert_compare(a->cert, b->cert))
				719	return 0;
				720	}
				721	return sshkey_equal_public(a, b);
				722	}
				723
				724	static int
				725	to_blob_buf(const struct sshkey key, struct sshbuf b, int force_plain)
				726	{
				727	int type, ret = SSH_ERR_INTERNAL_ERROR;
				728	const char *typename;
				729
				730	if (key == NULL)
				731	return SSH_ERR_INVALID_ARGUMENT;
				732
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	733	if (sshkey_is_cert(key)) {
				734	if (key->cert == NULL)
				735	return SSH_ERR_EXPECTED_CERT;
				736	if (sshbuf_len(key->cert->certblob) == 0)
				737	return SSH_ERR_KEY_LACKS_CERTBLOB;
				738	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	739	type = force_plain ? sshkey_type_plain(key->type) : key->type;
				740	typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
				741
				742	switch (type) {
				743	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	744	case KEY_DSA_CERT:
				745	case KEY_ECDSA_CERT:
				746	case KEY_RSA_CERT:
				747	#endif /* WITH_OPENSSL */
				748	case KEY_ED25519_CERT:
				749	/* Use the existing blob */
				750	/* XXX modified flag? */
				751	if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
				752	return ret;
				753	break;
				754	#ifdef WITH_OPENSSL
				755	case KEY_DSA:
				756	if (key->dsa == NULL)
				757	return SSH_ERR_INVALID_ARGUMENT;
				758	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				759	(ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 \|\|
				760	(ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 \|\|
				761	(ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 \|\|
				762	(ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0)
				763	return ret;
				764	break;
Darren Tucker	d1a0421	2014-07-19 07:23:55 +1000	[diff] [blame]	765	# ifdef OPENSSL_HAS_ECC
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	766	case KEY_ECDSA:
				767	if (key->ecdsa == NULL)
				768	return SSH_ERR_INVALID_ARGUMENT;
				769	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				770	(ret = sshbuf_put_cstring(b,
				771	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
				772	(ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
				773	return ret;
				774	break;
Darren Tucker	d1a0421	2014-07-19 07:23:55 +1000	[diff] [blame]	775	# endif
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	776	case KEY_RSA:
				777	if (key->rsa == NULL)
				778	return SSH_ERR_INVALID_ARGUMENT;
				779	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				780	(ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 \|\|
				781	(ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0)
				782	return ret;
				783	break;
				784	#endif /* WITH_OPENSSL */
				785	case KEY_ED25519:
				786	if (key->ed25519_pk == NULL)
				787	return SSH_ERR_INVALID_ARGUMENT;
				788	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
				789	(ret = sshbuf_put_string(b,
				790	key->ed25519_pk, ED25519_PK_SZ)) != 0)
				791	return ret;
				792	break;
				793	default:
				794	return SSH_ERR_KEY_TYPE_UNKNOWN;
				795	}
				796	return 0;
				797	}
				798
				799	int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	800	sshkey_putb(const struct sshkey key, struct sshbuf b)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	801	{
				802	return to_blob_buf(key, b, 0);
				803	}
				804
				805	int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	806	sshkey_puts(const struct sshkey key, struct sshbuf b)
				807	{
				808	struct sshbuf *tmp;
				809	int r;
				810
				811	if ((tmp = sshbuf_new()) == NULL)
				812	return SSH_ERR_ALLOC_FAIL;
				813	r = to_blob_buf(key, tmp, 0);
				814	if (r == 0)
				815	r = sshbuf_put_stringb(b, tmp);
				816	sshbuf_free(tmp);
				817	return r;
				818	}
				819
				820	int
				821	sshkey_putb_plain(const struct sshkey key, struct sshbuf b)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	822	{
				823	return to_blob_buf(key, b, 1);
				824	}
				825
				826	static int
				827	to_blob(const struct sshkey key, u_char blobp, size_t lenp, int force_plain)
				828	{
				829	int ret = SSH_ERR_INTERNAL_ERROR;
				830	size_t len;
				831	struct sshbuf *b = NULL;
				832
				833	if (lenp != NULL)
				834	*lenp = 0;
				835	if (blobp != NULL)
				836	*blobp = NULL;
				837	if ((b = sshbuf_new()) == NULL)
				838	return SSH_ERR_ALLOC_FAIL;
				839	if ((ret = to_blob_buf(key, b, force_plain)) != 0)
				840	goto out;
				841	len = sshbuf_len(b);
				842	if (lenp != NULL)
				843	*lenp = len;
				844	if (blobp != NULL) {
				845	if ((*blobp = malloc(len)) == NULL) {
				846	ret = SSH_ERR_ALLOC_FAIL;
				847	goto out;
				848	}
				849	memcpy(*blobp, sshbuf_ptr(b), len);
				850	}
				851	ret = 0;
				852	out:
				853	sshbuf_free(b);
				854	return ret;
				855	}
				856
				857	int
				858	sshkey_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
				859	{
				860	return to_blob(key, blobp, lenp, 0);
				861	}
				862
				863	int
				864	sshkey_plain_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
				865	{
				866	return to_blob(key, blobp, lenp, 1);
				867	}
				868
				869	int
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	870	sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	871	u_char *retp, size_t lenp)
				872	{
				873	u_char blob = NULL, ret = NULL;
				874	size_t blob_len = 0;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	875	int r = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	876
				877	if (retp != NULL)
				878	*retp = NULL;
				879	if (lenp != NULL)
				880	*lenp = 0;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	881	if (ssh_digest_bytes(dgst_alg) == 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	882	r = SSH_ERR_INVALID_ARGUMENT;
				883	goto out;
				884	}
				885
				886	if (k->type == KEY_RSA1) {
				887	#ifdef WITH_OPENSSL
				888	int nlen = BN_num_bytes(k->rsa->n);
				889	int elen = BN_num_bytes(k->rsa->e);
				890
djm@openbsd.org	27c3a9c	2016-09-26 21:16:11 +0000	[diff] [blame]	891	if (nlen < 0 \|\| elen < 0 \|\| nlen >= INT_MAX - elen) {
				892	r = SSH_ERR_INVALID_FORMAT;
				893	goto out;
				894	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	895	blob_len = nlen + elen;
djm@openbsd.org	27c3a9c	2016-09-26 21:16:11 +0000	[diff] [blame]	896	if ((blob = malloc(blob_len)) == NULL) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	897	r = SSH_ERR_ALLOC_FAIL;
				898	goto out;
				899	}
				900	BN_bn2bin(k->rsa->n, blob);
				901	BN_bn2bin(k->rsa->e, blob + nlen);
				902	#endif /* WITH_OPENSSL */
				903	} else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
				904	goto out;
				905	if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
				906	r = SSH_ERR_ALLOC_FAIL;
				907	goto out;
				908	}
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	909	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	910	ret, SSH_DIGEST_MAX_LENGTH)) != 0)
				911	goto out;
				912	/* success */
				913	if (retp != NULL) {
				914	*retp = ret;
				915	ret = NULL;
				916	}
				917	if (lenp != NULL)
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	918	*lenp = ssh_digest_bytes(dgst_alg);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	919	r = 0;
				920	out:
				921	free(ret);
				922	if (blob != NULL) {
				923	explicit_bzero(blob, blob_len);
				924	free(blob);
				925	}
				926	return r;
				927	}
				928
				929	static char *
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	930	fingerprint_b64(const char alg, u_char dgst_raw, size_t dgst_raw_len)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	931	{
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	932	char *ret;
				933	size_t plen = strlen(alg) + 1;
				934	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
				935	int r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	936
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	937	if (dgst_raw_len > 65536 \|\| (ret = calloc(1, rlen)) == NULL)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	938	return NULL;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	939	strlcpy(ret, alg, rlen);
				940	strlcat(ret, ":", rlen);
				941	if (dgst_raw_len == 0)
				942	return ret;
				943	if ((r = b64_ntop(dgst_raw, dgst_raw_len,
				944	ret + plen, rlen - plen)) == -1) {
				945	explicit_bzero(ret, rlen);
				946	free(ret);
				947	return NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	948	}
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	949	/* Trim padding characters from end */
				950	ret[strcspn(ret, "=")] = '\0';
				951	return ret;
				952	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	953
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	954	static char *
				955	fingerprint_hex(const char alg, u_char dgst_raw, size_t dgst_raw_len)
				956	{
				957	char *retval, hex[5];
				958	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
				959
				960	if (dgst_raw_len > 65536 \|\| (retval = calloc(1, rlen)) == NULL)
				961	return NULL;
				962	strlcpy(retval, alg, rlen);
				963	strlcat(retval, ":", rlen);
				964	for (i = 0; i < dgst_raw_len; i++) {
				965	snprintf(hex, sizeof(hex), "%s%02x",
				966	i > 0 ? ":" : "", dgst_raw[i]);
				967	strlcat(retval, hex, rlen);
				968	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	969	return retval;
				970	}
				971
				972	static char *
				973	fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
				974	{
				975	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
				976	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
				977	'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
				978	u_int i, j = 0, rounds, seed = 1;
				979	char *retval;
				980
				981	rounds = (dgst_raw_len / 2) + 1;
				982	if ((retval = calloc(rounds, 6)) == NULL)
				983	return NULL;
				984	retval[j++] = 'x';
				985	for (i = 0; i < rounds; i++) {
				986	u_int idx0, idx1, idx2, idx3, idx4;
				987	if ((i + 1 < rounds) \|\| (dgst_raw_len % 2 != 0)) {
				988	idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
				989	seed) % 6;
				990	idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
				991	idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
				992	(seed / 6)) % 6;
				993	retval[j++] = vowels[idx0];
				994	retval[j++] = consonants[idx1];
				995	retval[j++] = vowels[idx2];
				996	if ((i + 1) < rounds) {
				997	idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
				998	idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
				999	retval[j++] = consonants[idx3];
				1000	retval[j++] = '-';
				1001	retval[j++] = consonants[idx4];
				1002	seed = ((seed * 5) +
				1003	((((u_int)(dgst_raw[2 * i])) * 7) +
				1004	((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
				1005	}
				1006	} else {
				1007	idx0 = seed % 6;
				1008	idx1 = 16;
				1009	idx2 = seed / 6;
				1010	retval[j++] = vowels[idx0];
				1011	retval[j++] = consonants[idx1];
				1012	retval[j++] = vowels[idx2];
				1013	}
				1014	}
				1015	retval[j++] = 'x';
				1016	retval[j++] = '\0';
				1017	return retval;
				1018	}
				1019
				1020	/*
				1021	* Draw an ASCII-Art representing the fingerprint so human brain can
				1022	* profit from its built-in pattern recognition ability.
				1023	* This technique is called "random art" and can be found in some
				1024	* scientific publications like this original paper:
				1025	*
				1026	* "Hash Visualization: a New Technique to improve Real-World Security",
				1027	* Perrig A. and Song D., 1999, International Workshop on Cryptographic
				1028	* Techniques and E-Commerce (CrypTEC '99)
				1029	* sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
				1030	*
				1031	* The subject came up in a talk by Dan Kaminsky, too.
				1032	*
				1033	* If you see the picture is different, the key is different.
				1034	* If the picture looks the same, you still know nothing.
				1035	*
				1036	* The algorithm used here is a worm crawling over a discrete plane,
				1037	* leaving a trace (augmenting the field) everywhere it goes.
				1038	* Movement is taken from dgst_raw 2bit-wise. Bumping into walls
				1039	* makes the respective movement vector be ignored for this turn.
				1040	* Graphs are not unambiguous, because circles in graphs can be
				1041	* walked in either direction.
				1042	*/
				1043
				1044	/*
				1045	* Field sizes for the random art. Have to be odd, so the starting point
				1046	* can be in the exact middle of the picture, and FLDBASE should be >=8 .
				1047	* Else pictures would be too dense, and drawing the frame would
				1048	* fail, too, because the key type would not fit in anymore.
				1049	*/
				1050	#define FLDBASE 8
				1051	#define FLDSIZE_Y (FLDBASE + 1)
				1052	#define FLDSIZE_X (FLDBASE * 2 + 1)
				1053	static char *
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1054	fingerprint_randomart(const char alg, u_char dgst_raw, size_t dgst_raw_len,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1055	const struct sshkey *k)
				1056	{
				1057	/*
				1058	* Chars to be used after each other every time the worm
				1059	* intersects with itself. Matter of taste.
				1060	*/
				1061	char augmentation_string = " .o+=BOX@%&#/^SE";
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1062	char retval, p, title[FLDSIZE_X], hash[FLDSIZE_X];
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1063	u_char field[FLDSIZE_X][FLDSIZE_Y];
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1064	size_t i, tlen, hlen;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1065	u_int b;
Damien Miller	61e28e5	2014-07-03 21:22:22 +1000	[diff] [blame]	1066	int x, y, r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1067	size_t len = strlen(augmentation_string) - 1;
				1068
				1069	if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
				1070	return NULL;
				1071
				1072	/* initialize field */
				1073	memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
				1074	x = FLDSIZE_X / 2;
				1075	y = FLDSIZE_Y / 2;
				1076
				1077	/* process raw key */
				1078	for (i = 0; i < dgst_raw_len; i++) {
				1079	int input;
				1080	/* each byte conveys four 2-bit move commands */
				1081	input = dgst_raw[i];
				1082	for (b = 0; b < 4; b++) {
				1083	/* evaluate 2 bit, rest is shifted later */
				1084	x += (input & 0x1) ? 1 : -1;
				1085	y += (input & 0x2) ? 1 : -1;
				1086
				1087	/* assure we are still in bounds */
deraadt@openbsd.org	9136ec1	2016-09-12 01:22:38 +0000	[diff] [blame]	1088	x = MAXIMUM(x, 0);
				1089	y = MAXIMUM(y, 0);
				1090	x = MINIMUM(x, FLDSIZE_X - 1);
				1091	y = MINIMUM(y, FLDSIZE_Y - 1);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1092
				1093	/* augment the field */
				1094	if (field[x][y] < len - 2)
				1095	field[x][y]++;
				1096	input = input >> 2;
				1097	}
				1098	}
				1099
				1100	/* mark starting point and end point*/
				1101	field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
				1102	field[x][y] = len;
				1103
Damien Miller	61e28e5	2014-07-03 21:22:22 +1000	[diff] [blame]	1104	/* assemble title */
				1105	r = snprintf(title, sizeof(title), "[%s %u]",
				1106	sshkey_type(k), sshkey_size(k));
				1107	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
				1108	if (r < 0 \|\| r > (int)sizeof(title))
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1109	r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
				1110	tlen = (r <= 0) ? 0 : strlen(title);
				1111
				1112	/* assemble hash ID. */
				1113	r = snprintf(hash, sizeof(hash), "[%s]", alg);
				1114	hlen = (r <= 0) ? 0 : strlen(hash);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1115
				1116	/* output upper border */
Damien Miller	61e28e5	2014-07-03 21:22:22 +1000	[diff] [blame]	1117	p = retval;
				1118	*p++ = '+';
				1119	for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
				1120	*p++ = '-';
				1121	memcpy(p, title, tlen);
				1122	p += tlen;
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1123	for (i += tlen; i < FLDSIZE_X; i++)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1124	*p++ = '-';
				1125	*p++ = '+';
				1126	*p++ = '\n';
				1127
				1128	/* output content */
				1129	for (y = 0; y < FLDSIZE_Y; y++) {
				1130	*p++ = '\|';
				1131	for (x = 0; x < FLDSIZE_X; x++)
deraadt@openbsd.org	9136ec1	2016-09-12 01:22:38 +0000	[diff] [blame]	1132	*p++ = augmentation_string[MINIMUM(field[x][y], len)];
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1133	*p++ = '\|';
				1134	*p++ = '\n';
				1135	}
				1136
				1137	/* output lower border */
				1138	*p++ = '+';
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1139	for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
				1140	*p++ = '-';
				1141	memcpy(p, hash, hlen);
				1142	p += hlen;
				1143	for (i += hlen; i < FLDSIZE_X; i++)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1144	*p++ = '-';
				1145	*p++ = '+';
				1146
				1147	return retval;
				1148	}
				1149
				1150	char *
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1151	sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1152	enum sshkey_fp_rep dgst_rep)
				1153	{
				1154	char *retval = NULL;
				1155	u_char *dgst_raw;
				1156	size_t dgst_raw_len;
				1157
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1158	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1159	return NULL;
				1160	switch (dgst_rep) {
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1161	case SSH_FP_DEFAULT:
				1162	if (dgst_alg == SSH_DIGEST_MD5) {
				1163	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
				1164	dgst_raw, dgst_raw_len);
				1165	} else {
				1166	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
				1167	dgst_raw, dgst_raw_len);
				1168	}
				1169	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1170	case SSH_FP_HEX:
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1171	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
				1172	dgst_raw, dgst_raw_len);
				1173	break;
				1174	case SSH_FP_BASE64:
				1175	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
				1176	dgst_raw, dgst_raw_len);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1177	break;
				1178	case SSH_FP_BUBBLEBABBLE:
				1179	retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
				1180	break;
				1181	case SSH_FP_RANDOMART:
djm@openbsd.org	56d1c83	2014-12-21 22:27:55 +0000	[diff] [blame]	1182	retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
				1183	dgst_raw, dgst_raw_len, k);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1184	break;
				1185	default:
				1186	explicit_bzero(dgst_raw, dgst_raw_len);
				1187	free(dgst_raw);
				1188	return NULL;
				1189	}
				1190	explicit_bzero(dgst_raw, dgst_raw_len);
				1191	free(dgst_raw);
				1192	return retval;
				1193	}
				1194
				1195	#ifdef WITH_SSH1
				1196	/*
				1197	* Reads a multiple-precision integer in decimal from the buffer, and advances
				1198	* the pointer. The integer must already be initialized. This function is
				1199	* permitted to modify the buffer. This leaves *cpp to point just beyond the
				1200	* last processed character.
				1201	*/
				1202	static int
				1203	read_decimal_bignum(char *cpp, BIGNUM v)
				1204	{
				1205	char *cp;
				1206	size_t e;
				1207	int skip = 1; /* skip white space */
				1208
				1209	cp = *cpp;
				1210	while (cp == ' ' \|\| cp == '\t')
				1211	cp++;
				1212	e = strspn(cp, "0123456789");
				1213	if (e == 0)
				1214	return SSH_ERR_INVALID_FORMAT;
				1215	if (e > SSHBUF_MAX_BIGNUM * 3)
				1216	return SSH_ERR_BIGNUM_TOO_LARGE;
				1217	if (cp[e] == '\0')
				1218	skip = 0;
millert@openbsd.org	259adb6	2015-11-16 23:47:52 +0000	[diff] [blame]	1219	else if (strchr(" \t\r\n", cp[e]) == NULL)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1220	return SSH_ERR_INVALID_FORMAT;
				1221	cp[e] = '\0';
				1222	if (BN_dec2bn(&v, cp) <= 0)
				1223	return SSH_ERR_INVALID_FORMAT;
				1224	*cpp = cp + e + skip;
				1225	return 0;
				1226	}
				1227	#endif /* WITH_SSH1 */
				1228
				1229	/* returns 0 ok, and < 0 error */
				1230	int
				1231	sshkey_read(struct sshkey ret, char *cpp)
				1232	{
				1233	struct sshkey *k;
				1234	int retval = SSH_ERR_INVALID_FORMAT;
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1235	char ep, cp, *space;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1236	int r, type, curve_nid = -1;
				1237	struct sshbuf *blob;
				1238	#ifdef WITH_SSH1
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1239	u_long bits;
				1240	#endif /* WITH_SSH1 */
				1241
				1242	cp = *cpp;
				1243
				1244	switch (ret->type) {
				1245	case KEY_RSA1:
				1246	#ifdef WITH_SSH1
				1247	/* Get number of bits. */
				1248	bits = strtoul(cp, &ep, 10);
millert@openbsd.org	259adb6	2015-11-16 23:47:52 +0000	[diff] [blame]	1249	if (cp == '\0' \|\| strchr(" \t\r\n", ep) == NULL \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1250	bits == 0 \|\| bits > SSHBUF_MAX_BIGNUM * 8)
				1251	return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
				1252	/* Get public exponent, public modulus. */
				1253	if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
				1254	return r;
				1255	if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
				1256	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1257	/* validate the claimed number of bits */
				1258	if (BN_num_bits(ret->rsa->n) != (int)bits)
				1259	return SSH_ERR_KEY_BITS_MISMATCH;
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1260	*cpp = ep;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1261	retval = 0;
				1262	#endif /* WITH_SSH1 */
				1263	break;
				1264	case KEY_UNSPEC:
				1265	case KEY_RSA:
				1266	case KEY_DSA:
				1267	case KEY_ECDSA:
				1268	case KEY_ED25519:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1269	case KEY_DSA_CERT:
				1270	case KEY_ECDSA_CERT:
				1271	case KEY_RSA_CERT:
				1272	case KEY_ED25519_CERT:
				1273	space = strchr(cp, ' ');
				1274	if (space == NULL)
				1275	return SSH_ERR_INVALID_FORMAT;
				1276	*space = '\0';
				1277	type = sshkey_type_from_name(cp);
				1278	if (sshkey_type_plain(type) == KEY_ECDSA &&
				1279	(curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1)
				1280	return SSH_ERR_EC_CURVE_INVALID;
				1281	*space = ' ';
				1282	if (type == KEY_UNSPEC)
				1283	return SSH_ERR_INVALID_FORMAT;
				1284	cp = space+1;
				1285	if (*cp == '\0')
				1286	return SSH_ERR_INVALID_FORMAT;
djm@openbsd.org	d2d5100	2014-11-18 01:02:25 +0000	[diff] [blame]	1287	if (ret->type != KEY_UNSPEC && ret->type != type)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1288	return SSH_ERR_KEY_TYPE_MISMATCH;
				1289	if ((blob = sshbuf_new()) == NULL)
				1290	return SSH_ERR_ALLOC_FAIL;
				1291	/* trim comment */
				1292	space = strchr(cp, ' ');
markus@openbsd.org	816d153	2015-01-12 20:13:27 +0000	[diff] [blame]	1293	if (space) {
				1294	/* advance 'space': skip whitespace */
				1295	*space++ = '\0';
				1296	while (space == ' ' \|\| space == '\t')
				1297	space++;
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1298	ep = space;
markus@openbsd.org	816d153	2015-01-12 20:13:27 +0000	[diff] [blame]	1299	} else
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1300	ep = cp + strlen(cp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1301	if ((r = sshbuf_b64tod(blob, cp)) != 0) {
				1302	sshbuf_free(blob);
				1303	return r;
				1304	}
				1305	if ((r = sshkey_from_blob(sshbuf_ptr(blob),
				1306	sshbuf_len(blob), &k)) != 0) {
				1307	sshbuf_free(blob);
				1308	return r;
				1309	}
				1310	sshbuf_free(blob);
				1311	if (k->type != type) {
				1312	sshkey_free(k);
				1313	return SSH_ERR_KEY_TYPE_MISMATCH;
				1314	}
				1315	if (sshkey_type_plain(type) == KEY_ECDSA &&
				1316	curve_nid != k->ecdsa_nid) {
				1317	sshkey_free(k);
				1318	return SSH_ERR_EC_CURVE_MISMATCH;
				1319	}
djm@openbsd.org	d2d5100	2014-11-18 01:02:25 +0000	[diff] [blame]	1320	ret->type = type;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1321	if (sshkey_is_cert(ret)) {
				1322	if (!sshkey_is_cert(k)) {
				1323	sshkey_free(k);
				1324	return SSH_ERR_EXPECTED_CERT;
				1325	}
				1326	if (ret->cert != NULL)
				1327	cert_free(ret->cert);
				1328	ret->cert = k->cert;
				1329	k->cert = NULL;
				1330	}
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1331	switch (sshkey_type_plain(ret->type)) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1332	#ifdef WITH_OPENSSL
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1333	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1334	if (ret->rsa != NULL)
				1335	RSA_free(ret->rsa);
				1336	ret->rsa = k->rsa;
				1337	k->rsa = NULL;
				1338	#ifdef DEBUG_PK
				1339	RSA_print_fp(stderr, ret->rsa, 8);
				1340	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1341	break;
				1342	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1343	if (ret->dsa != NULL)
				1344	DSA_free(ret->dsa);
				1345	ret->dsa = k->dsa;
				1346	k->dsa = NULL;
				1347	#ifdef DEBUG_PK
				1348	DSA_print_fp(stderr, ret->dsa, 8);
				1349	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1350	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1351	# ifdef OPENSSL_HAS_ECC
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1352	case KEY_ECDSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1353	if (ret->ecdsa != NULL)
				1354	EC_KEY_free(ret->ecdsa);
				1355	ret->ecdsa = k->ecdsa;
				1356	ret->ecdsa_nid = k->ecdsa_nid;
				1357	k->ecdsa = NULL;
				1358	k->ecdsa_nid = -1;
				1359	#ifdef DEBUG_PK
				1360	sshkey_dump_ec_key(ret->ecdsa);
				1361	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1362	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1363	# endif /* OPENSSL_HAS_ECC */
				1364	#endif /* WITH_OPENSSL */
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1365	case KEY_ED25519:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1366	free(ret->ed25519_pk);
				1367	ret->ed25519_pk = k->ed25519_pk;
				1368	k->ed25519_pk = NULL;
				1369	#ifdef DEBUG_PK
				1370	/* XXX */
				1371	#endif
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1372	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1373	}
djm@openbsd.org	3a9f84b	2015-11-16 22:50:01 +0000	[diff] [blame]	1374	*cpp = ep;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1375	retval = 0;
				1376	/XXXX/
				1377	sshkey_free(k);
				1378	if (retval != 0)
				1379	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1380	break;
				1381	default:
				1382	return SSH_ERR_INVALID_ARGUMENT;
				1383	}
				1384	return retval;
				1385	}
				1386
				1387	int
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1388	sshkey_to_base64(const struct sshkey key, char *b64p)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1389	{
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1390	int r = SSH_ERR_INTERNAL_ERROR;
				1391	struct sshbuf *b = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1392	char *uu = NULL;
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1393
				1394	if (b64p != NULL)
				1395	*b64p = NULL;
				1396	if ((b = sshbuf_new()) == NULL)
				1397	return SSH_ERR_ALLOC_FAIL;
				1398	if ((r = sshkey_putb(key, b)) != 0)
				1399	goto out;
				1400	if ((uu = sshbuf_dtob64(b)) == NULL) {
				1401	r = SSH_ERR_ALLOC_FAIL;
				1402	goto out;
				1403	}
				1404	/* Success */
				1405	if (b64p != NULL) {
				1406	*b64p = uu;
				1407	uu = NULL;
				1408	}
				1409	r = 0;
				1410	out:
				1411	sshbuf_free(b);
				1412	free(uu);
				1413	return r;
				1414	}
				1415
				1416	static int
				1417	sshkey_format_rsa1(const struct sshkey key, struct sshbuf b)
				1418	{
				1419	int r = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1420	#ifdef WITH_SSH1
				1421	u_int bits = 0;
				1422	char dec_e = NULL, dec_n = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1423
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1424	if (key->rsa == NULL \|\| key->rsa->e == NULL \|\|
				1425	key->rsa->n == NULL) {
				1426	r = SSH_ERR_INVALID_ARGUMENT;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1427	goto out;
				1428	}
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1429	if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL \|\|
				1430	(dec_n = BN_bn2dec(key->rsa->n)) == NULL) {
				1431	r = SSH_ERR_ALLOC_FAIL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1432	goto out;
				1433	}
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1434	/* size of modulus 'n' */
				1435	if ((bits = BN_num_bits(key->rsa->n)) <= 0) {
				1436	r = SSH_ERR_INVALID_ARGUMENT;
				1437	goto out;
				1438	}
				1439	if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0)
				1440	goto out;
				1441
				1442	/* Success */
				1443	r = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1444	out:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1445	if (dec_e != NULL)
				1446	OPENSSL_free(dec_e);
				1447	if (dec_n != NULL)
				1448	OPENSSL_free(dec_n);
				1449	#endif /* WITH_SSH1 */
djm@openbsd.org	d80fbe4	2015-05-21 04:55:51 +0000	[diff] [blame]	1450
				1451	return r;
				1452	}
				1453
				1454	static int
				1455	sshkey_format_text(const struct sshkey key, struct sshbuf b)
				1456	{
				1457	int r = SSH_ERR_INTERNAL_ERROR;
				1458	char *uu = NULL;
				1459
				1460	if (key->type == KEY_RSA1) {
				1461	if ((r = sshkey_format_rsa1(key, b)) != 0)
				1462	goto out;
				1463	} else {
				1464	/* Unsupported key types handled in sshkey_to_base64() */
				1465	if ((r = sshkey_to_base64(key, &uu)) != 0)
				1466	goto out;
				1467	if ((r = sshbuf_putf(b, "%s %s",
				1468	sshkey_ssh_name(key), uu)) != 0)
				1469	goto out;
				1470	}
				1471	r = 0;
				1472	out:
				1473	free(uu);
				1474	return r;
				1475	}
				1476
				1477	int
				1478	sshkey_write(const struct sshkey key, FILE f)
				1479	{
				1480	struct sshbuf *b = NULL;
				1481	int r = SSH_ERR_INTERNAL_ERROR;
				1482
				1483	if ((b = sshbuf_new()) == NULL)
				1484	return SSH_ERR_ALLOC_FAIL;
				1485	if ((r = sshkey_format_text(key, b)) != 0)
				1486	goto out;
				1487	if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
				1488	if (feof(f))
				1489	errno = EPIPE;
				1490	r = SSH_ERR_SYSTEM_ERROR;
				1491	goto out;
				1492	}
				1493	/* Success */
				1494	r = 0;
				1495	out:
				1496	sshbuf_free(b);
				1497	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1498	}
				1499
				1500	const char *
				1501	sshkey_cert_type(const struct sshkey *k)
				1502	{
				1503	switch (k->cert->type) {
				1504	case SSH2_CERT_TYPE_USER:
				1505	return "user";
				1506	case SSH2_CERT_TYPE_HOST:
				1507	return "host";
				1508	default:
				1509	return "unknown";
				1510	}
				1511	}
				1512
				1513	#ifdef WITH_OPENSSL
				1514	static int
				1515	rsa_generate_private_key(u_int bits, RSA **rsap)
				1516	{
				1517	RSA *private = NULL;
				1518	BIGNUM *f4 = NULL;
				1519	int ret = SSH_ERR_INTERNAL_ERROR;
				1520
				1521	if (rsap == NULL \|\|
				1522	bits < SSH_RSA_MINIMUM_MODULUS_SIZE \|\|
				1523	bits > SSHBUF_MAX_BIGNUM * 8)
				1524	return SSH_ERR_INVALID_ARGUMENT;
				1525	*rsap = NULL;
				1526	if ((private = RSA_new()) == NULL \|\| (f4 = BN_new()) == NULL) {
				1527	ret = SSH_ERR_ALLOC_FAIL;
				1528	goto out;
				1529	}
				1530	if (!BN_set_word(f4, RSA_F4) \|\|
				1531	!RSA_generate_key_ex(private, bits, f4, NULL)) {
				1532	ret = SSH_ERR_LIBCRYPTO_ERROR;
				1533	goto out;
				1534	}
				1535	*rsap = private;
				1536	private = NULL;
				1537	ret = 0;
				1538	out:
				1539	if (private != NULL)
				1540	RSA_free(private);
				1541	if (f4 != NULL)
				1542	BN_free(f4);
				1543	return ret;
				1544	}
				1545
				1546	static int
				1547	dsa_generate_private_key(u_int bits, DSA **dsap)
				1548	{
				1549	DSA *private;
				1550	int ret = SSH_ERR_INTERNAL_ERROR;
				1551
				1552	if (dsap == NULL \|\| bits != 1024)
				1553	return SSH_ERR_INVALID_ARGUMENT;
				1554	if ((private = DSA_new()) == NULL) {
				1555	ret = SSH_ERR_ALLOC_FAIL;
				1556	goto out;
				1557	}
				1558	*dsap = NULL;
				1559	if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
				1560	NULL, NULL) \|\| !DSA_generate_key(private)) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1561	ret = SSH_ERR_LIBCRYPTO_ERROR;
				1562	goto out;
				1563	}
				1564	*dsap = private;
				1565	private = NULL;
				1566	ret = 0;
				1567	out:
				1568	if (private != NULL)
				1569	DSA_free(private);
				1570	return ret;
				1571	}
				1572
				1573	# ifdef OPENSSL_HAS_ECC
				1574	int
				1575	sshkey_ecdsa_key_to_nid(EC_KEY *k)
				1576	{
				1577	EC_GROUP *eg;
				1578	int nids[] = {
				1579	NID_X9_62_prime256v1,
				1580	NID_secp384r1,
				1581	# ifdef OPENSSL_HAS_NISTP521
				1582	NID_secp521r1,
				1583	# endif /* OPENSSL_HAS_NISTP521 */
				1584	-1
				1585	};
				1586	int nid;
				1587	u_int i;
				1588	BN_CTX *bnctx;
				1589	const EC_GROUP *g = EC_KEY_get0_group(k);
				1590
				1591	/*
				1592	* The group may be stored in a ASN.1 encoded private key in one of two
				1593	* ways: as a "named group", which is reconstituted by ASN.1 object ID
				1594	* or explicit group parameters encoded into the key blob. Only the
				1595	* "named group" case sets the group NID for us, but we can figure
				1596	* it out for the other case by comparing against all the groups that
				1597	* are supported.
				1598	*/
				1599	if ((nid = EC_GROUP_get_curve_name(g)) > 0)
				1600	return nid;
				1601	if ((bnctx = BN_CTX_new()) == NULL)
				1602	return -1;
				1603	for (i = 0; nids[i] != -1; i++) {
				1604	if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) {
				1605	BN_CTX_free(bnctx);
				1606	return -1;
				1607	}
				1608	if (EC_GROUP_cmp(g, eg, bnctx) == 0)
				1609	break;
				1610	EC_GROUP_free(eg);
				1611	}
				1612	BN_CTX_free(bnctx);
				1613	if (nids[i] != -1) {
				1614	/* Use the group with the NID attached */
				1615	EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
				1616	if (EC_KEY_set_group(k, eg) != 1) {
				1617	EC_GROUP_free(eg);
				1618	return -1;
				1619	}
				1620	}
				1621	return nids[i];
				1622	}
				1623
				1624	static int
				1625	ecdsa_generate_private_key(u_int bits, int nid, EC_KEY *ecdsap)
				1626	{
				1627	EC_KEY *private;
				1628	int ret = SSH_ERR_INTERNAL_ERROR;
				1629
				1630	if (nid == NULL \|\| ecdsap == NULL \|\|
				1631	(*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
				1632	return SSH_ERR_INVALID_ARGUMENT;
				1633	*ecdsap = NULL;
				1634	if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
				1635	ret = SSH_ERR_ALLOC_FAIL;
				1636	goto out;
				1637	}
				1638	if (EC_KEY_generate_key(private) != 1) {
				1639	ret = SSH_ERR_LIBCRYPTO_ERROR;
				1640	goto out;
				1641	}
				1642	EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
				1643	*ecdsap = private;
				1644	private = NULL;
				1645	ret = 0;
				1646	out:
				1647	if (private != NULL)
				1648	EC_KEY_free(private);
				1649	return ret;
				1650	}
				1651	# endif /* OPENSSL_HAS_ECC */
				1652	#endif /* WITH_OPENSSL */
				1653
				1654	int
				1655	sshkey_generate(int type, u_int bits, struct sshkey **keyp)
				1656	{
				1657	struct sshkey *k;
				1658	int ret = SSH_ERR_INTERNAL_ERROR;
				1659
				1660	if (keyp == NULL)
				1661	return SSH_ERR_INVALID_ARGUMENT;
				1662	*keyp = NULL;
				1663	if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
				1664	return SSH_ERR_ALLOC_FAIL;
				1665	switch (type) {
				1666	case KEY_ED25519:
				1667	if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL \|\|
				1668	(k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
				1669	ret = SSH_ERR_ALLOC_FAIL;
				1670	break;
				1671	}
				1672	crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
				1673	ret = 0;
				1674	break;
				1675	#ifdef WITH_OPENSSL
				1676	case KEY_DSA:
				1677	ret = dsa_generate_private_key(bits, &k->dsa);
				1678	break;
				1679	# ifdef OPENSSL_HAS_ECC
				1680	case KEY_ECDSA:
				1681	ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
				1682	&k->ecdsa);
				1683	break;
				1684	# endif /* OPENSSL_HAS_ECC */
				1685	case KEY_RSA:
				1686	case KEY_RSA1:
				1687	ret = rsa_generate_private_key(bits, &k->rsa);
				1688	break;
				1689	#endif /* WITH_OPENSSL */
				1690	default:
				1691	ret = SSH_ERR_INVALID_ARGUMENT;
				1692	}
				1693	if (ret == 0) {
				1694	k->type = type;
				1695	*keyp = k;
				1696	} else
				1697	sshkey_free(k);
				1698	return ret;
				1699	}
				1700
				1701	int
				1702	sshkey_cert_copy(const struct sshkey from_key, struct sshkey to_key)
				1703	{
				1704	u_int i;
				1705	const struct sshkey_cert *from;
				1706	struct sshkey_cert *to;
				1707	int ret = SSH_ERR_INTERNAL_ERROR;
				1708
				1709	if (to_key->cert != NULL) {
				1710	cert_free(to_key->cert);
				1711	to_key->cert = NULL;
				1712	}
				1713
				1714	if ((from = from_key->cert) == NULL)
				1715	return SSH_ERR_INVALID_ARGUMENT;
				1716
				1717	if ((to = to_key->cert = cert_new()) == NULL)
				1718	return SSH_ERR_ALLOC_FAIL;
				1719
				1720	if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 \|\|
				1721	(ret = sshbuf_putb(to->critical, from->critical)) != 0 \|\|
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	1722	(ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1723	return ret;
				1724
				1725	to->serial = from->serial;
				1726	to->type = from->type;
				1727	if (from->key_id == NULL)
				1728	to->key_id = NULL;
				1729	else if ((to->key_id = strdup(from->key_id)) == NULL)
				1730	return SSH_ERR_ALLOC_FAIL;
				1731	to->valid_after = from->valid_after;
				1732	to->valid_before = from->valid_before;
				1733	if (from->signature_key == NULL)
				1734	to->signature_key = NULL;
				1735	else if ((ret = sshkey_from_private(from->signature_key,
				1736	&to->signature_key)) != 0)
				1737	return ret;
				1738
				1739	if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS)
				1740	return SSH_ERR_INVALID_ARGUMENT;
				1741	if (from->nprincipals > 0) {
				1742	if ((to->principals = calloc(from->nprincipals,
				1743	sizeof(*to->principals))) == NULL)
				1744	return SSH_ERR_ALLOC_FAIL;
				1745	for (i = 0; i < from->nprincipals; i++) {
				1746	to->principals[i] = strdup(from->principals[i]);
				1747	if (to->principals[i] == NULL) {
				1748	to->nprincipals = i;
				1749	return SSH_ERR_ALLOC_FAIL;
				1750	}
				1751	}
				1752	}
				1753	to->nprincipals = from->nprincipals;
				1754	return 0;
				1755	}
				1756
				1757	int
				1758	sshkey_from_private(const struct sshkey k, struct sshkey *pkp)
				1759	{
				1760	struct sshkey *n = NULL;
				1761	int ret = SSH_ERR_INTERNAL_ERROR;
				1762
djm@openbsd.org	1a2663a	2015-10-15 23:08:23 +0000	[diff] [blame]	1763	*pkp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1764	switch (k->type) {
				1765	#ifdef WITH_OPENSSL
				1766	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1767	case KEY_DSA_CERT:
				1768	if ((n = sshkey_new(k->type)) == NULL)
				1769	return SSH_ERR_ALLOC_FAIL;
				1770	if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) \|\|
				1771	(BN_copy(n->dsa->q, k->dsa->q) == NULL) \|\|
				1772	(BN_copy(n->dsa->g, k->dsa->g) == NULL) \|\|
				1773	(BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
				1774	sshkey_free(n);
				1775	return SSH_ERR_ALLOC_FAIL;
				1776	}
				1777	break;
				1778	# ifdef OPENSSL_HAS_ECC
				1779	case KEY_ECDSA:
				1780	case KEY_ECDSA_CERT:
				1781	if ((n = sshkey_new(k->type)) == NULL)
				1782	return SSH_ERR_ALLOC_FAIL;
				1783	n->ecdsa_nid = k->ecdsa_nid;
				1784	n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
				1785	if (n->ecdsa == NULL) {
				1786	sshkey_free(n);
				1787	return SSH_ERR_ALLOC_FAIL;
				1788	}
				1789	if (EC_KEY_set_public_key(n->ecdsa,
				1790	EC_KEY_get0_public_key(k->ecdsa)) != 1) {
				1791	sshkey_free(n);
				1792	return SSH_ERR_LIBCRYPTO_ERROR;
				1793	}
				1794	break;
				1795	# endif /* OPENSSL_HAS_ECC */
				1796	case KEY_RSA:
				1797	case KEY_RSA1:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1798	case KEY_RSA_CERT:
				1799	if ((n = sshkey_new(k->type)) == NULL)
				1800	return SSH_ERR_ALLOC_FAIL;
				1801	if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) \|\|
				1802	(BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
				1803	sshkey_free(n);
				1804	return SSH_ERR_ALLOC_FAIL;
				1805	}
				1806	break;
				1807	#endif /* WITH_OPENSSL */
				1808	case KEY_ED25519:
				1809	case KEY_ED25519_CERT:
				1810	if ((n = sshkey_new(k->type)) == NULL)
				1811	return SSH_ERR_ALLOC_FAIL;
				1812	if (k->ed25519_pk != NULL) {
				1813	if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
				1814	sshkey_free(n);
				1815	return SSH_ERR_ALLOC_FAIL;
				1816	}
				1817	memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
				1818	}
				1819	break;
				1820	default:
				1821	return SSH_ERR_KEY_TYPE_UNKNOWN;
				1822	}
				1823	if (sshkey_is_cert(k)) {
				1824	if ((ret = sshkey_cert_copy(k, n)) != 0) {
				1825	sshkey_free(n);
				1826	return ret;
				1827	}
				1828	}
				1829	*pkp = n;
				1830	return 0;
				1831	}
				1832
				1833	static int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1834	cert_parse(struct sshbuf b, struct sshkey key, struct sshbuf *certbuf)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1835	{
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1836	struct sshbuf principals = NULL, crit = NULL;
				1837	struct sshbuf exts = NULL, ca = NULL;
				1838	u_char *sig = NULL;
				1839	size_t signed_len = 0, slen = 0, kidlen = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1840	int ret = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1841
				1842	/* Copy the entire key blob for verification and later serialisation */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1843	if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1844	return ret;
				1845
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	1846	/* Parse body of certificate up to signature */
				1847	if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1848	(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 \|\|
				1849	(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 \|\|
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1850	(ret = sshbuf_froms(b, &principals)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1851	(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 \|\|
				1852	(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 \|\|
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1853	(ret = sshbuf_froms(b, &crit)) != 0 \|\|
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	1854	(ret = sshbuf_froms(b, &exts)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1855	(ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 \|\|
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1856	(ret = sshbuf_froms(b, &ca)) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1857	/* XXX debug print error for ret */
				1858	ret = SSH_ERR_INVALID_FORMAT;
				1859	goto out;
				1860	}
				1861
				1862	/* Signature is left in the buffer so we can calculate this length */
				1863	signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
				1864
				1865	if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
				1866	ret = SSH_ERR_INVALID_FORMAT;
				1867	goto out;
				1868	}
				1869
				1870	if (key->cert->type != SSH2_CERT_TYPE_USER &&
				1871	key->cert->type != SSH2_CERT_TYPE_HOST) {
				1872	ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
				1873	goto out;
				1874	}
				1875
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1876	/* Parse principals section */
				1877	while (sshbuf_len(principals) > 0) {
				1878	char *principal = NULL;
				1879	char **oprincipals = NULL;
				1880
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1881	if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
				1882	ret = SSH_ERR_INVALID_FORMAT;
				1883	goto out;
				1884	}
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1885	if ((ret = sshbuf_get_cstring(principals, &principal,
				1886	NULL)) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1887	ret = SSH_ERR_INVALID_FORMAT;
				1888	goto out;
				1889	}
				1890	oprincipals = key->cert->principals;
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	1891	key->cert->principals = reallocarray(key->cert->principals,
				1892	key->cert->nprincipals + 1, sizeof(*key->cert->principals));
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1893	if (key->cert->principals == NULL) {
				1894	free(principal);
				1895	key->cert->principals = oprincipals;
				1896	ret = SSH_ERR_ALLOC_FAIL;
				1897	goto out;
				1898	}
				1899	key->cert->principals[key->cert->nprincipals++] = principal;
				1900	}
				1901
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1902	/*
				1903	* Stash a copies of the critical options and extensions sections
				1904	* for later use.
				1905	*/
				1906	if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 \|\|
				1907	(exts != NULL &&
				1908	(ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1909	goto out;
				1910
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1911	/*
				1912	* Validate critical options and extensions sections format.
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1913	*/
				1914	while (sshbuf_len(crit) != 0) {
				1915	if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 \|\|
				1916	(ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
				1917	sshbuf_reset(key->cert->critical);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1918	ret = SSH_ERR_INVALID_FORMAT;
				1919	goto out;
				1920	}
				1921	}
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1922	while (exts != NULL && sshbuf_len(exts) != 0) {
				1923	if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 \|\|
				1924	(ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
				1925	sshbuf_reset(key->cert->extensions);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1926	ret = SSH_ERR_INVALID_FORMAT;
				1927	goto out;
				1928	}
				1929	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1930
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1931	/* Parse CA key and check signature */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1932	if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1933	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				1934	goto out;
				1935	}
				1936	if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
				1937	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				1938	goto out;
				1939	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1940	if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
				1941	sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0)
				1942	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1943
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1944	/* Success */
				1945	ret = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1946	out:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1947	sshbuf_free(ca);
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	1948	sshbuf_free(crit);
				1949	sshbuf_free(exts);
				1950	sshbuf_free(principals);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1951	free(sig);
				1952	return ret;
				1953	}
				1954
				1955	static int
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1956	sshkey_from_blob_internal(struct sshbuf b, struct sshkey *keyp,
				1957	int allow_cert)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1958	{
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	1959	int type, ret = SSH_ERR_INTERNAL_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1960	char ktype = NULL, curve = NULL;
				1961	struct sshkey *key = NULL;
				1962	size_t len;
				1963	u_char *pk = NULL;
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1964	struct sshbuf *copy;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1965	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
				1966	EC_POINT *q = NULL;
				1967	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
				1968
				1969	#ifdef DEBUG_PK /* XXX */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1970	sshbuf_dump(b, stderr);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1971	#endif
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	1972	if (keyp != NULL)
				1973	*keyp = NULL;
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1974	if ((copy = sshbuf_fromb(b)) == NULL) {
				1975	ret = SSH_ERR_ALLOC_FAIL;
				1976	goto out;
				1977	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1978	if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
				1979	ret = SSH_ERR_INVALID_FORMAT;
				1980	goto out;
				1981	}
				1982
				1983	type = sshkey_type_from_name(ktype);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1984	if (!allow_cert && sshkey_type_is_cert(type)) {
				1985	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				1986	goto out;
				1987	}
				1988	switch (type) {
				1989	#ifdef WITH_OPENSSL
				1990	case KEY_RSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	1991	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1992	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				1993	ret = SSH_ERR_INVALID_FORMAT;
				1994	goto out;
				1995	}
				1996	/* FALLTHROUGH */
				1997	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	1998	if ((key = sshkey_new(type)) == NULL) {
				1999	ret = SSH_ERR_ALLOC_FAIL;
				2000	goto out;
				2001	}
djm@openbsd.org	3f4ea3c	2015-04-03 22:17:27 +0000	[diff] [blame]	2002	if (sshbuf_get_bignum2(b, key->rsa->e) != 0 \|\|
				2003	sshbuf_get_bignum2(b, key->rsa->n) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2004	ret = SSH_ERR_INVALID_FORMAT;
				2005	goto out;
				2006	}
				2007	#ifdef DEBUG_PK
				2008	RSA_print_fp(stderr, key->rsa, 8);
				2009	#endif
				2010	break;
				2011	case KEY_DSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2012	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2013	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				2014	ret = SSH_ERR_INVALID_FORMAT;
				2015	goto out;
				2016	}
				2017	/* FALLTHROUGH */
				2018	case KEY_DSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2019	if ((key = sshkey_new(type)) == NULL) {
				2020	ret = SSH_ERR_ALLOC_FAIL;
				2021	goto out;
				2022	}
djm@openbsd.org	3f4ea3c	2015-04-03 22:17:27 +0000	[diff] [blame]	2023	if (sshbuf_get_bignum2(b, key->dsa->p) != 0 \|\|
				2024	sshbuf_get_bignum2(b, key->dsa->q) != 0 \|\|
				2025	sshbuf_get_bignum2(b, key->dsa->g) != 0 \|\|
				2026	sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2027	ret = SSH_ERR_INVALID_FORMAT;
				2028	goto out;
				2029	}
				2030	#ifdef DEBUG_PK
				2031	DSA_print_fp(stderr, key->dsa, 8);
				2032	#endif
				2033	break;
				2034	case KEY_ECDSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2035	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2036	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				2037	ret = SSH_ERR_INVALID_FORMAT;
				2038	goto out;
				2039	}
				2040	/* FALLTHROUGH */
				2041	# ifdef OPENSSL_HAS_ECC
				2042	case KEY_ECDSA:
				2043	if ((key = sshkey_new(type)) == NULL) {
				2044	ret = SSH_ERR_ALLOC_FAIL;
				2045	goto out;
				2046	}
djm@openbsd.org	54924b5	2015-01-14 10:46:28 +0000	[diff] [blame]	2047	key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2048	if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
				2049	ret = SSH_ERR_INVALID_FORMAT;
				2050	goto out;
				2051	}
				2052	if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
				2053	ret = SSH_ERR_EC_CURVE_MISMATCH;
				2054	goto out;
				2055	}
				2056	if (key->ecdsa != NULL)
				2057	EC_KEY_free(key->ecdsa);
				2058	if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
				2059	== NULL) {
				2060	ret = SSH_ERR_EC_CURVE_INVALID;
				2061	goto out;
				2062	}
				2063	if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
				2064	ret = SSH_ERR_ALLOC_FAIL;
				2065	goto out;
				2066	}
				2067	if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
				2068	ret = SSH_ERR_INVALID_FORMAT;
				2069	goto out;
				2070	}
				2071	if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
				2072	q) != 0) {
				2073	ret = SSH_ERR_KEY_INVALID_EC_VALUE;
				2074	goto out;
				2075	}
				2076	if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
				2077	/* XXX assume it is a allocation error */
				2078	ret = SSH_ERR_ALLOC_FAIL;
				2079	goto out;
				2080	}
				2081	#ifdef DEBUG_PK
				2082	sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
				2083	#endif
				2084	break;
				2085	# endif /* OPENSSL_HAS_ECC */
				2086	#endif /* WITH_OPENSSL */
				2087	case KEY_ED25519_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2088	/* Skip nonce */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2089	if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
				2090	ret = SSH_ERR_INVALID_FORMAT;
				2091	goto out;
				2092	}
				2093	/* FALLTHROUGH */
				2094	case KEY_ED25519:
				2095	if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
				2096	goto out;
				2097	if (len != ED25519_PK_SZ) {
				2098	ret = SSH_ERR_INVALID_FORMAT;
				2099	goto out;
				2100	}
				2101	if ((key = sshkey_new(type)) == NULL) {
				2102	ret = SSH_ERR_ALLOC_FAIL;
				2103	goto out;
				2104	}
				2105	key->ed25519_pk = pk;
				2106	pk = NULL;
				2107	break;
				2108	case KEY_UNSPEC:
				2109	if ((key = sshkey_new(type)) == NULL) {
				2110	ret = SSH_ERR_ALLOC_FAIL;
				2111	goto out;
				2112	}
				2113	break;
				2114	default:
				2115	ret = SSH_ERR_KEY_TYPE_UNKNOWN;
				2116	goto out;
				2117	}
				2118
				2119	/* Parse certificate potion */
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2120	if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2121	goto out;
				2122
				2123	if (key != NULL && sshbuf_len(b) != 0) {
				2124	ret = SSH_ERR_INVALID_FORMAT;
				2125	goto out;
				2126	}
				2127	ret = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	2128	if (keyp != NULL) {
				2129	*keyp = key;
				2130	key = NULL;
				2131	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2132	out:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2133	sshbuf_free(copy);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2134	sshkey_free(key);
				2135	free(ktype);
				2136	free(curve);
				2137	free(pk);
				2138	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
				2139	if (q != NULL)
				2140	EC_POINT_free(q);
				2141	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
				2142	return ret;
				2143	}
				2144
				2145	int
				2146	sshkey_from_blob(const u_char blob, size_t blen, struct sshkey *keyp)
				2147	{
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2148	struct sshbuf *b;
				2149	int r;
				2150
				2151	if ((b = sshbuf_from(blob, blen)) == NULL)
				2152	return SSH_ERR_ALLOC_FAIL;
				2153	r = sshkey_from_blob_internal(b, keyp, 1);
				2154	sshbuf_free(b);
				2155	return r;
				2156	}
				2157
				2158	int
				2159	sshkey_fromb(struct sshbuf b, struct sshkey *keyp)
				2160	{
				2161	return sshkey_from_blob_internal(b, keyp, 1);
				2162	}
				2163
				2164	int
				2165	sshkey_froms(struct sshbuf buf, struct sshkey *keyp)
				2166	{
				2167	struct sshbuf *b;
				2168	int r;
				2169
				2170	if ((r = sshbuf_froms(buf, &b)) != 0)
				2171	return r;
				2172	r = sshkey_from_blob_internal(b, keyp, 1);
				2173	sshbuf_free(b);
				2174	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2175	}
				2176
				2177	int
				2178	sshkey_sign(const struct sshkey *key,
				2179	u_char *sigp, size_t lenp,
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	2180	const u_char data, size_t datalen, const char alg, u_int compat)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2181	{
				2182	if (sigp != NULL)
				2183	*sigp = NULL;
				2184	if (lenp != NULL)
				2185	*lenp = 0;
				2186	if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
				2187	return SSH_ERR_INVALID_ARGUMENT;
				2188	switch (key->type) {
				2189	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2190	case KEY_DSA_CERT:
				2191	case KEY_DSA:
				2192	return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
				2193	# ifdef OPENSSL_HAS_ECC
				2194	case KEY_ECDSA_CERT:
				2195	case KEY_ECDSA:
				2196	return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
				2197	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2198	case KEY_RSA_CERT:
				2199	case KEY_RSA:
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	2200	return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2201	#endif /* WITH_OPENSSL */
				2202	case KEY_ED25519:
				2203	case KEY_ED25519_CERT:
				2204	return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
				2205	default:
				2206	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2207	}
				2208	}
				2209
				2210	/*
				2211	* ssh_key_verify returns 0 for a correct signature and < 0 on error.
				2212	*/
				2213	int
				2214	sshkey_verify(const struct sshkey *key,
				2215	const u_char *sig, size_t siglen,
				2216	const u_char *data, size_t dlen, u_int compat)
				2217	{
djm@openbsd.org	4cf87f4	2014-12-10 01:24:09 +0000	[diff] [blame]	2218	if (siglen == 0 \|\| dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2219	return SSH_ERR_INVALID_ARGUMENT;
				2220	switch (key->type) {
				2221	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2222	case KEY_DSA_CERT:
				2223	case KEY_DSA:
				2224	return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
				2225	# ifdef OPENSSL_HAS_ECC
				2226	case KEY_ECDSA_CERT:
				2227	case KEY_ECDSA:
				2228	return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
				2229	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2230	case KEY_RSA_CERT:
				2231	case KEY_RSA:
markus@openbsd.org	76c9fbb	2015-12-04 16:41:28 +0000	[diff] [blame]	2232	return ssh_rsa_verify(key, sig, siglen, data, dlen);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2233	#endif /* WITH_OPENSSL */
				2234	case KEY_ED25519:
				2235	case KEY_ED25519_CERT:
				2236	return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
				2237	default:
				2238	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2239	}
				2240	}
				2241
				2242	/* Converts a private to a public key */
				2243	int
				2244	sshkey_demote(const struct sshkey k, struct sshkey *dkp)
				2245	{
				2246	struct sshkey *pk;
				2247	int ret = SSH_ERR_INTERNAL_ERROR;
				2248
djm@openbsd.org	1a2663a	2015-10-15 23:08:23 +0000	[diff] [blame]	2249	*dkp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2250	if ((pk = calloc(1, sizeof(*pk))) == NULL)
				2251	return SSH_ERR_ALLOC_FAIL;
				2252	pk->type = k->type;
				2253	pk->flags = k->flags;
				2254	pk->ecdsa_nid = k->ecdsa_nid;
				2255	pk->dsa = NULL;
				2256	pk->ecdsa = NULL;
				2257	pk->rsa = NULL;
				2258	pk->ed25519_pk = NULL;
				2259	pk->ed25519_sk = NULL;
				2260
				2261	switch (k->type) {
				2262	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2263	case KEY_RSA_CERT:
				2264	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2265	goto fail;
				2266	/* FALLTHROUGH */
				2267	case KEY_RSA1:
				2268	case KEY_RSA:
				2269	if ((pk->rsa = RSA_new()) == NULL \|\|
				2270	(pk->rsa->e = BN_dup(k->rsa->e)) == NULL \|\|
				2271	(pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
				2272	ret = SSH_ERR_ALLOC_FAIL;
				2273	goto fail;
				2274	}
				2275	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2276	case KEY_DSA_CERT:
				2277	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2278	goto fail;
				2279	/* FALLTHROUGH */
				2280	case KEY_DSA:
				2281	if ((pk->dsa = DSA_new()) == NULL \|\|
				2282	(pk->dsa->p = BN_dup(k->dsa->p)) == NULL \|\|
				2283	(pk->dsa->q = BN_dup(k->dsa->q)) == NULL \|\|
				2284	(pk->dsa->g = BN_dup(k->dsa->g)) == NULL \|\|
				2285	(pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) {
				2286	ret = SSH_ERR_ALLOC_FAIL;
				2287	goto fail;
				2288	}
				2289	break;
				2290	case KEY_ECDSA_CERT:
				2291	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2292	goto fail;
				2293	/* FALLTHROUGH */
				2294	# ifdef OPENSSL_HAS_ECC
				2295	case KEY_ECDSA:
				2296	pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid);
				2297	if (pk->ecdsa == NULL) {
				2298	ret = SSH_ERR_ALLOC_FAIL;
				2299	goto fail;
				2300	}
				2301	if (EC_KEY_set_public_key(pk->ecdsa,
				2302	EC_KEY_get0_public_key(k->ecdsa)) != 1) {
				2303	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2304	goto fail;
				2305	}
				2306	break;
				2307	# endif /* OPENSSL_HAS_ECC */
				2308	#endif /* WITH_OPENSSL */
				2309	case KEY_ED25519_CERT:
				2310	if ((ret = sshkey_cert_copy(k, pk)) != 0)
				2311	goto fail;
				2312	/* FALLTHROUGH */
				2313	case KEY_ED25519:
				2314	if (k->ed25519_pk != NULL) {
				2315	if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
				2316	ret = SSH_ERR_ALLOC_FAIL;
				2317	goto fail;
				2318	}
				2319	memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
				2320	}
				2321	break;
				2322	default:
				2323	ret = SSH_ERR_KEY_TYPE_UNKNOWN;
				2324	fail:
				2325	sshkey_free(pk);
				2326	return ret;
				2327	}
				2328	*dkp = pk;
				2329	return 0;
				2330	}
				2331
				2332	/* Convert a plain key to their _CERT equivalent */
				2333	int
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2334	sshkey_to_certified(struct sshkey *k)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2335	{
				2336	int newtype;
				2337
				2338	switch (k->type) {
				2339	#ifdef WITH_OPENSSL
				2340	case KEY_RSA:
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2341	newtype = KEY_RSA_CERT;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2342	break;
				2343	case KEY_DSA:
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2344	newtype = KEY_DSA_CERT;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2345	break;
				2346	case KEY_ECDSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2347	newtype = KEY_ECDSA_CERT;
				2348	break;
				2349	#endif /* WITH_OPENSSL */
				2350	case KEY_ED25519:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2351	newtype = KEY_ED25519_CERT;
				2352	break;
				2353	default:
				2354	return SSH_ERR_INVALID_ARGUMENT;
				2355	}
				2356	if ((k->cert = cert_new()) == NULL)
				2357	return SSH_ERR_ALLOC_FAIL;
				2358	k->type = newtype;
				2359	return 0;
				2360	}
				2361
				2362	/* Convert a certificate to its raw key equivalent */
				2363	int
				2364	sshkey_drop_cert(struct sshkey *k)
				2365	{
				2366	if (!sshkey_type_is_cert(k->type))
				2367	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2368	cert_free(k->cert);
				2369	k->cert = NULL;
				2370	k->type = sshkey_type_plain(k->type);
				2371	return 0;
				2372	}
				2373
				2374	/* Sign a certified key, (re-)generating the signed certblob. */
				2375	int
djm@openbsd.org	57464e3	2016-05-02 09:36:42 +0000	[diff] [blame]	2376	sshkey_certify(struct sshkey k, struct sshkey ca, const char *alg)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2377	{
				2378	struct sshbuf *principals = NULL;
				2379	u_char ca_blob = NULL, sig_blob = NULL, nonce[32];
				2380	size_t i, ca_len, sig_len;
				2381	int ret = SSH_ERR_INTERNAL_ERROR;
				2382	struct sshbuf *cert;
				2383
				2384	if (k == NULL \|\| k->cert == NULL \|\|
				2385	k->cert->certblob == NULL \|\| ca == NULL)
				2386	return SSH_ERR_INVALID_ARGUMENT;
				2387	if (!sshkey_is_cert(k))
				2388	return SSH_ERR_KEY_TYPE_UNKNOWN;
				2389	if (!sshkey_type_is_valid_ca(ca->type))
				2390	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				2391
				2392	if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
				2393	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
				2394
				2395	cert = k->cert->certblob; /* for readability */
				2396	sshbuf_reset(cert);
				2397	if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
				2398	goto out;
				2399
				2400	/* -v01 certs put nonce first */
				2401	arc4random_buf(&nonce, sizeof(nonce));
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2402	if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
				2403	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2404
				2405	/* XXX this substantially duplicates to_blob(); refactor */
				2406	switch (k->type) {
				2407	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2408	case KEY_DSA_CERT:
				2409	if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 \|\|
				2410	(ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 \|\|
				2411	(ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 \|\|
				2412	(ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
				2413	goto out;
				2414	break;
				2415	# ifdef OPENSSL_HAS_ECC
				2416	case KEY_ECDSA_CERT:
				2417	if ((ret = sshbuf_put_cstring(cert,
				2418	sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 \|\|
				2419	(ret = sshbuf_put_ec(cert,
				2420	EC_KEY_get0_public_key(k->ecdsa),
				2421	EC_KEY_get0_group(k->ecdsa))) != 0)
				2422	goto out;
				2423	break;
				2424	# endif /* OPENSSL_HAS_ECC */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2425	case KEY_RSA_CERT:
				2426	if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 \|\|
				2427	(ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
				2428	goto out;
				2429	break;
				2430	#endif /* WITH_OPENSSL */
				2431	case KEY_ED25519_CERT:
				2432	if ((ret = sshbuf_put_string(cert,
				2433	k->ed25519_pk, ED25519_PK_SZ)) != 0)
				2434	goto out;
				2435	break;
				2436	default:
				2437	ret = SSH_ERR_INVALID_ARGUMENT;
djm@openbsd.org	55e5bde	2015-03-06 01:40:56 +0000	[diff] [blame]	2438	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2439	}
				2440
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2441	if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 \|\|
				2442	(ret = sshbuf_put_u32(cert, k->cert->type)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2443	(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
				2444	goto out;
				2445
				2446	if ((principals = sshbuf_new()) == NULL) {
				2447	ret = SSH_ERR_ALLOC_FAIL;
				2448	goto out;
				2449	}
				2450	for (i = 0; i < k->cert->nprincipals; i++) {
				2451	if ((ret = sshbuf_put_cstring(principals,
				2452	k->cert->principals[i])) != 0)
				2453	goto out;
				2454	}
				2455	if ((ret = sshbuf_put_stringb(cert, principals)) != 0 \|\|
				2456	(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 \|\|
				2457	(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 \|\|
djm@openbsd.org	c28fc62	2015-07-03 03:43:18 +0000	[diff] [blame]	2458	(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 \|\|
				2459	(ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 \|\|
				2460	(ret = sshbuf_put_string(cert, NULL, 0)) != 0 \|\| /* Reserved */
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2461	(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
				2462	goto out;
				2463
				2464	/* Sign the whole mess */
				2465	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
djm@openbsd.org	57464e3	2016-05-02 09:36:42 +0000	[diff] [blame]	2466	sshbuf_len(cert), alg, 0)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2467	goto out;
				2468
				2469	/* Append signature and we are done */
				2470	if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
				2471	goto out;
				2472	ret = 0;
				2473	out:
				2474	if (ret != 0)
				2475	sshbuf_reset(cert);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	2476	free(sig_blob);
				2477	free(ca_blob);
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	2478	sshbuf_free(principals);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2479	return ret;
				2480	}
				2481
				2482	int
				2483	sshkey_cert_check_authority(const struct sshkey *k,
				2484	int want_host, int require_principal,
				2485	const char name, const char *reason)
				2486	{
				2487	u_int i, principal_matches;
				2488	time_t now = time(NULL);
				2489
				2490	if (reason != NULL)
				2491	*reason = NULL;
				2492
				2493	if (want_host) {
				2494	if (k->cert->type != SSH2_CERT_TYPE_HOST) {
				2495	*reason = "Certificate invalid: not a host certificate";
				2496	return SSH_ERR_KEY_CERT_INVALID;
				2497	}
				2498	} else {
				2499	if (k->cert->type != SSH2_CERT_TYPE_USER) {
				2500	*reason = "Certificate invalid: not a user certificate";
				2501	return SSH_ERR_KEY_CERT_INVALID;
				2502	}
				2503	}
				2504	if (now < 0) {
				2505	/* yikes - system clock before epoch! */
				2506	*reason = "Certificate invalid: not yet valid";
				2507	return SSH_ERR_KEY_CERT_INVALID;
				2508	}
				2509	if ((u_int64_t)now < k->cert->valid_after) {
				2510	*reason = "Certificate invalid: not yet valid";
				2511	return SSH_ERR_KEY_CERT_INVALID;
				2512	}
				2513	if ((u_int64_t)now >= k->cert->valid_before) {
				2514	*reason = "Certificate invalid: expired";
				2515	return SSH_ERR_KEY_CERT_INVALID;
				2516	}
				2517	if (k->cert->nprincipals == 0) {
				2518	if (require_principal) {
				2519	*reason = "Certificate lacks principal list";
				2520	return SSH_ERR_KEY_CERT_INVALID;
				2521	}
				2522	} else if (name != NULL) {
				2523	principal_matches = 0;
				2524	for (i = 0; i < k->cert->nprincipals; i++) {
				2525	if (strcmp(name, k->cert->principals[i]) == 0) {
				2526	principal_matches = 1;
				2527	break;
				2528	}
				2529	}
				2530	if (!principal_matches) {
				2531	*reason = "Certificate invalid: name is not a listed "
				2532	"principal";
				2533	return SSH_ERR_KEY_CERT_INVALID;
				2534	}
				2535	}
				2536	return 0;
				2537	}
				2538
djm@openbsd.org	499cf36	2015-11-19 01:08:55 +0000	[diff] [blame]	2539	size_t
				2540	sshkey_format_cert_validity(const struct sshkey_cert cert, char s, size_t l)
				2541	{
				2542	char from[32], to[32], ret[64];
				2543	time_t tt;
				2544	struct tm *tm;
				2545
				2546	from = to = '\0';
				2547	if (cert->valid_after == 0 &&
				2548	cert->valid_before == 0xffffffffffffffffULL)
				2549	return strlcpy(s, "forever", l);
				2550
				2551	if (cert->valid_after != 0) {
				2552	/* XXX revisit INT_MAX in 2038 :) */
				2553	tt = cert->valid_after > INT_MAX ?
				2554	INT_MAX : cert->valid_after;
				2555	tm = localtime(&tt);
				2556	strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
				2557	}
				2558	if (cert->valid_before != 0xffffffffffffffffULL) {
				2559	/* XXX revisit INT_MAX in 2038 :) */
				2560	tt = cert->valid_before > INT_MAX ?
				2561	INT_MAX : cert->valid_before;
				2562	tm = localtime(&tt);
				2563	strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
				2564	}
				2565
				2566	if (cert->valid_after == 0)
				2567	snprintf(ret, sizeof(ret), "before %s", to);
				2568	else if (cert->valid_before == 0xffffffffffffffffULL)
				2569	snprintf(ret, sizeof(ret), "after %s", from);
				2570	else
				2571	snprintf(ret, sizeof(ret), "from %s to %s", from, to);
				2572
				2573	return strlcpy(s, ret, l);
				2574	}
				2575
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2576	int
				2577	sshkey_private_serialize(const struct sshkey key, struct sshbuf b)
				2578	{
				2579	int r = SSH_ERR_INTERNAL_ERROR;
				2580
				2581	if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
				2582	goto out;
				2583	switch (key->type) {
				2584	#ifdef WITH_OPENSSL
				2585	case KEY_RSA:
				2586	if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 \|\|
				2587	(r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 \|\|
				2588	(r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 \|\|
				2589	(r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 \|\|
				2590	(r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 \|\|
				2591	(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
				2592	goto out;
				2593	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2594	case KEY_RSA_CERT:
				2595	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2596	r = SSH_ERR_INVALID_ARGUMENT;
				2597	goto out;
				2598	}
				2599	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2600	(r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 \|\|
				2601	(r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 \|\|
				2602	(r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 \|\|
				2603	(r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
				2604	goto out;
				2605	break;
				2606	case KEY_DSA:
				2607	if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 \|\|
				2608	(r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 \|\|
				2609	(r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 \|\|
				2610	(r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 \|\|
				2611	(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
				2612	goto out;
				2613	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2614	case KEY_DSA_CERT:
				2615	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2616	r = SSH_ERR_INVALID_ARGUMENT;
				2617	goto out;
				2618	}
				2619	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2620	(r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
				2621	goto out;
				2622	break;
				2623	# ifdef OPENSSL_HAS_ECC
				2624	case KEY_ECDSA:
				2625	if ((r = sshbuf_put_cstring(b,
				2626	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
				2627	(r = sshbuf_put_eckey(b, key->ecdsa)) != 0 \|\|
				2628	(r = sshbuf_put_bignum2(b,
				2629	EC_KEY_get0_private_key(key->ecdsa))) != 0)
				2630	goto out;
				2631	break;
				2632	case KEY_ECDSA_CERT:
				2633	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2634	r = SSH_ERR_INVALID_ARGUMENT;
				2635	goto out;
				2636	}
				2637	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2638	(r = sshbuf_put_bignum2(b,
				2639	EC_KEY_get0_private_key(key->ecdsa))) != 0)
				2640	goto out;
				2641	break;
				2642	# endif /* OPENSSL_HAS_ECC */
				2643	#endif /* WITH_OPENSSL */
				2644	case KEY_ED25519:
				2645	if ((r = sshbuf_put_string(b, key->ed25519_pk,
				2646	ED25519_PK_SZ)) != 0 \|\|
				2647	(r = sshbuf_put_string(b, key->ed25519_sk,
				2648	ED25519_SK_SZ)) != 0)
				2649	goto out;
				2650	break;
				2651	case KEY_ED25519_CERT:
				2652	if (key->cert == NULL \|\| sshbuf_len(key->cert->certblob) == 0) {
				2653	r = SSH_ERR_INVALID_ARGUMENT;
				2654	goto out;
				2655	}
				2656	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
				2657	(r = sshbuf_put_string(b, key->ed25519_pk,
				2658	ED25519_PK_SZ)) != 0 \|\|
				2659	(r = sshbuf_put_string(b, key->ed25519_sk,
				2660	ED25519_SK_SZ)) != 0)
				2661	goto out;
				2662	break;
				2663	default:
				2664	r = SSH_ERR_INVALID_ARGUMENT;
				2665	goto out;
				2666	}
				2667	/* success */
				2668	r = 0;
				2669	out:
				2670	return r;
				2671	}
				2672
				2673	int
				2674	sshkey_private_deserialize(struct sshbuf buf, struct sshkey *kp)
				2675	{
				2676	char tname = NULL, curve = NULL;
				2677	struct sshkey *k = NULL;
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2678	size_t pklen = 0, sklen = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2679	int type, r = SSH_ERR_INTERNAL_ERROR;
				2680	u_char ed25519_pk = NULL, ed25519_sk = NULL;
				2681	#ifdef WITH_OPENSSL
				2682	BIGNUM *exponent = NULL;
				2683	#endif /* WITH_OPENSSL */
				2684
				2685	if (kp != NULL)
				2686	*kp = NULL;
				2687	if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
				2688	goto out;
				2689	type = sshkey_type_from_name(tname);
				2690	switch (type) {
				2691	#ifdef WITH_OPENSSL
				2692	case KEY_DSA:
				2693	if ((k = sshkey_new_private(type)) == NULL) {
				2694	r = SSH_ERR_ALLOC_FAIL;
				2695	goto out;
				2696	}
				2697	if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 \|\|
				2698	(r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 \|\|
				2699	(r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 \|\|
				2700	(r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 \|\|
				2701	(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
				2702	goto out;
				2703	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2704	case KEY_DSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2705	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2706	(r = sshkey_add_private(k)) != 0 \|\|
				2707	(r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
				2708	goto out;
				2709	break;
				2710	# ifdef OPENSSL_HAS_ECC
				2711	case KEY_ECDSA:
				2712	if ((k = sshkey_new_private(type)) == NULL) {
				2713	r = SSH_ERR_ALLOC_FAIL;
				2714	goto out;
				2715	}
				2716	if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
				2717	r = SSH_ERR_INVALID_ARGUMENT;
				2718	goto out;
				2719	}
				2720	if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
				2721	goto out;
				2722	if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
				2723	r = SSH_ERR_EC_CURVE_MISMATCH;
				2724	goto out;
				2725	}
				2726	k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
				2727	if (k->ecdsa == NULL \|\| (exponent = BN_new()) == NULL) {
				2728	r = SSH_ERR_LIBCRYPTO_ERROR;
				2729	goto out;
				2730	}
				2731	if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 \|\|
				2732	(r = sshbuf_get_bignum2(buf, exponent)))
				2733	goto out;
				2734	if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
				2735	r = SSH_ERR_LIBCRYPTO_ERROR;
				2736	goto out;
				2737	}
				2738	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	2739	EC_KEY_get0_public_key(k->ecdsa))) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2740	(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
				2741	goto out;
				2742	break;
				2743	case KEY_ECDSA_CERT:
				2744	if ((exponent = BN_new()) == NULL) {
				2745	r = SSH_ERR_LIBCRYPTO_ERROR;
				2746	goto out;
				2747	}
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2748	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2749	(r = sshkey_add_private(k)) != 0 \|\|
				2750	(r = sshbuf_get_bignum2(buf, exponent)) != 0)
				2751	goto out;
				2752	if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
				2753	r = SSH_ERR_LIBCRYPTO_ERROR;
				2754	goto out;
				2755	}
				2756	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	2757	EC_KEY_get0_public_key(k->ecdsa))) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2758	(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
				2759	goto out;
				2760	break;
				2761	# endif /* OPENSSL_HAS_ECC */
				2762	case KEY_RSA:
				2763	if ((k = sshkey_new_private(type)) == NULL) {
				2764	r = SSH_ERR_ALLOC_FAIL;
				2765	goto out;
				2766	}
				2767	if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 \|\|
				2768	(r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 \|\|
				2769	(r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 \|\|
				2770	(r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 \|\|
				2771	(r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 \|\|
				2772	(r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 \|\|
				2773	(r = rsa_generate_additional_parameters(k->rsa)) != 0)
				2774	goto out;
				2775	break;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2776	case KEY_RSA_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2777	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2778	(r = sshkey_add_private(k)) != 0 \|\|
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	2779	(r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 \|\|
				2780	(r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 \|\|
				2781	(r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 \|\|
				2782	(r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2783	(r = rsa_generate_additional_parameters(k->rsa)) != 0)
				2784	goto out;
				2785	break;
				2786	#endif /* WITH_OPENSSL */
				2787	case KEY_ED25519:
				2788	if ((k = sshkey_new_private(type)) == NULL) {
				2789	r = SSH_ERR_ALLOC_FAIL;
				2790	goto out;
				2791	}
				2792	if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 \|\|
				2793	(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
				2794	goto out;
				2795	if (pklen != ED25519_PK_SZ \|\| sklen != ED25519_SK_SZ) {
				2796	r = SSH_ERR_INVALID_FORMAT;
				2797	goto out;
				2798	}
				2799	k->ed25519_pk = ed25519_pk;
				2800	k->ed25519_sk = ed25519_sk;
				2801	ed25519_pk = ed25519_sk = NULL;
				2802	break;
				2803	case KEY_ED25519_CERT:
djm@openbsd.org	60b1825	2015-01-26 02:59:11 +0000	[diff] [blame]	2804	if ((r = sshkey_froms(buf, &k)) != 0 \|\|
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2805	(r = sshkey_add_private(k)) != 0 \|\|
				2806	(r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 \|\|
				2807	(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
				2808	goto out;
				2809	if (pklen != ED25519_PK_SZ \|\| sklen != ED25519_SK_SZ) {
				2810	r = SSH_ERR_INVALID_FORMAT;
				2811	goto out;
				2812	}
				2813	k->ed25519_pk = ed25519_pk;
				2814	k->ed25519_sk = ed25519_sk;
				2815	ed25519_pk = ed25519_sk = NULL;
				2816	break;
				2817	default:
				2818	r = SSH_ERR_KEY_TYPE_UNKNOWN;
				2819	goto out;
				2820	}
				2821	#ifdef WITH_OPENSSL
				2822	/* enable blinding */
				2823	switch (k->type) {
				2824	case KEY_RSA:
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2825	case KEY_RSA_CERT:
				2826	case KEY_RSA1:
				2827	if (RSA_blinding_on(k->rsa, NULL) != 1) {
				2828	r = SSH_ERR_LIBCRYPTO_ERROR;
				2829	goto out;
				2830	}
				2831	break;
				2832	}
				2833	#endif /* WITH_OPENSSL */
				2834	/* success */
				2835	r = 0;
				2836	if (kp != NULL) {
				2837	*kp = k;
				2838	k = NULL;
				2839	}
				2840	out:
				2841	free(tname);
				2842	free(curve);
				2843	#ifdef WITH_OPENSSL
				2844	if (exponent != NULL)
				2845	BN_clear_free(exponent);
				2846	#endif /* WITH_OPENSSL */
				2847	sshkey_free(k);
				2848	if (ed25519_pk != NULL) {
				2849	explicit_bzero(ed25519_pk, pklen);
				2850	free(ed25519_pk);
				2851	}
				2852	if (ed25519_sk != NULL) {
				2853	explicit_bzero(ed25519_sk, sklen);
				2854	free(ed25519_sk);
				2855	}
				2856	return r;
				2857	}
				2858
				2859	#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
				2860	int
				2861	sshkey_ec_validate_public(const EC_GROUP group, const EC_POINT public)
				2862	{
				2863	BN_CTX *bnctx;
				2864	EC_POINT *nq = NULL;
				2865	BIGNUM order, x, y, tmp;
				2866	int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
				2867
djm@openbsd.org	a571dbc	2016-10-04 21:34:40 +0000	[diff] [blame]	2868	/*
				2869	* NB. This assumes OpenSSL has already verified that the public
				2870	* point lies on the curve. This is done by EC_POINT_oct2point()
				2871	* implicitly calling EC_POINT_is_on_curve(). If this code is ever
				2872	* reachable with public points not unmarshalled using
				2873	* EC_POINT_oct2point then the caller will need to explicitly check.
				2874	*/
				2875
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	2876	if ((bnctx = BN_CTX_new()) == NULL)
				2877	return SSH_ERR_ALLOC_FAIL;
				2878	BN_CTX_start(bnctx);
				2879
				2880	/*
				2881	* We shouldn't ever hit this case because bignum_get_ecpoint()
				2882	* refuses to load GF2m points.
				2883	*/
				2884	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
				2885	NID_X9_62_prime_field)
				2886	goto out;
				2887
				2888	/* Q != infinity */
				2889	if (EC_POINT_is_at_infinity(group, public))
				2890	goto out;
				2891
				2892	if ((x = BN_CTX_get(bnctx)) == NULL \|\|
				2893	(y = BN_CTX_get(bnctx)) == NULL \|\|
				2894	(order = BN_CTX_get(bnctx)) == NULL \|\|
				2895	(tmp = BN_CTX_get(bnctx)) == NULL) {
				2896	ret = SSH_ERR_ALLOC_FAIL;
				2897	goto out;
				2898	}
				2899
				2900	/* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
				2901	if (EC_GROUP_get_order(group, order, bnctx) != 1 \|\|
				2902	EC_POINT_get_affine_coordinates_GFp(group, public,
				2903	x, y, bnctx) != 1) {
				2904	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2905	goto out;
				2906	}
				2907	if (BN_num_bits(x) <= BN_num_bits(order) / 2 \|\|
				2908	BN_num_bits(y) <= BN_num_bits(order) / 2)
				2909	goto out;
				2910
				2911	/* nQ == infinity (n == order of subgroup) */
				2912	if ((nq = EC_POINT_new(group)) == NULL) {
				2913	ret = SSH_ERR_ALLOC_FAIL;
				2914	goto out;
				2915	}
				2916	if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) {
				2917	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2918	goto out;
				2919	}
				2920	if (EC_POINT_is_at_infinity(group, nq) != 1)
				2921	goto out;
				2922
				2923	/* x < order - 1, y < order - 1 */
				2924	if (!BN_sub(tmp, order, BN_value_one())) {
				2925	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2926	goto out;
				2927	}
				2928	if (BN_cmp(x, tmp) >= 0 \|\| BN_cmp(y, tmp) >= 0)
				2929	goto out;
				2930	ret = 0;
				2931	out:
				2932	BN_CTX_free(bnctx);
				2933	if (nq != NULL)
				2934	EC_POINT_free(nq);
				2935	return ret;
				2936	}
				2937
				2938	int
				2939	sshkey_ec_validate_private(const EC_KEY *key)
				2940	{
				2941	BN_CTX *bnctx;
				2942	BIGNUM order, tmp;
				2943	int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
				2944
				2945	if ((bnctx = BN_CTX_new()) == NULL)
				2946	return SSH_ERR_ALLOC_FAIL;
				2947	BN_CTX_start(bnctx);
				2948
				2949	if ((order = BN_CTX_get(bnctx)) == NULL \|\|
				2950	(tmp = BN_CTX_get(bnctx)) == NULL) {
				2951	ret = SSH_ERR_ALLOC_FAIL;
				2952	goto out;
				2953	}
				2954
				2955	/* log2(private) > log2(order)/2 */
				2956	if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) {
				2957	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2958	goto out;
				2959	}
				2960	if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
				2961	BN_num_bits(order) / 2)
				2962	goto out;
				2963
				2964	/* private < order - 1 */
				2965	if (!BN_sub(tmp, order, BN_value_one())) {
				2966	ret = SSH_ERR_LIBCRYPTO_ERROR;
				2967	goto out;
				2968	}
				2969	if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
				2970	goto out;
				2971	ret = 0;
				2972	out:
				2973	BN_CTX_free(bnctx);
				2974	return ret;
				2975	}
				2976
				2977	void
				2978	sshkey_dump_ec_point(const EC_GROUP group, const EC_POINT point)
				2979	{
				2980	BIGNUM x, y;
				2981	BN_CTX *bnctx;
				2982
				2983	if (point == NULL) {
				2984	fputs("point=(NULL)\n", stderr);
				2985	return;
				2986	}
				2987	if ((bnctx = BN_CTX_new()) == NULL) {
				2988	fprintf(stderr, "%s: BN_CTX_new failed\n", __func__);
				2989	return;
				2990	}
				2991	BN_CTX_start(bnctx);
				2992	if ((x = BN_CTX_get(bnctx)) == NULL \|\|
				2993	(y = BN_CTX_get(bnctx)) == NULL) {
				2994	fprintf(stderr, "%s: BN_CTX_get failed\n", __func__);
				2995	return;
				2996	}
				2997	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
				2998	NID_X9_62_prime_field) {
				2999	fprintf(stderr, "%s: group is not a prime field\n", __func__);
				3000	return;
				3001	}
				3002	if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y,
				3003	bnctx) != 1) {
				3004	fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
				3005	__func__);
				3006	return;
				3007	}
				3008	fputs("x=", stderr);
				3009	BN_print_fp(stderr, x);
				3010	fputs("\ny=", stderr);
				3011	BN_print_fp(stderr, y);
				3012	fputs("\n", stderr);
				3013	BN_CTX_free(bnctx);
				3014	}
				3015
				3016	void
				3017	sshkey_dump_ec_key(const EC_KEY *key)
				3018	{
				3019	const BIGNUM *exponent;
				3020
				3021	sshkey_dump_ec_point(EC_KEY_get0_group(key),
				3022	EC_KEY_get0_public_key(key));
				3023	fputs("exponent=", stderr);
				3024	if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
				3025	fputs("(NULL)", stderr);
				3026	else
				3027	BN_print_fp(stderr, EC_KEY_get0_private_key(key));
				3028	fputs("\n", stderr);
				3029	}
				3030	#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
				3031
				3032	static int
				3033	sshkey_private_to_blob2(const struct sshkey prv, struct sshbuf blob,
				3034	const char passphrase, const char comment, const char *ciphername,
				3035	int rounds)
				3036	{
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	3037	u_char cp, key = NULL, *pubkeyblob = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3038	u_char salt[SALT_LEN];
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	3039	char *b64 = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3040	size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
				3041	u_int check;
				3042	int r = SSH_ERR_INTERNAL_ERROR;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3043	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3044	const struct sshcipher *cipher;
				3045	const char *kdfname = KDFNAME;
				3046	struct sshbuf encoded = NULL, encrypted = NULL, *kdf = NULL;
				3047
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3048	if (rounds <= 0)
				3049	rounds = DEFAULT_ROUNDS;
				3050	if (passphrase == NULL \|\| !strlen(passphrase)) {
				3051	ciphername = "none";
				3052	kdfname = "none";
				3053	} else if (ciphername == NULL)
				3054	ciphername = DEFAULT_CIPHERNAME;
				3055	else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) {
				3056	r = SSH_ERR_INVALID_ARGUMENT;
				3057	goto out;
				3058	}
				3059	if ((cipher = cipher_by_name(ciphername)) == NULL) {
				3060	r = SSH_ERR_INTERNAL_ERROR;
				3061	goto out;
				3062	}
				3063
				3064	if ((kdf = sshbuf_new()) == NULL \|\|
				3065	(encoded = sshbuf_new()) == NULL \|\|
				3066	(encrypted = sshbuf_new()) == NULL) {
				3067	r = SSH_ERR_ALLOC_FAIL;
				3068	goto out;
				3069	}
				3070	blocksize = cipher_blocksize(cipher);
				3071	keylen = cipher_keylen(cipher);
				3072	ivlen = cipher_ivlen(cipher);
				3073	authlen = cipher_authlen(cipher);
				3074	if ((key = calloc(1, keylen + ivlen)) == NULL) {
				3075	r = SSH_ERR_ALLOC_FAIL;
				3076	goto out;
				3077	}
				3078	if (strcmp(kdfname, "bcrypt") == 0) {
				3079	arc4random_buf(salt, SALT_LEN);
				3080	if (bcrypt_pbkdf(passphrase, strlen(passphrase),
				3081	salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
				3082	r = SSH_ERR_INVALID_ARGUMENT;
				3083	goto out;
				3084	}
				3085	if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 \|\|
				3086	(r = sshbuf_put_u32(kdf, rounds)) != 0)
				3087	goto out;
				3088	} else if (strcmp(kdfname, "none") != 0) {
				3089	/* Unsupported KDF type */
				3090	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3091	goto out;
				3092	}
				3093	if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
				3094	key + keylen, ivlen, 1)) != 0)
				3095	goto out;
				3096
				3097	if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 \|\|
				3098	(r = sshbuf_put_cstring(encoded, ciphername)) != 0 \|\|
				3099	(r = sshbuf_put_cstring(encoded, kdfname)) != 0 \|\|
				3100	(r = sshbuf_put_stringb(encoded, kdf)) != 0 \|\|
				3101	(r = sshbuf_put_u32(encoded, 1)) != 0 \|\| /* number of keys */
				3102	(r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 \|\|
				3103	(r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
				3104	goto out;
				3105
				3106	/* set up the buffer that will be encrypted */
				3107
				3108	/* Random check bytes */
				3109	check = arc4random();
				3110	if ((r = sshbuf_put_u32(encrypted, check)) != 0 \|\|
				3111	(r = sshbuf_put_u32(encrypted, check)) != 0)
				3112	goto out;
				3113
				3114	/* append private key and comment*/
				3115	if ((r = sshkey_private_serialize(prv, encrypted)) != 0 \|\|
				3116	(r = sshbuf_put_cstring(encrypted, comment)) != 0)
				3117	goto out;
				3118
				3119	/* padding */
				3120	i = 0;
				3121	while (sshbuf_len(encrypted) % blocksize) {
				3122	if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
				3123	goto out;
				3124	}
				3125
				3126	/* length in destination buffer */
				3127	if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
				3128	goto out;
				3129
				3130	/* encrypt */
				3131	if ((r = sshbuf_reserve(encoded,
				3132	sshbuf_len(encrypted) + authlen, &cp)) != 0)
				3133	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3134	if ((r = cipher_crypt(ciphercontext, 0, cp,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3135	sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
				3136	goto out;
				3137
				3138	/* uuencode */
				3139	if ((b64 = sshbuf_dtob64(encoded)) == NULL) {
				3140	r = SSH_ERR_ALLOC_FAIL;
				3141	goto out;
				3142	}
				3143
				3144	sshbuf_reset(blob);
				3145	if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0)
				3146	goto out;
				3147	for (i = 0; i < strlen(b64); i++) {
				3148	if ((r = sshbuf_put_u8(blob, b64[i])) != 0)
				3149	goto out;
				3150	/* insert line breaks */
				3151	if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
				3152	goto out;
				3153	}
				3154	if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
				3155	goto out;
				3156	if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
				3157	goto out;
				3158
				3159	/* success */
				3160	r = 0;
				3161
				3162	out:
				3163	sshbuf_free(kdf);
				3164	sshbuf_free(encoded);
				3165	sshbuf_free(encrypted);
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3166	cipher_free(ciphercontext);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3167	explicit_bzero(salt, sizeof(salt));
				3168	if (key != NULL) {
				3169	explicit_bzero(key, keylen + ivlen);
				3170	free(key);
				3171	}
				3172	if (pubkeyblob != NULL) {
				3173	explicit_bzero(pubkeyblob, pubkeylen);
				3174	free(pubkeyblob);
				3175	}
				3176	if (b64 != NULL) {
				3177	explicit_bzero(b64, strlen(b64));
				3178	free(b64);
				3179	}
				3180	return r;
				3181	}
				3182
				3183	static int
				3184	sshkey_parse_private2(struct sshbuf blob, int type, const char passphrase,
				3185	struct sshkey keyp, char commentp)
				3186	{
				3187	char comment = NULL, ciphername = NULL, *kdfname = NULL;
				3188	const struct sshcipher *cipher = NULL;
				3189	const u_char *cp;
				3190	int r = SSH_ERR_INTERNAL_ERROR;
				3191	size_t encoded_len;
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3192	size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3193	struct sshbuf encoded = NULL, decoded = NULL;
				3194	struct sshbuf kdf = NULL, decrypted = NULL;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3195	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3196	struct sshkey *k = NULL;
				3197	u_char key = NULL, salt = NULL, *dp, pad, last;
				3198	u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
				3199
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3200	if (keyp != NULL)
				3201	*keyp = NULL;
				3202	if (commentp != NULL)
				3203	*commentp = NULL;
				3204
				3205	if ((encoded = sshbuf_new()) == NULL \|\|
				3206	(decoded = sshbuf_new()) == NULL \|\|
				3207	(decrypted = sshbuf_new()) == NULL) {
				3208	r = SSH_ERR_ALLOC_FAIL;
				3209	goto out;
				3210	}
				3211
				3212	/* check preamble */
				3213	cp = sshbuf_ptr(blob);
				3214	encoded_len = sshbuf_len(blob);
				3215	if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) \|\|
				3216	memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
				3217	r = SSH_ERR_INVALID_FORMAT;
				3218	goto out;
				3219	}
				3220	cp += MARK_BEGIN_LEN;
				3221	encoded_len -= MARK_BEGIN_LEN;
				3222
				3223	/* Look for end marker, removing whitespace as we go */
				3224	while (encoded_len > 0) {
				3225	if (cp != '\n' && cp != '\r') {
				3226	if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
				3227	goto out;
				3228	}
				3229	last = *cp;
				3230	encoded_len--;
				3231	cp++;
				3232	if (last == '\n') {
				3233	if (encoded_len >= MARK_END_LEN &&
				3234	memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
				3235	/* \0 terminate */
				3236	if ((r = sshbuf_put_u8(encoded, 0)) != 0)
				3237	goto out;
				3238	break;
				3239	}
				3240	}
				3241	}
				3242	if (encoded_len == 0) {
				3243	r = SSH_ERR_INVALID_FORMAT;
				3244	goto out;
				3245	}
				3246
				3247	/* decode base64 */
djm@openbsd.org	3cc1fbb	2014-10-08 21:45:48 +0000	[diff] [blame]	3248	if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3249	goto out;
				3250
				3251	/* check magic */
				3252	if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) \|\|
				3253	memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
				3254	r = SSH_ERR_INVALID_FORMAT;
				3255	goto out;
				3256	}
				3257	/* parse public portion of key */
				3258	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 \|\|
				3259	(r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 \|\|
				3260	(r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 \|\|
				3261	(r = sshbuf_froms(decoded, &kdf)) != 0 \|\|
				3262	(r = sshbuf_get_u32(decoded, &nkeys)) != 0 \|\|
				3263	(r = sshbuf_skip_string(decoded)) != 0 \|\| /* pubkey */
				3264	(r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
				3265	goto out;
				3266
				3267	if ((cipher = cipher_by_name(ciphername)) == NULL) {
				3268	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3269	goto out;
				3270	}
				3271	if ((passphrase == NULL \|\| strlen(passphrase) == 0) &&
				3272	strcmp(ciphername, "none") != 0) {
				3273	/* passphrase required */
				3274	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3275	goto out;
				3276	}
				3277	if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
				3278	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3279	goto out;
				3280	}
				3281	if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
				3282	r = SSH_ERR_INVALID_FORMAT;
				3283	goto out;
				3284	}
				3285	if (nkeys != 1) {
				3286	/* XXX only one key supported */
				3287	r = SSH_ERR_INVALID_FORMAT;
				3288	goto out;
				3289	}
				3290
				3291	/* check size of encrypted key blob */
				3292	blocksize = cipher_blocksize(cipher);
				3293	if (encrypted_len < blocksize \|\| (encrypted_len % blocksize) != 0) {
				3294	r = SSH_ERR_INVALID_FORMAT;
				3295	goto out;
				3296	}
				3297
				3298	/* setup key */
				3299	keylen = cipher_keylen(cipher);
				3300	ivlen = cipher_ivlen(cipher);
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3301	authlen = cipher_authlen(cipher);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3302	if ((key = calloc(1, keylen + ivlen)) == NULL) {
				3303	r = SSH_ERR_ALLOC_FAIL;
				3304	goto out;
				3305	}
				3306	if (strcmp(kdfname, "bcrypt") == 0) {
				3307	if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 \|\|
				3308	(r = sshbuf_get_u32(kdf, &rounds)) != 0)
				3309	goto out;
				3310	if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
				3311	key, keylen + ivlen, rounds) < 0) {
				3312	r = SSH_ERR_INVALID_FORMAT;
				3313	goto out;
				3314	}
				3315	}
				3316
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3317	/* check that an appropriate amount of auth data is present */
				3318	if (sshbuf_len(decoded) < encrypted_len + authlen) {
				3319	r = SSH_ERR_INVALID_FORMAT;
				3320	goto out;
				3321	}
				3322
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3323	/* decrypt private portion of key */
				3324	if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 \|\|
				3325	(r = cipher_init(&ciphercontext, cipher, key, keylen,
				3326	key + keylen, ivlen, 0)) != 0)
				3327	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3328	if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3329	encrypted_len, 0, authlen)) != 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3330	/* an integrity error here indicates an incorrect passphrase */
				3331	if (r == SSH_ERR_MAC_INVALID)
				3332	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3333	goto out;
				3334	}
djm@openbsd.org	63ebf01	2015-05-08 03:17:49 +0000	[diff] [blame]	3335	if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3336	goto out;
				3337	/* there should be no trailing data */
				3338	if (sshbuf_len(decoded) != 0) {
				3339	r = SSH_ERR_INVALID_FORMAT;
				3340	goto out;
				3341	}
				3342
				3343	/* check check bytes */
				3344	if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 \|\|
				3345	(r = sshbuf_get_u32(decrypted, &check2)) != 0)
				3346	goto out;
				3347	if (check1 != check2) {
				3348	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3349	goto out;
				3350	}
				3351
				3352	/* Load the private key and comment */
				3353	if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 \|\|
				3354	(r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
				3355	goto out;
				3356
				3357	/* Check deterministic padding */
				3358	i = 0;
				3359	while (sshbuf_len(decrypted)) {
				3360	if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
				3361	goto out;
				3362	if (pad != (++i & 0xff)) {
				3363	r = SSH_ERR_INVALID_FORMAT;
				3364	goto out;
				3365	}
				3366	}
				3367
				3368	/* XXX decode pubkey and check against private */
				3369
				3370	/* success */
				3371	r = 0;
				3372	if (keyp != NULL) {
				3373	*keyp = k;
				3374	k = NULL;
				3375	}
				3376	if (commentp != NULL) {
				3377	*commentp = comment;
				3378	comment = NULL;
				3379	}
				3380	out:
				3381	pad = 0;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3382	cipher_free(ciphercontext);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3383	free(ciphername);
				3384	free(kdfname);
				3385	free(comment);
				3386	if (salt != NULL) {
				3387	explicit_bzero(salt, slen);
				3388	free(salt);
				3389	}
				3390	if (key != NULL) {
				3391	explicit_bzero(key, keylen + ivlen);
				3392	free(key);
				3393	}
				3394	sshbuf_free(encoded);
				3395	sshbuf_free(decoded);
				3396	sshbuf_free(kdf);
				3397	sshbuf_free(decrypted);
				3398	sshkey_free(k);
				3399	return r;
				3400	}
				3401
				3402	#if WITH_SSH1
				3403	/*
				3404	* Serialises the authentication (private) key to a blob, encrypting it with
				3405	* passphrase. The identification of the blob (lowest 64 bits of n) will
				3406	* precede the key to provide identification of the key without needing a
				3407	* passphrase.
				3408	*/
				3409	static int
				3410	sshkey_private_rsa1_to_blob(struct sshkey key, struct sshbuf blob,
				3411	const char passphrase, const char comment)
				3412	{
				3413	struct sshbuf buffer = NULL, encrypted = NULL;
				3414	u_char buf[8];
				3415	int r, cipher_num;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3416	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3417	const struct sshcipher *cipher;
				3418	u_char *cp;
				3419
				3420	/*
				3421	* If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
				3422	* to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
				3423	*/
				3424	cipher_num = (strcmp(passphrase, "") == 0) ?
				3425	SSH_CIPHER_NONE : SSH_CIPHER_3DES;
				3426	if ((cipher = cipher_by_number(cipher_num)) == NULL)
				3427	return SSH_ERR_INTERNAL_ERROR;
				3428
				3429	/* This buffer is used to build the secret part of the private key. */
				3430	if ((buffer = sshbuf_new()) == NULL)
				3431	return SSH_ERR_ALLOC_FAIL;
				3432
				3433	/* Put checkbytes for checking passphrase validity. */
				3434	if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0)
				3435	goto out;
				3436	arc4random_buf(cp, 2);
				3437	memcpy(cp + 2, cp, 2);
				3438
				3439	/*
				3440	* Store the private key (n and e will not be stored because they
				3441	* will be stored in plain text, and storing them also in encrypted
				3442	* format would just give known plaintext).
				3443	* Note: q and p are stored in reverse order to SSL.
				3444	*/
				3445	if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 \|\|
				3446	(r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 \|\|
				3447	(r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 \|\|
				3448	(r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0)
				3449	goto out;
				3450
				3451	/* Pad the part to be encrypted to a size that is a multiple of 8. */
				3452	explicit_bzero(buf, 8);
				3453	if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0)
				3454	goto out;
				3455
				3456	/* This buffer will be used to contain the data in the file. */
				3457	if ((encrypted = sshbuf_new()) == NULL) {
				3458	r = SSH_ERR_ALLOC_FAIL;
				3459	goto out;
				3460	}
				3461
				3462	/* First store keyfile id string. */
				3463	if ((r = sshbuf_put(encrypted, LEGACY_BEGIN,
				3464	sizeof(LEGACY_BEGIN))) != 0)
				3465	goto out;
				3466
				3467	/* Store cipher type and "reserved" field. */
				3468	if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 \|\|
				3469	(r = sshbuf_put_u32(encrypted, 0)) != 0)
				3470	goto out;
				3471
				3472	/* Store public key. This will be in plain text. */
				3473	if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 \|\|
jsg@openbsd.org	f3a3ea1	2015-09-02 07:51:12 +0000	[diff] [blame]	3474	(r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 \|\|
				3475	(r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 \|\|
				3476	(r = sshbuf_put_cstring(encrypted, comment)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3477	goto out;
				3478
				3479	/* Allocate space for the private part of the key in the buffer. */
				3480	if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
				3481	goto out;
				3482
				3483	if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
				3484	CIPHER_ENCRYPT)) != 0)
				3485	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3486	if ((r = cipher_crypt(ciphercontext, 0, cp,
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3487	sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0)
				3488	goto out;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3489
				3490	r = sshbuf_putb(blob, encrypted);
				3491
				3492	out:
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3493	cipher_free(ciphercontext);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3494	explicit_bzero(buf, sizeof(buf));
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	3495	sshbuf_free(buffer);
				3496	sshbuf_free(encrypted);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3497
				3498	return r;
				3499	}
				3500	#endif /* WITH_SSH1 */
				3501
				3502	#ifdef WITH_OPENSSL
				3503	/* convert SSH v2 key in OpenSSL PEM format */
				3504	static int
				3505	sshkey_private_pem_to_blob(struct sshkey key, struct sshbuf blob,
				3506	const char _passphrase, const char comment)
				3507	{
				3508	int success, r;
				3509	int blen, len = strlen(_passphrase);
				3510	u_char passphrase = (len > 0) ? (u_char )_passphrase : NULL;
				3511	#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
				3512	const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
				3513	#else
				3514	const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
				3515	#endif
				3516	const u_char *bptr;
				3517	BIO *bio = NULL;
				3518
				3519	if (len > 0 && len <= 4)
				3520	return SSH_ERR_PASSPHRASE_TOO_SHORT;
				3521	if ((bio = BIO_new(BIO_s_mem())) == NULL)
				3522	return SSH_ERR_ALLOC_FAIL;
				3523
				3524	switch (key->type) {
				3525	case KEY_DSA:
				3526	success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
				3527	cipher, passphrase, len, NULL, NULL);
				3528	break;
				3529	#ifdef OPENSSL_HAS_ECC
				3530	case KEY_ECDSA:
				3531	success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
				3532	cipher, passphrase, len, NULL, NULL);
				3533	break;
				3534	#endif
				3535	case KEY_RSA:
				3536	success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
				3537	cipher, passphrase, len, NULL, NULL);
				3538	break;
				3539	default:
				3540	success = 0;
				3541	break;
				3542	}
				3543	if (success == 0) {
				3544	r = SSH_ERR_LIBCRYPTO_ERROR;
				3545	goto out;
				3546	}
				3547	if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
				3548	r = SSH_ERR_INTERNAL_ERROR;
				3549	goto out;
				3550	}
				3551	if ((r = sshbuf_put(blob, bptr, blen)) != 0)
				3552	goto out;
				3553	r = 0;
				3554	out:
				3555	BIO_free(bio);
				3556	return r;
				3557	}
				3558	#endif /* WITH_OPENSSL */
				3559
				3560	/* Serialise "key" to buffer "blob" */
				3561	int
				3562	sshkey_private_to_fileblob(struct sshkey key, struct sshbuf blob,
				3563	const char passphrase, const char comment,
				3564	int force_new_format, const char *new_format_cipher, int new_format_rounds)
				3565	{
				3566	switch (key->type) {
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3567	#ifdef WITH_SSH1
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3568	case KEY_RSA1:
				3569	return sshkey_private_rsa1_to_blob(key, blob,
				3570	passphrase, comment);
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3571	#endif /* WITH_SSH1 */
				3572	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3573	case KEY_DSA:
				3574	case KEY_ECDSA:
				3575	case KEY_RSA:
				3576	if (force_new_format) {
				3577	return sshkey_private_to_blob2(key, blob, passphrase,
				3578	comment, new_format_cipher, new_format_rounds);
				3579	}
				3580	return sshkey_private_pem_to_blob(key, blob,
				3581	passphrase, comment);
				3582	#endif /* WITH_OPENSSL */
				3583	case KEY_ED25519:
				3584	return sshkey_private_to_blob2(key, blob, passphrase,
				3585	comment, new_format_cipher, new_format_rounds);
				3586	default:
				3587	return SSH_ERR_KEY_TYPE_UNKNOWN;
				3588	}
				3589	}
				3590
				3591	#ifdef WITH_SSH1
				3592	/*
				3593	* Parse the public, unencrypted portion of a RSA1 key.
				3594	*/
				3595	int
				3596	sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
				3597	struct sshkey keyp, char commentp)
				3598	{
				3599	int r;
				3600	struct sshkey *pub = NULL;
				3601	struct sshbuf *copy = NULL;
				3602
				3603	if (keyp != NULL)
				3604	*keyp = NULL;
				3605	if (commentp != NULL)
				3606	*commentp = NULL;
				3607
				3608	/* Check that it is at least big enough to contain the ID string. */
				3609	if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
				3610	return SSH_ERR_INVALID_FORMAT;
				3611
				3612	/*
				3613	* Make sure it begins with the id string. Consume the id string
				3614	* from the buffer.
				3615	*/
				3616	if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
				3617	return SSH_ERR_INVALID_FORMAT;
				3618	/* Make a working copy of the keyblob and skip past the magic */
				3619	if ((copy = sshbuf_fromb(blob)) == NULL)
				3620	return SSH_ERR_ALLOC_FAIL;
				3621	if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
				3622	goto out;
				3623
				3624	/* Skip cipher type, reserved data and key bits. */
				3625	if ((r = sshbuf_get_u8(copy, NULL)) != 0 \|\| /* cipher type */
				3626	(r = sshbuf_get_u32(copy, NULL)) != 0 \|\| /* reserved */
				3627	(r = sshbuf_get_u32(copy, NULL)) != 0) /* key bits */
				3628	goto out;
				3629
				3630	/* Read the public key from the buffer. */
				3631	if ((pub = sshkey_new(KEY_RSA1)) == NULL \|\|
				3632	(r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 \|\|
				3633	(r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0)
				3634	goto out;
				3635
				3636	/* Finally, the comment */
				3637	if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0)
				3638	goto out;
				3639
				3640	/* The encrypted private part is not parsed by this function. */
				3641
				3642	r = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3643	if (keyp != NULL) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3644	*keyp = pub;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3645	pub = NULL;
				3646	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3647	out:
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	3648	sshbuf_free(copy);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	3649	sshkey_free(pub);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3650	return r;
				3651	}
				3652
				3653	static int
				3654	sshkey_parse_private_rsa1(struct sshbuf blob, const char passphrase,
				3655	struct sshkey keyp, char commentp)
				3656	{
				3657	int r;
				3658	u_int16_t check1, check2;
				3659	u_int8_t cipher_type;
				3660	struct sshbuf decrypted = NULL, copy = NULL;
				3661	u_char *cp;
				3662	char *comment = NULL;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3663	struct sshcipher_ctx *ciphercontext = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3664	const struct sshcipher *cipher;
				3665	struct sshkey *prv = NULL;
				3666
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3667	if (keyp != NULL)
				3668	*keyp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3669	if (commentp != NULL)
				3670	*commentp = NULL;
				3671
				3672	/* Check that it is at least big enough to contain the ID string. */
				3673	if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
				3674	return SSH_ERR_INVALID_FORMAT;
				3675
				3676	/*
				3677	* Make sure it begins with the id string. Consume the id string
				3678	* from the buffer.
				3679	*/
				3680	if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
				3681	return SSH_ERR_INVALID_FORMAT;
				3682
				3683	if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) {
				3684	r = SSH_ERR_ALLOC_FAIL;
				3685	goto out;
				3686	}
				3687	if ((copy = sshbuf_fromb(blob)) == NULL \|\|
				3688	(decrypted = sshbuf_new()) == NULL) {
				3689	r = SSH_ERR_ALLOC_FAIL;
				3690	goto out;
				3691	}
				3692	if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
				3693	goto out;
				3694
				3695	/* Read cipher type. */
				3696	if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 \|\|
				3697	(r = sshbuf_get_u32(copy, NULL)) != 0) /* reserved */
				3698	goto out;
				3699
				3700	/* Read the public key and comment from the buffer. */
				3701	if ((r = sshbuf_get_u32(copy, NULL)) != 0 \|\| /* key bits */
				3702	(r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 \|\|
				3703	(r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 \|\|
				3704	(r = sshbuf_get_cstring(copy, &comment, NULL)) != 0)
				3705	goto out;
				3706
				3707	/* Check that it is a supported cipher. */
				3708	cipher = cipher_by_number(cipher_type);
				3709	if (cipher == NULL) {
				3710	r = SSH_ERR_KEY_UNKNOWN_CIPHER;
				3711	goto out;
				3712	}
				3713	/* Initialize space for decrypted data. */
				3714	if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0)
				3715	goto out;
				3716
				3717	/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
				3718	if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
				3719	CIPHER_DECRYPT)) != 0)
				3720	goto out;
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3721	if ((r = cipher_crypt(ciphercontext, 0, cp,
				3722	sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3723	goto out;
				3724
				3725	if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 \|\|
				3726	(r = sshbuf_get_u16(decrypted, &check2)) != 0)
				3727	goto out;
				3728	if (check1 != check2) {
				3729	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3730	goto out;
				3731	}
				3732
				3733	/* Read the rest of the private key. */
				3734	if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 \|\|
				3735	(r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 \|\|
				3736	(r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 \|\|
				3737	(r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0)
				3738	goto out;
				3739
				3740	/* calculate p-1 and q-1 */
				3741	if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0)
				3742	goto out;
				3743
				3744	/* enable blinding */
				3745	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
				3746	r = SSH_ERR_LIBCRYPTO_ERROR;
				3747	goto out;
				3748	}
				3749	r = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3750	if (keyp != NULL) {
				3751	*keyp = prv;
				3752	prv = NULL;
				3753	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3754	if (commentp != NULL) {
				3755	*commentp = comment;
				3756	comment = NULL;
				3757	}
				3758	out:
djm@openbsd.org	4706c1d	2016-08-03 05:41:57 +0000	[diff] [blame]	3759	cipher_free(ciphercontext);
mmcc@openbsd.org	d59ce08	2015-12-10 17:08:40 +0000	[diff] [blame]	3760	free(comment);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	3761	sshkey_free(prv);
mmcc@openbsd.org	52d7078	2015-12-11 04:21:11 +0000	[diff] [blame]	3762	sshbuf_free(copy);
				3763	sshbuf_free(decrypted);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3764	return r;
				3765	}
				3766	#endif /* WITH_SSH1 */
				3767
				3768	#ifdef WITH_OPENSSL
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3769	static int
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3770	sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3771	const char passphrase, struct sshkey *keyp)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3772	{
				3773	EVP_PKEY *pk = NULL;
				3774	struct sshkey *prv = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3775	BIO *bio = NULL;
				3776	int r;
				3777
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3778	if (keyp != NULL)
				3779	*keyp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3780
				3781	if ((bio = BIO_new(BIO_s_mem())) == NULL \|\| sshbuf_len(blob) > INT_MAX)
				3782	return SSH_ERR_ALLOC_FAIL;
				3783	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
				3784	(int)sshbuf_len(blob)) {
				3785	r = SSH_ERR_ALLOC_FAIL;
				3786	goto out;
				3787	}
				3788
				3789	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
				3790	(char *)passphrase)) == NULL) {
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3791	unsigned long pem_err = ERR_peek_last_error();
				3792	int pem_reason = ERR_GET_REASON(pem_err);
				3793
				3794	/*
				3795	* Translate OpenSSL error codes to determine whether
				3796	* passphrase is required/incorrect.
				3797	*/
				3798	switch (ERR_GET_LIB(pem_err)) {
				3799	case ERR_LIB_PEM:
				3800	switch (pem_reason) {
				3801	case PEM_R_BAD_PASSWORD_READ:
				3802	case PEM_R_PROBLEMS_GETTING_PASSWORD:
				3803	case PEM_R_BAD_DECRYPT:
				3804	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3805	goto out;
				3806	default:
				3807	r = SSH_ERR_INVALID_FORMAT;
				3808	goto out;
				3809	}
				3810	case ERR_LIB_EVP:
				3811	switch (pem_reason) {
				3812	case EVP_R_BAD_DECRYPT:
				3813	r = SSH_ERR_KEY_WRONG_PASSPHRASE;
				3814	goto out;
				3815	case EVP_R_BN_DECODE_ERROR:
				3816	case EVP_R_DECODE_ERROR:
Darren Tucker	bd5d7d2	2017-02-12 15:45:15 +1100	[diff] [blame]	3817	#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3818	case EVP_R_PRIVATE_KEY_DECODE_ERROR:
Darren Tucker	bd5d7d2	2017-02-12 15:45:15 +1100	[diff] [blame]	3819	#endif
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3820	r = SSH_ERR_INVALID_FORMAT;
				3821	goto out;
				3822	default:
				3823	r = SSH_ERR_LIBCRYPTO_ERROR;
				3824	goto out;
				3825	}
				3826	case ERR_LIB_ASN1:
				3827	r = SSH_ERR_INVALID_FORMAT;
				3828	goto out;
				3829	}
				3830	r = SSH_ERR_LIBCRYPTO_ERROR;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3831	goto out;
				3832	}
				3833	if (pk->type == EVP_PKEY_RSA &&
				3834	(type == KEY_UNSPEC \|\| type == KEY_RSA)) {
				3835	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
				3836	r = SSH_ERR_ALLOC_FAIL;
				3837	goto out;
				3838	}
				3839	prv->rsa = EVP_PKEY_get1_RSA(pk);
				3840	prv->type = KEY_RSA;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3841	#ifdef DEBUG_PK
				3842	RSA_print_fp(stderr, prv->rsa, 8);
				3843	#endif
				3844	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
				3845	r = SSH_ERR_LIBCRYPTO_ERROR;
				3846	goto out;
				3847	}
				3848	} else if (pk->type == EVP_PKEY_DSA &&
				3849	(type == KEY_UNSPEC \|\| type == KEY_DSA)) {
				3850	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
				3851	r = SSH_ERR_ALLOC_FAIL;
				3852	goto out;
				3853	}
				3854	prv->dsa = EVP_PKEY_get1_DSA(pk);
				3855	prv->type = KEY_DSA;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3856	#ifdef DEBUG_PK
				3857	DSA_print_fp(stderr, prv->dsa, 8);
				3858	#endif
				3859	#ifdef OPENSSL_HAS_ECC
				3860	} else if (pk->type == EVP_PKEY_EC &&
				3861	(type == KEY_UNSPEC \|\| type == KEY_ECDSA)) {
				3862	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
				3863	r = SSH_ERR_ALLOC_FAIL;
				3864	goto out;
				3865	}
				3866	prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
				3867	prv->type = KEY_ECDSA;
				3868	prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
				3869	if (prv->ecdsa_nid == -1 \|\|
				3870	sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL \|\|
				3871	sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
				3872	EC_KEY_get0_public_key(prv->ecdsa)) != 0 \|\|
				3873	sshkey_ec_validate_private(prv->ecdsa) != 0) {
				3874	r = SSH_ERR_INVALID_FORMAT;
				3875	goto out;
				3876	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3877	# ifdef DEBUG_PK
				3878	if (prv != NULL && prv->ecdsa != NULL)
				3879	sshkey_dump_ec_key(prv->ecdsa);
				3880	# endif
				3881	#endif /* OPENSSL_HAS_ECC */
				3882	} else {
				3883	r = SSH_ERR_INVALID_FORMAT;
				3884	goto out;
				3885	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3886	r = 0;
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3887	if (keyp != NULL) {
				3888	*keyp = prv;
				3889	prv = NULL;
				3890	}
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3891	out:
				3892	BIO_free(bio);
				3893	if (pk != NULL)
				3894	EVP_PKEY_free(pk);
mmcc@openbsd.org	89540b6	2015-12-11 02:31:47 +0000	[diff] [blame]	3895	sshkey_free(prv);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3896	return r;
				3897	}
				3898	#endif /* WITH_OPENSSL */
				3899
				3900	int
				3901	sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
				3902	const char passphrase, struct sshkey keyp, char *commentp)
				3903	{
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3904	int r = SSH_ERR_INTERNAL_ERROR;
				3905
djm@openbsd.org	dce19bf	2016-04-09 12:39:30 +0000	[diff] [blame]	3906	if (keyp != NULL)
				3907	*keyp = NULL;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3908	if (commentp != NULL)
				3909	*commentp = NULL;
				3910
				3911	switch (type) {
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3912	#ifdef WITH_SSH1
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3913	case KEY_RSA1:
				3914	return sshkey_parse_private_rsa1(blob, passphrase,
				3915	keyp, commentp);
markus@openbsd.org	f067cca	2015-01-12 13:29:27 +0000	[diff] [blame]	3916	#endif /* WITH_SSH1 */
				3917	#ifdef WITH_OPENSSL
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3918	case KEY_DSA:
				3919	case KEY_ECDSA:
				3920	case KEY_RSA:
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3921	return sshkey_parse_private_pem_fileblob(blob, type,
				3922	passphrase, keyp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3923	#endif /* WITH_OPENSSL */
				3924	case KEY_ED25519:
				3925	return sshkey_parse_private2(blob, type, passphrase,
				3926	keyp, commentp);
				3927	case KEY_UNSPEC:
djm@openbsd.org	155d540	2017-02-10 04:34:50 +0000	[diff] [blame]	3928	r = sshkey_parse_private2(blob, type, passphrase, keyp,
				3929	commentp);
				3930	/* Do not fallback to PEM parser if only passphrase is wrong. */
				3931	if (r == 0 \|\| r == SSH_ERR_KEY_WRONG_PASSPHRASE)
				3932	return r;
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3933	#ifdef WITH_OPENSSL
djm@openbsd.org	1195f4c	2015-01-08 10:14:08 +0000	[diff] [blame]	3934	return sshkey_parse_private_pem_fileblob(blob, type,
				3935	passphrase, keyp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3936	#else
				3937	return SSH_ERR_INVALID_FORMAT;
				3938	#endif /* WITH_OPENSSL */
				3939	default:
				3940	return SSH_ERR_KEY_TYPE_UNKNOWN;
				3941	}
				3942	}
				3943
				3944	int
				3945	sshkey_parse_private_fileblob(struct sshbuf buffer, const char passphrase,
tim@openbsd.org	3c019a9	2015-09-13 14:39:16 +0000	[diff] [blame]	3946	struct sshkey keyp, char commentp)
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3947	{
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3948	if (keyp != NULL)
				3949	*keyp = NULL;
				3950	if (commentp != NULL)
				3951	*commentp = NULL;
				3952
				3953	#ifdef WITH_SSH1
				3954	/* it's a SSH v1 key if the public key part is readable */
tim@openbsd.org	3c019a9	2015-09-13 14:39:16 +0000	[diff] [blame]	3955	if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3956	return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
				3957	passphrase, keyp, commentp);
				3958	}
				3959	#endif /* WITH_SSH1 */
tim@openbsd.org	3c019a9	2015-09-13 14:39:16 +0000	[diff] [blame]	3960	return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
				3961	passphrase, keyp, commentp);
Damien Miller	8668706	2014-07-02 15:28:02 +1000	[diff] [blame]	3962	}