Return to sshkey.c CVS log

Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/sshkey.c, Revision 1.128

1.128   ! djm         1: /* $OpenBSD: sshkey.c,v 1.127 2022/10/28 00:39:29 djm Exp $ */
1.1       djm         2: /*
                      3:  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
                      4:  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
                      5:  * Copyright (c) 2010,2011 Damien Miller.  All rights reserved.
                      6:  *
                      7:  * Redistribution and use in source and binary forms, with or without
                      8:  * modification, are permitted provided that the following conditions
                      9:  * are met:
                     10:  * 1. Redistributions of source code must retain the above copyright
                     11:  *    notice, this list of conditions and the following disclaimer.
                     12:  * 2. Redistributions in binary form must reproduce the above copyright
                     13:  *    notice, this list of conditions and the following disclaimer in the
                     14:  *    documentation and/or other materials provided with the distribution.
                     15:  *
                     16:  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     17:  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     18:  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     19:  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     20:  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     21:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     22:  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     23:  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     24:  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     25:  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     26:  */
                     27:
                     28: #include <sys/types.h>
1.7       djm        29: #include <netinet/in.h>
1.1       djm        30:
1.12      djm        31: #ifdef WITH_OPENSSL
1.1       djm        32: #include <openssl/evp.h>
                     33: #include <openssl/err.h>
                     34: #include <openssl/pem.h>
1.12      djm        35: #endif
1.1       djm        36:
                     37: #include "crypto_api.h"
                     38:
                     39: #include <errno.h>
                     40: #include <stdio.h>
                     41: #include <string.h>
                     42: #include <util.h>
1.13      deraadt    43: #include <limits.h>
1.7       djm        44: #include <resolv.h>
1.1       djm        45:
                     46: #include "ssh2.h"
                     47: #include "ssherr.h"
                     48: #include "misc.h"
                     49: #include "sshbuf.h"
                     50: #include "cipher.h"
                     51: #include "digest.h"
                     52: #define SSHKEY_INTERNAL
                     53: #include "sshkey.h"
1.11      djm        54: #include "match.h"
1.86      djm        55: #include "ssh-sk.h"
1.1       djm        56:
1.74      dtucker    57: #ifdef WITH_XMSS
                     58: #include "sshkey-xmss.h"
1.62      markus     59: #include "xmss_fast.h"
1.74      dtucker    60: #endif
1.62      markus     61:
1.1       djm        62: /* openssh private key file format */
                     63: #define MARK_BEGIN             "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     64: #define MARK_END               "-----END OPENSSH PRIVATE KEY-----\n"
                     65: #define MARK_BEGIN_LEN         (sizeof(MARK_BEGIN) - 1)
                     66: #define MARK_END_LEN           (sizeof(MARK_END) - 1)
                     67: #define KDFNAME                        "bcrypt"
                     68: #define AUTH_MAGIC             "openssh-key-v1"
                     69: #define SALT_LEN               16
1.56      djm        70: #define DEFAULT_CIPHERNAME     "aes256-ctr"
1.1       djm        71: #define        DEFAULT_ROUNDS          16
                     72:
                     73: /* Version identification string for SSH v1 identity files. */
                     74: #define LEGACY_BEGIN           "SSH PRIVATE KEY FILE FORMAT 1.1\n"
                     75:
1.76      djm        76: /*
                     77:  * Constants relating to "shielding" support; protection of keys expected
                     78:  * to remain in memory for long durations
                     79:  */
                     80: #define SSHKEY_SHIELD_PREKEY_LEN       (16 * 1024)
                     81: #define SSHKEY_SHIELD_CIPHER           "aes256-ctr" /* XXX want AES-EME* */
                     82: #define SSHKEY_SHIELD_PREKEY_HASH      SSH_DIGEST_SHA512
                     83:
                     84: int    sshkey_private_serialize_opt(struct sshkey *key,
1.62      markus     85:     struct sshbuf *buf, enum sshkey_serialize_rep);
1.14      djm        86: static int sshkey_from_blob_internal(struct sshbuf *buf,
1.1       djm        87:     struct sshkey **keyp, int allow_cert);
                     88:
                     89: /* Supported key types */
1.123     djm        90: extern const struct sshkey_impl sshkey_ed25519_impl;
                     91: extern const struct sshkey_impl sshkey_ed25519_cert_impl;
                     92: extern const struct sshkey_impl sshkey_ed25519_sk_impl;
                     93: extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl;
                     94: #ifdef WITH_OPENSSL
                     95: extern const struct sshkey_impl sshkey_ecdsa_sk_impl;
                     96: extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl;
                     97: extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl;
                     98: extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl;
                     99: extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl;
                    100: extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl;
                    101: extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl;
                    102: extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl;
                    103: extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl;
                    104: extern const struct sshkey_impl sshkey_rsa_impl;
                    105: extern const struct sshkey_impl sshkey_rsa_cert_impl;
                    106: extern const struct sshkey_impl sshkey_rsa_sha256_impl;
                    107: extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl;
                    108: extern const struct sshkey_impl sshkey_rsa_sha512_impl;
                    109: extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl;
                    110: extern const struct sshkey_impl sshkey_dss_impl;
                    111: extern const struct sshkey_impl sshkey_dsa_cert_impl;
                    112: #endif /* WITH_OPENSSL */
1.62      markus    113: #ifdef WITH_XMSS
1.123     djm       114: extern const struct sshkey_impl sshkey_xmss_impl;
                    115: extern const struct sshkey_impl sshkey_xmss_cert_impl;
                    116: #endif
                    117:
                    118: const struct sshkey_impl * const keyimpls[] = {
                    119:        &sshkey_ed25519_impl,
                    120:        &sshkey_ed25519_cert_impl,
                    121:        &sshkey_ed25519_sk_impl,
                    122:        &sshkey_ed25519_sk_cert_impl,
                    123: #ifdef WITH_OPENSSL
                    124:        &sshkey_ecdsa_nistp256_impl,
                    125:        &sshkey_ecdsa_nistp256_cert_impl,
                    126:        &sshkey_ecdsa_nistp384_impl,
                    127:        &sshkey_ecdsa_nistp384_cert_impl,
                    128:        &sshkey_ecdsa_nistp521_impl,
                    129:        &sshkey_ecdsa_nistp521_cert_impl,
                    130:        &sshkey_ecdsa_sk_impl,
                    131:        &sshkey_ecdsa_sk_cert_impl,
                    132:        &sshkey_ecdsa_sk_webauthn_impl,
                    133:        &sshkey_dss_impl,
                    134:        &sshkey_dsa_cert_impl,
                    135:        &sshkey_rsa_impl,
                    136:        &sshkey_rsa_cert_impl,
                    137:        &sshkey_rsa_sha256_impl,
                    138:        &sshkey_rsa_sha256_cert_impl,
                    139:        &sshkey_rsa_sha512_impl,
                    140:        &sshkey_rsa_sha512_cert_impl,
1.1       djm       141: #endif /* WITH_OPENSSL */
1.123     djm       142: #ifdef WITH_XMSS
                    143:        &sshkey_xmss_impl,
                    144:        &sshkey_xmss_cert_impl,
                    145: #endif
                    146:        NULL
1.1       djm       147: };
                    148:
1.123     djm       149: static const struct sshkey_impl *
                    150: sshkey_impl_from_type(int type)
                    151: {
                    152:        int i;
                    153:
                    154:        for (i = 0; keyimpls[i] != NULL; i++) {
                    155:                if (keyimpls[i]->type == type)
                    156:                        return keyimpls[i];
                    157:        }
                    158:        return NULL;
                    159: }
                    160:
                    161: static const struct sshkey_impl *
                    162: sshkey_impl_from_type_nid(int type, int nid)
                    163: {
                    164:        int i;
                    165:
                    166:        for (i = 0; keyimpls[i] != NULL; i++) {
                    167:                if (keyimpls[i]->type == type &&
                    168:                    (keyimpls[i]->nid == 0 || keyimpls[i]->nid == nid))
                    169:                        return keyimpls[i];
                    170:        }
                    171:        return NULL;
                    172: }
                    173:
1.126     djm       174: static const struct sshkey_impl *
                    175: sshkey_impl_from_key(const struct sshkey *k)
                    176: {
                    177:        if (k == NULL)
                    178:                return NULL;
                    179:        return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid);
                    180: }
                    181:
1.1       djm       182: const char *
                    183: sshkey_type(const struct sshkey *k)
                    184: {
1.123     djm       185:        const struct sshkey_impl *impl;
1.1       djm       186:
1.126     djm       187:        if ((impl = sshkey_impl_from_key(k)) == NULL)
1.123     djm       188:                return "unknown";
                    189:        return impl->shortname;
1.1       djm       190: }
                    191:
                    192: static const char *
                    193: sshkey_ssh_name_from_type_nid(int type, int nid)
                    194: {
1.123     djm       195:        const struct sshkey_impl *impl;
1.1       djm       196:
1.123     djm       197:        if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL)
                    198:                return "ssh-unknown";
                    199:        return impl->name;
1.1       djm       200: }
                    201:
                    202: int
                    203: sshkey_type_is_cert(int type)
                    204: {
1.123     djm       205:        const struct sshkey_impl *impl;
1.1       djm       206:
1.123     djm       207:        if ((impl = sshkey_impl_from_type(type)) == NULL)
                    208:                return 0;
                    209:        return impl->cert;
1.1       djm       210: }
                    211:
                    212: const char *
                    213: sshkey_ssh_name(const struct sshkey *k)
                    214: {
                    215:        return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
                    216: }
                    217:
                    218: const char *
                    219: sshkey_ssh_name_plain(const struct sshkey *k)
                    220: {
                    221:        return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
                    222:            k->ecdsa_nid);
                    223: }
                    224:
                    225: int
                    226: sshkey_type_from_name(const char *name)
                    227: {
1.123     djm       228:        int i;
                    229:        const struct sshkey_impl *impl;
1.1       djm       230:
1.123     djm       231:        for (i = 0; keyimpls[i] != NULL; i++) {
                    232:                impl = keyimpls[i];
1.1       djm       233:                /* Only allow shortname matches for plain key types */
1.123     djm       234:                if ((impl->name != NULL && strcmp(name, impl->name) == 0) ||
                    235:                    (!impl->cert && strcasecmp(impl->shortname, name) == 0))
                    236:                        return impl->type;
1.1       djm       237:        }
                    238:        return KEY_UNSPEC;
                    239: }
                    240:
1.85      djm       241: static int
                    242: key_type_is_ecdsa_variant(int type)
                    243: {
                    244:        switch (type) {
                    245:        case KEY_ECDSA:
                    246:        case KEY_ECDSA_CERT:
                    247:        case KEY_ECDSA_SK:
                    248:        case KEY_ECDSA_SK_CERT:
                    249:                return 1;
                    250:        }
                    251:        return 0;
                    252: }
                    253:
1.1       djm       254: int
                    255: sshkey_ecdsa_nid_from_name(const char *name)
                    256: {
1.123     djm       257:        int i;
1.1       djm       258:
1.123     djm       259:        for (i = 0; keyimpls[i] != NULL; i++) {
                    260:                if (!key_type_is_ecdsa_variant(keyimpls[i]->type))
1.4       djm       261:                        continue;
1.123     djm       262:                if (keyimpls[i]->name != NULL &&
                    263:                    strcmp(name, keyimpls[i]->name) == 0)
                    264:                        return keyimpls[i]->nid;
1.4       djm       265:        }
1.1       djm       266:        return -1;
1.120     djm       267: }
                    268:
                    269: int
                    270: sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
                    271: {
                    272:        int ktype;
                    273:
                    274:        if (sigalgs == NULL || *sigalgs == '\0' ||
                    275:            (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
                    276:                return 0;
                    277:        else if (ktype == KEY_RSA) {
                    278:                return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 ||
                    279:                    match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 ||
                    280:                    match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
                    281:        } else if (ktype == KEY_RSA_CERT) {
                    282:                return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
                    283:                    sigalgs, 0) == 1 ||
                    284:                    match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
                    285:                    sigalgs, 0) == 1 ||
                    286:                    match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
                    287:                    sigalgs, 0) == 1;
                    288:        } else
                    289:                return match_pattern_list(keyname, sigalgs, 0) == 1;
1.1       djm       290: }
                    291:
                    292: char *
1.45      djm       293: sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
1.1       djm       294: {
                    295:        char *tmp, *ret = NULL;
1.123     djm       296:        size_t i, nlen, rlen = 0;
                    297:        const struct sshkey_impl *impl;
1.1       djm       298:
1.123     djm       299:        for (i = 0; keyimpls[i] != NULL; i++) {
                    300:                impl = keyimpls[i];
                    301:                if (impl->name == NULL)
1.45      djm       302:                        continue;
1.123     djm       303:                if (!include_sigonly && impl->sigonly)
1.1       djm       304:                        continue;
1.123     djm       305:                if ((certs_only && !impl->cert) || (plain_only && impl->cert))
1.1       djm       306:                        continue;
                    307:                if (ret != NULL)
1.38      djm       308:                        ret[rlen++] = sep;
1.123     djm       309:                nlen = strlen(impl->name);
1.1       djm       310:                if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
                    311:                        free(ret);
                    312:                        return NULL;
                    313:                }
                    314:                ret = tmp;
1.123     djm       315:                memcpy(ret + rlen, impl->name, nlen + 1);
1.1       djm       316:                rlen += nlen;
                    317:        }
                    318:        return ret;
                    319: }
                    320:
                    321: int
1.11      djm       322: sshkey_names_valid2(const char *names, int allow_wildcard)
1.1       djm       323: {
                    324:        char *s, *cp, *p;
1.123     djm       325:        const struct sshkey_impl *impl;
                    326:        int i, type;
1.1       djm       327:
                    328:        if (names == NULL || strcmp(names, "") == 0)
                    329:                return 0;
                    330:        if ((s = cp = strdup(names)) == NULL)
                    331:                return 0;
                    332:        for ((p = strsep(&cp, ",")); p && *p != '\0';
                    333:            (p = strsep(&cp, ","))) {
1.11      djm       334:                type = sshkey_type_from_name(p);
                    335:                if (type == KEY_UNSPEC) {
                    336:                        if (allow_wildcard) {
                    337:                                /*
                    338:                                 * Try matching key types against the string.
                    339:                                 * If any has a positive or negative match then
                    340:                                 * the component is accepted.
                    341:                                 */
1.123     djm       342:                                impl = NULL;
                    343:                                for (i = 0; keyimpls[i] != NULL; i++) {
                    344:                                        if (match_pattern_list(
                    345:                                            keyimpls[i]->name, p, 0) != 0) {
                    346:                                                impl = keyimpls[i];
1.11      djm       347:                                                break;
1.123     djm       348:                                        }
1.11      djm       349:                                }
1.123     djm       350:                                if (impl != NULL)
1.11      djm       351:                                        continue;
                    352:                        }
1.1       djm       353:                        free(s);
                    354:                        return 0;
                    355:                }
                    356:        }
                    357:        free(s);
                    358:        return 1;
                    359: }
                    360:
                    361: u_int
                    362: sshkey_size(const struct sshkey *k)
                    363: {
1.123     djm       364:        const struct sshkey_impl *impl;
1.69      djm       365:
1.126     djm       366:        if ((impl = sshkey_impl_from_key(k)) == NULL)
1.123     djm       367:                return 0;
                    368:        if (impl->funcs->size != NULL)
                    369:                return impl->funcs->size(k);
                    370:        return impl->keybits;
1.1       djm       371: }
                    372:
                    373: static int
                    374: sshkey_type_is_valid_ca(int type)
                    375: {
1.123     djm       376:        const struct sshkey_impl *impl;
                    377:
                    378:        if ((impl = sshkey_impl_from_type(type)) == NULL)
1.1       djm       379:                return 0;
1.123     djm       380:        /* All non-certificate types may act as CAs */
                    381:        return !impl->cert;
1.1       djm       382: }
                    383:
                    384: int
                    385: sshkey_is_cert(const struct sshkey *k)
                    386: {
                    387:        if (k == NULL)
                    388:                return 0;
                    389:        return sshkey_type_is_cert(k->type);
                    390: }
                    391:
1.90      markus    392: int
                    393: sshkey_is_sk(const struct sshkey *k)
                    394: {
                    395:        if (k == NULL)
                    396:                return 0;
                    397:        switch (sshkey_type_plain(k->type)) {
                    398:        case KEY_ECDSA_SK:
                    399:        case KEY_ED25519_SK:
                    400:                return 1;
                    401:        default:
                    402:                return 0;
                    403:        }
                    404: }
                    405:
1.1       djm       406: /* Return the cert-less equivalent to a certified key type */
                    407: int
                    408: sshkey_type_plain(int type)
                    409: {
                    410:        switch (type) {
                    411:        case KEY_RSA_CERT:
                    412:                return KEY_RSA;
                    413:        case KEY_DSA_CERT:
                    414:                return KEY_DSA;
                    415:        case KEY_ECDSA_CERT:
                    416:                return KEY_ECDSA;
1.85      djm       417:        case KEY_ECDSA_SK_CERT:
                    418:                return KEY_ECDSA_SK;
1.1       djm       419:        case KEY_ED25519_CERT:
                    420:                return KEY_ED25519;
1.90      markus    421:        case KEY_ED25519_SK_CERT:
                    422:                return KEY_ED25519_SK;
1.62      markus    423:        case KEY_XMSS_CERT:
                    424:                return KEY_XMSS;
1.1       djm       425:        default:
                    426:                return type;
                    427:        }
                    428: }
                    429:
                    430: #ifdef WITH_OPENSSL
                    431: /* XXX: these are really begging for a table-driven approach */
                    432: int
                    433: sshkey_curve_name_to_nid(const char *name)
                    434: {
                    435:        if (strcmp(name, "nistp256") == 0)
                    436:                return NID_X9_62_prime256v1;
                    437:        else if (strcmp(name, "nistp384") == 0)
                    438:                return NID_secp384r1;
                    439:        else if (strcmp(name, "nistp521") == 0)
                    440:                return NID_secp521r1;
                    441:        else
                    442:                return -1;
                    443: }
                    444:
                    445: u_int
                    446: sshkey_curve_nid_to_bits(int nid)
                    447: {
                    448:        switch (nid) {
                    449:        case NID_X9_62_prime256v1:
                    450:                return 256;
                    451:        case NID_secp384r1:
                    452:                return 384;
                    453:        case NID_secp521r1:
                    454:                return 521;
                    455:        default:
                    456:                return 0;
                    457:        }
                    458: }
                    459:
                    460: int
                    461: sshkey_ecdsa_bits_to_nid(int bits)
                    462: {
                    463:        switch (bits) {
                    464:        case 256:
                    465:                return NID_X9_62_prime256v1;
                    466:        case 384:
                    467:                return NID_secp384r1;
                    468:        case 521:
                    469:                return NID_secp521r1;
                    470:        default:
                    471:                return -1;
                    472:        }
                    473: }
                    474:
                    475: const char *
                    476: sshkey_curve_nid_to_name(int nid)
                    477: {
                    478:        switch (nid) {
                    479:        case NID_X9_62_prime256v1:
                    480:                return "nistp256";
                    481:        case NID_secp384r1:
                    482:                return "nistp384";
                    483:        case NID_secp521r1:
                    484:                return "nistp521";
                    485:        default:
                    486:                return NULL;
                    487:        }
                    488: }
                    489:
                    490: int
                    491: sshkey_ec_nid_to_hash_alg(int nid)
                    492: {
                    493:        int kbits = sshkey_curve_nid_to_bits(nid);
                    494:
                    495:        if (kbits <= 0)
                    496:                return -1;
                    497:
                    498:        /* RFC5656 section 6.2.1 */
                    499:        if (kbits <= 256)
                    500:                return SSH_DIGEST_SHA256;
                    501:        else if (kbits <= 384)
                    502:                return SSH_DIGEST_SHA384;
                    503:        else
                    504:                return SSH_DIGEST_SHA512;
                    505: }
                    506: #endif /* WITH_OPENSSL */
                    507:
                    508: static void
                    509: cert_free(struct sshkey_cert *cert)
                    510: {
                    511:        u_int i;
                    512:
                    513:        if (cert == NULL)
                    514:                return;
1.31      mmcc      515:        sshbuf_free(cert->certblob);
                    516:        sshbuf_free(cert->critical);
                    517:        sshbuf_free(cert->extensions);
1.29      mmcc      518:        free(cert->key_id);
1.1       djm       519:        for (i = 0; i < cert->nprincipals; i++)
                    520:                free(cert->principals[i]);
1.29      mmcc      521:        free(cert->principals);
1.30      mmcc      522:        sshkey_free(cert->signature_key);
1.67      djm       523:        free(cert->signature_type);
1.61      jsing     524:        freezero(cert, sizeof(*cert));
1.1       djm       525: }
                    526:
                    527: static struct sshkey_cert *
                    528: cert_new(void)
                    529: {
                    530:        struct sshkey_cert *cert;
                    531:
                    532:        if ((cert = calloc(1, sizeof(*cert))) == NULL)
                    533:                return NULL;
                    534:        if ((cert->certblob = sshbuf_new()) == NULL ||
                    535:            (cert->critical = sshbuf_new()) == NULL ||
                    536:            (cert->extensions = sshbuf_new()) == NULL) {
                    537:                cert_free(cert);
                    538:                return NULL;
                    539:        }
                    540:        cert->key_id = NULL;
                    541:        cert->principals = NULL;
                    542:        cert->signature_key = NULL;
1.67      djm       543:        cert->signature_type = NULL;
1.1       djm       544:        return cert;
                    545: }
                    546:
                    547: struct sshkey *
                    548: sshkey_new(int type)
                    549: {
                    550:        struct sshkey *k;
1.123     djm       551:        const struct sshkey_impl *impl = NULL;
                    552:
                    553:        if (type != KEY_UNSPEC &&
                    554:            (impl = sshkey_impl_from_type(type)) == NULL)
                    555:                return NULL;
1.1       djm       556:
1.123     djm       557:        /* All non-certificate types may act as CAs */
1.1       djm       558:        if ((k = calloc(1, sizeof(*k))) == NULL)
                    559:                return NULL;
                    560:        k->type = type;
                    561:        k->ecdsa_nid = -1;
1.123     djm       562:        if (impl != NULL && impl->funcs->alloc != NULL) {
                    563:                if (impl->funcs->alloc(k) != 0) {
1.1       djm       564:                        free(k);
                    565:                        return NULL;
                    566:                }
                    567:        }
                    568:        if (sshkey_is_cert(k)) {
                    569:                if ((k->cert = cert_new()) == NULL) {
                    570:                        sshkey_free(k);
                    571:                        return NULL;
                    572:                }
                    573:        }
                    574:
                    575:        return k;
                    576: }
                    577:
1.124     djm       578: /* Frees common FIDO fields */
                    579: void
                    580: sshkey_sk_cleanup(struct sshkey *k)
                    581: {
                    582:        free(k->sk_application);
                    583:        sshbuf_free(k->sk_key_handle);
                    584:        sshbuf_free(k->sk_reserved);
                    585:        k->sk_application = NULL;
                    586:        k->sk_key_handle = k->sk_reserved = NULL;
                    587: }
                    588:
1.126     djm       589: static void
                    590: sshkey_free_contents(struct sshkey *k)
1.1       djm       591: {
1.123     djm       592:        const struct sshkey_impl *impl;
                    593:
1.1       djm       594:        if (k == NULL)
                    595:                return;
1.123     djm       596:        if ((impl = sshkey_impl_from_type(k->type)) != NULL &&
                    597:            impl->funcs->cleanup != NULL)
                    598:                impl->funcs->cleanup(k);
1.1       djm       599:        if (sshkey_is_cert(k))
                    600:                cert_free(k->cert);
1.76      djm       601:        freezero(k->shielded_private, k->shielded_len);
                    602:        freezero(k->shield_prekey, k->shield_prekey_len);
1.126     djm       603: }
                    604:
                    605: void
                    606: sshkey_free(struct sshkey *k)
                    607: {
                    608:        sshkey_free_contents(k);
1.61      jsing     609:        freezero(k, sizeof(*k));
1.1       djm       610: }
                    611:
                    612: static int
                    613: cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
                    614: {
                    615:        if (a == NULL && b == NULL)
                    616:                return 1;
                    617:        if (a == NULL || b == NULL)
                    618:                return 0;
                    619:        if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
                    620:                return 0;
                    621:        if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
                    622:            sshbuf_len(a->certblob)) != 0)
                    623:                return 0;
                    624:        return 1;
                    625: }
                    626:
1.124     djm       627: /* Compares FIDO-specific pubkey fields only */
                    628: int
                    629: sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b)
                    630: {
                    631:        if (a->sk_application == NULL || b->sk_application == NULL)
                    632:                return 0;
                    633:        if (strcmp(a->sk_application, b->sk_application) != 0)
                    634:                return 0;
                    635:        return 1;
                    636: }
                    637:
1.1       djm       638: /*
                    639:  * Compare public portions of key only, allowing comparisons between
                    640:  * certificates and plain keys too.
                    641:  */
                    642: int
                    643: sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
                    644: {
1.124     djm       645:        const struct sshkey_impl *impl;
1.1       djm       646:
                    647:        if (a == NULL || b == NULL ||
                    648:            sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
                    649:                return 0;
1.124     djm       650:        if ((impl = sshkey_impl_from_type(a->type)) == NULL)
1.1       djm       651:                return 0;
1.124     djm       652:        return impl->funcs->equal(a, b);
1.1       djm       653: }
                    654:
                    655: int
                    656: sshkey_equal(const struct sshkey *a, const struct sshkey *b)
                    657: {
                    658:        if (a == NULL || b == NULL || a->type != b->type)
                    659:                return 0;
                    660:        if (sshkey_is_cert(a)) {
                    661:                if (!cert_compare(a->cert, b->cert))
                    662:                        return 0;
                    663:        }
                    664:        return sshkey_equal_public(a, b);
                    665: }
                    666:
1.125     djm       667:
                    668: /* Serialise common FIDO key parts */
                    669: int
                    670: sshkey_serialize_sk(const struct sshkey *key, struct sshbuf *b)
                    671: {
                    672:        int r;
                    673:
                    674:        if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0)
                    675:                return r;
                    676:
                    677:        return 0;
                    678: }
                    679:
1.1       djm       680: static int
1.62      markus    681: to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
                    682:   enum sshkey_serialize_rep opts)
1.1       djm       683: {
                    684:        int type, ret = SSH_ERR_INTERNAL_ERROR;
                    685:        const char *typename;
1.125     djm       686:        const struct sshkey_impl *impl;
1.1       djm       687:
                    688:        if (key == NULL)
                    689:                return SSH_ERR_INVALID_ARGUMENT;
                    690:
1.125     djm       691:        type = force_plain ? sshkey_type_plain(key->type) : key->type;
                    692:
                    693:        if (sshkey_type_is_cert(type)) {
1.19      djm       694:                if (key->cert == NULL)
                    695:                        return SSH_ERR_EXPECTED_CERT;
                    696:                if (sshbuf_len(key->cert->certblob) == 0)
                    697:                        return SSH_ERR_KEY_LACKS_CERTBLOB;
1.1       djm       698:                /* Use the existing blob */
                    699:                if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
                    700:                        return ret;
1.125     djm       701:                return 0;
                    702:        }
                    703:        if ((impl = sshkey_impl_from_type(type)) == NULL)
1.1       djm       704:                return SSH_ERR_KEY_TYPE_UNKNOWN;
1.125     djm       705:
                    706:        typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
                    707:        return impl->funcs->serialize_public(key, b, typename, opts);
1.1       djm       708: }
                    709:
                    710: int
1.14      djm       711: sshkey_putb(const struct sshkey *key, struct sshbuf *b)
1.1       djm       712: {
1.62      markus    713:        return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       714: }
                    715:
                    716: int
1.62      markus    717: sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b,
                    718:     enum sshkey_serialize_rep opts)
1.14      djm       719: {
                    720:        struct sshbuf *tmp;
                    721:        int r;
                    722:
                    723:        if ((tmp = sshbuf_new()) == NULL)
                    724:                return SSH_ERR_ALLOC_FAIL;
1.62      markus    725:        r = to_blob_buf(key, tmp, 0, opts);
1.14      djm       726:        if (r == 0)
                    727:                r = sshbuf_put_stringb(b, tmp);
                    728:        sshbuf_free(tmp);
                    729:        return r;
                    730: }
                    731:
                    732: int
1.62      markus    733: sshkey_puts(const struct sshkey *key, struct sshbuf *b)
                    734: {
                    735:        return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
                    736: }
                    737:
                    738: int
1.14      djm       739: sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
1.1       djm       740: {
1.62      markus    741:        return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       742: }
                    743:
                    744: static int
1.62      markus    745: to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain,
                    746:     enum sshkey_serialize_rep opts)
1.1       djm       747: {
                    748:        int ret = SSH_ERR_INTERNAL_ERROR;
                    749:        size_t len;
                    750:        struct sshbuf *b = NULL;
                    751:
                    752:        if (lenp != NULL)
                    753:                *lenp = 0;
                    754:        if (blobp != NULL)
                    755:                *blobp = NULL;
                    756:        if ((b = sshbuf_new()) == NULL)
                    757:                return SSH_ERR_ALLOC_FAIL;
1.62      markus    758:        if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
1.1       djm       759:                goto out;
                    760:        len = sshbuf_len(b);
                    761:        if (lenp != NULL)
                    762:                *lenp = len;
                    763:        if (blobp != NULL) {
                    764:                if ((*blobp = malloc(len)) == NULL) {
                    765:                        ret = SSH_ERR_ALLOC_FAIL;
                    766:                        goto out;
                    767:                }
                    768:                memcpy(*blobp, sshbuf_ptr(b), len);
                    769:        }
                    770:        ret = 0;
                    771:  out:
                    772:        sshbuf_free(b);
                    773:        return ret;
                    774: }
                    775:
                    776: int
                    777: sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
                    778: {
1.62      markus    779:        return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       780: }
                    781:
                    782: int
                    783: sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
                    784: {
1.62      markus    785:        return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       786: }
                    787:
                    788: int
1.7       djm       789: sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
1.1       djm       790:     u_char **retp, size_t *lenp)
                    791: {
                    792:        u_char *blob = NULL, *ret = NULL;
                    793:        size_t blob_len = 0;
1.7       djm       794:        int r = SSH_ERR_INTERNAL_ERROR;
1.1       djm       795:
                    796:        if (retp != NULL)
                    797:                *retp = NULL;
                    798:        if (lenp != NULL)
                    799:                *lenp = 0;
1.7       djm       800:        if (ssh_digest_bytes(dgst_alg) == 0) {
1.1       djm       801:                r = SSH_ERR_INVALID_ARGUMENT;
                    802:                goto out;
                    803:        }
1.62      markus    804:        if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
                    805:            != 0)
1.1       djm       806:                goto out;
                    807:        if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
                    808:                r = SSH_ERR_ALLOC_FAIL;
                    809:                goto out;
                    810:        }
1.7       djm       811:        if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
1.1       djm       812:            ret, SSH_DIGEST_MAX_LENGTH)) != 0)
                    813:                goto out;
                    814:        /* success */
                    815:        if (retp != NULL) {
                    816:                *retp = ret;
                    817:                ret = NULL;
                    818:        }
                    819:        if (lenp != NULL)
1.7       djm       820:                *lenp = ssh_digest_bytes(dgst_alg);
1.1       djm       821:        r = 0;
                    822:  out:
                    823:        free(ret);
1.100     jsg       824:        if (blob != NULL)
                    825:                freezero(blob, blob_len);
1.1       djm       826:        return r;
                    827: }
                    828:
                    829: static char *
1.7       djm       830: fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
                    831: {
                    832:        char *ret;
                    833:        size_t plen = strlen(alg) + 1;
                    834:        size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
                    835:
                    836:        if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
                    837:                return NULL;
                    838:        strlcpy(ret, alg, rlen);
                    839:        strlcat(ret, ":", rlen);
                    840:        if (dgst_raw_len == 0)
                    841:                return ret;
1.79      dtucker   842:        if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
1.61      jsing     843:                freezero(ret, rlen);
1.7       djm       844:                return NULL;
                    845:        }
                    846:        /* Trim padding characters from end */
                    847:        ret[strcspn(ret, "=")] = '\0';
                    848:        return ret;
                    849: }
                    850:
                    851: static char *
                    852: fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
1.1       djm       853: {
1.7       djm       854:        char *retval, hex[5];
                    855:        size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
1.1       djm       856:
1.7       djm       857:        if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
1.1       djm       858:                return NULL;
1.7       djm       859:        strlcpy(retval, alg, rlen);
                    860:        strlcat(retval, ":", rlen);
1.1       djm       861:        for (i = 0; i < dgst_raw_len; i++) {
1.7       djm       862:                snprintf(hex, sizeof(hex), "%s%02x",
                    863:                    i > 0 ? ":" : "", dgst_raw[i]);
                    864:                strlcat(retval, hex, rlen);
1.1       djm       865:        }
                    866:        return retval;
                    867: }
                    868:
                    869: static char *
                    870: fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
                    871: {
                    872:        char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
                    873:        char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
                    874:            'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
                    875:        u_int i, j = 0, rounds, seed = 1;
                    876:        char *retval;
                    877:
                    878:        rounds = (dgst_raw_len / 2) + 1;
                    879:        if ((retval = calloc(rounds, 6)) == NULL)
                    880:                return NULL;
                    881:        retval[j++] = 'x';
                    882:        for (i = 0; i < rounds; i++) {
                    883:                u_int idx0, idx1, idx2, idx3, idx4;
                    884:                if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
                    885:                        idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
                    886:                            seed) % 6;
                    887:                        idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
                    888:                        idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
                    889:                            (seed / 6)) % 6;
                    890:                        retval[j++] = vowels[idx0];
                    891:                        retval[j++] = consonants[idx1];
                    892:                        retval[j++] = vowels[idx2];
                    893:                        if ((i + 1) < rounds) {
                    894:                                idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
                    895:                                idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
                    896:                                retval[j++] = consonants[idx3];
                    897:                                retval[j++] = '-';
                    898:                                retval[j++] = consonants[idx4];
                    899:                                seed = ((seed * 5) +
                    900:                                    ((((u_int)(dgst_raw[2 * i])) * 7) +
                    901:                                    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
                    902:                        }
                    903:                } else {
                    904:                        idx0 = seed % 6;
                    905:                        idx1 = 16;
                    906:                        idx2 = seed / 6;
                    907:                        retval[j++] = vowels[idx0];
                    908:                        retval[j++] = consonants[idx1];
                    909:                        retval[j++] = vowels[idx2];
                    910:                }
                    911:        }
                    912:        retval[j++] = 'x';
                    913:        retval[j++] = '\0';
                    914:        return retval;
                    915: }
                    916:
                    917: /*
                    918:  * Draw an ASCII-Art representing the fingerprint so human brain can
                    919:  * profit from its built-in pattern recognition ability.
                    920:  * This technique is called "random art" and can be found in some
                    921:  * scientific publications like this original paper:
                    922:  *
                    923:  * "Hash Visualization: a New Technique to improve Real-World Security",
                    924:  * Perrig A. and Song D., 1999, International Workshop on Cryptographic
                    925:  * Techniques and E-Commerce (CrypTEC '99)
                    926:  * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
                    927:  *
                    928:  * The subject came up in a talk by Dan Kaminsky, too.
                    929:  *
                    930:  * If you see the picture is different, the key is different.
                    931:  * If the picture looks the same, you still know nothing.
                    932:  *
                    933:  * The algorithm used here is a worm crawling over a discrete plane,
                    934:  * leaving a trace (augmenting the field) everywhere it goes.
                    935:  * Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
                    936:  * makes the respective movement vector be ignored for this turn.
                    937:  * Graphs are not unambiguous, because circles in graphs can be
                    938:  * walked in either direction.
                    939:  */
                    940:
                    941: /*
                    942:  * Field sizes for the random art.  Have to be odd, so the starting point
                    943:  * can be in the exact middle of the picture, and FLDBASE should be >=8 .
                    944:  * Else pictures would be too dense, and drawing the frame would
                    945:  * fail, too, because the key type would not fit in anymore.
                    946:  */
                    947: #define        FLDBASE         8
                    948: #define        FLDSIZE_Y       (FLDBASE + 1)
                    949: #define        FLDSIZE_X       (FLDBASE * 2 + 1)
                    950: static char *
1.7       djm       951: fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
1.1       djm       952:     const struct sshkey *k)
                    953: {
                    954:        /*
                    955:         * Chars to be used after each other every time the worm
                    956:         * intersects with itself.  Matter of taste.
                    957:         */
                    958:        char    *augmentation_string = " .o+=*BOX@%&#/^SE";
1.7       djm       959:        char    *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
1.1       djm       960:        u_char   field[FLDSIZE_X][FLDSIZE_Y];
1.7       djm       961:        size_t   i, tlen, hlen;
1.1       djm       962:        u_int    b;
1.3       djm       963:        int      x, y, r;
1.1       djm       964:        size_t   len = strlen(augmentation_string) - 1;
                    965:
                    966:        if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
                    967:                return NULL;
                    968:
                    969:        /* initialize field */
                    970:        memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
                    971:        x = FLDSIZE_X / 2;
                    972:        y = FLDSIZE_Y / 2;
                    973:
                    974:        /* process raw key */
                    975:        for (i = 0; i < dgst_raw_len; i++) {
                    976:                int input;
                    977:                /* each byte conveys four 2-bit move commands */
                    978:                input = dgst_raw[i];
                    979:                for (b = 0; b < 4; b++) {
                    980:                        /* evaluate 2 bit, rest is shifted later */
                    981:                        x += (input & 0x1) ? 1 : -1;
                    982:                        y += (input & 0x2) ? 1 : -1;
                    983:
                    984:                        /* assure we are still in bounds */
1.37      deraadt   985:                        x = MAXIMUM(x, 0);
                    986:                        y = MAXIMUM(y, 0);
                    987:                        x = MINIMUM(x, FLDSIZE_X - 1);
                    988:                        y = MINIMUM(y, FLDSIZE_Y - 1);
1.1       djm       989:
                    990:                        /* augment the field */
                    991:                        if (field[x][y] < len - 2)
                    992:                                field[x][y]++;
                    993:                        input = input >> 2;
                    994:                }
                    995:        }
                    996:
                    997:        /* mark starting point and end point*/
                    998:        field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
                    999:        field[x][y] = len;
                   1000:
1.3       djm      1001:        /* assemble title */
                   1002:        r = snprintf(title, sizeof(title), "[%s %u]",
                   1003:                sshkey_type(k), sshkey_size(k));
                   1004:        /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
                   1005:        if (r < 0 || r > (int)sizeof(title))
1.7       djm      1006:                r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
                   1007:        tlen = (r <= 0) ? 0 : strlen(title);
                   1008:
                   1009:        /* assemble hash ID. */
                   1010:        r = snprintf(hash, sizeof(hash), "[%s]", alg);
                   1011:        hlen = (r <= 0) ? 0 : strlen(hash);
1.1       djm      1012:
                   1013:        /* output upper border */
1.3       djm      1014:        p = retval;
                   1015:        *p++ = '+';
                   1016:        for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
                   1017:                *p++ = '-';
                   1018:        memcpy(p, title, tlen);
                   1019:        p += tlen;
1.7       djm      1020:        for (i += tlen; i < FLDSIZE_X; i++)
1.1       djm      1021:                *p++ = '-';
                   1022:        *p++ = '+';
                   1023:        *p++ = '\n';
                   1024:
                   1025:        /* output content */
                   1026:        for (y = 0; y < FLDSIZE_Y; y++) {
                   1027:                *p++ = '|';
                   1028:                for (x = 0; x < FLDSIZE_X; x++)
1.37      deraadt  1029:                        *p++ = augmentation_string[MINIMUM(field[x][y], len)];
1.1       djm      1030:                *p++ = '|';
                   1031:                *p++ = '\n';
                   1032:        }
                   1033:
                   1034:        /* output lower border */
                   1035:        *p++ = '+';
1.7       djm      1036:        for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
                   1037:                *p++ = '-';
                   1038:        memcpy(p, hash, hlen);
                   1039:        p += hlen;
                   1040:        for (i += hlen; i < FLDSIZE_X; i++)
1.1       djm      1041:                *p++ = '-';
                   1042:        *p++ = '+';
                   1043:
                   1044:        return retval;
                   1045: }
                   1046:
                   1047: char *
1.7       djm      1048: sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
1.1       djm      1049:     enum sshkey_fp_rep dgst_rep)
                   1050: {
                   1051:        char *retval = NULL;
                   1052:        u_char *dgst_raw;
                   1053:        size_t dgst_raw_len;
                   1054:
1.7       djm      1055:        if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
1.1       djm      1056:                return NULL;
                   1057:        switch (dgst_rep) {
1.7       djm      1058:        case SSH_FP_DEFAULT:
                   1059:                if (dgst_alg == SSH_DIGEST_MD5) {
                   1060:                        retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
                   1061:                            dgst_raw, dgst_raw_len);
                   1062:                } else {
                   1063:                        retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
                   1064:                            dgst_raw, dgst_raw_len);
                   1065:                }
                   1066:                break;
1.1       djm      1067:        case SSH_FP_HEX:
1.7       djm      1068:                retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
                   1069:                    dgst_raw, dgst_raw_len);
                   1070:                break;
                   1071:        case SSH_FP_BASE64:
                   1072:                retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
                   1073:                    dgst_raw, dgst_raw_len);
1.1       djm      1074:                break;
                   1075:        case SSH_FP_BUBBLEBABBLE:
                   1076:                retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
                   1077:                break;
                   1078:        case SSH_FP_RANDOMART:
1.7       djm      1079:                retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
                   1080:                    dgst_raw, dgst_raw_len, k);
1.1       djm      1081:                break;
                   1082:        default:
1.100     jsg      1083:                freezero(dgst_raw, dgst_raw_len);
1.1       djm      1084:                return NULL;
                   1085:        }
1.100     jsg      1086:        freezero(dgst_raw, dgst_raw_len);
1.1       djm      1087:        return retval;
                   1088: }
                   1089:
1.63      djm      1090: static int
                   1091: peek_type_nid(const char *s, size_t l, int *nid)
                   1092: {
1.123     djm      1093:        const struct sshkey_impl *impl;
                   1094:        int i;
1.63      djm      1095:
1.123     djm      1096:        for (i = 0; keyimpls[i] != NULL; i++) {
                   1097:                impl = keyimpls[i];
                   1098:                if (impl->name == NULL || strlen(impl->name) != l)
1.63      djm      1099:                        continue;
1.123     djm      1100:                if (memcmp(s, impl->name, l) == 0) {
1.63      djm      1101:                        *nid = -1;
1.123     djm      1102:                        if (key_type_is_ecdsa_variant(impl->type))
                   1103:                                *nid = impl->nid;
                   1104:                        return impl->type;
1.63      djm      1105:                }
                   1106:        }
                   1107:        return KEY_UNSPEC;
                   1108: }
1.1       djm      1109:
1.63      djm      1110: /* XXX this can now be made const char * */
1.1       djm      1111: int
                   1112: sshkey_read(struct sshkey *ret, char **cpp)
                   1113: {
                   1114:        struct sshkey *k;
1.63      djm      1115:        char *cp, *blobcopy;
                   1116:        size_t space;
1.1       djm      1117:        int r, type, curve_nid = -1;
                   1118:        struct sshbuf *blob;
1.44      dtucker  1119:
                   1120:        if (ret == NULL)
                   1121:                return SSH_ERR_INVALID_ARGUMENT;
1.126     djm      1122:        if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL)
1.63      djm      1123:                return SSH_ERR_INVALID_ARGUMENT;
                   1124:
                   1125:        /* Decode type */
                   1126:        cp = *cpp;
                   1127:        space = strcspn(cp, " \t");
                   1128:        if (space == strlen(cp))
                   1129:                return SSH_ERR_INVALID_FORMAT;
                   1130:        if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
                   1131:                return SSH_ERR_INVALID_FORMAT;
                   1132:
                   1133:        /* skip whitespace */
                   1134:        for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
                   1135:                ;
                   1136:        if (*cp == '\0')
                   1137:                return SSH_ERR_INVALID_FORMAT;
                   1138:        if (ret->type != KEY_UNSPEC && ret->type != type)
                   1139:                return SSH_ERR_KEY_TYPE_MISMATCH;
                   1140:        if ((blob = sshbuf_new()) == NULL)
                   1141:                return SSH_ERR_ALLOC_FAIL;
                   1142:
                   1143:        /* find end of keyblob and decode */
                   1144:        space = strcspn(cp, " \t");
                   1145:        if ((blobcopy = strndup(cp, space)) == NULL) {
                   1146:                sshbuf_free(blob);
                   1147:                return SSH_ERR_ALLOC_FAIL;
                   1148:        }
                   1149:        if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
                   1150:                free(blobcopy);
                   1151:                sshbuf_free(blob);
                   1152:                return r;
                   1153:        }
                   1154:        free(blobcopy);
                   1155:        if ((r = sshkey_fromb(blob, &k)) != 0) {
1.1       djm      1156:                sshbuf_free(blob);
1.63      djm      1157:                return r;
                   1158:        }
                   1159:        sshbuf_free(blob);
                   1160:
                   1161:        /* skip whitespace and leave cp at start of comment */
                   1162:        for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
                   1163:                ;
                   1164:
                   1165:        /* ensure type of blob matches type at start of line */
                   1166:        if (k->type != type) {
                   1167:                sshkey_free(k);
                   1168:                return SSH_ERR_KEY_TYPE_MISMATCH;
                   1169:        }
1.85      djm      1170:        if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) {
1.63      djm      1171:                sshkey_free(k);
                   1172:                return SSH_ERR_EC_CURVE_MISMATCH;
                   1173:        }
                   1174:
                   1175:        /* Fill in ret from parsed key */
1.126     djm      1176:        sshkey_free_contents(ret);
                   1177:        *ret = *k;
                   1178:        freezero(k, sizeof(*k));
1.63      djm      1179:
                   1180:        /* success */
                   1181:        *cpp = cp;
                   1182:        return 0;
1.1       djm      1183: }
                   1184:
                   1185: int
1.19      djm      1186: sshkey_to_base64(const struct sshkey *key, char **b64p)
1.1       djm      1187: {
1.19      djm      1188:        int r = SSH_ERR_INTERNAL_ERROR;
                   1189:        struct sshbuf *b = NULL;
1.1       djm      1190:        char *uu = NULL;
1.19      djm      1191:
                   1192:        if (b64p != NULL)
                   1193:                *b64p = NULL;
                   1194:        if ((b = sshbuf_new()) == NULL)
                   1195:                return SSH_ERR_ALLOC_FAIL;
                   1196:        if ((r = sshkey_putb(key, b)) != 0)
                   1197:                goto out;
1.81      djm      1198:        if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) {
1.19      djm      1199:                r = SSH_ERR_ALLOC_FAIL;
                   1200:                goto out;
                   1201:        }
                   1202:        /* Success */
                   1203:        if (b64p != NULL) {
                   1204:                *b64p = uu;
                   1205:                uu = NULL;
                   1206:        }
                   1207:        r = 0;
                   1208:  out:
                   1209:        sshbuf_free(b);
                   1210:        free(uu);
                   1211:        return r;
                   1212: }
                   1213:
1.52      djm      1214: int
1.19      djm      1215: sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
                   1216: {
                   1217:        int r = SSH_ERR_INTERNAL_ERROR;
                   1218:        char *uu = NULL;
                   1219:
1.48      djm      1220:        if ((r = sshkey_to_base64(key, &uu)) != 0)
                   1221:                goto out;
                   1222:        if ((r = sshbuf_putf(b, "%s %s",
                   1223:            sshkey_ssh_name(key), uu)) != 0)
                   1224:                goto out;
1.19      djm      1225:        r = 0;
                   1226:  out:
                   1227:        free(uu);
                   1228:        return r;
                   1229: }
                   1230:
                   1231: int
                   1232: sshkey_write(const struct sshkey *key, FILE *f)
                   1233: {
                   1234:        struct sshbuf *b = NULL;
                   1235:        int r = SSH_ERR_INTERNAL_ERROR;
                   1236:
                   1237:        if ((b = sshbuf_new()) == NULL)
                   1238:                return SSH_ERR_ALLOC_FAIL;
                   1239:        if ((r = sshkey_format_text(key, b)) != 0)
1.1       djm      1240:                goto out;
                   1241:        if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
                   1242:                if (feof(f))
                   1243:                        errno = EPIPE;
1.19      djm      1244:                r = SSH_ERR_SYSTEM_ERROR;
1.1       djm      1245:                goto out;
                   1246:        }
1.19      djm      1247:        /* Success */
                   1248:        r = 0;
1.1       djm      1249:  out:
1.19      djm      1250:        sshbuf_free(b);
                   1251:        return r;
1.1       djm      1252: }
                   1253:
                   1254: const char *
                   1255: sshkey_cert_type(const struct sshkey *k)
                   1256: {
                   1257:        switch (k->cert->type) {
                   1258:        case SSH2_CERT_TYPE_USER:
                   1259:                return "user";
                   1260:        case SSH2_CERT_TYPE_HOST:
                   1261:                return "host";
                   1262:        default:
                   1263:                return "unknown";
                   1264:        }
                   1265: }
                   1266:
                   1267: #ifdef WITH_OPENSSL
                   1268: int
                   1269: sshkey_ecdsa_key_to_nid(EC_KEY *k)
                   1270: {
                   1271:        EC_GROUP *eg;
                   1272:        int nids[] = {
                   1273:                NID_X9_62_prime256v1,
                   1274:                NID_secp384r1,
                   1275:                NID_secp521r1,
                   1276:                -1
                   1277:        };
                   1278:        int nid;
                   1279:        u_int i;
                   1280:        const EC_GROUP *g = EC_KEY_get0_group(k);
                   1281:
                   1282:        /*
                   1283:         * The group may be stored in a ASN.1 encoded private key in one of two
                   1284:         * ways: as a "named group", which is reconstituted by ASN.1 object ID
                   1285:         * or explicit group parameters encoded into the key blob. Only the
                   1286:         * "named group" case sets the group NID for us, but we can figure
                   1287:         * it out for the other case by comparing against all the groups that
                   1288:         * are supported.
                   1289:         */
                   1290:        if ((nid = EC_GROUP_get_curve_name(g)) > 0)
                   1291:                return nid;
                   1292:        for (i = 0; nids[i] != -1; i++) {
1.93      djm      1293:                if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1.1       djm      1294:                        return -1;
1.93      djm      1295:                if (EC_GROUP_cmp(g, eg, NULL) == 0)
1.1       djm      1296:                        break;
                   1297:                EC_GROUP_free(eg);
                   1298:        }
                   1299:        if (nids[i] != -1) {
                   1300:                /* Use the group with the NID attached */
                   1301:                EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
                   1302:                if (EC_KEY_set_group(k, eg) != 1) {
                   1303:                        EC_GROUP_free(eg);
                   1304:                        return -1;
                   1305:                }
                   1306:        }
                   1307:        return nids[i];
                   1308: }
                   1309:
                   1310: #endif /* WITH_OPENSSL */
                   1311:
                   1312: int
                   1313: sshkey_generate(int type, u_int bits, struct sshkey **keyp)
                   1314: {
                   1315:        struct sshkey *k;
                   1316:        int ret = SSH_ERR_INTERNAL_ERROR;
1.127     djm      1317:        const struct sshkey_impl *impl;
1.1       djm      1318:
1.127     djm      1319:        if (keyp == NULL || sshkey_type_is_cert(type))
1.1       djm      1320:                return SSH_ERR_INVALID_ARGUMENT;
                   1321:        *keyp = NULL;
1.127     djm      1322:        if ((impl = sshkey_impl_from_type(type)) == NULL)
                   1323:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   1324:        if (impl->funcs->generate == NULL)
                   1325:                return SSH_ERR_FEATURE_UNSUPPORTED;
1.1       djm      1326:        if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
                   1327:                return SSH_ERR_ALLOC_FAIL;
1.127     djm      1328:        k->type = type;
                   1329:        if ((ret = impl->funcs->generate(k, bits)) != 0) {
                   1330:                sshkey_free(k);
                   1331:                return ret;
1.1       djm      1332:        }
1.127     djm      1333:        /* success */
                   1334:        *keyp = k;
                   1335:        return 0;
1.1       djm      1336: }
                   1337:
                   1338: int
                   1339: sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
                   1340: {
                   1341:        u_int i;
                   1342:        const struct sshkey_cert *from;
                   1343:        struct sshkey_cert *to;
1.67      djm      1344:        int r = SSH_ERR_INTERNAL_ERROR;
1.1       djm      1345:
1.67      djm      1346:        if (to_key == NULL || (from = from_key->cert) == NULL)
1.1       djm      1347:                return SSH_ERR_INVALID_ARGUMENT;
                   1348:
1.67      djm      1349:        if ((to = cert_new()) == NULL)
1.1       djm      1350:                return SSH_ERR_ALLOC_FAIL;
                   1351:
1.67      djm      1352:        if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
                   1353:            (r = sshbuf_putb(to->critical, from->critical)) != 0 ||
                   1354:            (r = sshbuf_putb(to->extensions, from->extensions)) != 0)
                   1355:                goto out;
1.1       djm      1356:
                   1357:        to->serial = from->serial;
                   1358:        to->type = from->type;
                   1359:        if (from->key_id == NULL)
                   1360:                to->key_id = NULL;
1.67      djm      1361:        else if ((to->key_id = strdup(from->key_id)) == NULL) {
                   1362:                r = SSH_ERR_ALLOC_FAIL;
                   1363:                goto out;
                   1364:        }
1.1       djm      1365:        to->valid_after = from->valid_after;
                   1366:        to->valid_before = from->valid_before;
                   1367:        if (from->signature_key == NULL)
                   1368:                to->signature_key = NULL;
1.67      djm      1369:        else if ((r = sshkey_from_private(from->signature_key,
1.1       djm      1370:            &to->signature_key)) != 0)
1.67      djm      1371:                goto out;
                   1372:        if (from->signature_type != NULL &&
                   1373:            (to->signature_type = strdup(from->signature_type)) == NULL) {
                   1374:                r = SSH_ERR_ALLOC_FAIL;
                   1375:                goto out;
                   1376:        }
                   1377:        if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) {
                   1378:                r = SSH_ERR_INVALID_ARGUMENT;
                   1379:                goto out;
                   1380:        }
1.1       djm      1381:        if (from->nprincipals > 0) {
                   1382:                if ((to->principals = calloc(from->nprincipals,
1.67      djm      1383:                    sizeof(*to->principals))) == NULL) {
                   1384:                        r = SSH_ERR_ALLOC_FAIL;
                   1385:                        goto out;
                   1386:                }
1.1       djm      1387:                for (i = 0; i < from->nprincipals; i++) {
                   1388:                        to->principals[i] = strdup(from->principals[i]);
                   1389:                        if (to->principals[i] == NULL) {
                   1390:                                to->nprincipals = i;
1.67      djm      1391:                                r = SSH_ERR_ALLOC_FAIL;
                   1392:                                goto out;
1.1       djm      1393:                        }
                   1394:                }
                   1395:        }
                   1396:        to->nprincipals = from->nprincipals;
1.67      djm      1397:
                   1398:        /* success */
                   1399:        cert_free(to_key->cert);
                   1400:        to_key->cert = to;
                   1401:        to = NULL;
                   1402:        r = 0;
                   1403:  out:
                   1404:        cert_free(to);
                   1405:        return r;
1.1       djm      1406: }
                   1407:
                   1408: int
1.128   ! djm      1409: sshkey_copy_public_sk(const struct sshkey *from, struct sshkey *to)
        !          1410: {
        !          1411:        /* Append security-key application string */
        !          1412:        if ((to->sk_application = strdup(from->sk_application)) == NULL)
        !          1413:                return SSH_ERR_ALLOC_FAIL;
        !          1414:        return 0;
        !          1415: }
        !          1416:
        !          1417: int
1.1       djm      1418: sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
                   1419: {
                   1420:        struct sshkey *n = NULL;
1.69      djm      1421:        int r = SSH_ERR_INTERNAL_ERROR;
1.128   ! djm      1422:        const struct sshkey_impl *impl;
1.1       djm      1423:
1.24      djm      1424:        *pkp = NULL;
1.128   ! djm      1425:        if ((impl = sshkey_impl_from_key(k)) == NULL)
        !          1426:                return SSH_ERR_KEY_TYPE_UNKNOWN;
1.85      djm      1427:        if ((n = sshkey_new(k->type)) == NULL) {
                   1428:                r = SSH_ERR_ALLOC_FAIL;
                   1429:                goto out;
                   1430:        }
1.128   ! djm      1431:        if ((r = impl->funcs->copy_public(k, n)) != 0)
1.69      djm      1432:                goto out;
                   1433:        if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
                   1434:                goto out;
                   1435:        /* success */
1.1       djm      1436:        *pkp = n;
1.69      djm      1437:        n = NULL;
                   1438:        r = 0;
                   1439:  out:
                   1440:        sshkey_free(n);
                   1441:        return r;
1.1       djm      1442: }
                   1443:
1.76      djm      1444: int
                   1445: sshkey_is_shielded(struct sshkey *k)
                   1446: {
                   1447:        return k != NULL && k->shielded_private != NULL;
                   1448: }
                   1449:
                   1450: int
                   1451: sshkey_shield_private(struct sshkey *k)
                   1452: {
                   1453:        struct sshbuf *prvbuf = NULL;
                   1454:        u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH];
                   1455:        struct sshcipher_ctx *cctx = NULL;
                   1456:        const struct sshcipher *cipher;
                   1457:        size_t i, enclen = 0;
                   1458:        struct sshkey *kswap = NULL, tmp;
                   1459:        int r = SSH_ERR_INTERNAL_ERROR;
                   1460:
                   1461: #ifdef DEBUG_PK
                   1462:        fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
                   1463: #endif
                   1464:        if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
                   1465:                r = SSH_ERR_INVALID_ARGUMENT;
                   1466:                goto out;
                   1467:        }
                   1468:        if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
                   1469:            ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
                   1470:                r = SSH_ERR_INTERNAL_ERROR;
                   1471:                goto out;
                   1472:        }
                   1473:
                   1474:        /* Prepare a random pre-key, and from it an ephemeral key */
                   1475:        if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) {
                   1476:                r = SSH_ERR_ALLOC_FAIL;
                   1477:                goto out;
                   1478:        }
                   1479:        arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN);
                   1480:        if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
                   1481:            prekey, SSHKEY_SHIELD_PREKEY_LEN,
                   1482:            keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
                   1483:                goto out;
                   1484: #ifdef DEBUG_PK
                   1485:        fprintf(stderr, "%s: key+iv\n", __func__);
                   1486:        sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
                   1487:            stderr);
                   1488: #endif
                   1489:        if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
                   1490:            keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
                   1491:                goto out;
                   1492:
                   1493:        /* Serialise and encrypt the private key using the ephemeral key */
                   1494:        if ((prvbuf = sshbuf_new()) == NULL) {
                   1495:                r = SSH_ERR_ALLOC_FAIL;
                   1496:                goto out;
                   1497:        }
                   1498:        if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
                   1499:                goto out;
                   1500:        if ((r = sshkey_private_serialize_opt(k, prvbuf,
1.116     djm      1501:            SSHKEY_SERIALIZE_SHIELD)) != 0)
1.76      djm      1502:                goto out;
                   1503:        /* pad to cipher blocksize */
                   1504:        i = 0;
                   1505:        while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
                   1506:                if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
                   1507:                        goto out;
                   1508:        }
                   1509: #ifdef DEBUG_PK
                   1510:        fprintf(stderr, "%s: serialised\n", __func__);
                   1511:        sshbuf_dump(prvbuf, stderr);
                   1512: #endif
                   1513:        /* encrypt */
                   1514:        enclen = sshbuf_len(prvbuf);
                   1515:        if ((enc = malloc(enclen)) == NULL) {
                   1516:                r = SSH_ERR_ALLOC_FAIL;
                   1517:                goto out;
                   1518:        }
                   1519:        if ((r = cipher_crypt(cctx, 0, enc,
                   1520:            sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
                   1521:                goto out;
                   1522: #ifdef DEBUG_PK
                   1523:        fprintf(stderr, "%s: encrypted\n", __func__);
                   1524:        sshbuf_dump_data(enc, enclen, stderr);
                   1525: #endif
                   1526:
                   1527:        /* Make a scrubbed, public-only copy of our private key argument */
                   1528:        if ((r = sshkey_from_private(k, &kswap)) != 0)
                   1529:                goto out;
                   1530:
                   1531:        /* Swap the private key out (it will be destroyed below) */
                   1532:        tmp = *kswap;
                   1533:        *kswap = *k;
                   1534:        *k = tmp;
                   1535:
                   1536:        /* Insert the shielded key into our argument */
                   1537:        k->shielded_private = enc;
                   1538:        k->shielded_len = enclen;
                   1539:        k->shield_prekey = prekey;
                   1540:        k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN;
                   1541:        enc = prekey = NULL; /* transferred */
                   1542:        enclen = 0;
1.99      djm      1543:
                   1544:        /* preserve key fields that are required for correct operation */
                   1545:        k->sk_flags = kswap->sk_flags;
1.76      djm      1546:
                   1547:        /* success */
                   1548:        r = 0;
                   1549:
                   1550:  out:
                   1551:        /* XXX behaviour on error - invalidate original private key? */
                   1552:        cipher_free(cctx);
                   1553:        explicit_bzero(keyiv, sizeof(keyiv));
                   1554:        explicit_bzero(&tmp, sizeof(tmp));
1.78      djm      1555:        freezero(enc, enclen);
1.76      djm      1556:        freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN);
                   1557:        sshkey_free(kswap);
                   1558:        sshbuf_free(prvbuf);
                   1559:        return r;
                   1560: }
                   1561:
1.121     djm      1562: /* Check deterministic padding after private key */
                   1563: static int
                   1564: private2_check_padding(struct sshbuf *decrypted)
                   1565: {
                   1566:        u_char pad;
                   1567:        size_t i;
                   1568:        int r;
                   1569:
                   1570:        i = 0;
                   1571:        while (sshbuf_len(decrypted)) {
                   1572:                if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
                   1573:                        goto out;
                   1574:                if (pad != (++i & 0xff)) {
                   1575:                        r = SSH_ERR_INVALID_FORMAT;
                   1576:                        goto out;
                   1577:                }
                   1578:        }
                   1579:        /* success */
                   1580:        r = 0;
                   1581:  out:
                   1582:        explicit_bzero(&pad, sizeof(pad));
                   1583:        explicit_bzero(&i, sizeof(i));
                   1584:        return r;
                   1585: }
                   1586:
1.76      djm      1587: int
                   1588: sshkey_unshield_private(struct sshkey *k)
                   1589: {
                   1590:        struct sshbuf *prvbuf = NULL;
1.121     djm      1591:        u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH];
1.76      djm      1592:        struct sshcipher_ctx *cctx = NULL;
                   1593:        const struct sshcipher *cipher;
                   1594:        struct sshkey *kswap = NULL, tmp;
                   1595:        int r = SSH_ERR_INTERNAL_ERROR;
                   1596:
                   1597: #ifdef DEBUG_PK
                   1598:        fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
                   1599: #endif
                   1600:        if (!sshkey_is_shielded(k))
                   1601:                return 0; /* nothing to do */
                   1602:
                   1603:        if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
                   1604:                r = SSH_ERR_INVALID_ARGUMENT;
                   1605:                goto out;
                   1606:        }
                   1607:        if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
                   1608:            ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
                   1609:                r = SSH_ERR_INTERNAL_ERROR;
                   1610:                goto out;
                   1611:        }
                   1612:        /* check size of shielded key blob */
                   1613:        if (k->shielded_len < cipher_blocksize(cipher) ||
                   1614:            (k->shielded_len % cipher_blocksize(cipher)) != 0) {
                   1615:                r = SSH_ERR_INVALID_FORMAT;
                   1616:                goto out;
                   1617:        }
                   1618:
                   1619:        /* Calculate the ephemeral key from the prekey */
                   1620:        if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
                   1621:            k->shield_prekey, k->shield_prekey_len,
                   1622:            keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
                   1623:                goto out;
                   1624:        if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
                   1625:            keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
                   1626:                goto out;
                   1627: #ifdef DEBUG_PK
                   1628:        fprintf(stderr, "%s: key+iv\n", __func__);
                   1629:        sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
                   1630:            stderr);
                   1631: #endif
                   1632:
                   1633:        /* Decrypt and parse the shielded private key using the ephemeral key */
                   1634:        if ((prvbuf = sshbuf_new()) == NULL) {
                   1635:                r = SSH_ERR_ALLOC_FAIL;
                   1636:                goto out;
                   1637:        }
                   1638:        if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
                   1639:                goto out;
                   1640:        /* decrypt */
                   1641: #ifdef DEBUG_PK
                   1642:        fprintf(stderr, "%s: encrypted\n", __func__);
                   1643:        sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr);
                   1644: #endif
                   1645:        if ((r = cipher_crypt(cctx, 0, cp,
                   1646:            k->shielded_private, k->shielded_len, 0, 0)) != 0)
                   1647:                goto out;
                   1648: #ifdef DEBUG_PK
                   1649:        fprintf(stderr, "%s: serialised\n", __func__);
                   1650:        sshbuf_dump(prvbuf, stderr);
                   1651: #endif
                   1652:        /* Parse private key */
                   1653:        if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
                   1654:                goto out;
1.121     djm      1655:
                   1656:        if ((r = private2_check_padding(prvbuf)) != 0)
                   1657:                goto out;
1.76      djm      1658:
                   1659:        /* Swap the parsed key back into place */
                   1660:        tmp = *kswap;
                   1661:        *kswap = *k;
                   1662:        *k = tmp;
                   1663:
                   1664:        /* success */
                   1665:        r = 0;
                   1666:
                   1667:  out:
                   1668:        cipher_free(cctx);
                   1669:        explicit_bzero(keyiv, sizeof(keyiv));
                   1670:        explicit_bzero(&tmp, sizeof(tmp));
                   1671:        sshkey_free(kswap);
                   1672:        sshbuf_free(prvbuf);
                   1673:        return r;
                   1674: }
                   1675:
1.1       djm      1676: static int
1.14      djm      1677: cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1.1       djm      1678: {
1.14      djm      1679:        struct sshbuf *principals = NULL, *crit = NULL;
                   1680:        struct sshbuf *exts = NULL, *ca = NULL;
                   1681:        u_char *sig = NULL;
                   1682:        size_t signed_len = 0, slen = 0, kidlen = 0;
1.1       djm      1683:        int ret = SSH_ERR_INTERNAL_ERROR;
                   1684:
                   1685:        /* Copy the entire key blob for verification and later serialisation */
1.14      djm      1686:        if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1.1       djm      1687:                return ret;
                   1688:
1.20      djm      1689:        /* Parse body of certificate up to signature */
                   1690:        if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1.1       djm      1691:            (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
                   1692:            (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1.4       djm      1693:            (ret = sshbuf_froms(b, &principals)) != 0 ||
1.1       djm      1694:            (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
                   1695:            (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1.4       djm      1696:            (ret = sshbuf_froms(b, &crit)) != 0 ||
1.20      djm      1697:            (ret = sshbuf_froms(b, &exts)) != 0 ||
1.1       djm      1698:            (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1.14      djm      1699:            (ret = sshbuf_froms(b, &ca)) != 0) {
1.1       djm      1700:                /* XXX debug print error for ret */
                   1701:                ret = SSH_ERR_INVALID_FORMAT;
                   1702:                goto out;
                   1703:        }
                   1704:
                   1705:        /* Signature is left in the buffer so we can calculate this length */
                   1706:        signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
                   1707:
                   1708:        if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
                   1709:                ret = SSH_ERR_INVALID_FORMAT;
                   1710:                goto out;
                   1711:        }
                   1712:
                   1713:        if (key->cert->type != SSH2_CERT_TYPE_USER &&
                   1714:            key->cert->type != SSH2_CERT_TYPE_HOST) {
                   1715:                ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
                   1716:                goto out;
                   1717:        }
                   1718:
1.4       djm      1719:        /* Parse principals section */
                   1720:        while (sshbuf_len(principals) > 0) {
                   1721:                char *principal = NULL;
                   1722:                char **oprincipals = NULL;
                   1723:
1.1       djm      1724:                if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
                   1725:                        ret = SSH_ERR_INVALID_FORMAT;
                   1726:                        goto out;
                   1727:                }
1.4       djm      1728:                if ((ret = sshbuf_get_cstring(principals, &principal,
                   1729:                    NULL)) != 0) {
1.1       djm      1730:                        ret = SSH_ERR_INVALID_FORMAT;
                   1731:                        goto out;
                   1732:                }
                   1733:                oprincipals = key->cert->principals;
1.51      deraadt  1734:                key->cert->principals = recallocarray(key->cert->principals,
                   1735:                    key->cert->nprincipals, key->cert->nprincipals + 1,
                   1736:                    sizeof(*key->cert->principals));
1.1       djm      1737:                if (key->cert->principals == NULL) {
                   1738:                        free(principal);
                   1739:                        key->cert->principals = oprincipals;
                   1740:                        ret = SSH_ERR_ALLOC_FAIL;
                   1741:                        goto out;
                   1742:                }
                   1743:                key->cert->principals[key->cert->nprincipals++] = principal;
                   1744:        }
                   1745:
1.4       djm      1746:        /*
                   1747:         * Stash a copies of the critical options and extensions sections
                   1748:         * for later use.
                   1749:         */
                   1750:        if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
                   1751:            (exts != NULL &&
                   1752:            (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1.1       djm      1753:                goto out;
                   1754:
1.4       djm      1755:        /*
                   1756:         * Validate critical options and extensions sections format.
                   1757:         */
                   1758:        while (sshbuf_len(crit) != 0) {
                   1759:                if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
                   1760:                    (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
                   1761:                        sshbuf_reset(key->cert->critical);
1.1       djm      1762:                        ret = SSH_ERR_INVALID_FORMAT;
                   1763:                        goto out;
                   1764:                }
                   1765:        }
1.4       djm      1766:        while (exts != NULL && sshbuf_len(exts) != 0) {
                   1767:                if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
                   1768:                    (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
                   1769:                        sshbuf_reset(key->cert->extensions);
1.1       djm      1770:                        ret = SSH_ERR_INVALID_FORMAT;
                   1771:                        goto out;
                   1772:                }
                   1773:        }
                   1774:
1.4       djm      1775:        /* Parse CA key and check signature */
1.14      djm      1776:        if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
1.1       djm      1777:                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   1778:                goto out;
                   1779:        }
                   1780:        if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
                   1781:                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   1782:                goto out;
                   1783:        }
                   1784:        if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
1.96      djm      1785:            sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0)
1.1       djm      1786:                goto out;
1.82      djm      1787:        if ((ret = sshkey_get_sigtype(sig, slen,
                   1788:            &key->cert->signature_type)) != 0)
1.67      djm      1789:                goto out;
1.4       djm      1790:
                   1791:        /* Success */
1.1       djm      1792:        ret = 0;
                   1793:  out:
1.14      djm      1794:        sshbuf_free(ca);
1.4       djm      1795:        sshbuf_free(crit);
                   1796:        sshbuf_free(exts);
                   1797:        sshbuf_free(principals);
1.1       djm      1798:        free(sig);
                   1799:        return ret;
                   1800: }
                   1801:
1.122     djm      1802: int
                   1803: sshkey_check_rsa_length(const struct sshkey *k, int min_size)
                   1804: {
1.83      djm      1805: #ifdef WITH_OPENSSL
1.69      djm      1806:        const BIGNUM *rsa_n;
1.122     djm      1807:        int nbits;
1.69      djm      1808:
1.122     djm      1809:        if (k == NULL || k->rsa == NULL ||
                   1810:            (k->type != KEY_RSA && k->type != KEY_RSA_CERT))
                   1811:                return 0;
                   1812:        RSA_get0_key(k->rsa, &rsa_n, NULL, NULL);
                   1813:        nbits = BN_num_bits(rsa_n);
                   1814:        if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
                   1815:            (min_size > 0 && nbits < min_size))
1.69      djm      1816:                return SSH_ERR_KEY_LENGTH;
1.122     djm      1817: #endif /* WITH_OPENSSL */
1.69      djm      1818:        return 0;
                   1819: }
                   1820:
                   1821: static int
1.14      djm      1822: sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
                   1823:     int allow_cert)
1.1       djm      1824: {
1.12      djm      1825:        int type, ret = SSH_ERR_INTERNAL_ERROR;
1.62      markus   1826:        char *ktype = NULL, *curve = NULL, *xmss_name = NULL;
1.1       djm      1827:        struct sshkey *key = NULL;
                   1828:        size_t len;
                   1829:        u_char *pk = NULL;
1.14      djm      1830:        struct sshbuf *copy;
1.1       djm      1831: #ifdef WITH_OPENSSL
                   1832:        EC_POINT *q = NULL;
1.69      djm      1833:        BIGNUM *rsa_n = NULL, *rsa_e = NULL;
                   1834:        BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
1.1       djm      1835: #endif /* WITH_OPENSSL */
                   1836:
                   1837: #ifdef DEBUG_PK /* XXX */
1.14      djm      1838:        sshbuf_dump(b, stderr);
1.1       djm      1839: #endif
1.32      djm      1840:        if (keyp != NULL)
                   1841:                *keyp = NULL;
1.14      djm      1842:        if ((copy = sshbuf_fromb(b)) == NULL) {
                   1843:                ret = SSH_ERR_ALLOC_FAIL;
                   1844:                goto out;
                   1845:        }
1.1       djm      1846:        if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
                   1847:                ret = SSH_ERR_INVALID_FORMAT;
                   1848:                goto out;
                   1849:        }
                   1850:
                   1851:        type = sshkey_type_from_name(ktype);
                   1852:        if (!allow_cert && sshkey_type_is_cert(type)) {
                   1853:                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   1854:                goto out;
                   1855:        }
                   1856:        switch (type) {
                   1857: #ifdef WITH_OPENSSL
                   1858:        case KEY_RSA_CERT:
1.14      djm      1859:                /* Skip nonce */
1.1       djm      1860:                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
                   1861:                        ret = SSH_ERR_INVALID_FORMAT;
                   1862:                        goto out;
                   1863:                }
                   1864:                /* FALLTHROUGH */
                   1865:        case KEY_RSA:
                   1866:                if ((key = sshkey_new(type)) == NULL) {
                   1867:                        ret = SSH_ERR_ALLOC_FAIL;
                   1868:                        goto out;
                   1869:                }
1.73      djm      1870:                if (sshbuf_get_bignum2(b, &rsa_e) != 0 ||
                   1871:                    sshbuf_get_bignum2(b, &rsa_n) != 0) {
1.1       djm      1872:                        ret = SSH_ERR_INVALID_FORMAT;
                   1873:                        goto out;
                   1874:                }
1.69      djm      1875:                if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {
                   1876:                        ret = SSH_ERR_LIBCRYPTO_ERROR;
1.49      djm      1877:                        goto out;
                   1878:                }
1.69      djm      1879:                rsa_n = rsa_e = NULL; /* transferred */
1.122     djm      1880:                if ((ret = sshkey_check_rsa_length(key, 0)) != 0)
1.69      djm      1881:                        goto out;
1.1       djm      1882: #ifdef DEBUG_PK
                   1883:                RSA_print_fp(stderr, key->rsa, 8);
                   1884: #endif
                   1885:                break;
                   1886:        case KEY_DSA_CERT:
1.14      djm      1887:                /* Skip nonce */
1.1       djm      1888:                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
                   1889:                        ret = SSH_ERR_INVALID_FORMAT;
                   1890:                        goto out;
                   1891:                }
                   1892:                /* FALLTHROUGH */
                   1893:        case KEY_DSA:
                   1894:                if ((key = sshkey_new(type)) == NULL) {
                   1895:                        ret = SSH_ERR_ALLOC_FAIL;
                   1896:                        goto out;
                   1897:                }
1.73      djm      1898:                if (sshbuf_get_bignum2(b, &dsa_p) != 0 ||
                   1899:                    sshbuf_get_bignum2(b, &dsa_q) != 0 ||
                   1900:                    sshbuf_get_bignum2(b, &dsa_g) != 0 ||
                   1901:                    sshbuf_get_bignum2(b, &dsa_pub_key) != 0) {
1.1       djm      1902:                        ret = SSH_ERR_INVALID_FORMAT;
                   1903:                        goto out;
                   1904:                }
1.69      djm      1905:                if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
                   1906:                        ret = SSH_ERR_LIBCRYPTO_ERROR;
                   1907:                        goto out;
                   1908:                }
                   1909:                dsa_p = dsa_q = dsa_g = NULL; /* transferred */
                   1910:                if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
                   1911:                        ret = SSH_ERR_LIBCRYPTO_ERROR;
                   1912:                        goto out;
                   1913:                }
                   1914:                dsa_pub_key = NULL; /* transferred */
1.1       djm      1915: #ifdef DEBUG_PK
                   1916:                DSA_print_fp(stderr, key->dsa, 8);
                   1917: #endif
                   1918:                break;
                   1919:        case KEY_ECDSA_CERT:
1.85      djm      1920:        case KEY_ECDSA_SK_CERT:
1.14      djm      1921:                /* Skip nonce */
1.1       djm      1922:                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
                   1923:                        ret = SSH_ERR_INVALID_FORMAT;
                   1924:                        goto out;
                   1925:                }
                   1926:                /* FALLTHROUGH */
                   1927:        case KEY_ECDSA:
1.85      djm      1928:        case KEY_ECDSA_SK:
1.1       djm      1929:                if ((key = sshkey_new(type)) == NULL) {
                   1930:                        ret = SSH_ERR_ALLOC_FAIL;
                   1931:                        goto out;
                   1932:                }
1.12      djm      1933:                key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
1.1       djm      1934:                if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
                   1935:                        ret = SSH_ERR_INVALID_FORMAT;
                   1936:                        goto out;
                   1937:                }
                   1938:                if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
                   1939:                        ret = SSH_ERR_EC_CURVE_MISMATCH;
                   1940:                        goto out;
                   1941:                }
1.60      jsing    1942:                EC_KEY_free(key->ecdsa);
1.1       djm      1943:                if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
                   1944:                    == NULL) {
                   1945:                        ret = SSH_ERR_EC_CURVE_INVALID;
                   1946:                        goto out;
                   1947:                }
                   1948:                if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
                   1949:                        ret = SSH_ERR_ALLOC_FAIL;
                   1950:                        goto out;
                   1951:                }
                   1952:                if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
                   1953:                        ret = SSH_ERR_INVALID_FORMAT;
                   1954:                        goto out;
                   1955:                }
                   1956:                if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
                   1957:                    q) != 0) {
                   1958:                        ret = SSH_ERR_KEY_INVALID_EC_VALUE;
                   1959:                        goto out;
                   1960:                }
                   1961:                if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
                   1962:                        /* XXX assume it is a allocation error */
                   1963:                        ret = SSH_ERR_ALLOC_FAIL;
                   1964:                        goto out;
                   1965:                }
                   1966: #ifdef DEBUG_PK
                   1967:                sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
                   1968: #endif
1.85      djm      1969:                if (type == KEY_ECDSA_SK || type == KEY_ECDSA_SK_CERT) {
                   1970:                        /* Parse additional security-key application string */
                   1971:                        if (sshbuf_get_cstring(b, &key->sk_application,
                   1972:                            NULL) != 0) {
                   1973:                                ret = SSH_ERR_INVALID_FORMAT;
                   1974:                                goto out;
                   1975:                        }
                   1976: #ifdef DEBUG_PK
                   1977:                        fprintf(stderr, "App: %s\n", key->sk_application);
                   1978: #endif
                   1979:                }
1.1       djm      1980:                break;
                   1981: #endif /* WITH_OPENSSL */
                   1982:        case KEY_ED25519_CERT:
1.90      markus   1983:        case KEY_ED25519_SK_CERT:
1.14      djm      1984:                /* Skip nonce */
1.1       djm      1985:                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
                   1986:                        ret = SSH_ERR_INVALID_FORMAT;
                   1987:                        goto out;
                   1988:                }
                   1989:                /* FALLTHROUGH */
                   1990:        case KEY_ED25519:
1.90      markus   1991:        case KEY_ED25519_SK:
1.1       djm      1992:                if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
                   1993:                        goto out;
                   1994:                if (len != ED25519_PK_SZ) {
                   1995:                        ret = SSH_ERR_INVALID_FORMAT;
                   1996:                        goto out;
                   1997:                }
                   1998:                if ((key = sshkey_new(type)) == NULL) {
                   1999:                        ret = SSH_ERR_ALLOC_FAIL;
                   2000:                        goto out;
                   2001:                }
1.90      markus   2002:                if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) {
                   2003:                        /* Parse additional security-key application string */
                   2004:                        if (sshbuf_get_cstring(b, &key->sk_application,
                   2005:                            NULL) != 0) {
                   2006:                                ret = SSH_ERR_INVALID_FORMAT;
                   2007:                                goto out;
                   2008:                        }
                   2009: #ifdef DEBUG_PK
                   2010:                        fprintf(stderr, "App: %s\n", key->sk_application);
                   2011: #endif
                   2012:                }
1.1       djm      2013:                key->ed25519_pk = pk;
                   2014:                pk = NULL;
                   2015:                break;
1.62      markus   2016: #ifdef WITH_XMSS
                   2017:        case KEY_XMSS_CERT:
                   2018:                /* Skip nonce */
                   2019:                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
                   2020:                        ret = SSH_ERR_INVALID_FORMAT;
                   2021:                        goto out;
                   2022:                }
                   2023:                /* FALLTHROUGH */
                   2024:        case KEY_XMSS:
                   2025:                if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL)) != 0)
                   2026:                        goto out;
                   2027:                if ((key = sshkey_new(type)) == NULL) {
                   2028:                        ret = SSH_ERR_ALLOC_FAIL;
                   2029:                        goto out;
                   2030:                }
                   2031:                if ((ret = sshkey_xmss_init(key, xmss_name)) != 0)
                   2032:                        goto out;
                   2033:                if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
                   2034:                        goto out;
                   2035:                if (len == 0 || len != sshkey_xmss_pklen(key)) {
                   2036:                        ret = SSH_ERR_INVALID_FORMAT;
                   2037:                        goto out;
                   2038:                }
                   2039:                key->xmss_pk = pk;
                   2040:                pk = NULL;
                   2041:                if (type != KEY_XMSS_CERT &&
                   2042:                    (ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0)
                   2043:                        goto out;
                   2044:                break;
                   2045: #endif /* WITH_XMSS */
1.1       djm      2046:        case KEY_UNSPEC:
                   2047:        default:
                   2048:                ret = SSH_ERR_KEY_TYPE_UNKNOWN;
                   2049:                goto out;
                   2050:        }
                   2051:
                   2052:        /* Parse certificate potion */
1.14      djm      2053:        if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
1.1       djm      2054:                goto out;
                   2055:
                   2056:        if (key != NULL && sshbuf_len(b) != 0) {
                   2057:                ret = SSH_ERR_INVALID_FORMAT;
                   2058:                goto out;
                   2059:        }
                   2060:        ret = 0;
1.32      djm      2061:        if (keyp != NULL) {
                   2062:                *keyp = key;
                   2063:                key = NULL;
                   2064:        }
1.1       djm      2065:  out:
1.14      djm      2066:        sshbuf_free(copy);
1.1       djm      2067:        sshkey_free(key);
1.62      markus   2068:        free(xmss_name);
1.1       djm      2069:        free(ktype);
                   2070:        free(curve);
                   2071:        free(pk);
                   2072: #ifdef WITH_OPENSSL
1.60      jsing    2073:        EC_POINT_free(q);
1.69      djm      2074:        BN_clear_free(rsa_n);
                   2075:        BN_clear_free(rsa_e);
                   2076:        BN_clear_free(dsa_p);
                   2077:        BN_clear_free(dsa_q);
                   2078:        BN_clear_free(dsa_g);
                   2079:        BN_clear_free(dsa_pub_key);
1.1       djm      2080: #endif /* WITH_OPENSSL */
                   2081:        return ret;
                   2082: }
                   2083:
                   2084: int
                   2085: sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
                   2086: {
1.14      djm      2087:        struct sshbuf *b;
                   2088:        int r;
                   2089:
                   2090:        if ((b = sshbuf_from(blob, blen)) == NULL)
                   2091:                return SSH_ERR_ALLOC_FAIL;
                   2092:        r = sshkey_from_blob_internal(b, keyp, 1);
                   2093:        sshbuf_free(b);
                   2094:        return r;
                   2095: }
                   2096:
                   2097: int
                   2098: sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
                   2099: {
                   2100:        return sshkey_from_blob_internal(b, keyp, 1);
                   2101: }
                   2102:
                   2103: int
                   2104: sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
                   2105: {
                   2106:        struct sshbuf *b;
                   2107:        int r;
                   2108:
                   2109:        if ((r = sshbuf_froms(buf, &b)) != 0)
                   2110:                return r;
                   2111:        r = sshkey_from_blob_internal(b, keyp, 1);
1.58      djm      2112:        sshbuf_free(b);
                   2113:        return r;
                   2114: }
                   2115:
1.82      djm      2116: int
                   2117: sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
1.58      djm      2118: {
                   2119:        int r;
                   2120:        struct sshbuf *b = NULL;
                   2121:        char *sigtype = NULL;
                   2122:
                   2123:        if (sigtypep != NULL)
                   2124:                *sigtypep = NULL;
                   2125:        if ((b = sshbuf_from(sig, siglen)) == NULL)
                   2126:                return SSH_ERR_ALLOC_FAIL;
                   2127:        if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
                   2128:                goto out;
                   2129:        /* success */
                   2130:        if (sigtypep != NULL) {
                   2131:                *sigtypep = sigtype;
                   2132:                sigtype = NULL;
                   2133:        }
                   2134:        r = 0;
                   2135:  out:
                   2136:        free(sigtype);
1.14      djm      2137:        sshbuf_free(b);
                   2138:        return r;
1.68      djm      2139: }
                   2140:
                   2141: /*
                   2142:  *
                   2143:  * Checks whether a certificate's signature type is allowed.
                   2144:  * Returns 0 (success) if the certificate signature type appears in the
                   2145:  * "allowed" pattern-list, or the key is not a certificate to begin with.
                   2146:  * Otherwise returns a ssherr.h code.
                   2147:  */
                   2148: int
                   2149: sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
                   2150: {
                   2151:        if (key == NULL || allowed == NULL)
                   2152:                return SSH_ERR_INVALID_ARGUMENT;
                   2153:        if (!sshkey_type_is_cert(key->type))
                   2154:                return 0;
                   2155:        if (key->cert == NULL || key->cert->signature_type == NULL)
                   2156:                return SSH_ERR_INVALID_ARGUMENT;
                   2157:        if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
                   2158:                return SSH_ERR_SIGN_ALG_UNSUPPORTED;
                   2159:        return 0;
1.65      djm      2160: }
                   2161:
                   2162: /*
                   2163:  * Returns the expected signature algorithm for a given public key algorithm.
                   2164:  */
1.66      djm      2165: const char *
                   2166: sshkey_sigalg_by_name(const char *name)
1.65      djm      2167: {
1.123     djm      2168:        const struct sshkey_impl *impl;
                   2169:        int i;
1.65      djm      2170:
1.123     djm      2171:        for (i = 0; keyimpls[i] != NULL; i++) {
                   2172:                impl = keyimpls[i];
                   2173:                if (strcmp(impl->name, name) != 0)
1.65      djm      2174:                        continue;
1.123     djm      2175:                if (impl->sigalg != NULL)
                   2176:                        return impl->sigalg;
                   2177:                if (!impl->cert)
                   2178:                        return impl->name;
1.65      djm      2179:                return sshkey_ssh_name_from_type_nid(
1.123     djm      2180:                    sshkey_type_plain(impl->type), impl->nid);
1.65      djm      2181:        }
                   2182:        return NULL;
                   2183: }
                   2184:
                   2185: /*
                   2186:  * Verifies that the signature algorithm appearing inside the signature blob
                   2187:  * matches that which was requested.
                   2188:  */
                   2189: int
                   2190: sshkey_check_sigtype(const u_char *sig, size_t siglen,
                   2191:     const char *requested_alg)
                   2192: {
                   2193:        const char *expected_alg;
                   2194:        char *sigtype = NULL;
                   2195:        int r;
                   2196:
                   2197:        if (requested_alg == NULL)
                   2198:                return 0;
1.66      djm      2199:        if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
1.65      djm      2200:                return SSH_ERR_INVALID_ARGUMENT;
1.82      djm      2201:        if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
1.65      djm      2202:                return r;
                   2203:        r = strcmp(expected_alg, sigtype) == 0;
                   2204:        free(sigtype);
                   2205:        return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED;
1.1       djm      2206: }
                   2207:
                   2208: int
1.76      djm      2209: sshkey_sign(struct sshkey *key,
1.1       djm      2210:     u_char **sigp, size_t *lenp,
1.86      djm      2211:     const u_char *data, size_t datalen,
1.111     djm      2212:     const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
1.1       djm      2213: {
1.76      djm      2214:        int was_shielded = sshkey_is_shielded(key);
                   2215:        int r2, r = SSH_ERR_INTERNAL_ERROR;
                   2216:
1.1       djm      2217:        if (sigp != NULL)
                   2218:                *sigp = NULL;
                   2219:        if (lenp != NULL)
                   2220:                *lenp = 0;
                   2221:        if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
                   2222:                return SSH_ERR_INVALID_ARGUMENT;
1.76      djm      2223:        if ((r = sshkey_unshield_private(key)) != 0)
                   2224:                return r;
1.1       djm      2225:        switch (key->type) {
                   2226: #ifdef WITH_OPENSSL
                   2227:        case KEY_DSA_CERT:
                   2228:        case KEY_DSA:
1.76      djm      2229:                r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
                   2230:                break;
1.1       djm      2231:        case KEY_ECDSA_CERT:
                   2232:        case KEY_ECDSA:
1.76      djm      2233:                r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
                   2234:                break;
1.1       djm      2235:        case KEY_RSA_CERT:
                   2236:        case KEY_RSA:
1.76      djm      2237:                r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
                   2238:                break;
1.1       djm      2239: #endif /* WITH_OPENSSL */
                   2240:        case KEY_ED25519:
                   2241:        case KEY_ED25519_CERT:
1.76      djm      2242:                r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
1.89      markus   2243:                break;
                   2244:        case KEY_ED25519_SK:
                   2245:        case KEY_ED25519_SK_CERT:
1.97      djm      2246:        case KEY_ECDSA_SK_CERT:
                   2247:        case KEY_ECDSA_SK:
                   2248:                r = sshsk_sign(sk_provider, key, sigp, lenp, data,
1.111     djm      2249:                    datalen, compat, sk_pin);
1.76      djm      2250:                break;
1.62      markus   2251: #ifdef WITH_XMSS
                   2252:        case KEY_XMSS:
                   2253:        case KEY_XMSS_CERT:
1.76      djm      2254:                r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat);
                   2255:                break;
1.62      markus   2256: #endif /* WITH_XMSS */
1.1       djm      2257:        default:
1.76      djm      2258:                r = SSH_ERR_KEY_TYPE_UNKNOWN;
                   2259:                break;
1.1       djm      2260:        }
1.76      djm      2261:        if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
                   2262:                return r2;
                   2263:        return r;
1.1       djm      2264: }
                   2265:
                   2266: /*
                   2267:  * ssh_key_verify returns 0 for a correct signature  and < 0 on error.
1.59      djm      2268:  * If "alg" specified, then the signature must use that algorithm.
1.1       djm      2269:  */
                   2270: int
                   2271: sshkey_verify(const struct sshkey *key,
                   2272:     const u_char *sig, size_t siglen,
1.96      djm      2273:     const u_char *data, size_t dlen, const char *alg, u_int compat,
                   2274:     struct sshkey_sig_details **detailsp)
1.1       djm      2275: {
1.96      djm      2276:        if (detailsp != NULL)
                   2277:                *detailsp = NULL;
1.6       djm      2278:        if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
1.1       djm      2279:                return SSH_ERR_INVALID_ARGUMENT;
                   2280:        switch (key->type) {
                   2281: #ifdef WITH_OPENSSL
                   2282:        case KEY_DSA_CERT:
                   2283:        case KEY_DSA:
                   2284:                return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
                   2285:        case KEY_ECDSA_CERT:
                   2286:        case KEY_ECDSA:
                   2287:                return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
1.85      djm      2288:        case KEY_ECDSA_SK_CERT:
                   2289:        case KEY_ECDSA_SK:
                   2290:                return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
1.96      djm      2291:                    compat, detailsp);
1.1       djm      2292:        case KEY_RSA_CERT:
                   2293:        case KEY_RSA:
1.59      djm      2294:                return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
1.1       djm      2295: #endif /* WITH_OPENSSL */
                   2296:        case KEY_ED25519:
                   2297:        case KEY_ED25519_CERT:
                   2298:                return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
1.87      markus   2299:        case KEY_ED25519_SK:
                   2300:        case KEY_ED25519_SK_CERT:
                   2301:                return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
1.96      djm      2302:                    compat, detailsp);
1.62      markus   2303: #ifdef WITH_XMSS
                   2304:        case KEY_XMSS:
                   2305:        case KEY_XMSS_CERT:
                   2306:                return ssh_xmss_verify(key, sig, siglen, data, dlen, compat);
                   2307: #endif /* WITH_XMSS */
1.1       djm      2308:        default:
                   2309:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   2310:        }
                   2311: }
                   2312:
                   2313: /* Convert a plain key to their _CERT equivalent */
                   2314: int
1.20      djm      2315: sshkey_to_certified(struct sshkey *k)
1.1       djm      2316: {
                   2317:        int newtype;
                   2318:
                   2319:        switch (k->type) {
                   2320: #ifdef WITH_OPENSSL
                   2321:        case KEY_RSA:
1.20      djm      2322:                newtype = KEY_RSA_CERT;
1.1       djm      2323:                break;
                   2324:        case KEY_DSA:
1.20      djm      2325:                newtype = KEY_DSA_CERT;
1.1       djm      2326:                break;
                   2327:        case KEY_ECDSA:
                   2328:                newtype = KEY_ECDSA_CERT;
                   2329:                break;
1.85      djm      2330:        case KEY_ECDSA_SK:
                   2331:                newtype = KEY_ECDSA_SK_CERT;
                   2332:                break;
1.1       djm      2333: #endif /* WITH_OPENSSL */
1.90      markus   2334:        case KEY_ED25519_SK:
                   2335:                newtype = KEY_ED25519_SK_CERT;
                   2336:                break;
1.1       djm      2337:        case KEY_ED25519:
                   2338:                newtype = KEY_ED25519_CERT;
                   2339:                break;
1.62      markus   2340: #ifdef WITH_XMSS
                   2341:        case KEY_XMSS:
                   2342:                newtype = KEY_XMSS_CERT;
                   2343:                break;
                   2344: #endif /* WITH_XMSS */
1.1       djm      2345:        default:
                   2346:                return SSH_ERR_INVALID_ARGUMENT;
                   2347:        }
                   2348:        if ((k->cert = cert_new()) == NULL)
                   2349:                return SSH_ERR_ALLOC_FAIL;
                   2350:        k->type = newtype;
                   2351:        return 0;
                   2352: }
                   2353:
                   2354: /* Convert a certificate to its raw key equivalent */
                   2355: int
                   2356: sshkey_drop_cert(struct sshkey *k)
                   2357: {
                   2358:        if (!sshkey_type_is_cert(k->type))
                   2359:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   2360:        cert_free(k->cert);
                   2361:        k->cert = NULL;
                   2362:        k->type = sshkey_type_plain(k->type);
                   2363:        return 0;
                   2364: }
                   2365:
                   2366: /* Sign a certified key, (re-)generating the signed certblob. */
                   2367: int
1.53      djm      2368: sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
1.111     djm      2369:     const char *sk_provider, const char *sk_pin,
                   2370:     sshkey_certify_signer *signer, void *signer_ctx)
1.1       djm      2371: {
                   2372:        struct sshbuf *principals = NULL;
                   2373:        u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
                   2374:        size_t i, ca_len, sig_len;
                   2375:        int ret = SSH_ERR_INTERNAL_ERROR;
1.67      djm      2376:        struct sshbuf *cert = NULL;
                   2377:        char *sigtype = NULL;
1.69      djm      2378: #ifdef WITH_OPENSSL
                   2379:        const BIGNUM *rsa_n, *rsa_e, *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
                   2380: #endif /* WITH_OPENSSL */
1.1       djm      2381:
                   2382:        if (k == NULL || k->cert == NULL ||
                   2383:            k->cert->certblob == NULL || ca == NULL)
                   2384:                return SSH_ERR_INVALID_ARGUMENT;
                   2385:        if (!sshkey_is_cert(k))
                   2386:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   2387:        if (!sshkey_type_is_valid_ca(ca->type))
                   2388:                return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   2389:
1.67      djm      2390:        /*
                   2391:         * If no alg specified as argument but a signature_type was set,
                   2392:         * then prefer that. If both were specified, then they must match.
                   2393:         */
                   2394:        if (alg == NULL)
                   2395:                alg = k->cert->signature_type;
                   2396:        else if (k->cert->signature_type != NULL &&
                   2397:            strcmp(alg, k->cert->signature_type) != 0)
                   2398:                return SSH_ERR_INVALID_ARGUMENT;
1.75      djm      2399:
                   2400:        /*
                   2401:         * If no signing algorithm or signature_type was specified and we're
                   2402:         * using a RSA key, then default to a good signature algorithm.
                   2403:         */
                   2404:        if (alg == NULL && ca->type == KEY_RSA)
                   2405:                alg = "rsa-sha2-512";
1.67      djm      2406:
1.1       djm      2407:        if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
                   2408:                return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   2409:
                   2410:        cert = k->cert->certblob; /* for readability */
                   2411:        sshbuf_reset(cert);
                   2412:        if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
                   2413:                goto out;
                   2414:
                   2415:        /* -v01 certs put nonce first */
                   2416:        arc4random_buf(&nonce, sizeof(nonce));
1.20      djm      2417:        if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
                   2418:                goto out;
1.1       djm      2419:
                   2420:        /* XXX this substantially duplicates to_blob(); refactor */
                   2421:        switch (k->type) {
                   2422: #ifdef WITH_OPENSSL
                   2423:        case KEY_DSA_CERT:
1.69      djm      2424:                DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
                   2425:                DSA_get0_key(k->dsa, &dsa_pub_key, NULL);
                   2426:                if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 ||
                   2427:                    (ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 ||
                   2428:                    (ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 ||
                   2429:                    (ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
1.1       djm      2430:                        goto out;
                   2431:                break;
                   2432:        case KEY_ECDSA_CERT:
1.85      djm      2433:        case KEY_ECDSA_SK_CERT:
1.1       djm      2434:                if ((ret = sshbuf_put_cstring(cert,
                   2435:                    sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
                   2436:                    (ret = sshbuf_put_ec(cert,
                   2437:                    EC_KEY_get0_public_key(k->ecdsa),
                   2438:                    EC_KEY_get0_group(k->ecdsa))) != 0)
                   2439:                        goto out;
1.85      djm      2440:                if (k->type == KEY_ECDSA_SK_CERT) {
                   2441:                        if ((ret = sshbuf_put_cstring(cert,
                   2442:                            k->sk_application)) != 0)
                   2443:                                goto out;
                   2444:                }
1.1       djm      2445:                break;
                   2446:        case KEY_RSA_CERT:
1.69      djm      2447:                RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL);
                   2448:                if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 ||
                   2449:                    (ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
1.1       djm      2450:                        goto out;
                   2451:                break;
                   2452: #endif /* WITH_OPENSSL */
                   2453:        case KEY_ED25519_CERT:
1.94      djm      2454:        case KEY_ED25519_SK_CERT:
1.1       djm      2455:                if ((ret = sshbuf_put_string(cert,
                   2456:                    k->ed25519_pk, ED25519_PK_SZ)) != 0)
                   2457:                        goto out;
1.94      djm      2458:                if (k->type == KEY_ED25519_SK_CERT) {
                   2459:                        if ((ret = sshbuf_put_cstring(cert,
                   2460:                            k->sk_application)) != 0)
                   2461:                                goto out;
                   2462:                }
1.1       djm      2463:                break;
1.62      markus   2464: #ifdef WITH_XMSS
                   2465:        case KEY_XMSS_CERT:
                   2466:                if (k->xmss_name == NULL) {
                   2467:                        ret = SSH_ERR_INVALID_ARGUMENT;
                   2468:                        goto out;
                   2469:                }
                   2470:                if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) ||
                   2471:                    (ret = sshbuf_put_string(cert,
                   2472:                    k->xmss_pk, sshkey_xmss_pklen(k))) != 0)
                   2473:                        goto out;
                   2474:                break;
                   2475: #endif /* WITH_XMSS */
1.1       djm      2476:        default:
                   2477:                ret = SSH_ERR_INVALID_ARGUMENT;
1.15      djm      2478:                goto out;
1.1       djm      2479:        }
                   2480:
1.20      djm      2481:        if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
                   2482:            (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
1.1       djm      2483:            (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
                   2484:                goto out;
                   2485:
                   2486:        if ((principals = sshbuf_new()) == NULL) {
                   2487:                ret = SSH_ERR_ALLOC_FAIL;
                   2488:                goto out;
                   2489:        }
                   2490:        for (i = 0; i < k->cert->nprincipals; i++) {
                   2491:                if ((ret = sshbuf_put_cstring(principals,
                   2492:                    k->cert->principals[i])) != 0)
                   2493:                        goto out;
                   2494:        }
                   2495:        if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
                   2496:            (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
                   2497:            (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
1.20      djm      2498:            (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
                   2499:            (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
                   2500:            (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
1.1       djm      2501:            (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
                   2502:                goto out;
                   2503:
                   2504:        /* Sign the whole mess */
1.53      djm      2505:        if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
1.111     djm      2506:            sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0)
1.1       djm      2507:                goto out;
1.67      djm      2508:        /* Check and update signature_type against what was actually used */
1.82      djm      2509:        if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
1.67      djm      2510:                goto out;
                   2511:        if (alg != NULL && strcmp(alg, sigtype) != 0) {
                   2512:                ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
                   2513:                goto out;
                   2514:        }
                   2515:        if (k->cert->signature_type == NULL) {
                   2516:                k->cert->signature_type = sigtype;
                   2517:                sigtype = NULL;
                   2518:        }
1.1       djm      2519:        /* Append signature and we are done */
                   2520:        if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
                   2521:                goto out;
                   2522:        ret = 0;
                   2523:  out:
                   2524:        if (ret != 0)
                   2525:                sshbuf_reset(cert);
1.29      mmcc     2526:        free(sig_blob);
                   2527:        free(ca_blob);
1.67      djm      2528:        free(sigtype);
1.31      mmcc     2529:        sshbuf_free(principals);
1.1       djm      2530:        return ret;
1.53      djm      2531: }
                   2532:
                   2533: static int
1.76      djm      2534: default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
1.53      djm      2535:     const u_char *data, size_t datalen,
1.111     djm      2536:     const char *alg, const char *sk_provider, const char *sk_pin,
                   2537:     u_int compat, void *ctx)
1.53      djm      2538: {
                   2539:        if (ctx != NULL)
                   2540:                return SSH_ERR_INVALID_ARGUMENT;
1.86      djm      2541:        return sshkey_sign(key, sigp, lenp, data, datalen, alg,
1.111     djm      2542:            sk_provider, sk_pin, compat);
1.53      djm      2543: }
                   2544:
                   2545: int
1.86      djm      2546: sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
1.111     djm      2547:     const char *sk_provider, const char *sk_pin)
1.53      djm      2548: {
1.111     djm      2549:        return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin,
1.86      djm      2550:            default_key_sign, NULL);
1.1       djm      2551: }
                   2552:
                   2553: int
                   2554: sshkey_cert_check_authority(const struct sshkey *k,
1.114     djm      2555:     int want_host, int require_principal, int wildcard_pattern,
1.119     djm      2556:     uint64_t verify_time, const char *name, const char **reason)
1.1       djm      2557: {
                   2558:        u_int i, principal_matches;
                   2559:
1.102     markus   2560:        if (reason == NULL)
                   2561:                return SSH_ERR_INVALID_ARGUMENT;
1.114     djm      2562:        if (!sshkey_is_cert(k)) {
                   2563:                *reason = "Key is not a certificate";
                   2564:                return SSH_ERR_KEY_CERT_INVALID;
                   2565:        }
1.1       djm      2566:        if (want_host) {
                   2567:                if (k->cert->type != SSH2_CERT_TYPE_HOST) {
                   2568:                        *reason = "Certificate invalid: not a host certificate";
                   2569:                        return SSH_ERR_KEY_CERT_INVALID;
                   2570:                }
                   2571:        } else {
                   2572:                if (k->cert->type != SSH2_CERT_TYPE_USER) {
                   2573:                        *reason = "Certificate invalid: not a user certificate";
                   2574:                        return SSH_ERR_KEY_CERT_INVALID;
                   2575:                }
                   2576:        }
1.119     djm      2577:        if (verify_time < k->cert->valid_after) {
1.1       djm      2578:                *reason = "Certificate invalid: not yet valid";
                   2579:                return SSH_ERR_KEY_CERT_INVALID;
                   2580:        }
1.119     djm      2581:        if (verify_time >= k->cert->valid_before) {
1.1       djm      2582:                *reason = "Certificate invalid: expired";
                   2583:                return SSH_ERR_KEY_CERT_INVALID;
                   2584:        }
                   2585:        if (k->cert->nprincipals == 0) {
                   2586:                if (require_principal) {
                   2587:                        *reason = "Certificate lacks principal list";
                   2588:                        return SSH_ERR_KEY_CERT_INVALID;
                   2589:                }
                   2590:        } else if (name != NULL) {
                   2591:                principal_matches = 0;
                   2592:                for (i = 0; i < k->cert->nprincipals; i++) {
1.114     djm      2593:                        if (wildcard_pattern) {
                   2594:                                if (match_pattern(k->cert->principals[i],
                   2595:                                    name)) {
                   2596:                                        principal_matches = 1;
                   2597:                                        break;
                   2598:                                }
                   2599:                        } else if (strcmp(name, k->cert->principals[i]) == 0) {
1.1       djm      2600:                                principal_matches = 1;
                   2601:                                break;
                   2602:                        }
                   2603:                }
                   2604:                if (!principal_matches) {
                   2605:                        *reason = "Certificate invalid: name is not a listed "
                   2606:                            "principal";
                   2607:                        return SSH_ERR_KEY_CERT_INVALID;
                   2608:                }
1.114     djm      2609:        }
                   2610:        return 0;
                   2611: }
                   2612:
                   2613: int
1.119     djm      2614: sshkey_cert_check_authority_now(const struct sshkey *k,
                   2615:     int want_host, int require_principal, int wildcard_pattern,
                   2616:     const char *name, const char **reason)
                   2617: {
                   2618:        time_t now;
                   2619:
                   2620:        if ((now = time(NULL)) < 0) {
                   2621:                /* yikes - system clock before epoch! */
                   2622:                *reason = "Certificate invalid: not yet valid";
                   2623:                return SSH_ERR_KEY_CERT_INVALID;
                   2624:        }
                   2625:        return sshkey_cert_check_authority(k, want_host, require_principal,
                   2626:            wildcard_pattern, (uint64_t)now, name, reason);
                   2627: }
                   2628:
                   2629: int
1.114     djm      2630: sshkey_cert_check_host(const struct sshkey *key, const char *host,
                   2631:     int wildcard_principals, const char *ca_sign_algorithms,
                   2632:     const char **reason)
                   2633: {
                   2634:        int r;
                   2635:
1.119     djm      2636:        if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals,
1.114     djm      2637:            host, reason)) != 0)
                   2638:                return r;
                   2639:        if (sshbuf_len(key->cert->critical) != 0) {
                   2640:                *reason = "Certificate contains unsupported critical options";
                   2641:                return SSH_ERR_KEY_CERT_INVALID;
                   2642:        }
                   2643:        if (ca_sign_algorithms != NULL &&
                   2644:            (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) {
                   2645:                *reason = "Certificate signed with disallowed algorithm";
                   2646:                return SSH_ERR_KEY_CERT_INVALID;
1.1       djm      2647:        }
                   2648:        return 0;
1.27      djm      2649: }
                   2650:
                   2651: size_t
                   2652: sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
                   2653: {
1.113     dtucker  2654:        char from[32], to[32], ret[128];
1.27      djm      2655:
                   2656:        *from = *to = '\0';
                   2657:        if (cert->valid_after == 0 &&
                   2658:            cert->valid_before == 0xffffffffffffffffULL)
                   2659:                return strlcpy(s, "forever", l);
                   2660:
1.118     dtucker  2661:        if (cert->valid_after != 0)
                   2662:                format_absolute_time(cert->valid_after, from, sizeof(from));
                   2663:        if (cert->valid_before != 0xffffffffffffffffULL)
                   2664:                format_absolute_time(cert->valid_before, to, sizeof(to));
1.27      djm      2665:
                   2666:        if (cert->valid_after == 0)
                   2667:                snprintf(ret, sizeof(ret), "before %s", to);
                   2668:        else if (cert->valid_before == 0xffffffffffffffffULL)
                   2669:                snprintf(ret, sizeof(ret), "after %s", from);
                   2670:        else
                   2671:                snprintf(ret, sizeof(ret), "from %s to %s", from, to);
                   2672:
                   2673:        return strlcpy(s, ret, l);
1.1       djm      2674: }
                   2675:
                   2676: int
1.76      djm      2677: sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
1.62      markus   2678:     enum sshkey_serialize_rep opts)
1.1       djm      2679: {
                   2680:        int r = SSH_ERR_INTERNAL_ERROR;
1.76      djm      2681:        int was_shielded = sshkey_is_shielded(key);
                   2682:        struct sshbuf *b = NULL;
1.69      djm      2683: #ifdef WITH_OPENSSL
                   2684:        const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
                   2685:        const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
                   2686: #endif /* WITH_OPENSSL */
1.1       djm      2687:
1.76      djm      2688:        if ((r = sshkey_unshield_private(key)) != 0)
                   2689:                return r;
                   2690:        if ((b = sshbuf_new()) == NULL)
                   2691:                return SSH_ERR_ALLOC_FAIL;
1.1       djm      2692:        if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
                   2693:                goto out;
                   2694:        switch (key->type) {
                   2695: #ifdef WITH_OPENSSL
                   2696:        case KEY_RSA:
1.69      djm      2697:                RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
                   2698:                RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
                   2699:                RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
                   2700:                if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
                   2701:                    (r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
                   2702:                    (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
                   2703:                    (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
                   2704:                    (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
                   2705:                    (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
1.1       djm      2706:                        goto out;
                   2707:                break;
                   2708:        case KEY_RSA_CERT:
                   2709:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2710:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2711:                        goto out;
                   2712:                }
1.69      djm      2713:                RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
                   2714:                RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
                   2715:                RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
1.1       djm      2716:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
1.69      djm      2717:                    (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
                   2718:                    (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
                   2719:                    (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
                   2720:                    (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
1.1       djm      2721:                        goto out;
                   2722:                break;
                   2723:        case KEY_DSA:
1.69      djm      2724:                DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
                   2725:                DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
                   2726:                if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
                   2727:                    (r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
                   2728:                    (r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
                   2729:                    (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
                   2730:                    (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
1.1       djm      2731:                        goto out;
                   2732:                break;
                   2733:        case KEY_DSA_CERT:
                   2734:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2735:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2736:                        goto out;
                   2737:                }
1.69      djm      2738:                DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
1.1       djm      2739:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
1.69      djm      2740:                    (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
1.1       djm      2741:                        goto out;
                   2742:                break;
                   2743:        case KEY_ECDSA:
                   2744:                if ((r = sshbuf_put_cstring(b,
                   2745:                    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
                   2746:                    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
                   2747:                    (r = sshbuf_put_bignum2(b,
                   2748:                    EC_KEY_get0_private_key(key->ecdsa))) != 0)
                   2749:                        goto out;
                   2750:                break;
                   2751:        case KEY_ECDSA_CERT:
                   2752:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2753:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2754:                        goto out;
                   2755:                }
                   2756:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2757:                    (r = sshbuf_put_bignum2(b,
                   2758:                    EC_KEY_get0_private_key(key->ecdsa))) != 0)
                   2759:                        goto out;
                   2760:                break;
1.85      djm      2761:        case KEY_ECDSA_SK:
                   2762:                if ((r = sshbuf_put_cstring(b,
                   2763:                    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
                   2764:                    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
                   2765:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2766:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2767:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2768:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2769:                        goto out;
                   2770:                break;
                   2771:        case KEY_ECDSA_SK_CERT:
                   2772:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2773:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2774:                        goto out;
                   2775:                }
                   2776:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2777:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2778:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2779:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2780:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2781:                        goto out;
                   2782:                break;
1.1       djm      2783: #endif /* WITH_OPENSSL */
                   2784:        case KEY_ED25519:
                   2785:                if ((r = sshbuf_put_string(b, key->ed25519_pk,
                   2786:                    ED25519_PK_SZ)) != 0 ||
                   2787:                    (r = sshbuf_put_string(b, key->ed25519_sk,
                   2788:                    ED25519_SK_SZ)) != 0)
                   2789:                        goto out;
                   2790:                break;
                   2791:        case KEY_ED25519_CERT:
                   2792:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2793:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2794:                        goto out;
                   2795:                }
                   2796:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2797:                    (r = sshbuf_put_string(b, key->ed25519_pk,
                   2798:                    ED25519_PK_SZ)) != 0 ||
                   2799:                    (r = sshbuf_put_string(b, key->ed25519_sk,
                   2800:                    ED25519_SK_SZ)) != 0)
                   2801:                        goto out;
                   2802:                break;
1.90      markus   2803:        case KEY_ED25519_SK:
                   2804:                if ((r = sshbuf_put_string(b, key->ed25519_pk,
                   2805:                    ED25519_PK_SZ)) != 0 ||
                   2806:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2807:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2808:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2809:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2810:                        goto out;
                   2811:                break;
                   2812:        case KEY_ED25519_SK_CERT:
                   2813:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2814:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2815:                        goto out;
                   2816:                }
                   2817:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2818:                    (r = sshbuf_put_string(b, key->ed25519_pk,
                   2819:                    ED25519_PK_SZ)) != 0 ||
                   2820:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2821:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2822:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2823:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2824:                        goto out;
                   2825:                break;
1.62      markus   2826: #ifdef WITH_XMSS
                   2827:        case KEY_XMSS:
                   2828:                if (key->xmss_name == NULL) {
                   2829:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2830:                        goto out;
                   2831:                }
                   2832:                if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
                   2833:                    (r = sshbuf_put_string(b, key->xmss_pk,
                   2834:                    sshkey_xmss_pklen(key))) != 0 ||
                   2835:                    (r = sshbuf_put_string(b, key->xmss_sk,
                   2836:                    sshkey_xmss_sklen(key))) != 0 ||
                   2837:                    (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
                   2838:                        goto out;
                   2839:                break;
                   2840:        case KEY_XMSS_CERT:
                   2841:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 ||
                   2842:                    key->xmss_name == NULL) {
                   2843:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2844:                        goto out;
                   2845:                }
                   2846:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2847:                    (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
                   2848:                    (r = sshbuf_put_string(b, key->xmss_pk,
                   2849:                    sshkey_xmss_pklen(key))) != 0 ||
                   2850:                    (r = sshbuf_put_string(b, key->xmss_sk,
                   2851:                    sshkey_xmss_sklen(key))) != 0 ||
                   2852:                    (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
                   2853:                        goto out;
                   2854:                break;
                   2855: #endif /* WITH_XMSS */
1.1       djm      2856:        default:
                   2857:                r = SSH_ERR_INVALID_ARGUMENT;
                   2858:                goto out;
                   2859:        }
1.76      djm      2860:        /*
                   2861:         * success (but we still need to append the output to buf after
                   2862:         * possibly re-shielding the private key)
                   2863:         */
1.1       djm      2864:        r = 0;
                   2865:  out:
1.76      djm      2866:        if (was_shielded)
                   2867:                r = sshkey_shield_private(key);
                   2868:        if (r == 0)
                   2869:                r = sshbuf_putb(buf, b);
                   2870:        sshbuf_free(b);
                   2871:
1.1       djm      2872:        return r;
                   2873: }
                   2874:
                   2875: int
1.76      djm      2876: sshkey_private_serialize(struct sshkey *key, struct sshbuf *b)
1.62      markus   2877: {
                   2878:        return sshkey_private_serialize_opt(key, b,
                   2879:            SSHKEY_SERIALIZE_DEFAULT);
                   2880: }
                   2881:
                   2882: int
1.1       djm      2883: sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
                   2884: {
1.62      markus   2885:        char *tname = NULL, *curve = NULL, *xmss_name = NULL;
1.115     djm      2886:        char *expect_sk_application = NULL;
1.1       djm      2887:        struct sshkey *k = NULL;
1.14      djm      2888:        size_t pklen = 0, sklen = 0;
1.1       djm      2889:        int type, r = SSH_ERR_INTERNAL_ERROR;
                   2890:        u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
1.115     djm      2891:        u_char *expect_ed25519_pk = NULL;
1.62      markus   2892:        u_char *xmss_pk = NULL, *xmss_sk = NULL;
1.1       djm      2893: #ifdef WITH_OPENSSL
                   2894:        BIGNUM *exponent = NULL;
1.69      djm      2895:        BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
                   2896:        BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
                   2897:        BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
                   2898:        BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
1.1       djm      2899: #endif /* WITH_OPENSSL */
                   2900:
                   2901:        if (kp != NULL)
                   2902:                *kp = NULL;
                   2903:        if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
                   2904:                goto out;
                   2905:        type = sshkey_type_from_name(tname);
1.108     djm      2906:        if (sshkey_type_is_cert(type)) {
                   2907:                /*
                   2908:                 * Certificate key private keys begin with the certificate
                   2909:                 * itself. Make sure this matches the type of the enclosing
                   2910:                 * private key.
                   2911:                 */
                   2912:                if ((r = sshkey_froms(buf, &k)) != 0)
                   2913:                        goto out;
                   2914:                if (k->type != type) {
                   2915:                        r = SSH_ERR_KEY_CERT_MISMATCH;
                   2916:                        goto out;
                   2917:                }
                   2918:                /* For ECDSA keys, the group must match too */
                   2919:                if (k->type == KEY_ECDSA &&
                   2920:                    k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
                   2921:                        r = SSH_ERR_KEY_CERT_MISMATCH;
                   2922:                        goto out;
                   2923:                }
1.115     djm      2924:                /*
                   2925:                 * Several fields are redundant between certificate and
                   2926:                 * private key body, we require these to match.
                   2927:                 */
                   2928:                expect_sk_application = k->sk_application;
                   2929:                expect_ed25519_pk = k->ed25519_pk;
                   2930:                k->sk_application = NULL;
                   2931:                k->ed25519_pk = NULL;
1.108     djm      2932:        } else {
1.70      djm      2933:                if ((k = sshkey_new(type)) == NULL) {
1.1       djm      2934:                        r = SSH_ERR_ALLOC_FAIL;
                   2935:                        goto out;
                   2936:                }
1.108     djm      2937:        }
                   2938:        switch (type) {
                   2939: #ifdef WITH_OPENSSL
                   2940:        case KEY_DSA:
1.73      djm      2941:                if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 ||
                   2942:                    (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 ||
                   2943:                    (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 ||
1.108     djm      2944:                    (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0)
1.69      djm      2945:                        goto out;
                   2946:                if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
                   2947:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2948:                        goto out;
                   2949:                }
                   2950:                dsa_p = dsa_q = dsa_g = NULL; /* transferred */
1.108     djm      2951:                if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL)) {
1.69      djm      2952:                        r = SSH_ERR_LIBCRYPTO_ERROR;
1.1       djm      2953:                        goto out;
1.69      djm      2954:                }
1.108     djm      2955:                dsa_pub_key = NULL; /* transferred */
                   2956:                /* FALLTHROUGH */
1.1       djm      2957:        case KEY_DSA_CERT:
1.108     djm      2958:                if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
1.84      djm      2959:                        goto out;
1.69      djm      2960:                if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
                   2961:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2962:                        goto out;
                   2963:                }
                   2964:                dsa_priv_key = NULL; /* transferred */
1.1       djm      2965:                break;
                   2966:        case KEY_ECDSA:
                   2967:                if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
                   2968:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2969:                        goto out;
                   2970:                }
                   2971:                if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
                   2972:                        goto out;
                   2973:                if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
                   2974:                        r = SSH_ERR_EC_CURVE_MISMATCH;
                   2975:                        goto out;
                   2976:                }
                   2977:                k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1.73      djm      2978:                if (k->ecdsa  == NULL) {
1.1       djm      2979:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2980:                        goto out;
                   2981:                }
1.108     djm      2982:                if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0)
1.1       djm      2983:                        goto out;
1.108     djm      2984:                /* FALLTHROUGH */
1.1       djm      2985:        case KEY_ECDSA_CERT:
1.108     djm      2986:                if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0)
1.1       djm      2987:                        goto out;
                   2988:                if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
                   2989:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2990:                        goto out;
                   2991:                }
                   2992:                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
1.22      jsg      2993:                    EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
1.1       djm      2994:                    (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
                   2995:                        goto out;
                   2996:                break;
1.85      djm      2997:        case KEY_ECDSA_SK:
                   2998:                if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
                   2999:                        r = SSH_ERR_INVALID_ARGUMENT;
                   3000:                        goto out;
                   3001:                }
                   3002:                if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
                   3003:                        goto out;
                   3004:                if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
                   3005:                        r = SSH_ERR_EC_CURVE_MISMATCH;
                   3006:                        goto out;
                   3007:                }
                   3008:                if ((k->sk_key_handle = sshbuf_new()) == NULL ||
                   3009:                    (k->sk_reserved = sshbuf_new()) == NULL) {
                   3010:                        r = SSH_ERR_ALLOC_FAIL;
                   3011:                        goto out;
                   3012:                }
                   3013:                k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
                   3014:                if (k->ecdsa  == NULL) {
                   3015:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   3016:                        goto out;
                   3017:                }
                   3018:                if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
                   3019:                    (r = sshbuf_get_cstring(buf, &k->sk_application,
                   3020:                    NULL)) != 0 ||
                   3021:                    (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
                   3022:                    (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
                   3023:                    (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
                   3024:                        goto out;
                   3025:                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
                   3026:                    EC_KEY_get0_public_key(k->ecdsa))) != 0)
                   3027:                        goto out;
                   3028:                break;
                   3029:        case KEY_ECDSA_SK_CERT:
                   3030:                if ((k->sk_key_handle = sshbuf_new()) == NULL ||
                   3031:                    (k->sk_reserved = sshbuf_new()) == NULL) {
                   3032:                        r = SSH_ERR_ALLOC_FAIL;
                   3033:                        goto out;
                   3034:                }
                   3035:                if ((r = sshbuf_get_cstring(buf, &k->sk_application,
                   3036:                    NULL)) != 0 ||
                   3037:                    (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
                   3038:                    (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
                   3039:                    (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
                   3040:                        goto out;
                   3041:                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
                   3042:                    EC_KEY_get0_public_key(k->ecdsa))) != 0)
                   3043:                        goto out;
                   3044:                break;
1.1       djm      3045:        case KEY_RSA:
1.73      djm      3046:                if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 ||
1.108     djm      3047:                    (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0)
1.1       djm      3048:                        goto out;
1.108     djm      3049:                if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL)) {
1.69      djm      3050:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   3051:                        goto out;
                   3052:                }
1.108     djm      3053:                rsa_n = rsa_e = NULL; /* transferred */
                   3054:                /* FALLTHROUGH */
1.1       djm      3055:        case KEY_RSA_CERT:
1.108     djm      3056:                if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
1.73      djm      3057:                    (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
                   3058:                    (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
                   3059:                    (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
1.1       djm      3060:                        goto out;
1.69      djm      3061:                if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
                   3062:                        r = SSH_ERR_LIBCRYPTO_ERROR;
1.49      djm      3063:                        goto out;
                   3064:                }
1.69      djm      3065:                rsa_d = NULL; /* transferred */
                   3066:                if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
                   3067:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   3068:                        goto out;
                   3069:                }
                   3070:                rsa_p = rsa_q = NULL; /* transferred */
1.122     djm      3071:                if ((r = sshkey_check_rsa_length(k, 0)) != 0)
1.69      djm      3072:                        goto out;
                   3073:                if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
                   3074:                        goto out;
1.1       djm      3075:                break;
                   3076: #endif /* WITH_OPENSSL */
                   3077:        case KEY_ED25519:
1.108     djm      3078:        case KEY_ED25519_CERT:
1.1       djm      3079:                if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
                   3080:                    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
                   3081:                        goto out;
                   3082:                if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
                   3083:                        r = SSH_ERR_INVALID_FORMAT;
                   3084:                        goto out;
                   3085:                }
                   3086:                k->ed25519_pk = ed25519_pk;
                   3087:                k->ed25519_sk = ed25519_sk;
1.84      djm      3088:                ed25519_pk = ed25519_sk = NULL; /* transferred */
1.1       djm      3089:                break;
1.90      markus   3090:        case KEY_ED25519_SK:
1.108     djm      3091:        case KEY_ED25519_SK_CERT:
1.90      markus   3092:                if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
                   3093:                        goto out;
                   3094:                if (pklen != ED25519_PK_SZ) {
                   3095:                        r = SSH_ERR_INVALID_FORMAT;
                   3096:                        goto out;
                   3097:                }
                   3098:                if ((k->sk_key_handle = sshbuf_new()) == NULL ||
                   3099:                    (k->sk_reserved = sshbuf_new()) == NULL) {
                   3100:                        r = SSH_ERR_ALLOC_FAIL;
                   3101:                        goto out;
                   3102:                }
                   3103:                if ((r = sshbuf_get_cstring(buf, &k->sk_application,
                   3104:                    NULL)) != 0 ||
                   3105:                    (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
                   3106:                    (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
                   3107:                    (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
                   3108:                        goto out;
                   3109:                k->ed25519_pk = ed25519_pk;
                   3110:                ed25519_pk = NULL; /* transferred */
                   3111:                break;
1.62      markus   3112: #ifdef WITH_XMSS
                   3113:        case KEY_XMSS:
1.108     djm      3114:        case KEY_XMSS_CERT:
1.62      markus   3115:                if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
                   3116:                    (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
                   3117:                    (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
1.110     markus   3118:                        goto out;
                   3119:                if (type == KEY_XMSS &&
                   3120:                    (r = sshkey_xmss_init(k, xmss_name)) != 0)
1.62      markus   3121:                        goto out;
                   3122:                if (pklen != sshkey_xmss_pklen(k) ||
                   3123:                    sklen != sshkey_xmss_sklen(k)) {
                   3124:                        r = SSH_ERR_INVALID_FORMAT;
                   3125:                        goto out;
                   3126:                }
                   3127:                k->xmss_pk = xmss_pk;
                   3128:                k->xmss_sk = xmss_sk;
                   3129:                xmss_pk = xmss_sk = NULL;
                   3130:                /* optional internal state */
                   3131:                if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
                   3132:                        goto out;
                   3133:                break;
                   3134: #endif /* WITH_XMSS */
1.1       djm      3135:        default:
                   3136:                r = SSH_ERR_KEY_TYPE_UNKNOWN;
                   3137:                goto out;
                   3138:        }
                   3139: #ifdef WITH_OPENSSL
                   3140:        /* enable blinding */
                   3141:        switch (k->type) {
                   3142:        case KEY_RSA:
                   3143:        case KEY_RSA_CERT:
                   3144:                if (RSA_blinding_on(k->rsa, NULL) != 1) {
                   3145:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   3146:                        goto out;
                   3147:                }
                   3148:                break;
                   3149:        }
                   3150: #endif /* WITH_OPENSSL */
1.115     djm      3151:        if ((expect_sk_application != NULL && (k->sk_application == NULL ||
                   3152:            strcmp(expect_sk_application, k->sk_application) != 0)) ||
                   3153:            (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL ||
1.116     djm      3154:            memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) {
1.115     djm      3155:                r = SSH_ERR_KEY_CERT_MISMATCH;
                   3156:                goto out;
                   3157:        }
1.1       djm      3158:        /* success */
                   3159:        r = 0;
                   3160:        if (kp != NULL) {
                   3161:                *kp = k;
                   3162:                k = NULL;
                   3163:        }
                   3164:  out:
                   3165:        free(tname);
                   3166:        free(curve);
                   3167: #ifdef WITH_OPENSSL
1.60      jsing    3168:        BN_clear_free(exponent);
1.69      djm      3169:        BN_clear_free(dsa_p);
                   3170:        BN_clear_free(dsa_q);
                   3171:        BN_clear_free(dsa_g);
                   3172:        BN_clear_free(dsa_pub_key);
                   3173:        BN_clear_free(dsa_priv_key);
                   3174:        BN_clear_free(rsa_n);
                   3175:        BN_clear_free(rsa_e);
                   3176:        BN_clear_free(rsa_d);
                   3177:        BN_clear_free(rsa_p);
                   3178:        BN_clear_free(rsa_q);
                   3179:        BN_clear_free(rsa_iqmp);
1.1       djm      3180: #endif /* WITH_OPENSSL */
                   3181:        sshkey_free(k);
1.61      jsing    3182:        freezero(ed25519_pk, pklen);
                   3183:        freezero(ed25519_sk, sklen);
1.62      markus   3184:        free(xmss_name);
                   3185:        freezero(xmss_pk, pklen);
                   3186:        freezero(xmss_sk, sklen);
1.115     djm      3187:        free(expect_sk_application);
                   3188:        free(expect_ed25519_pk);
1.1       djm      3189:        return r;
                   3190: }
                   3191:
                   3192: #ifdef WITH_OPENSSL
                   3193: int
                   3194: sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
                   3195: {
                   3196:        EC_POINT *nq = NULL;
1.93      djm      3197:        BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL;
1.1       djm      3198:        int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
1.40      djm      3199:
                   3200:        /*
                   3201:         * NB. This assumes OpenSSL has already verified that the public
                   3202:         * point lies on the curve. This is done by EC_POINT_oct2point()
                   3203:         * implicitly calling EC_POINT_is_on_curve(). If this code is ever
                   3204:         * reachable with public points not unmarshalled using
                   3205:         * EC_POINT_oct2point then the caller will need to explicitly check.
                   3206:         */
1.1       djm      3207:
                   3208:        /*
                   3209:         * We shouldn't ever hit this case because bignum_get_ecpoint()
                   3210:         * refuses to load GF2m points.
                   3211:         */
                   3212:        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
                   3213:            NID_X9_62_prime_field)
                   3214:                goto out;
                   3215:
                   3216:        /* Q != infinity */
                   3217:        if (EC_POINT_is_at_infinity(group, public))
                   3218:                goto out;
                   3219:
1.93      djm      3220:        if ((x = BN_new()) == NULL ||
                   3221:            (y = BN_new()) == NULL ||
                   3222:            (order = BN_new()) == NULL ||
                   3223:            (tmp = BN_new()) == NULL) {
1.1       djm      3224:                ret = SSH_ERR_ALLOC_FAIL;
                   3225:                goto out;
                   3226:        }
                   3227:
                   3228:        /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
1.93      djm      3229:        if (EC_GROUP_get_order(group, order, NULL) != 1 ||
1.1       djm      3230:            EC_POINT_get_affine_coordinates_GFp(group, public,
1.93      djm      3231:            x, y, NULL) != 1) {
1.1       djm      3232:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   3233:                goto out;
                   3234:        }
                   3235:        if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
                   3236:            BN_num_bits(y) <= BN_num_bits(order) / 2)
                   3237:                goto out;
                   3238:
                   3239:        /* nQ == infinity (n == order of subgroup) */
                   3240:        if ((nq = EC_POINT_new(group)) == NULL) {
                   3241:                ret = SSH_ERR_ALLOC_FAIL;
                   3242:                goto out;
                   3243:        }
1.93      djm      3244:        if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) {
1.1       djm      3245:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   3246:                goto out;
                   3247:        }
                   3248:        if (EC_POINT_is_at_infinity(group, nq) != 1)
                   3249:                goto out;
                   3250:
                   3251:        /* x < order - 1, y < order - 1 */
                   3252:        if (!BN_sub(tmp, order, BN_value_one())) {
                   3253:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   3254:                goto out;
                   3255:        }
                   3256:        if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
                   3257:                goto out;
                   3258:        ret = 0;
                   3259:  out:
1.93      djm      3260:        BN_clear_free(x);
                   3261:        BN_clear_free(y);
                   3262:        BN_clear_free(order);
                   3263:        BN_clear_free(tmp);
1.60      jsing    3264:        EC_POINT_free(nq);
1.1       djm      3265:        return ret;
                   3266: }
                   3267:
                   3268: int
                   3269: sshkey_ec_validate_private(const EC_KEY *key)
                   3270: {
1.93      djm      3271:        BIGNUM *order = NULL, *tmp = NULL;
1.1       djm      3272:        int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
                   3273:
1.93      djm      3274:        if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) {
1.1       djm      3275:                ret = SSH_ERR_ALLOC_FAIL;
                   3276:                goto out;
                   3277:        }
                   3278:
                   3279:        /* log2(private) > log2(order)/2 */
1.93      djm      3280:        if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) {
1.1       djm      3281:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   3282:                goto out;
                   3283:        }
                   3284:        if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
                   3285:            BN_num_bits(order) / 2)
                   3286:                goto out;
                   3287:
                   3288:        /* private < order - 1 */
                   3289:        if (!BN_sub(tmp, order, BN_value_one())) {
                   3290:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   3291:                goto out;
                   3292:        }
                   3293:        if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
                   3294:                goto out;
                   3295:        ret = 0;
                   3296:  out:
1.93      djm      3297:        BN_clear_free(order);
                   3298:        BN_clear_free(tmp);
1.1       djm      3299:        return ret;
                   3300: }
                   3301:
                   3302: void
                   3303: sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
                   3304: {
1.93      djm      3305:        BIGNUM *x = NULL, *y = NULL;
1.1       djm      3306:
                   3307:        if (point == NULL) {
                   3308:                fputs("point=(NULL)\n", stderr);
                   3309:                return;
                   3310:        }
1.93      djm      3311:        if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) {
                   3312:                fprintf(stderr, "%s: BN_new failed\n", __func__);
                   3313:                goto out;
1.1       djm      3314:        }
                   3315:        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
                   3316:            NID_X9_62_prime_field) {
                   3317:                fprintf(stderr, "%s: group is not a prime field\n", __func__);
1.93      djm      3318:                goto out;
1.1       djm      3319:        }
1.93      djm      3320:        if (EC_POINT_get_affine_coordinates_GFp(group, point,
                   3321:            x, y, NULL) != 1) {
1.1       djm      3322:                fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
                   3323:                    __func__);
1.93      djm      3324:                goto out;
1.1       djm      3325:        }
                   3326:        fputs("x=", stderr);
                   3327:        BN_print_fp(stderr, x);
                   3328:        fputs("\ny=", stderr);
                   3329:        BN_print_fp(stderr, y);
                   3330:        fputs("\n", stderr);
1.93      djm      3331:  out:
                   3332:        BN_clear_free(x);
                   3333:        BN_clear_free(y);
1.1       djm      3334: }
                   3335:
                   3336: void
                   3337: sshkey_dump_ec_key(const EC_KEY *key)
                   3338: {
                   3339:        const BIGNUM *exponent;
                   3340:
                   3341:        sshkey_dump_ec_point(EC_KEY_get0_group(key),
                   3342:            EC_KEY_get0_public_key(key));
                   3343:        fputs("exponent=", stderr);
                   3344:        if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
                   3345:                fputs("(NULL)", stderr);
                   3346:        else
                   3347:                BN_print_fp(stderr, EC_KEY_get0_private_key(key));
                   3348:        fputs("\n", stderr);
                   3349: }
                   3350: #endif /* WITH_OPENSSL */
                   3351:
                   3352: static int
1.76      djm      3353: sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob,
1.1       djm      3354:     const char *passphrase, const char *comment, const char *ciphername,
                   3355:     int rounds)
                   3356: {
1.4       djm      3357:        u_char *cp, *key = NULL, *pubkeyblob = NULL;
1.1       djm      3358:        u_char salt[SALT_LEN];
1.4       djm      3359:        char *b64 = NULL;
1.1       djm      3360:        size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
                   3361:        u_int check;
                   3362:        int r = SSH_ERR_INTERNAL_ERROR;
1.36      djm      3363:        struct sshcipher_ctx *ciphercontext = NULL;
1.1       djm      3364:        const struct sshcipher *cipher;
                   3365:        const char *kdfname = KDFNAME;
                   3366:        struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
                   3367:
                   3368:        if (rounds <= 0)
                   3369:                rounds = DEFAULT_ROUNDS;
                   3370:        if (passphrase == NULL || !strlen(passphrase)) {
                   3371:                ciphername = "none";
                   3372:                kdfname = "none";
                   3373:        } else if (ciphername == NULL)
                   3374:                ciphername = DEFAULT_CIPHERNAME;
1.47      djm      3375:        if ((cipher = cipher_by_name(ciphername)) == NULL) {
1.1       djm      3376:                r = SSH_ERR_INVALID_ARGUMENT;
                   3377:                goto out;
                   3378:        }
                   3379:
                   3380:        if ((kdf = sshbuf_new()) == NULL ||
                   3381:            (encoded = sshbuf_new()) == NULL ||
                   3382:            (encrypted = sshbuf_new()) == NULL) {
                   3383:                r = SSH_ERR_ALLOC_FAIL;
                   3384:                goto out;
                   3385:        }
                   3386:        blocksize = cipher_blocksize(cipher);
                   3387:        keylen = cipher_keylen(cipher);
                   3388:        ivlen = cipher_ivlen(cipher);
                   3389:        authlen = cipher_authlen(cipher);
                   3390:        if ((key = calloc(1, keylen + ivlen)) == NULL) {
                   3391:                r = SSH_ERR_ALLOC_FAIL;
                   3392:                goto out;
                   3393:        }
                   3394:        if (strcmp(kdfname, "bcrypt") == 0) {
                   3395:                arc4random_buf(salt, SALT_LEN);
                   3396:                if (bcrypt_pbkdf(passphrase, strlen(passphrase),
                   3397:                    salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
                   3398:                        r = SSH_ERR_INVALID_ARGUMENT;
                   3399:                        goto out;
                   3400:                }
                   3401:                if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
                   3402:                    (r = sshbuf_put_u32(kdf, rounds)) != 0)
                   3403:                        goto out;
                   3404:        } else if (strcmp(kdfname, "none") != 0) {
                   3405:                /* Unsupported KDF type */
                   3406:                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
                   3407:                goto out;
                   3408:        }
                   3409:        if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
                   3410:            key + keylen, ivlen, 1)) != 0)
                   3411:                goto out;
                   3412:
                   3413:        if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
                   3414:            (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
                   3415:            (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
                   3416:            (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
                   3417:            (r = sshbuf_put_u32(encoded, 1)) != 0 ||    /* number of keys */
                   3418:            (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
                   3419:            (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
                   3420:                goto out;
                   3421:
                   3422:        /* set up the buffer that will be encrypted */
                   3423:
                   3424:        /* Random check bytes */
                   3425:        check = arc4random();
                   3426:        if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
                   3427:            (r = sshbuf_put_u32(encrypted, check)) != 0)
                   3428:                goto out;
                   3429:
                   3430:        /* append private key and comment*/
1.62      markus   3431:        if ((r = sshkey_private_serialize_opt(prv, encrypted,
1.116     djm      3432:            SSHKEY_SERIALIZE_FULL)) != 0 ||
1.1       djm      3433:            (r = sshbuf_put_cstring(encrypted, comment)) != 0)
                   3434:                goto out;
                   3435:
                   3436:        /* padding */
                   3437:        i = 0;
                   3438:        while (sshbuf_len(encrypted) % blocksize) {
                   3439:                if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
                   3440:                        goto out;
                   3441:        }
                   3442:
                   3443:        /* length in destination buffer */
                   3444:        if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
                   3445:                goto out;
                   3446:
                   3447:        /* encrypt */
                   3448:        if ((r = sshbuf_reserve(encoded,
                   3449:            sshbuf_len(encrypted) + authlen, &cp)) != 0)
                   3450:                goto out;
1.36      djm      3451:        if ((r = cipher_crypt(ciphercontext, 0, cp,
1.1       djm      3452:            sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
                   3453:                goto out;
                   3454:
1.81      djm      3455:        sshbuf_reset(blob);
1.1       djm      3456:
1.81      djm      3457:        /* assemble uuencoded key */
                   3458:        if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 ||
                   3459:            (r = sshbuf_dtob64(encoded, blob, 1)) != 0 ||
                   3460:            (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
1.1       djm      3461:                goto out;
                   3462:
                   3463:        /* success */
                   3464:        r = 0;
                   3465:
                   3466:  out:
                   3467:        sshbuf_free(kdf);
                   3468:        sshbuf_free(encoded);
                   3469:        sshbuf_free(encrypted);
1.36      djm      3470:        cipher_free(ciphercontext);
1.1       djm      3471:        explicit_bzero(salt, sizeof(salt));
1.100     jsg      3472:        if (key != NULL)
                   3473:                freezero(key, keylen + ivlen);
1.121     djm      3474:        if (pubkeyblob != NULL)
1.100     jsg      3475:                freezero(pubkeyblob, pubkeylen);
1.121     djm      3476:        if (b64 != NULL)
1.100     jsg      3477:                freezero(b64, strlen(b64));
1.1       djm      3478:        return r;
                   3479: }
                   3480:
                   3481: static int
1.103     djm      3482: private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp)
1.1       djm      3483: {
                   3484:        const u_char *cp;
                   3485:        size_t encoded_len;
1.103     djm      3486:        int r;
                   3487:        u_char last;
1.1       djm      3488:        struct sshbuf *encoded = NULL, *decoded = NULL;
                   3489:
1.103     djm      3490:        if (blob == NULL || decodedp == NULL)
                   3491:                return SSH_ERR_INVALID_ARGUMENT;
                   3492:
                   3493:        *decodedp = NULL;
1.1       djm      3494:
                   3495:        if ((encoded = sshbuf_new()) == NULL ||
1.103     djm      3496:            (decoded = sshbuf_new()) == NULL) {
1.1       djm      3497:                r = SSH_ERR_ALLOC_FAIL;
                   3498:                goto out;
                   3499:        }
                   3500:
                   3501:        /* check preamble */
                   3502:        cp = sshbuf_ptr(blob);
                   3503:        encoded_len = sshbuf_len(blob);
                   3504:        if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
                   3505:            memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
                   3506:                r = SSH_ERR_INVALID_FORMAT;
                   3507:                goto out;
                   3508:        }
                   3509:        cp += MARK_BEGIN_LEN;
                   3510:        encoded_len -= MARK_BEGIN_LEN;
                   3511:
                   3512:        /* Look for end marker, removing whitespace as we go */
                   3513:        while (encoded_len > 0) {
                   3514:                if (*cp != '\n' && *cp != '\r') {
                   3515:                        if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
                   3516:                                goto out;
                   3517:                }
                   3518:                last = *cp;
                   3519:                encoded_len--;
                   3520:                cp++;
                   3521:                if (last == '\n') {
                   3522:                        if (encoded_len >= MARK_END_LEN &&
                   3523:                            memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
                   3524:                                /* \0 terminate */
                   3525:                                if ((r = sshbuf_put_u8(encoded, 0)) != 0)
                   3526:                                        goto out;
                   3527:                                break;
                   3528:                        }
                   3529:                }
                   3530:        }
                   3531:        if (encoded_len == 0) {
                   3532:                r = SSH_ERR_INVALID_FORMAT;
                   3533:                goto out;
                   3534:        }
                   3535:
                   3536:        /* decode base64 */
1.4       djm      3537:        if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
1.1       djm      3538:                goto out;
                   3539:
                   3540:        /* check magic */
                   3541:        if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
                   3542:            memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
                   3543:                r = SSH_ERR_INVALID_FORMAT;
                   3544:                goto out;
                   3545:        }
1.103     djm      3546:        /* success */
                   3547:        *decodedp = decoded;
                   3548:        decoded = NULL;
                   3549:        r = 0;
                   3550:  out:
                   3551:        sshbuf_free(encoded);
                   3552:        sshbuf_free(decoded);
                   3553:        return r;
                   3554: }
                   3555:
                   3556: static int
1.104     djm      3557: private2_decrypt(struct sshbuf *decoded, const char *passphrase,
                   3558:     struct sshbuf **decryptedp, struct sshkey **pubkeyp)
1.103     djm      3559: {
                   3560:        char *ciphername = NULL, *kdfname = NULL;
                   3561:        const struct sshcipher *cipher = NULL;
                   3562:        int r = SSH_ERR_INTERNAL_ERROR;
                   3563:        size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0;
                   3564:        struct sshbuf *kdf = NULL, *decrypted = NULL;
                   3565:        struct sshcipher_ctx *ciphercontext = NULL;
1.104     djm      3566:        struct sshkey *pubkey = NULL;
1.103     djm      3567:        u_char *key = NULL, *salt = NULL, *dp;
                   3568:        u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
                   3569:
1.104     djm      3570:        if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL)
1.103     djm      3571:                return SSH_ERR_INVALID_ARGUMENT;
                   3572:
                   3573:        *decryptedp = NULL;
1.104     djm      3574:        *pubkeyp = NULL;
1.103     djm      3575:
                   3576:        if ((decrypted = sshbuf_new()) == NULL) {
                   3577:                r = SSH_ERR_ALLOC_FAIL;
                   3578:                goto out;
                   3579:        }
                   3580:
1.1       djm      3581:        /* parse public portion of key */
                   3582:        if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
                   3583:            (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
                   3584:            (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
                   3585:            (r = sshbuf_froms(decoded, &kdf)) != 0 ||
1.103     djm      3586:            (r = sshbuf_get_u32(decoded, &nkeys)) != 0)
                   3587:                goto out;
                   3588:
                   3589:        if (nkeys != 1) {
                   3590:                /* XXX only one key supported at present */
                   3591:                r = SSH_ERR_INVALID_FORMAT;
                   3592:                goto out;
                   3593:        }
                   3594:
1.104     djm      3595:        if ((r = sshkey_froms(decoded, &pubkey)) != 0 ||
1.1       djm      3596:            (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
                   3597:                goto out;
                   3598:
                   3599:        if ((cipher = cipher_by_name(ciphername)) == NULL) {
                   3600:                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
                   3601:                goto out;
                   3602:        }
                   3603:        if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
                   3604:                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
                   3605:                goto out;
                   3606:        }
1.101     markus   3607:        if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) {
1.1       djm      3608:                r = SSH_ERR_INVALID_FORMAT;
1.101     markus   3609:                goto out;
                   3610:        }
                   3611:        if ((passphrase == NULL || strlen(passphrase) == 0) &&
                   3612:            strcmp(kdfname, "none") != 0) {
                   3613:                /* passphrase required */
                   3614:                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
1.1       djm      3615:                goto out;
                   3616:        }
                   3617:
                   3618:        /* check size of encrypted key blob */
                   3619:        blocksize = cipher_blocksize(cipher);
                   3620:        if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
                   3621:                r = SSH_ERR_INVALID_FORMAT;
                   3622:                goto out;
                   3623:        }
                   3624:
                   3625:        /* setup key */
                   3626:        keylen = cipher_keylen(cipher);
                   3627:        ivlen = cipher_ivlen(cipher);
1.18      djm      3628:        authlen = cipher_authlen(cipher);
1.1       djm      3629:        if ((key = calloc(1, keylen + ivlen)) == NULL) {
                   3630:                r = SSH_ERR_ALLOC_FAIL;
                   3631:                goto out;
                   3632:        }
                   3633:        if (strcmp(kdfname, "bcrypt") == 0) {
                   3634:                if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
                   3635:                    (r = sshbuf_get_u32(kdf, &rounds)) != 0)
                   3636:                        goto out;
                   3637:                if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
                   3638:                    key, keylen + ivlen, rounds) < 0) {
                   3639:                        r = SSH_ERR_INVALID_FORMAT;
                   3640:                        goto out;
                   3641:                }
                   3642:        }
                   3643:
1.18      djm      3644:        /* check that an appropriate amount of auth data is present */
1.84      djm      3645:        if (sshbuf_len(decoded) < authlen ||
                   3646:            sshbuf_len(decoded) - authlen < encrypted_len) {
1.18      djm      3647:                r = SSH_ERR_INVALID_FORMAT;
                   3648:                goto out;
                   3649:        }
                   3650:
1.1       djm      3651:        /* decrypt private portion of key */
                   3652:        if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
                   3653:            (r = cipher_init(&ciphercontext, cipher, key, keylen,
                   3654:            key + keylen, ivlen, 0)) != 0)
                   3655:                goto out;
1.36      djm      3656:        if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
1.18      djm      3657:            encrypted_len, 0, authlen)) != 0) {
1.1       djm      3658:                /* an integrity error here indicates an incorrect passphrase */
                   3659:                if (r == SSH_ERR_MAC_INVALID)
                   3660:                        r = SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3661:                goto out;
                   3662:        }
1.18      djm      3663:        if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
1.1       djm      3664:                goto out;
                   3665:        /* there should be no trailing data */
                   3666:        if (sshbuf_len(decoded) != 0) {
                   3667:                r = SSH_ERR_INVALID_FORMAT;
                   3668:                goto out;
                   3669:        }
                   3670:
                   3671:        /* check check bytes */
                   3672:        if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
                   3673:            (r = sshbuf_get_u32(decrypted, &check2)) != 0)
                   3674:                goto out;
                   3675:        if (check1 != check2) {
                   3676:                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3677:                goto out;
                   3678:        }
1.103     djm      3679:        /* success */
                   3680:        *decryptedp = decrypted;
                   3681:        decrypted = NULL;
1.104     djm      3682:        *pubkeyp = pubkey;
                   3683:        pubkey = NULL;
1.103     djm      3684:        r = 0;
                   3685:  out:
                   3686:        cipher_free(ciphercontext);
                   3687:        free(ciphername);
                   3688:        free(kdfname);
1.104     djm      3689:        sshkey_free(pubkey);
1.103     djm      3690:        if (salt != NULL) {
                   3691:                explicit_bzero(salt, slen);
                   3692:                free(salt);
                   3693:        }
                   3694:        if (key != NULL) {
                   3695:                explicit_bzero(key, keylen + ivlen);
                   3696:                free(key);
                   3697:        }
                   3698:        sshbuf_free(kdf);
                   3699:        sshbuf_free(decrypted);
                   3700:        return r;
                   3701: }
                   3702:
                   3703: static int
                   3704: sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
                   3705:     struct sshkey **keyp, char **commentp)
                   3706: {
                   3707:        char *comment = NULL;
                   3708:        int r = SSH_ERR_INTERNAL_ERROR;
                   3709:        struct sshbuf *decoded = NULL, *decrypted = NULL;
1.104     djm      3710:        struct sshkey *k = NULL, *pubkey = NULL;
1.103     djm      3711:
                   3712:        if (keyp != NULL)
                   3713:                *keyp = NULL;
                   3714:        if (commentp != NULL)
                   3715:                *commentp = NULL;
                   3716:
                   3717:        /* Undo base64 encoding and decrypt the private section */
                   3718:        if ((r = private2_uudecode(blob, &decoded)) != 0 ||
1.104     djm      3719:            (r = private2_decrypt(decoded, passphrase,
                   3720:            &decrypted, &pubkey)) != 0)
1.103     djm      3721:                goto out;
1.105     djm      3722:
                   3723:        if (type != KEY_UNSPEC &&
                   3724:            sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
                   3725:                r = SSH_ERR_KEY_TYPE_MISMATCH;
                   3726:                goto out;
                   3727:        }
1.103     djm      3728:
                   3729:        /* Load the private key and comment */
                   3730:        if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
                   3731:            (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
                   3732:                goto out;
                   3733:
                   3734:        /* Check deterministic padding after private section */
                   3735:        if ((r = private2_check_padding(decrypted)) != 0)
                   3736:                goto out;
1.1       djm      3737:
1.104     djm      3738:        /* Check that the public key in the envelope matches the private key */
                   3739:        if (!sshkey_equal(pubkey, k)) {
                   3740:                r = SSH_ERR_INVALID_FORMAT;
                   3741:                goto out;
                   3742:        }
1.1       djm      3743:
                   3744:        /* success */
                   3745:        r = 0;
                   3746:        if (keyp != NULL) {
                   3747:                *keyp = k;
                   3748:                k = NULL;
                   3749:        }
                   3750:        if (commentp != NULL) {
                   3751:                *commentp = comment;
                   3752:                comment = NULL;
                   3753:        }
                   3754:  out:
                   3755:        free(comment);
                   3756:        sshbuf_free(decoded);
                   3757:        sshbuf_free(decrypted);
                   3758:        sshkey_free(k);
1.104     djm      3759:        sshkey_free(pubkey);
1.1       djm      3760:        return r;
                   3761: }
                   3762:
1.107     djm      3763: static int
                   3764: sshkey_parse_private2_pubkey(struct sshbuf *blob, int type,
                   3765:     struct sshkey **keyp)
                   3766: {
                   3767:        int r = SSH_ERR_INTERNAL_ERROR;
                   3768:        struct sshbuf *decoded = NULL;
                   3769:        struct sshkey *pubkey = NULL;
                   3770:        u_int nkeys = 0;
                   3771:
                   3772:        if (keyp != NULL)
                   3773:                *keyp = NULL;
                   3774:
                   3775:        if ((r = private2_uudecode(blob, &decoded)) != 0)
                   3776:                goto out;
                   3777:        /* parse public key from unencrypted envelope */
                   3778:        if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
                   3779:            (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */
                   3780:            (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */
                   3781:            (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */
                   3782:            (r = sshbuf_get_u32(decoded, &nkeys)) != 0)
                   3783:                goto out;
                   3784:
                   3785:        if (nkeys != 1) {
                   3786:                /* XXX only one key supported at present */
                   3787:                r = SSH_ERR_INVALID_FORMAT;
                   3788:                goto out;
                   3789:        }
                   3790:
                   3791:        /* Parse the public key */
                   3792:        if ((r = sshkey_froms(decoded, &pubkey)) != 0)
                   3793:                goto out;
                   3794:
                   3795:        if (type != KEY_UNSPEC &&
                   3796:            sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
                   3797:                r = SSH_ERR_KEY_TYPE_MISMATCH;
                   3798:                goto out;
                   3799:        }
                   3800:
                   3801:        /* success */
                   3802:        r = 0;
                   3803:        if (keyp != NULL) {
                   3804:                *keyp = pubkey;
                   3805:                pubkey = NULL;
                   3806:        }
                   3807:  out:
                   3808:        sshbuf_free(decoded);
                   3809:        sshkey_free(pubkey);
                   3810:        return r;
                   3811: }
                   3812:
1.1       djm      3813: #ifdef WITH_OPENSSL
1.80      djm      3814: /* convert SSH v2 key to PEM or PKCS#8 format */
1.1       djm      3815: static int
1.80      djm      3816: sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
                   3817:     int format, const char *_passphrase, const char *comment)
1.1       djm      3818: {
1.76      djm      3819:        int was_shielded = sshkey_is_shielded(key);
1.1       djm      3820:        int success, r;
                   3821:        int blen, len = strlen(_passphrase);
                   3822:        u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
                   3823:        const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
1.57      djm      3824:        char *bptr;
1.1       djm      3825:        BIO *bio = NULL;
1.76      djm      3826:        struct sshbuf *blob;
1.80      djm      3827:        EVP_PKEY *pkey = NULL;
1.1       djm      3828:
                   3829:        if (len > 0 && len <= 4)
                   3830:                return SSH_ERR_PASSPHRASE_TOO_SHORT;
1.76      djm      3831:        if ((blob = sshbuf_new()) == NULL)
1.1       djm      3832:                return SSH_ERR_ALLOC_FAIL;
1.76      djm      3833:        if ((bio = BIO_new(BIO_s_mem())) == NULL) {
1.80      djm      3834:                r = SSH_ERR_ALLOC_FAIL;
                   3835:                goto out;
                   3836:        }
                   3837:        if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
                   3838:                r = SSH_ERR_ALLOC_FAIL;
                   3839:                goto out;
1.76      djm      3840:        }
                   3841:        if ((r = sshkey_unshield_private(key)) != 0)
                   3842:                goto out;
1.1       djm      3843:
                   3844:        switch (key->type) {
                   3845:        case KEY_DSA:
1.80      djm      3846:                if (format == SSHKEY_PRIVATE_PEM) {
                   3847:                        success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
                   3848:                            cipher, passphrase, len, NULL, NULL);
                   3849:                } else {
                   3850:                        success = EVP_PKEY_set1_DSA(pkey, key->dsa);
                   3851:                }
1.1       djm      3852:                break;
                   3853:        case KEY_ECDSA:
1.80      djm      3854:                if (format == SSHKEY_PRIVATE_PEM) {
                   3855:                        success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
                   3856:                            cipher, passphrase, len, NULL, NULL);
                   3857:                } else {
                   3858:                        success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
                   3859:                }
1.1       djm      3860:                break;
                   3861:        case KEY_RSA:
1.80      djm      3862:                if (format == SSHKEY_PRIVATE_PEM) {
                   3863:                        success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
                   3864:                            cipher, passphrase, len, NULL, NULL);
                   3865:                } else {
                   3866:                        success = EVP_PKEY_set1_RSA(pkey, key->rsa);
                   3867:                }
1.1       djm      3868:                break;
                   3869:        default:
                   3870:                success = 0;
                   3871:                break;
                   3872:        }
                   3873:        if (success == 0) {
                   3874:                r = SSH_ERR_LIBCRYPTO_ERROR;
                   3875:                goto out;
                   3876:        }
1.80      djm      3877:        if (format == SSHKEY_PRIVATE_PKCS8) {
                   3878:                if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
                   3879:                    passphrase, len, NULL, NULL)) == 0) {
                   3880:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   3881:                        goto out;
                   3882:                }
                   3883:        }
1.1       djm      3884:        if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
                   3885:                r = SSH_ERR_INTERNAL_ERROR;
                   3886:                goto out;
                   3887:        }
                   3888:        if ((r = sshbuf_put(blob, bptr, blen)) != 0)
                   3889:                goto out;
                   3890:        r = 0;
                   3891:  out:
1.76      djm      3892:        if (was_shielded)
                   3893:                r = sshkey_shield_private(key);
                   3894:        if (r == 0)
                   3895:                r = sshbuf_putb(buf, blob);
1.80      djm      3896:
                   3897:        EVP_PKEY_free(pkey);
1.76      djm      3898:        sshbuf_free(blob);
1.1       djm      3899:        BIO_free(bio);
                   3900:        return r;
                   3901: }
                   3902: #endif /* WITH_OPENSSL */
                   3903:
                   3904: /* Serialise "key" to buffer "blob" */
                   3905: int
                   3906: sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
                   3907:     const char *passphrase, const char *comment,
1.80      djm      3908:     int format, const char *openssh_format_cipher, int openssh_format_rounds)
1.1       djm      3909: {
                   3910:        switch (key->type) {
1.9       markus   3911: #ifdef WITH_OPENSSL
1.1       djm      3912:        case KEY_DSA:
                   3913:        case KEY_ECDSA:
                   3914:        case KEY_RSA:
1.80      djm      3915:                break; /* see below */
1.1       djm      3916: #endif /* WITH_OPENSSL */
                   3917:        case KEY_ED25519:
1.90      markus   3918:        case KEY_ED25519_SK:
1.62      markus   3919: #ifdef WITH_XMSS
                   3920:        case KEY_XMSS:
                   3921: #endif /* WITH_XMSS */
1.85      djm      3922: #ifdef WITH_OPENSSL
                   3923:        case KEY_ECDSA_SK:
                   3924: #endif /* WITH_OPENSSL */
1.1       djm      3925:                return sshkey_private_to_blob2(key, blob, passphrase,
1.80      djm      3926:                    comment, openssh_format_cipher, openssh_format_rounds);
1.1       djm      3927:        default:
                   3928:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   3929:        }
1.80      djm      3930:
                   3931: #ifdef WITH_OPENSSL
                   3932:        switch (format) {
                   3933:        case SSHKEY_PRIVATE_OPENSSH:
                   3934:                return sshkey_private_to_blob2(key, blob, passphrase,
                   3935:                    comment, openssh_format_cipher, openssh_format_rounds);
                   3936:        case SSHKEY_PRIVATE_PEM:
                   3937:        case SSHKEY_PRIVATE_PKCS8:
                   3938:                return sshkey_private_to_blob_pem_pkcs8(key, blob,
                   3939:                    format, passphrase, comment);
                   3940:        default:
                   3941:                return SSH_ERR_INVALID_ARGUMENT;
                   3942:        }
                   3943: #endif /* WITH_OPENSSL */
1.1       djm      3944: }
                   3945:
                   3946: #ifdef WITH_OPENSSL
1.8       djm      3947: static int
1.52      djm      3948: translate_libcrypto_error(unsigned long pem_err)
                   3949: {
                   3950:        int pem_reason = ERR_GET_REASON(pem_err);
                   3951:
                   3952:        switch (ERR_GET_LIB(pem_err)) {
                   3953:        case ERR_LIB_PEM:
                   3954:                switch (pem_reason) {
                   3955:                case PEM_R_BAD_PASSWORD_READ:
                   3956:                case PEM_R_PROBLEMS_GETTING_PASSWORD:
                   3957:                case PEM_R_BAD_DECRYPT:
                   3958:                        return SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3959:                default:
                   3960:                        return SSH_ERR_INVALID_FORMAT;
                   3961:                }
                   3962:        case ERR_LIB_EVP:
                   3963:                switch (pem_reason) {
                   3964:                case EVP_R_BAD_DECRYPT:
                   3965:                        return SSH_ERR_KEY_WRONG_PASSPHRASE;
1.69      djm      3966: #ifdef EVP_R_BN_DECODE_ERROR
1.52      djm      3967:                case EVP_R_BN_DECODE_ERROR:
1.69      djm      3968: #endif
1.52      djm      3969:                case EVP_R_DECODE_ERROR:
                   3970: #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
                   3971:                case EVP_R_PRIVATE_KEY_DECODE_ERROR:
                   3972: #endif
                   3973:                        return SSH_ERR_INVALID_FORMAT;
                   3974:                default:
                   3975:                        return SSH_ERR_LIBCRYPTO_ERROR;
                   3976:                }
                   3977:        case ERR_LIB_ASN1:
                   3978:                return SSH_ERR_INVALID_FORMAT;
                   3979:        }
                   3980:        return SSH_ERR_LIBCRYPTO_ERROR;
                   3981: }
                   3982:
                   3983: static void
                   3984: clear_libcrypto_errors(void)
                   3985: {
                   3986:        while (ERR_get_error() != 0)
                   3987:                ;
                   3988: }
                   3989:
                   3990: /*
                   3991:  * Translate OpenSSL error codes to determine whether
                   3992:  * passphrase is required/incorrect.
                   3993:  */
                   3994: static int
                   3995: convert_libcrypto_error(void)
                   3996: {
                   3997:        /*
                   3998:         * Some password errors are reported at the beginning
                   3999:         * of the error queue.
                   4000:         */
                   4001:        if (translate_libcrypto_error(ERR_peek_error()) ==
                   4002:            SSH_ERR_KEY_WRONG_PASSPHRASE)
                   4003:                return SSH_ERR_KEY_WRONG_PASSPHRASE;
                   4004:        return translate_libcrypto_error(ERR_peek_last_error());
                   4005: }
                   4006:
                   4007: static int
1.1       djm      4008: sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
1.8       djm      4009:     const char *passphrase, struct sshkey **keyp)
1.1       djm      4010: {
                   4011:        EVP_PKEY *pk = NULL;
                   4012:        struct sshkey *prv = NULL;
                   4013:        BIO *bio = NULL;
                   4014:        int r;
                   4015:
1.32      djm      4016:        if (keyp != NULL)
                   4017:                *keyp = NULL;
1.1       djm      4018:
                   4019:        if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
                   4020:                return SSH_ERR_ALLOC_FAIL;
                   4021:        if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
                   4022:            (int)sshbuf_len(blob)) {
                   4023:                r = SSH_ERR_ALLOC_FAIL;
                   4024:                goto out;
                   4025:        }
                   4026:
1.52      djm      4027:        clear_libcrypto_errors();
1.1       djm      4028:        if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
                   4029:            (char *)passphrase)) == NULL) {
1.116     djm      4030:                /*
                   4031:                 * libcrypto may return various ASN.1 errors when attempting
                   4032:                 * to parse a key with an incorrect passphrase.
                   4033:                 * Treat all format errors as "incorrect passphrase" if a
                   4034:                 * passphrase was supplied.
                   4035:                 */
1.71      djm      4036:                if (passphrase != NULL && *passphrase != '\0')
                   4037:                        r = SSH_ERR_KEY_WRONG_PASSPHRASE;
                   4038:                else
                   4039:                        r = convert_libcrypto_error();
1.1       djm      4040:                goto out;
                   4041:        }
1.69      djm      4042:        if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
1.1       djm      4043:            (type == KEY_UNSPEC || type == KEY_RSA)) {
                   4044:                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
                   4045:                        r = SSH_ERR_ALLOC_FAIL;
                   4046:                        goto out;
                   4047:                }
                   4048:                prv->rsa = EVP_PKEY_get1_RSA(pk);
                   4049:                prv->type = KEY_RSA;
                   4050: #ifdef DEBUG_PK
                   4051:                RSA_print_fp(stderr, prv->rsa, 8);
                   4052: #endif
                   4053:                if (RSA_blinding_on(prv->rsa, NULL) != 1) {
                   4054:                        r = SSH_ERR_LIBCRYPTO_ERROR;
1.49      djm      4055:                        goto out;
                   4056:                }
1.122     djm      4057:                if ((r = sshkey_check_rsa_length(prv, 0)) != 0)
1.1       djm      4058:                        goto out;
1.69      djm      4059:        } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
1.1       djm      4060:            (type == KEY_UNSPEC || type == KEY_DSA)) {
                   4061:                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
                   4062:                        r = SSH_ERR_ALLOC_FAIL;
                   4063:                        goto out;
                   4064:                }
                   4065:                prv->dsa = EVP_PKEY_get1_DSA(pk);
                   4066:                prv->type = KEY_DSA;
                   4067: #ifdef DEBUG_PK
                   4068:                DSA_print_fp(stderr, prv->dsa, 8);
                   4069: #endif
1.69      djm      4070:        } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
1.1       djm      4071:            (type == KEY_UNSPEC || type == KEY_ECDSA)) {
                   4072:                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
                   4073:                        r = SSH_ERR_ALLOC_FAIL;
                   4074:                        goto out;
                   4075:                }
                   4076:                prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
                   4077:                prv->type = KEY_ECDSA;
                   4078:                prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
                   4079:                if (prv->ecdsa_nid == -1 ||
                   4080:                    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
                   4081:                    sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
                   4082:                    EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
                   4083:                    sshkey_ec_validate_private(prv->ecdsa) != 0) {
                   4084:                        r = SSH_ERR_INVALID_FORMAT;
                   4085:                        goto out;
                   4086:                }
                   4087: #ifdef DEBUG_PK
                   4088:                if (prv != NULL && prv->ecdsa != NULL)
                   4089:                        sshkey_dump_ec_key(prv->ecdsa);
                   4090: #endif
                   4091:        } else {
                   4092:                r = SSH_ERR_INVALID_FORMAT;
                   4093:                goto out;
                   4094:        }
                   4095:        r = 0;
1.32      djm      4096:        if (keyp != NULL) {
                   4097:                *keyp = prv;
                   4098:                prv = NULL;
                   4099:        }
1.1       djm      4100:  out:
                   4101:        BIO_free(bio);
1.60      jsing    4102:        EVP_PKEY_free(pk);
1.30      mmcc     4103:        sshkey_free(prv);
1.1       djm      4104:        return r;
                   4105: }
                   4106: #endif /* WITH_OPENSSL */
                   4107:
                   4108: int
                   4109: sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
                   4110:     const char *passphrase, struct sshkey **keyp, char **commentp)
                   4111: {
1.42      djm      4112:        int r = SSH_ERR_INTERNAL_ERROR;
                   4113:
1.32      djm      4114:        if (keyp != NULL)
                   4115:                *keyp = NULL;
1.1       djm      4116:        if (commentp != NULL)
                   4117:                *commentp = NULL;
                   4118:
                   4119:        switch (type) {
                   4120:        case KEY_ED25519:
1.62      markus   4121:        case KEY_XMSS:
1.106     djm      4122:                /* No fallback for new-format-only keys */
1.1       djm      4123:                return sshkey_parse_private2(blob, type, passphrase,
                   4124:                    keyp, commentp);
1.106     djm      4125:        default:
1.42      djm      4126:                r = sshkey_parse_private2(blob, type, passphrase, keyp,
                   4127:                    commentp);
1.106     djm      4128:                /* Only fallback to PEM parser if a format error occurred. */
                   4129:                if (r != SSH_ERR_INVALID_FORMAT)
1.42      djm      4130:                        return r;
1.1       djm      4131: #ifdef WITH_OPENSSL
1.8       djm      4132:                return sshkey_parse_private_pem_fileblob(blob, type,
                   4133:                    passphrase, keyp);
1.1       djm      4134: #else
                   4135:                return SSH_ERR_INVALID_FORMAT;
                   4136: #endif /* WITH_OPENSSL */
                   4137:        }
                   4138: }
                   4139:
                   4140: int
                   4141: sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
1.23      tim      4142:     struct sshkey **keyp, char **commentp)
1.1       djm      4143: {
                   4144:        if (keyp != NULL)
                   4145:                *keyp = NULL;
                   4146:        if (commentp != NULL)
                   4147:                *commentp = NULL;
                   4148:
1.23      tim      4149:        return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
                   4150:            passphrase, keyp, commentp);
1.96      djm      4151: }
                   4152:
                   4153: void
                   4154: sshkey_sig_details_free(struct sshkey_sig_details *details)
                   4155: {
                   4156:        freezero(details, sizeof(*details));
1.107     djm      4157: }
                   4158:
                   4159: int
                   4160: sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type,
                   4161:     struct sshkey **pubkeyp)
                   4162: {
                   4163:        int r = SSH_ERR_INTERNAL_ERROR;
                   4164:
                   4165:        if (pubkeyp != NULL)
                   4166:                *pubkeyp = NULL;
                   4167:        /* only new-format private keys bundle a public key inside */
                   4168:        if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0)
                   4169:                return r;
                   4170:        return 0;
1.1       djm      4171: }
1.62      markus   4172:
                   4173: #ifdef WITH_XMSS
                   4174: /*
                   4175:  * serialize the key with the current state and forward the state
                   4176:  * maxsign times.
                   4177:  */
                   4178: int
1.77      djm      4179: sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
1.112     dtucker  4180:     u_int32_t maxsign, int printerror)
1.62      markus   4181: {
                   4182:        int r, rupdate;
                   4183:
                   4184:        if (maxsign == 0 ||
                   4185:            sshkey_type_plain(k->type) != KEY_XMSS)
                   4186:                return sshkey_private_serialize_opt(k, b,
                   4187:                    SSHKEY_SERIALIZE_DEFAULT);
1.112     dtucker  4188:        if ((r = sshkey_xmss_get_state(k, printerror)) != 0 ||
1.62      markus   4189:            (r = sshkey_private_serialize_opt(k, b,
                   4190:            SSHKEY_SERIALIZE_STATE)) != 0 ||
                   4191:            (r = sshkey_xmss_forward_state(k, maxsign)) != 0)
                   4192:                goto out;
                   4193:        r = 0;
                   4194: out:
1.112     dtucker  4195:        if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) {
1.62      markus   4196:                if (r == 0)
                   4197:                        r = rupdate;
                   4198:        }
                   4199:        return r;
                   4200: }
                   4201:
                   4202: u_int32_t
                   4203: sshkey_signatures_left(const struct sshkey *k)
                   4204: {
                   4205:        if (sshkey_type_plain(k->type) == KEY_XMSS)
                   4206:                return sshkey_xmss_signatures_left(k);
                   4207:        return 0;
                   4208: }
                   4209:
                   4210: int
                   4211: sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
                   4212: {
                   4213:        if (sshkey_type_plain(k->type) != KEY_XMSS)
                   4214:                return SSH_ERR_INVALID_ARGUMENT;
                   4215:        return sshkey_xmss_enable_maxsign(k, maxsign);
                   4216: }
                   4217:
                   4218: int
                   4219: sshkey_set_filename(struct sshkey *k, const char *filename)
                   4220: {
                   4221:        if (k == NULL)
                   4222:                return SSH_ERR_INVALID_ARGUMENT;
                   4223:        if (sshkey_type_plain(k->type) != KEY_XMSS)
                   4224:                return 0;
                   4225:        if (filename == NULL)
                   4226:                return SSH_ERR_INVALID_ARGUMENT;
                   4227:        if ((k->xmss_filename = strdup(filename)) == NULL)
                   4228:                return SSH_ERR_ALLOC_FAIL;
                   4229:        return 0;
                   4230: }
                   4231: #else
                   4232: int
1.76      djm      4233: sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
1.112     dtucker  4234:     u_int32_t maxsign, int printerror)
1.62      markus   4235: {
                   4236:        return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
                   4237: }
                   4238:
                   4239: u_int32_t
                   4240: sshkey_signatures_left(const struct sshkey *k)
                   4241: {
                   4242:        return 0;
                   4243: }
                   4244:
                   4245: int
                   4246: sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
                   4247: {
                   4248:        return SSH_ERR_INVALID_ARGUMENT;
                   4249: }
                   4250:
                   4251: int
                   4252: sshkey_set_filename(struct sshkey *k, const char *filename)
                   4253: {
                   4254:        if (k == NULL)
                   4255:                return SSH_ERR_INVALID_ARGUMENT;
                   4256:        return 0;
                   4257: }
                   4258: #endif /* WITH_XMSS */